Learn and understand the fundamentals of how Windows operates at its core.
THM Room https://tryhackme.com/room/windowsinternals
TASK 1 : Introduction
Start the provided machine and move on to the next tasks.
No Answer
TASK 2 : Processes
Open the provided file: “Logfile.PML” in Procmon and answer the questions below.
No Answer.
What is the process ID of “notepad.exe”?
Opening the logfile with procmon then switch in the process tree view :
Procmon.exe
Process Tree
Answer : 5984
What is the parent process ID of the previous process?
Answer : 3412
What is the integrity level of the process?
Opening one notepad.exe in the list :
Integrity level
Answer : high
TASK 3 : Threads
Open the provided file: “Logfile.PML” in Procmon and answer the questions below.
No Answer.
What is the thread ID of the first thread created by notepad.exe?
Thread ID
Answer : 5908
What is the stack argument of the previous thread?
Filtered with just “show thread activity” :
Thread Activity filter
Then added the filter “contain thread” :
Thread Activity filter 2
I opened the first event from notepad.exe as “thread” and it has thread ID from previous question : 5908 :
Thread ID
Answer : 6584
TASK 4 : Virtual Memory
Read the above and answer the questions below.
No Answer.
What is the total theoretical maximum virtual address space of a 32-bit x86 system?
Answer : 4 GB
What default setting flag can be used to reallocate user process address space?
Answer : increaseUserVA
Open the provided file: “Logfile.PML” in Procmon and answer the questions below.
No Answer.
What is the base address of “notepad.exe”?
Hint : Listed as the operation Load Image.
First i searched the event for notepad.exe “load image” :
Operation
Then looking the process tab for the address :
Process Address
Answer : 0x7ff652ec0000
TASK 5 : Dynamic Link Libraries
Open the provided file: “Logfile.PML” in Procmon and answer the questions below.
No Answer.
What is the base address of “ntdll.dll” loaded from “notepad.exe”?
On the same process tab as for notepad.exe address :
ntdll.dll
Answer : 0x7ffd0be200000
What is the size of “ntdll.dll” loaded from “notepad.exe”?
Answer : 0x1ec000
How many DLLs were loaded by “notepad.exe”?
Using the filters : process name is “notepad.exe”, operation is “load image” and path ends with “.dll” :
Notepad filter
Notepad filter 2
Answer : 51
TASK 6 : Portable Executable Format
Read the above and answer the questions below.
No Answer.
What PE component prints the message “This program cannot be run in DOS mode”?
Answer : DOS STUB
Open “notepad.exe” in Detect It Easy and answer the questions below.
No Answer.
What is the entry point reported by DiE?
Looking in the DIE app :
Entry Point
Answer : 000000014001acd0
What is the value of “NumberOfSections”?
NumberOfSections Value
Answer : 0006
What is the virtual address of “.data”?
Hint : Found in the Section tab of the PE window
.data address
Answer : 00024000
What string is located at the offset “0001f99c”?
Offset
Answer : Microsoft.Notepad
TASK 7 : Interacting with Windows Internals
Open a command prompt and execute the provided file: “inject-poc.exe” and answer the questions below.
No Answer.
Enter the flag obtained from the executable below.
Flag
Answer : THM{1Nj3c7_4lL_7h3_7h1NG2}
TASK 8 : Conclusion
Read the above and continue learning!
No Answer.