This course is targeted at security researchers, reverse engineers, software developers, support engineers and software QA engineers who have to regularly analyze and debug Windows kernel mode software.
The course starts with the foundations required to be effective at kernel debugging such as reverse engineering, debugger scripting, calling convention, call stacks etc.
It then dives into various techniques and strategies that can be applied to perform triaging, fault isolation, analysis and root causing of crashes and hangs caused by kernel mode drivers.
In addition, this course covers identification and analysis of kernel mode rootkits.
Every topic in the course is accompanied by hands-on labs that involve extensive usage of the WinDBG/KD, Driver Verifier, GFlags, Windows Performance Analyzer (WPA), Volatility as well as tools in the Windows Driver Kit (WDK).
These hands-on labs provide attendees with real life experience of live kernel debugging, crash/hang analysis and identification of malicious activity.
All labs in the course are performed on the 64-bit version of Windows 10.
NOTE : This course focuses on debugging kernel mode software and does not cover debugging or analysis of hardware device drivers.
Attendees must have a solid understanding of Windows kernel data structures and interfaces.
Knowledge of C/C++ programming is highly desirable to get maximum value from this course.
The CodeMachine Windows Kernel Internals and CodeMachine Windows Kernel Programming courses provide the necessary pre-requisites for this course.
Being able to use the kernel debugger effectively is critical to memory dump analysis.
The objective of this section is to learn about the kernel debugger, debugging symbols and debugger usage.
The objective of this section is to learn techniques to map X64 assembler code into C/C++ language constructs used to develop kernel modules.
The objective of this section is to learn about the debugger's scripting support and how to use it to automate common debugging and analysis tasks.
This objective of this section is to learn about the debugger engine programming interface and how to use it to develop kernel debugger extensions.
This section requires attendees to write code in C/C++ to develop extension DLLs.
The objective of this section is to learn about why and how bug-checks happen, learn about performing triaging and fault isolation.
This section also covers tools which can be used to capture enhanced runtime information to help with debugging tasks.
The objective of this section is to learn how stacks work on 64-bit systems and how to use knowledge of 64-bit stack layout to retrieve critical information about functions.
The objective of this section is to learn about debugging and analyzing systems hangs and performance issues.
The objective of this section is to learn deep analysis techniques which can be used to root cause problems into specific bugs in kernel modules.
This section also discusses how to find artifacts of kernel mode rootkits in memory dumps and physical memory captures.