Windows Internals

        • Start the provided machine and move on to the next tasks.

        No Answer

        • Open the provided file: "Logfile.PML" in Procmon and answer the questions below. 

        No Answer.

        • What is the process ID of "notepad.exe"?

        Opening the logfile in Procmon, then switching to the process tree view:



        Answer : 5984

        • What is the parent process ID of the previous process?

        Answer : 3412

        • What is the integrity level of the process?

        Opening the notepad.exe entry in the list:


        Answer : high

        • Open the provided file: "Logfile.PML" in Procmon and answer the questions below. 

        No Answer.

        • What is the thread ID of the first thread created by notepad.exe?


        Answer : 5908

        • What is the stack argument of the previous thread?

        Filtered with just "show thread activity" :


        Then added the filter "contain thread" :


        I opened the first "Thread" event from notepad.exe, and it has the thread ID from the previous question, 5908:


        Answer : 6584

        • Read the above and answer the questions below. 

        No Answer.

        • What is the total theoretical maximum virtual address space of a 32-bit x86 system?

        Answer : 4 GB

        • What default setting flag can be used to reallocate user process address space?

        Answer : increaseUserVA

        • Open the provided file: "Logfile.PML" in Procmon and answer the questions below.

        No Answer.

        • What is the base address of "notepad.exe"?

        Hint : Listed as the operation Load Image.

        First I searched the events for notepad.exe "Load Image":


        Then looking in the Process tab for the address:


        Answer : 0x7ff652ec0000

        • Open the provided file: "Logfile.PML" in Procmon and answer the questions below. 

        No Answer.

        • What is the base address of "ntdll.dll" loaded from "notepad.exe"?

        On the same Process tab as for the notepad.exe address:


        Answer : 0x7ffd0be200000

        • What is the size of "ntdll.dll" loaded from "notepad.exe"?

        Answer : 0x1ec000

        • How many DLLs were loaded by "notepad.exe"?

        Using the filters : process name is "notepad.exe", operation is "load image" and path ends with ".dll" :



        Answer : 51
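        The Procmon questions above (process ID and parent PID, first thread ID, image base and size, and the DLL count) are all filters over the same event list. As an added example that is not part of this write-up, the script below applies the same filters to a Procmon CSV export (File > Save > CSV). The sample rows are constructed, and the column names and the wording of the "Detail" column ("Parent PID: ...", "Thread ID: ...", "Image Base: ..., Image Size: ...") are assumptions modelled on Procmon's export format, not taken from the room's Logfile.PML; every PID, thread ID and address in the sample is made up.

```python
import csv
import io
import re

# Constructed sample of a Procmon CSV export. Column set and "Detail" wording are assumptions
# modelled on Procmon's output; all PIDs, thread IDs, paths and addresses are invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.0000000","explorer.exe","1000","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 4242, Command line: notepad.exe"
"10:00:00.0000010","notepad.exe","4242","Process Start","","SUCCESS","Parent PID: 1000, Command line: notepad.exe"
"10:00:00.0000020","notepad.exe","4242","Thread Create","","SUCCESS","Thread ID: 4300"
"10:00:00.0000030","notepad.exe","4242","Load Image","C:\Windows\System32\notepad.exe","SUCCESS","Image Base: 0x7ff7a0d10000, Image Size: 0x38000"
"10:00:00.0000040","notepad.exe","4242","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ffd9c1f0000, Image Size: 0x1f0000"
"10:00:00.0000050","notepad.exe","4242","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ffd9a1b0000, Image Size: 0xbd000"
"10:00:00.0000060","notepad.exe","4242","Load Image","C:\Windows\System32\KernelBase.dll","SUCCESS","Image Base: 0x7ffd99b40000, Image Size: 0x2e9000"
"10:00:00.0000070","notepad.exe","4242","Thread Create","","SUCCESS","Thread ID: 4304"
"10:00:00.0000080","notepad.exe","4242","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Read"
"10:00:00.0000090","svchost.exe","1234","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ffd9c1f0000, Image Size: 0x1f0000"
'''


def load_events(text):
    """Parse the CSV text into one dict per event, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def detail_field(detail, key):
    """Pull 'Key: value' out of the comma-separated Detail column (None if absent)."""
    m = re.search(r"(?:^|, )" + re.escape(key) + r": ([^,]+)", detail)
    return m.group(1) if m else None


def process_ids(events, name):
    """PID and parent PID of the first 'Process Start' event for the named process
    (what the process tree view shows)."""
    for e in events:
        if e["Process Name"] == name and e["Operation"] == "Process Start":
            return int(e["PID"]), int(detail_field(e["Detail"], "Parent PID"))
    return None


def first_thread_id(events, pid):
    """Thread ID carried by the first 'Thread Create' event of the given PID."""
    for e in events:
        if int(e["PID"]) == pid and e["Operation"] == "Thread Create":
            return int(detail_field(e["Detail"], "Thread ID"))
    return None


def loaded_images(events, name):
    """Map each image path loaded by the process to (base, size), i.e. the filter
    'Process Name is <name>' + 'Operation is Load Image'."""
    images = {}
    for e in events:
        if e["Process Name"] == name and e["Operation"] == "Load Image":
            base = int(detail_field(e["Detail"], "Image Base"), 16)
            size = int(detail_field(e["Detail"], "Image Size"), 16)
            images[e["Path"]] = (base, size)
    return images


def count_dlls(images):
    """Equivalent of adding 'Path ends with .dll' to the Load Image filter."""
    return sum(1 for path in images if path.lower().endswith(".dll"))


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    pid, ppid = process_ids(events, "notepad.exe")
    print("notepad.exe PID %d, parent PID %d" % (pid, ppid))
    print("first thread ID:", first_thread_id(events, pid))
    images = loaded_images(events, "notepad.exe")
    for path, (base, size) in images.items():
        print("%-45s base 0x%x size 0x%x" % (path, base, size))
    print("DLLs loaded:", count_dlls(images))
```

        The same base-address and size fields are what the Process tab of the event properties shows; filtering the CSV is just a repeatable way of getting them without clicking through the GUI, which is useful when comparing many captures.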

        • Read the above and answer the questions below. 

        No Answer.

        • What PE component prints the message "This program cannot be run in DOS mode"?

        Answer : DOS STUB

        • Open "notepad.exe" in Detect It Easy and answer the questions below.

        No Answer.

        • What is the entry point reported by DiE?

        Looking in the DIE app :


        Answer : 000000014001acd0

        • What is the value of "NumberOfSections"?


        Answer : 0006

        • What is the virtual address of ".data"?

        Hint : Found in the Section tab of the PE window


        Answer : 00024000

        • What string is located at the offset "0001f99c"?


        Answer : Microsoft.Notepad
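        Everything DiE reported in the questions above (the DOS stub message, the entry point, NumberOfSections, the virtual address of ".data" and a string at a raw file offset) comes straight from the PE headers. As an added example that is not part of this write-up, the parser below reads those fields with struct. Because the room's notepad.exe is not available offline, it builds its own minimal PE32+ image in memory (constructed test data, not a real binary) with three sections and a string placed at a chosen offset; the section names, addresses and the string offset are invented. Note that DiE reports the entry point as ImageBase plus the AddressOfEntryPoint RVA, which is why the value on the page starts with the default 64-bit image base 0x140000000.

```python
import struct

DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode."
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Construct a minimal PE32+ image in memory (constructed test data, not a real binary):
    DOS header, DOS stub with the classic message, PE signature, COFF header,
    240-byte optional header and three section headers."""
    e_lfanew = 0x80
    image = bytearray(0x800)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    image[0x40:0x40 + len(DOS_STUB_MESSAGE)] = DOS_STUB_MESSAGE  # the DOS stub text
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    opt_size = 240  # PE32+ optional header with 16 data directories
    # Machine=AMD64, NumberOfSections=3, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, coff, 0x8664, 3, 0, 0, 0, opt_size, 0x22)
    opt = coff + 20
    struct.pack_into("<H", image, opt, 0x20B)               # Magic: PE32+
    struct.pack_into("<I", image, opt + 16, 0x1000)         # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", image, opt + 24, 0x140000000)    # ImageBase
    table = opt + opt_size
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData); invented layout
    sections = [(b".text", 0x1000, 0x1000, 0x200, 0x200),
                (b".rdata", 0x800, 0x2000, 0x200, 0x400),
                (b".data", 0x400, 0x3000, 0x200, 0x600)]
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(sections):
        struct.pack_into(SECTION_HEADER, image, table + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x40000040)
    # A string inside .rdata's raw data, the kind DiE's strings view lists by file offset
    image[0x4C0:0x4C0 + 17] = b"Microsoft.Notepad"
    return bytes(image)


def parse_pe(data):
    """Return the header fields DiE shows: DOS stub text, entry point, NumberOfSections, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stub = data[0x40:e_lfanew]                         # DOS stub sits before the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:    # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:  # PE32: BaseOfData at 24, 32-bit ImageBase at 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = {}
    table = opt + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)[:5]
        sections[name.rstrip(b"\0").decode("ascii")] = {
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": rawsize, "raw_pointer": rawptr}
    return {
        "machine": machine,
        "dos_stub_message": stub.split(b"\0", 1)[0].decode("ascii", "replace"),
        "image_base": image_base,
        "entry_point_rva": entry_rva,
        "entry_point": image_base + entry_rva,  # the ImageBase + RVA form DiE displays
        "number_of_sections": nsec,
        "sections": sections,
    }


def read_string_at(data, offset):
    """Return the NUL-terminated ASCII string starting at a raw file offset."""
    return data[offset:data.index(b"\0", offset)].decode("ascii")


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("DOS stub:", info["dos_stub_message"])
    print("entry point: %016x" % info["entry_point"])
    print("NumberOfSections: %04x" % info["number_of_sections"])
    print(".data VA: %08x" % info["sections"][".data"]["virtual_address"])
    print("string at 0x4c0:", read_string_at(sample, 0x4C0))
```

        Run against a real file by replacing build_sample_pe() with open(path, "rb").read(); the field offsets are the documented IMAGE_NT_HEADERS layout, so the same code handles the PE32 case via the magic check.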

        • Open a command prompt and execute the provided file: "inject-poc.exe" and answer the questions below. 

        No Answer.

        • Enter the flag obtained from the executable below.


        Answer : THM{1Nj3c7_4lL_7h3_7h1NG2}

        • Read the above and continue learning! 

        No Answer.