Windows Internals Essentials
Windows Internals Essentials is meant for security professionals and cyber security analysts who want to review their Windows internals concepts and skills and strengthen their foundations. The course is equally useful for reverse engineers and malware analysts, since most of the core concepts overlap when it comes to Windows malware and its interaction with the OS. Windows Internals Essentials focuses on building a thorough grasp of the key OS mechanisms and data structures in both ring 0 and ring 3, and on developing proficiency with the Sysinternals Suite, the WDK (Windows Driver Kit) and the Debugging Tools for Windows (x86/x64) to probe the OS layers. Participants will also analyse both user mode and kernel mode malware, with a focus on using the Microsoft debuggers to extract the relevant information. The aim throughout is to make your day to day analysis transparent: you should be able to see, in the debugger, exactly what the OS and the sample are doing.
- Obtain a solid grasp of the tools required to get the job done, with a clear understanding of the pros and cons of each and the benefit of a well streamlined toolkit.
- Understand the Windows OS system mechanisms and OS layers with a focus on the Windows kernel.
- Build proficiency in WinDbg/KD/LiveKD and tune the debugger to the level of detail your analysis requires. Starting from setup and configuration, you will cover an extensive array of WinDbg commands, categorised by type, action and goal.
- Demystify system data structures, memory management and the Object Manager in Windows.
- Catalogue IOCs (Indicators of Compromise) while dealing with malicious code using WinDbg/KD.
- Understand how to capture memory dumps and work with them inside the debugger.
Who should attend
- Reverse engineers
- Malware analysts
- Penetration testers
- Security researchers
- C/C++ developers
- Cyber Security Professionals
- Students with aptitude
Table of Contents
Setup and configuration:
Debugging Tools for Windows (x86/x64), symbols, symbol server, VC++, MASM32, VMware/Parallels, named pipes, serial/USB kernel debugging, OS boot modes
Initial overview of Windows data structures via LiveKD on a running system, Windows debug mode, WinDbg regular commands, dot (meta) commands and extension (bang) commands, and which of each are supported in WinDbg when running over LiveKD. Generic use cases.
Selected tools from the Sysinternals Suite: Process Explorer, Process Monitor, Autoruns, LiveKD, Handle, ClockRes, BgInfo, Strings and many others
System programming via Visual Studio and some key APIs from the Win32 and Native API function groups that we will focus on.
IDA Pro, OllyDbg, Immunity Debugger, Visual Studio Debugger, PE format parsers, API monitoring tools
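The setup topics above (symbol server, named pipes, serial/USB kernel debugging, boot modes) are the part most people get wrong on day one, so here is an added example, not part of the course materials, that scripts the whole thing in PowerShell. It assumes a VMware guest as the debug target whose virtual serial port is mapped to the host named pipe \\.\pipe\com_1, a host IP of 192.168.56.1 for the network transport, a USB target name of INTERNALS_TARGET and a local symbol cache at C:\Symbols; all of these are hypothetical and should be changed to match your lab.

```powershell
# Added example (not from the course). Configures a kernel-debugging
# target VM, or prints the matching host-side WinDbg launch line.
# Run with -Role Target (elevated, inside the guest) or -Role Host.
# All addresses, names and paths below are assumptions for the lab.
param(
    [ValidateSet('Target','Host')]      [string]$Role      = 'Target',
    [ValidateSet('Serial','Net','Usb')] [string]$Transport = 'Serial',
    [string]$HostIp    = '192.168.56.1',     # assumption: host running WinDbg
    [int]   $NetPort   = 50000,              # assumption: KDNET port (49152-65535)
    [string]$Pipe      = '\\.\pipe\com_1',   # assumption: VMware serial -> named pipe
    [string]$UsbTarget = 'INTERNALS_TARGET', # assumption: USB debug target name
    [string]$SymCache  = 'C:\Symbols'        # assumption: local symbol cache
)

function Assert-Admin {
    # bcdedit writes the BCD store, so it refuses to run unelevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'bcdedit needs an elevated prompt.'
    }
}

if ($Role -eq 'Target') {
    Assert-Admin
    # Kernel debugging is off by default; enable it for the current boot entry.
    bcdedit /debug on | Out-Null
    switch ($Transport) {
        'Serial' { bcdedit /dbgsettings serial debugport:1 baudrate:115200 }
        # KDNET prints the generated key; paste it into the host's -k string.
        'Net'    { bcdedit /dbgsettings net "hostip:$HostIp" "port:$NetPort" }
        'Usb'    { bcdedit /dbgsettings usb "targetname:$UsbTarget" }
    }
    # Needed later in the course so the WDK sample driver loads without a
    # production signature (this is a boot mode change, hence the reboot).
    bcdedit /set testsigning on | Out-Null
    bcdedit /dbgsettings
    Write-Host 'Reboot the target for the debug settings to take effect.'
}
else {
    # Public Microsoft symbol server with a local cache. Machine scope so
    # WinDbg, KD and LiveKD all pick it up, plus the current session.
    $symPath = "srv*$SymCache*https://msdl.microsoft.com/download/symbols"
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symPath, 'Machine')
    $env:_NT_SYMBOL_PATH = $symPath

    switch ($Transport) {
        # resets=0 and reconnect keep the pipe usable across guest reboots.
        'Serial' { $conn = "com:pipe,port=$Pipe,resets=0,reconnect" }
        'Net'    { $conn = "net:port=$NetPort,key=<key printed by the target>" }
        'Usb'    { $conn = "usb:targetname=$UsbTarget" }
    }
    Write-Host "Launch the debugger with:  windbg.exe -k $conn"
    # Start-Process windbg.exe -ArgumentList "-k $conn"   # uncomment once windbg.exe is on PATH
}
```

Run the Target branch first and reboot the guest, then run the Host branch and start WinDbg with the printed `-k` string; the guest will break in when WinDbg connects, and `.symfix`/`.reload` in the debugger will confirm that the symbol path is being honoured.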
Windows architecture and data structures:
Rings, graphics subsystem, system DLLs, call gates, interrupts, SYSENTER/SYSEXIT, user mode, kernel mode, processes, threads, jobs, EPROCESS, ETHREAD, KPROCESS, KTHREAD, KUSER_SHARED_DATA, KPCR (processor control region), TLS, PEB, TEB, CPU registers used for system management
Malware demo 1 that demonstrates above concepts.
Win32/Native APIs with discussions in VC++, structured exception handling, vectored exception handling, kernel-to-user callbacks, system service descriptor tables, interrupt request levels, traps, errors, faults, memory manager, paging, page directories, page table entries, pagefile, page frame number database, CR3 register, MSRs (Model Specific Registers), VAD trees, thread stacks, memory descriptor lists, memory management APIs, stack, heap data structures, memory-related bug checks, analysis of memory dumps in WinDbg
Malware demo 2 that demonstrates above concepts.
Object manager 101:
Object headers, the Object Manager, object types, security tokens, handles, handle tables, reference counting, WinDbg commands to investigate objects in Windows.
Device Drivers 101:
WDK, sample driver coding and compiling, I/O requests, major and minor function arrays, driver analysis, kernel exploitation
Rootkit demo that illustrates the above concepts.