Author’s Note:

These are my personal notes from the learning process I went through to understand Windows internals; they are messy and there is not much to see here.

Windows.h

Processes & Their Management

Threads & Thread Manipulation

IPC - Synchronization

Memory Management, Remote & Local

Handles & Permissions

Debugging in x64dbg, tooling

Native API: Nt and Zw

Process Handling:

Processes in Windows are running instances of a program. To create, open and manipulate a process we call the Win32 API (CreateProcess, OpenProcess and friends), which in turn issues the corresponding system call (NtCreateUserProcess, NtOpenProcess) through ntdll.

STARTUPINFO is a structure, not a method. Its members describe how the new process should be started: cb (the size of the structure in bytes, which must be set before the call), lpTitle, the standard input, output and error handles (hStdInput, hStdOutput, hStdError), window size and position, dwFlags and wShowWindow.

The other structure is PROCESS_INFORMATION, which CreateProcess fills in on success:

HANDLE hProcess; HANDLE hThread; DWORD dwProcessId; DWORD dwThreadId;

Both are defined in processthreadsapi.h (pulled in by windows.h).

Both must be declared before calling CreateProcess: zero STARTUPINFO and set its cb, zero PROCESS_INFORMATION. On return the two handles in PROCESS_INFORMATION belong to the caller and must be released with CloseHandle.

simple CreateProcess (the code itself is not reproduced in these notes)

CreateProcessA and CreateProcessW are the ANSI and Unicode (UTF-16) variants of the same function, the naming convention Windows uses for every string-taking API; CreateProcess itself is a macro that picks one depending on whether UNICODE is defined, and the A version converts its string arguments and calls the Unicode implementation internally. The code referred to above shows the different ways of calling CreateProcess. A process can also be created under a different security context: CreateProcessAsUser takes a primary token, CreateProcessWithTokenW a token plus logon flags, and CreateProcessWithLogonW a user name, domain and password.

Files:

Windows uses NTFS (New Technology File System). The GitHub code referred to (not reproduced here) shows two ways of opening a file: through the native Nt API and through the Win32 API.

The Win32 call has the simpler signature and fewer prerequisites: CreateFile takes the path as a plain string and reports failure through GetLastError, whereas NtCreateFile needs a UNICODE_STRING wrapped in an OBJECT_ATTRIBUTES plus an IO_STATUS_BLOCK, and returns an NTSTATUS.

CreateFile API vs NtCreateFile

Stepping through both in x64dbg there is little difference: CreateFileW rewrites the DOS path (C:\...) into the NT object-manager form (\??\C:\...) with RtlDosPathNameToNtPathName_U and then calls NtCreateFile in ntdll, the same stub the native version calls directly.
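The rewrite that shows up in x64dbg, as an added example (my code, not from the notes or from the GitHub code they refer to): dos_to_nt_path() reproduces the prefix handling that RtlDosPathNameToNtPathName_U performs inside CreateFileW, and open_both_ways() opens the same file with CreateFileW and with NtCreateFile so the two call shapes can be compared side by side. The sample paths are constructed; the real conversion also resolves relative paths and '.'/'..' and trailing dots/spaces, which this helper deliberately reports as unsupported.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
#ifndef FILE_OPEN
#define FILE_OPEN 0x00000001                     /* CreateDisposition: open, never create */
#endif
#ifndef FILE_SYNCHRONOUS_IO_NONALERT
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020  /* CreateOptions: blocking I/O */
#endif
#ifndef OBJ_CASE_INSENSITIVE
#define OBJ_CASE_INSENSITIVE 0x00000040L
#endif
#endif

/* Rewrite a Win32 path into the NT object-manager form that NtCreateFile
 * expects. Only the prefix rules are mirrored; the real
 * RtlDosPathNameToNtPathName_U also resolves relative paths and '.', '..'
 * and trailing dots/spaces. Returns 0 on success, -1 otherwise. */
static int dos_to_nt_path(const char *in, char *out, size_t cap)
{
    char tmp[512];
    const char *prefix, *rest;
    size_t i;

    if (strlen(in) >= sizeof tmp) return -1;
    if (strncmp(in, "\\\\?\\", 4) == 0) {
        prefix = "\\??\\"; rest = in + 4;        /* \\?\ : tail taken verbatim */
    } else {
        for (i = 0; in[i]; i++)                  /* the NT namespace only uses '\' */
            tmp[i] = (in[i] == '/') ? '\\' : in[i];
        tmp[i] = '\0';
        if (strncmp(tmp, "\\\\.\\", 4) == 0) {
            prefix = "\\??\\"; rest = tmp + 4;       /* \\.\ device path */
        } else if (tmp[0] == '\\' && tmp[1] == '\\') {
            prefix = "\\??\\UNC\\"; rest = tmp + 2;  /* \\server\share */
        } else if (isalpha((unsigned char)tmp[0]) && tmp[1] == ':' && tmp[2] == '\\') {
            prefix = "\\??\\"; rest = tmp;           /* C:\... */
        } else {
            return -1;   /* relative: would need the current directory */
        }
    }
    if (strlen(prefix) + strlen(rest) + 1 > cap) return -1;
    strcpy(out, prefix);
    strcat(out, rest);
    return 0;
}

/* Wrapper returning a static buffer, NULL if the path is not convertible. */
static const char *nt_path(const char *dos_path)
{
    static char buf[600];
    return dos_to_nt_path(dos_path, buf, sizeof buf) == 0 ? buf : NULL;
}

#ifdef _WIN32
/* Open the same file through the Win32 wrapper and through the native call
 * it ends up in; only the path form and the argument packaging differ. */
static int open_both_ways(void)
{
    HANDLE h = CreateFileW(L"C:\\Windows\\win.ini", GENERIC_READ, FILE_SHARE_READ,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;    /* error via GetLastError() */
    CloseHandle(h);

    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HANDLE hn = NULL;
    RtlInitUnicodeString(&name, L"\\??\\C:\\Windows\\win.ini");   /* NT form */
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
    NTSTATUS st = NtCreateFile(&hn, GENERIC_READ | SYNCHRONIZE, &oa, &iosb, NULL,
                               FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
                               FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (st < 0) return -2;                       /* negative NTSTATUS = failure */
    CloseHandle(hn);
    return 0;
}
#endif

int main(void)
{
    /* Constructed sample paths covering each prefix form plus a relative one. */
    const char *samples[] = { "C:\\Windows\\win.ini", "C:/tmp/a.txt", "\\\\server\\share\\f.txt",
                              "\\\\?\\C:\\a/b", "\\\\.\\pipe\\demo", "relative\\x.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const char *p = nt_path(samples[i]);
        printf("%-24s -> %s\n", samples[i], p ? p : "(not absolute: unsupported here)");
    }
#ifdef _WIN32
    return open_both_ways();
#else
    return 0;
#endif
}
```

The `#pragma comment(lib, "ntdll.lib")` is MSVC syntax; with mingw link with -lntdll instead. The difference in error reporting is worth remembering when reading either call in a debugger: the Win32 wrapper maps the NTSTATUS to a Win32 error code and stores it for GetLastError, the native call just returns the status.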

Attach: x64 gdb comparison

(to be updated later)

Scratch for the overflow test (the pattern strings are the test input; byte counts added):

88-byte pattern:

asdfghjklqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmq

80-byte pattern (the size of the allocation):

asdfghjklqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjkl

80 bytes => allocation

0x0000000000

The one-liner that generates the payload, with the shell quoting fixed (Python 2 print syntax; under Python 3 the bytes would have to be written with sys.stdout.buffer.write so that \x97\x0b\x40 is not re-encoded):

python2 -c 'print "asdfghjklqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjkl" + b"\x97\x0b\x40"'

Note that print appends a newline after the three raw bytes, and that \x97\x0b\x40 read little-endian is the value 0x400b97.