This course takes a deep dive into the internals of the Windows kernel from a security perspective. Attendees learn about behind the scenes working of various components of the windows kernel with emphasis on internal algorithms, data structures and debugger usage. Every topic in this course is accompanied by hands-on labs that involve extensive use of the kernel debugger (WinDBG/KD) with emphasis on interpreting the debugger output and using this information to understand the state and health of the system. Attendees also analyze pre-captured memory dumps to identify kernel rootkits and dissect rootkit behavior.
Understand the major components in the Windows Kernel and the functionality they provide
Understand the key principles behind the design and implementation of the Windows kernel
Understand the internal workings of the kernel and how to peer into it using the debugger
Be able to investigate system data structure using kernel debugger extension commands
Be able to interpret the output of debugger commands and correlate them to the state of the system
Be able to navigate between different data structures in the kernel, using debugger commands
Be able to locate indicators of compromise while hunting for kernel mode malware
Understand how kernel mode rootkits and commercial anti-malware interact with the system
The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.