Windows Internals

Understanding Windows internals is crucial for malware analysis, as it provides insight into system operations and helps identify malware behavior.

Windows Operating Modes

  • User Mode: Limited access; applications interact with the OS via APIs. Malware in user mode can manipulate files, registry settings, and attempt privilege escalation.

  • Kernel Mode: High privilege; unrestricted access to hardware and system functions. Kernel-mode malware can alter system behavior, intercept calls, and conceal itself.

Windows Architecture Overview

User-Mode Components

  1. System Support Processes: Essential system processes like winlogon.exe, smss.exe, and services.exe.

  2. Service Processes: Background services, e.g., Windows Update and Task Scheduler.

  3. User Applications: Standard applications use APIs routed via NTDLL.DLL for kernel interaction.

  4. Environment Subsystems: Provide execution environments for specific kinds of processes (e.g., Win32, POSIX).

  5. Subsystem DLLs: Map documented API functions to native calls (e.g., kernelbase.dll, user32.dll).

Kernel-Mode Components

  1. Executive: Manages core OS services such as I/O, object management, security, and process management.

  2. Kernel: Handles low-level functions like scheduling and synchronization.

  3. Device Drivers: Enable interaction with hardware.

  4. Hardware Abstraction Layer (HAL): Standardizes hardware communication.

  5. Win32k.sys: Manages the GUI and visual rendering.

Windows API Call Flow

Malware often uses Windows API calls to interact with system components for malicious tasks. Understanding API flow is key for detecting malware actions.

  • Example: ReadProcessMemory API, which allows reading other processes' memory.

    • Call Flow: ReadProcessMemory in kernel32.dll calls NtReadVirtualMemory in NTDLL.DLL, which issues the syscall that transitions into the kernel.

    • The System Service Descriptor Table (SSDT) maps each system call number to the kernel routine that services it.

    • The kernel validates the caller's access to the target process, performs the read, and returns to user mode with the requested data.

Portable Executable (PE) Format

Windows uses the PE format for executables, DLLs, etc. Knowledge of PE structure is essential for analyzing executables, identifying malicious code, and extracting IOCs.

Common PE Sections

  1. .text: Executable code.

  2. .data: Initialized global/static variables.

  3. .rdata: Read-only data like constants and strings.

  4. .pdata: Exception handling data.

  5. .bss: Uninitialized data.

  6. .rsrc: Embedded resources (icons, images).

  7. .idata: Imported functions.

  8. .edata: Exported functions.

  9. .reloc: Relocation data, applied when the image is loaded at a base address other than its preferred one.

Analyzing PE sections reveals information about the code structure, imports, exports, and embedded resources.
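As an added example (not part of the original notes), a minimal Python parser that walks the DOS header, PE signature, COFF header and section table, then applies two defender-side triage heuristics to the sections it finds. The sample PE bytes and the section name `.pack` are constructed here for illustration, not taken from a real file.

```python
import struct

# IMAGE_SCN_* section characteristic flags from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes); we need NumberOfSections and SizeOfOptionalHeader
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_offset": rptr, "characteristics": chars})
    return sections

def flag_sections(sections) -> list:
    """Triage heuristics: W+X sections, and code sections with no bytes on disk."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable and executable"))
        if c & IMAGE_SCN_MEM_EXECUTE and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "executable but empty on disk"))
    return findings

def build_sample() -> bytes:
    """Constructed, non-loadable PE skeleton (optional header omitted for brevity)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)  # x64, 2 sections
    def sec(name, vsize, vaddr, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
    text = sec(b".text", 0x1000, 0x1000, 0x200, 0x200, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    pack = sec(b".pack", 0x8000, 0x2000, 0, 0,  # packer-style: RWX, nothing on disk
               IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return dos + b"PE\0\0" + coff + text + pack
```

Pass the bytes of a real executable to `parse_sections` to list its sections; a legitimate `.bss` section also has no bytes on disk, which is why the second heuristic only fires on executable sections.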

Processes

A process represents an executing program with various system resources:

  • PID: Unique identifier for tracking.

  • Virtual Address Space: Memory space for code, data, stack, etc.

  • Executable Code: The program's instructions, mapped from its image on disk.

  • Handle Table: References to resources such as files and devices.

  • Security Context: Access rights through tokens.

  • Threads: Units of execution within the process.

Understanding these helps track malware behavior, resource access, and memory management.

Dynamic Link Libraries (DLLs)

DLLs contain reusable functions and resources used by applications and malware alike. Malware may rely on DLL imports and exports to carry out malicious actions.

Import Functions

  • Functions from external libraries, linked at runtime, facilitate system interactions.

  • Example of Malware Injection: Functions like OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread are used for injecting code into another process. Seeing this combination together in an executable's import table is a common triage indicator for process injection.

Export Functions

  • Functions that DLLs provide for other applications, acting as an interface for interaction.

  • Example: Kernel32.dll's export table, viewed with tools such as CFF Explorer or x64dbg, shows which OS-level functions are available to processes.
