
Windows Kernel: Offensive, Defensive & Reverse Engineering

on-demand
live
offence

Build rootkits and EDR from scratch to master the Windows kernel

Learn Windows kernel internals by building both offensive and defensive tooling from scratch. In this hands-on course, you will create a functional rootkit and a custom endpoint protection platform while gaining a practical understanding of kernel initialization, object management, callbacks, ETW, threads, APCs, kernel APIs, and user-to-kernel transitions. Designed for security researchers, red teamers, blue teamers, and low-level engineers, this course focuses on how and why Windows internals work, not just surface-level techniques.

/Course Details
Windows Kernel: Offensive, Defensive & Reverse Engineering
$1,950 USD
365 Day Access
71 Videos
15 Labs
50+ Hours of Content
/Course Trainer
Ido Veltzman, Trainer
Ido Veltzman (@Idov31) is a senior security researcher specializing in reverse engineering, operating system internals, vulnerability research, and exploit development. His work spans UEFI, hypervisors, kernel, and user mode, where he has developed advanced evasion, persistence, and injection techniques. Ido is known for translating deep technical research into practical offensive tradecraft, and regularly publishes papers and presents to the global cybersecurity community.
@Idov31
/Course Syllabus

01. Introduction
Introduction (Preview)
Environment Setup

02. Fundamentals - Chapter 1
Kernel History

03. Fundamentals - Chapter 2
Kernel Driver Types

04. Fundamentals - Chapter 3
Communication Methods With Kernel Drivers

05. Internals - Chapter 1
Driver Anatomy
Device Object
Driver Loading
Driver Unloading
IRP Handler
Lab 0x00: Hello Kernel!
Lab 0x00: Solution

06. Internals - Chapter 2
Kernel API
Important Kernel Types
Memory Allocation

07. Internals - Chapter 3
Kernel Callbacks
Lab 0x01: Hello IDA!
Lab 0x01: Solution

08. Internals - Chapter 4
Attaching To A Usermode Process
Interrupts and Syscalls
Fault Handling

09. Internals - Chapter 5
System Threads
APCs
DPCs

10. Internals - Chapter 6
IRQLs
Lab 0x02: Bugs Buggy
Lab 0x02: Solution

11. Offensive - Chapter 1
Rootkits 101
NTRootkit
BYOVD In A Nutshell
Loading Kernel Drivers
Lab 0x00: Hiding Processes and Changing Protection Level
Lab 0x00: Solution

12. Offensive - Chapter 2
IRP Hooking
TDL-3
Shim Engine
User Mode Hooks From Kernel Mode
Lab 0x01: IRP Hooking
Lab 0x01: Solution

13. Offensive - Chapter 3
Kernel Mode Injection
Injection To Usermode (Preview)
Manual Kernel Driver Mapping
Lab 0x02: APC & CreateThread Injection
Lab 0x02: Solution

14. Offensive - Chapter 4
Memory Scanners
Hiding Registry Keys & Values
Hiding Processes & Threads
Hiding Loaded Modules
Lab 0x03: Hiding Artifacts
Lab 0x03: Solution
ETW Tampering
Callback Tampering
Lab 0x04: Callback Tampering
Lab 0x04: Solution

15. Offensive - Chapter 5
Early Launch Drivers
Backdooring Credentials
Shutdown Notification Routines
Lab 0x05: Shutdown Notification Persistence
Lab 0x05: Solution
Backdooring Network Protocols

16. Defensive - Chapter 1
AV 101
EDRs 101
EPPs & XDRs 101

17. Defensive - Chapter 2
Event Tracing for Windows (ETW)
Lab 0x00: Consuming ETW Events
Lab 0x00: Solution
Filtering Mechanisms
Lab 0x01: Utilizing Kernel Callbacks
Lab 0x01: Solution
User Mode Hooks

18. Defensive - Chapter 3
Behavioural Detections
Remote Thread DLL Injection Detection
Modern Memory Scanners (Preview)
Lab 0x02: Modern Memory Scanner
Lab 0x02: Solution

19. Defensive - Chapter 4
Prevention vs Remediation
Prevention
Lab 0x03: DLL Injection Prevention
Lab 0x03: Solution
Remediation

20. Defensive - Chapter 5
Watchdog
Lab 0x04: Tame Your Dog
Lab 0x04: Solution
Protecting EPP Data and Processes
Lab 0x05: Protect Your Resources
Lab 0x05: Solution
VBS Enclaves
©2026 XINTRA. All rights reserved.