This course takes a deep dive into the internals of the Windows kernel from a security perspective. Attendees learn about behind the scenes working of various components of the windows kernel with emphasis on internal algorithms, data structures and debugger usage. Every topic in this course is accompanied by hands-on labs that involve extensive use of the kernel debugger (WinDBG/KD) with emphasis on interpreting the debugger output and using this information to understand the state and health of the system. Attendees also analyze pre-captured memory dumps to identify kernel rootkits and dissect rootkit behavior.
Learning Objectives
- Understand the major components in the Windows Kernel and the functionality they provide
- Understand the key principles behind the design and implementation of the Windows kernel
- Understand the internal workings of the kernel and how to peer into it using the debugger
- Be able to investigate system data structure using kernel debugger extension commands
- Be able to interpret the output of debugger commands and correlate them to the state of the system
- Be able to navigate between different data structures in the kernel, using debugger commands
- Be able to locate indicators of compromise while hunting for kernel mode malware
- Understand how kernel mode rootkits and commercial anti-malware interact with the system
Framework Connections
The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):
Specialty Areas
- Technology R&D