Malware Development Essentials ☠️

Credits to 5mukx and his blog

Become an Beginner to Intermediate in Malware Development Field !

For Malware development and security professionals, understanding the inner workings of Windows is crucial. Windows internals, the hidden world beneath the user interface, can harbor vulnerabilities if not properly secured. Let’s dissect the key components and their security implications:

Note

These are my complete notes when I’m studying about maldev and these are just notes. If you want to know more on particular topics . Just google it or visit MSDN Documentation ie Microsoft Documentation .

Windows Architecture

Windows architecture follows a layered design with two main components: user mode and kernel mode.

+--------------------+----------------------+  
|    Application A   |      Application B   |  
+--------------------+----------------------+  
|       User Mode    |         User Mode    |  
+--------------------+----------------------+  
			 |               |  
			 v               v  
		  +---------------------+  
		  |       Kernel        |  
		  +---------------------+    
				  |     |  
				  v     v  
		  +----------------------+  
		  |        Hardware      |  
		  +----------------------+

• User Mode: This layer sits on top of Kernel Mode and contains applications, subsystems, and processes running on the system. These programs have limited access to hardware and rely on Kernel Mode for hardware interaction.
• Kernel Mode (Protected Mode): This core layer houses critical system components like device drivers, memory management, and process management. It has unrestricted access to hardware and executes with full privileges.
• System Calls: When a user mode program needs to access hardware or perform privileged operations, it makes a system call. This essentially triggers a request that gets processed by Kernel Mode.
• Hardware Abstraction Layer (HAL): This layer acts as a bridge between the Kernel Mode and the physical hardware. It translates generic hardware instructions from the kernel into commands specific to the underlying hardware components. This allows Windows to function on different computer systems without needing major code modifications for each specific hardware configuration.
• Hardware: This represents the physical components of the computer system, including the CPU, memory, storage devices, and peripherals. Kernel Mode interacts with the hardware through the HAL.

Here is an brief Diagram of Windows architectures.

If you want to know more you can visit the internals site : https://apprize.best/microsoft/internals/2.html

Windows Memory Management

Windows employs a sophisticated memory management system to efficiently allocate and utilize physical memory (RAM) and virtual memory (a combination of RAM and disk space).

Memory Types

• User-mode/Kernel Mode: As discussed earlier, applications run in either user mode (limited access) or kernel mode (full access). Memory allocations are segregated based on the mode to ensure security and stability.
• x86 (2GB-4GB)/x64 (2GB-128TB): These represent the addressable memory space for different processor architectures. 32-bit x86 processors can typically address up to 4GB of memory, while 64-bit x64 processors can handle significantly larger amounts (up to 128TB theoretically).
• Paged Pool: This is a dynamically allocated memory pool used for frequently accessed data that can be swapped between RAM and the paging file (virtual memory on disk) as needed. This optimizes memory usage for active programs.
• Non-paged Pool: This pool holds critical kernel-mode data that must always reside in RAM for optimal performance. It cannot be paged out to disk.

States of Pages

These states indicate the current status of memory pages within the paged pool:

• Free: The page is unused and available for allocation.
• Reserved: The page is allocated but not yet committed for use.
• Committed: The page contains data and is actively in use. It can be either:
  • Modified: The data in the page has been changed since it was loaded into memory.
  • Writeable: The data can be written to, but hasn’t been modified yet.
• Standby: The page is in RAM but hasn’t been recently accessed. It can be swapped out to disk if needed.

System Cache

This refers to a portion of memory reserved for frequently accessed data. By caching this data, the system can retrieve it faster, improving application performance.

Memory Access Permissions

Refer MSDNfor More Info . This is just an note for cheatsheet and can used in work.

These flags define the access rights for memory pages:

• PAGE_EXECUTE_READ (0x20): Allows code execution and data reading.
• PAGE_EXECUTE_READWRITE (0X40): Grants full access for code execution, reading, and writing.
• PAGE_EXECUTE_WRITECOPY (0X80): Permits code execution, but writes trigger a copy of the page to be created before modification. This protects the original data.
• PAGE_READONLY (0X02): Only data reading is allowed.
• PAGE_READWRITE (0X04): Enables both reading and writing.
• PAGE_WRITECOPY (0X08): Similar to PAGE_EXECUTE_WRITECOPY, but for writable data in general.
• PAGE_TARGETS_INVALID (0x40000000), PAGE_TARGETS_NO_UPDATE (0x40000000): Flags used for memory-mapped I/O (input/output).
• PAGE_GUARD (0x100): Marks a page as inaccessible, triggering an access violation if attempted. Used for memory protection.
• PAGE_NOCACHE (0x200): Prevents caching of the page’s data.
• PAGE_WRITECOMBINE (0x400): Optimizes write performance for certain types of memory accesses.

Page Protections in Windows

Page protections are a fundamental security mechanism in Windows memory management that control how applications can access specific regions of memory. These protections are implemented through memory flags assigned to individual memory pages, granting or restricting permissions for:

• Reading: Retrieving data from the page.
• Writing: Modifying data within the page.
• Executing: Running code instructions stored in the page.

By carefully configuring page protections, Windows safeguards against malicious attacks that exploit vulnerabilities in software. Two prominent security features rely on page protections: DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

Data Execution Prevention (DEP)

DEP is a security technology that marks certain memory pages as non-executable. This prevents attackers from injecting malicious code (such as shell-code) into these regions and attempting to execute it. Here’s a breakdown of DEP’s functionality:

1. Residence: DEP settings reside in the Thread Environment Block (TEB) or Thread Information Block (TIB) for each thread. This allows for thread-specific DEP configurations.
2. Non-Executable Memory: DEP identifies and marks specific memory pages as non-executable. These pages typically include:

• Default heap: Used for dynamic memory allocation, often targeted by buffer overflow attacks.
• Stacks: Areas where function call arguments and local variables are stored, another potential target for exploitation.
• Memory pools: Pre-allocated memory areas managed by the system, also vulnerable to attacks.

3. Attack Mitigation: If an application attempts to execute code from a non-executable page, DEP triggers an access violation

Illustration of DEP:

Imagine a memory space with various segments:

+--------------------+--------------------+--------------------+
|        Code        |      Data (Heap)   |       Stack        |
+--------------------+--------------------+--------------------+
		 ^                                         ^
	   Executable                           Non-Executable 
										  (Protected by DEP)

• The “Code” segment stores program instructions and is marked as executable.
• The “Data (Heap)” and “Stack” segments hold program data and are protected by DEP, preventing code execution attempts.

Address Space Layout Randomization (ASLR)

ASLR is a security technique that randomizes the base addresses where a process, its modules (DLLs), and critical data structures are loaded into memory during process creation. This randomization makes it more difficult for attackers to exploit vulnerabilities that rely on knowing specific memory locations:

1. Randomization: During process creation, the memory addresses for loading the process image, DLLs, and key data structures are randomized within a designated address space range. This randomization occurs at a system level to ensure consistency across processes.
2. Exploitation Difficulty: If an attacker’s exploit relies on hardcoded memory addresses, it’s highly likely to fail due to ASLR. The exploit wouldn’t be able to locate the intended target locations in memory, preventing successful execution.

Illustration of ASLR:

Consider two process memory layouts before and after ASLR:

Before ASLR:

+--------------------+--------------------+
|      Process A     |      Process B     |
+--------------------+--------------------+
 ^                       ^
Specific, predictable    Specific, predictable
addresses (0x00002020)   addresses (0x00002021)

After ASLR:

+--------------------+--------------------+  
|      Process A     |      Process B     |  
+--------------------+--------------------+  
|     Randomized          Randomized      |  
|       addresses          addresses      |  
|     (0x02133221)        (0x03983463)    |  
+--------------------+--------------------+

• Process A and B are loaded at different base addresses in each scenario due to ASLR.

Combined Impact

DEP and ASLR work together to significantly enhance Windows security:

• DEP prevents malicious code execution from data regions.
• ASLR makes it harder for attackers to predict memory locations for exploitation attempts.

WinAPI Calls: Core Functions

WinAPI (Windows API) calls are functions provided by Microsoft that allow applications to interact with the underlying functionalities of the Windows operating system. These calls offer programmatic access to features like memory management, file systems, user interface elements, and more.

Basic Windows API Calls:

These calls form the foundation for interacting with the Windows system from your programs.

• Getting Information: Many WinAPI calls retrieve information about the system or user.
• Managing Processes and Threads: These calls allow you to create and manage processes (running programs) and threads (execution paths within a process).
• User Interface Interaction: Some WinAPI calls enable programs to interact with the user interface elements like windows, menus, and controls.
• File and Memory Management: Advanced WinAPI calls provide access to manage files and memory within your programs.

Basic Calls Explained:

• GetUserNameA/GetUserNameW: These functions retrieve the name of the current user logged into the system. The “A” suffix indicates the ANSI character set version, while “W” indicates the Unicode version for wider character support.
• GetCurrentDirectory: This function retrieves the full path of the current working directory for your application.
• Sleep: This function suspends execution of the calling thread for a specified amount of time in milliseconds. It allows your program to pause briefly before continuing.
• GetComputerNameA/GetComputerNameW: Similar to GetUserName, these functions retrieve the name of the computer itself. Again, “A” is for ANSI and “W” for Unicode.
• CreateProcessA/CreateProcessW: These powerful functions allow you to create a new child process and optionally wait for it to finish execution. The “A” and “W” versions again correspond to character set options.
• CreateThread: This function creates a new thread of execution within your current process. Threads allow your program to handle multiple tasks concurrently.

Core Windows DLLs:

These are all essential DLLs (Dynamic Link Libraries) that servers for many Windows functions.

• msvcrt.dll: This DLL provides core runtime library functions for C++. It includes essential routines for memory management, input/output operations, and string manipulation used by many Windows applications.
• kernel32.dll: This is a fundamental DLL that offers a wide range of core Windows functionalities. It includes functions for process and memory management, file system access, security, and console input/output. Many other DLLs rely on kernel32.dll for basic system interaction.
• kernelbase.dll: This DLL is closely tied to kernel32.dll and provides even more low-level system functions related to memory management, object creation, and synchronization. It acts as an extension to kernel32.dll for more advanced tasks.
• ntdll.dll: This is the Windows NT kernel-mode DLL. It provides the core functionalities of the Windows kernel, including managing hardware access, virtual memory, and security. Due to its kernel-mode nature, it’s not directly accessible by most programs.
• wininet.dll: This DLL offers functions specifically for internet access. It allows applications to interact with the internet using protocols like HTTP and FTP for downloading files, accessing websites, and more.
• ws2_32.dll: This DLL implements the Windows Sockets (Winsock) API, which provides a network programming interface. It enables applications to handle TCP/IP networking tasks like creating sockets, sending and receiving data, and managing network connections.
• user32.dll: This DLL is crucial for the user interface. It provides functions for creating and managing windows, menus, controls, and handling user input like mouse and keyboard actions. Essentially, it controls how you interact with your programs visually.
• advapi32.dll: This DLL offers functions related to advanced Windows security features like user authentication, access control, and registry manipulation. It allows programs to interact with secure aspects of the system in a controlled manner.

PE Structures

For PE(Portable Executable) File Structure you can Learn more about on 0xRick Blog ..

Link : https://0xrick.github.io/win-internals/pe1/

That’s it Nerds, it will almost take 2 to 3 weeks to become familiar with windows structures. So Take frequent breaks when you get burned out and start with fresh :)

Best Malware Resources sites: https://ru-sfera.pw/threads/vvedenie-v-razrabotku-vredonosnyx-programm-oglavlenie.4435/#post-150566