Learn the internals of the Windows NT kernel architecture, including Windows 8 and Server 2010, and how rootkits and other kernel-mode malware exploit the various system functionalities, mechanisms and data structures to do their dirty work. Also learn how drivers operate and how they can be subject to attack from user-mode callers to elevate their privileges.

New Windows 8 kernel features relevant to driver operation and rootkit techniques will be discussed, including an overview of over two dozen new security mitigations that have been added to the operating system. Windows 7 kernel changes will be discussed too, such as the new Object Manager data structures. After learning the theory, you will use tools such as WinDBG to analyze, poke, and prod kernel-mode Windows components, as well as write your own drivers and tools. You'll also learn how to use the new Visual Studio 11 and Windows Driver Kit 8.0 to build next-generation kernel code.

Finally, you will use all this knowledge to analyze certain pieces of buggy C code with hard-to-spot Windows-kernel-specific bugs, as well as looking at a custom driver to understand its behaviour. You'll also learn how to "clean-up" your IDA or HexRays disassembly in order to understand common inline functions that distract from real code.

Attendees will receive a copy of Windows Internals, 6th Edition.

Student Pre-requisite

IMPORTANT: This training isn't for reverse engineering beginners, and none of the basic stuff will be presented. You should be able to understand x86 assembly to take this course, but knowledge of obfuscation, packing, etc, is not required.

  • Basic knowledge of Windows, Intel architecture, and operating systems is required -- you should know what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about segmentation and virtual memory/paging, etc.
  • VMware Player or Workstation is recommended with an installed version of Windows 7. 32-bit or 64-bit is fine -- you may prefer 32-bit if that is the disassembly you are most familiar with and/or want to use Hexrays. As well, development in class will be done on 32-bit targets to avoid signing issues and Patchguard, but 64-bit internals and Windows-specific changes will be covered.
  • You must have a Windows machine to attend, and you should have the free Visual Studio 2011 Preview, as well as the Windows Driver Kit 8.0, which you can freely grab from MSDN. If you really cannot find a way to obtain it, you may contact the conference and a temporary copy for class use will be made available for you.
  • Legal IDA Pro license (5.5 or higher, 6.0+ recommended). Hexrays helpful, but not required.

Software Requirement

Hardware Requirement

Course Outline

  • Part 1: Inside the Windows Kernel
  • The focus of the first part is understanding the behaviour and operation of the Windows Kernel.

    Core topics such as interrupts, DPCs, APCs, timers, scheduling and memory management will be discussed at the architectural level. You are expected to already be familiar with some of these ideas -- for example, on the topic of memory management, it is not about how to use malloc, but rather about the complexities of and effects of the algorithms used by Windows when managing pages.

    You'll also be exposed to low-level CPU details such as segmentation and task gates, things you probably thought didn't matter since 1986 anymore, but which still drive core Windows architecture today. Never again will you think [fs:18h] is a magic constant. Both x86 and x64 will be covered, and although much of it is still not yet public, you'll also learn about how ARM does some of these things and how Windows 8 interacts with the ARM chip.

    A detailed summary of the object manager and ALPC mechanism will also be on the table, as well as the window manager (Win32k.sys) and its data structures/behaviors. We will be using deprecated and unsupported debugger extensions to peer into aspects of Win32k.sys that few have looked at before -- except those that find new kernel vulnerabilities in it by the minute.

    You will learn the various data structures used by bookkeeping and internal consistency and management of core system components and objects, such as threads and processes, and how these fields can affect the operation of the system in ways that malicious code can control. A secondary focus will be for forensic purposes -- how to recover system data and state from raw memory information.

    You will be presented with many WinDBG/KD commands, as well as how to write your own scripts and extensions. You'll spend a good few hours learning WinDBG tricks that will save you hours of time and effort, and turn your WinDBG-fu from white belt to WinDBG sensei. You'll also never call it "Win DEE BEE GEE" again.

  • Part 2: Windows Kernel Mode Reverse Engineering and Debugging
  • The second part will focus on using various tools to inspect the Windows kernel for consistency, tracing its operation, and editing it.

    During this part, we will also look at using VM technologies to emulate the Windows kernel as well as any drivers you will be writing and loading, to avoid hitting a real system, as well as avoiding the need for a second machine. Various debugging techniques will be demonstrated, such as GDB stubs in VMWare and QEMU, and how to plug-in IDA into these stubs to perform analysis without requiring WinDBG.

  • Part 3: Windows Driver/Rootkit Analysis
  • The last part of the training focuses on building on your knowledge from the previous days to tackle several examples of malicious and/or buggy drivers in a given Windows system. You will also learn how to write your own drivers and user-mode tools that can perform some of this work, for the purposes of better understanding driver operation and reversing a well-known driver to see its output in IDA to build a "base case" and discover various effects of WDK/MSVC optimizations as well as kernel inlining.

    You will apply both static analysis with IDA to understand the source code and behaviour of the drivers (no obfuscation will be employed, so knowledge in such mechanisms is not a prerequisite), as well as dynamic analysis through debugging and analysis tools presented earlier to determine the effect that the driver is having on the system.

    For buggy drivers, you will have to provide some possible exploit code or at least an analysis of how the bug could be exploited by an unprivileged user-mode client. We may also look at several types of kernel-mode shellcode possibilities. Finally, we will take a look at certain examples of plain C code, that contains well-known bugs, as well as certain harder-to-spot bugs within the specific context of running in a Windows kernel environment.

About Instructor

Alex Ionescu

Alex is coauthor of Windows Internals 5th edition and is currently working on the 6th Edition. He teaches Windows OS internals to Microsoft employees and other security and government organizations worldwide through David Solomon Expert Seminars as well as his own company, Winsider Seminars & Solutions Inc., which also produces low-level system tools. He has also had the chance to contribute to some of Mark Russinovich's Sysinternals tools, such as Process Explorer. He is also very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel and presenting talks at conferences such as Blackhat and Recon.

Previously, Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/2003 written from scratch, where he wrote most of the NT-based kernel. In the last four years, he has also contributed to patches and development in two major commercially used operating system kernels.