Skip to main content

THM | Windows Internals

· 14 min read

Malware Analysis | Windows Internals | Summary:

This room aims to provide an in-depth exploration of Windows operating system internals and common components. Important concepts like Processes, Threads, Virtual Memory, DLLs, PE and the Window API are introduced.

Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance. This walkthrough provides one (of the many) possible solution to the challenges, without revealing any flags or passwords directly.

Learning Objectives

  • Understand and interact with Windows processes and their underlying technologies.
  • Learn about core file formats and how they are used.
  • Interact with Windows internals and understand how the Windows kernel operates.

Task | 1 | Introduction

The main focus is on empowering red teams (cybersecurity professionals who simulate attacks) to understand and exploit Windows internals for various purposes, such as evasion and exploitation when crafting offensive tools or exploits. This knowledge is crucial in a corporate setting where Windows machines are prevalent.

RDP Access

Machine IPUsernamePassword
<machine-ip>THM-AttackerTryhackme!

Question 1: Start the provided machine and move on to the next tasks.

No answer needed

Task | 2 | Processes

  • A process in Windows refers to the execution of an application, which can contain one or more processes.
  • A process has various components, including
    • a (private) virtual address space,
    • executable code | program
    • open handles to system objects
    • a security context
    • a unique process identifier | process ID
    • environment variables
    • a priority class
    • minimum and maximum working set sizes
    • at least one thread of execution
  • Processes are created when an application runs and are essential for Windows functionality

Attackers can target processes to evade detection and hide malware by using techniques such as Process Injection, Hollowing, or Masquerading.

A process also has lower-level components that reside in the virtual address space

  • code | global variables | heap memory (process heap) | resources (open files | heaps) | environment block | it's threads

These components can be observed in detail using utilities like Process Hacker 2, Process Explorer, or Procmon, which display essential process details such as name, PID, status, user name, and more.

Overall, processes are a fundamental concept in Windows that play a crucial role in the operating system's functionality and security.

Questions | Answers

First, we launch Procmon, by opening the "ProcessMonitor" Folder on our Desktop

and then running the "Procmon" executable.

Make sure to "Agree" to the Terms to accept the provided EULA.

Furthermore, ensure that you provide all the necessary Permissions for the Program to run.

Continue by opening the "Logfile" by clicking on "File" > "Open",

and then by selecting the "Logfile" which is placed in the "ProcessMonitor" folder on our Desktop.

Question 1: Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

No answer needed

Filter by "Process Name" for "notepad.exe" to answer the following questions. First, we select "Filter" > "Filter",

then we continue to select "Process Name" which to filter by and specify "notepad.exe" as our target.

Lastly, we ensure our filter works by adding the item.

To answer the questions below, we check the first event's properties, by selecting the entry and clicking on the lightning bolt symbol, or by simply "right clicking" and selecting it's properties.

We will find all the answers we were looking for by simply selecting the "Process" View.

Question 2: What is the process ID of "notepad.exe"?

5984

Question 3: What is the parent process ID of the previous process?

3412

Question 4: What is the integrity level of the process?

High

Task | 3 | Threads

  • a Thread is an executable unit within a process that is scheduled based on device factors such as CPU and memory specifications, priority, and logical factors
  • are essentially "controllers" of process execution
  • Characteristics shared with the parent process
    • code | global variables | resources
  • Unique values and data specific to each thread
    • Stack | stores data relevant to the thread (exceptions, procedure calls...) -Thread Local Storage | allocates storage for a unique data environment
    • Stack Argument | a unique value assigned to each thread
    • Context Structure | holds machine register values maintained by the kernel

Threads are a critical component of processes and can be targeted by attackers for malicious purposes, such as code execution or chaining with other API calls.

Questions | Answers

Since we have the "Logfile.PML" already opened in Procmon, we just continue along where we left off in our previous task.

Question 1: Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

No answer needed

For the next two questions, we first search for the first event where the Operation Field of the Event matches "Thread Create", to search the threads that were created by the notepad.exe program. Since the events are ordered in chronological order, the first one we find will be the one that we are looking for.

Question 2: What is the thread ID of the first thread created by notepad.exe?

5908

By opening it's properties, we can find the answer for both of our questions.

Question 3: What is the stack argument of the previous thread?

6584

Task | 4 | Virtual Memory

It allows different processes to use memory as if it were physical memory without the risk of collisions or conflicts between applications.

Each process has its own private virtual address space, which is managed by the memory manager. The memory manager translates virtual addresses to physical addresses and can transfer or page virtual memory to the disk when an application uses more virtual memory than physical memory allocated.

On a 32-bit x86 system, the maximum virtual address space is 4 GB, with (lower | 0x00000000 - 0x7FFFFFFF) half allocated to processes and the other (upper | 0x80000000 - 0xFFFFFFFF) half to OS memory utilization. On a 64-bit modern system, the maximum virtual address space is 256 TB, with a similar allocation layout.

Questions | Answers

Question 1: Read the above and answer the questions below.

No answer needed

Question 2: What is the total theoretical maximum virtual address space of a 32-bit x86 system?

4 GB

Question 3: What default setting flag can be used to reallocate user process address space?

increaseuserva

Question 4: Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

No answer needed

Here, since we are looking for the base address of the "notepad.exe", we are going to search for the event where the "notepad.exe" program was loaded. Take note of the Operation Field of the event, which is "Load Image" and the full Path for our executable. We can find the "Image Base" either under the event's "Detail" Field, or by opening it's properties.

Question 5: What is the base address of "notepad.exe"?

0x7ff652ec0000

Task | 5 | Dynamic Link Libraries

  • are libraries that contain code and data used by multiple programs at the same time
  • they promote modularization, code reuse, efficient memory usage, and reduced disk space, making Windows applications load faster, run faster, and take less disk space.
  • can be targeted by attackers to control aspects of execution or functionality
    • DLL Hijacking (T1574.001)
    • DLL Side-Loading (T1574.002)
    • DLL Injection (T1055.001)
  • DLLs are created like any other project/application, requiring slight syntax modification
  • can be loaded into an application using either load-time dynamic linking or run-time dynamic linking.
    • Load-time dynamic linking | involves explicit calls to the DLL functions from the application, which requires providing a header file and import library
    • Run-time dynamic linking | involves loading the DLL at run time using LoadLibrary or LoadLibraryEx, and then using GetProcAddress to identify and call the exported DLL function
  • Malicious code often uses run-time dynamic linking because it allows for easier transfer of files between memory regions

Questions | Answers

Question 1: Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

No answer needed

Given the previous tasks, we already did just that, so nothing to do here. As for the next two questions, we could either filter again by Operation and specify "Load Image" as our target and then search for "ntdll.dll", or simply look for it, it's the 4th event associated with the "notepad.exe" program.

Once we made sure we found the right event, Operation Field | "Load Image" and the Path Field containing "ntdll.dll", take a closer look at the event's "Detail" Field.

Question 2: What is the base address of "ntdll.dll" loaded from "notepad.exe"?

0x7ffd0be20000

Question 3: What is the size of "ntdll.dll" loaded from "notepad.exe"?

0x1ec000

Question 4: How many DLLs were loaded by "notepad.exe"?

51

There are two necessary filtering to get to the correct answer. First, we filter to include only the events where something was loaded, by selecting "Operation" with "Load Image".

But since we are only interested with loads, where a DLL was loaded, we filter for it by specifying that the "Path" must contain ".dll" which specifies the DLLs extension.

Once we are done, the correct answer will be shown on the bottom-left side of our window.

Task | 6 | Portable Executable Format

  • The PE (Portable Executable) format defines
    • the information about the executable and stored data
    • the structure of how data components are stored

PE data components:

  • DOS Header | defines the type of file (MZ --> .exe)
  • DOS Stub | a program run by default at the beginning of a file that prints a compatibility message ("This program cannot be run in DOS mode")
  • PE File Header | defines the format of the file, contains the signature and image file header, and other information headers
    • Image Optional Header | part of PE File Header
      • Data Dictionaries | point to the image data directory structure
  • Section Table | defines the available sections and information in the image

Sections

  • .text (executable code and entry point) | Contains the machine code that will be executed by the CPU
  • .data (initialized data) | Stores initialized variables and strings used by the program
  • .rdata or .idata (imports and DLLs) | Lists the Windows API functions and DLLs imported by the executable
  • .reloc (relocation information) | Provides information about addresses that need to be adjusted when relocating the executable in memory
  • .rsrc (application resources) | Contains application-specific data, such as images, icons, and other resources
  • .debug (debug information) | Stores debugging information used by debuggers
note

The following image (Portable Executable FILE Format) is part of a comprehensive guide named A Comprehensive Guide To PE Structure, The Layman’s Way and belongs to them.

Questions | Answers

Question 1: Read the above and answer the questions below.

No answer needed

Question 2: What PE component prints the message "This program cannot be run in DOS mode"?

DOS Stub

Question 3: Open "notepad.exe" in Detect It Easy and answer the questions below.

No answer needed

We start by opening up the "die_win64_..." Folder on our Desktop and running the "die" (Detect It Easy) Application.

We follow up by opening the "notepad.exe" executable, by first clicking on "..." to open up a file, and then by selecting our executable which can be found at C:\Windows\System32\notepad.exe.

If we have done everything correctly, we will find the answer for the next question right after the program finished loading "notepad.exe".

Question 4: What is the entry point reported by DiE?

000000014001acd0

Click on "PE" and select "IMAGE_NT_HEADERS" > "IMAGE_FILE_HEADER" for the number of sections.

Question 5: What is the value of "NumberOfSections"?

0006

Still in "PE", select "Sections" to viev the ".data" section and it's properties.

Question 6: What is the virtual address of ".data"?

00024000

Lastly, still in "PE", select "Strings" and look for the matching offset value.

Question 7: What string is located at the offset "0001f99c"?

Microsoft.Notepad

Task | 7 | Interacting with Windows Internals

Interacting with Windows Internals

  • can be simplified using Windows API calls
  • the Windows API provides native functionality to interact with the operating system

User Mode and Kernel Mode

info

Quote: "Most Windows internals components require interacting with physical hardware and memory...An application by default normally cannot interact with the kernel or modify physical hardware and requires an interface. This problem is solved through the use of processor modes and access levels...The processor will switch between these modes depending on access and requested mode."

  • Windows processors have two modes
    • user mode (also known as "userland")
      • No direct hardware access
      • Creates a process in a private virtual addresss space
      • Access ONLY to "owned memory locations"
    • kernel mode
      • Direct hardware access
      • Ran in a single shared virtual address space
      • Access to the ENTIRE physical memory
  • System calls or API calls are used to switch between these modes ("Switching Point")

Writing to Memory | Inject arbitrary code into local process

  • Step-1 | Allocate local process memory for our code | OpenProcess for the process handle and VirtualAllocEx to allocate memory
  • Step-2 | Write/copy our code to allocated memory | WriteProcessMemory to write the payload
  • Step-3 | Execute our code from local process memory | CreateRemoteThread to execute the payload from memory

Questions | Answers

Question 1: Open a command prompt and execute the provided file: "inject-poc.exe" and answer the questions below.

No answer needed

To open a command prompt within the proper working directore, we first open the "Process Injecti..." directory on our Desktop. Then, we click on (highlight) our current path and overwrite it with "cmd" which will open up the command promt in our desired destination.

All we have to do now is to select the PoC executable and run it. Simply pressing Tab twice in cmd will autocomplete it for us, and we can simply run it by pressing Enter.

Lastly, we grab the flag. Optionally, one could go further and use the previous tools (introduced in this room) on this exploit to gather further details about it.

Question 2: Enter the flag obtained from the executable below.

<flag>

Task | 8 | Conclusion

Question 1: Read the above and continue learning!

No answer needed