youthopk.blogg.se

Sysinternals api monitor

In this third part, we'll be taking a look at the powerful "Process Monitor", or "procmon" for short. We'll start with an introduction on what happens when a process requests something from the OS, and then we'll dive into procmon and how we can use some of its features to understand and hunt malware. Before we start our journey into procmon, I think we should make a little detour and understand what happens when a process tries to request something from the OS by taking a look at some Internals.

Windows Internals and The Win32 API

Windows segregates user operations and OS operations by what's called "User Space / User Mode" and "Kernel Space / Kernel Mode". User space will contain everything ranging from applications, services, system processes like the service control manager and the session manager, and everything that the user will execute. The kernel space, on the other hand, will handle everything related to memory, drivers, the file system, I/O, etc. So let's say we have an application and we'll call it "Application X". In Windows this application will be represented by a process in user mode when it runs, and it will possess at least one thread of execution.

Our process will want to do something at one point in its lifetime, as a good process should.