SlideShare a Scribd company logo

Windows internals

Download as PPT, PDF
Piyush Jain
Piyush Jain

Windows Internals and other basics used for cyber security

Technology
1 of 22
Windows Internals
Process • Process: Program in execution. • Processes are containers. • A process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier, environment variables, a priority class, minimum and maximum working set sizes, and at least one thread of execution. • Run multiple threads with in same process: Multitasking.
Threads • Light-weight process. • Each thread maintains exception handlers, a scheduling priority, thread local storage, a unique thread identifier. • Microsoft Windows supports preemptive multitasking, which creates the effect of simultaneous execution of multiple threads from multiple processes. • Virtual m/c abstraction: Give illusion to process of having it's own m/c i.e. CPU, memory, O/I etc. • Switching to a thread within a process is cheaper • Threads within a process • share resources • not independent • not protected against each other
Process and Threads APIs • Start: CreateProcess; OpenProcess; CreateThread; CreateRemoteThread; OpenThread; • Kill: TerminateProcess; ExitProcess; • Suspend: SuspendThread; Sleep; • Wait: WaitForThreadpoolIoCallbacks; WaitForThreadpoolWaitCallbacks
Enumeration APIs • Process status API: – EnumProcesses – EnumProcessModule – GetModuleFileName • Process32Next function • Heap32Next function
Imp Data Types • BOOL • CHAR • DWORD: A 32-bit unsigned integer. • HANDLE: A handle to an object • HINSTANCE, HMODULE: A handle to an instance. This is the base address of the module in memory. • WINAPI: The calling convention for system functions.
Windows Architectute: • Windows is originally 16 bit graphical layer for MS-DOS. • Windows NT and 2000 are 32 bit. • NT kernel: – NTOSKRNL.EXE: Kernel of OS – HAL: Hardwere abstract layer, handle BIOS and interrupt communication. NTOSKRNL.EXE depens on HAL.DLL. – NTDLL.DLL: The file that contains NT kernel functions. – Win32k.SYS: A Kernel mode driver that implements windowing and graphics.
Windows Architectute: – Win32API: 1. kernel32.dll: most system related. 2. advapi32.dll: Registry and service handling. 3. gdi32.dll: Function for drawing and shapes. 4. user32.dll: UI for windows i.e. msgbox, programs, prompts. This perform task by calling system call implemented by Win32k.SYS.
Kernel Mode • A processor in a computer running Windows has two different modes: user mode and kernel mode. • The processor switches between the two modes depending on what type of code is running on the processor. • In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. • Not all driver run in Kernel mode. • Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system. Crashes in kernel mode can halt the entire PC.
User Mode • In User mode, the executing code has no ability to directly access hardware or reference memory. Code running in user mode must delegate to system APIs to access hardware or memory. • Most of the code running on computer will execute in user mode. • If code executing in User mode attempts accessing a privileged CPU instruction or modifying memory that it has no access to then instead of entire system crashing, only that particular application crashes. That's the value of User mode.
Virtual Address Space • The virtual address space for a process is the set of virtual memory addresses that it can use. The address space for each process is private and cannot be accessed by other processes unless it is shared. • The system maintains a page table for each process. • The virtual address space for 32-bit Windows is 4 gigabytes (GB) in size and divided into two partitions: one for use by the process and the other reserved for use by the system. • APIs used are VirtualAlloc, VirtualQuery, VirtualFree fuction etc.
Registry • The registry is a system-defined database in which applications and system components store and retrieve configuration data. • Application uses the registry APIs to retrieve, modify or delete registry data. • Registry APIs: – RegOpenKeyEx, RegCreateKeyEx, RegCloseKey, RegEnumValue, RegQueryValueEx, RegDeleteValue, RegDeleteKey
Registry • Predefine keys – HKEY_CURRENT_USER: Point to user file currently logged in. – HKEY_USERS: Contain subkeys of all loaded user profile. – HKEY_CLASS_ROOT: Contains file name extension associations and COM class registration information such as ProgIDs, CLSIDs, IIDs. – HKEY_LOCAL_MACHINE: Contain all system configuration – HKEY_CURRENT_CONFIG: Current hardwere profile – HKEY_PERFORMANCE_DATA: Performance Counters.
Registry • Data Types: – REG_BINARY: Arbitrary-length binary data. – REG_DWORD: 32-bit number – REG_SZ: Fixed length Unicode string. • etc.. • HIVE: On disk, the registry isn’t simply one large file but rather a set of discrete files called hives. Each hive contains a registry tree, which has a key that serves as the root or starting point of the tree. • .alt, .log, .sav are the file formats.
Networking • Windows Internet (WinINet) application programming interface (API) enables applications to interact with FTP, and HTTP protocols to access Internet resources • InternetOpen • InternetOpenUrl • InternetReadFile • InternetWriteFile • InternetCloseHandle • InternetConnect
Networking • HTTP and HTTPS • Request methods: – GET – POST • HTTP APIs – HttpAddRequestHeaders – HttpEndRequest – HttpOpenRequest – HttpQueryInfo – HttpSendRequest – HttpSendRequestEx
Networking • File Transfer Protocol APIs: – FtpCreateDirectory – FtpDeleteFile – FtpFindFirstFile – FtpGet/SetCurrentDirectory – FtpGetFile – FtpOpenFile – FtpRenameFile
Socket programming • A socket is a handle (abstract reference) that a local program can pass to the networking application programming interface (API) to use the connection. • An Internet socket is characterized by at least the following: Local socket address: Local IP address and port number Protocol: A transport protocol (e.g., TCP, UDP, raw IP) In Windows, sockets are implemented using Winsock programming.
Socket programming • Servers and Clients have different behaviors; therefore, the process of creating them is different. • Server • Initialize Winsock: The WSAStartup function initiates use of the Winsock DLL by a process. • Create a socket: The WskSocket function creates a new socket and returns a pointer to the associated socket object. • Bind the socket. • Listen on the socket for a client. • Accept a connection from a client. • Receive and send data. • Disconnect. • Client • Initialize Winsock. • Create a socket. • Connect to the server. • Send and receive data. • Disconnect.
Dynamic Link Library • A DLL file, short for Dynamic Link Library, is a type of file that contains instructions that other programs can call upon to do certain things. • Multiple programs can share the abilities programmed into a single file, and even do so simultaneously. • Most Dynamic Link Libraries end in the file extension .DLL. Others may use .OCX, .CPL, or .DRV. • The word "dynamic" in Dynamic Link Library is used because the data is only put to use in a program when the program actively calls for it instead of having the data always be available in memory. • Third-party programs can install them too. • DLLs provide a way for parts of a program to be updated without having to rebuild or reinstall the entire program all over.
Dynamic Link Library • Exporting functions – DLL file contains an exports table. – The exports table contains the name of every function that the DLL exports to other executables. – These functions are the entry points into the DLL; only the functions in the exports table can be accessed by other executables. Any other functions in the DLL are private to the DLL. • DllMain entry point: – LoadLibrary function – FreeLibrary function – GetProcAddress
Windows Services • What is Service ? Services are processes that runs in the background and performs tasks that don't require user interaction. • Service Control Manager (SCM) • The service functions provide an interface for the following tasks performed by the SCM: – Maintaining the database of installed services. • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices – Maintaining the database of installed services. – Starting services and driver services either upon system startup or upon demand. – Enumerating installed services and driver services. – Maintaining status information for running services and driver services. – Transmitting control requests to running services. – Locking and unlocking the service database.

Recommended

Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals EssentialsJohn Ombagi
 
Real-Time Operating Systems
Real-Time Operating SystemsReal-Time Operating Systems
Real-Time Operating SystemsPraveen Penumathsa
 
Memory Hierarchy Design, Basics, Cache Optimization, Address Translation
Memory Hierarchy Design, Basics, Cache Optimization, Address TranslationMemory Hierarchy Design, Basics, Cache Optimization, Address Translation
Memory Hierarchy Design, Basics, Cache Optimization, Address TranslationFarwa Ansari
 
Real Time Operating Systems
Real Time Operating SystemsReal Time Operating Systems
Real Time Operating SystemsMurtadha Alsabbagh
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating SystemTech_MX
 
Process Synchronization in operating system | mutex | semaphore | race condition
Process Synchronization in operating system | mutex | semaphore | race conditionProcess Synchronization in operating system | mutex | semaphore | race condition
Process Synchronization in operating system | mutex | semaphore | race conditionShivam Mitra
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Linux Device Driver’s
Linux Device Driver’sLinux Device Driver’s
Linux Device Driver’sRashmi Warghade
 

Recommended

Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals EssentialsJohn Ombagi
 
Real-Time Operating Systems
Real-Time Operating SystemsReal-Time Operating Systems
Real-Time Operating SystemsPraveen Penumathsa
 
Memory Hierarchy Design, Basics, Cache Optimization, Address Translation
Memory Hierarchy Design, Basics, Cache Optimization, Address TranslationMemory Hierarchy Design, Basics, Cache Optimization, Address Translation
Memory Hierarchy Design, Basics, Cache Optimization, Address TranslationFarwa Ansari
 
Real Time Operating Systems
Real Time Operating SystemsReal Time Operating Systems
Real Time Operating SystemsMurtadha Alsabbagh
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating SystemTech_MX
 
Process Synchronization in operating system | mutex | semaphore | race condition
Process Synchronization in operating system | mutex | semaphore | race conditionProcess Synchronization in operating system | mutex | semaphore | race condition
Process Synchronization in operating system | mutex | semaphore | race conditionShivam Mitra
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Linux Device Driver’s
Linux Device Driver’sLinux Device Driver’s
Linux Device Driver’sRashmi Warghade
 
Transactional Memory
Transactional MemoryTransactional Memory
Transactional MemoryYuuki Takano
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
Multiprocessor
MultiprocessorMultiprocessor
MultiprocessorNeel Patel
 
Embedded linux
Embedded linuxEmbedded linux
Embedded linuxWingston
 
Basic functions & types of RTOS ES
Basic functions & types of RTOS ESBasic functions & types of RTOS ES
Basic functions & types of RTOS ESJOLLUSUDARSHANREDDY
 
OS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and MonitorsOS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and Monitorssgpraju
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
Linux Programming
Linux ProgrammingLinux Programming
Linux ProgrammingEmertxe Information Technologies Pvt Ltd
 
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...Sehrish Asif
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
Booting Process OS
Booting Process OSBooting Process OS
Booting Process OSanilinvns
 
Introduction to FreeRTOS
Introduction to FreeRTOSIntroduction to FreeRTOS
Introduction to FreeRTOSICS
 
Operating system 31 multiple processor scheduling
Operating system 31 multiple processor schedulingOperating system 31 multiple processor scheduling
Operating system 31 multiple processor schedulingVaibhav Khanna
 
Introduction to parallel processing
Introduction to parallel processingIntroduction to parallel processing
Introduction to parallel processingPage Maker
 
Ports, pods and proxies
Ports, pods and proxiesPorts, pods and proxies
Ports, pods and proxiesLibbySchulze
 
Embedded Linux Basics
Embedded Linux BasicsEmbedded Linux Basics
Embedded Linux BasicsMarc Leeman
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsShivam Mitra
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers Emertxe Information Technologies Pvt Ltd
 
Linux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platformLinux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platformEmertxe Information Technologies Pvt Ltd
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
 
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Sam Bowne
 

More Related Content

What's hot

Transactional Memory
Transactional MemoryTransactional Memory
Transactional MemoryYuuki Takano
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
Multiprocessor
MultiprocessorMultiprocessor
MultiprocessorNeel Patel
 
Embedded linux
Embedded linuxEmbedded linux
Embedded linuxWingston
 
Basic functions & types of RTOS ES
Basic functions & types of RTOS ESBasic functions & types of RTOS ES
Basic functions & types of RTOS ESJOLLUSUDARSHANREDDY
 
OS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and MonitorsOS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and Monitorssgpraju
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...Sehrish Asif
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
Booting Process OS
Booting Process OSBooting Process OS
Booting Process OSanilinvns
 
Introduction to FreeRTOS
Introduction to FreeRTOSIntroduction to FreeRTOS
Introduction to FreeRTOSICS
 
Operating system 31 multiple processor scheduling
Operating system 31 multiple processor schedulingOperating system 31 multiple processor scheduling
Operating system 31 multiple processor schedulingVaibhav Khanna
 
Introduction to parallel processing
Introduction to parallel processingIntroduction to parallel processing
Introduction to parallel processingPage Maker
 
Ports, pods and proxies
Ports, pods and proxiesPorts, pods and proxies
Ports, pods and proxiesLibbySchulze
 
Embedded Linux Basics
Embedded Linux BasicsEmbedded Linux Basics
Embedded Linux BasicsMarc Leeman
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsShivam Mitra
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 

What's hot (20)

Transactional Memory
Transactional MemoryTransactional Memory
Transactional Memory
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
 
Multiprocessor
MultiprocessorMultiprocessor
Multiprocessor
 
Embedded linux
Embedded linuxEmbedded linux
Embedded linux
 
Basic functions & types of RTOS ES
Basic functions & types of RTOS ESBasic functions & types of RTOS ES
Basic functions & types of RTOS ES
 
OS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and MonitorsOS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and Monitors
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
 
Linux Programming
Linux ProgrammingLinux Programming
Linux Programming
 
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...
Message Passing, Remote Procedure Calls and Distributed Shared Memory as Com...
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
 
Booting Process OS
Booting Process OSBooting Process OS
Booting Process OS
 
Introduction to FreeRTOS
Introduction to FreeRTOSIntroduction to FreeRTOS
Introduction to FreeRTOS
 
Operating system 31 multiple processor scheduling
Operating system 31 multiple processor schedulingOperating system 31 multiple processor scheduling
Operating system 31 multiple processor scheduling
 
Introduction to parallel processing
Introduction to parallel processingIntroduction to parallel processing
Introduction to parallel processing
 
Ports, pods and proxies
Ports, pods and proxiesPorts, pods and proxies
Ports, pods and proxies
 
Embedded Linux Basics
Embedded Linux BasicsEmbedded Linux Basics
Embedded Linux Basics
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interrupts
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
 
Linux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platformLinux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platform
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware Behavior
 

Similar to Windows internals

CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
 
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Sam Bowne
 
CNIT 126 Ch 7: Analyzing Malicious Windows Programs
CNIT 126 Ch 7: Analyzing Malicious Windows ProgramsCNIT 126 Ch 7: Analyzing Malicious Windows Programs
CNIT 126 Ch 7: Analyzing Malicious Windows ProgramsSam Bowne
 
Ch 6: The Wild World of Windows
Ch 6: The Wild World of WindowsCh 6: The Wild World of Windows
Ch 6: The Wild World of WindowsSam Bowne
 
CNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsSam Bowne
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
OS Internals and Portable Executable File Format
OS Internals and Portable Executable File FormatOS Internals and Portable Executable File Format
OS Internals and Portable Executable File FormatAitezaz Mohsin
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistrySam Bowne
 
fdocuments.in_unit-2-foc.ppt
fdocuments.in_unit-2-foc.pptfdocuments.in_unit-2-foc.ppt
fdocuments.in_unit-2-foc.pptKrishanPalSingh39
 
Application Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeApplication Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeDenis Gundarev
 
Tech presentation (part 1)
Tech presentation (part 1)Tech presentation (part 1)
Tech presentation (part 1)Abhijit Roy
 
Processes and Threads in Windows Vista
Processes and Threads in Windows VistaProcesses and Threads in Windows Vista
Processes and Threads in Windows VistaTrinh Phuc Tho
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesSam Bowne
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesSam Bowne
 
Concepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsConcepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsNatraj G
 

Similar to Windows internals (20)

CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows Programs
 
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
 
CNIT 126 Ch 7: Analyzing Malicious Windows Programs
CNIT 126 Ch 7: Analyzing Malicious Windows ProgramsCNIT 126 Ch 7: Analyzing Malicious Windows Programs
CNIT 126 Ch 7: Analyzing Malicious Windows Programs
 
Ch 6: The Wild World of Windows
Ch 6: The Wild World of WindowsCh 6: The Wild World of Windows
Ch 6: The Wild World of Windows
 
CNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of Windows
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
OS Internals and Portable Executable File Format
OS Internals and Portable Executable File FormatOS Internals and Portable Executable File Format
OS Internals and Portable Executable File Format
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows Registry
 
DLL Injection
DLL InjectionDLL Injection
DLL Injection
 
Android OS
Android OSAndroid OS
Android OS
 
fdocuments.in_unit-2-foc.ppt
fdocuments.in_unit-2-foc.pptfdocuments.in_unit-2-foc.ppt
fdocuments.in_unit-2-foc.ppt
 
Application Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeApplication Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternative
 
Tech presentation (part 1)
Tech presentation (part 1)Tech presentation (part 1)
Tech presentation (part 1)
 
Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
 
Processes and Threads in Windows Vista
Processes and Threads in Windows VistaProcesses and Threads in Windows Vista
Processes and Threads in Windows Vista
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise Services
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 
Concepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsConcepts of Malicious Windows Programs
Concepts of Malicious Windows Programs
 

More from Piyush Jain

Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditingPiyush Jain
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodologyPiyush Jain
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptxPiyush Jain
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access managementPiyush Jain
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
Assembly language
Assembly languageAssembly language
Assembly languagePiyush Jain
 

More from Piyush Jain (6)

Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Assembly language
Assembly languageAssembly language
Assembly language
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Windows internals

  • 2. Process • Process: Program in execution. • Processes are containers. • A process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier, environment variables, a priority class, minimum and maximum working set sizes, and at least one thread of execution. • Run multiple threads with in same process: Multitasking.
  • 3. Threads • Light-weight process. • Each thread maintains exception handlers, a scheduling priority, thread local storage, a unique thread identifier. • Microsoft Windows supports preemptive multitasking, which creates the effect of simultaneous execution of multiple threads from multiple processes. • Virtual m/c abstraction: Give illusion to process of having it's own m/c i.e. CPU, memory, O/I etc. • Switching to a thread within a process is cheaper • Threads within a process • share resources • not independent • not protected against each other
  • 4. Process and Threads APIs • Start: CreateProcess; OpenProcess; CreateThread; CreateRemoteThread; OpenThread; • Kill: TerminateProcess; ExitProcess; • Suspend: SuspendThread; Sleep; • Wait: WaitForThreadpoolIoCallbacks; WaitForThreadpoolWaitCallbacks
  • 5. Enumeration APIs • Process status API: – EnumProcesses – EnumProcessModule – GetModuleFileName • Process32Next function • Heap32Next function
  • 6. Imp Data Types • BOOL • CHAR • DWORD: A 32-bit unsigned integer. • HANDLE: A handle to an object • HINSTANCE, HMODULE: A handle to an instance. This is the base address of the module in memory. • WINAPI: The calling convention for system functions.
  • 7. Windows Architectute: • Windows is originally 16 bit graphical layer for MS-DOS. • Windows NT and 2000 are 32 bit. • NT kernel: – NTOSKRNL.EXE: Kernel of OS – HAL: Hardwere abstract layer, handle BIOS and interrupt communication. NTOSKRNL.EXE depens on HAL.DLL. – NTDLL.DLL: The file that contains NT kernel functions. – Win32k.SYS: A Kernel mode driver that implements windowing and graphics.
  • 8. Windows Architectute: – Win32API: 1. kernel32.dll: most system related. 2. advapi32.dll: Registry and service handling. 3. gdi32.dll: Function for drawing and shapes. 4. user32.dll: UI for windows i.e. msgbox, programs, prompts. This perform task by calling system call implemented by Win32k.SYS.
  • 9. Kernel Mode • A processor in a computer running Windows has two different modes: user mode and kernel mode. • The processor switches between the two modes depending on what type of code is running on the processor. • In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. • Not all driver run in Kernel mode. • Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system. Crashes in kernel mode can halt the entire PC.
  • 10. User Mode • In User mode, the executing code has no ability to directly access hardware or reference memory. Code running in user mode must delegate to system APIs to access hardware or memory. • Most of the code running on computer will execute in user mode. • If code executing in User mode attempts accessing a privileged CPU instruction or modifying memory that it has no access to then instead of entire system crashing, only that particular application crashes. That's the value of User mode.
  • 11. Virtual Address Space • The virtual address space for a process is the set of virtual memory addresses that it can use. The address space for each process is private and cannot be accessed by other processes unless it is shared. • The system maintains a page table for each process. • The virtual address space for 32-bit Windows is 4 gigabytes (GB) in size and divided into two partitions: one for use by the process and the other reserved for use by the system. • APIs used are VirtualAlloc, VirtualQuery, VirtualFree fuction etc.
  • 12. Registry • The registry is a system-defined database in which applications and system components store and retrieve configuration data. • Application uses the registry APIs to retrieve, modify or delete registry data. • Registry APIs: – RegOpenKeyEx, RegCreateKeyEx, RegCloseKey, RegEnumValue, RegQueryValueEx, RegDeleteValue, RegDeleteKey
  • 13. Registry • Predefine keys – HKEY_CURRENT_USER: Point to user file currently logged in. – HKEY_USERS: Contain subkeys of all loaded user profile. – HKEY_CLASS_ROOT: Contains file name extension associations and COM class registration information such as ProgIDs, CLSIDs, IIDs. – HKEY_LOCAL_MACHINE: Contain all system configuration – HKEY_CURRENT_CONFIG: Current hardwere profile – HKEY_PERFORMANCE_DATA: Performance Counters.
  • 14. Registry • Data Types: – REG_BINARY: Arbitrary-length binary data. – REG_DWORD: 32-bit number – REG_SZ: Fixed length Unicode string. • etc.. • HIVE: On disk, the registry isn’t simply one large file but rather a set of discrete files called hives. Each hive contains a registry tree, which has a key that serves as the root or starting point of the tree. • .alt, .log, .sav are the file formats.
  • 15. Networking • Windows Internet (WinINet) application programming interface (API) enables applications to interact with FTP, and HTTP protocols to access Internet resources • InternetOpen • InternetOpenUrl • InternetReadFile • InternetWriteFile • InternetCloseHandle • InternetConnect
  • 16. Networking • HTTP and HTTPS • Request methods: – GET – POST • HTTP APIs – HttpAddRequestHeaders – HttpEndRequest – HttpOpenRequest – HttpQueryInfo – HttpSendRequest – HttpSendRequestEx
  • 17. Networking • File Transfer Protocol APIs: – FtpCreateDirectory – FtpDeleteFile – FtpFindFirstFile – FtpGet/SetCurrentDirectory – FtpGetFile – FtpOpenFile – FtpRenameFile
  • 18. Socket programming • A socket is a handle (abstract reference) that a local program can pass to the networking application programming interface (API) to use the connection. • An Internet socket is characterized by at least the following: Local socket address: Local IP address and port number Protocol: A transport protocol (e.g., TCP, UDP, raw IP) In Windows, sockets are implemented using Winsock programming.
  • 19. Socket programming • Servers and Clients have different behaviors; therefore, the process of creating them is different. • Server • Initialize Winsock: The WSAStartup function initiates use of the Winsock DLL by a process. • Create a socket: The WskSocket function creates a new socket and returns a pointer to the associated socket object. • Bind the socket. • Listen on the socket for a client. • Accept a connection from a client. • Receive and send data. • Disconnect. • Client • Initialize Winsock. • Create a socket. • Connect to the server. • Send and receive data. • Disconnect.
  • 20. Dynamic Link Library • A DLL file, short for Dynamic Link Library, is a type of file that contains instructions that other programs can call upon to do certain things. • Multiple programs can share the abilities programmed into a single file, and even do so simultaneously. • Most Dynamic Link Libraries end in the file extension .DLL. Others may use .OCX, .CPL, or .DRV. • The word "dynamic" in Dynamic Link Library is used because the data is only put to use in a program when the program actively calls for it instead of having the data always be available in memory. • Third-party programs can install them too. • DLLs provide a way for parts of a program to be updated without having to rebuild or reinstall the entire program all over.
  • 21. Dynamic Link Library • Exporting functions – DLL file contains an exports table. – The exports table contains the name of every function that the DLL exports to other executables. – These functions are the entry points into the DLL; only the functions in the exports table can be accessed by other executables. Any other functions in the DLL are private to the DLL. • DllMain entry point: – LoadLibrary function – FreeLibrary function – GetProcAddress
  • 22. Windows Services • What is Service ? Services are processes that runs in the background and performs tasks that don't require user interaction. • Service Control Manager (SCM) • The service functions provide an interface for the following tasks performed by the SCM: – Maintaining the database of installed services. • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices – Maintaining the database of installed services. – Starting services and driver services either upon system startup or upon demand. – Enumerating installed services and driver services. – Maintaining status information for running services and driver services. – Transmitting control requests to running services. – Locking and unlocking the service database.