Windows Internals for Reverse Engineers

Abstract

Learn the internals of the Windows Kernel and its NT-based architecture, including the upcoming Windows 10 "Vanadium" (19H2) and "Vibranium" (20H1) plus Server 2019, in order to learn how rootkits, PLA implants, NSA backdoors, and other malicious tools exploit the various system functionalities, mechanisms and data structures to do their dirty work. Also learn how kernel-mode code operates and how it can be subject to attack from user-mode callers to elevate their privileges. Finally, learn how CPU architecture deeply ties into OS design, and how Intel and AMD's mistakes can lead to more pwnage. While you might say this latter part is trying to capitalize on recent events, it's worth nothing it's been in the course since day 1.

Of course, we'll cover the new and ongoing Windows 10 kernel changes, including the introduction of Virtual Trust Levels to make pass-the-hash attacks virtually impossible, Enclave technologies for secure computing, Hypervisor-based Code Integrity to prevent arbitrary code execution, even when faced with Ring 0 vulnerabilities, as well as new mitigations and upcoming such as Kernel Control Flow Guard (KCFG) and Intel Control-flow Enforcement Technology (CET) to protect against exploitation.

Windows 10 builds upon many Windows 8.1 mechanisms such as Protected Process Light and custom Code Signing Policies, so we'll review this as well, plus the original wave of Windows 8 kernel features (AppContainer, Secure Boot, ELAM, and more) relevant to driver operation and exploitation techniques will be discussed, including an overview of over two dozen new security mitigations that have been added to the operating system.

We'll see how these changes to the architecture have dramatically constrained exploit techniques. Windows 7 kernel changes will be discussed too, such as the new Object Manager data structures.

All while learning the theory, you will use tools such as WinDBG, SysInternals Tools and Process Hacker to analyze, poke, and prod kernel-mode Windows components, as well as write your own debugger scripts including the new NatVis/LINQ mode and JavaScript extensions.

Throughout the class, we'll focus on using various techniques and tools to inspect the Windows kernel for consistency, tracing its operation, and editing it, as well as ways in which offensive and defensive attackers can mess with the system's state in unexpected, "clean" ways. We'll also take a look at several examples of malicious and/or buggy constructs in a given Windows system, as well as architectural bugs over Windows' lifetime.

Attendees will receive a physical handout of the entire course materials for future reference, access to a live chat channel with sharing of all live commands and demo output, plus a zip file containing the course logs and over 50 different sample scripts and extensions.

Pre-requisites

IMPORTANT: It is helpful to understand x86/x64 assembly to take this course, but knowledge of obfuscation, packing, etc., is not required.



Basic knowledge of Windows, processor architecture, and operating systems is helpful - you should have some vague idea of what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about virtual memory/paging, etc.

System Requirements

Note that a full class/software installation and preparation e-mail will be sent to you about 2 weeks before the class. That being said, in general, you should expect the following.

First, you should preferably have a Windows machine to attend, and you should have the Windows Driver Kit 10 release for Redstone 5 or later (17763 / 1803), which you can freely grab from the Windows Developer Center or MSDN.



A virtual machine (VirtualBox is strongly preferred - configured in UEFI + Hyper-V mode for best performance) is recommended with an installed version of Windows 10. Locally, any version of Windows 7 or later, 32-bit or 64-bit is fine. You should install the Windows Driver Kit on your host - not the VM.

If you have a Linux or Mac device, that's fine, and then you may either install the Windows Driver Kit on the VM itself, or, better yet, use two separate virtual machines.



The instructor will use a 64-bit Windows 10 device, with Windows 10 and Windows 7 32-bit VMs.



IDA/Hexrays or GHIDRA helpful, but not required.

Alex Ionescu

Alex Ionescu

Alex Ionescu is the Vice President of EDR Strategy at CrowdStrike, Inc., where he started as its Chief Architect almost eight years ago. Alex is a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last three editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as over a few dozen non-security bugs.

Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low-level system software, reverse engineering and security trainings for various institutions.