Call Us: (1) 424 781 7156 - Mail
Training services from Alex Ionescu and Yarden Shafir
Windows Internals Advanced (5 Days)

Course Description

This follow-up to the developer track of the Windows Internals course allows organizations to train a subset of their developers beyond the skills needed for writing efficient code, and also arming them with the knowledge on how to debug and troubleshoot deep system problems using the Microsoft Kernel Debugger, as well as adding several new components to the course curriculum, such as the Configuration Manager (in charge of the registry), the User-mode Loader (in charge of DLLs), and the Advanced Local Procedure Call (ALPC) mechanism (in charge of DCOM, RPC, User-mode Driver Communication, and more…).

Additionally, this course contains most of the security-focused content of the security track (which developers would’ve missed out on), giving access to the trainees to inside information on how their own drivers and applications may be misused to become the unwitting participants of an exploit or attack against a machine. Developers often think from a very pragmatic point of view about their interfaces and level of access, not realizing that peculiarities, oddities, and sometimes outright bugs in the kernel could be working to undermine their efforts in securing their data and code.

Finally, for organizations that are solely security-focused and are thinking about requesting the security track of the developer course, as the advanced course would provide the entire security track duplicated yet again, we recommend instead considering if 10 days of training (which can be split across the calendar year) may work better — giving your analysts and researchers good background information on Windows in the developer track — and then augmenting it with the security information they would’ve gotten had they taken the security track, plus all the additional content offered in the advanced course (such as process creation semantics, and user-mode loader internals).

Advanced Course Outline

  • Introduction and Tools
  • WinDBG Primer
  • CPU Architecture & Deep OS Fundamentals
  • Extended Executive Components
  • Advanced Process Management & Loader
  • Low-Level Memory Forensics 
  • Windows Subsystem
  • Windows Bug Analysis

In-Depth Topics

As in the security track of the Windows Internals course, the following topics and concepts are covered.

System Architecture

x86/x64 CPU Design, Pico Processes, Secure Processes

Executive Components

Advanced Local Procedure Call (ALPC), Windows Subsystem (CSRSS & Win32k)

Forensics & Analysis

WinDBG Scripting & NatVis, Hidden Processes, Shared Memory/Cached File Forensics

System Security

UEFI Secure Boot, Signing Policies, User Mode Code Integrity (UMCI), Hypervisor-Based Code Integrity, Device Guard/Strong Code Guarantees, HyperGuard, Windows Bug Analysis

Plus these topics, which are exclusive to the advanced course

System Fundamentals

Graphics System Calls, I/O APIC, ELAM, AMSI, Signature Callbacks, Secured ETW

Extended Executive Components

Object Manager Filtering & Private Namespaces, Configuration Manager (Registry)

User-Mode Management

Session Manager (SMSS), User-mode Loader (NTDLL), Protected Policies

Forensics & Analysis

Registry Carving, Object Manager Forensics, System Call Hook Analysis, Interrupt Tracking, PFN & Working Set Forensics

If you are interested in this course, or for more information, please contact us.x
Back to Top