windows internals

  1. Tutorial RtlDosPathNameToNtPathName_U (NTDLL)

     Hello. There's an easy way to use normal DOS path names when working with the NTAPI. You can still use buffers like "C:\\filename.txt" or "D:\\filename.exe" even if the intention is to be working with routines like NtCreateFile or NtDeleteFile. The Win32 API accepts DOS file paths and it will...
  2. Tutorial Process Management (Kernel-Mode -> Suspension (PsSuspendProcess)) #2

     Hello everyone. Introduction: Today we will look into how we can suspend and resume a process in kernel-mode. As you may already know, in user-mode there are Win32 API functions like SuspendThread/ResumeThread, and there are Native API routines which can be invoked from user-mode thanks to...
  3. Tutorial Token Privileges (NTAPI & Lsa*)

     Introduction: Token Privileges are assigned to a process, which helps determine whether executing code can perform certain tasks or not. Tasks from the following list (but not limited to) are enforced by token privileges: accessing processes running on another user account (e.g. SYSTEM); loading...
  4. Tutorial Data Execution Prevention (DEP) - Native API (NtSetInformationProcess)

     Hello everyone. Introduction: Data Execution Prevention (DEP) is a memory protection feature which helps prevent exploitation of software. It is usually enforced not only at the software level but also at the hardware level. Unless a process marks a location in memory as executable, code will be...
  5. Tutorial Critical threads (Native API)

     Hello! This thread may only be useful if you are already aware of what a critical process is and how they work/are set. Critical processes were popular once in the past amongst managed (.NET framework based) malware due to the authors not being able to develop proper self-protection...
  6. Tutorial NtQuerySystemInformation and Process IDs

     Hello. One of the most common methods for enumerating through the running processes to find the Process ID of a process from the executable name is via Win32 API functions like CreateToolhelp32Snapshot and then walking the snapshot list with a do loop. I decided I'd share an alternate...