
Windows DLLs

One of the most important things in the Windows OS is, of course, its DLLs. From performing basic tasks to loading applications, everything revolves around these DLLs, which facilitate those tasks. For us Red-Teamers, the amount of mayhem we can cause with these Win functions is unlimited. But like everything, we must first understand what these DLLs even are, and how they can further our progress in exploiting Windows machines :).

OS Architecture

User vs Kernel Mode

I'm sure you've all seen the OS protection ring. It summarizes what level of permissions each ring has, with the center (the kernel) having the most control. Although there are multiple rings, we will look at the two most important ones, User and Kernel. User mode is the least privileged of all modes and is reserved for applications, like your web browser, a game, Visual Studio, etc. Kernel mode is the highest privilege level code can run at and revolves around handling memory and resources, resolving conflicts, launching and managing applications, GUIs, and handling I/O devices.

User mode is a bit unique; unlike ring 0, it is its own isolated environment and can only perform surface-level operations. Kernel mode, on the other hand, is not bound by the chains of Windows restrictions; it can do whatever it wants, which is beneficial for certain processes but detrimental if anything goes wrong, since a fault there takes down the whole system rather than a single application.

User-mode vs. Kernel-mode by F1zm0

We'll quickly break down each section and what kind of processes to expect:

User-mode: This is your day-to-day permissions and tasks, opening up a file, using your browser, opening up your favorite game, etc.

Service Process: These are similar to user processes, which do not need a GUI and instead run in the background. The most common example is .

System Process: The second most critical process, which is essential for the Windows OS to operate. Ending these or having errors in these would result in crashing and the infamous BSOD.

Environment Subsystems: Used for the functionality of Windows APIs and support for those APIs in other applications. With the addition of WSL, this has further expanded with Linux application support.

The Windows Kernel

From Linux to macOS and, of course, Windows, the kernel is the brain of the operation; it's the guy who doesn't get enough credit for his work, but keeps everyone afloat. The kernel rests on the thin line between hardware and software. It translates software-level requests (from applications) and passes them to your CPU, providing the necessary processing power, memory, and other resources to ensure everything runs smoothly.

You can see the thin line between user (software) and kernel (hardware)

Kernel32.dll

One of the most crucial DLLs for the Windows OS. Kernel32.dll manages computer memory, processes, I/O operations, and system services. It also sits on the fine line between hardware and software architecture, serving as a mediator between the two.

Many of the APIs that we use, such as CreateProcessW, OpenProcess, CreateThread and VirtualAlloc, are all exported from Kernel32.dll.

Kernel32.dll has many other crucial functions, such as allocating proper resources to each process, basic file operations, etc. Think of it as the kernel's kitchen knife and the kernel as the chef. Without its knife the chef cannot perform many tasks, but with it, they are as one.
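To make concrete what "exported from Kernel32.dll" means at the binary level, here is an added example (not code from the original page): a small Python parser for the PE export directory, the table the Windows loader consults when an application imports a name like CreateProcessW or VirtualAlloc. Because a real kernel32.dll is not available offline, the script also builds a constructed sample DLL image; the build_demo_dll helper, the demo.dll name and the SAMPLE_EXPORTS entries are assumptions for the demo, not real kernel32 data. Run it with the path to a real kernel32.dll to list its exports, including forwarders, which are exports that merely redirect to a function in another DLL.

```python
import struct
import sys

# Added example (not from the original page). Offsets follow the PE/COFF
# specification; the sample DLL built below is constructed for the demo.

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _cstr(b, o): return b[o:b.index(b"\0", o)].decode("ascii")

def parse_exports(image: bytes) -> dict:
    """Map each named export of a PE file (on-disk layout) to its RVA (int),
    or to a forwarder string such as 'NTDLL.RtlAllocateHeap' (str)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = _u32(image, 0x3C)                               # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr, opt_hdr = nt + 4, nt + 24
    n_sections, opt_size = _u16(image, file_hdr + 2), _u16(image, file_hdr + 16)
    magic = _u16(image, opt_hdr)
    if magic == 0x10B:   dd = opt_hdr + 96                # PE32 data directories
    elif magic == 0x20B: dd = opt_hdr + 112               # PE32+ data directories
    else: raise ValueError(f"unknown optional header magic {magic:#x}")
    exp_rva, exp_size = _u32(image, dd), _u32(image, dd + 4)   # DataDirectory[0]
    if exp_rva == 0:
        return {}                                        # module exports nothing
    # Section table: needed to translate RVAs into file offsets.
    sections = []
    for i in range(n_sections):
        s = opt_hdr + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, s + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    def to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    ed = to_off(exp_rva)                                 # IMAGE_EXPORT_DIRECTORY
    n_names = _u32(image, ed + 24)
    funcs, names, ords = (to_off(_u32(image, ed + o)) for o in (28, 32, 36))
    exports = {}
    for i in range(n_names):
        name = _cstr(image, to_off(_u32(image, names + 4 * i)))
        ordinal = _u16(image, ords + 2 * i)              # index into AddressOfFunctions
        rva = _u32(image, funcs + 4 * ordinal)
        # An RVA pointing back into the export directory is a forwarder: the
        # "function" is really a string naming another DLL's export.
        exports[name] = _cstr(image, to_off(rva)) if exp_rva <= rva < exp_rva + exp_size else rva
    return exports

def build_demo_dll(exports: dict) -> bytes:
    """Constructed sample: a PE32+ image with a single .edata section.
    `exports` maps name -> RVA (int) or -> forwarder target (str)."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    names = sorted(exports)                              # linkers sort the name table
    n = len(names)
    blob = bytearray(40)                                 # export directory, patched below
    func_tbl, name_tbl, ord_tbl = 40, 40 + 4 * n, 40 + 8 * n
    blob += bytes(10 * n)                                # three tables: 4 + 4 + 2 bytes per entry
    def add_str(s):
        off = len(blob)
        blob.extend(s.encode("ascii") + b"\0")
        return SEC_RVA + off
    dll_name = add_str("demo.dll")
    for i, name in enumerate(names):
        target = exports[name]
        rva = add_str(target) if isinstance(target, str) else target
        struct.pack_into("<I", blob, func_tbl + 4 * i, rva)
        struct.pack_into("<I", blob, name_tbl + 4 * i, add_str(name))
        struct.pack_into("<H", blob, ord_tbl + 2 * i, i)
    struct.pack_into("<IIHHIIIIIII", blob, 0, 0, 0, 0, 0, dll_name, 1, n, n,
                     SEC_RVA + func_tbl, SEC_RVA + name_tbl, SEC_RVA + ord_tbl)
    exp_size = len(blob)
    dos = bytearray(0x40); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> NT headers
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)                                 # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112, SEC_RVA, exp_size)  # export DataDirectory entry
    sec = struct.pack("<8sIIIIIIHHI", b".edata", exp_size, SEC_RVA, 0x200,
                      SEC_RAW, 0, 0, 0, 0, 0x40000040)   # initialized data, readable
    hdrs = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(SEC_RAW, b"\0")
    return hdrs + bytes(blob).ljust(0x200, b"\0")

# Constructed sample exports, modelled on kernel32: two real entry points and one
# forwarder (kernel32 really does forward HeapAlloc to NTDLL.RtlAllocateHeap).
SAMPLE_EXPORTS = {"VirtualAlloc": 0x2000, "CreateThread": 0x2040,
                  "HeapAlloc": "NTDLL.RtlAllocateHeap"}

def demo() -> dict:
    """Parse the constructed sample image; returns the export map."""
    return parse_exports(build_demo_dll(SAMPLE_EXPORTS))

if __name__ == "__main__":
    # Usage: python pe_exports.py [C:\Windows\System32\kernel32.dll]
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_dll(SAMPLE_EXPORTS)
    for name, target in sorted(parse_exports(image).items()):
        shown = target if isinstance(target, str) else f"{target:#010x}"
        print(f"{name:<40} {shown}")
```

The forwarder check is the part worth remembering from a defender's side: a name you see in kernel32's export table is not always code in kernel32. When it forwards, the real implementation lives in ntdll (or another module), so detection logic or hooks placed on the kernel32 name never see the call; resolve the name to where it actually lands first. The same parser works unchanged on any PE, so it is equally useful for auditing what an unknown DLL exposes.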

Native API

References
