Most security software on Windows runs in kernel mode.
This course starts with the basics of kernel mode software development and debugging and then progressively dives into the APIs, filtering mechanisms and advanced programming techniques required to implement kernel mode security software.
Every topic in the course is accompanied by hands-on labs that involve extensive coding and debugging of kernel mode software to understand the programming model, the interfaces (APIs), their use cases and common pitfalls.
NOTE: This is a security-focused course. It does not cover development of drivers for hardware devices such as PCI, USB and Bluetooth, nor does it cover the Kernel Mode Driver Framework (KMDF).
Attendees must be proficient in C programming.
Attendees must have good working knowledge of the Windows kernel.
CodeMachine's Windows Internals course provides the prerequisite Windows kernel knowledge required to attend this course.
The objective of this section is to learn about the Windows kernel module development terminology, environment and the tool chain.
The objective of this section is to learn how drivers process I/O requests from user mode applications and how a driver builds and sends its own I/O requests to other drivers in the system.
The objective of this section is to learn about the different mechanisms available in the kernel to execute code asynchronously and the use cases for each of these mechanisms.
The objective of this section is to learn about the different types of queues available in the kernel, the synchronization primitives which are available to kernel modules to perform multiprocessor safe operations and techniques to safely remove kernel modules from memory.
The objective of this section is to get students familiar with different techniques for implementing security functionality in a kernel module in Windows.
The objective of this section is to learn how to develop IRP-based filter drivers to intercept devices such as keyboards, mice and disks.
The objective of this section is to learn about the documented mechanisms available to kernel mode anti-malware solutions to intercept various kinds of system activity.
Registry and file system mini-filters are complex drivers. The objective of this section is to provide working knowledge of interception and modification of registry and file I/O from a security perspective.
The objective of this section is to discuss the architecture of the Windows networking stack and the various mechanisms available to Windows kernel modules to intercept networking activity in the system.