SlideShare a Scribd company logo

Reversing & malware analysis training part 2 introduction to windows internals

Abdulrahman Bassam, profile picture
Abdulrahman Bassam

This document provides information about a reversing and malware analysis training program. It introduces the trainers, Amit Malik and Swapnil Pathak, and outlines topics to be covered including Windows architecture, memory management, processes and threads, system APIs, and system service dispatching. The training materials are intended to help students learn reverse engineering and malware analysis techniques.

Technology
1 of 22
Downloaded 71 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who am I #1 Amit Malik (sometimes DouBle_Zer0,DZZ)  Member SecurityXploded  Security Researcher @ McAfee Labs  RE, Exploit Analysis/Development, Malware Analysis  Email: m.amit30@gmail.com www.SecurityXploded.com
Who am I #2 Swapnil Pathak  Member SecurityXploded  Security Researcher @ McAfee Labs  RE, Malware Analysis, Network Security  Email: swapnilpathak101@gmail.com www.SecurityXploded.com
Course Q&A  Keep yourself up to date with latest security news  http://www.securityphresh.com  For Q&A, join our mailing list.  http://groups.google.com/group/securityxploded www.SecurityXploded.com
Windows Architecture www.SecurityXploded.com
Memory Management  Virtual Memory - An invisiblelayerbetween a softwareand physicalmemory - Every process first get loaded into its virtual memory address space - Small units called “pages”are used to do mapping between physicalmemory and virtual memory.  Paging - Memory managementschemethat stores and retrieves datafrom secondary storageforuse in main memory - Uses same size blocks called pages - Pagetable is used to translatevirtualaddresses in physicalmemory addresses www.SecurityXploded.com
Memory Management Cont.  UserAddressSpace - Allocatedfor user mode applications. - All processes executein theirown virtual space. - Useoperating system dlls to interact with kernel  Kernel AddressSpace - Strictlyreserved forkernel, devicedrivers and operatingsystemexecutive. - No user mode applicationcan directly interactwith thekernel. www.SecurityXploded.com
Kernel & UserAddress Space www.SecurityXploded.com
Process and Thread  Process - Executinginstanceofan application. - Isolatedaddress space - PEB data structurestoreinformationabout process - PEB is an user space data structure  Threads - Multiplethreads sharethe same address spacein the process. - Each process has at least a single executingthread. - TEBdata structurestoreinformation aboutthread www.SecurityXploded.com
PEB (Process Environment Block) An opaque data structure that store information about process in user space www.SecurityXploded.com
PEB Cont. www.SecurityXploded.com
TEB (Thread Environment Block) TEB is a data structure that store information about thread www.SecurityXploded.com
Application Programming Interface  API - Includesfunctions,classes, datastructures and variables - Interfacebetween varioussoftwarecomponents to communicatewith each other. - WindowsAPIs areused to interact with kernel or othermodules.  MSDN - Providesdocumentationforvarious APIfunctions.  System Dlls - ntdll.dll, kernel32.dll, user32.dll, advapi32.dll, hal.dll etc www.SecurityXploded.com
System Service Dispatching www.SecurityXploded.com
System Service Dispatching Cont. www.SecurityXploded.com
Important API  File and Directories - CreateFile, GetSystemDirectory, ReadFile, WriteFile etc  Network - socket, send, recv, URLDownloadToFile etc  Registry - RegOpenKey, RegSetValue, RegQueryValue etc www.SecurityXploded.com
Important API Cont.  Processes, Threads, Synchronization using mutex, semaphore. - CreateProcess, ReadProcessMemory, WriteProcessMemory,CreateRemoteThread, CreateMutex etc  Memory - VirtualAlloc, VirtualProtect ,HeapAlloc, LocalAlloc etc www.SecurityXploded.com
Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com
Thank You ! http://SecurityXploded.com

More Related Content

PPTX
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
PPTX
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
PPTX
Reversing malware analysis training part2 introduction to windows internals
Cysinfo Cyber Security Community
 
PDF
Reversing & malware analysis training part 1 lab setup guide
Abdulrahman Bassam
 
PPTX
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
PDF
Reversing & malware analysis training part 5 reverse engineering tools basics
Abdulrahman Bassam
 
PPTX
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
PDF
Reversing & malware analysis training part 11 exploit development advanced
Abdulrahman Bassam
 
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
Reversing malware analysis training part2 introduction to windows internals
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 1 lab setup guide
Abdulrahman Bassam
 
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Abdulrahman Bassam
 
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 11 exploit development advanced
Abdulrahman Bassam
 

Similar to Reversing & malware analysis training part 2 introduction to windows internals (20)

PDF
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
PPTX
Reversing malware analysis training part11 exploit development advanced
Cysinfo Cyber Security Community
 
PPTX
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
PDF
Reversing & malware analysis training part 3 windows pe file format basics
Abdulrahman Bassam
 
PDF
Reversing & malware analysis training part 10 exploit development basics
Abdulrahman Bassam
 
PPTX
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
ODP
Pyramid patterns
Carlos de la Guardia
 
PPTX
Virtualization auditing & security deck v1.0
Concentrated Technology
 
PDF
Reversing & malware analysis training part 8 malware memory forensics
Abdulrahman Bassam
 
PPT
Salesforce Internship Presentation (Summer 2012)
Nitin Jain
 
PDF
Reversing & malware analysis training part 7 unpacking upx
Abdulrahman Bassam
 
PDF
MySQL and memcached Guide
webhostingguy
 
PPTX
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
PPTX
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
PDF
Multicore Software Development Techniques Applications Tips and Tricks 1st Ed...
zmqyytgwu0985
 
PPTX
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
PPTX
Bridging the Gap
Will Schroeder
 
PPTX
Bridging the Gap: Lessons in Adversarial Tradecraft
enigma0x3
 
PPTX
A Beard, An App, A Blender
edm00se
 
DOC
136 latest dot net interview questions
sandi4204
 
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
Reversing malware analysis training part11 exploit development advanced
Cysinfo Cyber Security Community
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 10 exploit development basics
Abdulrahman Bassam
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Pyramid patterns
Carlos de la Guardia
 
Virtualization auditing & security deck v1.0
Concentrated Technology
 
Reversing & malware analysis training part 8 malware memory forensics
Abdulrahman Bassam
 
Salesforce Internship Presentation (Summer 2012)
Nitin Jain
 
Reversing & malware analysis training part 7 unpacking upx
Abdulrahman Bassam
 
MySQL and memcached Guide
webhostingguy
 
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
Multicore Software Development Techniques Applications Tips and Tricks 1st Ed...
zmqyytgwu0985
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
Bridging the Gap
Will Schroeder
 
Bridging the Gap: Lessons in Adversarial Tradecraft
enigma0x3
 
A Beard, An App, A Blender
edm00se
 
136 latest dot net interview questions
sandi4204
 
Ad

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Approach and Philosophy of On baking technology
30anthuong17
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Ad

Reversing & malware analysis training part 2 introduction to windows internals

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I #1 Amit Malik (sometimes DouBle_Zer0,DZZ)  Member SecurityXploded  Security Researcher @ McAfee Labs  RE, Exploit Analysis/Development, Malware Analysis  Email: m.amit30@gmail.com www.SecurityXploded.com
  • 6. Who am I #2 Swapnil Pathak  Member SecurityXploded  Security Researcher @ McAfee Labs  RE, Malware Analysis, Network Security  Email: swapnilpathak101@gmail.com www.SecurityXploded.com
  • 7. Course Q&A  Keep yourself up to date with latest security news  http://www.securityphresh.com  For Q&A, join our mailing list.  http://groups.google.com/group/securityxploded www.SecurityXploded.com
  • 9. Memory Management  Virtual Memory - An invisiblelayerbetween a softwareand physicalmemory - Every process first get loaded into its virtual memory address space - Small units called “pages”are used to do mapping between physicalmemory and virtual memory.  Paging - Memory managementschemethat stores and retrieves datafrom secondary storageforuse in main memory - Uses same size blocks called pages - Pagetable is used to translatevirtualaddresses in physicalmemory addresses www.SecurityXploded.com
  • 10. Memory Management Cont.  UserAddressSpace - Allocatedfor user mode applications. - All processes executein theirown virtual space. - Useoperating system dlls to interact with kernel  Kernel AddressSpace - Strictlyreserved forkernel, devicedrivers and operatingsystemexecutive. - No user mode applicationcan directly interactwith thekernel. www.SecurityXploded.com
  • 11. Kernel & UserAddress Space www.SecurityXploded.com
  • 12. Process and Thread  Process - Executinginstanceofan application. - Isolatedaddress space - PEB data structurestoreinformationabout process - PEB is an user space data structure  Threads - Multiplethreads sharethe same address spacein the process. - Each process has at least a single executingthread. - TEBdata structurestoreinformation aboutthread www.SecurityXploded.com
  • 13. PEB (Process Environment Block) An opaque data structure that store information about process in user space www.SecurityXploded.com
  • 15. TEB (Thread Environment Block) TEB is a data structure that store information about thread www.SecurityXploded.com
  • 16. Application Programming Interface  API - Includesfunctions,classes, datastructures and variables - Interfacebetween varioussoftwarecomponents to communicatewith each other. - WindowsAPIs areused to interact with kernel or othermodules.  MSDN - Providesdocumentationforvarious APIfunctions.  System Dlls - ntdll.dll, kernel32.dll, user32.dll, advapi32.dll, hal.dll etc www.SecurityXploded.com
  • 18. System Service Dispatching Cont. www.SecurityXploded.com
  • 19. Important API  File and Directories - CreateFile, GetSystemDirectory, ReadFile, WriteFile etc  Network - socket, send, recv, URLDownloadToFile etc  Registry - RegOpenKey, RegSetValue, RegQueryValue etc www.SecurityXploded.com
  • 20. Important API Cont.  Processes, Threads, Synchronization using mutex, semaphore. - CreateProcess, ReadProcessMemory, WriteProcessMemory,CreateRemoteThread, CreateMutex etc  Memory - VirtualAlloc, VirtualProtect ,HeapAlloc, LocalAlloc etc www.SecurityXploded.com
  • 21. Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com