Kernel-mode software has unrestricted access to the system, which is why most anti-malware solutions and rootkits are implemented as Windows kernel-mode drivers.
To analyze rootkits, identify indicators of compromise (IoCs), and collect forensic evidence, it is critical to have a good understanding of the architecture and internals of the Windows kernel.
This course takes a deep dive into the internals of the Windows kernel from a security perspective, with an emphasis on internal algorithms, data structures, and debugger usage.
In the hands-on lab exercises, students dig into the kernel using kernel debugger (WinDBG/KD) commands and learn how to interpret the output of those commands to understand how the kernel works. Lab exercises are performed on pre-captured memory dumps and on a live VM running the latest version of Windows 10 64-bit.
To maximize student engagement, the course delivery is a mix of theory, instructor-led demos, code walk-throughs, lab exercises involving coding and debugging, and quizzes to check students' grasp of the content.
This training course focuses on security-related topics and does not cover hardware-related topics such as Plug and Play, power management, BIOS, or ACPI.
Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows.
This course does not require any programming knowledge.
The objective of this section is to learn about the architecture of the Windows kernel and key kernel-mode components.
The objective of this section is to learn about the support the kernel provides for user-mode code execution.
The objective of this section is to discuss the foundational building blocks of the system that kernel components rely on.
The objective of this section is to learn about the different mechanisms provided by the kernel for code execution, their use cases and the restrictions imposed by them.
The objective of this section is to learn about the different synchronization primitives available in the Windows kernel, their usage scenarios, and their pros and cons.
The objective of this section is to understand how the kernel performs memory management.
The objective of this section is to understand how objects and handles are managed by the kernel.
The objective of this section is to learn how the kernel secures access to objects.
The objective of this section is to understand how the kernel dispatches I/O requests to drivers, how drivers handle I/O requests, and the various data structures involved in processing I/O.
The objective of this section is to understand the different exploit mitigations that have been added to the Windows kernel over the course of its lifetime.