Windows Internals - Kernel Architecture and Security Model
The foundational course for everything else on this platform. Covers the Windows kernel architecture byte by byte. Protection rings, security tokens, EPROCESS internals, system call mechanics, the kernel attack surface, and privilege escalation techniques.
Overview
About this course
This is where everything starts. Before you can write a driver, exploit a vulnerability, or build a rootkit, you need to understand how the Windows kernel actually works. Not the high-level overview you find on Microsoft Docs. The actual structures, the actual fields, the actual bytes in memory.
This course takes you through every layer of the Windows kernel security model. You'll learn how the CPU enforces privilege separation, how Windows represents processes and their permissions internally, how system calls transition between user mode and kernel mode, and where the attack surface lives.
Every concept is examined at the structure level in WinDbg. You'll dump _TOKEN structures, walk EPROCESS linked lists, read the SSDT, and trace the full path of a system call from ntdll through KiSystemCall64 into the kernel function.
This course is the prerequisite for every other Windows course on this platform. Take it seriously.
What you'll learn
How the CPU enforces the separation between user mode (Ring 3) and kernel mode (Ring 0) through protection rings, the CS register, and the Current Privilege Level.
The complete _TOKEN structure. TokenSource, AuthenticationId, the _SEP_TOKEN_PRIVILEGES bitmask with its Present, Enabled, and EnabledByDefault fields, UserAndGroups, SIDs, integrity levels, and impersonation levels. Every field explained, every offset verified in WinDbg.
The EPROCESS structure and how the kernel represents processes internally. UniqueProcessId, ActiveProcessLinks (the doubly-linked list that chains every process), the Token field as an _EX_FAST_REF, and how to navigate from gs:[0x188] through KPCR, KPRCB, KTHREAD, to EPROCESS.
The complete system call mechanism on x64 Windows. What the syscall instruction does at the hardware level, how KiSystemCall64 dispatches to the SSDT, how Win32k maintains the Shadow SSDT, and how syscall numbers are resolved dynamically from ntdll stubs.
The full kernel attack surface. Nt* system calls and their validation requirements, third-party driver vulnerabilities and the BYOVD technique, Win32k.sys and its user-mode callback problem, font and image parsers, and the registry.
Three privilege escalation paths. Token stealing via EPROCESS linked list traversal, privilege bitmap manipulation, and arbitrary code execution at Ring 0.
IRQL (Interrupt Request Level) and why it matters. PASSIVE_LEVEL, DISPATCH_LEVEL, DIRQL, and the constraints each level imposes on what your code can safely do.
Prerequisites
Solid understanding of the C programming language. You'll read kernel structure definitions and pseudo-code throughout the course.
Basic familiarity with x86-64 assembly. You don't need to be an expert, but you should be able to read simple instruction sequences.
A Windows 10 or 11 VM with WinDbg connected for kernel debugging. The first Windows course on this platform (Driver Development) covers this setup, but any equivalent setup works.