What is Windows Internals?

Hello, today we are going to examine the topic of "Windows Internals" together.

So what is it?
In short, let's just say "the kernel"; there is no need to confuse you.

So what will we learn?
Virtual memory, kernel mode and user mode, the Win32 API and more.
Of course, while explaining all this I will also touch, only briefly, on how it helps with analyzing malware. Otherwise we would have to write a book about it.


Our first title is "Virtual Memory"

What we call virtual memory is, briefly, an abstraction layer that the operating system places between the CPU's memory accesses and physical memory: a program is not handed physical addresses directly but gets an address space of its own, which the operating system maps onto physical RAM. In short, an imaginary environment is created by the operating system.


For each process the operating system builds a table that maps those virtual addresses to physical ones; it is called the "page table", and the CPU consults it on every memory access.
This is how virtual memory works.

Next is "Kernel and User Mode"
In short, without confusing you: code running in kernel mode has full authority over the system and can access anything without restriction (the kind of malware we call a rootkit runs in kernel mode). User-mode programs cannot access hardware directly; they reach resources such as the CPU and RAM through the operating system's APIs, that is, they can only work within their own resources.

Let's take a simple look at kernel32.dll. What can we see there?
Our list of requirements: CFF Explorer and C:\Windows\System32\Kernel32.dll
Open CFF Explorer, select kernel32.dll from the System32 folder and open it. Then click on the "Export Directory" section and look at the view that appears.



Through it we can easily see what this kernel32.dll exposes: which functions it exports, and therefore what a program that loads it can access and change through it. You can do the same with any malware sample.
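The export directory that CFF Explorer shows can also be walked by hand. The following is an added example, not code from the original post: it parses IMAGE_EXPORT_DIRECTORY from the raw bytes of the section that holds it, given that section's RVA (which CFF Explorer's section headers show), and builds a small constructed sample in the style of kernel32.dll so it runs offline. It also handles forwarded exports, since a large part of kernel32's exports are in fact forwarders to KERNELBASE.DLL.

```python
import struct

# IMAGE_EXPORT_DIRECTORY from winnt.h: 40 bytes, little-endian
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")

def parse_exports(section, section_rva, export_rva, export_size):
    """Walk an export directory inside `section` (raw section bytes mapped at `section_rva`).
    Returns (dll_name, {name: (ordinal, target)}); target is a code RVA or a forwarder string."""
    def at(rva):                          # RVA -> offset in the section buffer
        if not section_rva <= rva < section_rva + len(section):
            raise ValueError(f"RVA {rva:#x} lies outside the section")
        return rva - section_rva
    def cstr(rva):                        # NUL-terminated ASCII string at an RVA
        return section[at(rva):section.index(b"\0", at(rva))].decode("ascii")
    (name_rva, base, n_funcs, n_names, funcs_rva, names_rva,
     ords_rva) = EXPORT_DIR.unpack_from(section, at(export_rva))[4:]
    funcs = struct.unpack_from(f"<{n_funcs}I", section, at(funcs_rva))
    names = struct.unpack_from(f"<{n_names}I", section, at(names_rva))
    ords = struct.unpack_from(f"<{n_names}H", section, at(ords_rva))
    result = {}
    for name_ptr, idx in zip(names, ords):  # names[i] pairs with ordinals[i], which
        rva = funcs[idx]                    # indexes the address table
        # A forwarder's "address" points back into the export directory and holds a
        # string rather than code; many kernel32 exports forward to KERNELBASE this way.
        forwarded = export_rva <= rva < export_rva + export_size
        result[cstr(name_ptr)] = (base + idx, cstr(rva) if forwarded else rva)
    return cstr(name_rva), result

def build_sample_section(dll, exports, section_rva=0x1000):
    """Constructed test data: an export directory laid out as a linker would (name -> RVA or "DLL.Func")."""
    n = len(exports)
    funcs_off, names_off, ords_off, str_off = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings, str_rvas = b"", {}
    def add(s):
        nonlocal strings
        str_rvas[s] = section_rva + str_off + len(strings)
        strings += s.encode("ascii") + b"\0"
    for s in [*exports, *(t for t in exports.values() if isinstance(t, str)), dll]:
        add(s)
    hdr = EXPORT_DIR.pack(0, 0, 0, 0, str_rvas[dll], 1, n, n, section_rva + funcs_off,
                          section_rva + names_off, section_rva + ords_off)
    funcs = b"".join(struct.pack("<I", str_rvas.get(t, t)) for t in exports.values())
    names = b"".join(struct.pack("<I", str_rvas[nm]) for nm in exports)
    ords = b"".join(struct.pack("<H", i) for i in range(n))
    return hdr + funcs + names + ords + strings

# Constructed sample in the style of kernel32.dll: two forwarders and one real export (made-up RVA)
SAMPLE = {"CreateFileW": "KERNELBASE.CreateFileW", "VirtualAlloc": "KERNELBASE.VirtualAlloc",
          "BaseThreadInitThunk": 0x24A10}
```

Call `parse_exports(sec, 0x1000, 0x1000, len(sec))` on `sec = build_sample_section("KERNEL32.dll", SAMPLE)` to get the same name/ordinal/target triples CFF Explorer lists; on a real file the section RVA, export RVA and size come from the section table and the data directory.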



Yes, now let's talk about the Win32 API.

There are many APIs in the Windows operating system, but the most popular is the Win32 API. It works equally well on 32-bit and 64-bit Windows. We use the Win32 API actively when writing programs, and as you can guess, malware uses it too.

While performing malware analysis you will come across a lot of APIs. That alone does not mean the software is harmful; many programs we use every day call the same APIs. To decide whether something is malware, it is more accurate to examine how the API is used.

So how do we know it's malware?

We will solve this problem by obtaining API logs.
While analyzing the PE file of an exe we may encounter API names. However, as mentioned above, looking at APIs statically is not enough for us. At this point what we need is dynamic analysis, or we will have to do reverse engineering with a debugger.

APIMiner comes to our rescue for API logs: with APIMiner we can obtain the log of APIs a program calls while performing dynamic analysis. APIMiner on GitHub: poona/APIMiner (API Logger for Windows Executables)

It is 2022 now; hundreds of Win32 APIs ship with the Windows operating system and its SDKs. Now let's examine where we can find these APIs and how they are used.

Win32 DLLs
The Win32 APIs live in the DLL files under "C:\Windows\System32", System32 for short. As shown above, you can examine the kernel32.dll file with CFF Explorer again.



The .DLL files listed below are both necessary for Windows to work and frequently used by malware:

NTDLL.DLL
KERNEL32.DLL
KERNELBASE.DLL
USER32.DLL
NETAPI32.DLL
...


These are DLL files that come with SDKs (I will show the DLLs that come with Visual Studio as an example). The numbers at the end, such as 60, 120, 20..., indicate the versions of the SDKs.

MSVCRT.DLL
MSVCP100.dll
MSVBVM60.DLL
VCRUNTIME140.DLL

Programs written in languages such as C# and VB.NET use the .NET Framework's own DLLs. Still, the DLLs mentioned above will generally always appear. Now, to gather information about the Win32 APIs, such as what features the DLLs offer and what they can do, we will use MSDN.



MSDN documentation for CreateFile() Win32 API






Thank you for reading; that's enough for today. I wish you all a good day.


:)

Nice subject