Windows exposes two faces to developers in user mode: the familiar Win32 (Windows API) layer and a far leaner, more powerful interface the operating system itself relies on - the Native API. In this course Pavel Yosifovich guides you past the Win32 façade and straight to that inner doorway. You begin with the NT architecture and the system-call path, then master the data types, processes, threads, objects and memory structures that everything in Windows is built on. Each subsequent module peels back another layer: spawning true Native executables, leveraging the object manager’s namespace, tracing handles, using virtual memory, streaming data through the I/O manager, and editing the Registry atomically. Short labs turn every concept into working code in Visual Studio using open-source headers, so by the final lesson you can create, probe and control any kernel-backed resource from user mode-skills that underpin debuggers, forensic tools and custom loaders alike.
Begin your native-level adventure with a clear map of the territory. First we dissect the Windows NT architecture-user mode, kernel mode, and the all-important NTDLL gateway that ties them together. Next comes a quick tour of the historical subsystems (POSIX, OS/2, Win32) to see how each layers its own personality over the same kernel. With that context we crack open the undocumented Native API: why those mysterious Nt*/Zw* pairs exist, how NTDLL funnels them into ring-0 through the system-service dispatcher, and what you can (and can’t) do that Win32 hides. We wrap up in Visual Studio: adding the open-source PHNT headers for instant prototypes and experimenting with both static and dynamic binding so you can call native functions safely from day one. By the end of the module you’ll know exactly where the Native layer sits, how to talk to it, and why it unlocks powers later module builds on.
The Native API speaks its own dialect, and this module hands you the phrasebook. Pavel demystifies the core data structures-NTSTATUS, Unicode strings, OBJECT_ATTRIBUTES, linked-list nodes, CLIENT_ID, and time types-and then drills you through a lab where you put each one to work. By the end of the module, you’ll recognize these structs on sight, know the helper macros and functions that tame them, and be ready to pass well-formed parameters into any Nt* function that appears in later modules.
Now that you know the API’s landscape, it’s time to compile real executables that live there. This module shows how Windows treats “Native” and “Boot” applications, then guides you through creating, linking, and finally spawning a Native EXE entirely from your own code. By the end you’ll have a working sample that prints during the boot-screen phase and a clear checklist for producing-and launching-any Native-subsystem binary you need in later experiments.
Windows hides a vast amount of live data just below Win32. In this module you learn to pull back the curtain. Starting with NtQuerySystemInformation, you’ll enumerate processes, threads, and even every open handle on the system. Along the way Pavel demystifies the Object Manager-its types, names, and namespace hierarchy. The module wraps with a look at KUSER_SHARED_DATA, the always-mapped page that gives you fast, syscall-free access to clocks, CPU info and more.
Processes are the backbone of Windows. This module starts with crafting a process from raw pieces-image, initial thread, parameters-before moving on to deep inspection via NtQueryInformationProcess and direct reads of the Process Environment Block. You’ll learn to suspend, resume, terminate, and tweak scheduling priority without ever touching Win32. By the end of this module, you can create, probe, and manage any process on the system using pure Native calls.
Processes may own resources, but threads get work done. In this module you craft threads from scratch with NtCreateThreadEx, peek into their private stacks and TEBs, and gather live stats via NtQueryInformationThread. Pavel then unpacks the Native APIs for keeping threads in line: waits, APCs, and low-level synchronization, culminating in thread-pool discussion that showcases practical concurrency patterns. By the end you’ll be comfortable creating, inspecting, synchronizing, and fine-tuning threads-skills that power everything from stealth implants to high-throughput servers.
Windows unifies named kernel objects through the Object Manager, and this module is your guided tour. You’ll map the kernel namespace, enumerate every object it contains, and learn to create, link, duplicate, and query them using pure Native calls. With a solid grasp of directory and symbolic-link objects, you pivot to the synchronization primitives-mutexes, semaphores, events-and finish by managing whole process groups with job objects. By the end of this module, you’ll not only understand how handles and objects work in the system, but also have hands-on techniques for inspecting and orchestrating those objects in your own tools and experiments.
Memory is everywhere.. In this module, Pavel walks you from the hardware-backed basics up through high-level heaps and memory-mapped files. You’ll allocate, protect, query, and even patch memory using pure Native calls, then peek into the kernel’s view of working sets and protection bits. The journey continues with custom heaps for performance-critical tasks and finishes with section objects-the backbone of DLLs and shared memory. By the end of this module, you’ll understand, visualize, and manipulate any byte in a process’s address space with confidence.
Whether you’re streaming from disk, pinging a driver, or ringing the PC speaker, it all rides the same I/O manager. This module teaches you to open any path, translate it into the kernel’s namespace, and push bytes through NtReadFile, NtWriteFile, or custom IOCTLs. You’ll enumerate directories, grab metadata, harness I/O completion ports for speed, and even load a driver-all with pure Native calls. By the finish, “file” will mean much more than what’s on disk: it’s the universal door to any device, physical or virtual, on Windows.
The Registry is Windows’ configuration database, and the Native API lets you operate on it with surgical precision. In this module Pavel demystifies its hive-backed architecture, then leads you through opening, creating, editing, and enumerating keys and values without a single Win32 call. You’ll set up change notifications for instant event-driven reactions and wrap multiple edits inside kernel-level transactions for all-or-nothing safety. By the end you’ll wield the same low-level operations used by installers, services, and malware alike-perfect for configuration tools, forensic collectors, or stealthy persistence tricks.
Every access to a kernel object involves a user/group (SID) opening a handles to said object that may be protected by a Security Descriptor. The user’s “power” is represented by its Access Token, containing its privileges and other properties. This module connects those dots. You’ll decode SIDs, inspect and duplicate tokens, enumerate logon sessions, and even create tokens from scratch. Finally, you’ll craft security descriptors and ACLs, giving you full control over who can touch your objects—essential knowledge for access management.