Windows Kernel Primer

John deGruyter, Hungry Hackers | August 6-7
Overview

Understanding the Windows kernel has typically been considered to have a steep learning curve and to be not for the faint of heart. However, many vulnerabilities have surfaced from within the depths of the kernel, proving it to be a lucrative target for attackers. Security researchers who want to move beyond the classroom need a solid understanding of what goes on under the hood and behind the scenes. Unfortunately, other courses often hurry through these fundamental concepts, overlook them, or treat them as supplemental.

The Windows Kernel Primer course takes a deep dive into the Windows operating system, breaking down important data structures and walking step by step through the underlying kernel architecture. These fundamental concepts are key for system developers, malware analysts, forensics investigators, and vulnerability researchers. This course is designed to equip students with a strong foundation in Windows internals, and it is taught through in-depth lecture accompanied by hands-on reverse engineering labs and exercises.

We will be breaking down and working through a lot of low-level concepts in class. There are no hard prerequisites, but if you have no programming experience or have never worked in a debugger, you may have to work extra hard to keep up. However, if you are up for the challenge and are looking for training that takes you a bit deeper, this course was written for you.

Windows Kernel Primer - Day 1
The Restaurant
Virtual Memory
Privilege Levels
Crash Dumps
Lab Assignment
Symbols
WinDbg
Lab Assignment
Windows Kernel Overview
System Calls
Live Kernel Debugging
Lab Assignment
Objects and Handles
Linked Lists
Lab Assignment
Processes and Threads
Access Tokens
ActiveProcessLinks
Lab Assignment
DKOM
Lab Assignment

Windows Kernel Primer - Day 2
Interrupts and Exceptions
IRQLs
User Land
Lab Assignment
Pools
Devices and Drivers
Lab Assignment
IRPs
LiveKD
Lab Assignment
PCR / PRCB
Damn Vulnerable Windows Driver
Lab Assignment
Kernel Security Controls
Kernel CVEs
Lab Assignment

Who Should Take this Course

Whether you are a malware analyst, developer, or vulnerability researcher, having a deeper understanding of what goes on in the kernel will help you do your job better. This class was written to bridge the gap between high-level security vulnerabilities and the low-level operating system functionality that they target.

Student Requirements

Students should have a basic familiarity with operating systems, assembly language, and using a debugger. Familiarity with programming and data structures is also helpful. If students have debugged user-land applications before and understand basic data structures, they should have no problem with the overall concepts.

What Students Should Bring

Students will be required to bring a laptop running VMware Workstation or VMware Fusion. The free 30-day trial is fine.
https://www.vmware.com/try-vmware.html

The following two virtual machines will be required:
• Windows 7 32-bit, unpatched
• Windows 8 32-bit, unpatched
Free trial images for each of these VMs can be downloaded from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

What Students Will Be Provided With

Students will be provided with course materials (slides in PDF form), a lab guide (PDF), all supplementary course materials (tools, scripts, etc.), and a Hungry Hackers notebook.

Trainers

John deGruyter started his professional career with a laptop in one hand and an M-16 in the other. After his service as a computer specialist in the United States Marine Corps, he continued to develop his passion for taking things apart and studying how they work at a low level. His hunger for learning soon developed into a passion for teaching. He is a regular speaker at local security meetups and has taught as an adjunct professor at The George Washington University.