Insight into Windows Internals

This training delivers basic knowledge of the core components and inner working principles of the Windows 10 operating system (e.g., objects, handles, memory management functionalities). It includes hands-on exercises for analyzing the implementation and operation of these components. The training covers topics that are essential for conducting reverse-engineering, debugging, and other analysis tasks in the context of Windows.

This training focuses on the traditional (non-virtualized) architecture of Windows 10. However, it also takes into account virtualization as a factor driving a major change in the architecture of Windows systems, first introduced in Windows 10.


Agenda

  • Introduction to the Windows debugger (WinDbg): this includes exercising a variety of debugging scenarios, such as early-boot debugging, kernel-mode debugging, and user-mode debugging
  • Overview and analysis of the core components of Windows, deployed in kernel- and user-land
    • Traditional Windows architecture
      • Objects
      • Handles
      • Drivers
      • Memory management functionalities
      • System calls
      • Processes and threads
      • System services and system support processes
    • Virtualized Windows architecture
      • Virtual Secure Mode (VSM)
      • Hyper-V
      • Partitions
      • Virtual Trust Levels (VTLs)
      • Communication interfaces between partitions

Prerequisites

  • Familiarity with Windows and basic knowledge of computer architecture.

Requirements

  • Laptop with administrative privileges and VirtualBox installed; the laptop should have more than 8 GB RAM and more than 200 GB free disk space.

About the Speakers