Windows Kernel Internals


Description

Kernel mode software has unrestricted access to the system, which is why most anti-malware solutions and rootkits are implemented as Windows kernel modules. To analyze rootkits, identify indicators of compromise (IoC) and collect forensic evidence, it is critical to have a good understanding of the architecture and internals of the Windows kernel. This course takes a deep dive into the internals of the Windows kernel from a security perspective, with emphasis on internal algorithms, data structures and debugger usage. Attendees use the kernel debugger (WinDBG/KD) extensively and learn how to interpret the debugger output to understand the health of the system and identify malicious activity. Other tools, such as the Volatility framework, are also used throughout the course to hunt for IoCs in the kernel.

Prerequisites

Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require any programming knowledge.

Details

Kernel Debugger

The objective of this section is to learn about the Windows kernel debugger (WinDBG/KD), debugging symbols, debugger usage and debugger extensions useful for forensic analysis of the kernel.

  • Debugger Package
  • Debugger Parameters
  • Kernel Mode Debugging
  • Debugger Symbols
  • Debugger Command Types
  • Debugger Command Reference
  • Debugger Extensions

Kernel Architecture

The objective of this section is to discuss the architecture of the Windows kernel, key kernel mode components and core system mechanisms that are critical to kernel mode security software.

  • NTOSKRNL, HAL & Drivers
  • Processes and Threads
  • System & System Idle Process
  • Process and Thread Data Structures
  • System Calls
  • System Service Dispatching
  • User vs Kernel Mode Execution
  • CPU Hardware Support
  • Virtualization Based Security (VBS)

Execution Contexts

The objective of this section is to learn about the different mechanisms provided by the Windows kernel for code execution, their use cases and the restrictions imposed by them.

  • Kernel Processor Control Region (KPCR)
  • Interrupt Request Levels (IRQL)
  • Interrupt Service Routines (ISR)
  • Deferred Procedure Calls (DPC)
  • Asynchronous Procedure Calls (APC)
  • System Worker Threads
  • Driver Threads
  • User Mode Thread Context

Synchronization

The objective of this section is to learn about the different synchronization primitives available in the Windows kernel, their usage scenarios and the advantages and disadvantages of each of them.

  • Dispatcher Objects
  • Thread Waits
  • Interlocked Operations
  • Mutexes & Fast Mutexes
  • Executive Resources
  • Critical Regions
  • Spin Locks & In-Stack Queued Spin Locks
  • Push Locks

Memory Management

The objective of this section is to understand how the Windows kernel performs memory management for applications as well as for drivers.

  • Virtual Address Space
  • Virtual Address Descriptors
  • Kernel Virtual Address Space
  • Address Translation
  • PTE and Session Space
  • PFN Database
  • System Cache
  • Kernel Mode Stacks
  • Kernel Pools
  • Memory Descriptor Lists
  • Memory Mapping

Objects and Handles

The objective of this section is to understand how objects are managed by the Windows kernel and the relationship between objects and handles.

  • Object Namespace
  • Object Layout
  • Object Header
  • Object Types & Procedures
  • Object Security Checks
  • Handle Tables
  • Handle Table Entries
  • Object Reference Counting

I/O Management

The objective of this section is to understand how the Windows kernel dispatches I/O requests to device drivers, how device drivers handle I/O requests and the various data structures that are involved in processing I/O.

  • Driver Architecture
  • I/O Manager Data Structures
  • Hardware Device Tree
  • Driver Types (Bus, Function, Filter)
  • Device Types (FDO, PDO, FiDO)
  • Filter Drivers
  • Driver Layering
  • IRPs & I/O Stack Locations
  • IRP Processing
  • IRP Completion
  • IRP Data Buffering

Kernel Security Mitigations

The objective of this section is to understand the different exploit mitigations that have been added to the Windows kernel over the course of its lifetime.

  • Kernel mode code signing (KMCS)
  • Kernel patch protection (PatchGuard)
  • Kernel address layout randomization (KASLR)
  • Supervisor mode execution prevention (SMEP)
  • Non-executable (NX) pools
  • Safe pool unlinking
  • Pool integrity checks
  • NULL page allocation protection
  • Control Flow Guard (CFG)