Windows Kernel Debugging


Description

This course is targeted at security researchers, reverse engineers, software developers, support engineers and software QA engineers who have to regularly analyze and debug Windows kernel mode software. The course starts with the foundations required to be effective at kernel debugging such as reverse engineering, debugger scripting, calling convention, call stacks etc. It then dives into various techniques and strategies that can be applied to perform triaging, fault isolation, analysis and root causing of crashes and hangs caused by kernel mode drivers. In addition, this course covers identification and analysis of kernel mode rootkits.

Every topic in the course is accompanied by hands-on labs that involve extensive usage of the WinDBG/KD, Driver Verifier, GFlags, Windows Performance Analyzer (WPA), Volatility as well as tools in the Windows Driver Kit (WDK). These hands-on labs provide attendees with real life experience of live kernel debugging, crash/hang analysis and identification of malicious activity. All labs in the course are performed on the 64-bit version of Windows 10.

NOTE : This course focuses on debugging kernel mode software and does not cover debugging or analysis of hardware device drivers.

Prerequisites

Attendees must have a solid understanding of Windows kernel data structures and interfaces. Knowledge of C/C++ programming is highly desirable to get maximum value from this course. The CodeMachine Windows Kernel Internals and CodeMachine Windows Kernel Programming courses provide the necessary pre-requisites for this course.

Learning Objectives

Topics

Details

Kernel Debugger

Being able to use the kernel debugger effectively is critical to memory dump analysis. The objective of this section is to learn about the kernel debugger, debugging symbols and debugger usage.

  • Debugger architecture
  • Debugger commands
  • Debugger extensions
  • Memory access
  • Number formats
  • Expression evaluation
  • Debugger symbols
  • Symbol server

Reverse Engineering

The objective of this section is to learn techniques to map X64 assembler code into C/C++ language constructs used to develop kernel modules.

  • CPU register usage
  • Instruction types and syntax
  • Basic blocks and optimizations
  • Instruction patterns
  • Functions and call stacks
  • Global and local variables
  • Structures, arrays and linked lists
  • Exception handling

Debugger Scripting

The objective of this section is to learn about the debugger's scripting support and how to use it to automate common debugging and analysis tasks.

  • Executing debugger scripts
  • Control flow tokens
  • Macros
  • Pseudo registers
  • Dereferencing mMemory
  • Aliases
  • String comparison
  • Iterators

Debugger Extensions

This objective of this section is to learn about the debugger engine programming interface and how to use it to develop kernel debugger extensions. This section requires attendees to write code in C/C++ to develop extension DLLs.

  • Debugger extension framework
  • Building extension DLLs
  • Debugger Engine interfaces
  • Extension DLL Development
  • Common tasks
  • Accessing structures
  • Traversing linked lists

Crash Dump Analysis

The objective of this section is to learn about why and how bug-checks happen, learn about performing triaging and fault isolation. This section also covers tools which can be used to capture enhanced runtime information to help with debugging tasks.

  • System bug-checks
  • Crash dump generation
  • Types of bug-checks
  • Automated analysis
  • Module identification
  • Context switching
  • Examining system state
  • Driver verifier

Calling Convention and Call Stacks

The objective of this section is to learn how stacks work on 64-bit systems and how to use knowledge of 64-bit stack layout to retrieve critical information about functions.

  • Kernel stack layout
  • Calling convention
  • Compiler register usage
  • x64 call stacks
  • Kernel stack overflow
  • Debugging double faults
  • Debugging corrupt stacks

Debugging Deadlocks and Hangs

The objective of this section is to learn about debugging and analyzing systems hangs and performance issues.

  • Causes of hangs
  • Deadlock Analysis
  • Performance slowdowns
  • I/O request stalls
  • Pool depletion
  • Runtime stack tracing
  • Reference tracking

Advanced Analysis Techniques

The objective of this section is to learn deep analysis techniques which can be used to root cause problems into specific bugs in kernel modules. This section also discusses how to find artifacts of kernel mode rootkits in memory dumps and physical memory captures.

  • Root cause analysis strategies
  • Invalid memory access
  • Pool corruption patterns
  • Structure corruption
  • Code flow analysis
  • Rootkit identification and analysis
  • Volatility framework