Skip to content

Latest commit

 

History

History
113 lines (72 loc) · 3.54 KB

WindowsInternals.md

File metadata and controls

113 lines (72 loc) · 3.54 KB

Windows Internals - Medium

  1. Processes
  2. Threads
  3. Virtual Memory
  4. Dynamic Link Libraries
  5. Portable Executable Format
  6. Interacting with Windows Internals

Processes

  • Process - maintains execution of program; an app can contain multiple processes.

  • Process components:

    • Private virtual address space
    • Executable program
    • Open handles
    • Security context
    • Process ID
    • Threads

  • We can observe processes using utilities such as Process Explorer and Procmon.

1. What is the process ID of "notepad.exe"? - 5984

2. What is the parent process ID of the previous process? - 3412

3. What is the integrity level of the process? - High

Threads

  • Thread - executable unit employed by process and scheduled based on device factors; controls the execution of a process.

  • Thread components:

    • Stack
    • Thread local storage
    • Stack argument
    • Context structure
1. What is the thread ID of the first thread created by notepad.exe? - 5908

2. What is the stack argument of the previous thread? - 6584

Virtual Memory

  • Virtual memory - allows other internal components to interact with memory as if it was physical memory without risk of collisions between apps; provides each process with a private virtual address space.
1. What is the total theoretical maximum virtual address space of a 32-bit x86 system? - 4 GB

2. What default setting flag can be used to reallocate user process address space? - increaseUserVA

3. What is the base address of "notepad.exe"? - 0x7ff652ec0000

Dynamic Link Libraries

  • DLL - library that contains code & data that can be used by multiple programs simultaneously.

  • DLLs can be loaded in a program using load-time dynamic linking or run-time dynamic linking.

  • In malicious code, threat actors will often use run-time dynamic linking as the malicious program may need to transfer files between memory regions, and transferring a DLL is easier than importing using other file requirements.

1. What is the base address of "ntdll.dll" loaded from "notepad.exe"? - 0x7ffd0be20000

2. What is the size of "ntdll.dll" loaded from "notepad.exe"? - 0x1ec000

3. How many DLLs were loaded by "notepad.exe"? - 51

Portable Executable Format

  • PE (Portable Executable) format defines info about executable and stored data; it also defines structure of how data components are stored.

  • The PE and COFF (Common Object File Format) files make up the PE format.

  • Components of structure of PE data:

    • DOS Header
    • DOS Stub
    • PE File Header
    • Image Optional Header
    • Data Dictionaries
    • Section Table
1. What PE component prints the message "This program cannot be run in DOS mode"? - DOS Stub

2. What is the entry point reported by DiE? - 000000014001acd0

3. What is the value of "NumberOfSections"? - 0006

4. What is the virtual address of ".data"? - 00024000

5. What string is located at the offset "0001f99c"? - Microsoft.Notepad

Interacting with Windows Internals

  • Windows API provides native functionality to interact with Windows OS; the API contains Win32 API and Win64 API.

  • By default, an app cannot interact with Windows kernel or modify physical hardware, and requires an interface; the switch between user mode and kernel mode is facilitated by system & API calls (switching point).

1. Enter the flag obtained from the executable below. - THM{1Nj3c7_4lL_7H3_7h1NG2}