Kernel Architecture
This section discusses the kernel mode infrastructure provided by Windows, its key architectural features, components and mechanisms. It covers details of the threading model, virtual address space, native API calls, the handle table, object management and exception handling from the kernel's perspective. Attendees will learn about the similarities and differences between the user mode and kernel mode environments in Windows and their implications for development and debugging.
Kernel Execution Environment
Unlike user mode where executable code runs only in the context of an application thread, driver code can run under various contexts like ISRs, DPCs, APCs, system worker threads and user mode threads. This section focuses on these different execution environments and discusses the restrictions that apply to each one of them. Attendees will learn about the usage model of these environments and how to avoid common pitfalls associated with them.
Kernel Synchronization
The Windows kernel provides quite a few synchronization mechanisms, such as events, semaphores, mutexes, ERESOURCEs and spin locks, to driver developers. This section covers these mechanisms, highlights the key differences between them and discusses the design trade-offs. The data structures used to implement these mechanisms and the debugger commands that apply to them are discussed with the intention of familiarizing attendees with their use in debugging deadlocks and livelocks.
Memory Management
Compared to user mode applications, drivers can exercise far more control over memory allocation and usage. This section covers some of the key concepts related to kernel mode memory management. It discusses the layout of the system virtual address space, page table entries for x86, x64 and ARM, the PFN database, MDLs, kernel memory pools and look-aside lists. Attendees will gain a solid understanding of the behind-the-scenes implementation of the kernel memory management APIs and how to use them effectively in device drivers.
I/O Management
Device drivers interact with the I/O manager using data structures such as driver objects, device objects (FDO, PDO, FiDO), symbolic links, file objects and I/O request packets. This section provides an architectural overview of these structures, their mutual relationships and how drivers use them to implement functionality such as PnP, data transfer between user mode and kernel mode, synchronous and asynchronous I/O processing, I/O completion, I/O cancellation and I/O request filtering. Attendees will learn how to interpret the information displayed by the debugger commands and use it to gather information about device drivers and I/O operations in the system.