Exclusively from the co-author of the Windows Internals book series from Microsoft Press, come learn the internals of the Windows NT kernel architecture, including Windows 10 “Redstone 5” and the upcoming “Redstone 6”, as well as Server 2019, in order to learn how rootkits, PLA implants, NSA backdoors, and other kernel-mode malware abuse the various system functionalities, mechanisms and data structures in order to do their dirty work. Also learn how kernel-mode code operates and how it can be subject to attack from user-mode callers to elevate their privileges. Finally, learn how CPU architecture deeply ties into OS design, and how Intel’s, QC’s and AMD’s mistakes can lead to more pwnage. This course is only taught twice a year, and this is your one and only chance to attend it in Europe!
We’ll cover the new Windows 10 kernel changes, including the introduction of Virtual Trust Levels (VTL) combined with Virtualization Based Security (VBS) to make pass-the-hash attacks virtually impossible, Hyper-Visor Code Integrity (HVCI) to prevent unsigned kernel code execution, even with Ring 0 vulnerabilities, as well as new mitigations such as Kernel Control Flow Guard (CFG) and Intel Control Flow Enforcement Technology (CET) to protect against exploitation. We’ll go inside the Octagon and learn about System Guard Runtime Assertions and the rewritten Secure Launch framework that leverages Intel TXT for new DRTM-based attestation.
Windows 10 builds upon many Windows 8.1 mechanisms such as Protected Process Light and custom Code Signing Policies, so we’ll review this as well, plus new Windows 8 kernel features (AppContainer, Secure Boot, and more) relevant to
driver operation and exploitation techniques will be discussed, including an overview of over two dozen new security mitigations that have been added to the operating system.
We’ll see how these changes to the architecture have dramatically constrained exploit techniques. Windows 7 kernel changes will be discussed too, such as the new Object Manager data structures.
Throughout the class, we’ll focus on using various techniques and tools to inspect the Windows kernel for consistency, tracing its operation, and editing it, as well as ways in which offensive and defensive attackers can mess with the system’s state in unexpected, “clean” ways. We’ll also take a look at several examples of malicious and/or buggy drivers in a given Windows system, as well as architectural bugs over Windows’ lifetime.
Attendees will receive a physical handout of the entire course materials for future reference, plus a full set of 40+ WinDbg scripts that the instructor has written over his lifetime, and all commands/outputs that were used in the course. Live paste-board sharing will be available to facilitate learning.
You’ll be exposed to low-level CPU details such as segmentation and task gates, things you probably thought didn’t matter since 1986 anymore, but which still drive core Windows architecture today. Never again will you think [fs:18h] is a magic constant. Both x86 and x64 will be covered and we might take a look at QC’s ARM64 SoC on Windows 10 depending on market success. Security features such as SMEP, SGX, CET, UMIP will be par for the course, and we’ll see the facilities that Windows provides to use them. Finally, we’ll see how the hypervisor adds its own layer of security mechanisms using VTLs, SLAT, IOMMU and MBEC.
We’ll then move our focus toward understanding the behavior and operation of the Windows Kernel. Core topics such as interrupts, IRQLs, DPCs, APCs, system calls, user-mode callbacks, timers, scheduling and memory management will be discussed at the architectural level. You are expected to already be familiar with some of these ideas – for example, on the topic of memory management, it is not about how to use malloc, but rather about the complexities of and effects of the algorithms used by Windows when managing pages.
You will learn the various data structures used by bookkeeping and internal consistency and management of key system components such as the ALPC subsystem that powers RPC, as well as core mechanisms and objects such as threads, processes, and jobs, and how these fields can affect the operation of the system in ways that malicious code can control.
You’ll learn about the Windows Memory Manager and its many bookkeeping data structures both at the virtual memory and physical memory layer and how they can both be used to identify hidden code at runtime, as well as used forensically for gathering data about an attack. We’ll also cover shared memory objects, and the dangers that lie within – including a few live samples of bugs nobody cares to fix.
Finally, it’s not just all about the kernel! You’ll also discover how Windows’ Subsystem Model affects the execution of code and abstraction of various system components and we’ll take a look at the Windows Subsystem specifically and how extends its claws into the kernel through the window manager (Win32k.sys) and its data structures and behaviors will also be in the purview of our class. We will peering into aspects of Win32k.sys that few have looked at before – except those that find new kernel vulnerabilities in it by the minute, and explain its recent separation into the Win32kbase and Win32kmin and Win32kfull components.
IMPORTANT: It’s helpful to understand x86/x64/ARM assembly to take this course, but knowledge of obfuscation, packing, etc., is not required.
Basic knowledge of Windows, processor architecture, and operating systems is helpful – you should have some vague idea of what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about virtual memory/paging, etc.
You must have a Windows machine to attend, and you should have the Windows Driver Kit 10 release for Redstone 5 or later (17826 / 1809), which you can freely grab from MSDN.
A virtual machine (VirtualBox is strongly preferred – configured in EFI + Hyper-V mode for best performance) is recommended with an installed version of Windows 10. Locally, any version of Windows 7 or Windows 8, 32-bit or 64-bit is fine – but you may prefer using the latest version possible. You should install the Windows Driver Kit on your host – not the VM. If you have a Linux or Mac device, then you may either install the Windows Driver Kit on the VM itself, or, better yet, use two separate virtual machines.
The instructor will use a 64-bit Windows 10 device, with Windows 8.1 and Windows 7 32-bit VMs.
IDA/Hexrays helpful, but not required.
Alex Ionescu is the Vice President of EDR Strategy and Founding Chief Architect at CrowdStrike, Inc. Alex is a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last three editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as a few dozen non-security bugs.
Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low- level system software, reverse engineering and security trainings for various institutions. In the last three years, he has also contributed to patches and development in two major commercially used operating system kernels.