Windows Kernel Internals

A Crash Course

4 Day, 32 CPE Hour Training: February 2022

## Abstract

The Windows kernel is the heart of the Windows OS. It serves user-mode clients with system calls and provides a host of kernel object types that serve user-mode and kernel-mode clients, providing much of the functionality of Windows. This course dives into the Windows kernel and exposes many of its mechanisms and data structures, allowing the student to gain a deeper understanding of Windows as a whole. The course uses various tools to gain insight into a Windows system, including a kernel debugger. Simple kernel driver writing is demonstrated, showing the power of the kernel as compared to user mode.

Supplementary reading material authored/co-authored by the instructor:

* Windows Internals 7th Edition
* Windows Kernel Programming
* Windows System Programming Part 1
* Windows System Programming Part 2
## Objectives

* Understand the Windows system architecture.
* Inspect kernel (and user) data structures on a live system.
* Understand how device drivers integrate with the kernel.
* Write simple device drivers that take advantage of kernel power.

## Target audience

The course is intended for developers, researchers, IR personnel, and anyone interested in understanding the workings of the Windows kernel.

## Agenda

#### Module 1: System Architecture

* Tools of the Trade
* Processes
* Virtual Memory
* Threads
* General System Architecture
* User Mode vs. Kernel Mode
* System Calls
* NtDll.Dll
* Introduction to WinDbg
* User Mode Debugging
* Kernel Mode Debugging
* LABS: user and kernel debugging; Sysinternals tools

#### Module 2: Kernel Mechanisms

* Interrupts and Exceptions
* Interrupt Request Levels (IRQLs)
* Deferred Procedure Calls (DPCs)
* System Crash
* Analyzing Dump Files
* Driver Verifier
* Objects and Handles
* Protecting Objects
* Thread Synchronization
* LABS: analyzing a crash; synchronization

#### Module 3: Memory Management

* Overview
* Page States
* Virtual Memory Translation
* Page Dynamics
* Heaps
* Other features (if time permits)
* LABS: reserving and committing memory; address translation

#### Module 4: The I/O System

* I/O System components
* Device Drivers
* Plug and Play
* Driver and Device Objects
* I/O Request Packets (IRPs)
* IRP Processing
* Software Drivers
* User/Kernel Communications
* LABS: Writing a kernel driver; looking at devices and drivers

#### Module 5: Miscellaneous Topics (if time permits)

* Process Types
* Jobs
* Silos
* Memory Mapped Files

## Prerequisites

* Power-user level working knowledge of a Windows system.
* Some familiarity with OS concepts such as processes, threads, and virtual memory is recommended.

## Software and Hardware Requirements

* Any system running Windows 10 or Windows 11 with at least 16GB RAM
* [Sysinternals Tools](https://www.sysinternals.com)
* WinDbg Preview (install from the Microsoft Store)
* Recommended: Visual Studio 2019 (the free Community edition works); include the C++ workload when installing.
* Recommended: Windows 11 Driver Kit (download and install the latest)
* Recommended: A virtual machine (Hyper-V, VMware or VirtualBox) running Windows 7, 8.1, 10 or 11
* PDF Viewer
Pavel Yosifovich


Pavel is a developer, trainer, author and speaker. He has written several books dealing with the inner workings of Windows, such as [Windows Internals 7th edition part 1](https://www.amazon.com/Windows-Internals-Part-architecture-management/dp/0735684189) (co-author), [Windows Kernel Programming](https://www.amazon.com/Windows-Kernel-Programming-Pavel-Yosifovich/dp/B08WZHBQYC), and [Windows 10 System Programming, part 1](https://www.amazon.com/Windows-10-System-Programming-Part/dp/B086Y6M7LH) and [part 2](https://www.amazon.com/Windows-10-System-Programming-Part/dp/B09GJKKBZP). Pavel is the author of many open-source tools that show detailed information about Windows, which can be found in his GitHub repos. Pavel also provides training for developers and researchers on Windows-related topics, as well as more general software development using C/C++, C# and Rust.