Understanding Windows OS Processes and Internals | TryHackMe Internals

Motasem Hamdan
3 min read · Dec 30, 2023


We covered the basics of Windows internals, including processes, virtual memory allocation, handles, DLLs, the Portable Executable (PE) header and other aspects of the Windows OS. This was part of the TryHackMe Internals room in the Red Team pathway.

Challenge Description

Learn and understand the fundamentals of how Windows operates at its core.

Video Highlights

A process maintains and represents the execution of a program; an application can consist of one or more processes. A process is made up of several components that the operating system stores and that other code interacts with. The Microsoft docs enumerate these components: “Each process provides the resources needed to execute a program. A process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier, environment variables, a priority class, minimum and maximum working set sizes, and at least one thread of execution.” This list may seem intimidating, but the room aims to make the concept a little less complex.

A thread is an executable unit employed by a process and scheduled based on device factors.

Device factors can vary based on CPU and memory specifications, priority and logical factors, and others.

We can simplify the definition of a thread: “controlling the execution of a process.”

Since threads control execution, this is a commonly targeted component. Thread abuse can be used on its own to aid in code execution, or it is more widely used to chain with other API calls as part of other techniques.

Virtual memory is a critical component of how Windows internals work and interact with each other. Virtual memory allows other internal components to interact with memory as if it were physical memory, without the risk of collisions between applications.

Virtual memory provides each process with a private virtual address space. A memory manager is used to translate virtual addresses to physical addresses. By having a private virtual address space and not directly writing to physical memory, processes have less risk of causing damage.

The Microsoft docs describe a DLL as “a library that contains code and data that can be used by more than one program at the same time.”

DLLs are used as one of the core functionalities behind application execution in Windows. From the Windows documentation, “The use of DLLs helps promote modularization of code, code reuse, efficient memory usage, and reduced disk space. So, the operating system and the programs load faster, run faster, and take less disk space on the computer.”

When a program loads a DLL and calls its functions, the DLL becomes a dependency of that program. Because the program depends on the DLL, attackers can target the DLL rather than the application itself to control some aspect of its execution or functionality.
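As an added example (not part of the room or this article), the PowerShell snippet below maps the process components from the Microsoft quote above to properties you can read from a live process, and then lists the DLL dependencies the process has loaded from outside the Windows directory, which is where a defender would look first given the point about dependencies. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the function names are my own.

```powershell
# Added example: inspect the components of a Windows process with PowerShell.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; function names are hypothetical.

function Get-ProcessInternals {
    param([Parameter(Mandatory)] [int] $ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction Stop

    # One property per component named in the Microsoft docs quote.
    [pscustomobject]@{
        Name            = $p.ProcessName
        Pid             = $p.Id                         # unique process identifier
        Threads         = $p.Threads.Count              # at least one thread of execution
        Handles         = $p.HandleCount                # open handles to system objects
        PriorityClass   = $p.PriorityClass              # priority class
        MinWorkingSetKB = $p.MinWorkingSet.ToInt64() / 1KB   # minimum working set size
        MaxWorkingSetKB = $p.MaxWorkingSet.ToInt64() / 1KB   # maximum working set size
        VirtualMemoryMB = [math]::Round($p.VirtualMemorySize64 / 1MB, 1)  # private virtual address space
        WorkingSetMB    = [math]::Round($p.WorkingSet64 / 1MB, 1)         # part currently in physical RAM
        ModuleCount     = $p.Modules.Count              # DLL dependencies mapped into the process
    }
}

function Get-NonSystemModules {
    # DLLs mapped from outside %SystemRoot% deserve a second look: the program
    # trusts whatever DLL it resolved as a dependency, signed or not.
    param([Parameter(Mandatory)] [int] $ProcessId)
    (Get-Process -Id $ProcessId -ErrorAction Stop).Modules |
        Where-Object { $_.FileName -and ($_.FileName -notlike "$env:SystemRoot\*") } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FileName
            [pscustomobject]@{
                Module    = $_.ModuleName
                Path      = $_.FileName
                BaseAddr  = '0x{0:X}' -f $_.BaseAddress.ToInt64()   # load address in the virtual address space
                Signature = $sig.Status                               # Valid, NotSigned, HashMismatch, ...
            }
        }
}

# Usage: inspect the current PowerShell process (any PID you have access to works).
Get-ProcessInternals -ProcessId $PID | Format-List
Get-NonSystemModules -ProcessId $PID | Format-Table -AutoSize
```

Reading `.Modules` of a process running at a different bitness or with higher privileges fails with an access error, so run it against processes you can open.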

Room Answers

Answers can be found here


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
