[TOC]
# Malware Development - Windows
## Process

Processes are isolated from each other: each process has its own virtual address space.
Chrome.exe, for example, consists of multiple processes working together.
### VA (Virtual Address) spaces

### Memory Map

### Process Type
#### 1. Application Process
Processes visible in Task Manager that the user can terminate.
#### 2. Background Process
Processes running in the background; they don't require user interaction and start automatically.
e.g.
- Software updaters
- Monitors such as AV (Anti-Virus)
- File indexing
#### 3. Windows Process (System Process)
Windows processes perform critical tasks during the system's startup.
Examples:
- Memory management
- Security
- Drivers
### Process Priority

CPU time is just a measure of the amount of time the CPU spends processing instructions for a specific task or process.
Six priority ratings:
- Real-Time (Notice)
- High
- Normal (Default) (Notice)
- Below Low
- Low (Notice)

Input handling, the keyboard and the disk cache have high priority!
If we set the priority class of a CPU-intensive program (Minecraft.exe XD) to real-time, it will lock up our computer.

### Threads
Each process starts with a single thread, often called the primary or main thread.

Processes and threads are both units of execution.
Processes are independent of each other.
Threads are interdependent and share memory within their process; like a process, a thread has an ID and a handle.
## Handle
A handle is a generic unit of identification.
A handle is a 32-bit or 64-bit integer; it is like a resource identifier.
A handle is a pointer (variable).
We can pass a handle to another process to invoke the resource.

It allows our program or code to interact with the resource without accessing its memory directly (compare DMA).
> DMA is a technique that allows an I/O device to access main memory directly, without CPU involvement, to speed up memory operations.

We won't use these handles ourselves; instead we pass them to functions, which use them to accomplish the goal.

### Types of handle
Win32 API
#### Handle to Process (and Threads etc.)
Naming convention for handles:
- Handle to Thread -> hThread
- Handle to Process -> hProcess
```c
HANDLE hThread, hProcess;
```
#### Handle to Module
Handle to Module -> hModule
```c
HANDLE hModule;
```
#### Handle to Window
```c
HWND myWindow;
```
Suppose we call a function GetProcessInfo():
we need to pass a handle to the process to the GetProcessInfo() function.
Handles are system-wide.
If we have Process A and Process B:
if Process A finds out its own process handle, it can send the handle value to Process B.

### Inheriting handles
Handle inheritance means that when a process spawns a new process, the new process inherits the parent's handle values.
If handle inheritance is enabled,
the parent and child processes hold the same handle values.
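As an added example tying together the priority, thread and handle notes above (not part of the original notes), this PowerShell script lists each process's priority class, thread count and handle count, flags processes running at RealTime or High priority, and lowers a CPU-hungry process without ever choosing RealTime. It assumes a Windows host; the function names Get-ProcessPriorityReport and Set-SafePriorityClass are my own.

```powershell
# Added example; not part of the original notes. Assumes a Windows host with
# Windows PowerShell 5.1 or PowerShell 7 (System.Diagnostics.Process).
# Hypothetical helper names: Get-ProcessPriorityReport, Set-SafePriorityClass.

function Get-ProcessPriorityReport {
    [CmdletBinding()]
    param(
        # Priority classes to flag: RealTime starves the input and disk-cache
        # threads the notes mention, and High is worth a second look.
        [string[]]$Flag = @('RealTime', 'High')
    )
    Get-Process | ForEach-Object {
        $p = $_
        # Reading PriorityClass opens the process with query rights; protected
        # and system processes refuse that, so record it instead of aborting.
        try   { $class = $p.PriorityClass.ToString() }
        catch { $class = 'AccessDenied' }
        [pscustomobject]@{
            Name     = $p.ProcessName
            PID      = $p.Id
            Priority = $class
            Threads  = $p.Threads.Count   # every process has at least its main thread
            Handles  = $p.HandleCount     # entries in the process's handle table
            Flagged  = $Flag -contains $class
        }
    }
}

function Set-SafePriorityClass {
    # Lowers (or raises) a process's priority class but refuses RealTime,
    # which would lock up the machine for a CPU-bound program.
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [ValidateSet('Idle', 'BelowNormal', 'Normal', 'AboveNormal', 'High')]
        [string]$PriorityClass = 'BelowNormal'
    )
    $p = Get-Process -Id $ProcessId -ErrorAction Stop
    $p.PriorityClass = [System.Diagnostics.ProcessPriorityClass]$PriorityClass
    "$($p.ProcessName) ($ProcessId) -> $($p.PriorityClass)"
}

# Review the flagged processes, busiest handle tables first.
Get-ProcessPriorityReport |
    Where-Object Flagged |
    Sort-Object Handles -Descending |
    Format-Table Name, PID, Priority, Threads, Handles -AutoSize
```

Run `Set-SafePriorityClass -ProcessId <pid>` against a CPU-heavy process to drop it to BelowNormal; changing another user's process requires an elevated shell.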
# [Win32API](/4ZXPUaeVQrSLIfHY0PQ7zg)
# [Process Injection](/BcZuF3kgSp-V579c5t2NeA)
# [DLL Injection](/BAP2C10TRuqike0p0GfjhA)
# [Native API](/is95OecaQ06475OlHFwaGQ)
# System Call

Owner: 侯智晟
Gmail: meowheckerouo@gmail.com
# Reference:
https://www.youtube.com/watch?v=aNEqC-U5tHM