Today we dove into some Windows internals theory. A few topics were tricky, especially virtual memory and private virtual address spaces, but I started to get a better grasp on them.
In simple terms, virtual memory gives each running process its own private sandbox to play in. Instead of letting programs read and write physical memory directly (where any bug or malicious program could trample the rest of the system), the operating system gives each process its own virtual address space. The memory manager, together with the CPU's paging hardware, translates each virtual address into the actual location in physical RAM (or to a page that has been swapped out to disk). This makes the system safer and more stable because one process can't simply reach into another's memory. The caveat that matters for malware analysis is that this isolation is enforced by the kernel, not by the process itself: a process with sufficient privileges can still ask the kernel to read and write another process's memory (for example through API calls such as ReadProcessMemory and WriteProcessMemory), and that is exactly what process-injection techniques rely on.
I also learned about DLLs (Dynamic Link Libraries). Think of them as shared libraries of code that many programs can use. Because the code is loaded once and shared, programs don't each need their own copy of it, which saves disk space and memory and makes programs load faster. It's like having one toolbox all programs can borrow from instead of each one carrying its own full set of tools. One caveat worth remembering: a program asks for a DLL by name and Windows searches several locations for it, so malware can plant a DLL with the same name where it will be found first (DLL search-order hijacking). That makes the list of DLLs a process has loaded, and where on disk they were loaded from, worth checking during analysis.
Related to this, Windows API calls are how programs ask the operating system to do things for them, like opening a file, drawing something on screen, or starting another process. The API functions themselves live in system DLLs (kernel32.dll, user32.dll, advapi32.dll, and so on), which is why every program loads at least a few of them. The Windows API is the documented way for programs to interact with Windows features and services, and for malware analysis it is the main thing to watch: which API calls a sample makes (say, writing a registry Run key or creating a thread in another process) tells you what it is actually doing.
Next, we got into dynamic malware analysis, something I definitely want to try more of in the future. My plan is to set up a sandbox environment on a separate computer so I can safely run and analyze malware and watch what it does in real time.
In the dynamic analysis lab, I used a few helpful tools:
- Procmon (Process Monitor): Records system activity in real time, covering file system, registry, process/thread, and network operations, along with the process that performed each one. Great for seeing what a program is really doing. The trace fills up fast, so filtering by process name (or by parent PID, so child processes the sample spawns are caught too) is essential.
- Process Explorer: Like Task Manager on steroids. It shows running processes as a parent/child tree with detailed info about each one, including the files, handles, and DLLs it has open, and it can verify each process image's digital signature and check its hash against VirusTotal.
- Regshot: Takes a snapshot of the Windows registry (and optionally a directory tree on disk) before and after you run something, then shows the differences. Useful for seeing what persistent changes a program makes, such as new autorun entries or dropped files.
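Putting the first of those tools to work from a script, as an added example that is not part of the original post or of the course lab: the block below drives Procmon headlessly around a sample, exports the trace to CSV, and does a first-pass triage of the CSV for the behaviours Regshot and a manual Procmon filter would otherwise be used to spot. Procmon.exe being on PATH, the sample path C:\samples\suspicious.exe, the trace directory C:\traces, and the 60-second run time are all assumptions; the CSV column names are the ones Procmon uses in its own export.

```powershell
# Added example (not from the original post). Run inside the isolated analysis
# VM only; paths below are assumptions for a lab, change them to match yours.
$Procmon = "Procmon.exe"                     # assumed: Sysinternals Procmon on PATH
$Sample  = "C:\samples\suspicious.exe"       # assumed sample path
$Trace   = "C:\traces\run1.pml"
$Csv     = "C:\traces\run1.csv"
New-Item -ItemType Directory -Force -Path (Split-Path $Trace) | Out-Null

# 1. Start capturing to a backing file, minimised and without GUI prompts.
Start-Process $Procmon -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$Trace`""
Start-Sleep -Seconds 5                       # give Procmon time to load its driver

# 2. Run the sample for a bounded time, then kill it if it is still alive.
$proc = Start-Process $Sample -PassThru
Start-Sleep -Seconds 60
if (-not $proc.HasExited) { Stop-Process -Id $proc.Id -Force }

# 3. Tell the running Procmon instance to stop, then convert the trace to CSV.
Start-Process $Procmon -ArgumentList "/Terminate" -Wait
Start-Process $Procmon -ArgumentList "/AcceptEula /OpenLog `"$Trace`" /SaveAs `"$Csv`"" -Wait

# 4. Triage. Each rule is a first-pass heuristic, not a verdict.
function Get-ProcmonTriage {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$ProcessName   # e.g. suspicious.exe
    )
    $events = Import-Csv -Path $CsvPath |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'SUCCESS' }

    $rules = @(
        @{ Tag = 'Persistence: Run key';
           Test = { param($e) $e.Operation -eq 'RegSetValue' -and $e.Path -match 'CurrentVersion\\Run' } },
        @{ Tag = 'Persistence: service';
           Test = { param($e) $e.Operation -eq 'RegSetValue' -and $e.Path -match '\\Services\\' } },
        @{ Tag = 'Dropped/modified file';
           Test = { param($e) $e.Operation -eq 'WriteFile' } },
        @{ Tag = 'Child process';
           Test = { param($e) $e.Operation -eq 'Process Create' } },
        @{ Tag = 'Network';
           Test = { param($e) $e.Operation -like 'TCP *' -or $e.Operation -like 'UDP *' } }
    )

    foreach ($rule in $rules) {
        $events | Where-Object { & $rule.Test $_ } |
            Select-Object @{n='Tag';e={$rule.Tag}}, Operation, Path, Detail -Unique
    }
}

Get-ProcmonTriage -CsvPath $Csv -ProcessName (Split-Path $Sample -Leaf) |
    Format-Table -AutoSize -Wrap
```

The filter on Process Name deliberately misses activity done by child processes or by code injected into another process; when the "Child process" rows are non-empty, rerun the triage for each child's name (or add the child PIDs to the filter) before concluding the sample did nothing else.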
By the end of the day, I also completed two optional labs. One of the most interesting was exploring the Sysinternals Suite, a collection of powerful system utilities from Microsoft.
I tried out most of them to see what they do, but my favorite was Streams. I learned that NTFS supports alternate data streams: a file can carry extra named streams of data besides its main content, and those extra streams don't show up in Explorer or in a normal dir listing, nor do they count toward the file size you see, so one file can quietly carry another (for example, a script attached to an innocent-looking text file). Streams lists these hidden streams and can delete them; dir /r in cmd.exe shows them as well. One caveat: not every alternate data stream is suspicious, since Windows itself attaches a Zone.Identifier stream (the "mark of the web") to files downloaded from the internet.
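To make the hiding and the detection concrete, here is an added example (my own, not from the original post or from Sysinternals) that creates a file with a hidden stream, shows that the normal size and listing miss it, and then sweeps a directory for any file carrying more than its main stream, the way Streams does. The directory under $env:TEMP and the harmless one-line "payload" are constructed for the demo; the volume must be NTFS.

```powershell
# Added example (not from the original post). Needs an NTFS volume.
$dir  = Join-Path $env:TEMP 'ads-demo'        # assumed scratch directory
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$file = Join-Path $dir 'notes.txt'

Set-Content -Path $file -Value 'just some harmless notes'

# Attach a second, named stream to the same file. This is the "script hidden in
# a text file" case; the payload is a constructed, harmless one-liner.
Set-Content -Path $file -Stream 'payload.ps1' -Value 'Write-Output "hello from the hidden stream"'

# Explorer, dir, and Get-Item report only the unnamed main stream's size.
(Get-Item $file).Length

# Enumerate every stream on the file. ':$DATA' is the unnamed main stream;
# anything else is an alternate data stream.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Sweep a directory tree for files carrying any stream besides the main one.
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateDataStreams -Path $dir

# Read the hidden content back: the stream is addressed as file:streamname.
Get-Content -Path $file -Stream 'payload.ps1'

# Sysinternals equivalents: "streams.exe -s <dir>" lists recursively and
# "streams.exe -d <file>" deletes the extra streams. Caveat: a Zone.Identifier
# stream is the normal mark-of-the-web on downloaded files, not an indicator.
Remove-Item -Path $file -Stream 'payload.ps1'   # removes only the hidden stream
```

Note that the sweep only finds streams on files the account can open; run it elevated when checking system directories, and expect Zone.Identifier hits on anything in Downloads.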
Another cool tool was TCPView, which shows all active TCP and UDP endpoints on your system, including the local and remote addresses and ports, which process owns each one, and the state of each connection. It is essentially a live, process-aware version of netstat -ano. You can even manually close a suspicious connection from the tool, though that only drops the socket; the process that opened it is still running and may simply reconnect.
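The same view from a script, as an added example that is not from the original post or from Sysinternals: the function below reproduces what TCPView shows for TCP (owning process, image path, remote endpoint, state) using the built-in NetTCPIP cmdlets, and adds a first-pass Suspicious flag. The flag's heuristics (unsigned image, or image running from a user-writable location, with a live connection) are my own assumptions about what deserves a second look, not a verdict. Requires Windows 8 / Server 2012 or later; run elevated so every process's image path is readable.

```powershell
# Added example (not from the original post). Heuristics are assumptions.
function Get-ConnectionInventory {
    param([switch]$EstablishedOnly)

    $conns = Get-NetTCPConnection
    if ($EstablishedOnly) { $conns = $conns | Where-Object { $_.State -eq 'Established' } }

    foreach ($c in $conns) {
        $p      = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path   = if ($p) { $p.Path } else { $null }
        $signer = $null
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($sig -and $sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Process    = if ($p) { $p.ProcessName } else { '<unknown>' }
            PID        = $c.OwningProcess
            Local      = "$($c.LocalAddress):$($c.LocalPort)"
            Remote     = "$($c.RemoteAddress):$($c.RemotePort)"
            State      = $c.State
            ImagePath  = $path
            Signer     = $signer
            # Assumed heuristic: live connection from an unsigned binary or from
            # a directory an ordinary user can write to.
            Suspicious = ($c.State -eq 'Established') -and
                         ((-not $signer) -or ($path -match '\\(Temp|AppData|Downloads|Public)\\'))
        }
    }
}

Get-ConnectionInventory -EstablishedOnly |
    Sort-Object Suspicious -Descending |
    Format-Table Process, PID, Local, Remote, State, Signer, Suspicious -AutoSize

# Closing a connection in TCPView only drops the socket. Once you have collected
# what you need, stop the owning process instead: Stop-Process -Id <pid> -Force
```

For UDP, Get-NetUDPEndpoint gives the local side and owning process in the same way; there is no remote address or state, since UDP is connectionless. Like TCPView, this only reports what the kernel's user-visible tables contain, so a kernel-mode rootkit hiding a socket would hide from both.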
Today I finally feel like I caught up with the material. I got to do all the mandatory labs and also the optional ones.
