Windows Internals
User-Mode
Allows access to non-operating-system code & data only.
No access to the hardware.
Protects user applications from crashing the system.
Kernel-Mode
Privileged mode for use by the kernel and device drivers only.
Access to all system resources.
Can potentially crash the system. [BSOD]
Process
A process is a manager/container of various data structures that has the capability to execute code via threads.
A process consists of:
Private virtual address space.
An executable program, referring to a file on disk containing code.
Security context (access token).
One or more threads that execute code.
Table of handles to various kernel objects.
Threads
Entities scheduled by the kernel to execute code.
Per-thread information is stored in Thread Local Storage [TLS].
Objects & Handles
PE Files
EXE vs DLL
EXE | DLL [Dynamic Link Library]
---|---
Separate programs that can be loaded into memory as an independent process. | PE modules that are loaded into existing processes and cannot live independently in memory. Purpose: deliver a certain functionality the calling process needs.
Needs a main() function, which is called by the OS loader when it finishes all initialization of a new process. The program starts execution when the OS loader finishes this job. | The loader has already created a process in memory, but for some reason it requires a function implemented by the DLL to be loaded into the process.
 | Loader reads a DLL from disk -> reserves some space in the target process -> loads the DLL into that space -> calls the DLL's entry point DllMain() -> this function initializes the library -> the loader hands control back to the process -> the process can call functions from the loaded DLL.
 | When malware is implemented as a DLL, it must implement a DllMain() and export at least one function that can be called externally.
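The loading sequence in the table, shown as a minimal DLL skeleton (added example, not code from the original notes): DllMain is the entry point the loader calls with a reason code, and the host process can only reach the functions the module exports. The non-Windows branch stubs the Windows types and constants so the sample compiles anywhere for reading; on Windows the real windows.h is used.

```c
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#define LIB_EXPORT __declspec(dllexport)
#else
/* Stand-ins for the Windows types and constants so the sample also compiles
 * on non-Windows hosts for reading; values mirror those used by windows.h. */
typedef void *HINSTANCE;
typedef void *LPVOID;
typedef unsigned long DWORD;
typedef int BOOL;
#define TRUE 1
#define WINAPI
#define DLL_PROCESS_DETACH 0
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH  2
#define DLL_THREAD_DETACH  3
#define LIB_EXPORT
#endif

/* Set by DllMain; shows that the loader initializes the module before the
 * host process can use any of its exports. */
static int g_initialized = 0;

/* Entry point the loader calls. fdwReason says why: process attach/detach
 * (load/unload) or thread attach/detach (threads starting/ending in the host). */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH: g_initialized = 1; break;  /* library set-up */
    case DLL_PROCESS_DETACH: g_initialized = 0; break;  /* library tear-down */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default: break;                                     /* nothing per-thread */
    }
    return TRUE;  /* FALSE would make the loader abort loading the DLL */
}

/* Exported functions: the only code the host process can call by name. */
LIB_EXPORT int WINAPI LibIsReady(void) { return g_initialized; }

LIB_EXPORT int WINAPI LibAdd(int a, int b)
{
    return g_initialized ? a + b : -1;  /* refuse work before DllMain ran */
}
```

On Windows, build it with `cl /LD` or `gcc -shared`, then run `dumpbin /exports` on the result to confirm which functions the module exposes; that export list is the first thing to check when triaging an unknown DLL.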
Disassemblers - 101
Youtube Lesson