
Windows Internals Red Team Operator [CWI-RTO]

Original price was: $49.00. Current price is: $15.00.

Price: 15.00 USD | Size: 5.57 GB | Duration: 19.48 Hours | 87 Video Lessons


Description


BRAND: Expert TRAINING | ENGLISH | INSTANT DOWNLOAD | ⭐️⭐️⭐️⭐️⭐️ 4.9

 

Windows Internals Red Team Operator [CWI-RTO]

  • Start your journey in Microsoft Windows Internals
  • Unveil common Win32/NT APIs used by malware
  • Understand how malware abuses Windows internals from a user-mode perspective
  • Perform various challenges/exercises to learn Windows Internals
  • Learn different kernel data structures (EPROCESS, ETHREAD, KPCR, etc.) through WinDbg

 

Course Content :

01. CWI-RTO Course Introduction
1. Welcome to the CWI-RTO Course

02. Module 0 – Labsetup
1. CWI-RTO Lab Setup

03. Module 1 – Windows Architecture
1. High-Level Overview of Windows Architecture
2. User & Kernel Mode APIs

04. Module 2 – Interrupts
1. Interrupt Overview
2. Interrupt Lab-Windbg
3. Interrupt Theory
4. KTRAP_FRAME & KINTERRUPT
5. Interrupt Dispatching – IDA Analysis

05. Module 3 – Exceptions
1. Exception-Internals
2. Exception-Analysis-IDA
3. Exception-Dispatching-Windbg
4. Exercise-Exception

06. Module 4 – Objects
1. Object Manager
2. Object
3. Exercise-object & subheaders
4. Object Type
5. Exercise-Decode-TypeIndex

07. Module 5 – Handles
1. Handles Intro
2. Multi-level-handle-table & handle-table-entry-lookup
3. Exercise-Process Handle Table
4. Exercise-Global-Handle-Table
5. Exercise-Calculating-Process-ID
6. Exercise-Query-Handle & Object
7. Exercise-Finding-Leak-Handle-Guide

08. Module 6 – Processes
01. Intro
02. Process-Continue
03. Process-EPROCESS & KPROCESS
04. Process-EPROCESS & KPROCESS-continuation
05. EPROCESS-Userland Touch
06. Exercise NtQuerySystemInformation
07. Process Environment Block (PEB)
08. PEB-Windbg
09. PEB-Parsing Loaded Modules
10. Process Creation Brief
11. Exercise-NtCreateProcess
12. Exercise-NtCreateProcess-Continue
13. Classic Process Injection Intro
14. Classic Process Injection and brief on Process Attachment

09. Module 7 – Threads
01. Thread Intro
02. Thread-Priority
03. Thread-Scheduling-Basic
04. Thread-Some-Linked-List
05. Thread-Context-Swapping
06. Context-Swapping-continue
07. Thread-Context-Swapping-Continue
08. Thread-Context-Swapping-final
09. Exercise-Remote Thread Hijacking
10. Exercise-Thread-Context-Hijacking

10. Module 8 – APC
01. APC basics
02. APC Environment
03. KeInitialize Apc
04. KeInitializeApc-continue
05. KeInsert Queue APC
06. KiInsertQueueApc Continue
07. KiInsertQueueApc Addition
08. KiDeliverApc
09. KiDeliverApc-continue
10. KiDeliverApc-addition
11. KiDeliverApc-KiInitializeApc-continue
12. KiDeliverApc-UserMode-Final
13. Exercise-Early Bird Injection

11. Module 9 – Portable Executable (PE)
1. PE-Brief Intro
2. Exercise-PE-Parsing
3. Exercise-Parsing-EAT
4. Exercise-Parsing-IAT
5. IAT-Hooking-intro
6. Exercise-Iat-Hooking

12. Module 10 – Syscall
1. Syscall-Intro
2. SystemCall-Debugging
3. SystemCall-Debugging-continue
4. SyscallNo-Translation
5. Syscall-FunctionParameters
6. Direct-SysCall
7. DirectSyscall-task-spoiler
8. Vectored-syscall-handler

13. Module 11 – Security
01. SID-&Mandatory-Integrity-Level
02. Exercise-Parsing-Token
03. SecurityDescriptor-Intro
04. Experiment-On-DACL&MandatoryIntegrity
05. SecurityDescriptor-PeekInto-NtOpenProcess
06. Exercise-Parsing-ACE-Windbg-Mimicking-RtlGetAce
07. Experiment-Null-Security-Descriptor
08. Privileges-Intro
09. Privileges-NtAdjustPrivilegeToken-WRK
10. Token-Brief-Intro
11. Token-Impersonation-Windbg-Analysis-&-Tips-On-Duplicating-Handle

