[TryHackMe Room Link](https://tryhackme.com/room/windowsinternals) **Note: Premium Room**

## Table of Contents

- [[#Notes|Notes]]
    - [[#Notes#Links|Links]]
    - [[#Notes#Processes|Processes]]
        - [[#Processes#Attacks That Target Processes|Attacks That Target Processes]]
    - [[#Notes#Threads|Threads]]
        - [[#Threads#Thread Values and Data|Thread Values and Data]]
    - [[#Notes#Virtual Memory|Virtual Memory]]
    - [[#Notes#DLL's|DLL's]]
        - [[#DLL's#DLL Attacks|DLL Attacks]]
    - [[#Notes#Portable Executable (PE) Format|Portable Executable (PE) Format]]
        - [[#Portable Executable (PE) Format#Structure|Structure]]
            - [[#Structure#DOS Header|DOS Header]]
            - [[#Structure#PE File Header|PE File Header]]
            - [[#Structure#Image Optional Header|Image Optional Header]]
            - [[#Structure#Section Table|Section Table]]
    - [[#Notes#Interacting with Windows Internals|Interacting with Windows Internals]]
- [[#Tasks|Tasks]]
    - [[#Tasks#Task 01: Introduction|Task 01: Introduction]]
    - [[#Tasks#Task 02: Processes|Task 02: Processes]]
    - [[#Tasks#Task 03: Threads|Task 03: Threads]]
    - [[#Tasks#Task 04: Virtual Memory|Task 04: Virtual Memory]]
    - [[#Tasks#Task 05: Dynamic Link Libraries|Task 05: Dynamic Link Libraries]]
    - [[#Tasks#Task 06: Portable Executable Format|Task 06: Portable Executable Format]]
    - [[#Tasks#Task 07: Interacting with Windows Internals|Task 07: Interacting with Windows Internals]]
    - [[#Tasks#Task 08: Conclusion|Task 08: Conclusion]]

---

## Notes

### Links

Microsoft Documentation:

- [Processes & Threads](https://learn.microsoft.com/en-us/windows/win32/procthread/about-processes-and-threads)

### Processes

- An application can contain one or more processes.

**Each process contains:**

- Virtual address space
    - Isolated memory space into which the process is mapped; it holds the process's:
        - Code - the instructions the process executes
        - Heap - memory the process requests and frees dynamically at run time rather than fixing it at compile time
        - Stack - region used for function calls and control flow (return addresses, locals, arguments)
        - [[DLLs]] - shared libraries mapped into the process
    - The isolation prevents one process from directly reading or writing another process's memory; crossing that boundary requires a handle to the other process (`OpenProcess`) and explicit API calls, which is exactly the path the injection techniques below take.
- Executable code
    - Code executed by the CPU in user mode on behalf of the process
- Open handles to system objects
    - References to kernel objects (registry keys, events, sockets, files, other processes and threads)
    - Defines what the process has opened and can interact with
- Security context (the access token)
    - Defines what the process is allowed to do
    - Includes:
        - User SID
        - Group memberships
        - Privileges
        - Integrity level (the value Procmon shows in Task 02)
- Unique process identifier
    - PID, used by the kernel for tracking and by tools and APIs for reference; PIDs are reused after a process exits, so a PID on its own is not a stable identifier across a long log
- Environment variables
    - Configuration data
    - Paths
    - User info
    - Runtime settings/parameters
- Priority class
    - How much CPU time the process receives relative to other processes
- Minimum/maximum working set sizes
    - Bounds on how much physical RAM the process may have resident at once; pages above the maximum are trimmed (to standby or the pagefile), pages up to the minimum are kept resident
- At least one thread of execution
    - The unit the scheduler actually runs; when a process's last thread exits, the process terminates
    - Threads in one process share its address space and other resources, but each has its own:
        - stack
        - register state
        - instruction pointer

#### Attacks That Target Processes

- Process Injection ([T1055](https://attack.mitre.org/techniques/T1055/))
- Process Hollowing ([T1055.012](https://attack.mitre.org/techniques/T1055/012/))
- Process Doppelgänging ([T1055.013](https://attack.mitre.org/techniques/T1055/013/)) - the room labels this sub-technique "Process Masquerading"; masquerading proper (naming or placing a binary so it looks like a legitimate process) is [T1036](https://attack.mitre.org/techniques/T1036/)

---

### Threads

Definition of a thread (as given in the room):

- "controlling the execution of a process."

Put more precisely: a process is the container (address space, handles, token); a thread is the unit of execution the kernel scheduler dispatches onto a CPU.

Threads share the same details and resources as their parent process:

- code, global variables, heap, open handles, security context, etc.

#### Thread Values and Data

| **Component**        | **Purpose**                                                                                                                                                   |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Stack                | Per-thread memory for everything specific to that thread: procedure calls, local variables, exception frames                                                   |
| Thread Local Storage | Per-thread slots (pointers) that let a thread keep its own copy of data the process otherwise shares                                                          |
| Stack Argument       | The single pointer-sized value handed to the thread's start routine at creation (`lpParameter` in `CreateThread`); set per thread, so it differs between threads |
| Context Structure    | Machine register values (instruction pointer, stack pointer, general registers) saved by the kernel while the thread is not running                            |

---

### Virtual Memory

Each process sees a private, flat range of virtual addresses. The memory manager maps those addresses to physical frames (or to the pagefile) on demand, so two processes can use the same virtual address without colliding, and the address a process works with says nothing about where the data physically lives. The image base and size Procmon reports in `Load Image` events are virtual addresses, never physical ones.

- Memory is managed in pages (4 KiB on x86/x64); pages are the unit that gets allocated, protected, paged out and paged in.
- Maximum virtual address space is 4 GB on a 32-bit x86 system.
- Maximum virtual address space is 256 TB on a modern 64-bit Windows system (48-bit addressing), split into 128 TB of user space (below `0x00007FFFFFFF0000`) and 128 TB of kernel space (from `0xFFFF800000000000`).

On a 32-bit system the address space is split in half:

- Lower half - user process space: `0x00000000` -> `0x7FFFFFFF`
- Upper half - SYSTEM (kernel) space: `0x80000000` -> `0xFFFFFFFF`

If a 32-bit application requires more user process space, the `increaseUserVA` boot setting (`bcdedit /set increaseuserva <MB>`) grows the user half to at most 3 GB; the application must also be linked with `/LARGEADDRESSAWARE` to use the extra range.

---

### DLL's

As per Microsoft, "a library that contains code and data that can be used by more than one program at the same time".

#### DLL Attacks

- DLL Hijacking ([T1574.001](https://attack.mitre.org/techniques/T1574/001/)) - a writable directory earlier in the DLL search order than the legitimate copy
- DLL Side-Loading ([T1574.002](https://attack.mitre.org/techniques/T1574/002/))
- DLL Injection ([T1055.001](https://attack.mitre.org/techniques/T1055/001/))

[[DLLs|DLL's]] are loaded into a program in two ways:

- Load-time dynamic linking
    - The application calls DLL functions directly; the linker records them in the executable's import table and the loader resolves them before the entry point runs
    - The DLL is normally consumed through a header and an import library (`.lib`) at build time
- Run-time dynamic linking
    - The program calls `LoadLibrary`/`LoadLibraryEx` itself to map the DLL whenever it decides to
    - Once loaded, `GetProcAddress` resolves each exported function by name or ordinal before it can be called

Malicious code usually favours run-time linking: the DLL path and function names are assembled at run time (often obfuscated), so they never appear in the import table that static analysis and signatures inspect, and the same `LoadLibrary` mechanism is what classic DLL injection (T1055.001) forces a target process to execute. In Procmon, a `Load Image` of a DLL from a user-writable directory is therefore worth a closer look.

---

### Portable Executable (PE) Format

PE is the Windows executable image format (`.exe`, `.dll`, `.sys` and similar files). It is derived from the Common Object File Format (COFF), which is why the headers still carry COFF names such as `IMAGE_FILE_HEADER`. The format defines both the metadata the loader needs (where to map the image, where execution starts, which DLLs to import) and how the code and data sections are laid out on disk and in memory.

The raw bytes of a PE can be inspected with a hex dump; all header fields are little-endian.
#### Structure

##### DOS Header

- The first 64 bytes of the file. It starts with the `MZ` magic (`0x5A4D`), which marks the file as a DOS/Windows executable image; the field at offset `0x3C` (`e_lfanew`) holds the file offset of the PE header.
- The DOS stub follows the DOS header: a tiny 16-bit program that prints "This program cannot be run in DOS mode" if the file is launched under DOS.

##### PE File Header

- Provides info about the binary:
    - File signature (`PE\0\0`, `0x00004550`)
    - Image file header (`IMAGE_FILE_HEADER`: machine type such as `0x8664` for x64, `NumberOfSections`, timestamp, `SizeOfOptionalHeader`, `Characteristics`)
- This section has the least amount of human-readable data.
- Identified by the letters `PE` in the hex dump output.

##### Image Optional Header

- Not actually optional for an executable image (only object files omit it).
- Holds the loader parameters (`AddressOfEntryPoint`, `ImageBase`, `SectionAlignment`/`FileAlignment`, `SizeOfImage`, `Subsystem`, `DllCharacteristics`) followed by the data directories, which point to the import, export, resource, relocation and other tables.
- Begins with a magic number that denotes whether the PE is `PE32` or `PE32+`:
    - `0x10b` - PE32 (32-bit; `ImageBase` is 4 bytes)
    - `0x20b` - PE32+ (64-bit; `ImageBase` is 8 bytes, so the fields after it sit further along)
- `AddressOfEntryPoint` is a relative virtual address (RVA). Tools such as DiE display the entry point as `ImageBase + RVA`, which is why Task 06 reports a value like `0x14001acd0` rather than a small offset.

##### Section Table

- Defines the different sections within a PE: one 40-byte `IMAGE_SECTION_HEADER` per section giving its name, virtual size and address (where it is mapped), raw size and file offset (where it sits on disk) and its characteristics (readable/writable/executable).

| **Section**     | **Purpose**                                                                                                                                  |
| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| .text           | Executable code and the entry point                                                                                                          |
| .data           | Initialized, writable data (global variables, etc.)                                                                                          |
| .rdata / .idata | `.rdata` holds read-only data (constant strings, exception and import metadata); `.idata` holds the import table listing the DLLs and Windows API functions the image needs |
| .reloc          | Base relocations, applied when the image cannot be mapped at its preferred `ImageBase`                                                       |
| .rsrc           | Application resources (icons, images, manifest, version info)                                                                                |
| .debug          | Debug information                                                                                                                            |

A section that is both writable and executable, or whose raw size on disk is far smaller than its virtual size, is a classic packer or loader indicator and deserves a second look.

---

### Interacting with Windows Internals

Windows Internals are most commonly interacted with via the Windows API. Its user-mode DLLs (`kernel32.dll`, `kernelbase.dll`) call into `ntdll.dll`, the last user-mode stop before a system call enters the kernel.

"The Windows kernel will control all programs and processes and bridge all software and hardware interactions."

A Windows processor runs in either user mode or kernel mode.

| **User mode**                                              | **Kernel Mode**                                                              |
| ---------------------------------------------------------- | ---------------------------------------------------------------------------- |
| No direct hardware access                                  | Direct hardware access                                                       |
| Each process runs in its own private virtual address space | Runs in a single virtual address space shared by the kernel and all drivers  |
| Access only to memory the process owns                     | Access to the entire physical memory                                         |

An application starts in user mode and stays there until it makes a system call (through `ntdll.dll`); the processor switches to kernel mode for the duration of that call and returns to user mode when it completes. A fault in user-mode code crashes one process; a fault in kernel-mode code (a driver) can take down the whole system.

---

## Tasks

### Task 01: Introduction

No action needed. Just start the VM to continue.

### Task 02: Processes

Check the process tree view to find the notepad process. Then go to the related event to find the further process properties.
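The Procmon questions in Tasks 02, 03 and 05 (parent PID, thread IDs, image bases and DLL count) are answered below by clicking through the GUI; the same facts can be pulled out of a CSV export of the log, which is what you would do for any process in a real investigation rather than just notepad.exe. The following is an added example, not part of the TryHackMe room: the sample rows are constructed here in the column layout of a Procmon CSV export (File > Save > CSV), and the `Parent PID:` / `Thread ID:` / `Image Base:` wording matched in the `Detail` column is an assumption about Procmon's output that should be checked against a real export before the regular expressions are trusted. The last function also sanity-checks the reported image ranges against the 64-bit user-space layout from the Virtual Memory notes.

```python
"""Answer the Procmon questions of Tasks 02, 03 and 05 from a CSV export instead of the GUI.
Added example, not part of the TryHackMe room. SAMPLE_CSV is constructed in the column layout
of a Procmon CSV export; the Detail wording matched below is an assumption to verify against a real export."""
import csv
import io
import re

SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:01.0000010 AM","explorer.exe","1234","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 4321, Command line: notepad.exe"
"9:15:01.0000020 AM","notepad.exe","4321","Process Start","","SUCCESS","Parent PID: 1234, Command line: notepad.exe, Current directory: C:\Users\demo"
"9:15:01.0000030 AM","notepad.exe","4321","Thread Create","","SUCCESS","Thread ID: 4400"
"9:15:01.0000040 AM","notepad.exe","4321","Load Image","C:\Windows\System32\notepad.exe","SUCCESS","Image Base: 0x7ff6a0000000, Image Size: 0x38000"
"9:15:01.0000050 AM","notepad.exe","4321","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ffd10000000, Image Size: 0x1f0000"
"9:15:01.0000060 AM","notepad.exe","4321","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ffd0f000000, Image Size: 0xbe000"
"9:15:01.0000070 AM","notepad.exe","4321","Load Image","C:\Windows\System32\KernelBase.dll","SUCCESS","Image Base: 0x7ffd0cd00000, Image Size: 0x2f0000"
"9:15:01.0000080 AM","notepad.exe","4321","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild","SUCCESS","Type: REG_SZ, Length: 12"
"9:15:01.0000090 AM","notepad.exe","4321","Thread Create","","SUCCESS","Thread ID: 4404"
"9:15:01.0000100 AM","explorer.exe","1234","Load Image","C:\Windows\System32\shell32.dll","SUCCESS","Image Base: 0x7ffd0d000000, Image Size: 0x7a0000"
"""

PARENT_RE = re.compile(r"Parent PID:\s*(\d+)")
THREAD_RE = re.compile(r"Thread ID:\s*(\d+)")
IMAGE_RE = re.compile(r"Image Base:\s*(0x[0-9A-Fa-f]+),\s*Image Size:\s*(0x[0-9A-Fa-f]+)")
X64_USER_LIMIT = 0x00007FFFFFFF0000   # end of the 128 TB user half on 64-bit Windows (last 64 KiB is a no-access guard)
ALLOC_GRANULARITY = 0x10000           # image bases are 64 KiB aligned


def parse_events(csv_text):
    """Rows of a Procmon CSV export as dicts, with PID as an int."""
    rows = list(csv.DictReader(io.StringIO(csv_text.strip())))
    for row in rows:
        row["PID"] = int(row["PID"])
    return rows


def process_tree(events):
    """pid -> (image name, parent pid), taken from each process's own 'Process Start' event (Task 02)."""
    tree = {}
    for e in events:
        if e["Operation"] == "Process Start":
            m = PARENT_RE.search(e["Detail"])
            tree[e["PID"]] = (e["Process Name"], int(m.group(1)) if m else None)
    return tree


def pid_of(events, image_name):
    """First PID seen for an image name (PIDs are reused, so pair a name with a time window in long logs)."""
    for e in events:
        if e["Process Name"].lower() == image_name.lower():
            return e["PID"]
    return None


def thread_ids(events, pid):
    """Thread IDs in creation order for one process (Task 03)."""
    return [int(THREAD_RE.search(e["Detail"]).group(1))
            for e in events if e["PID"] == pid and e["Operation"] == "Thread Create"]


def loaded_images(events, pid):
    """(path, base, size) for every image the loader mapped into a process (Tasks 04 and 05)."""
    images = []
    for e in events:
        if e["PID"] == pid and e["Operation"] == "Load Image":
            m = IMAGE_RE.search(e["Detail"])
            if m:
                images.append((e["Path"], int(m.group(1), 16), int(m.group(2), 16)))
    return images


def image_by_name(events, pid, basename):
    """(base, size) of one mapped image, matched on file name, or None."""
    for path, base, size in loaded_images(events, pid):
        if path.rsplit("\\", 1)[-1].lower() == basename.lower():
            return base, size
    return None


def dll_count(events, pid):
    """Loaded DLLs = mapped images minus the main executable."""
    return sum(1 for path, _, _ in loaded_images(events, pid) if not path.lower().endswith(".exe"))


def sanity_check(images):
    """Every mapped range must be 64 KiB aligned, inside the x64 user half and non-overlapping;
    anything else means the Detail column was misparsed or the log is not from a 64-bit guest."""
    ranges = sorted((base, base + size) for _, base, size in images)
    for i, (start, end) in enumerate(ranges):
        if start % ALLOC_GRANULARITY or end > X64_USER_LIMIT:
            return False
        if i + 1 < len(ranges) and end > ranges[i + 1][0]:
            return False
    return True


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    pid = pid_of(events, "notepad.exe")
    name, ppid = process_tree(events)[pid]
    print(f"{name} PID {pid}, parent PID {ppid}, threads {thread_ids(events, pid)}")
    for path, base, size in loaded_images(events, pid):
        print(f"  {base:#018x} +{size:#09x} {path}")
    print(f"DLLs loaded: {dll_count(events, pid)}, ranges sane: {sanity_check(loaded_images(events, pid))}")
```

The parent PID is read from the child's own `Process Start` event rather than from the parent's `Process Create`, because a parent that exited before tracing started still leaves the child's record in the log. Integrity level is not in the export (Procmon only shows it in the process properties dialog), so Task 02's last question still needs the GUI.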
**Question 01:** Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

- No answer needed.

**Question 02:** What is the process ID of "notepad.exe"?

- 5984

**Question 03:** What is the parent process ID of the previous process?

- 3412

**Question 04:** What is the integrity level of the process?

- High

### Task 03: Threads

**Question 01:** Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

- No answer needed.

**Question 02:** What is the thread ID of the first thread created by notepad.exe?

Listed as `Thread ID:` in the first `Thread Create` event.

- 5908

**Question 03:** What is the stack argument of the previous thread?

In the same `Thread Create` event, under the `Event` tab, the thread it belongs to is the stack argument.

- 6584

### Task 04: Virtual Memory

**Question 01:** Read the above and answer the questions below.

- No answer required.

**Question 02:** What is the total theoretical maximum virtual address space of a 32-bit x86 system?

- 4 GB

**Question 03:** What default setting flag can be used to reallocate user process address space?

- increaseUserVA

**Question 04:** Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

- No answer required.

**Question 05:** What is the base address of "notepad.exe"?

- `0x7ff652ec0000`

### Task 05: Dynamic Link Libraries

**Question 01:** Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

- No answer needed.

**Question 02:** What is the base address of "ntdll.dll" loaded from "notepad.exe"?

- `0x7ffd0be20000`

**Question 03:** What is the size of "ntdll.dll" loaded from "notepad.exe"?

- `0x1ec000`

**Question 04:** How many DLLs were loaded by "notepad.exe"?

- 51

### Task 06: Portable Executable Format

**Question 01:** Read the above and answer the questions below.

- No answer needed.

**Question 02:** What PE component prints the message "This program cannot be run in DOS mode"?

- `DOS Stub`

**Question 03:** Open "notepad.exe" in Detect It Easy and answer the questions below.

- No answer needed.

**Question 04:** What is the entry point reported by DiE?

- `000000014001acd0`

**Question 05:** What is the value of "NumberOfSections"?

Found under `IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER`.

- `0006`

**Question 06:** What is the virtual address of ".data"?

Found in the Sections table.

- `00024000`

**Question 07:** What string is located at the offset "0001f99c"?

- `Microsoft.Notepad`

### Task 07: Interacting with Windows Internals

**Question 01:** Open a command prompt and execute the provided file: "inject-poc.exe" and answer the questions below.

- No answer needed.

**Question 02:** Enter the flag obtained from the executable below.

- `THM{1Nj3c7_4lL_7H3_7h1NG2}`

### Task 08: Conclusion

**Question 01:** Read the above and continue learning!

- No answer needed.