Windows Internals Essentials is meant for security professionals and cyber security analysts who want to review their Windows internals concepts and skills and strengthen their foundations in this area. The course will also be useful for reverse engineers and malware analysts, since many of the core concepts overlap when it comes to Windows malware and its interaction with the OS. Windows Internals Essentials focuses on building a thorough grasp of the key OS mechanisms and data structures in both ring 0 and ring 3, as well as developing proficiency with the Sysinternals Suite, the WDK (Windows Driver Kit) and the Debugging Tools for Windows (x86/x64) to probe the OS layers. Participants will also analyse both user mode and kernel mode malware, with a focus on using Microsoft debuggers to extract relevant information. The prime goal of this course is the transparency you gain in your day-to-day analysis.
Debugging Tools for Windows (x86/x64), symbols, symbol server, VC++, Masm32, VMware/Parallels, named pipes, serial/USB kernel debugging, OS boot modes
Initial overview of Windows data structures via LiveKD on a running system, Windows Debug Mode, WinDbg dot commands, meta commands and extension commands, supported instances of each in WinDbg via LiveKD, generic use cases
Selected tools from the suite: Process Explorer, Process Monitor, Autoruns, LiveKD, Handle, ClockRes, BgInfo, Strings and many others
System programming via Visual Studio and some key APIs that we will focus on from the Win32 and Native API function groups.
IDA Pro, OllyDbg, Immunity Debugger, Visual Studio Debugger, PE format parsers, API monitoring tools
Rings, graphics subsystem, system DLLs, call gates, interrupts, SYSENTER/SYSEXIT, user mode, kernel mode, processes, threads, jobs, EPROCESS, ETHREAD, KPROCESS, KTHREAD, KUSER_SHARED_DATA, KPCR (processor control region), TLS, PEB, TEB, CPU registers for system management
Malware demo 1 that demonstrates the above concepts.
Win32/Native APIs with discussions in VC++, structured exception handling, vectored exception handling, kernel user callbacks, service descriptor tables, interrupt request levels, traps, errors, faults, memory manager, paging, page directory tables, page table entries, pagefile, page frame number database, CR3 register, MSRs (Model Specific Registers), VAD trees, thread stacks, memory descriptor lists, memory management APIs, stack, heap data structures, memory bug checks, analysis of memory dumps in WinDbg
Malware demo 2 that demonstrates the above concepts.
Object headers, object manager, object categories, security tokens, handles, handle tables, reference counting, WinDbg commands to investigate objects in Windows.
WDK, sample driver coding and compiling, I/O requests, major and minor function arrays, driver analysis, kernel exploitation
Rootkit demo that illustrates the above concepts.
This course goes deep into networking, systems, web applications and actual exploitation, and helps beginners take a confident first step into the information security field.