Windows Internals for Malware Analysis
Introduction
This article defines Windows internals and introduces tools that can be used to explore them. We'll also define malware and describe how it can be analyzed by comparing registry states, a technique that also helps self-starter developers debug basic or complex problems.
This article is designed for self-starters, students and professionals interested in reverse engineering, penetration testing and building applications within the Windows environment.
Windows internals
Windows internals are the inner workings of the Windows operating system: its critical OS data structures and system architecture. In this article, we'll briefly explore the following building blocks of the Windows operating system: the Windows Application Programming Interface, processes, the registry and threads.
Application Programming Interface
The Windows Application Programming Interface (API) is the user-mode system programming interface to the Windows OS family. The Windows API is the set of functions that a Windows program calls to request actions such as closing a window, opening a new window or displaying a message on the screen, among many others. The program requesting the action does not need to know how the underlying hardware works.
The Windows API allows user-written programs to interact with Windows.
Process
It is easy to confuse a program with a process, but they are two entirely different things. While a program is a static sequence of instructions, a process is a dynamic set of resources used to execute a program.
The Process Explorer tool from Sysinternals offers more advanced options and features than the built-in Windows Task Manager. Unlike Task Manager, Process Explorer can trace an application down to the last Dynamic Link Library (DLL) it has loaded.
Also from the Sysinternals suite is Process Monitor, which shows real-time file system, registry and process/thread activity.
Registry
The registry is a very useful source of Windows internals, simply because it contains key settings that affect the performance and behavior of a system.
The registry is a system database that contains the information required to boot and configure the system, system-wide software settings that control the operation of Windows, the security database and per-user configuration settings. The default Windows Registry Editor is a graphical tool for viewing and editing the configuration settings of Windows components, installed hardware devices and software applications.
RegistryChangesView is a registry tool for Windows created by NirSoft. It allows users to take a snapshot of the Windows registry and compare it with a second snapshot taken after a piece of software or hardware has been installed. It can also be used to monitor changes that have taken place in the registry.
Threads
A thread is the entity within a process that can be scheduled for execution. A process can run several threads at the same time, and each thread can execute any of the process's code, including code that another thread is currently executing.
Malware analysis
Most malware is written for Windows operating systems, so malware analysis is absolutely essential. Malware can be analyzed by comparing two states of the Windows registry: the first state is a snapshot of the registry before changes such as a software or hardware installation are made, and the second is a snapshot taken after those changes have been made.
RegistryChangesView picks up changes such as added, modified and removed values in the registry. Malware infections can be detected by comparing the previous and current states of the Windows registry, and RegistryChangesView helps by listing every modification between the two snapshots.
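The snapshot comparison described above, as an added example that is not from the article or from NirSoft's tool: two constructed, simplified .reg-style exports of a user autostart key (all file paths and value names are made up) are parsed and diffed into the same three classes of change, added, modified and removed values.

```python
# Added example (not from the article or from NirSoft's RegistryChangesView):
# diff two registry snapshots into the added / modified / removed values that
# the article says RegistryChangesView reports. Constructed .reg-style samples.
from typing import Dict, List, Tuple

Snapshot = Dict[Tuple[str, str], str]  # (key path, value name) -> data
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed "before" state: a clean autostart key (all paths are made up).
BEFORE_EXPORT = rf"""
[{RUN_KEY}]
"OneDrive"="C:\Users\demo\OneDrive.exe"
"Updater"="C:\Program Files\Vendor\updater.exe"
"Antivirus"="C:\Program Files\AV\av.exe"
"""
# Constructed "after" state: one value modified, one added, one removed.
AFTER_EXPORT = rf"""
[{RUN_KEY}]
"OneDrive"="C:\Users\demo\OneDrive.exe"
"Updater"="C:\Users\demo\AppData\Local\Temp\updater.exe"
"WindowsHelper"="C:\Users\demo\AppData\Roaming\helper.exe"
"""


def parse_reg_export(text: str) -> Snapshot:
    """Parse [KEY] headers and "name"="data" lines (REG_SZ only) into a dict."""
    snap: Snapshot = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # start of a new key section
        elif key and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            snap[(key, name.strip('"'))] = data.strip('"')
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[tuple]]:
    """Classify each value as added, modified or removed; unchanged ones are dropped."""
    changes: Dict[str, List[tuple]] = {"added": [], "modified": [], "removed": []}
    for entry, data in after.items():
        if entry not in before:
            changes["added"].append((entry, data))
        elif before[entry] != data:
            changes["modified"].append((entry, before[entry], data))
    for entry, data in before.items():
        if entry not in after:
            changes["removed"].append((entry, data))
    return changes
```

A real file produced by `reg export` is UTF-16 encoded, doubles the backslashes inside string data and contains value types other than REG_SZ, none of which this simplified parser handles.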
Conclusion
This article has explained four key features of Windows internals and some tools which can be used to explore these internal workings of Windows. We’ve also seen how the RegistryChangesView tool can be used to compare two states of the Windows registry, thus picking up any modifications within the system.