Disclaimer: I am not sponsored by any of the training companies that are mentioned in this post. These are platforms that I have used in my journey and the opinions expressed are my own.
Why I Started
A few years ago I saw an ad for Maldev Academy and I was immediately nerd-sniped. But I had a problem: I didn’t know anything about Windows internals. While it is possible to learn malware development without fully understanding Windows internals, it’s not really recommended. And to be honest, without learning some of the intricacies of Windows you’re really missing out on a lot of important concepts. This was me. I was learning about malware by barely scratching the surface of Windows, I was stagnant, and I was quickly losing motivation. So much so that I put it on hold for the next couple of years.
As someone who currently works in cybersecurity, I was disappointed with my lack of understanding and I wanted to change that. What follows is the methodology I’m using to learn Windows internals; perhaps you can apply this model to your own learning adventures.
Resources
Here are the resources that I’ve gained the most knowledge from:
Paid Resources
Courses:
- TrainSec.net - The 🐐 Pavel Yosifovich! These courses are not cheap but they are incredibly good.
Books:
- Windows Via C/C++ - In-depth developer reference
- Windows Internals Part 1 - 7th edition - In-depth developer reference
Free Resources
- SANS Intro to C for Windows Devs - It’s 100% free and is specific to Windows. I would start here.
- Pavel’s content:
My Study Strategy
Just reading and watching videos is a sure-fire way to remain in the dreaded tutorial cycle. I know from way too much experience! Don’t do this!
Take Notes
For me the most effective way to learn is to treat it like an actual lecture. I take notes while I’m going through the material, especially if it’s something that repeats or that I don’t understand. Sometimes I even write down the things I do know just to maintain the habit.
Here’s an example from my notes about process basics:
[Screenshot: example notes on process basics]
Write Code
🌶️ Hot Take 🌶️ - Writing code is the best way to learn!
After a video or reading some module, I spend at least an hour (sometimes many hours) trying to do labs around the topic. If labs or challenges aren’t provided I try to come up with something on my own, even if it’s a small program or “re-inventing the wheel”. The goal is to reinforce understanding, not to build the next big thing.
I often struggle during this part, but this is where the learning actually happens. And at this point in my journey I enjoy this the most. The temptation is to have AI write the code for you but don’t do this! Read the docs and try to understand what the API you’re using requires - inputs, outputs, what it returns, etc. Google search for examples and try to understand the code you find. Eventually your code will compile and you’ll have gained a lot from it.
Going off of the process example above, one of the labs I struggled with involved getting process creation times. The API recommended in the lab was GetProcessTimes, and I remember it took some time sorting through Stack Overflow posts before I figured out what I was doing wrong. I learned that I needed FileTimeToSystemTime, which required the timezoneapi.h header, as well as the SYSTEMTIME and FILETIME data structures.
Here’s a sample of the code that eventually worked with a screenshot of the output:
[Screenshot: GetProcessTimes sample code and its output]

The output isn’t great to look at but it worked and I learned how to do it through deliberate practice.
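As an added example (my own code, not the lab solution from the screenshot), here is a C program that does what the lab asks: on Windows it calls GetProcessTimes and FileTimeToSystemTime on the current process, and the small helpers show what a FILETIME actually holds so the same conversion runs on any OS against a constructed value. The helper names and the EPOCH_DIFF_100NS constant are my own; the constant itself is the documented offset between the FILETIME and Unix epochs.

```c
#include <stdio.h>
#include <stdint.h>
#include <time.h>

#ifdef _WIN32
#include <windows.h>   /* pulls in timezoneapi.h: FILETIME, SYSTEMTIME, FileTimeToSystemTime */
#else
/* Stand-in for the Win32 struct so the conversion helpers compile on any OS. */
typedef struct { uint32_t dwLowDateTime; uint32_t dwHighDateTime; } FILETIME;
#endif

/* A FILETIME counts 100-ns intervals since 1601-01-01 UTC; this many lie before the Unix epoch. */
#define EPOCH_DIFF_100NS 116444736000000000ULL

/* Combine the two halves; the struct is not guaranteed 8-byte aligned, so never cast it to uint64_t*. */
uint64_t filetime_to_ticks(FILETIME ft) {
    return ((uint64_t)ft.dwHighDateTime << 32) | ft.dwLowDateTime;
}
FILETIME ticks_to_filetime(uint64_t ticks) {
    FILETIME ft = { (uint32_t)ticks, (uint32_t)(ticks >> 32) };
    return ft;
}
/* Absolute time (creation/exit) -> seconds since the Unix epoch, UTC. */
int64_t filetime_to_unix(FILETIME ft) {
    return (int64_t)((filetime_to_ticks(ft) - EPOCH_DIFF_100NS) / 10000000ULL);
}
/* Kernel/user time are durations, not dates: convert ticks to milliseconds. */
uint64_t filetime_to_ms(FILETIME ft) { return filetime_to_ticks(ft) / 10000ULL; }

int main(void) {
#ifdef _WIN32
    FILETIME create, exit_t, kernel, user;
    SYSTEMTIME st;
    /* For another process, OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION instead. */
    if (!GetProcessTimes(GetCurrentProcess(), &create, &exit_t, &kernel, &user)) {
        printf("GetProcessTimes failed: %lu\n", GetLastError());
        return 1;
    }
    FileTimeToSystemTime(&create, &st);  /* same arithmetic as filetime_to_unix, split into fields */
    printf("created %04u-%02u-%02u %02u:%02u:%02u UTC\n", st.wYear, st.wMonth, st.wDay,
           st.wHour, st.wMinute, st.wSecond);
    printf("kernel %llu ms, user %llu ms (exit time is undefined while still running)\n",
           (unsigned long long)filetime_to_ms(kernel), (unsigned long long)filetime_to_ms(user));
#else
    FILETIME sample = ticks_to_filetime(EPOCH_DIFF_100NS + 10000000ULL); /* constructed: epoch + 1 s */
    time_t t = (time_t)filetime_to_unix(sample);
    printf("constructed FILETIME -> unix %lld -> %s", (long long)t, asctime(gmtime(&t)));
#endif
    return 0;
}
```

The creation time is the value worth keeping for forensic timelines; kernel and user times only tell you how much CPU the process has consumed so far.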
Analyze/Summarize/Documentize(?)
The Feynman Technique is a learning method that uses active recall to explain something to someone else in simple, plain language. To be honest I have no interest in explaining things to people verbally, so this blog is where I will attempt to do this through documentation.
In conjunction with Bloom’s Taxonomy I believe this could be a powerful retention and deep comprehension method, but I’ve not really tried this yet.
As a whole this study strategy feels painful sometimes, but it is the best approach over the long run. One thing that I often remind myself is that no one knows everything and it’s ok to take things slowly. The speed at which we can gather information is incredible, but don’t sacrifice your ability to acquire real skills through hard work!
Current Focus
My current focus is learning about processes in Pavel’s Windows Internals course. I’m about 32% through “Day 2” and I have a couple of labs to catch up on.
What’s Next
I’ll probably spend some time with WinDbg and then revisit some modules from Maldev Academy soon. I left off in some process enumeration modules to detour into Windows Internals. With what I’ve learned I feel much better equipped to tackle those without too much struggle!
