This follow-up to the developer track of the Windows Internals course allows organizations to train a subset of their developers beyond the skills needed for writing efficient code, and also arming them with the knowledge on how to debug and troubleshoot deep system problems using the Microsoft Kernel Debugger, as well as adding several new components to the course curriculum, such as the Configuration Manager (in charge of the registry), the User-mode Loader (in charge of DLLs), and the Advanced Local Procedure Call (ALPC) mechanism (in charge of DCOM, RPC, User-mode Driver Communication, and more…).
Additionally, this course contains most of the security-focused content of the security track (which developers would’ve missed out on), giving access to the trainees to inside information on how their own drivers and applications may be misused to become the unwitting participants of an exploit or attack against a machine. Developers often think from a very pragmatic point of view about their interfaces and level of access, not realizing that peculiarities, oddities, and sometimes outright bugs in the kernel could be working to undermine their efforts in securing their data and code.
Finally, for organizations that are solely security-focused and are thinking about requesting the security track of the developer course, as the advanced course would provide the entire security track duplicated yet again, we recommend instead considering if 10 days of training (which can be split across the calendar year) may work better — giving your analysts and researchers good background information on Windows in the developer track — and then augmenting it with the security information they would’ve gotten had they taken the security track, plus all the additional content offered in the advanced course (such as process creation semantics, and user-mode loader internals).
Advanced Course Outline
- Introduction and Tools
- WinDBG Primer
- CPU Architecture & Deep OS Fundamentals
- Extended Executive Components
- Advanced Process Management & Loader
- Low-Level Memory Forensics
- Windows Subsystem
- Windows Bug Analysis
As in the security track of the Windows Internals course, the following topics and concepts are covered.
x86/x64 CPU Design, Pico Processes, Secure Processes
Advanced Local Procedure Call (ALPC), Windows Subsystem (CSRSS & Win32k)
Forensics & Analysis
WinDBG Scripting & NatVis, Hidden Processes, Shared Memory/Cached File Forensics
UEFI Secure Boot, Signing Policies, User Mode Code Integrity (UMCI), Hypervisor-Based Code Integrity, Device Guard/Strong Code Guarantees, HyperGuard, Windows Bug Analysis
Plus these topics, which are exclusive to the advanced course
Graphics System Calls, I/O APIC, ELAM, AMSI, Signature Callbacks, Secured ETW
Extended Executive Components
Object Manager Filtering & Private Namespaces, Configuration Manager (Registry)
Session Manager (SMSS), User-mode Loader (NTDLL), Protected Policies
Forensics & Analysis
Registry Carving, Object Manager Forensics, System Call Hook Analysis, Interrupt Tracking, PFN & Working Set Forensics