Kernel mode software has unrestricted access to the system, which is why most anti-malware solutions and rootkits are implemented as Windows kernel modules.
To analyze rootkits, identify indicators of compromise (IoCs) and collect forensic evidence, it is critical to have a good understanding of the architecture and internals of the Windows kernel.
This course takes a deep dive into the internals of the Windows kernel from a security perspective, with emphasis on internal algorithms, data structures and debugger usage.
Attendees use the kernel debugger (WinDBG/KD) extensively and learn how to interpret the debugger output to understand the health of the system and identify malicious activity.
Other tools, such as the Volatility framework, are also used throughout the course to hunt for IoCs in the kernel.
Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows.
This course does not require any programming knowledge.
The objective of this section is to learn about the Windows kernel debugger (WinDBG/KD), debugging symbols, debugger usage and debugger extensions useful for forensic analysis of the kernel.
The objective of this section is to discuss the architecture of the Windows kernel, key kernel mode components and core system mechanisms that are critical to kernel mode security software.
The objective of this section is to learn about the different mechanisms provided by the Windows kernel for code execution, their use cases and the restrictions imposed by them.
The objective of this section is to learn about the different synchronization primitives available in the Windows kernel, their usage scenarios and the advantages and disadvantages of each of them.
The objective of this section is to understand how the Windows kernel performs memory management.
The objective of this section is to understand how objects are managed by the Windows kernel, the relationship between objects and handles, and how the kernel performs security checks on objects.
The objective of this section is to understand how the Windows kernel dispatches I/O requests to device drivers, how device drivers handle I/O requests and the various data structures that are involved in processing I/O.
The objective of this section is to understand the different exploit mitigations that have been added to the Windows kernel over the course of its lifetime.