Windows Internals

Developer/Security Expert

Duration: 5 Days

Course Description

Our flagship course aims to provide a variety of audiences with the skills and knowledge needed for a thorough initial understanding of the design, architecture, and implementation of modern Windows operating systems. Providing two tracks — one for developers, and one for security experts — the course goes through nearly all core aspects of the kernel and its supporting components.

In the developer track, attendees will use tools such as Process Explorer, System Informer, WinObjEx64, and many other Sysinternals tools in order to understand and troubleshoot the operation of Windows applications, services, and drivers. They will learn how to use the performance counter and tracing infrastructure to understand and monitor memory consumption, while learning the algorithms that drive virtual memory management, thread scheduling, wait dispatching, synchronization, ACL-based security access checks, I/O completion, and more. Developers will learn the basic algorithms and implementation of the object manager and registry, as well as key mechanisms such as IRQLs, APCs and DPCs. When needed, the Windows Kernel Debugger will also be used to drive further in-depth understanding of system data structures and behaviors.

In the security expert track, attendees will put greater emphasis on the use of the Windows Kernel Debugger, and learn its command set and capabilities inside out, including the development of WinDBG scripts and automation using NatVis and JavaScript. Using this knowledge, they will tear apart internal data structures to look for anomalies, learn the behaviors of various fields and bits, and learn how to analyze a system for forensic and real-time purposes to detect hidden processes, cached files, executable regions of memory, and more. A lower-level view into software- and hardware-provided system security will be provided, such as a deeper understanding of segmentation, system calls, virtualization-based security and memory mitigations.

Developer Course Outline

  • Introduction and Tools
  • OS Fundamentals
  • Kernel Infrastructure
  • Processes and Threads
  • Memory Management
  • System Mechanisms
  • Security
  • I/O System

The following topics are only discussed in the developer track:

OS Design

MinWin, Environment Subsystems

System Components

WoW64, I/O Manager, Sessions

Processes & Threads

Visualizing Processes & Threads, Thread Scheduling, Thread Priorities, Job Objects, Wait Dispatching, Processor Affinity

Memory Management

Paging Files, Commit Charge, Working Set, Virtual to Physical Address Translation, Large Pages, SuperFetch

Data Security

Authentication (Logon), Authorization (SIDs, SDs, ACEs & DACLs), Token Attributes & Claims, Integrity Levels

Security Course Outline

  • Introduction and Tools
  • WinDBG Primer
  • OS Design
  • OS Hardware Architecture & Fundamentals
  • Core & Executive Mechanisms
  • Process Execution & Isolation
  • Runtime & Memory Management

The following topics are only discussed in the security track:

OS Design & System Architecture

x86/x64 CPU Design, Flexible Return and Event Delivery, User-mode Callbacks

Process Isolation

Pico and Minimal Processes, Secure Processes, VBS Enclaves, AppContainers

System Security

UEFI Secure Boot, Signing Policies, User Mode Code Integrity (UMCI), Hypervisor-Based Code Integrity, Patch Guard, HyperGuard, System Guard Runtime Monitor, Hardware Mitigations

Executive Mechanisms

Advanced Local Procedure Call (ALPC), Windows Notification Facility (WNF), Extension Hosts

Forensics & Analysis

WinDBG Scripting & NatVis, LINQ, JavaScript, Registry Carving, Shared Memory/Cached File Forensics

Although the two tracks have a slightly different focus based on audience, many topics are covered in both flavors of the course.

Execution Fundamentals

Privilege Levels, Virtual Trust Levels (Hyper-V VTL), KPCR, KPRCB, NUMA & Topology, Timers, Interrupts, APCs, DPCs, IRQLs, System Calls

Memory Fundamentals

Address Space Layouts, Hardware Page Translation, VADs, Mapped Memory, Pool Manager, PFN Database, Memory Mitigations

System Fundamentals

Object Manager, Process Management, Protected Processes, Image Loader, Registry