Windows Internals Essentials

Operation system security


Windows Internals Essentials is meant for security professionals and cyber security analysts who want to review their Windows internals concepts and skillsets and bolster their foundations on the same. This course also will be useful for reverse engineers and malware analysts as well since a lot of the core concepts overlap when it comes to Windows malware and its interaction with the OS. Windows Internals Essentials will focus on building a thorough grasp of the key OS mechanisms and data structures in both ring 0 and ring 3 as well as developing proficiency in Sysinternals Suite, WDK (Windows Driver Kit), Windows Debugging Tools (x86/x64) to probe the OS layers. The course participants will also analyse both user mode and kernel mode malware with a focus on using Microsoft debuggers to extract relevant information. The transparency gained in your day to day analysis will be the prime motto of this course.

Course Objectives

  • Obtain a solid grasp of the tools required to get the job done with a clear understanding of the pros and cons of each and the benefit of having a well streamlined toolkit.
  • Understand the Windows OS system mechanisms and OS layers with a focus on the Windows kernel.
  • Build proficiency in Windbg/KD/LiveKD and tweak the debugger to get the level of detail required for your analysis. Starting from setup and configuration you will cover and extensive array of Windbg commands, categorised by type, action and goal.
  • Demistify system data structures, memory management and the Object manager in Windows.
  • Catalog the IOC’s or Indicators of Compromise while dealing with malicious code using Windbg/KD.
  • Understand how to capture and work with memory dumps inside the debugger

Who should attend

  • Reverse engineers
  • Malware analysts
  • Penetration testers
  • Security researchers
  • C/C++ developers
  • Cyber Security Professionals
  • Students with aptitude

Table of Contents

Day 1
Day 2
Windows architecture and data structures:

Rings, graphic subsystem, system DLLs, call gates, interrupts, SYSENTER/SYSEXIT, user mode, kernel mode, processes, threads, jobs, EPROCESS, ETHREAD, KPROCESS, KTHREAD, KSHARED_USER_DATA, KPCR (processor control region) TLS, PEB, TEB, CPU registers for system management

Malware demo 1 that demonstrates above concepts.

Day 3
Day 4

Register for a training

Previous TrainingExploit Development
Next TrainingBig Data for Security Analytics
Bhushan Jeevan Rane, Assistant Manager – SHCIL

Faculty has a good trainers. Yes, the course met its objective.

Mukesh Lokre, Information Security Analyst – Travelex

Faculty has delivered the content clearly. He has a good subject knowledge.

Chinmay Dhawale, Information Security Analyst – Travelex

Very impressive, knowledgeable, technically sound & skilled trainers.

Shital Ranadive, Info Security Analyst – IDBI Intech Ltdt

Faculty is good & has explained the topics very well.

Reshma Dsouza

Concepts well explained. Queries handled very well. Good correlation of practical usage of the concepts in incident investigations.