Windows Internals

What are Windows Internals?

Windows internals refer to a collection of processes, mechanisms, and architecture that make up the Windows operating system. This includes the core components that manage the memory and processes to how the hardware interacts with the software. Examples of windows internals are the processes and threads involved when executing a program, the memory management to allocate and utilize RAM, the registry, and kernels and drivers.

As an analogy, think of the windows OS as a mechanical watch (as referenced by Jay Z's N***s in Paris), windows internals are the inner workings such as mainspring, wheel train, and balance wheel that make up the complications and keep it ticking.

Why are Windows Internals relevant to malware analysis?

As windows internals control most of the operations, malware developers will abuse these to modify settings and configurations to achieve persistence and evade security tools such as antivirus and EDRs, or even operate at the lowest levels such as the kernel through rootkits.

Using the examples listed in the above section, let's see how they are relevant:

Processes and threads

Malware can manipulate regular processes to execute its code or even inject themselves into legitimate processes. By running inside a legitimate process, malicious network activity and actions seem to originate from a trusted Windows component, making it much harder for security tools to detect.

An example is the Emotet banking trojan which acts as a loader that downloads malware such as Trickbot, Qakbot, and IcedID. It does this through the following steps:

i. Emotet identifies a generic Windows host process that is most likely trusted by firewalls and have network access such as explorer.exe and svchost.exe.

ii. Allocates a new memory region in the target process through API calls such as VirtualAllocEx.

iii. Copies payload into the new memory region with the WriteProcessMemory function.

iv. Create a new thread within the target process to execute the injected payload by using functions such as CreateRemoteThread.

Memory management

Manipulation of memory to execute malicious code by disguising itself as a legitimate process. Similar to the example above, checking Task Manager would show the legitimate process running, but it's actually the malware masquerading as such.

An example of process hollowing is the AZORult information stealer which does it through the following steps:

i. AZORult starts a legitimate Windows process in a suspended state using the CREATE_SUSPENDED flag.

ii. It then unmaps the original code from memory using NtUnmapViewOfSection.

iii. It allocates new memory within the virtual address space that it just unmapped, and writes the malicious payload into this region.

iv. AZORult then change the entry point of the process's main thread to point to the start of the malicious code.

v. The suspended process is resumed, thus executing the malicious code.

An example of DLL injection is the TrickBot trojan which forces a target process to load a malicious DLL through the following steps:

i. Similar to Emotet, TrickBot utilizes a common and innocent host process.

ii. It allocates memory within the target process to hold the path to the malicious DLL file, and writes this path into the allocated memory.

iii. It then calls the function CreateRemoteThread, but points the start address to the address of the LoadLibraryA function which points to the memory address containing the path to the DLL file.

iv. The target process executes LoadLibraryA which loads the malicious DLL file.

Kernel and drivers

As operating at the kernel level (aka ring 0) grants the highest level of permissions, some sophisticated malware are designed to do this and hide its presence and achieve persistence.

An example of this is the world famous Stuxnet! Just a wee bit more sophisticated than usual, but it's cool so let's examine how it hid through the following steps:

i. Stuxnet uses some NSA (then) 0-days to escalate to admin privileges.

ii. Installs two malicious drivers that were digitally signed with stolen, legitimate certificates from Realtek and JMicron to appear authentic to the operating system.

iii. These drivers operated at the kernel level which allowed them to intercept system calls and manipulate the data returned by the operating system to the applications.

iv. These drivers would hook functions related to file system enumeration. For instance, when a program tried to list files in a directory, it would intercept this request and filter out its own files from the results, thus evading detection as we would not be able to see its files on the disk, nor read its processes in task manager.

Fun facts about kernel and EDRs:

Modern day EDRs require kernel access in order to detect and prevent rootkits. An EDR agent running in user-space can be terminated by malware which successfully achieves moderate privileges levels. Basically, the EDR needs to have at least the same if not higher level of privileges to detect and block malware.

At the kernel level, EDRs can monitor process creation and registry modifications at the lowest level. Additionally, the EDR can also block a malicious operations from executing. For instance, blocking a process from writing a ransomware payload to disk.

There are some EDRs which have an Early Launch Anti-Malware driver which is one of the very first components that load during the boot process. This allows the agent to detect and block rootkits that are designed to activate at boot.

However, kernel access comes with higher risks. A bug or instability in a kernel-mode driver can cause the entire operating system to crash, resulting in a "Blue Screen of Death" (BSOD). A prime example of this is CrowdStrike's global outage in July 2024 when their configuration update caused a critical memory safety error triggering Windows' kernel safety mechanisms, resulting in BSOD.

If you snatched up a whole lot of CRWD at rock bottom...

Fundamental Windows Internals

Processes

A process is basically an executed program, and contains all the resources needed to run. We can view them in the Windows Task Manager. Pretty sure some programs are coded to know when you're viewing their process in Task Manager, because that's when they start working after being "not responding" for 15 minutes.

Generally, a process consists of the following (not exhaustive):

• memory address space - the allocated memory

• file handles - makes system resources accessible to the process

• code - the program's code

• process identifier - unique ID

• environment variables - configuration information for a process

• thread(s) - the sequence of code that the CPU follows

Malware tends to masquerade as legitimate and common processes to avoid detection. Examples of such attack techniques are process hollowing and process injection as we saw above.

Threads

The fundamental unit of execution within a process. An analogy is that a process is a factory and threads are the workers. The more workers there are, the faster tasks can be done.

This is also why GPUs (which have much higher throughput compared to CPUs by performing far more simple operations simultaneously) are more suited to running video games, because each frame requires billions of identical computations, such as calculating the color and position of every pixel, applying textures, and simulating lighting.

Virtual Memory

Tabstraction that gives each process its own private, isolated memory space. The OS, with help from the hardware, maps these virtual addresses to physical RAM. This prevents processes from interfering with each other. Check out the Memory (RAM) section for more details.

Dynamic Link Libraries

DLLs are libraries of code and data that can be used by multiple programs at the same time. Instead of compiling the same code into every program, applications can load a shared DLL into their memory when needed.

Portable Executable Format

The PE format is the standard file structure for all executables (.exe), object code, and DLLs on Windows. It contains a header with metadata about the file (such as when it was compiled and what functions it imports) and various sections containing the actual code (.text), data (.data), and other resources.