x86-64 OS Internals

TIME: 09:00 to 17:00 ICT/GMT+7

Go HERE to take this class as a 4-Day Buffet course.
Go HERE to take this class as a 3-Day Buffet course.
Go HERE to join just the x86-64 assembly class.
Go HERE to join just the x86-64 Intel Firmware Attack & Defense class.

This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you’re paying attention ;)).

One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there’s bits of material you already know, you can just skip them and move on to the bits you don’t know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.

Because we give you all the lecture and lab materials and videos after class, what you’re really paying for is support from the instructor! So you’ll be entitled to keep asking up to 20 questions after class, with 1-2 hour turnaround answers (after accounting for time-zone differences.) This lets you keep productively working through the material if you run out of time at the conference. If you’d like to learn more about the benefits of this style of class delivery, please read this blog post

“I really liked that figure 2-2 being literally covered during the class. I was not expecting all of those concepts becoming familiar after the class. I felt really fulfilled after each section that we completed.”

“I enjoyed the class very much, especially the easy-going approach of Xeno presenting the material, whereby he does not make you feel overwhelmed about the material, but on the contrary he makes the content more approachable and within grasp to anyone who would like to learn very low level concepts. I also liked a lot that he also structure the course in such a way, that it really flows from the one topic to the next, which happens naturally, and also provides a top-bottom overview of the concepts taught, also facilitating getting a good grasp of the concepts.”

“The class was excellent, really high quality. What I want to see in the future is more of this high quality content.”

“I like the way videos are made for the classes. I like because there are interesting correlations made for some topics of the classes with some funny stuffs from real life, and Sonic of course, that make the learning process much easier. “

“The class is very well structured and fits very well someone looking to acquire the basics and expand its foundations.”

“The course was precise, engaging and the delivery was delightful. Xeno knows his content, the audience and the relevance to modern technology is clearly visible in the course. By the end of the course you will be more knowledgeable, confident and a little brain hurt. Can’t wait for the subsequent courses.”

“I watched some of the classes in 1.5x in general. But I think the normal pace of the videos were also quite good. I found the tiny references to popular games and movies during the lecture quite useful for maintaining attention to the material.”

“I enjoyed having the transcripts.”

Topics Covered

Introduction

CPUID

• CPU Feature Identification instruction

Processor Execution Modes

• Real mode, protected mode, IA-32e mode, system management mode

Model Specific Registers (MSRs)

• Reading and writing MSRs (rdmsr, wrmsr)

Privilege Rings & Segmentation

• Privilege rings start
• Segment selectors & segment registers
• Global Descriptor Table (GDT) & Local Descriptor Table (LDT)
• Segment descriptors
• Privilege rings finish
• Call gates
• Return to RTFM
• Implicit and explicit use of segmentation

Interrupts

• Interrupts vs. Exceptions
• Tasks and the Task State Segment (TSS)
• Interrupt Descriptor Table (IDT)
• Interrupt Descriptors
• Interrupt masking
• Red Pill and virtualization detection

System Calls

• System Call instructions (syscall/sysret, sysenter/sysexit)
• Syscall-adjacent techniques & instructions (swapgs, {rd,wr}{fs,gs}base)

Read the Time Stamp Counter (RDTSC)

Paging and Virtual Memory

• Introduction
• Paging and the Control Registers
• Page Tables
• – MAXPHYADDR
• – 32 bit linear to 32 bit physical, 4KB pages
• – 32 bit linear to 32 bit physical, 4MB pages
• – 32 bit linear to 40 bit physical, Physical Address Extensions (PAE)
• – 48 bit linear to 52 bit physical, 4-level paging, 4KB, 2MB, 1GB pages
• – (Optional) 57 bit linear to 52 bit physical, 5-level paging
• Page Table Entries
• – CR3
• – PML4E
• – Exploit Mitigation Aside: XD, SMEP, SMAP
• – PDPTE
• – PDE
• – PTE
• Canonical addresses
• Page faults
• Translation Lookaside Buffer & Shadow Walker rootkit
• Non-executable Memory (NX/XD bit)

Interrupts & Debugging

• Software breakpoints
• Hardware breakpoints
• Normal break on execute, write, read/write, port IO
• Break on mov to debug registers
• Trap Flag (TF)
• Resume Flag (RF) and single step exceptions

Port IO

• In/out instruction and accessing VMWare “backdoor” IO port

Conclusion

Go HERE to take this class as a 4-Day Buffet course.
Go HERE to take this class as a 3-Day Buffet course.
Go HERE to join just the x86-64 assembly class.
Go HERE to join just the x86-64 Intel Firmware Attack & Defense class.