Abstract
Writing code for Windows in user mode or kernel mode will significantly enhance your understanding and capabilities.
Whether you're reversing malware, writing an exploit, or researching some dark corner of Windows, knowing how to work with processes, threads, memory, DLLs, kernel APIs and more gives you a foundation that can take you anywhere you need to go within Windows. The course teaches user-mode programming with the Windows API (and some native APIs), along with developing kernel drivers that hook into kernel mechanisms. By the end of this course, you'll have the tools and knowledge of a low-level Windows developer.
SUPPLEMENTARY READING MATERIAL AUTHORED/CO-AUTHORED BY THE INSTRUCTOR:
Course Objectives
- Understand the main mechanisms and components of the Windows OS
- Write user-mode programs leveraging the Windows API
- Use WinDbg and Visual Studio to debug processes and kernel code
- Understand driver development fundamentals
- Write kernel-mode drivers
Who Should Attend
- Developers
- Reverse Engineers
- Members of Red Teams wishing to write custom tools
- Anyone wishing to dive deep into Windows Internals
Syllabus
Module 1: Windows System Architecture Overview
- Tools
- Processes
- Virtual Memory
- Threads
- User mode vs. Kernel mode
- Architecture Overview
- System Calls
- Introduction to WinDbg
Module 2: Windows API Foundation
- Windows APIs
- Using Visual Studio
- Common Types and Conventions
- Working with Strings
- 64-bit vs. 32-bit development
- Kernel Objects
- Working with Handles
- Sharing Objects
- Object Names
Module 3: Processes
- Process creation
- The main function(s)
- Creating processes
- Process termination
- Enumerating processes
- DLLs
Module 3: Memory
- Process address space
- Process memory counters
- Reserving and committing memory
- The heap manager
- Memory Mapped Files
Module 4: Threads
- Thread basics
- Creating threads
- Thread Priorities
- Thread Scheduling
- Thread Stacks
- Thread Synchronization
Module 5: The I/O System
- I/O System overview
- Device Drivers
- The Windows Driver Model (WDM)
- The Kernel Mode Driver Framework (KMDF)
- Driver types
- Software drivers
- Driver and device objects
- I/O Processing and Data Flow
- Accessing files and devices
- Asynchronous I/O
Module 6: Kernel programming basics
- C++ in a kernel driver
- Creating a driver project
- Building and deploying
- The kernel API
- Strings
- Linked Lists
- Kernel Memory Pools
- The DriverEntry function
- The Unload routine
- Driver Debugging
Module 7: The I/O Request Packet (IRP)
- Creating a device object
- Exporting a device name
- Building a driver client
- Driver dispatch routines
- Introduction to I/O Request Packets (IRPs)
- Completing IRPs
- Accessing user space buffers
- Handling DeviceIoControl calls
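Module 7's steps end in a dispatch routine that decodes the caller's I/O control code and picks up the user buffers in whatever way the code's transfer type dictates. As an added example (not course material or the instructor's code), the pure-C block below reproduces the CTL_CODE bit layout from the WDK, decodes a code into its fields, and reports which buffer-delivery path the handler must take, together with the two checks a DeviceIoControl handler should make before touching caller data. The `buffer_source_t` enum, the helper names and the three sample codes are assumptions for illustration; the constants mirror the WDK values, so the block builds with any C compiler and needs no ntddk.h.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of a Windows I/O control code, as produced by the WDK's CTL_CODE macro:
 *   bits 31..16  device type      bits 15..14  required access
 *   bits 13..2   function code    bits  1..0   transfer type (METHOD_*)
 * The constants below mirror the WDK values so this builds without ntddk.h. */
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u
#define FILE_DEVICE_UNKNOWN 0x22u

#define CTL_CODE(DeviceType, Function, Method, Access)            \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2)    | (uint32_t)(Method))

static unsigned ioctl_device_type(uint32_t code) { return (code >> 16) & 0xFFFFu; }
static unsigned ioctl_access(uint32_t code)      { return (code >> 14) & 0x3u; }
static unsigned ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
static unsigned ioctl_method(uint32_t code)      { return code & 0x3u; }

/* Where the dispatch routine finds the caller's data for each transfer type
 * (hypothetical enum for this example; the comments name the IRP fields involved). */
typedef enum {
    BUF_SYSTEM_BUFFER,    /* METHOD_BUFFERED: I/O manager copies in and out via Irp->AssociatedIrp.SystemBuffer */
    BUF_SYSTEM_AND_MDL,   /* METHOD_IN_DIRECT / METHOD_OUT_DIRECT: input in SystemBuffer, the other buffer is
                             locked in memory and described by Irp->MdlAddress */
    BUF_RAW_USER_POINTER  /* METHOD_NEITHER: raw user pointers (Type3InputBuffer / Irp->UserBuffer); the driver
                             must validate them itself */
} buffer_source_t;

static buffer_source_t buffer_source(uint32_t code) {
    switch (ioctl_method(code)) {
    case METHOD_BUFFERED:   return BUF_SYSTEM_BUFFER;
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT: return BUF_SYSTEM_AND_MDL;
    default:                return BUF_RAW_USER_POINTER;
    }
}

/* METHOD_NEITHER is the one transfer type where the kernel has validated nothing:
 * the handler must call ProbeForRead/ProbeForWrite inside __try/__except before
 * dereferencing the pointers, or a user-mode client can hand it a kernel address. */
static int needs_probe(uint32_t code) { return ioctl_method(code) == METHOD_NEITHER; }

/* Function codes 0x000-0x7FF are reserved by Microsoft; driver-defined codes start at 0x800. */
static int is_vendor_function(uint32_t code) { return ioctl_function(code) >= 0x800u; }

/* Length check a handler performs before casting the input buffer to a struct:
 * compare Parameters.DeviceIoControl.InputBufferLength against the size it expects. */
static int input_length_ok(uint32_t input_length, uint32_t needed) { return input_length >= needed; }

int main(void) {
    /* Constructed sample codes, all on FILE_DEVICE_UNKNOWN as a software driver would use. */
    uint32_t codes[] = {
        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED,   FILE_ANY_ACCESS),
        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_OUT_DIRECT, FILE_READ_ACCESS),
        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER,    FILE_ANY_ACCESS),
    };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        uint32_t c = codes[i];
        printf("0x%08X type=0x%X access=%u function=0x%X method=%u source=%d probe=%d\n",
               c, ioctl_device_type(c), ioctl_access(c), ioctl_function(c),
               ioctl_method(c), (int)buffer_source(c), needs_probe(c));
    }
    return 0;
}
```

The same decoder is useful from the other side of the table: when reversing or fuzzing a third-party driver, feeding each IOCTL it accepts through `ioctl_method` tells you immediately which handlers receive raw user pointers and therefore deserve the closest look.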
Module 8: Kernel Mechanisms
- Interrupt Request Levels (IRQLs)
- Deferred Procedure Calls (DPCs)
- Structured Exception Handling
- System Crash
- Synchronization
- Work Items
Module 9: Process and Thread Notifications
- Process creation/destruction callback
- Specifying process creation status
- Thread creation/destruction callback
- Notifying user mode
- Writing a user mode client
- User/kernel communication
Module 10: Object and Registry Notifications (if time permits)
- Process/thread object notifications
- Pre and post callbacks
- Registry notifications
- Performance considerations
- Reporting results to user mode
Prerequisites
- Basic acquaintance of Windows concepts and architecture
- Power-user level working with Windows
- Experience writing C code (basic C++ knowledge is recommended but not required)
System Requirements
- Windows 10 or 11 x64 (any SKU)
- Visual Studio 2019 + latest updates (must include the C++ workload)
- (optional) Visual Studio 2022 with the C++ workload
- Windows 11 SDK (at least the Debugging tools for Windows)
- Windows 11 Driver Kit (WDK)
- Virtual machine running one of Windows 7/8.1/10/11 (based on Hyper-V, VMware or VirtualBox)
- (Optional) WinDbg Preview (from the Microsoft Store)
- The Sysinternals suite (from www.sysinternals.com)
- PDF reader