Windows Kernel Development Training

Windows Kernel Development

Description

Most security software on Windows runs in kernel mode. This training provides students a jumpstart into the world of Windows kernel-mode software development through a practical hands-on approach using the latest version of Visual Studio, Windows Driver Kit, and WinDBG.

The topics covered in this course go much deeper than the information available in the WDK documentation or in public forums. Coverage includes use cases of various APIs, their applicability to security, behind the scenes working of functions, and common usage pitfalls. The discussions do not shy away from undocumented features and techniques that are essential when building kernel-mode drivers related to security functionality but considered out of scope by generic driver development training courses in the industry.

This training course focuses on security-related topics and does not cover topics related to hardware drivers such as plug and play, power management, hardware busses (PCI, USB, Bluetooth), or the kernel-mode driver framework (KMDF).

Hands-on Labs

In the hands-on lab exercises, students develop and build drivers in C/C++ and then deploy, test, and debug these drivers on the latest build of Windows 10 64-bit running in a Hyper-V VM. Students also learn various techniques to debug these drivers using WinDBG.

Prerequisites

Attendees must be proficient in C programming. Attendees must have a good working knowledge of the windows kernel. The CodeMachine Windows Kernel Internals course provides the prerequisite Windows kernel knowledge required to get the maximum value from this course.

Learning Objectives

  • Be able to use tools such as Visual Studio and WDK or EWDK to develop and build kernel-mode software.
  • Be able to deploy, test, and debug kernel-mode software.
  • Be able to use the debugger effectively to perform live debugging of kernel-mode software.
  • Understand the various options available to implement features in kernel-mode software.
  • Be able to perform common programming tasks required by kernel-mode software.
  • Be able to develop reasonably complex security functionality in kernel-mode.
  • Be able to use tools other than the debugger to debug issues with kernel-mode software.
  • Understand the intricacies of kernel-mode software development.
  • Understand the best practices and common pitfalls when developing Windows kernel-mode software.

Topics

  • Driver Development Environment
  • Driver Programming Basics
  • Driver Debugging
  • I/O Processing
  • Kernel Execution
  • Kernel Synchronization
  • System Enumeration
  • Common Tasks

Course Details

Development Environment

The objective of this section is to learn about the Windows driver development toolchain and how to use the tools effectively to code, build, deploy, test, and debug drivers. It covers topics such as header files and libraries required to build drivers, various options supported by the build process, service control manager and native APIs to load and unload drivers, debugger symbols and associated kernel debugger commands, the pros and cons of using C vs C++ to develop drivers and the effect of compiler and linker flags on code generation.

  • Enterprise Windows Driver Kit
  • Targets, Platforms & Configurations
  • Build Customization
  • Driver Registration and Loading
  • Driver Symbols and Source Code
  • Code Analysis (PreFast)
  • Source Annotation Language (SAL)
  • Kernel Mode Code Signing (KMCS)

Driver Development Basics

The objective of this section is to learn about the unique aspects of Windows driver development. It covers topics such as various methods of determining kernel version, header file versioning, statically and dynamically binding to APIs, handling kernel API failures, allocating memory from pools and lookaside lists, manipulating UNICODE strings.

  • Windows version APIs
  • WDK headers & libraries
  • Static and dynamic linking
  • NTSTATUS codes
  • Dynamic memory allocation
  • Lookaside lists
  • Kernel CRT support
  • Unicode string handling

Driver Debugging

The objective of this section is to learn about tools and techniques to perform live debugging of kernel-mode drivers. It covers topics such as configuring kernel debugging settings, controlling driver debug output, break-pointing techniques that go beyond just the commands bp/bu/ba, etc., using various tools to find subtle bugs in kernel-mode drivers, and configuring the system to collect instrumentation data.

  • Debug prints
  • Driver replacement maps
  • Live debugging techniques
  • Common debugging tasks
  • Driver verifier
  • Special pool & pool tracking
  • Stack tracing
  • GFlags kernel settings

I/O Processing

The objective of this section is to learn about how drivers process I/O requests from user-mode applications. It covers topics such as driver objects, device objects, symbolic links, file objects, Win32 I/O APIs, driver entry points, dispatch routines, IRPs and I/O stack locations, synchronous and asynchronous processing of IRPs, completion routines, cancel routines, IOCTL codes, and data transfer mechanisms between user mode and kernel mode.

  • I/O manager objects
  • Device namespaces
  • User/kernel interface
  • Dispatch routines
  • IRP processing
  • Device I/O control
  • Buffering methods
  • Accessing user buffers
  • Building IRPs
  • Memory mapping

Kernel Execution

The objective of this section is to learn about the different code execution mechanisms available in the kernel, their use cases, and constraints imposed on them. It covers topics such as the IRQLs, process and thread contexts, DPC routines and their triggers, system worker threads, executive work queues and worker routines, creating and managing driver threads, object reference counting and reference tracking, various mechanisms to query time in the kernel, their sources and precision.

  • IRQL management
  • System time
  • Kernel and executive timers
  • DPC poutines
  • APC routines
  • Worker routines
  • Object lifetime management
  • Kernel events
  • Driver managed threads
  • Exception handling

Kernel Synchronization

The objective of this section is to learn about the synchronization primitives available to drivers to perform multiprocessor safe operations such as mutexes, ERESOURCES, push-locks, mutually exclusive spin-locks, reader-writer spin-locks, and rundown protection. It covers topics such as the different types of linked lists available to drivers and their use cases, implications of IRQL on synchronization, considerations when selecting a locking mechanism, correct usage of interlocked operations to perform low overhead synchronization, and the safe unloading of drivers from memory.

  • Linked lists
  • Waitable locks
  • Spin locks
  • Reader-writer locks
  • Critical and guarded regions
  • Recursive locks
  • Rundown protection
  • Interlocked operations

System Enumeration

The objective of this section is to learn about programming tasks that are common when developing drivers that provide security-related functionality. It covers topics such as memory mapping techniques, accessing process memory from kernel mode, options for building and sending IRPs to drivers, considerations when performing registry and file access in kernel mode, various run-time instrumentation techniques, and best practices when developing drivers.

  • Native API
  • Registry & file access
  • Processes & threads
  • Handle tables
  • Module list
  • PE file parsing
  • Object namespace
  • Physical memory ranges