Course Description
Our flagship course aims to provide a variety of audiences with the necessary skills and knowledge to gain a thorough initial understanding of the design, architecture, and implementation of modern Windows operating systems. Providing two tracks — one for developers, and one for security experts — the course goes through nearly all core aspects of the kernel and its supporting components.
In the developer track, attendees will use tools such as Process Explorer, Process Hacker, WinObjEx64, and many other Sysinternals tools in order to understand and troubleshoot the operation of Windows applications, services, and drivers. They will learn how to use the performance counter and tracing infrastructure to understand and monitor memory consumption, while learning the algorithms that drive virtual memory management, thread scheduling, wait dispatching, synchronization, ACL-based security access checks, I/O completion, and more. When needed, the Windows Kernel Debugger will also be used to build a deeper understanding of system data structures and behaviors.
In the security expert track, attendees will place greater emphasis on the use of the Windows Kernel Debugger and learn its command set and capabilities inside out, including the development of WinDBG scripts and automation in a variety of languages (NatVis/C#, Python, JavaScript & more). Using this knowledge, they will tear apart internal data structures to look for anomalies, learn the behaviors of various fields and bits, and learn how to analyze a system for forensic and real-time purposes to detect hidden processes, cached files, executable regions of memory, and more.
Developer Course Outline
- Introduction and Tools
- OS Fundamentals
- Kernel Infrastructure
- Processes and Threads
- Memory Management
- System Mechanisms
- Security
- I/O System
Security Course Outline
- Introduction and Tools
- WinDBG Primer
- OS Design
- Architecture & Fundamentals
- Core & Executive Mechanisms
- Execution & Memory Model
- Windows Subsystem
- Windows Bug Analysis
In-Depth Topics
Although the two tracks have a slightly different focus based on audience, many topics are covered in both flavors of the course.
Execution Fundamentals
Privilege Levels, Virtual Trust Levels (Hyper-V VTL), KPCR, KPRCB, NUMA & Topology, Timers, Interrupts, APCs, DPCs, IRQLs, System Calls, PatchGuard
Memory Fundamentals
Address Space Layouts, Hardware Page Translation, VADs, Code Signing, Pool Manager, PFN Database
System Fundamentals
Object Manager, App Container (Windows 8 Sandbox), Process Management, Protected Process Light, Sessions
The following topics are only discussed in the developer track.
System Components
WOW64, SuperFetch, I/O Manager, Services
Thread & Memory Policies
Thread Scheduling, Job Objects, Paging Files, Commit Charge, Working Set, Wait Dispatching
Data Security
Authentication (Logon), Authorization (SIDs, SDs, ACEs & DACLs), Token Attributes & Claims, Integrity Levels
The following topics are only discussed in the security track.
System Architecture
x86/x64 CPU Design, User-mode Callbacks, Pico Processes, Secure Processes
System Security
UEFI Secure Boot, Signing Policies, User Mode Code Integrity (UMCI), Hypervisor-Based Code Integrity, Device Guard/Strong Code Guarantees, HyperGuard, Windows Bug Analysis
Executive Components
Advanced Local Procedure Call (ALPC), Windows Subsystem (CSRSS & Win32k)
Forensics & Analysis
WinDBG Scripting & NatVis, Hidden Processes, Registry Carving, Shared Memory/Cached File Forensics