Windows Internals for Reverse Engineers by Alex Ionescu

Learn the internals of the Windows NT kernel architecture, including Windows 7 and Server 2008 R2, and how rootkits and other kernel-mode malware exploit the various system functionalities, mechanisms and data structures to do their dirty work. Also learn how drivers operate and how they can be subject to attack from user-mode callers seeking to elevate their privileges. New Windows 7 kernel features relevant to driver operation and rootkit techniques will be discussed, such as the new Object Manager data structures. After learning the theory, you will use tools such as WinDBG and IDA to analyze, poke, and prod kernel-mode Windows components, as well as write your own drivers and tools. Finally, you will use all this knowledge to analyze some custom drivers that are either buggy and/or purposely malicious, understanding their behaviour and exploitability.

Instructor: Alex Ionescu
Dates: 6-8 July 2010
Availability: 18 Seats

Day 1: Inside the Windows Kernel

The focus of the first day is understanding the behaviour and operation of the Windows Kernel. Core topics such as interrupts, DPCs, APCs, timers, scheduling and memory management will be discussed at the architectural level. You are expected to already be familiar with some of these concepts -- for example, on the topic of memory management, it is not about how to use malloc, but rather about the complexities and effects of the algorithms Windows uses when managing pages. A detailed overview of the object manager and the ALPC mechanism will also be on the table.

You will learn the various data structures used for book-keeping, internal consistency, and management of core system components and objects, such as threads and processes, and how these fields can affect the operation of the system in ways that malicious code can control. Modification of kernel objects and its effects, as well as legitimate hooking techniques, will be presented.

PatchGuard and other kernel integrity mechanisms will also be analyzed.

Day 2: Windows Kernel Mode Reverse Engineering and Debugging

The second day will focus on using various tools to inspect the Windows kernel for consistency, tracing its operation, and editing it. You will also learn how to write your own drivers and user-mode tools that can perform some of this work, for the purposes of better understanding driver operation, and you will reverse a well-known driver in IDA to build a "base case" and discover the various effects of WDK/MSVC optimizations on the resulting code. You will be presented with many WinDBG/KD commands, as well as how to write your own scripts and extensions.

During the second day, we will also focus on using VM technologies to run the Windows kernel, as well as any drivers you will be writing and loading, under emulation, both to avoid damaging a real system and to avoid the need for a second machine. Various debugging techniques will be demonstrated, such as GDB stubs in VMware and QEMU, and how to plug IDA into these stubs to perform analysis without requiring WinDBG.

Day 3: Windows Driver/Rootkit Analysis

The last day of the training focuses on building on your knowledge from the previous days to tackle several examples of malicious and/or buggy drivers in a given Windows system. You will apply both static analysis with IDA to understand the code and behaviour of the drivers (no obfuscation will be employed, so knowledge of such mechanisms is not a prerequisite), as well as dynamic analysis through the debugging and analysis tools presented earlier, to determine the effect that the driver is having on the system. Safe unloading and neutralization may also be discussed.

For buggy drivers, you will be asked to provide possible exploit code, or at least an analysis of how the bug could be exploited by an unprivileged user-mode client. We will also look at several types of kernel-mode shellcode possibilities.
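As an added illustration of the class of bug the previous paragraph has in mind (this is not code from the course and not a real driver), the block below models, in plain host-side C with no WDK headers, a driver's validation of a buffer pointer received from an unprivileged user-mode caller, as happens with a METHOD_NEITHER IOCTL where the driver sees the raw user pointer. The constant USER_PROBE_LIMIT and the struct layout are assumptions made for the example; the point is the arithmetic: a range check of the form addr + len <= limit wraps on a 32-bit address, so a caller can pass a kernel address with a length that overflows and turn the driver's write into a write to kernel memory, which is the privilege-escalation primitive the exercise asks you to look for.

```c
/*
 * Host-side model of user-buffer validation in a kernel driver.
 * Added example, not part of the course material; compiles on any C99
 * toolchain. Assumptions: 32-bit addresses, and user space ending at
 * USER_PROBE_LIMIT (chosen to resemble a 32-bit Windows user/kernel split).
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define USER_PROBE_LIMIT 0x7FFF0000u   /* assumed top of user-accessible space */

/* Request as it would arrive in the driver: caller-controlled pointer and length. */
struct ioctl_request {
    uint32_t out_ptr;   /* user-supplied output pointer (raw, unvalidated) */
    uint32_t out_len;   /* user-supplied length */
};

/* Naive check as found in buggy drivers: the sum can wrap around 2^32. */
bool naive_probe(uint32_t addr, uint32_t len)
{
    return (addr + len) <= USER_PROBE_LIMIT;   /* BUG: addr + len may overflow */
}

/* Hardened check: reject kernel addresses first, then compare without any
 * addition that could overflow. Zero length touches nothing and is accepted. */
bool safe_probe(uint32_t addr, uint32_t len, uint32_t alignment)
{
    if (len == 0)
        return true;
    if (alignment == 0 || (addr % alignment) != 0)
        return false;                           /* misaligned or bad alignment */
    if (addr >= USER_PROBE_LIMIT)
        return false;                           /* starts in kernel space */
    if (len > USER_PROBE_LIMIT - addr)
        return false;                           /* would run past the user limit */
    return true;
}

/* Models the dispatch decision: returns 1 if the driver would write through
 * the caller's pointer, 0 if the request is rejected. */
int handler_would_write(const struct ioctl_request *req, bool hardened)
{
    bool ok = hardened ? safe_probe(req->out_ptr, req->out_len, 4)
                       : naive_probe(req->out_ptr, req->out_len);
    return ok ? 1 : 0;
}

int main(void)
{
    /* Constructed attacker request: a kernel address plus a length that wraps. */
    struct ioctl_request evil = { 0xFFFFFFF0u, 0x20u };
    printf("naive driver writes to 0x%08x: %d\n", evil.out_ptr,
           handler_would_write(&evil, false));   /* 1: kernel write reachable */
    printf("hardened driver writes:          %d\n",
           handler_would_write(&evil, true));    /* 0: request rejected */
    return 0;
}
```

When reading a real driver in IDA, the thing to look for is exactly this: a METHOD_NEITHER handler that uses Type3InputBuffer or UserBuffer without a ProbeForRead/ProbeForWrite (inside a try/except), or with a hand-rolled range check whose addition can overflow.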

Class Requirements

IMPORTANT: This training isn't for reverse engineering beginners, and none of the basic material will be presented. You must be fluent in x86 assembly to take this course, but knowledge of obfuscation, packing, etc. is not required. Basic knowledge of Windows and operating systems is required -- you should know what an interrupt is, what the difference between user and kernel mode is, and so on. You will need the following:

A legal IDA Pro license (5.5 or higher). Hex-Rays is helpful, but not required.

VMware (trial/free version is fine) is recommended, with an installed version of Windows 7 (demo/trial build is fine). 32-bit or 64-bit is fine -- you may prefer 32-bit if that is the disassembly you are most familiar with and/or you want to use Hex-Rays.

You must have a Windows machine to attend, on which you have the WDK (Windows Driver Kit) installed. A trial or full copy of Visual Studio 2008/2010 is recommended, but if you would rather use your own IDE, that is fine.

Bio

Alex is coauthor of Windows Internals 5th edition. He teaches Windows OS internals to Microsoft employees and other organizations worldwide. He is the founder of Winsider Seminars & Solutions Inc., specializing in low-level system software for administrators and developers. Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/2003 written from scratch, where he wrote most of the NT-based kernel. Alex is also very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel and presenting talks at conferences such as Blackhat and Recon. In the last three years, he has also contributed to patches and development in two major commercially used operating system kernels.