0% found this document useful (0 votes)
11 viewsWindows Kernel Programming
The Windows Kernel Programming course is a 5-day program aimed at experienced Windows developers interested in kernel mode driver development. Participants will learn the Windows kernel driver programming model, write drivers for process and thread monitoring, and utilize kernel hooking mechanisms, among other objectives. The course covers various modules including Windows internals, I/O systems, device driver basics, and advanced topics, with practical labs to reinforce learning.
Uploaded by
WaleedCopyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
11 viewsWindows Kernel Programming
The Windows Kernel Programming course is a 5-day program aimed at experienced Windows developers interested in kernel mode driver development. Participants will learn the Windows kernel driver programming model, write drivers for process and thread monitoring, and utilize kernel hooking mechanisms, among other objectives. The course covers various modules including Windows internals, I/O systems, device driver basics, and advanced topics, with practical labs to reinforce learning.
Uploaded by
WaleedCopyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
/ 4
Windows Kernel Programming
Course Summary Table
Duration: 5 Days
Target Audience: Experienced windows developers, interested in developing
kernel mode drivers
Objectives: • Understand the Windows kernel driver programming
model
• Write drivers for monitoring processes, threads, registry
and some types of objects
• Use documented kernel hooking mechanisms
• Write basic file system mini-filter drivers
Pre-Requisites: • At least one year of experience working with the
Windows API (user mode)
• Basic understanding of Windows OS concepts such as
processes, threads, virtual memory and DLLs
Software • Windows 10 or 11 64 bit (any SKU, latest stable version)
requirements: • Visual Studio 2019 or 2022 (any SKU) + latest update
• Windows 11 SDK (latest)
• Windows 11 WDK (latest)
• Virtual Machine for testing and debugging
Instructor: Pavel Yosifovich
Abstract
The cyber security industry has grown considerably in recent years, with more sophisticated
attacks and consequently more defenders. To have a fighting chance against these kinds of
attacks, kernel mode drivers must be employed, where nothing (at least nothing from user
mode) can escape their eyes.
The course provides the foundations for the most common software device drivers that are
useful not just in cyber security, but also other scenarios, where monitoring and sometimes
prevention of operations is required. Participants will write real device drivers with useful
features that can then be modified and adapted to their particular needs.
Syllabus
• Module 1: Windows Internals quick overview
o Processes
o Virtual memory
o Threads
o System architecture
o User / kernel transitions
o Introduction to WinDbg
o Windows APIs
o Objects and handles
o Summary
• Module 2: The I/O System
o I/O System overview
o Device Drivers
o The Windows Driver Model (WDM)
o The Kernel Mode Driver Framework (KMDF)
o Other device driver models
o Driver types
o Software drivers
o Driver and device objects
o I/O Processing and Data Flow
o Accessing devices
o Asynchronous I/O
o Summary
• Module 3: Device Drivers Basics
o Setting up for Kernel Development
o Basic Kernel types and conventions
o C++ in a kernel driver
o Creating a driver project
o The kernel API
o Strings
o Linked Lists
o The DriverEntry function
o The Unload routine
o Installation
o Testing
o Debugging
o Summary
o Lab: write and deploy a simple driver; debug a driver
• Module 4: The I/O Request Packet
o Creating a device object
o Exporting a device name
o Building a driver client
o Driver dispatch routines
o Introduction to I/O Request Packets (IRPs)
o Completing IRPs
o Accessing User Buffers
o Handling DeviceIoControl calls
o Handling Asynchronous Operations
o Summary
o Lab: access any process; use Direct I/O
• Module 5: Kernel mechanisms
o Interrupt Request Levels (IRQLs)
o Deferred Procedure Calls (DPCs)
o Dispatcher objects
o Low IRQL Synchronization
o Spin locks
o Driver-Created Threads
o Work items
o Timers
o Summary
• Module 6: Process and thread monitoring
o Motivation
o Process creation/destruction callback
o Specifying process creation status
o Thread creation/destruction callback
o Notifying user mode
o Writing a user mode client
o Preventing potentially malicious processes from executing
o Summary
o Lab: ProcMon-like process/thread operation monitoring
• Module 7: Object and Registry notifications
o Process/thread object notifications
o Pre and post callbacks
o Registry notifications
o Performance considerations
o Reporting results to user mode
o Summary
• Module 8: File system mini filters
o File system model
o Filters vs. mini filters
o The Filter Manager
o Filter registration
o Pre and Post callbacks
o File name information
o Contexts
o File system operations
o Filter to user mode communication
o Debugging mini-filters
o Lab: preventing certain file deletion
o Summary
• Module 9: Advanced Topics (as time permits)
o Using Native APIs
o Advanced Memory Management
o Trace Logging
o Hooking Drivers
o Plug & Play
o IRP Propagation
o Writing Generic Filter Drivers
o Completion Routines
o Driver Verifier
o Introduction to KMDF
o Labs: filter driver; KMDF software driver