Windows Internals

User-Mode

  • Allows access to non-operating system code & data only.

  • No access to the hardware

  • Protects user applications from crashing the system.

Kernel-Mode

  • Privileged mode for use by the kernel and device drivers only.

  • Access to all system resources.

  • Can potentially crash the system. [BSOD]

Process

A process is a manager/container of various data structures that has the capability to execute code via threads.

Process consists of:

  • Private virtual space

  • An executable program referring to a file on disk containing code.

  • Security context (access tokens).

  • One or more threads that execute code.

  • Table of handles to various kernel objects.

Threads

  • Entities scheduled by the kernel to execute code.

  • Information stored in Thread Local Storage [TLS].

Objects & Handles

PE Files

EXE vs DLL

EXE

  • Separate programs that can be loaded into memory as an independent process.

  • Needs a main() function, which the OS loader calls when it finishes all initialization of the new process. Program execution starts when the loader finishes this job.

DLL [Dynamic Loaded Library]

  • PE modules that are loaded into existing processes and cannot live independently in memory.

  • Purpose: deliver a certain functionality the calling process needs.

  • The loader has already created a process in memory, but for some reason it requires a function implemented by the DLL to be loaded into that process.

Loader reads a DLL from disk -> Reserves some space in the target process -> Loads the DLL into that space -> Calls the DLL's dllmain() function -> This function initializes the library -> Loader hands control back to the process -> Process can call functions from the loaded DLL.

When malware is implemented as a DLL, you need to implement a dllmain() and export at least one function which can be called externally.
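As an added example (not code from these notes), the check an analyst applies to the point above: walk a PE file's headers to the export directory, report whether the image is flagged as a DLL (IMAGE_FILE_DLL in the COFF Characteristics) and list its named exports. The sample image is constructed inline by the hypothetical helper build_sample_dll, so the script runs offline on no real file.

```python
import struct

def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def list_exports(pe):
    """Return (is_dll, [exported names]) for a PE32/PE32+ image held in bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                 # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, nt + 4)
    opt = nt + 24                                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                # PE32 vs PE32+ layout
    exp_rva = struct.unpack_from("<I", pe, dirs)[0]             # DataDirectory[0] = export
    # Section headers follow the optional header; keep VirtualSize, VA, RawSize, RawPtr.
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    is_dll = bool(chars & 0x2000)                               # IMAGE_FILE_DLL
    if exp_rva == 0:                                            # no export directory at all
        return is_dll, []
    exp = rva_to_offset(sections, exp_rva)
    nnames, _, addr_names = struct.unpack_from("<III", pe, exp + 24)  # NumberOfNames, AddressOfNames
    names_off = rva_to_offset(sections, addr_names)
    names = []
    for i in range(nnames):                                     # name pointer table -> C strings
        name_rva = struct.unpack_from("<I", pe, names_off + 4 * i)[0]
        off = rva_to_offset(sections, name_rva)
        names.append(pe[off:pe.index(b"\0", off)].decode("ascii"))
    return is_dll, names

def build_sample_dll(names):
    """Constructed minimal PE32 DLL: headers at offset 0, one .edata section at RVA 0x1000 / file offset 0x200."""
    n, rva, raw = len(names), 0x1000, 0x200
    funcs, ptrs, ords, strs = rva + 40, rva + 40 + 4 * n, rva + 40 + 8 * n, rva + 40 + 10 * n
    blob, str_rvas = b"", []
    for nm in names:                                            # export name strings, NUL-terminated
        str_rvas.append(strs + len(blob)); blob += nm.encode() + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strs, 1, n, n, funcs, ptrs, ords)
    edata += struct.pack(f"<{n}I{n}I{n}H", *([0x2000] * n), *str_rvas, *range(n)) + blob
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # DLL|EXECUTABLE|32BIT
    hdr += struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", rva, len(edata)) + b"\0" * 120
    hdr += b".edata\0\0" + struct.pack("<IIII", len(edata), rva, len(edata), raw) + b"\0" * 16
    return hdr.ljust(raw, b"\0") + edata
```

An image whose Characteristics lack IMAGE_FILE_DLL, or whose export directory is empty, fails the "DLL with at least one callable export" test this parser encodes.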

Disassemblers - 101
