Windows Kernel Internals


Description

Kernel-mode software has unrestricted access to the system, which is why most anti-malware solutions and rootkits are implemented as Windows kernel modules. To analyze rootkits, identify indicators of compromise (IoC), and collect forensic evidence, it is critical to have a good understanding of the architecture and internals of the Windows kernel. This course takes a deep dive into the internals of the Windows kernel from a security perspective, with an emphasis on internal algorithms, data structures, and debugger usage.

In the hands-on lab exercises, students dig into the kernel using kernel debugger (WinDBG/KD) commands and learn how to interpret the debugger output of these commands to understand how the kernel works. Hands-on lab exercises are performed on pre-captured memory dumps and on a live VM running the latest version of Windows 10 64-bit.

To maximize student engagement, the course delivery is a mix of theory, instructor-led demos, code walk-throughs, lab exercises involving coding and debugging, and quizzes to check students' grasp of the content.

This training course focuses on security-related topics and does not cover topics related to hardware such as plug and play, power management, BIOS, or ACPI.

Prerequisites

Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require any programming knowledge.

Topics

Kernel Architecture

The objective of this section is to learn about the architecture of the Windows kernel and key kernel-mode components.

  • System architecture
  • Execution rings
  • NTOSKRNL & HAL
  • Win32K.sys
  • Kernel mode drivers
  • Kernel module list
  • Code integrity
  • Image notification callbacks
  • Virtualization based security (VBS)

Processes and Threads

The objective of this section is to learn about the support the kernel provides for user-mode code execution.

  • Processes, threads, and jobs
  • Thread register contexts
  • Special processes
  • Process and thread data structures
  • Process resources
  • Minimal processes
  • Protected processes
  • System calls
  • User kernel transition
  • Process lists
  • Process and thread callbacks

System Mechanisms

The objective of this section is to discuss the foundational building blocks of the system that kernel components rely on.

  • Native APIs and system calls
  • CPU model-specific registers (MSR)
  • System service dispatching
  • Trap frames
  • Exception handling
  • Kernel processor control region (KPCR)
  • Interrupt request levels (IRQL)

Execution Contexts

The objective of this section is to learn about the different mechanisms provided by the kernel for code execution, their use cases and the restrictions imposed by them.

  • Kernel timers
  • Deferred procedure calls (DPC)
  • Asynchronous procedure calls (APC)
  • User, kernel and special kernel APCs
  • Driver and kernel threads
  • System worker threads
  • Work queues and work items

Synchronization

The objective of this section is to learn about the different synchronization primitives available in the Windows kernel, their usage scenarios, and their pros and cons.

  • Dispatcher objects
  • Thread waits
  • Interlocked operations
  • Mutexes and fast mutexes
  • Critical regions
  • Executive resources
  • Push-locks
  • Spin-locks
  • In-stack queued spin-locks
  • Reader writer spin-locks

Memory Management

The objective of this section is to understand how the kernel performs memory management.

  • Virtual and physical address space
  • Address translation
  • Page tables and page table entries (PTE)
  • Page fault handling
  • Kernel virtual address space
  • Page frame number (PFN) database
  • Session space
  • Kernel stacks
  • Kernel pools
  • Memory descriptor lists (MDL)
  • Memory mapping

Object Management

The objective of this section is to understand how objects and handles are managed by the kernel.

  • Object manager
  • Object namespace
  • Object and object headers
  • Process handle tables
  • Handle permissions
  • Object reference counting
  • Type objects
  • Type procedures
  • Object callbacks

Security

The objective of this section is to learn about how the kernel secures access to objects.

  • Security identifiers (SID)
  • SID format
  • Tokens
  • Privileges
  • Security descriptors
  • Access control lists (DACL and SACL)
  • Access mask
  • Integrity levels
  • Access check order
  • Impersonation

I/O Management

The objective of this section is to understand how the kernel dispatches I/O requests to drivers, how drivers handle I/O requests, and the various data structures that are involved in processing I/O.

  • Driver architecture
  • Dispatch entry points
  • Key I/O manager data structures
  • Device objects and device extensions
  • Driver types (Bus, Function, Filter)
  • Device types (FDO, PDO, FiDO)
  • IRPs and I/O stack locations (IOSL)
  • Driver layering and filter drivers
  • IRP processing
  • IRP completion routines

Kernel Security Mitigations

The objective of this section is to understand the different exploit mitigations that have been added to the Windows kernel over the course of its lifetime.

  • Kernel exploitation
  • Stack cookies
  • Kernel data execution prevention (KDEP)
  • Kernel address space layout randomization (KASLR)
  • Supervisor mode execution prevention (SMEP)
  • Supervisor mode access prevention (SMAP)
  • Win32K call filtering
  • Kernel mode code signing (KMCS)
  • Kernel patch protection (PatchGuard)
  • Kernel control flow guard (KCFG)
  • Hypervisor based code integrity (HVCI)