Unorganized Notes

Check out this blog post for a more organized set if notes

Implant Development and Defense Evasion Part 1: File BasicsMedium

Processes

A running instance of a program, processes don't run they manage, threads do the running.

A process contains:

1. executable program, contains code and data

2. private virtual address space, used for allocating memory

3. a primary token which contains security context, this is used by threads

4. private handle table to executive objects, like events, semaphores and files

5. threads for execution

• A process is identified by its PID

• Note that the executable program part is not unique part of the program like the PID

.NET

has 2 major things

• CLR: run time engine for .NET which has a JIT compiler that translates CIL into hardware CPU machine language, garbage collector, type verification, code access security, and more. It’s implemented as a COM in-process server (DLL) and uses various things from win api

• FCL: large collection of types

Virtual Memory

• every process has its own virtual, private and linear address space.

• this address space starts out around empty since ntdll and executable image are the first to be mapped followed by more subsystem dlls

• address space from main is private, other processes cannot access it directly

• 32 bit address space is 32 gb, we can specify to use more address spaces if we want

• 64 bit address space is 128 TB, for 32 bit on 64 bit the address space is 2gb

Each process has its own address space, which makes any process address relative, rather thanabsolute. For example, when trying to determine what lies in address 0x20000, the address itselfis not enough; the process to which this address relates to must be specified.

• memory itself is virtual, there is an indirect relationship between an address range and exact location in RAM

• if memory is not mapped to RAM, CPU will raise a page fault exception that will cause the memory manager’s page fault handler to fetch the data from the appropriate file, copy it to RAM, make the required changes in the page table entries that map the buffer, and instruct the CPU to try again.

• unit of memory management is called page

• size of page is based on CPU type

page states can be in three states

• free: page is not allocated in anyway, accessing this will result in violation

• committed: reverse of free,

• reserved: the page is not committed, but the address range is reserved for possible future commitment. From the CPU’s perspective, it’s the same as Free – any access attempt raises an access violation exception, but the virtualalloc or ntallocatevirtualmemory that does not specify an address would not allocate in the reserved region

System Memory

• user mode is lower part of address space, kernel mode is higher part of address space

• 32 bit the operating system resides in the upper 2 GB of virtual address space, from address0x8000000to0xFFFFFFFFF

• On 64-bit systems on Windows 8.1, Server 2012 R2 and later, the OS takes the upper 128 TB ofvirtual address space

Threads

A thread Contains:

1. Current access mode, either user or kernel.(contents of a set of CPU regisers)

2. thread id

3. Execution context, including processor registers and execution state.

4. One or two stacks, used for local variable allocations and call management.

5. Thread Local Storage array, which provides a way to store thread-private data with uniform access semantics.

6. Base priority and a current (dynamic) priority.

7. Processor affinity, indicating on which processors the thread is allowed to run on

The most common states a thread can be in are:

1. running

2. ready

3. waiting

threads information, registers, private storage are called the thread context

Syscalls

• translate to user mode calls to system mode calls.

• a system call number is put into eax, and then the syscall or sysenter thing is called which transitions into kernel mode

• the SSDT uses the value in EAX, and jumps into the syscall itself

System Architecture

• subsystem dlls: dlls that implement apis of subsystem, this is a certain view of capabilities exposed by the kernel. Ex. kernel32.dll, user32.dll, gdi32.dll etc.

• NTDLL.DLL: lower layer of code in user mode, makes transition from user mode into kernel mode and implements the heap manager, image loader and some part of the user mode thread pool.

• service processes: normal windows processes that communicate with the SCM, and allow some control over their life time. the SCM can stop, pause, resume etc. to services

• executive: upper layer of Ntoskrnl.exe(the kernel), it hosts most of the code in kernel mode, and includes the various managers.

• kernel: fundamental kernel mode os things

• win32k.sys: kernel mode component of the windows subsystem, handles the UI and GDI apis.

• HAL: closes to the CPU, allows device drivers to user APIs that do not quire detail and specific knowledge of things like DMA controller, this layer is mostly useful for device drivers written to handle hardware devices.

• (TODO)

Handles and Objects

• kernel exposes various types of objects for use by user mode processes, the kernel itself and kernel mode drivers, instance of these are data structures created by object manager

• objects are reference counted

• object can reside in system space, they cannot be access directly in user mode, the must use handles

• handles are index to a entry in a table maintained on a process by process basis that points to a kernel object in system space

• the kernel can use a direct pointer or handle, the choice is based on the API you want to call, Kernel code can get a pointer to an object given a valid handle using the ObReferenceObjectByHandle function.

• handles are multiples of 4, 0 is not valid handle

• each object points to an object type, which holds info on the type itself, these are exported as kernel global variables