image image

Xeno Kovah

x86-64 Hardware-specific OS Internals

Trainer: Xeno Kovah

Date: 24th - 26th Oct 2022

Time: 9:00am to 5:00pm CEST

Venue: Marriott Hotel, The Hague, Netherlands

Training Level: Intermediate

Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Note: If desired, this class can also be taken online. The dates and times are the same as for the physical classes (24-26 October 9:00 am to 5:00 pm CEST), and the registration fee will also stay the same as for in-person attendance. Please note that by default, we expect in-person students: please inform us by 7 October what your preference is (online/physical).


3 days

Training type:

Online or in-person

Training Objectives:

  • Understand how ring 0 (kernel) / ring 3 (userspace) privilege separation *really* works.
  • Understanding how to use CPUID to query the features available on your system, and how to read the Model Specific Registers (MSRs) to check which ones your OS has actually enabled.
  • Understand segmentation (and how it relates to privilege separation).
  • Understand interrupts (and how they pertain to system calls and debugging).
  • Understand system calls (and how they constitute a major attack surface of an OS).
  • Understand virtual memory and page table setup (and how it interacts with security mechanisms like XD, SMAP, and SMEP).
  • Understand how software and hardware breakpoints work.
  • Understand how port IO allows communication to legacy peripherals and VMWare's control channel.
  • Being comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work.

One-of-a-kind Class Format!

This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. The instructor is then specifically in attendance to answer your questions as soon as you have them! The less other students ask questions, the more this class ends up looking like a 1:1 tutoring session for you!

One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there's bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.

Because we give you all the lecture and lab materials and videos before and after class, what you're really paying for is support from the instructor before, during,    and after class! So you'll be entitled to start the class up to a week early and be able to ask up to 20 questions before or after class with quick turnaround. This lets you keep working through the material even if you run out of time at the in-person training.

If you'd instead like to take a custom learning-path class that picks and chooses material from any of the classes that list Xeno as the instructor, you can sign up for the Xeno's All You Can Learn Buffet class instead.

Detailed Description:

  • Introduction
    • CPU Feature Identification instruction
  • Processor Execution Modes
    • Real mode, protected mode, IA-32e mode, system management mode
  • Model Specific Registers (MSRs)
    • Reading and writing MSRs (rdmsr, wrmsr)
  • Privilege Rings & Segmentation
    • Privilege rings start
    • Segment selectors & segment registers
    • Global Descriptor Table (GDT) & Local Descriptor Table (LDT)
    • Segment descriptors
    • Privilege rings finish
    • Call gates
    • Return to RTFM
    • Implicit and explicit use of segmentation
  • Interrupts
    • Interrupts vs. Exceptions
    • Tasks and the Task State Segment (TSS)
    • Interrupt Descriptor Table (IDT)
    • Interrupt Descriptors
    • Interrupt masking
    • Red Pill and virtualization detection
  • System Calls
    • System Call instructions (syscall/sysret, sysenter/sysexit)
    • Syscall-adjacent techniques & instructions (swapgs, {rd,wr}{fs,gs}base)
  • Read the Time Stamp Counter (RDTSC)
  • Paging and Virtual Memory
    • Introduction
    • Paging and the Control Registers
    • Page Tables
      • 32 bit linear to 32 bit physical, 4KB pages
      • 32 bit linear to 32 bit physical, 4MB pages
      • 32 bit linear to 40 bit physical, Physical Address Extensions (PAE)
      • 48 bit linear to 52 bit physical, 4-level paging, 4KB, 2MB, 1GB pages
      • (Optional) 57 bit linear to 52 bit physical, 5-level paging
    • Page Table Entries
      • CR3
      • PML4E
      • Exploit Mitigation Aside: XD, SMEP, SMAP
      • PDPTE
      • PDE
      • PTE
    • Canonical addresses
    • Page faults
    • Translation Lookaside Buffer & Shadow Walker rootkit
    • Non-executable Memory (NX/XD bit)
  • Interrupts & Debugging
    • Software breakpoints
    • Hardware breakpoints
    • Normal break on execute, write, read/write, port IO
    • Break on mov to debug registers
    • Trap Flag (TF)
    • Resume Flag (RF) and single step exceptions
  • Port IO
    • In/out instruction and accessing VMWare "backdoor" IO port
  • Conclusion

Who Should Attend? | Target Audience:

  • People who want to start their journey up the skill tree towards such professions as reverse engineering, malware analyst, vulnerability hunter, security researcher, OS engineer, or systems architect.
  • People who gain satisfaction from understanding how systems really work at a very deep level.
  • People who don't have a lot of free time outside of work, and who thus want to use this time to hunker down and jam through all this material with full instructor support.

What to Bring? | Software and Hardware Requirements:

  • Headphones for watching videos, (preferably over-ear so you're not disturbed as the instructor is walking around the class answering individuals' questions).
  • A PC or an *x86* Mac (class won't work with an M1 Mac!) capable of running 2 VMs at a time with ideally 4 GB of dedicated RAM per VM.
  • Administrator privileges to install virtualization software on your machine.
  • A PC with VMWare Workstation or an *x86* Mac with VMWare Fusion (the free "Player" versions are fine).
  • ISO for installing 2 instances of Windows 10 x86-64 (30 day trial version is fine).
  • A link to a software setup guide will be sent before class, and the student should install before class to maximize time available for interaction with the instructor. (Other software includes Visual Studio 2019, the Windows Software Development Kit (SDK), the Windows Driver Development Kit (WDK), and WinDbg.)

What to Bring? | Prerequisite Knowledge and Skills:

You should have equivalent knowledge of x86-64 assembly, architecture, and specifically WinDbg, as that provided in the x86-64 Assembly class, also offered at If you don't have that background, or if you just need a quick refresher, you can sign up for the Xeno's All You Can Learn Buffet class to create a custom learning path and go through the minimum background material necessary to proceed into this class'.

Resources Provided at the Training | Deliverables:

  • Online instructions on how to set up and test your machine before coming to class
  • Access to all Creative-Commons-licensed slides & Mozilla-licensed lab code
  • Access to all Creative-Commons-licensed lecture & lab videos!!!


Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team's first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. And after presenting a firmware worm that could spread between Macs via Apple's EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmwares on Macs and peripherals - everything from 3rd party GPUs to SecureBoot for monitors! He worked on the x86-side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture - being directly responsible for designing a system that could provide iOS-level security, while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.