Windows Internals for Reverse Engineers


Instructor:  Yarden Shafir
Dates:  June 5 to 8 2023
Capacity:  25 Seats






Covering Windows 11 (22H2), the upcoming Windows 11 “Copper” (23H2), and Server 2022, you’ll unravel the secrets of how bootkits, software supply chain implants, backdoors, and other kernel and firmware malware work. You’ll learn how they, and others, abuse various system functionality, obscure mechanisms, and data structures, in order to do their dirty work, and how you can too defend against it!

 

You’ll observe and experiment with how kernel-mode code operates and how it can be subject to compromise by user-mode attackers wishing to elevate their privileges, as well as how to detect, both live and forensically, such attempts. Finally, you’ll learn about how CPU architecture deeply ties into OS design, and how Intel’s and AMD’s mistakes can lead to more pwnage.

 

We’ll cover the new Windows 11 kernel changes, including Kernel Data Protection (KDP), eXtended Control Flow Guard (XFG), and Kernel Control-flow Enforcement Technology (KCET), and explain how the Trusted Platform Module (TPM) is used for Measured Boot. We’ll go inside the Octagon and learn about System Guard Runtime Assertions and the rewritten Secure Launch framework that leverages Intel TXT and AMD SKINIT for new DRTM-based attestation.

 

Of course, we’ll also discuss key Windows 10 fundamentals such as Virtual Trust Levels (VTL) combined with Virtualization Based Security (VBS), and how these technologies allow Hyper Visor Code Integrity (HVCI) and Kernel Control Flow Guard (KCFG) to prevent unsigned kernel code execution, even when faced with Ring 0 vulnerabilities, while also powering Biometric Isolation and Credential Guard, make pass-the-hash attacks virtually impossible. Enclaves and Attestation, both through Software Guard Extensions (SGX) and VBS, and TPM-based Measured Boot, will also be on the menu.

 

Windows 10 builds upon many Windows 8.1 mechanisms such as Protected Process Light and custom Code Signing Policies, so we’ll review this as well, plus new Windows 8 kernel features (AppContainer, Secure Boot, and more) relevant to driver operation and exploitation techniques will be discussed, including an overview of over two dozen new security mitigations that have been added to the operating system.

 

We’ll see how these changes to the architecture have dramatically constrained exploit techniques. Windows 7 kernel changes will be discussed too, such as the new Object Manager data structures.

 

All while learning the theory, you will use tools such as WinDbg, SysInternals Tools and Process Hacker to analyze, poke, and prod kernel-mode Windows components, as well as write your own debugger commands leveraging the new NatVis/LINQ predicate and capabilities, as well as write some JavaScript (ECMAScript 6) scripts using their new debugger engine.

 

Throughout the class, we’ll focus on using various techniques and tools to inspect the Windows kernel for consistency, tracing its operation, and editing it, as well as ways in which offensive and defensive attackers can mess with the system’s state in unexpected, “clean” ways. We’ll also give several examples of malicious and/or buggy drivers in a typical Windows system, as well as architectural bugs over Windows’ lifetime.

 

Attendees will receive a physical handout of the entire course materials for future reference, plus a full set of 40+ WinDbg scripts that the instructors have written over their lifetime, and all commands/outputs that were used in the course. Live paste-board sharing will be available to facilitate learning.


 


 


Class OUTLINE

 

 

Part 1: WinDBG Zero to Hero


You will be presented with the many ways in which Windows kernel debugging works, from legacy named pipe debugging to modern high-speed Network Debugging, as well as the various official and unofficial ways to setup local and live debugging. You’ll spend a good few hours learning WinDbg tricks that will save you hours of time and effort, turning your WinDbg-fu from white belt to WinDbg sensei. You’ll also never call it “Win DEE BEE GEE” again. For complete mastery, you’ll move on to learning about the new NatVis Debugger Data Model, which includes support for LINQ Predicates, Anonymous Types, Lambda Functions, and more. We’ll wrap up by learning how to use the new JavaScript-based (ES6) scripting engine and integrate with exciting technologies such as Time Travel Debugging (TTD). 




Part 2: Windows OS Design and CPU Architecture


You’ll be exposed to low-level CPU details such as segmentation and task gates, things you probably thought didn’t matter since 1986 anymore, but which still drive core Windows architecture today. Never again will you think [gs:60h] is a magic constant. Both x86 and x64 will be covered and we might take a look at QC’s ARM64 SoC on Windows 10 depending on market success. Security features such as SMEP, SMAP, SGX, CET, UMIP will be part of the course, and we’ll see the facilities that Windows provides to use them. Finally, we’ll see how the hypervisor adds its own layer of security mechanisms using VTLs, SLAT, IOMMU and MBEC. We’ll then move our focus toward understanding the behavior and operation of the Windows Kernel. Core topics such as interrupts, IRQLs, DPCs, APCs, system calls, user-mode callbacks, timers, scheduling and memory management will be discussed at the architectural level. You are expected to already be familiar with some of these ideas – for example, on the topic of memory management, it is not about how to use malloc, but rather about the complexities of and effects of the algorithms used by Windows when managing pages. 




Part 3: RUNTIME AND MEMORY ANALYSIS, EXECUTIVE SUBSYSTEMS


You will learn the various data structures used by bookkeeping and internal consistency and management of key system components such as the ALPC subsystem that powers RPC, as well as core mechanisms and objects such as threads, processes, and jobs, and how these fields can affect the operation of the system in ways that malicious code can control. 

 

You’ll see the various boundaries and containers that control code execution – from AppContainer to Application Package, to Fiber to Job to Silo, and discuss Critical, Secure, Pico and Minimal Processes. You’ll learn about the Windows Memory Manager and its many bookkeeping data structures both at the virtual memory and physical memory layer and how they can both be used to identify hidden code at runtime, as well as used forensically for gathering data about an attack. We’ll also cover shared memory objects, and the dangers that lie within – including a few live samples of bugs nobody cares to fix. Interesting but not well-understood kernel components, such as Extension Hosts, Windows Notification Facility (WNF) and Callback Objects will be described, and opportunities for their misuse. 

 

Finally, it’s not just all about the kernel! You’ll also discover how Windows’ Subsystem Model affects the execution of code and abstraction of various system components and we’ll take a look at the Windows Subsystem specifically and how extends its claws into the kernel through the window manager (Win32k.sys) and its data structures and behaviors will also be in the purview of our class. We will be peering into aspects of Win32k.sys that few have looked at before – except those that find new kernel vulnerabilities in it by the minute, and explain its separation into the Win32kbase and Win32kmin and Win32kfull components and continued evolution through concepts such as Core Messaging, and the removal of Simple Calls. 





Prerequisites:


IMPORTANT: It’s helpful to understand x86/x64 assembly to take this course, but knowledge of obfuscation, packing, etc., is not required.


Basic knowledge of Windows, processor architecture, and operating systems is helpful – you should have some vague idea of what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about virtual memory/paging, etc. 



Minimum Software to install:


You must have a Windows machine to attend, and you should have the Windows Driver Kit 11 release for 22H2 or later (22621), which you can freely grab from MSDN.


A virtual machine (VirtualBox or Hyper-V are strongly preferred – configured in UEFI + Hyper-V mode for best performance) is recommended with an installed version of Windows 11. Locally, any version of Windows 7 or above, 32-bit or 64-bit is fine – but it’s strongly preferred you bring a Windows 10 or 11 box. You should install the Windows Driver Kit on your host – not the VM. If you have a Linux or Mac device, then you may either install the Windows Driver Kit on the VM itself, or, better yet, use two separate virtual machines.

 

The instructors will use a 64-bit Windows 11 device, with 32-bit VMs.

 

GHIDRA/IDA/HexRays helpful, but not required.





Bio


Yarden is a senior security researcher at Trail of Bits and a consultant for Winsider Seminars & Solutions Inc.,co-teaching security trainings. Previously she worked at CrowdStrike and SentineOne, working on EDR features and Windows research.Outside of her primary work duties, Yarden writes articles and tools and gives talks about various topics such as Pool internals, CET internals, extension host hooking and kernel exploit mitigations.Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.



To Register

Click here to register.