Most security software on Windows runs in kernel mode. This training provides students a jumpstart into the world of Windows kernel mode software development through a practical hands-on approach using the latest version of Visual Studio, Windows Driver Kit and WinDBG.
The topics covered in this course go much deeper than the information available in the WDK documentation or in public forums. Coverage includes use cases of various APIs, their applicability to security, behind the scenes working of functions and common usage pitfalls. The discussions do not shy away from undocumented features and techniques that are essential when building kernel mode drivers related to security functionality but considered out of scope by generic driver development training courses in the industry.
In the hands-on lab exercises, students develop and build drivers in C/C++ and then deploy, test and debug these drivers on the latest build of Windows 10 64-bit running in a Hyper-V VM. Students also learn various techniques to debug these drivers using WinDBG.
To maximize student engagement, the course delivery is a mix of theory, instructor-led demos, code walk-throughs, labs exercises involving coding and debugging, and quizzes to check students' grasp of the content.
This training course focuses on security related topics and does not cover topics related to hardware drivers such as plug and play, power management, hardware busses (PCI, USB, Bluetooth) or the kernel mode driver framework (KMDF).
Attendees must be proficient in C programming.
Attendees must have good working knowledge of the windows kernel.
The CodeMachine Windows Kernel Internals course provides the prerequisite Windows kernel knowledge required to get the maximum value from this course.
The objective of this section is to learn about the Windows driver development toolchain and how to use the tools effectively to code, build, deploy, test and debug drivers. It covers topics such as header files and libraries required to build drivers, various options supported by the build process, service control manager and native APIs to load and unload drivers, debugger symbols and associated kernel debugger commands, the pros and cons of using C vs C++ to develop drivers and the effect of compiler and linker flags on code generation.
The objective of this section is to learn about the unique aspects of Windows driver development. It covers topics such as various method of determining kernel version, header file versioning, statically and dynamically binding to APIs, handling kernel API failures, allocating memory from pool and lookaside lists, manipulating UNICODE strings.
The objective of this section is to learn about tools and techniques to perform live debugging of kernel mode drivers. It covers topics such as configuring kernel debugging settings, controlling driver debug output, break-pointing techniques that go beyond just the commands bp/bu/ba etc., using various tools to find subtle bugs in kernel drivers and configuring the system to collect instrumentation data.
The objective of this section is to learn about how drivers process I/O requests from user mode applications. It covers topics such as driver objects, device objects, symbolic links, file objects, Win32 I/O APIs, driver entry points, dispatch routines, IRPs and I/O stack locations, synchronous and asynchronous processing of IRPs, completion routines, cancel routines, IOCTL codes and data transfer mechanisms between user mode and kernel mode.
The objective of this section is to learn about the different code execution mechanisms available in the kernel, their use cases and the constrains imposed on them. It covers topics such as the IRQLs, process and thread contexts, DPC routines and their triggers, system worker threads, executive work queues and worker routines, creating and managing driver threads, object reference counting and reference tracking, various mechanisms to query time in the kernel, their sources and precision.
The objective of this section is to learn about the synchronization primitives available to drivers to perform multiprocessor safe operations such as mutexes, ERESOURCES, push locks, mutually exclusive spin locks and reader writer spin locks and rundown protection. It covers topics such as the different types of linked lists available to drivers and their use cases, implications of IRQL on synchronization, considerations when selecting a locking mechanism, correct usage of interlocked operations to perform low overhead synchronization and the safe unloading of drivers from memory.
The objective of this section is to learn about programming tasks which are common when developing drivers that provide security related functionality. It covers topics such as memory mapping techniques, accessing process memory from kernel mode, options for building and sending IRPs to drivers, considerations when performing registry and file access in kernel mode, various run time instrumentation techniques and best practices when developing drivers.