OSR

Windows System Software -- Unique Expertise, Guaranteed Results

Windows Internals & Software Drivers for Microsoft Students

Default Featured Image

Overview

This seminar is designed for Microsoft software engineers and architects who need to understand the details of the major Windows architectural components, as well as how to create software only kernel-mode drivers that serve as “extensions” to the Windows operating system. The seminar includes a review of basic Windows architecture, then discusses the details of driver structure, including the I/O and PnP subsystems, device discovery, enumeration, and I/O request processing. Other extension mechanisms, such as Object Manager, Process Manager, and Registry callbacks are discussed. The seminar also includes in-depth discussions of the Windows Kernel, process and thread instantiation, and the Memory Manager.

During lab sessions, participants create and modify software-only drivers to perform various kernel-mode tasks. Note that this seminar focuses on the development of drivers that service as Windows “operating system extensions” but do not service any hardware. Thus, while the basic concepts of drivers for devices are discussed, the lab sessions focus strictly on the development of software (i.e. pseudo) drivers which typically use “legacy” or “NT V4” style interfaces (as opposed to PnP).

Details

Length: 4 days

Format: Lecture and Lab

Cost and Date: Please see Learning Central for the latest information.

For More Info

Please email OSR’s Seminar Team or call 603-595-6500

Target Audience

Security researchers and engineers involved in security and threat analysis/modeling, who need a solid understanding of key Windows internals and data structures, and the options available to monitor and extend the actions of the Windows operating system. This seminar is also recommended for engineers who need to gain the prerequisite information before attending an OSR File Systems seminar.  This seminar is not appropriate for engineers who need to develop filter drivers for Windows hardware devices. Those students should instead opt for OSR’s Writing WDF Drivers I: Core Concepts seminar.

Prerequisites

This is not a seminar for beginners without knowledge or experience in operating systems. Rather, it is an intense, practical, architectural study of specific parts of the Windows O/S, interspersed with practical exercises. Students attending this seminar will need a good understanding of general O/S concepts and will be well served by starting with at least a basic Windows O/S architectural concepts (such as can be gained by reading Windows Internals by Russinovich, Solomon, and Ionescu).

Due to the hands-on orientation of this seminar, attendees will be assumed to be able to use Windows at a user level, including using Visual Studio (VC++). Working knowledge of the C programming language, and how to read and write to a file using Win32 (CreateFile, ReadFile, WriteFile) are also assumed.

Due to the highly compressed nature of this seminar, we will assume students taking this seminar already know how to compile and link a Windows driver using their team’s internal build environment (which is typically Razzle) or that they can easily learn this after they return from taking this class. In class, we use Visual Studio and the Windows Driver Kit (as described in Note on the Lab Environment, below).

We will also assume that students know the basics of installing, connecting, and using WinDbg. While clever students who have never used WinDbg will be able to learn what they need to know “on the fly” during lab sessions, knowing this info prior to the seminar will ensure that students spend their time during the lab sessions focused on learning core Windows and driver development topics, not on mastering the mechanics of the hooking up the debugger.

Note on the Lab Environment

Starting with Windows 8, the build environment that is used by customers to build drivers for Windows (the Windows Driver Kit) differs greatly from the build environment used internally by most groups.  To avoid syncing an enlistment for each student (and in so doing putting confidential information on lab machines) this class will use Visual Studio and the publically available Windows Driver Kit for labs. But don’t worry: Using the public tools for labs won’t restrict what you learn in the class in any way. Everything you learn in lab will be directly transferable to building and debugging driver code in your team’s internal build environment, whether that environment uses Visual Studio and the WDK, Razzle, or something else.

Hardware Requirement

Each student will need to bring a pre-configured and tested laptop with them to the seminar.  This laptop will be used for doing lab assignments.

The hardware and software requirements for this seminar are described on our OSR Seminar Laptop Setup Requirements page.

You’ll note that the class requires VMware for your laptop.  And you’re probably wondering if you can substitute Hyper-V in place of VMWare in class.  The answer to this is “yes, but we don’t recommend it.”  We want to be able to properly support you during your seminar experience, with answers to your questions and assistance with any problems you may discover.  Because we use VMWare for development internally at OSR, it’s the virtualization platform that we fully understand and that we’re confident we can help you with.  If you *really* want to use Hyper-V, you can… but only if all of the following conditions are true:

  1. You have significant, hands-on, experience configuring and using Hyper-V as a kernel debugging target for driver testing.  This includes configuring the Hyper-V guest system as a debug target for WinDbg running on the host system.
  1. You will not require any help using, installing, configuring, or managing Hyper-V from the OSR seminar staff during your seminar.

If you have any questions, don’t hesitate to contact OSR’s Seminar Team.

After This Seminar

This seminar provides you with the necessary information to attend OSR’s Developing File Systems for Windows seminar.

Seminar Outline

  • Windows Operating System Architecture Overview
    A brief review of the general architecture of the Windows operating system.
  • Kernel Mode and Key Structures
    In this module, we discuss fundamentals of Kernel Mode in Windows, including coverage of key object types (Dispatcher, Control, Executive) and data structures (KPCR, KTHREAD, EPROCESS) that Windows uses.
  • Device Stacks – The Windows I/O Subsystem
    A discussion of how the PnP Manager works with drivers to build stacks of devices through the enumeration process. The role of Function Drivers, Bus Drivers, and Filter Drivers is discussed. PDOs, FDOs, and Filter Device Objects are defined. The relationship of the PnP process to the process of loading “legacy” style drivers is discussed.
  • Installing Legacy Drivers on Windows
    In this section, we discuss how to create installation control files for “legacy” style, software-only drivers. Also included is a brief discussion of PnP (WDM) driver installation using INF files.
  • Building and Debugging
    This section describes how WDM drivers are built using the WDK build environment as well as the basics of how to setup and use the Windows kernel mode debugger, WinDbg.
  • Lab Setting Up the Debugger
  • Lab Building Drivers
  • Interrupt Request Levels and DPCs
    Windows synchronizes kernel mode activity by using a set of Interrupt Request Levels (IRQLs). This section covers how IRQLs are used to achieve synchronization within the OS. Also the processing that occurs at these IRQLs – including Deferred Procedure Calls (DPCs) and dispatching – are discussed.
  • Passing Requests to Other Drivers
    IRPs, I/O Stack Locations, and how requests are sent from driver to driver using IoCallDriver are all discussed. Synchronous and asynchronous IRP completion. A brief discussion of completion routines is also included.
  • I/O Function Codes and Buffer Methods
    A specific discussion of I/O function codes (major and minor), as well as defining custom Device Control requests (IOCTLs).  A detailed discussion of the way that Windows passes buffers from user-mode applications to kernel-mode, including the security implications of each method.
  • DriverEntry — PnP vs. “Legacy”
    This section describes how software only drivers are initialized, and includes a walk-through and discussion of the actions taken in a typical DriverEntry function. The discussion is rounded-out with a description of the initialization functions used by PnP drivers (Add Device and Start Device).
  • Dispatching and Completing Requests
    This module describes Dispatch Routines including I/O request validation, as well as the basics of request queuing and completion.
  • Serialization: Wait Locks and Spin Locks
    A discussion of the various mechanisms used in Windows kernel-mode programming to perform synchronization and serialization. The different types of spin locks, mutexes, and other locks are discussed, along with guidelines for when each might be appropriate for use.
  • Lab Handling DriverEntry and Dispatching Requests
  • Lab Queuing, Buffering, Async I/O
  • Lab Driver Communication
  • Tools for Driver Quality
    In this section, we discuss tools that are available in the Windows Driver Kit to test and validate drivers. Windows Driver Verifier, OACR/PREfast, and Static Driver Verifier are all discussed, along with the strengths and weaknesses of each tool and recommendations for the best use of each.
  • Boot, Crash, and Hibernation Processes
    A discussion of how Windows starts, including transitions from 16-bit mode. Also, a discussion of the crash dump and hibernation processes (which are remarkably similar on Windows). Version-specific differences are also discussed.
  • Windows System Services
    How system service calls are implemented in Windows, both in new versions of the OS and historically. A description of a selection of NtXxxx and ZwXxx functions, and how their use in user-mode and kernel mode differs.
  • Process and Thread Creation
    In this section, we discuss the role of the Process Manager, including how processes and threads are instantiated. The major data structures (ETHREAD, EPROCESS) are described. The native system services for creating processes and threads are also briefly discussed. How dispatching (scheduling) is performed in Windows.
  • Other Kernel Extensions
    An extended discussion of methods, other than those in the I/O domain, of extending the Windows operating system using software only drivers. This includes a discussion of Object Manager, Process Manager, and Registry callbacks, including the significant differences in the availability of these methods among various Windows versions.
  • Lab Continue previous labs
  • Lab Kernel Extensions
  • Cleanup, Close, and Cancel
    Cleanup, close and request cancellation are compared and contrasted. When one might need to implement support for each in a typical WDM driver is discussed. Guidelines for supporting request cancellation, including Cancel Safe Queues and in-progress request handling are presented.
  • Windows Virtual Memory
    A discussion of Windows virtual memory subsystem, including portions of the Memory Manager and Cache Manager. Page tables. Paging and page fault handling.
  • The Details of I/O Completion
    In this section, we describe the details of how Windows completes I/O requests, as well as the correct handling of different types of I/O completion requirements within drivers. This includes a discussion of how the I/O Manager manages maintains synchronous request handling when requested by an application, even when a driver performs asynchronous I/O processing. Guidelines for proper driver implementation are developed and discussed.
  • Lab Continue previous lab sessions
  • Lab Cancel