Windows Internals for Reverse Engineers
Alex Ionescu

Introduction

Class Outline

• Part 1: WinDBG Zero to Hero
  
  You will be presented with many WinDBG/KD commands, as well as how to write your own scripts. You’ll spend a good few hours learning WinDBG tricks that will save you hours of time and effort, and turn your WinDBG-fu from white belt to WinDBG sensei. You’ll also never call it “Win DEE BEE GEE” again. For complete mastery, you’ll move on to learning about the new NatVis Debugger Data Model, which includes support for LINQ, Anonymous Types, Lambda Functions, and more.
  
  
• Part 2: Windows OS and CPU Architecture
  
  You’ll be exposed to low-level CPU details such as segmentation and task gates, things you probably thought didn’t matter since 1986 anymore, but which still drive core Windows architecture today. Never again will you think [fs:18h] is a magic constant. Both x86 and x64 will be covered, and you’ll also learn about how ARM does some of these things and how Windows Mobile interacts with the ARM chip. A quick look at ARM64 will also make the rounds. Security features such as SMEP and SGX will be par for the course, and we’ll see the facilities that Windows provides to use them. Finally, we’ll see how the hypervisor adds its own layer of security mechanisms using Virtual Trust Levels and SLAT.
  
  We’ll then move our focus toward understanding the behavior and operation of the Windows Kernel. Core topics such as interrupts, DPCs, APCs, system calls, timers, scheduling and memory management will be discussed at the architectural level. You are expected to already be familiar with some of these ideas – for example, on the topic of memory management, it is not about how to use malloc, but rather about the complexities of and effects of the algorithms used by Windows when managing pages.
  
  
• Part 3: Windows Kernel Mode Reverse Engineering, Vulnerability Analysis, and Forensics
  
  You will learn the various data structures used by bookkeeping and internal consistency and management of key system components such as the ALPC subsystem that powers RPC, as well as core mechanisms and objects such as threads, processes, and jobs, and how these fields can affect the operation of the system in ways that malicious code can control.
  
  You’ll learn about the Windows Memory Manager and its many bookkeeping data structures both at the virtual memory and physical memory layer and how they can both be used to identify hidden code at runtime, as well as used forensically for gathering data about an attack. We’ll also cover shared memory objects, and the dangers that lie within – including a few live samples of bugs nobody cares to fix.
  
  Finally, it’s not just all about the kernel! You’ll also discover how Windows’ Subsystem Model affects the execution of code and abstraction of various system components and we’ll take a look at the Windows Subsystem specifically, and how past and present CSRSS vulnerabilities can be used to escape sandboxes and attack the kernel. The Windows Subsystem extends its claws into the kernel through the window manager (Win32k.sys) and its data structures and behaviors will also be in the purview of our class. We will be using deprecated and unsupported debugger extensions to peer into aspects of Win32k.sys that few have looked at before – except those that find new kernel vulnerabilities in it by the minute.
  
  Finally, we will take a look at certain examples of plain C code that contain well-known bugs, as well as certain harder-to-spot bugs within the specific context of running in a Windows kernel environment.

Class Requirements

• Prerequisites

  IMPORTANT: It’s helpful to understand x86/x64/ARM assembly to take this course, but knowledge of obfuscation, packing, etc., is not required.
  
  Basic knowledge of Windows, processor architecture, and operating systems is helpful – you should have some vague idea of what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about virtual memory/paging, etc.

• Minimum Software to Install

  You must have a Windows machine to attend, and you should have the Windows Driver Kit 10 release for Threshold 2 or later (10586 / 1511), which you can freely grab from the Windows Hardware Portal or MSDN.
  
  A virtual machine (VirtualBox is strongly preferred – configured in EFI + Hyper-V mode for best performance) is recommended with an installed version of Windows 10. Locally, any version of Windows 7 or Windows 8, 32-bit or 64-bit is fine – you may prefer 32-bit if that is the disassembly you are most familiar with and/or want to use Hexrays. You should install the Windows Driver Kit on your host – not the VM. If you have a Linux or Mac device, then you may either install the Windows Driver Kit on the VM itself, or, better yet, use two separate virtual machines.
  
  The instructor will use a 64-bit Windows 10 device, with Windows 8.1 and Windows 7 32-bit VMs.
  
  IDA/Hexrays helpful, but not required.