What are the three main types of Windows Applications? Explain those.
- *EXE** (Executables),
- *DLL** (Dynamic Link Library, exports code by a function name or ordinal (numerical value) to be used by multiple other applications),
- *SYS** (device drivers, allows higher level programs to interact with hardware).
How can a DLL be loaded? What are the three main steps?
Can be loaded during load time (first execution of program) or runtime (during run of application)
- Call the LoadLibrary API with the name of the DLL.
- Get access to function via GetProcAddress function.
- Call function.
What is a process and what does it have?
Program running in memory. All processes have:
- Unique process ID
- Private virtual address space (4GB on 32bit system)
- Executable program code mapped into memory
- 1+ execution threads (part of execution of a program)
- Unique Security Access token
- List of open handles to OS resources
What is a thread and what does it have?
Execution path within a program, scheduled for execution by CPU. A program can have multiple threads (one for updates, one for error signals, etc). All threads have:
- A unique thread ID
- Unique Access token
- CPU state
- Kernel mode and user mode stacks (areas of memory to hold temporary variables)
- Thread Local Storage (TLS)
What are Access Tokens and what do they have?
Contains:
- Security Identifier (SID) for the user’s account
- Owner and Group SIDs
- Discretionary Access Control List (DACL)
- Privilege
What are VAD & handle table?
Handle table: Keeps track of all the objects (files, registry, ports, etc) that it has open.
Virtual address descriptor (VAD): Keeps track of all allocated virtual memory.
How does process creation works?
[1] Image file opened => [2] Process Object Created => [3] Initial Thread Created => [4] OS subsystem notified => [5] OS executes initial thread => [6] Thread initialises Process.
Explain TEB / PEB?
Thread Environment Block (TEB): data structure containing information and system variables in User-mode memory
Process Environment Block (PEB):
- One per process
- Info about DLLs, OS, etc
- TEB has a pointer to PEB
When analysis, following info can be found:
- Is debugger present?
- Installing an Exception Handler
- When a dll is loaded via LoadLibrary into a Process a new entry in the PEB.Ldr.InMemoryOrderModuleList is created
Also allows an attacker to bypass certain API calls.
Explain important Windows processes?
- smss.exe
- csrss.exe
- winlogon.exe
- services.exe
- svchost.exe
- lsass.exe
- userinit.exe
- explorer.exe
What is virtual memory?
It’s logical view of memory. Every process has a virtual memory of 4 GB. Physical memory will only be assigned until first accessed.
What does the Windows Memory Manager?
- Mapping accesses to virtual memory into physical memory.
- When physical memory runs out, swaps pages of memory to disk.
What are the main three file systems?
FAT32, UDF, NTFS
What does NTFS supports?
- Supports ACL
- Unicode Naming
- LZ77 Compression
- Alternate Data Streams (ADS)
- Encrypted File System (EFS)
Explain the Windows Architecture?
Draw picture
For what is Win32 API?
Whenever a process likes to access a device or win function, it uses Win32 API. Has three DLLs: kernel32.dll, user32.dll, gdi32.dll.
What is Ntdll.dll
Takes API calls and passing it through to the kernel; some Windows built processes can access ntdll.dll directly. (ntdll.dll is undocumented).
What does the System Service Dispatcher?
Responsible for taking all API requests from user mode via ntdll.dll and passing it to the relevant part of the kernel and passes results back up to user-mode. Passing control from User mode to Kernel Mode is handled by the system service dispatcher. Intel Processors actually allow 4 privilege levels or rings
Explain segment descriptor?
Every code segment in memory has a segment descriptor, which lists:
Start of code segment, Length of code segment, Privilege level of code segment (Kernel mode = ring 0; User mode = ring 3)
Name the two tables and registers for the segment descriptor?
Tables:
- Global Descriptor Table (for shared / kernel memory, tells you for every page in memory what level its at)
- Local Descriptor Table (one per process)
Registers:
- Global Descriptor Table Register (GDTR)
- Local Descriptor Table Register (LDTR) / This will be swapped by OS when swapping processes
Explain what happes when Ntdll.dll causes a system interrupt.
First KiSystemService (the System Service Dispatcher) checks which call was requested and picks the relevant Kernel routine.
It does this by looking up the supplied System Service Number in the SSDT (System Service Descriptor Table). This in turn points to the actual code for the function in Ntoskrnl.exe.
What is the registry?
The Windows Registry is a Hierarchical database that contains settings for OS + other software. Think of it as a huge settings file / ini file. It also contains in memory volatile data such as current Hardware setup. It has a tree architecture: Hives, Keys, Values.
Name the six registry hives?
HKLM, HKU, HKCU, HKCR, HKCC, HKPD
What are Windows Services? Name the three type of Services?
Windows Services are background executables that performs specific functions and which are designed not to require user intervention. Separate Process, Shared Process, Kernel Drivers.
What are the new Windows protection mechanisms?
Kernel Patch Protection (PatchGuard) and digital signature of 64 bit drivers
