01 - Windows OS Flashcards

1
Q

What are the three main types of Windows Applications? Explain those.

A
  • EXE (executable): a program image with its own entry point; started as a new process.
  • DLL (Dynamic Link Library): exports code by function name or ordinal (a numeric index) so that many processes can map and call the same code; loaded into a host process rather than run on its own.
  • SYS (device driver): kernel-mode code that lets higher-level programs talk to hardware (or hooks kernel I/O, as AV filters and rootkits do).
2
Q

How can a DLL be loaded? What are the three main steps?

A

Two ways: load-time (implicit) linking, where the loader maps every DLL named in the import table when the process starts, and run-time (explicit) loading, where the running code asks for the DLL itself. The run-time path has three steps:

  1. Call LoadLibrary with the name of the DLL (maps it into the process and runs its DllMain).
  2. Resolve the function's address with GetProcAddress, by name or by ordinal.
  3. Call the function through the returned pointer.

Malware prefers the run-time path because the functions it uses then do not show up in the import table during static analysis.
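The three run-time steps above, as an added example (not part of the original flashcards): a small C# class compiled with Add-Type does LoadLibrary, GetProcAddress (by name and by ordinal) and the call through the resolved pointer. It assumes 64-bit Windows PowerShell 5.1 or PowerShell 7 on Windows; the export resolved, kernel32!GetTickCount64, is an arbitrary choice with a simple prototype.

```powershell
# Added example, not from the flashcards: explicit DLL loading in three steps via P/Invoke.
$src = @'
using System;
using System.Runtime.InteropServices;

public static class DynLoader
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr LoadLibraryW(string lpLibFileName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

    // Same export, ordinal form: MAKEINTRESOURCE(ordinal) = ordinal in the low 16 bits, zero above.
    [DllImport("kernel32.dll", EntryPoint = "GetProcAddress", ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddressOrdinal(IntPtr hModule, IntPtr ordinal);

    // Prototype of the function we resolve: ULONGLONG WINAPI GetTickCount64(void)
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate ulong GetTickCount64Fn();

    static Exception LastError(string what)
    {
        return new InvalidOperationException(what + " failed, Win32 error " + Marshal.GetLastWin32Error());
    }

    // Step 1: map the DLL into this process (or get a handle if it is already mapped).
    public static IntPtr Load(string dll)
    {
        IntPtr h = LoadLibraryW(dll);
        if (h == IntPtr.Zero) throw LastError("LoadLibraryW(" + dll + ")");
        return h;
    }

    // Step 2a: look the export up by name ...
    public static IntPtr Resolve(IntPtr hModule, string export)
    {
        IntPtr p = GetProcAddress(hModule, export);
        if (p == IntPtr.Zero) throw LastError("GetProcAddress(" + export + ")");
        return p;
    }

    // Step 2b: ... or by ordinal, as a stripped import table or shellcode would.
    public static IntPtr ResolveOrdinal(IntPtr hModule, ushort ordinal)
    {
        IntPtr p = GetProcAddressOrdinal(hModule, new IntPtr(ordinal));
        if (p == IntPtr.Zero) throw LastError("GetProcAddress(#" + ordinal + ")");
        return p;
    }

    // Step 3: call through the resolved pointer by wrapping it in a delegate of the right prototype.
    public static ulong CallGetTickCount64()
    {
        IntPtr h = Load("kernel32.dll");
        IntPtr p = Resolve(h, "GetTickCount64");
        var fn = (GetTickCount64Fn)Marshal.GetDelegateForFunctionPointer(p, typeof(GetTickCount64Fn));
        return fn();
    }
}
'@
Add-Type -TypeDefinition $src

$h = [DynLoader]::Load('kernel32.dll')
'GetTickCount64 is at 0x{0:X}' -f [DynLoader]::Resolve($h, 'GetTickCount64').ToInt64()
'Milliseconds since boot: {0}' -f [DynLoader]::CallGetTickCount64()
```

Nothing in the script's own import table names GetTickCount64; a static tool only sees LoadLibraryW and GetProcAddress, which is exactly why those two imports (or their absence, when the PEB is walked instead) are a tell in malware triage.
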
3
Q

What is a process and what does it have?

A

A program loaded and running in memory; the container for threads and resources. Every process has:

  • A unique process ID (PID)
  • A private virtual address space (4 GB on a 32-bit system, of which by default 2 GB is usable in user mode)
  • The executable image (and the DLLs it uses) mapped into that address space
  • One or more execution threads that run its code
  • A primary access token describing its security context
  • A handle table listing the OS resources (files, registry keys, events, ...) it has open
4
Q

What is a thread and what does it have?

A

An execution path within a process, scheduled by the kernel onto a CPU. A process can have several threads (one servicing the UI, one handling network I/O, and so on). Every thread has:

  • A unique thread ID (TID)
  • CPU state (register contents and instruction pointer, saved on each context switch)
  • A user-mode and a kernel-mode stack (memory for locals, return addresses and the kernel's own frames)
  • Thread Local Storage (TLS) for per-thread variables
  • Optionally an impersonation token; otherwise the thread runs under the process's primary token
5
Q

What are Access Tokens and what do they have?

A

The kernel object that records the security context a process (or an impersonating thread) runs under; the Security Reference Monitor checks it against an object's DACL on every access. It contains:

  • The Security Identifier (SID) of the user account
  • The owner SID and primary group SID (applied to objects the token creates), plus the SIDs of all groups the user belongs to
  • A default Discretionary Access Control List (DACL) given to newly created objects
  • Privileges (SeDebugPrivilege, SeImpersonatePrivilege, ...), each enabled or disabled
  • The integrity level, logon session and token type (primary or impersonation)
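The process, thread and token fields from the last three cards, read back from a live process as an added example (not part of the original flashcards). It inspects the PowerShell process it runs in, so it needs no extra rights; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and uses whoami for the privileges because .NET does not expose them directly.

```powershell
# Added example, not from the flashcards: the per-process, per-thread and token data of this process.
$p = Get-Process -Id $PID

# Process: ID, mapped image, execution threads, handle table size, DLLs mapped into its address space
[pscustomobject]@{
    ProcessId   = $p.Id
    Image       = $p.Path
    Threads     = $p.Threads.Count
    OpenHandles = $p.HandleCount
    LoadedDlls  = $p.Modules.Count
} | Format-List

# Threads: each has its own ID, scheduler state and the address its execution path started at
$p.Threads |
    Select-Object Id, ThreadState, @{ n = 'StartAddress'; e = { '0x{0:X}' -f $_.StartAddress.ToInt64() } } |
    Format-Table -AutoSize

# Primary token of the process: user SID, owner SID and the group SIDs
$tok = [System.Security.Principal.WindowsIdentity]::GetCurrent()
[pscustomobject]@{
    User  = '{0} ({1})' -f $tok.User.Value, $tok.Name
    Owner = $tok.Owner.Value
} | Format-List

$tok.Groups | ForEach-Object {
    # Logon-session and other transient SIDs have no account name, hence the try/catch
    $name = $(try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' })
    [pscustomobject]@{ GroupSid = $_.Value; Name = $name }
} | Format-Table -AutoSize

# Privileges live in the token as well; whoami lists each one with its Enabled/Disabled state
whoami /priv /fo csv | ConvertFrom-Csv | Select-Object 'Privilege Name', State | Format-Table -AutoSize
```

Run it once from a normal prompt and once from an elevated one: the user SID is the same, but the elevated token carries the Administrators group enabled and many more privileges (SeDebugPrivilege among them), which is the practical meaning of "two tokens" under UAC.
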
6
Q

What are the VAD tree and the handle table?

A

Handle table: a per-process table that maps each handle value to a kernel object the process has opened (files, registry keys, events, mutexes, sockets/ports, other processes and threads). User mode only ever gets handles, never raw object pointers.

Virtual address descriptors (VADs): a per-process tree in which the memory manager records every reserved or committed range of virtual memory (image, heaps, stacks, mapped files) together with its protection. Memory forensics walks it to find injected regions, e.g. private read-write-execute memory that is not backed by any file.

7
Q

How does process creation work?

A

[1] Image file opened and validated => [2] executive process object created (address space, handle table, token) => [3] initial thread created (stacks, context, thread object) => [4] Windows subsystem (csrss.exe) notified => [5] initial thread starts executing => [6] the thread finishes initialisation inside the new process: the ntdll.dll loader maps the imported DLLs, runs their DllMain routines, then jumps to the image entry point.

8
Q

Explain TEB / PEB?

A

Thread Environment Block (TEB): a per-thread structure in user-mode memory holding the thread's stack bounds, TLS slots, last error value and (on x86) the head of the SEH exception-handler chain; the FS (x86) or GS (x64) segment register points at it.

Process Environment Block (PEB):

  • One per process, also in user-mode memory
  • Holds the image base, the loader data (PEB.Ldr, the lists of loaded DLLs), the process parameters (command line, environment), OS version fields and heap pointers
  • The TEB has a pointer to the PEB

During analysis the following can be found there:

  • Is a debugger attached? (PEB.BeingDebugged is what IsDebuggerPresent reads; NtGlobalFlag and the heap flags also change under a debugger)
  • Installed exception handlers (the TEB's SEH chain), a common anti-debugging trick
  • Every DLL loaded via LoadLibrary gets a new entry in PEB.Ldr.InMemoryOrderModuleList (and in the other two Ldr lists)

Because the PEB is readable from user mode, code can walk PEB.Ldr and the DLL export tables to find functions without ever calling LoadLibrary/GetProcAddress; shellcode does this to locate kernel32.dll, and malware uses it to sidestep hooked or monitored API calls.

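The two PEB facts above, demonstrated on a live process as an added example (not part of the original flashcards): read PEB.BeingDebugged, walk PEB.Ldr.InMemoryOrderModuleList, then load a DLL and show the entry the loader appended. The structure offsets used (PebBaseAddress in PROCESS_BASIC_INFORMATION, PEB.Ldr at 0x18, InMemoryOrderModuleList at 0x20 in PEB_LDR_DATA, BaseDllName at 0x58 in LDR_DATA_TABLE_ENTRY) are the x64 ones, so this assumes a 64-bit PowerShell on Windows; winhttp.dll is an arbitrary DLL chosen because it is normally not yet loaded in a fresh PowerShell.

```powershell
# Added example, not from the flashcards: read the PEB of the current process (x64 offsets).
$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class Peb
{
    // PROCESS_BASIC_INFORMATION: six pointer-sized fields; PebBaseAddress is the second one.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority, UniqueProcessId, ParentProcessId;
    }

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref PROCESS_BASIC_INFORMATION info, int infoLength, out int returnLength);

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)] public static extern IntPtr LoadLibraryW(string name);

    // Ask the kernel where our PEB lives (ProcessBasicInformation = 0).
    public static IntPtr Address()
    {
        var pbi = new PROCESS_BASIC_INFORMATION();
        int len;
        int status = NtQueryInformationProcess(GetCurrentProcess(), 0, ref pbi,
                                               Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out len);
        if (status != 0) throw new InvalidOperationException("NtQueryInformationProcess: 0x" + status.ToString("X8"));
        return pbi.PebBaseAddress;
    }

    // PEB.BeingDebugged is the byte at offset 2 on both x86 and x64; IsDebuggerPresent just returns it.
    public static bool BeingDebugged() { return Marshal.ReadByte(Address(), 2) != 0; }

    // Walk Ldr.InMemoryOrderModuleList (x64 layout) and return each module's BaseDllName in list order.
    public static List<string> InMemoryOrderModules()
    {
        if (IntPtr.Size != 8) throw new PlatformNotSupportedException("x64 offsets only");
        IntPtr ldr  = Marshal.ReadIntPtr(Address(), 0x18);   // PEB.Ldr -> PEB_LDR_DATA
        IntPtr head = ldr + 0x20;                              // &Ldr->InMemoryOrderModuleList (LIST_ENTRY)
        var names = new List<string>();
        for (IntPtr link = Marshal.ReadIntPtr(head); link != head; link = Marshal.ReadIntPtr(link))
        {
            IntPtr entry = link - 0x10;                        // CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)
            int    len   = Marshal.ReadInt16(entry, 0x58);     // BaseDllName.Length, in bytes
            IntPtr buf   = Marshal.ReadIntPtr(entry, 0x60);    // BaseDllName.Buffer (UTF-16)
            names.Add(Marshal.PtrToStringUni(buf, len / 2));
        }
        return names;
    }
}
'@
Add-Type -TypeDefinition $src

"BeingDebugged: $([Peb]::BeingDebugged())"
$before = [Peb]::InMemoryOrderModules()
[void][Peb]::LoadLibraryW('winhttp.dll')             # LoadLibrary appends a new LDR_DATA_TABLE_ENTRY
$after  = [Peb]::InMemoryOrderModules()
"Modules before: $($before.Count), after: $($after.Count)"
"Entries the loader just added:"
$after | Where-Object { $_ -notin $before }
```

The first three entries of the list are the executable, ntdll.dll and kernel32.dll, in that order, which is why position-independent shellcode walks this exact list to find kernel32 without any imports. Run the script under a debugger and BeingDebugged flips to True; patching that byte to 0 is the oldest anti-anti-debugging trick there is.
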
9
Q

Name the important Windows processes and what they do.

A
  • smss.exe (Session Manager): the first user-mode process, started by the kernel; sets up each session and starts csrss.exe and winlogon.exe (wininit.exe in session 0)
  • csrss.exe (Client/Server Runtime Subsystem): user-mode part of the Win32 subsystem, one per session; tracks processes and threads for the subsystem and handles console windows
  • winlogon.exe: interactive logon (Ctrl+Alt+Del, credential providers); starts userinit.exe after a successful logon
  • services.exe (Service Control Manager): starts, stops and tracks Windows services
  • svchost.exe (Service Host): generic host for DLL-based services; several instances, each running the group named by its -k argument
  • lsass.exe (Local Security Authority Subsystem): authentication (NTLM, Kerberos), token creation, credentials kept in memory; the classic target of credential dumping
  • userinit.exe: runs logon scripts, restores network drives, launches the shell, then exits
  • explorer.exe: the user's shell (desktop, taskbar, file management)
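A parent/child sanity check over the processes on this card, as an added example (not part of the original flashcards): a process named svchost.exe whose parent is not services.exe, or an lsass.exe outside System32, is the classic sign of a process masquerading as a system binary. It assumes wininit.exe as the parent of services.exe and lsass.exe (a fact the card itself does not spell out) and should be run elevated, because Win32_Process hides ExecutablePath of other users' processes from a non-administrator.

```powershell
# Added example, not from the flashcards: flag core processes with the wrong parent or path.
$procs = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
$byId  = @{}
foreach ($proc in $procs) { $byId[[int]$proc.ProcessId] = $proc }

# Expected parent for the core processes whose parent stays alive. csrss.exe and winlogon.exe are
# started by an smss.exe instance that exits, and explorer.exe by userinit.exe which also exits,
# so their parent PIDs no longer resolve and are not checked here.
$expectedParent = @{
    'services.exe' = 'wininit.exe'
    'lsass.exe'    = 'wininit.exe'
    'svchost.exe'  = 'services.exe'
}
$system32 = Join-Path $env:SystemRoot 'System32'

$report = foreach ($proc in $procs | Where-Object { $expectedParent.ContainsKey($_.Name) }) {
    $parent     = $byId[[int]$proc.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<gone>' }
    [pscustomobject]@{
        Pid      = $proc.ProcessId
        Name     = $proc.Name
        Parent   = '{0} ({1})' -f $parentName, $proc.ParentProcessId
        ParentOk = ($parentName -eq $expectedParent[$proc.Name])
        PathOk   = ($proc.ExecutablePath -like "$system32\*")   # $null path (not elevated) counts as not OK
        Path     = $proc.ExecutablePath
    }
}
$report | Format-Table -AutoSize
'Suspicious entries:'
$report | Where-Object { -not $_.ParentOk -or -not $_.PathOk }

# There must be exactly one lsass.exe and one services.exe on the box
foreach ($name in 'lsass.exe', 'services.exe') {
    $n = @($procs | Where-Object Name -eq $name).Count
    '{0}: {1} instance(s){2}' -f $name, $n, $(if ($n -ne 1) { '  <-- unexpected' } else { '' })
}
```

Two caveats a responder should keep in mind: PIDs are reused, so a parent PID can point at an unrelated process once the real parent has exited, and the check is only as good as the name match (svchost.exe versus svch0st.exe is left to the reader's eye; a typo-squatted name simply will not be in the table).
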
10
Q

What is virtual memory?

A

It is the logical view of memory each process sees: a private address space (4 GB for a 32-bit process, 2 GB of it in user mode by default; far larger on 64-bit) that the memory manager translates to physical RAM. Physical pages are only assigned when a virtual page is first accessed (demand paging), so reserved or committed memory costs nothing until it is touched.

11
Q

What does the Windows Memory Manager do?

A
  • Translates accesses to virtual memory into physical memory through the page tables (and the CPU's TLB), faulting pages in on first touch.
  • When physical memory runs low, writes pages out to the paging file and brings them back on demand (paging).
12
Q

What are the three main file systems?

A

FAT32, UDF, NTFS (Windows also ships FAT12/16, exFAT, CDFS and ReFS; NTFS is the default for system volumes and the only one of the three with security descriptors)

13
Q

What does NTFS support?

A
  • Access control lists (a security descriptor with DACL and SACL on every file and directory)
  • Unicode file names
  • Transparent compression (LZNT1, an LZ77-family algorithm)
  • Alternate Data Streams (ADS): a file can carry several named $DATA streams; only the unnamed one shows in normal listings, so ADS serve both legitimate metadata (Zone.Identifier on downloads) and payload hiding
  • Encrypting File System (EFS): per-file encryption tied to user certificates
  • Also: hard links, reparse points (junctions, symbolic links), sparse files, quotas and the USN change journal
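Alternate Data Streams from the card, exercised end to end as an added example (not part of the original flashcards): write a named stream, show that the file size and normal listing hide it, enumerate and read it, then sweep a directory for files carrying streams other than the primary one and Zone.Identifier. It assumes $env:TEMP is on an NTFS volume; the file and stream names are arbitrary.

```powershell
# Added example, not from the flashcards: hiding, finding and removing data in NTFS alternate data streams.
$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $file -Value 'visible content'                          # the unnamed $DATA stream
Set-Content -Path $file -Stream 'hidden' -Value 'payload in a named stream'

# The reported size covers only the primary stream; dir/Get-ChildItem do not show the named one
'Length as listed: {0} bytes' -f (Get-Item $file).Length

# -Stream * lists every $DATA stream; the primary one appears as ':$DATA'
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Reading the named stream explicitly
Get-Content -Path $file -Stream 'hidden'

# Sweep: files in the directory that carry a stream other than the primary one and the
# browser-added Zone.Identifier ("mark of the web")
Get-ChildItem -Path $env:TEMP -File |
    ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length

# Remove the named stream alone, then the file
Remove-Item -Path $file -Stream 'hidden'
Remove-Item -Path $file
```

Copying the file to a FAT/exFAT volume, mailing it or zipping it silently drops the named stream, which is both why ADS are a poor exfiltration channel and why a Zone.Identifier stream surviving on a file tells you it was downloaded straight to that NTFS volume.
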
14
Q

Explain the Windows architecture.

A

Draw the picture: two halves separated by the user/kernel boundary.

User mode: system support processes (smss, csrss, winlogon, lsass), service processes (services.exe, svchost.exe), user applications and the environment subsystem, all sitting on the subsystem DLLs (kernel32, user32, gdi32, ...) and ntdll.dll, which is the only way into the kernel.

Kernel mode: the executive (I/O manager, memory manager, object manager, process manager, security reference monitor, configuration manager for the registry), the kernel proper (scheduling, interrupts, synchronisation), device drivers, win32k.sys for windowing and graphics, and the HAL on top of the hardware.

15
Q

What is the Win32 API for?

A

Whenever a process wants to access a device or use a Windows function it calls the Win32 API rather than the kernel directly. Its three core DLLs: kernel32.dll (processes, threads, memory, files; on current Windows largely forwarded to kernelbase.dll), user32.dll (windows, messages, input) and gdi32.dll (graphics). Other families (advapi32.dll for registry and services, ws2_32.dll for sockets) follow the same pattern.

16
Q

What is ntdll.dll?

A

The lowest user-mode layer: it exports the native API (the Nt*/Zw* functions), the image loader (Ldr*) and the heap and RTL runtime. The Win32 DLLs call into it, and it contains the stubs that switch into the kernel (system calls). A few Windows system processes (smss.exe, csrss.exe) use ntdll.dll directly instead of going through the Win32 subsystem DLLs. The native API is largely undocumented, which is why malware and security products both hook it or call it directly.

17
Q

What does the System Service Dispatcher do?

A

It takes every API request that reaches the kernel from user mode via ntdll.dll, passes it to the relevant executive routine, and hands the result back to user mode. The switch from user mode to kernel mode is performed by the CPU's system-call instruction and lands in the dispatcher. Intel processors allow four privilege levels (rings 0 to 3); Windows uses only ring 0 (kernel mode) and ring 3 (user mode).

18
Q

Explain the segment descriptor.

A

Every segment in memory has a segment descriptor, which lists:
the start (base) of the segment, its length (limit) and its privilege level, the DPL (kernel mode = ring 0; user mode = ring 3). The CPU compares the current privilege level (CPL) against the DPL on every segment access.

19
Q

Name the two tables and registers for the segment descriptors.

A

Tables:

  • Global Descriptor Table (GDT): system-wide; holds the kernel and user code/data segment descriptors (shared memory). Windows uses a flat model in which these segments span the whole address space, so in practice the user/kernel split is enforced per page by the page tables' user/supervisor bit together with the CPL, not by segment limits.
  • Local Descriptor Table (LDT): one per process (optional; modern Windows rarely creates one, and 64-bit mode ignores segmentation almost entirely).

Registers:

  • Global Descriptor Table Register (GDTR): base and limit of the GDT
  • Local Descriptor Table Register (LDTR): selects the current LDT; swapped by the OS on a context switch to a process that has one

20
Q

Explain what happens when ntdll.dll issues a system call.

A

The ntdll.dll stub places the system service number in EAX and executes syscall (x64) or sysenter (x86; int 0x2e on very old systems), which switches the CPU to ring 0 and enters the System Service Dispatcher (KiSystemCall64 on x64, KiSystemService on x86). The dispatcher checks which call was requested and picks the matching kernel routine.

It does this by using the system service number as an index into the SSDT (System Service Descriptor Table, KeServiceDescriptorTable), which points to the actual code for the function in ntoskrnl.exe (GUI calls use a second table for win32k.sys). Rootkits used to hook SSDT entries to hide files and processes, which is one of the things PatchGuard now checks for.

21
Q

What is the registry?

A

The Windows Registry is a hierarchical database that contains settings for the OS and other software: think of it as one huge settings/INI file. It also holds volatile in-memory data such as the current hardware configuration (HKLM\HARDWARE) and performance counters. It has a tree architecture: hives (root keys), keys (and subkeys), values (name, type, data).

22
Q

Name the six registry root keys (hives).

A

HKLM (HKEY_LOCAL_MACHINE), HKU (HKEY_USERS), HKCU (HKEY_CURRENT_USER), HKCR (HKEY_CLASSES_ROOT), HKCC (HKEY_CURRENT_CONFIG), HKPD (HKEY_PERFORMANCE_DATA). Only HKLM and HKU are backed by hive files; HKCU, HKCR and HKCC are links or merged views into them (HKCU = HKU\<user SID>), and HKPD is generated on the fly from performance counters. The on-disk hive files live under %SystemRoot%\System32\config (SAM, SECURITY, SOFTWARE, SYSTEM) and in each profile's NTUSER.DAT.

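Walking the hive -> key -> value tree for the keys where registry persistence usually lands, as an added example (not part of the original flashcards). The key list is the common Run/RunOnce set plus the Winlogon Shell and Userinit values; the "outside Program Files or Windows" heuristic is the author's own starting filter, not a rule from the page, and needs tuning per environment.

```powershell
# Added example, not from the flashcards: enumerate autostart values across HKLM and HKCU.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunValues {
    param([string[]] $Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }          # the WOW6432Node key is absent on 32-bit Windows
        $item = Get-Item -Path $key                      # Microsoft.Win32.RegistryKey
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Hive = $key.Split(':')[0]
                Key  = $key
                Name = $name
                Kind = $item.GetValueKind($name)         # REG_SZ, REG_EXPAND_SZ, ...
                Data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')   # keep %VARS% as written
            }
        }
    }
}

$entries = Get-AutorunValues -Keys $autorunKeys
$entries | Format-Table Hive, Name, Kind, Data -AutoSize

# Commands that do not start under Program Files or the Windows directory deserve a closer look
'Autorun commands outside the usual install locations:'
$entries | Where-Object {
    $_.Data -notmatch '^"?([A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\|%(ProgramFiles|SystemRoot|windir)%)'
} | Select-Object Hive, Name, Data

# Winlogon: Shell should be explorer.exe and Userinit C:\Windows\system32\userinit.exe, (trailing comma included)
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object Shell, Userinit
```

Because HKCU is just HKU\<SID>, a hunt across all users means walking HKU:\ (mounting NTUSER.DAT for profiles that are not logged on), not only the HKCU view of the account running the script.
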
23
Q

What are Windows Services? Name the three types of services.

A

Windows services are background executables that perform specific functions and are designed not to require user intervention; the Service Control Manager (services.exe) starts and supervises them from their definitions under HKLM\SYSTEM\CurrentControlSet\Services. Three types: separate process (a Win32 service with its own EXE), shared process (a DLL hosted together with others inside an svchost.exe instance), kernel drivers (loaded into the kernel). Creating a service needs administrator rights, and since service binaries usually run as SYSTEM it is a common persistence and privilege-escalation route.

24
Q

What are the newer Windows kernel protection mechanisms?

A

Kernel Patch Protection (PatchGuard) on 64-bit Windows, which periodically checks the kernel image, SSDT, IDT/GDT and other structures for modification and bugchecks the machine when it finds tampering, and mandatory digital signatures for 64-bit kernel-mode drivers (Kernel-Mode Code Signing). Together they rule out the classic kernel-hooking rootkit and push attackers towards signed-but-vulnerable drivers or boot-time attacks.

25
Q

What is the I/O subsystem for?

A

The Windows I/O system is responsible for all input and output of the Windows OS. It is made up of several kernel components: the I/O Manager (builds I/O request packets, IRPs, and routes them through the driver stacks), the Plug and Play Manager (device detection and driver loading) and the Power Manager (power-state transitions).

26
Q

Name the three important components of device drivers.

A

DriverEntry (the driver's entry point, run once at load; fills in the driver object with the routines below), the AddDevice routine (called by the PnP manager for each device the driver manages; creates the device object and attaches it to the device stack) and the dispatch routines (one per IRP major function such as IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_DEVICE_CONTROL; this is where user-mode requests end up).

27
Q

Explain the layered driver model and filter drivers.

A

A request first goes through ntdll.dll => System Service Dispatcher => I/O manager, which packages it as an IRP and sends it down a stack of drivers. For a file read:

(1) The I/O manager sends the file offset to the file system driver (e.g. NTFS), which translates it into a volume offset, the place on disk where that part of the file lives.
(2) This is passed down to the disk (and volume/storage port) driver, which talks to the actual HDD, reads the sectors and completes the IRP; the data travels back up the same stack, through the I/O manager, to the user.

A filter driver is a driver inserted into the chain of drivers for a certain device or file system; it sees every IRP passing through and can inspect, modify or block it. Anti-virus uses file-system (mini)filters to scan files on open; the same mechanism serves encryption and auditing and, in the wrong hands, kernel-mode rootkits and keyloggers.

28
Q

Name the most common API categories for analysing malware.

A

Files/Registry (CreateFile, WriteFile, RegSetValueEx), Processes/Threads (CreateProcess, OpenProcess, CreateRemoteThread), Memory (VirtualAlloc, VirtualAllocEx, WriteProcessMemory, VirtualProtect), Services (OpenSCManager, CreateService, StartService), Extras (networking via WinINet/WinSock, cryptography via CryptoAPI, hooking via SetWindowsHookEx).

29
Q

Name the three ways fileless attacks work.

A

Executing code directly in memory (injected or reflectively loaded code that is never written to disk), registry-resident scripts (the payload stored in a registry value and launched by an autorun entry or a WMI subscription), and PowerShell scripts (downloaded and run in memory, e.g. via Invoke-Expression). Nothing, or only a tiny stager, lands on disk, so file-based anti-virus has little to scan.