| 1. |
Introduction |
|
3 (4) hours |
|
Windows Kernel Architecture, detailed. Various components, executables and libraries that make up the core of the Windows Operating System. OS Services. System Call Table. Dispatching System Calls
- Windows System architecture
- Quick user mode refresher
- Windows Boot Process
- Windows 8 fast boot
- Session Manager
- WinInit (7,8)
- Services.exe and svchost.exe
- Desktops and Window Stations
|
| 2. |
Compiling and Debugging Drivers |
|
1 (2) hours |
|
- WDK - The Windows Driver Kit
- WDF - The Windows Driver Foundation
- SysInternals Tools
- Process Monitor
- WinObj
- DbgView
- WinDBG and KD - The Debuggers of choice
- Debugging on Intel vs. ARM
|
| Day 2 |
| 3. |
Kernel Survival Guide |
|
4 hours |
|
This module discusses the main considerations of Kernel mode programming. It explores the differences from "traditional" user mode, and focuses on key concepts.
- Basic kernel programming constraints
- Interrupt Request Levels (IRQLs)
- Synchronization objects
- Spinlocks
- Mutexes
- Classic
- Fast
- Guarded Mutexes (XP and later)
- Semaphores
- Events
- The Kernel Object Manager
- RTL functions
|
| 4. |
Creating a device driver |
|
2 (4) hours |
|
Device Drivers in Windows are no more than simple DLLs, with some modifications to allow them to operate in Kernel space. This module discusses the implementation issues of a simple Windows Device Driver - Creating, installing and debugging.
- Basic Device Driver Structure
- Driver entry and exit points
- The Windows driver object
- "Hello, Kernel" - Creating a simple device driver
- Installing your driver
- Using a .inf file
- Using the service control manager
|
| Day 3 |
| 5. |
Handling Devices |
|
2 hours |
|
Most drivers are used to represent a logical or physical device. This module discusses how to create and handle devices from the driver's perspective, as well as how to interface and stack on top of other, pre-existing devices.
- Windows Devices
- Device I/O Operations
- Opening and closing a device
- Reading and writing data
- I/O control operations
- Plug & Play operations
- Attaching to pre-existing devices
- Handling Plug & Play notifications - Detecting device insertion and removal
|
| 6. |
I/O in Device Drivers |
|
3 (5) hours |
|
The Windows I/O model is an inherently asynchronous model that serves individual I/O requests in the form of "I/O Request Packets" (IRPs). IRPs, which are created by the I/O Manager when user-mode I/O operations are requested, flow through and between various Kernel components and drivers.
- Windows I/O model
- Handling IRPs in the Kernel
- Handling I/O Errors - IRP Cancellation
- IRP Modes - Synchronous vs. Asynchronous
- Interfacing with User Mode via IRPs
|
|
This module explores the Windows Driver Foundation - The new and preferred successor to the Windows Driver model. We explain the basic concepts of WDF, and cover two very different driver types: UMDF and KMDF
- WDM vs. WDF
- The basic concepts of WDF
- User mode drivers vs. kernel mode
- The kernel mode driver framework - KMDF
- Driver architecture
- Sample Driver
- The user mode driver framework - UMDF
- Drivers as COM objects
- Sample Driver
|
| Day 4 |
| 8. |
Kernel Network Architecture |
|
3 (4) hours |
|
The Network Driver Interface Specification (NDIS) is a fully independent programming environment in the Kernel that aims to standardize network adapter drivers. Introduced back in 16-bit Windows, it is still supported and updated by Microsoft, and is also supported in Linux (using the open-source "NDISWrapper" Tool). While NDIS drivers can call standard Kernel APIs, a properly-coded driver uses only the self-contained function calls, allowing for portability.
This module provides an overview of the Windows Network Architecture - from user mode sockets (WinSock), through the Kernel network stack, and particularly NDIS. It provides an introduction to the key concepts of NDIS driver writing, and focuses on the many features of the various NDIS versions.
- Windows Networking Architectural Overview
- WS2_32.DLL - The WinSock API Layer
- Network IPC mechanisms - Pipes and MailSlots
- The Windows RPC Stack
- The Winsock Service Provider Interface
- The Transport Driver Interface (up to Windows Vista)
- Protocols and Adapters
- Introducing NDIS
- NDIS Device Driver Types:
- NDIS 5/6 Miniports
- NDIS 5/6 Protocols
- NDIS 5 Intermediates
- NDIS 6 Filters
- NDIS Version differences and idiosyncrasies
- NDIS 5 - Windows 2000
- NDIS 5.1 - Windows XP, 2003
- NDIS 6 - Windows Vista
- NDIS 6.1 - Windows Server 2008
- NDIS 6.2 - Windows 7
- NDIS 6.3 - Windows 8
|
| Day 5 |
| 9. |
Kernel Hacking and Patching |
|
4 (6) hours |
|
Kernel "Hacking" or "Patching" refers to the techniques used by security software and malware alike to intercept, protect and subvert system calls and Kernel services. These undocumented and often obscure techniques allow the manipulation of Kernel object and hiding of code so it runs undetected. Kernel-based malware, often called "rootkits", use these techniques to render themselves invisible and undetectable, while retaining full functionality.
- DKOM - Direct Kernel Object Manipulation
- Hiding your device driver
- Kernel code patching
- System call hooking
- Detours
- IRP Hijacking
- Interrupt gate overriding
- SYSEnter redirection
- Detours
- Surreptitiously installing your driver
- Vista enhancements - Patchguard
|
