Windows Kernel Programming


Description

Most security software on Windows runs in kernel mode. This course starts with the basics of kernel mode software development and debugging and then progressively dives into the APIs, filtering mechanisms and advanced programming techniques required to implement kernel mode security software. Every topic in the course is accompanied by hands-on labs that involve extensive coding and debugging of kernel mode software to understand the programming model, the interfaces (APIs), their use cases and common pitfalls.

NOTE: This is a security-focused course and does not cover the development of drivers for hardware devices such as PCI, USB and Bluetooth, nor does it cover the Kernel Mode Driver Framework (KMDF).

Prerequisites

Attendees must be proficient in C programming and must have a good working knowledge of the Windows kernel. The CodeMachine Windows Kernel Internals course provides the prerequisite Windows kernel knowledge required to get the maximum value from this course.

Topics

Driver Development Environment

The objective of this section is to learn about the Windows kernel development environment, tool chain and debugging setup.

  • Windows driver kit (WDK)
  • Building with Visual Studio
  • Building with Enterprise WDK (EWDK)
  • Targets, platforms and configurations
  • Kernel debugging
  • Driver symbols and source code
  • Driver replacement maps

Kernel Programming

The objective of this section is to learn about the basics of Windows kernel module development.

  • Driver entry points
  • Windows version APIs
  • WDK headers
  • WDK Macros
  • NTSTATUS codes
  • Debug prints
  • Dynamic memory allocation

I/O Processing

The objective of this section is to learn how drivers process I/O requests from user mode applications and how a driver builds and sends its own I/O requests to other drivers in the system.

  • Wide char and Unicode strings
  • Driver objects, device objects and symbolic links
  • User-Kernel interface
  • IRP handling
  • Device I/O control
  • Building I/O requests
  • Object reference counting

Asynchronous Execution

The objective of this section is to learn about the different mechanisms available in the kernel to execute code asynchronously and the use cases for each of these mechanisms.

  • DPC routines
  • Kernel timers
  • Worker routines
  • Kernel events
  • Driver threads
  • System time
  • Performance measurements

Queues and Serialization

The objective of this section is to learn about the synchronization primitives available to kernel modules for performing multiprocessor-safe operations, how to safely unload kernel modules from memory and how to manage linked lists in the kernel.

  • Waitable locks
  • Reader-writer locks
  • Interlocked operations
  • Spin locks
  • Linked lists (Double, Single, Sequenced)
  • Critical regions
  • Rundown protection

Common Kernel Programming Topics

The objective of this section is to learn about common techniques useful for implementing security functionality in a kernel module in Windows.

  • Locking and mapping memory
  • Object attributes
  • Executive callbacks
  • Registry access
  • File system access
  • Capturing stack back-traces

Advanced Kernel Programming Topics

The objective of this section is to learn about advanced techniques useful for implementing security functionality in a kernel module in Windows.

  • Working with the module list
  • Working with the object namespace
  • Working with handles and objects
  • Working with processes and threads
  • Working with tokens
  • Working with kernel bitmaps

File System Mini-Filters

The objective of this section is to learn the basics of intercepting file system activity in the kernel. Please note that file system mini-filters are a very complex topic and this section only covers the basics of implementing a mini-filter.

  • Filter manager architectural overview
  • Mini-filter registration
  • Pre and post processing callbacks
  • Name resolution
  • Context management
  • Content processing
  • User-kernel communication