Windows Internals Advanced

Course Description

Duration: 5 Days

This follow-up to the developer track of the Windows Internals course allows organizations to train a subset of their developers beyond the skills needed for writing efficient code. It also arms them with the knowledge of how to debug and troubleshoot deep system problems using the Microsoft Kernel Debugger, and it adds several new components to the course curriculum, such as the Configuration Manager (in charge of the registry), the User-mode Loader (in charge of DLLs), and the Advanced Local Procedure Call (ALPC) mechanism (in charge of DCOM, RPC, User-mode Driver Communication, and more).

Additionally, this course contains most of the security-focused content of the security track (which developers would’ve missed out on), giving trainees access to inside information on how their own drivers and applications may be misused to become unwitting participants in an exploit or attack against a machine. Developers often think from a very pragmatic point of view about their interfaces and level of access, not realizing that peculiarities, oddities, and sometimes outright bugs in the kernel could be working to undermine their efforts in securing their data and code.

Finally, for organizations that are solely security-focused and are thinking about requesting the security track of the developer course: because the advanced course would duplicate the entire security track yet again, we recommend instead considering whether 10 days of training (which can be split across the calendar year) may work better. This gives your analysts and researchers good background information on Windows in the developer track, and then augments it with the security information they would’ve gotten had they taken the security track, plus all the additional content offered in the advanced course (such as process creation semantics and user-mode loader internals).

Course Outline

  • Introduction and Tools
  • WinDBG Primer
  • CPU Architecture & Deep OS Fundamentals
  • Extended Executive Components
  • Advanced Process Management & Loader
  • Low-Level Memory Forensics

In-Depth Topics

As in the security track of the Windows Internals course, the following topics and concepts are covered.

System Architecture

x86/x64 CPU Design, Pico Processes, Secure Processes

Executive Components

Advanced Local Procedure Call (ALPC), Windows Subsystem (CSRSS & Win32k)

Forensics & Analysis

WinDBG Scripting & NatVis, Hidden Processes, Shared Memory/Cached File Forensics

System Security

UEFI Secure Boot, Signing Policies, User Mode Code Integrity (UMCI), Hypervisor-Based Code Integrity, Device Guard/Strong Code Guarantees, HyperGuard, Windows Bug Analysis

Plus these topics, which are exclusive to the advanced course:

System Fundamentals

Graphics System Calls, I/O APIC, ELAM, AMSI, Signature Callbacks, Secured ETW

Extended Executive Components

Object Manager Filtering & Private Namespaces, Configuration Manager (Registry)

User-Mode Management

Session Manager (SMSS), User-mode Loader (NTDLL), Protected Policies

Forensics & Analysis

Registry Carving, Object Manager Forensics, System Call Hook Analysis, Interrupt Tracking, PFN & Working Set Forensics