Windows Internals Essentials
Introduction
Windows Internals Essentials is meant for security professionals and cyber security analysts who want to review their Windows internals concepts and skills and strengthen those foundations. The course will also be useful for reverse engineers and malware analysts, since many of the core concepts overlap when it comes to Windows malware and its interaction with the OS. Windows Internals Essentials focuses on building a thorough grasp of the key OS mechanisms and data structures in both ring 0 and ring 3, and on developing proficiency with the Sysinternals Suite, the WDK (Windows Driver Kit) and the Windows Debugging Tools (x86/x64) to probe the OS layers. Participants will also analyse both user mode and kernel mode malware, with a focus on using the Microsoft debuggers to extract the relevant information. The prime goal of this course is the transparency you gain in your day-to-day analysis.
Course Objectives
- Obtain a solid grasp of the tools required to get the job done with a clear understanding of the pros and cons of each and the benefit of having a well streamlined toolkit.
- Understand the Windows OS system mechanisms and OS layers with a focus on the Windows kernel.
- Build proficiency in Windbg/KD/LiveKD and tweak the debugger to get the level of detail required for your analysis. Starting from setup and configuration, you will cover an extensive array of Windbg commands, categorised by type, action and goal.
- Demystify system data structures, memory management and the Object Manager in Windows.
- Catalog the IOCs (Indicators of Compromise) while dealing with malicious code using Windbg/KD.
- Understand how to capture and work with memory dumps inside the debugger.
Who should attend
- Reverse engineers
- Malware analysts
- Penetration testers
- Security researchers
- C/C++ developers
- Cyber Security Professionals
- Students with aptitude
Table of Contents
Day 1
Day 2
Windows architecture and data structures:
Rings, graphics subsystem, system DLLs, call gates, interrupts, SYSENTER/SYSEXIT, user mode, kernel mode, processes, threads, jobs, EPROCESS, ETHREAD, KPROCESS, KTHREAD, KUSER_SHARED_DATA, KPCR (processor control region), TLS, PEB, TEB, CPU registers for system management
Malware demo 1, demonstrating the concepts above.
Bhushan Jeevan Rane, Assistant Manager – SHCIL
Faculty has good trainers. Yes, the course met its objective.
Mukesh Lokre, Information Security Analyst – Travelex
Faculty has delivered the content clearly. He has a good subject knowledge.
Chinmay Dhawale, Information Security Analyst – Travelex
Very impressive, knowledgeable, technically sound & skilled trainers.
Shital Ranadive, Info Security Analyst – IDBI Intech Ltd
Faculty is good & has explained the topics very well.
Reshma Dsouza
Concepts well explained. Queries handled very well. Good correlation of practical usage of the concepts in incident investigations.