Windows Low Level Development: Zero to Hero

August 2022

## Class Abstract

Writing code for Windows in user mode or kernel mode will significantly enhance your understanding and capabilities. Whether you're reversing malware, writing an exploit, or researching some dark corner of Windows, knowing how to work with processes, threads, memory, DLLs, kernel APIs and more deepens an understanding that can take you anywhere you need to go within Windows. The course teaches user-mode programming with the Windows API (and some native APIs), along with developing kernel drivers that hook into kernel mechanisms. By the end of this course, you'll have the tools and knowledge of a low-level Windows developer.

Suggested Combo from the same instructor:
Windows Low Level Security Fundamentals

Supplementary Reading Material authored/co-authored by the instructor:
Windows Internals 7th Edition
Windows Kernel Programming
Windows System Programming Part 1
Windows System Programming Part 2
## Course Objectives

* Understand the main mechanisms and components of the Windows OS
* Write user-mode programs leveraging the Windows API
* Use WinDbg and Visual Studio to debug processes and kernel code
* Understand driver development fundamentals
* Write kernel-mode drivers

## Who Should Attend

* Developers
* Reverse Engineers
* Members of Red Teams wishing to write custom tools
* Anyone wishing to dive deep into Windows Internals

## Syllabus

#### Module 1: Windows System Architecture Overview

* Tools
* Processes
* Virtual Memory
* Threads
* User mode vs. Kernel mode
* Architecture Overview
* System Calls
* Introduction to WinDbg

#### Module 2: Windows API Foundation

* Windows APIs
* Using Visual Studio
* Common Types and Conventions
* Working with Strings
* 64-bit vs. 32-bit development
* Kernel Objects
* Working with Handles
* Sharing Objects
* Object Names

#### Module 3: Processes

* Process creation
* The main function(s)
* Creating processes
* Process termination
* Enumerating processes
* DLLs

#### Module 4: Memory

* Process address space
* Process memory counters
* Reserving and committing memory
* The heap manager
* Memory Mapped Files

#### Module 5: Threads

* Thread basics
* Creating threads
* Thread Priorities
* Thread Scheduling
* Thread Stacks
* Thread Synchronization

#### Module 6: The I/O System

* I/O System overview
* Device Drivers
* The Windows Driver Model (WDM)
* The Kernel Mode Driver Framework (KMDF)
* Driver types
* Software drivers
* Driver and device objects
* I/O Processing and Data Flow
* Accessing files and devices
* Asynchronous I/O

#### Module 7: Kernel programming basics

* C++ in a kernel driver
* Creating a driver project
* Building and deploying
* The kernel API
* Strings
* Linked Lists
* Kernel Memory Pools
* The DriverEntry function
* The Unload routine
* Driver Debugging

#### Module 8: The I/O Request Packet (IRP)

* Creating a device object
* Exporting a device name
* Building a driver client
* Driver dispatch routines
* Introduction to I/O Request Packets (IRPs)
* Completing IRPs
* Accessing user space buffers
* Handling DeviceIoControl calls

#### Module 9: Kernel Mechanisms

* Interrupt Request Levels (IRQLs)
* Deferred Procedure Calls (DPCs)
* Structured Exception Handling
* System Crash
* Synchronization
* Work Items

#### Module 10: Process and Thread Notifications

* Process creation/destruction callback
* Specifying process creation status
* Thread creation/destruction callback
* Notifying user mode
* Writing a user mode client
* User/kernel communication

#### Module 11: Object and Registry Notifications (if time permits)

* Process/thread object notifications
* Pre and post callbacks
* Registry notifications
* Performance considerations
* Reporting results to user mode

## Prerequisites

* Basic acquaintance with Windows concepts and architecture
* Power-user level working with Windows
* Experience writing C code (basic C++ knowledge is recommended but not required)

## System Requirements

* Windows 10 or 11 x64 (any SKU)
* Visual Studio 2019 + latest updates (must include the C++ workload)
* (optional) Visual Studio 2022 with the C++ workload
* Windows 11 SDK (at least the Debugging Tools for Windows)
* Windows 11 Driver Kit (WDK)
* Virtual machine running one of Windows 7/8.1/10/11 (based on Hyper-V, VMware or VirtualBox)
* (Optional) WinDbg Preview (from the Microsoft Store)
* The Sysinternals suite (from www.sysinternals.com)
* PDF reader
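The I/O Request Packet module of the syllabus ends with handling DeviceIoControl calls and accessing user-space buffers. Both hinge on how a 32-bit control code is laid out, because the low two bits (the transfer method) decide whether the dispatch routine finds the caller's data in a kernel-side system buffer, in an MDL, or as a raw user pointer it must probe. The following is an added example and not course material from the instructor: it re-declares the documented CTL_CODE layout and the WDK constants it uses so that it builds without the WDK, encodes and decodes control codes, and reports where a driver should look for each buffer. The two FILE_DEVICE_UNKNOWN codes are constructed for the example; the third is the public IOCTL_DISK_GET_DRIVE_GEOMETRY value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a Windows I/O control code, as produced by the CTL_CODE macro in
 * the WDK headers (winioctl.h / ntddk.h):
 *   bits 31..16  device type
 *   bits 15..14  required access (FILE_ANY_ACCESS, FILE_READ_ACCESS, FILE_WRITE_ACCESS)
 *   bits 13..2   function number (0x000-0x7FF reserved by Microsoft, 0x800-0xFFF for third parties)
 *   bits  1..0   transfer method, which decides where the driver finds its buffers
 * The constants below carry their documented WDK values, redefined here so the
 * program builds on any platform without the WDK. */
#define METHOD_BUFFERED    0
#define METHOD_IN_DIRECT   1
#define METHOD_OUT_DIRECT  2
#define METHOD_NEITHER     3

#define FILE_ANY_ACCESS    0
#define FILE_READ_ACCESS   1
#define FILE_WRITE_ACCESS  2

#define FILE_DEVICE_DISK      0x07
#define FILE_DEVICE_UNKNOWN   0x22

#define CTL_CODE(DeviceType, Function, Method, Access)                 \
    ((((uint32_t)(DeviceType)) << 16) | (((uint32_t)(Access)) << 14) | \
     (((uint32_t)(Function)) << 2)    |  ((uint32_t)(Method)))

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} IoctlFields;

/* Split a control code back into its fields (the reverse of CTL_CODE). */
IoctlFields decode_ioctl(uint32_t code)
{
    IoctlFields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Function numbers 0x800 and above are the range a third-party driver
 * (such as one written in this course) is expected to use. */
int is_third_party_function(uint32_t function)
{
    return function >= 0x800;
}

/* Where the IRP_MJ_DEVICE_CONTROL dispatch routine finds the caller's input
 * buffer for a given transfer method. Lengths always come from the current
 * IO_STACK_LOCATION: Parameters.DeviceIoControl.InputBufferLength / OutputBufferLength. */
const char *input_buffer_location(uint32_t method)
{
    switch (method & 0x3) {
    case METHOD_NEITHER:
        return "IoStack->Parameters.DeviceIoControl.Type3InputBuffer (raw user pointer: probe and access under __try/__except)";
    default: /* BUFFERED, IN_DIRECT and OUT_DIRECT all copy the input into a system buffer */
        return "Irp->AssociatedIrp.SystemBuffer (kernel copy made by the I/O manager)";
    }
}

const char *output_buffer_location(uint32_t method)
{
    switch (method & 0x3) {
    case METHOD_BUFFERED:
        return "Irp->AssociatedIrp.SystemBuffer (shared with input; copied back to the caller on completion)";
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT:
        return "Irp->MdlAddress (locked user pages; map with MmGetSystemAddressForMdlSafe)";
    default: /* METHOD_NEITHER */
        return "Irp->UserBuffer (raw user pointer: probe and access under __try/__except)";
    }
}

int main(void)
{
    /* Two codes a course driver might define (constructed for this example)
     * plus one real code from the public headers, IOCTL_DISK_GET_DRIVE_GEOMETRY. */
    uint32_t codes[] = {
        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS),
        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_READ_ACCESS | FILE_WRITE_ACCESS),
        CTL_CODE(FILE_DEVICE_DISK, 0, METHOD_BUFFERED, FILE_ANY_ACCESS),
    };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        IoctlFields f = decode_ioctl(codes[i]);
        printf("0x%06X: device 0x%02X access %u function 0x%03X method %u%s\n",
               (unsigned)codes[i], (unsigned)f.device_type, (unsigned)f.access,
               (unsigned)f.function, (unsigned)f.method,
               is_third_party_function(f.function) ? " (third-party range)" : "");
        printf("  input:  %s\n  output: %s\n",
               input_buffer_location(f.method), output_buffer_location(f.method));
    }
    return 0;
}
```

The decoder is the same arithmetic a reverser applies to an unknown IOCTL seen in a driver's dispatch routine: the method bits tell you immediately whether the driver is handed a kernel copy of the data or a raw user pointer, which is where user-buffer handling bugs in METHOD_NEITHER handlers come from.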
Pavel Yosifovich


Pavel is a developer, trainer, author and speaker. He has written several books dealing with the inner workings of Windows, such as [Windows Internals 7th edition part 1](https://www.amazon.com/Windows-Internals-Part-architecture-management/dp/0735684189) (co-author), [Windows Kernel Programming](https://www.amazon.com/Windows-Kernel-Programming-Pavel-Yosifovich/dp/B08WZHBQYC), and [Windows 10 System Programming, part 1](https://www.amazon.com/Windows-10-System-Programming-Part/dp/B086Y6M7LH) and [part 2](https://www.amazon.com/Windows-10-System-Programming-Part/dp/B09GJKKBZP). Pavel is the author of many open-source tools that show detailed information about Windows, which can be found in his GitHub repos. Pavel also provides training for developers and researchers on Windows-related topics, as well as on more general software development using C/C++, C# and Rust.