Windows Internals (ON-SITE TRAINING)

This 2-days training is for anyone who wants to know how Windows works, how to understand what is happening behind the stage and how to interface with it effectively. Whether you want to analyze malware, understand (un)-documented stuff in the system, developer or just curious, there is a place for you here.

This training aims to give the audience some knowledge about the Windows operating system and practicing reverse-engineering. On the first hand, the training based on Windows 11 begins with an introduction to how the operating system works with main components, main services, objects architecture, scheduling, memory management, security, programming, etc. We will dive more and more in detail according to the expectations of the group. The course is theoretical but also practical through various small labs to interact with Windows. The objective is to understand what these various elements are used for, how they work internally but also how to interface with them via the Windows API.

On the second hand, we will present the basics of reverse engineering. First, we will recall how a processor works, then we will see the assembly language in order to write some (small) programs. Maybe also the occasion to see some bugs with compilers/debuggers, who knows… At the end, we will practice with various reverse engineering software, namely IDA and Windbg.

In the end, members of the public will have a better knowledge of Windows and more practice in reverse engineering. Knowing how works Windows could help to solve problems that seemed impossible from a system or application perspective in addition to better understand the benefits provided by the operating system or hardware.

It should be noted that this course remains an introduction to each of these fields. It is also possible, depending on the questions and needs (and the possibility to answer them), to modify the course according to the requests the same day.

Day 1

  • Introduction to Windows internal
    • General architecture
    • Windows’ versions
  • Windows basics
    • CPU Protection level
    • Virtual memory & address space layout
  • Windows key concepts & components
    • Process, threads, jobs, fiber, UMS…
    • Objects handles and security
    • Windows desktops and sessions
    • Hypervisor, core OS kernel, drivers, HAL, NTDLL, Win32k…
    • Main user mode components/services
  • Windows subsystem & API
    • Win32, POSIX, OS/2, WinRT, Pico Process, WSL 1&2
  • Some security components
    • SGX enclave, TPM, VBS, VSM, VTL-X
  • System calls, kernel/hypervisor
    • Probe/capture
    • Memory paging
    • Processor mode & hooking API
    • Wow64
  • Through the day, practice: Mastering Windbg
    • Presentation of Windbg
    • First steps debugging with Windbg
    • More advanced procedures with Windbg

Day 2

  • Assembly programming
    • First steps with MASM32
    • Assembly programming
      • Some history about CPU (optional)
      • Main concepts with assembly programming
      • Registers, stack, sysenter/syscall, segment code, scheduler & thread context
      • Instructions
        • Intel documentation
        • Most useful instructions
      • Writing some small programs with MASM and debugging with Windbg
        • From C code to Assembly code (and vice-versa)
        • Calling conventions (cdecl/stdcall/x64)
        • MZ-PE format details
      • Through the day, practice: Reverse engineering
        • Writing small programs in assembly
        • Windbg & assembly programming
        • Use of IDA software

About the Speaker