Skip to main content


Showing posts from August, 2012

Deep Dive to Windows, Part 2

In this section, I’d like to disassemble our main function which we’ve written in series 1 and would like to see how it looks like. Also would like to see if we can see the string “Hello World”. I’ve launched my sample executable using WinDbg. Then Issued following command: x sample_hello!*main* *** WARNING: Unable to verify checksum for Sample_Hello.exe 00419048           Sample_Hello!__native_dllmain_reason = 0xffffffff 0041917c           Sample_Hello!mainret = 0n0 004114b0           Sample_Hello!wmain (int, wchar_t **) 004122b0           Sample_Hello!__tmainCRTStartup (void) 00412290           Sample_Hello!wmainCRTStartup (void) 00413592           Sample_Hello!__wgetmainargs ( ) 0041a3d8           Sample_Hello!_imp____wgetmainargs = Since we know my intended function is ‘main’ so I searched for it. The highlighted one is our main function. Then unassembled the function using following command: 0:000> uf Sample_Hello!wmain Sample_Hello!wmain

Deep Dive to Windows, Part 1

This part of the discussion will revolve more towards inside of Windows OS. I bet you’ll love the way it has been designed and evolved. Issues might be there while using the OS but it’s a matter of debate whether application has been designed the way windows expect etc. This is not the space for that debate. Also, it’s is a not aim to teach anyone about windows but some facts and figure and little bit stack analysis and more. This is the first attempt from my side to do little bit debugging (I’m not an experienced debugger without source code) for user mode. Note: Mark’s (Mark Russionovich, widely popular for his work in Windows Internals) work always been inspiring for me. Let’s start the journey : In this series target environment is x86. In this series, I’d like to cover: 1.        Thread Environment Block: It’s a data structure that stores info about the currently running thread of a process. 2.        How it looks and what’s the significance of it? Le