Windows Kernel Programming


Description

Most security software on Windows runs in kernel mode. This course starts with the basics of kernel mode software development and debugging and then progressively dives into the APIs, filtering mechanisms and advanced programming techniques required to implement kernel mode security software. Every topic in the course is accompanied by hands-on labs that involve extensive coding and debugging of kernel mode software to understand the programming model, the interfaces (APIs), their use cases and common pitfalls.

NOTE: This is a security-focused course. It does not cover development of drivers for hardware devices such as PCI, USB or Bluetooth, nor does it cover the Kernel Mode Driver Framework (KMDF).

Prerequisites

Attendees must be proficient in C programming and must have a good working knowledge of the Windows kernel. CodeMachine's Windows Internals course provides the prerequisite Windows kernel knowledge required to attend this course.

Topics

Driver Development Environment

The objective of this section is to learn about the Windows kernel module development terminology, environment and the tool chain.

  • Windows Driver Kit
  • Building with Enterprise WDK
  • Targets, Platforms and Configurations
  • Kernel Debugging
  • Driver Symbols and Source Code
  • Driver Replacement Maps
  • Driver Verifier

Driver Programming Basics

The objective of this section is to learn the basics of writing a kernel module: driver entry points, version checks, WDK headers, NTSTATUS codes, debug output, memory allocation and Unicode string handling.

  • Driver Entry Points
  • Windows Version APIs
  • WDK Headers
  • NTSTATUS Codes
  • Debug Prints
  • Memory Allocation
  • Widechar and Unicode Strings

I/O Processing

The objective of this section is to learn how drivers process I/O requests from user mode applications and how a driver builds and sends its own I/O requests to other drivers in the system.

  • Driver Objects, Device Objects and Symbolic Links
  • User/Kernel Interface
  • IRP Handling
  • Building I/O Requests
  • Object Referencing

Asynchronous Execution

The objective of this section is to learn about the different mechanisms available in the kernel to execute code asynchronously and the use cases for each of these mechanisms.

  • DPC Routines
  • Kernel Timers
  • Worker Routines
  • Driver Threads
  • Kernel Events
  • System Time & Performance Measurements

Queues & Serialization

The objective of this section is to learn about the different types of queues available in the kernel, the synchronization primitives available to kernel modules for multiprocessor-safe operation, and techniques to safely unload kernel modules from memory.

  • Linked Lists
  • Waitable Locks
  • Reader Writer Locks
  • Critical and Guarded Regions
  • Rundown protection
  • Spin Locks
  • Interlocked Operations

Advanced Techniques

The objective of this section is to get students familiar with different techniques for implementing security functionality in a kernel module in Windows.

  • Locking and Mapping memory
  • Object Attributes
  • Executive callbacks
  • Capturing Stack Back-Traces
  • Registry Access
  • File System Access

IRP Filter Drivers

The objective of this section is to learn how to develop IRP-based filter drivers to intercept devices such as keyboards, mice and disks.

  • Driver Layering
  • Filter Driver Registry Keys
  • Device Attachment & Detachment
  • Pre & Post Operation Filtering
  • I/O Request Processing
  • Filter & Control Device Objects

Kernel Callbacks

The objective of this section is to learn about the documented mechanisms available to kernel mode anti-malware solutions to intercept various system activity.

  • Image load notifications
  • Process creation and deletion callbacks
  • Thread creation and deletion callbacks
  • Object callbacks
  • Image verification callbacks
  • Session callbacks
  • PnP and power callbacks

Complex Filtering

Registry and file system mini-filters are complex drivers. The objective of this section is to provide working knowledge of intercepting and modifying registry and file I/O from a security perspective.

  • Registry callbacks
  • File system (FltMgr) mini-filter drivers
  • Early load anti-malware (ELAM) drivers

Network Filters

The objective of this section is to discuss the architecture of the Windows networking stack and the various mechanisms available to Windows kernel modules to intercept networking activity in the system.

  • Network stack architecture
  • Kernel network interfaces
  • Windows Socket Kernel (WSK) drivers
  • Packet data structure (NBL, NB) manipulation
  • Windows filtering platform (WFP) drivers
  • NDIS lightweight filter (LWF) drivers