We covered basics of Windows internals including processes, virtual memory allocation, handles, DLLs, Portable executable header and other aspects of Windows OS. This was part of TryHackMe Internals Red Team pathway.
Learn and understand the fundamentals of how Windows operates at its core.
A process maintains and represents the execution of a program; an application can contain one or more processes. A process has many components that it gets broken down into to be stored and interacted with. The Microsoft docs break down these other components, “Each process provides the resources needed to execute a program. A process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier, environment variables, a priority class, minimum and maximum working set sizes, and at least one thread of execution.” This information may seem intimidating, but this room aims to make this concept a little less complex.
A thread is an executable unit employed by a process and scheduled based on device factors.
Device factors can vary based on CPU and memory specifications, priority and logical factors, and others.
We can simplify the definition of a thread: “controlling the execution of a process.”
Since threads control execution, this is a commonly targeted component. Thread abuse can be used on its own to aid in code execution, or it is more widely used to chain with other API calls as part of other techniques.
Virtual memory is a critical component of how Windows internals work and interact with each other. Virtual memory allows other internal components to interact with memory as if it was physical memory without the risk of collisions between applications.
Virtual memory provides each process with a private virtual address space. A memory manager is used to translate virtual addresses to physical addresses. By having a private virtual address space and not directly writing to physical memory, processes have less risk of causing damage.
DLLs are used as one of the core functionalities behind application execution in Windows. From the Windows documentation, “The use of DLLs helps promote modularization of code, code reuse, efficient memory usage, and reduced disk space. So, the operating system and the programs load faster, run faster, and take less disk space on the computer.”
When a DLL is loaded as a function in a program, the DLL is assigned as a dependency. Since a program is dependent on a DLL, attackers can target the DLLs rather than the applications to control some aspect of execution or functionality.
What is the process ID of “notepad.exe”?
What is the parent process ID of the previous process?
What is the integrity level of the process?
What is the stack argument of the previous thread?
What is the total theoretical maximum virtual address space of a 32-bit x86 system?
What default setting flag can be used to reallocate user process address space?
Open the provided file: “Logfile.PML” in Procmon and answer the questions below.
What is the base address of “notepad.exe”?
What is the base address of “ntdll.dll” loaded from “notepad.exe”?
What is the size of “ntdll.dll” loaded from “notepad.exe”?
How many DLLs were loaded by “notepad.exe”?
What PE component prints the message “This program cannot be run in DOS mode”?
Open “notepad.exe” in Detect It Easy and answer the questions below.
What is the entry point reported by DiE?
What is the value of “NumberOfSections“?
What is the virtual address of “.data“?
What string is located at the offset “0001f99c”?