
Windows Internals for Malware Analysis

Introduction

This article defines Windows internals and introduces tools that can be used to explore the internal systems of Windows. We'll also define malware and describe how it can be analyzed by comparing registry states. This also helps self-starter developers debug basic or complex problems.

This article is designed for self-starters, students and professionals interested in reverse engineering, penetration testing and building applications within the Windows environment.

Windows internals

Windows internals are the inner workings of the Windows operating system: its critical OS data structures and its system architecture. In this article, we'll briefly explore the following building blocks of the Windows operating system: the Windows Application Programming Interface (API), processes, the registry and threads.

Application Programming Interface

The Windows Application Programming Interface (API) is the user-mode system programming interface to the Windows OS family. The Windows API is the set of functions that a Windows program calls to request actions such as closing a window, opening a new window or displaying a message on the screen, among many other operations. The program requesting the action does not need to know how the underlying hardware functions or operates.

The Windows API allows user-written programs to interact with Windows.

Process

It is easy to confuse a program with a process, but they are two entirely different things. While a program is a static sequence of instructions, a process is a dynamic set of resources used to execute a program.

The Process Explorer tool from Sysinternals offers advanced options and features compared to the built-in Windows Task Manager in current Windows operating systems. Unlike Task Manager, Process Explorer can trace an application down to the last Dynamic Link Library (DLL) file it is using.
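The same DLL-level view that Process Explorer shows in its lower pane can be produced from PowerShell for a quick triage, as in this added example (not code from the original post). It assumes Windows PowerShell 5.1 or later, and the process name `notepad` used in the usage call at the end is only a placeholder.

```powershell
# Added example: list the modules (DLLs) loaded by a named process, as Process
# Explorer does, and flag any module loaded from outside the usual system and
# program directories, with its Authenticode status as a second signal.
function Get-ProcessModuleReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ProcessName
    )

    # Directories from which legitimately installed modules are normally loaded.
    $trustedRoots = @(
        $env:SystemRoot,
        ${env:ProgramFiles},
        ${env:ProgramFiles(x86)}
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    $procs = Get-Process -Name $ProcessName -ErrorAction Stop

    foreach ($proc in $procs) {
        # .Modules throws for protected or higher-integrity processes; skip those.
        try { $modules = $proc.Modules }
        catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_"; continue }

        foreach ($m in $modules) {
            $path = $m.FileName
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true; break
                }
            }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId   = $proc.Id
                Module      = $m.ModuleName
                Path        = $path
                TrustedPath = $inTrusted
                Signature   = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            }
        }
    }
}

# Usage (placeholder process name): modules of every running notepad.exe,
# with modules from untrusted paths listed first.
Get-ProcessModuleReport -ProcessName 'notepad' |
    Sort-Object TrustedPath, Path |
    Format-Table -AutoSize
```

A module loaded from a user-writable directory, or with a signature status other than `Valid`, is worth a closer look in Process Explorer.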

Also from the Sysinternals suite is the Process Monitor tool, which shows real-time file system, registry

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Richard Azu. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/AAKSifn6Crs/


Richard Azu

Richard has over 16 years of experience in Network/Telecom Engineering. Experienced in the deployment of voice and data over the three media (radio, copper and fibre), Richard, a system support technician currently with First National Bank Ghana Limited, is still looking for ways to derive benefit from WDM technology in optics. Using Kali as a springboard, he has developed an interest in digital forensics and penetration testing.
