Windows Internals for Reverse Engineers by Alex Ionescu

Learn the internals of the Windows NT kernel architecture, including Windows 7 and Server 2008 R2, and how rootkits and other kernel-mode malware exploit the various system functionalities, mechanisms and data structures to do their dirty work. Also learn how drivers operate and how they can be subject to attack from user-mode callers to elevate their privileges. New Windows 7 kernel features relevant to driver operation and rootkit techniques will be discussed, such as the new Object Manager data structures. After learning the theory, you will use tools such as WinDBG and IDA to analyze, poke, and prod kernel-mode Windows components, as well as write your own drivers and tools. Finally, you will use all this knowledge to analyze certain pieces of buggy C code with hard-to-spot Windows-kernel-specific bugs, as well as looking at a custom driver to understand its behaviour and exploitability. Attendees will receive a copy of Windows Internals, 5th Edition.

Instructor: Alex Ionescu
Dates: 5-7 July 2011
Availability: 18 Seats

Instructor: Alex Ionescu
Dates: 11-13 July 2011
Availability: 18 Seats

Part 1: Inside the Windows Kernel

The focus of the first part is understanding the behaviour and operation of the Windows Kernel.

Core topics such as interrupts, DPCs, APCs, timers, scheduling and memory management will be discussed at the architectural level. You are expected to already be familiar with some of these ideas -- for example, on the topic of memory management, it is not about how to use malloc, but rather about the complexities of and effects of the algorithms used by Windows when managing pages.

A detailed summary of the object manager and ALPC mechanism will also be on the table, as well as the window manager (Win32k.sys) and its data structures/behaviors.

You will learn the various data structures used by bookkeeping and internal consistency and management of core system components and objects, such as threads and processes, and how these fields can affect the operation of the system in ways that malicious code can control. A secondary focus will be for forensic purposes -- how to recover system data and state from raw memory information.

You will be presented with many WinDBG/KD commands, as well as how to write your own scripts and extensions.

Part 2: Windows Kernel Mode Reverse Engineering and Debugging

The second part will focus on using various tools to inspect the Windows kernel for consistency, tracing its operation, and editing it.

During this part, we will also focus on using VM technologies to emulate the Windows kernel as well as any drivers you will be writing and loading, to avoid hitting a real system, as well as avoiding the need for a second machine. Various debugging techniques will be demonstrated, such as GDB stubs in VMWare and QEMU, and how to plug-in IDA into these stubs to perform analysis without requiring WinDBG.

Part 3: Windows Driver/Rootkit Analysis

The last part of the training focuses on building on your knowledge from the previous days to tackle several examples of malicious and/or buggy drivers in a given Windows system.

You will also learn how to write your own drivers and user-mode tools that can perform some of this work, for the purposes of better understanding driver operation and reversing a well-known driver to see its output in IDA to build a "base case" and discover various effects of WDK/MSVC optimizations.

You will apply both static analysis with IDA to understand the source code and behaviour of the drivers (no obfuscation will be employed, so knowledge in such mechanisms is not a prerequisite), as well as dynamic analysis through debugging and analysis tools presented earlier to determine the effect that the driver is having on the system.

For buggy drivers, you will have to provide some possible exploit code or at least an analysis of how the bug could be exploited by an unprivileged user-mode client. We may also look at several types of kernel-mode shellcode possibilities.

Finally, we will take a look at certain examples of plain C code, that contains well-known bugs, as well as certain harder-to-spot bugs within the specific context of running in a Windows kernel environment.

Class Requirements

IMPORTANT: This training isn't for reverse engineering beginners, and none of the basic stuff will be presented. You should be able to understand x86 assembly to take this course, but knowledge of obfuscation, packing, etc, is not required. Basic knowledge of Windows, Intel architecture, and operating systems is required -- you should know what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about segmentation and virtual memory/paging, etc.

VMware Player or Workstation is recommended with an installed version of Windows 7. 32-bit or 64-bit is fine -- you may prefer 32-bit if that is the disassembly you are most familiar with and/or want to use Hexrays. As well, development in class will be done on 32-bit targets to avoid signing issues and Patchguard, but 64-bit internals and Windows-specific changes will be covered.

You must have a Windows machine to attend, on which you have the latest version of the WDK (Windows Driver Kit) installed. You should have Visual Studio 2010 with the C/C++ compilers (Express Edition is fine). Legal IDA Pro license (5.5 or higher, 6.0 recommended). Hexrays helpful, but not required.


Alex is coauthor of Windows Internals 5th edition and is currently working on the 6th Edition. He teaches Windows OS internals to Microsoft employees and other security and government organizations worldwide through David Solomon Expert Seminars as well as his own company, Winsider Seminars & Solutions Inc., which also produces low-level system tools. He has also had the chance to contribute to some of Mark Russinovich's Sysinternals tools, such as Process Explorer. He is also very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel and presenting talks at conferences such as Blackhat and Recon.

Previously, Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/2003 written from scratch, where he wrote most of the NT-based kernel. In the last four years, he has also contributed to patches and development in two major commercially used operating system kernels.

To Register

To register for a training session, download and fill this file and mail it to registration.training2011 recon cx