Windows Kernel Debugging


Description

This course is targeted at kernel software developers, support engineers and software QA engineers who regularly have to debug Windows kernel mode software. It starts with the foundations required to be effective at kernel debugging: kernel internals concepts, the key data structures used by drivers, and the debugger commands used to examine the state and health of the system. It then covers the techniques and strategies that can be applied to triage, isolate, analyze and root-cause crashes and hangs caused by kernel mode drivers. Every topic in the course is accompanied by hands-on labs that make extensive use of WinDbg/KD as well as other WDK tools. These labs give attendees real-life experience of live kernel debugging as well as crash and hang dump analysis.

NOTE: This course focuses on debugging kernel mode security software and does not cover debugging of hardware device drivers.

Prerequisites

Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require any programming knowledge.


Kernel Debugger

Being able to use the kernel debugger effectively is critical to kernel mode software development. The objective of this section is to learn about the kernel debugger, debugging symbols and debugger usage.

  • Debugger Package
  • Debugger Parameters
  • Kernel Mode Debugging
  • Debugger Symbols
  • Debugger Command Types
  • Debugger Command Reference

Kernel Architecture

The objective of this section is to discuss the architecture of the Windows kernel, the key kernel mode components and the core system mechanisms that kernel mode security software depends on.

  • NTOSKRNL, HAL & Drivers
  • Processes and Threads
  • System & System Idle Process
  • Process and Thread Data Structures
  • System Calls
  • User vs Kernel Mode Execution
  • Kernel Processor Control Region (KPCR)
  • Interrupt Request Levels (IRQL)
  • Objects and Handles

Synchronization

The objective of this section is to learn about the different synchronization primitives available in the Windows kernel, their usage scenarios and the advantages and disadvantages of each of them.

  • Dispatcher Objects
  • Thread Waits
  • Interlocked Operations
  • Mutexes & Fast Mutexes
  • Executive Resources
  • Critical Regions
  • Spin Locks & In-Stack Queued Spin Locks
  • Push Locks

Memory Management

The objective of this section is to understand how the Windows kernel performs memory management for applications as well as for drivers.

  • Virtual Address Space
  • Virtual Address Descriptors
  • Kernel Virtual Address Space
  • Address Translation
  • PTE and Session Space
  • PFN Database
  • System Cache
  • Kernel Mode Stacks
  • Kernel Pools
  • Memory Descriptor Lists
  • Memory Mapping

I/O Management

The objective of this section is to understand how the Windows kernel dispatches I/O requests to device drivers, how device drivers handle I/O requests and the various data structures involved in processing I/O.

  • Driver Architecture
  • Driver Objects, Device Objects, File Objects
  • Filter Drivers
  • IRPs & I/O Stack Locations
  • IRP Dispatching
  • IRP Completion
  • IRP Processing
  • IRP Data Buffering

Crash Dump Analysis

The objective of this section is to learn how the system raises a bugcheck and generates a crash dump, how the different types of bugcheck are classified, and how to use the debugger's automated analysis to identify the faulting module and examine the system state captured in the dump, including the hardware failure case.

  • System bugchecks
  • Crash dump generation
  • Types of bugchecks
  • Automated analysis
  • Module identification
  • Context switching
  • Hardware failures
  • Examining system state
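A typical first pass over a crash dump with the debugger commands this section builds on, given here as an added example that is not part of the course material. Names and addresses in angle brackets are placeholders to be taken from the output of the preceding commands; nothing here is tied to a specific dump.

```windbg
.symfix                 ; set the symbol path to the Microsoft public symbol server
.reload                 ; reload symbols for all loaded modules
!analyze -v             ; automated analysis: bugcheck code and parameters, faulting address, probable culprit module
.bugcheck               ; raw bugcheck code and its four parameters, independent of !analyze's interpretation
lm kv                   ; loaded modules with timestamps and versions; unknown or stale drivers stand out here
lmvm <Module>           ; details for one module: image path, timestamp, whether symbols loaded
!irql                   ; IRQL at the time of the crash (a pageable access at DISPATCH_LEVEL or above is a classic cause)
!thread                 ; the thread that was running on the crashing processor
kv                      ; its call stack with frame pointers and arguments
.trap <TrapFrame>       ; for exception bugchecks: switch to the trap frame !analyze reports, then rerun kv
.exr <ExceptionRecord>  ; exception record, when the bugcheck parameters carry one
.cxr <ContextRecord>    ; context record, when the bugcheck parameters carry one; rerun kv afterwards
!pool <Address>         ; which pool block (and allocation tag) an invalid address falls into
!pte <Address>          ; page table entry for the address: mapped, valid, paged out, or never mapped
!vm                     ; overall memory state, useful when the crash follows resource exhaustion
```

The order matters: `!analyze -v` is a starting hypothesis, not a verdict, so the stack and the raw bugcheck parameters are checked against it before blaming the module it names.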

Calling Convention and Call Stacks

The objective of this section is to understand kernel stack layout and the x86 and x64 calling conventions, so that call stacks can be read and reconstructed by hand, including in the presence of kernel stack overflows, double faults and corrupt stacks.

  • Kernel stack layout
  • Calling convention
  • x86 call stacks
  • x64 call stacks
  • Kernel stack overflow
  • Debugging double faults
  • Debugging corrupt stacks

Debugging Deadlocks and Hangs

The objective of this section is to learn the common causes of system hangs and how to debug each of them: classic lock-ordering deadlocks, driver power state failures, stalled I/O requests, and pool and system PTE depletion.

  • Causes of hangs
  • Classic deadlock
  • Deadlock debugging
  • Driver power state failure
  • I/O request stalls
  • Pool depletion
  • SysPTE depletion
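A first pass over a hang, whether in a live kernel debugging session or on a manually triggered hang dump, given here as an added example that is not part of the course material. It works through the hang causes listed above in turn; addresses in angle brackets are placeholders to be taken from the preceding command's output, and `!deadlock` only reports anything when Driver Verifier's deadlock detection was enabled on the target.

```windbg
!process 0 0                ; list all processes; find the one that appears stuck
!process <Process> 7        ; every thread of that process with its stack and wait reason
!stacks 2                   ; stacks of every thread in the system; group them by the function they block in
!locks                      ; executive resources (ERESOURCE) currently held, with owner and waiter threads
!locks -v <Resource>        ; full detail for one resource: flags, owners, waiter list, contention count
!thread <Thread>            ; the owner thread: what is it itself waiting on? follow the chain until it loops
!deadlock                   ; with Driver Verifier deadlock detection enabled, report the lock-order cycle directly
!irpfind                    ; outstanding IRPs; a power IRP that never completes is the driver power state failure case
!irp <Irp>                  ; the IRP's stack locations: which driver currently owns it and has not completed it
!devstack <DeviceObject>    ; the device stack the IRP travels through, filter drivers included
!poolused 2                 ; pool usage by tag sorted by non-paged bytes; a tag that keeps growing points at a leak
!poolused 4                 ; the same sorted by paged bytes
!vm                         ; memory summary: pool usage against limits and free system PTEs
!sysptes                    ; system PTE usage in detail when !vm shows the SysPTE pool is exhausted
```

For a classic deadlock the `!locks` and `!thread` steps are repeated until the wait chain returns to a thread already seen; that cycle, not the thread that happened to be reported hung, is the root cause.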

Advanced Analysis Techniques

The objective of this section is to learn debugging strategies and root cause analysis techniques for the harder cases: recognizing stack patterns, invalid memory accesses, pool corruption patterns and structure corruption, mapping corrupted data structures back to the module that owns them, and analyzing code flow.

  • Debugging strategies
  • Root cause analysis
  • Stack patterns
  • Invalid memory access
  • Pool corruption patterns
  • Structure corruption
  • Mapping data structures to modules
  • Code flow analysis

Debugging Tools

The objective of this section is to learn the WDK tools and debugger features that make kernel problems reproducible and attributable: Driver Verifier and special pool, Gflags, object reference tracking, pool tag breakpoints, PTE tracking, run time stack capture, unloaded module tracking and checked builds.

  • Driver verifier
  • Special pool
  • Unloaded modules
  • Run time stack capture
  • Gflags
  • Object reference tracking
  • Pool tag breakpoints
  • PTE tracking
  • Checked builds