Call Us: (1) 424 781 7156 - Mail
Training services from Alex Ionescu and Yarden Shafir
Modern Windows Internals Update (3 Days)

Course Description

Specially designed for attendees that have already attended a Windows Internals training course more than five years ago, this course provides a thorough review of all the new features that have been added since Windows 8 and later, up to the very latest Windows 10 “Redstone” releases, such as Version 1703, Creator’s Update. Attendees will first be presented the significant improvements in the Windows Debugger, including support for NatVis/LINQ, JavaScript, new & fixed debugger commands, and DML-aware debugging. Then, updates in Windows fundamentals such as how system calls are made, interrupts, security assertions & more will follow, to be continued with changes in the executive such as Object Manager Footers, Extended Object Types & Callbacks, Handle Usage References, as well as improvements to the User-Mode Loader.

Following a in-depth update on the Process Manager (which includes a description of Protected Process Light, Pico Processes & Secure Processes, as well as new Job Object Capabilities), attendees will learn about changes in the Thread Scheduler such as the Desktop Activity Monitor (DAM), Priority Inheritance, Quantum Donation & Directed Switch, plus the move to a Shared Ready Queue for scalable thread selection. Finally, this section will cover the new Windows Container support through the Server Silo feature.

The course finishes with an entire day on all the new security-related changes to Windows, including the addition of over 37 new mitigations, Virtualization-Based Security such as Device Guard & Credential Guard, Application Sandboxing through AppContainer, changes to the basic authentication security model through Attribute-Based Access Control (ABAC) & Centralized Access Protection (CAP) with Dynamic Access Control (DAC), and finally the implementation of Secure Boot & Measured Boot, new Kernel-Mode Code Signing (KMCS) Signing Policies & Hypervisor-Based Code Integrity (HVCI), and anti-malware extensions such as Early Launch Anti Malware (ELAM), Anti Malware Scan Interface (AMSI), Secure ETW, and Image Signature Callbacks.

Refresher Course Outline

  • Introduction
  • Modern Windows Debugging 
  • Updated OS Fundamentals
  •  New Executive Features 
  • Platform Security & Integrity Improvements 
  • Process Sandboxing Technologies 
  • Exploit Mitigations 

In-Depth Topics

The following topics and concepts are covered in the first days of the course.

Forensics & Analysis

WinDBG Network Debugging, NatVis Support, Language-Integrated Natural Query (LINQ), Modern Scripting with JavaScript ES 6, Debugger Markup Language (DML)

System Architecture

Heterogeneous Processors, Process-Dedicated CPU Sets, Changes to Interrupt Dispatching, Interrupt-Based System Calls, Intel Security Mitigation Support

Executive Components

MinWin Dependency Decoupling, Memory Layout Changes, Memory Partitions, Object Manager Private Namespaces, Object Footers, and Extended Types, Handle Table Changes, Win32k Refactoring & Isolation

Processes, Threads, and Jobs

Minimal & Pico Processes, Windows Containers, Network & I/O Rate Control, Shared Ready Queue, Directed Switch, Desktop Activity Manager (DAM)

With a heavy focus on security changes during the last day 

System Fundamentals

Security Assertion Calls, Hypervisor-aware , I/O APIC, ELAM, AMSI, Signature Callbacks, Secured ETW

System Security

UEFI Secure Boot, Signing Policies, User Mode Code Integrity (UMCI), Hypervisor-Based Code Integrity, Device Guard/Strong Code Guarantees, PatchGuard, HyperGuard

Process Sandboxing & Protection

User-mode Loader & Protected Policies, AppContainer, Protected Process Light (PPL), Secure Processes (Trustlets)

Exploit Mitigations

Arbitrary Code Guard (ACG), Control Flow Guard (CFG), Return Flow Guard (RFG), User-Mode Font Loading, 

If you are interested in this course, or for more information, please contact us.x
Back to Top