Windows Kernel Internals


Description

Kernel mode software has unrestricted access to the system, which is why most anti-malware solutions and rootkits are implemented as Windows kernel modules. To analyze rootkits, identify indicators of compromise (IoCs) and collect forensic evidence, it is critical to have a good understanding of the architecture and internals of the Windows kernel. This course takes a deep dive into the internals of the Windows kernel from a security perspective, with emphasis on internal algorithms, data structures and debugger usage. Attendees use the kernel debugger (WinDBG/KD) extensively and learn how to interpret the debugger output to understand the health of the system and identify malicious activity. Other tools, such as the Volatility framework, are also used throughout the course to hunt for IoCs in the kernel.

Prerequisites

Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require any programming knowledge.

Details

Kernel Debugger

The objective of this section is to learn about the Windows kernel debugger (WinDBG/KD), debugging symbols, debugger usage and debugger extensions useful for forensic analysis of the kernel.

  • Debugger Package
  • Debugger Parameters
  • Kernel Mode Debugging
  • Debugger Symbols
  • Debugger Command Types
  • Debugger Command Reference
  • Debugger Extensions

Kernel Architecture

The objective of this section is to discuss the architecture of the Windows kernel, the key kernel mode components and the core system mechanisms that are critical to kernel mode security software.

  • NTOSKRNL, HAL and drivers
  • Processes and threads
  • System process
  • Process and thread data structures
  • Native APIs and system calls
  • System service dispatching
  • User vs kernel mode execution
  • Virtualization based security (VBS)

Execution Contexts

The objective of this section is to learn about the different mechanisms provided by the Windows kernel for code execution, their use cases and the restrictions imposed by them.

  • Kernel processor control region (KPCR)
  • Interrupt request levels (IRQL)
  • Deferred procedure calls (DPC)
  • Asynchronous procedure calls (APC)
  • System worker threads
  • Driver and kernel threads
  • User mode thread context

Synchronization

The objective of this section is to learn about the different synchronization primitives available in the Windows kernel, their usage scenarios and the advantages and disadvantages of each of them.

  • Dispatcher objects
  • Thread waits
  • Interlocked operations
  • Mutexes and fast mutexes
  • Critical regions
  • Executive resources
  • Spin locks and in-stack queued locks

Memory Management

The objective of this section is to understand how the Windows kernel performs memory management.

  • Kernel virtual address space
  • Address translation and PTEs
  • Page permissions
  • PFN database
  • Kernel stacks
  • Kernel pools
  • Non-executable (NX) pools
  • Memory Descriptor Lists (MDL) and Memory Mapping

Object Management

The objective of this section is to understand how objects are managed by the Windows kernel, the relationship between objects and handles, and how the kernel performs security checks on objects.

  • Object manager namespace
  • Object headers and object layout
  • Object types and procedures
  • Object security descriptors
  • Process and thread tokens
  • Security access checks
  • Handle permissions

I/O Management

The objective of this section is to understand how the Windows kernel dispatches I/O requests to device drivers, how device drivers handle I/O requests, and the various data structures involved in processing I/O.

  • Driver architecture
  • I/O manager data structures
  • Driver types (Bus, Function, Filter)
  • Device types (FDO, PDO, FiDO)
  • IRPs and I/O stack locations
  • Driver layering and filter drivers
  • Dispatch and completion routines
  • User/Kernel data exchange

Kernel Security Mitigations

The objective of this section is to understand the different exploit mitigations that have been added to the Windows kernel over the course of its lifetime.

  • Kernel exploitation
  • Kernel mode code signing (KMCS)
  • Kernel patch protection (PatchGuard)
  • Kernel address space layout randomization (KASLR)
  • Supervisor mode execution prevention (SMEP)
  • Kernel control flow guard (kCFG)
  • Hypervisor based code integrity (HVCI)
  • Miscellaneous mitigations