Windows Internals

Course Summary Table

Duration: 5 Day
Target Audience: Windows developers and/or researches, interested in getting a deeper
understanding of the internal mechanisms of the windows operating
system
Objectives: Understand the underlying mechanism and advanced services of the
windows OS and use that knowledge to write better and more efficient
programs on windows 7 and later
Pre Requisites: Basic knowledge of OS concepts and architecture
Power-user level working with Windows
At least basic C knowledge is recommended
Application development experience is an advantage

Instructor: Pavel Yosifovich

Abstract

The Windows OS exposes many advanced services to system programmers through the Windows
API, and to device driver writers through the Kernel API. The .NET framework wraps these
services and runs on top of the Windows API and the Kernel.
Good knowledge of what’s going on under the hood of the OS, which services are available and
how to best utilize them helps in building better and more efficient software for Windows. Those
working in the Cyber security space can greatly benefit from the course as it looks at all major
Windows mechanisms. Lab exercises are used to reinforce the theoretical material.

Syllabus

• Module 1: System Architecture

o Brief Windows NT History
o Basic Concepts
o Windows Versions
o Tools
o Processes and Threads
o Virtual Memory
o User mode vs. Kernel mode
o Objects and Handles
o Architecture Overview
o Key Components
o APIs: Win32, Native, .NET, COM, WinRT
o User/kernel transitions
o Introduction to WinDbg
 o System Processes

• Module 2: Processes & Jobs

o Processes Overview
o Process Internals & Data Structures
o Creating and terminating processes
o The loader
o DLL explicit and implicit linking
o Process attributes
o Protected processes and PPL
o UWP Processes
o Minimal and Pico processes
o Jobs
o Nested jobs
o Introduction to Silos

• Module 3: Threads
o Thread basics
o Creating threads
o Processor Groups
o Thread Priorities
o Thread Scheduling
o Thread Stacks
o Thread States
o Affinity
o CPU Sets
o Direct switch
o Thread Synchronization

• Module 4: Kernel Mechanisms

o Trap Dispatching
o Interrupts
o Interrupt Request Levels (IRQLs)
o Deferred Procedure Calls (DPCs)
o Exceptions
o System Crash
o Object Management
o Objects and Handles
o Sharing Objects
o Synchronization
o Synchronization Primitives
o Signaled vs. Non-Signaled
o High IRQL Synchronization
o Windows Global Flags
o Kernel Event Tracing
o Wow64

• Module 5: Memory Management

o Overview
 o Small, large and huge pages
o VMM Services
o Page states
o Address Space Layout
o Address Translation Mechanisms
o The Heap Manager
o APIs in User mode and Kernel mode
o Page Faults
o Page Files
o Workings Sets
o Memory Mapped Files
o Page Frame Database
o Other memory management features (ASLR, compression, enclaves)

• Module 6: I/O System

o I/O System overview
o I/O Function
o Device Drivers
o Plug & Play
o The Windows Driver Model (WDM)
o The Kernel Mode Driver Framework (KMDF)
o I/O Processing and Data Flow
o IRPs
o Power Management
o Driver Verifier
o Writing a Software Driver (if time permits)

• Module 7: Security
o Security components
o Virtualization Based Security
o Credential guard
o User Access Control (UAC)
o Integrity Levels
o Protecting objects
o SIDs
o Tokens
o Privileges
o ACLs
o Access checking
o AppContainers
o Process mitigations