• ALU (Arithmetic Logic Unit)
• Functions and arithmetic operations
• Control Unit (CU)
• Role in instruction execution
• Instruction cycle
• Registers
• General-purpose registers
• Segment registers
• Flags register
• Instruction pointer

• Functions
• A function is a named sequence of instructions that performs a specific task.
• Process
• A process is an instance of a running program.
• It represents the execution environment for a program, including its memory space, resources, and execution state.
• Thread
• A thread is a unit of execution within a process.
• It represents a single sequence of instructions that can be scheduled and executed independently.
• Threads share the same memory space as the process and can communicate with each other.
• Stack
• The stack is a region of memory used for organizing function calls and managing local variables.
• It grows and shrinks dynamically as functions are called and return.
• Stack Frames
• A stack frame, also known as an activation record, is a data structure associated with each function call on the stack.
• It contains information such as the return address, function arguments, and local variables.
• Heaps
• The heap is a region of memory used for dynamic memory allocation.
• It is managed by the program and can be used to allocate and deallocate memory blocks at runtime.
• Handles
• Handles are unique identifiers used by an operating system to reference resources such as files, windows, or synchronization objects.
• Exceptions
• Exceptions are events that occur during program execution that disrupt the normal flow.
• They are often triggered by exceptional conditions such as errors or abnormal situations.

Segment registers are used in x86 architecture for memory segmentation. They include:

• CS (Code Segment): Points to the segment that contains the current instruction being executed
• DS (Data Segment): Points to the segment that contains data used by the program
• SS (Stack Segment): Points to the segment used for the stack
• ES (Extra Segment): Used as an additional data segment
• FS and GS (Additional Segments): Additional segment registers available in some x86 processors

The Instruction Pointer (IP) or EIP (Extended Instruction Pointer) register stores the memory address of the next instruction to be executed.

• x86
• Intel's x86 architecture commonly used in modern desktop and server systems.
• ARM
• ARM architecture widely used in mobile devices, embedded systems, and IoT devices.

Memory addressing in x86 architecture involves various addressing modes:

• Direct addressing: Accessing memory using a specific memory address.

  mov eax, [0x12345678]

• Indirect addressing: Accessing memory using a value stored in a register or memory location.

  mov eax, [ebx]

• Indexed addressing: Adding an offset to a base address stored in a register.

  mov eax, [ebx + 0x10]

• Scaled indexing: Multiplying an offset by a scaling factor before adding it to a base address.

  mov eax, [ebx + esi*2]

• Relative addressing: Accessing memory relative to the current instruction pointer or program counter.

  jmp near ptr label

; Example x86 assembly code
section .text
  global _start

_start:
  mov eax, 1          ; Control Flow - Move value 1 into the eax register
  mov ebx, 42         ; Control Flow - Move value 42 into the ebx register
  add eax, ebx        ; Arithmetic Operations - Add the values in eax and ebx, storing the result in eax
  cmp eax, 50         ; Control Flow - Compare eax with the value 50
  jl less_than_50     ; Control Flow - Jump if less than 50
  jg greater_than_50  ; Control Flow - Jump if greater than 50
  jmp equal_to_50     ; Control Flow - Jump if equal to 50

less_than_50:
  ; Code for when eax is less than 50
  jmp end

greater_than_50:
  ; Code for when eax is greater than 50
  jmp end

equal_to_50:
  ; Code for when eax is equal to 50

end:
  ; End of program
  mov eax, 1

Windows supports different file systems. Here's a comparison:

In Windows, important directories include:

• User Directory (e.g., C:\Users\Username): The user's home directory, which contains personal files and user-specific settings.
• System Directory (e.g., C:\Windows\System32): Stores essential system files and libraries.
• Registry (e.g., HKEY_CURRENT_USER\Software): A hierarchical database that stores system and application settings.

When comparing the file structures of 32-bit and 64-bit versions of Windows, the main difference lies in the system directories. On 64-bit systems, there are separate directories for 32-bit and 64-bit files:

• 32-bit System Directory: C:\Windows\SysWOW64
• 64-bit System Directory: C:\Windows\System32

This structure ensures compatibility for 32-bit applications on 64-bit systems.

Consists of keys, subkeys, and values. Here's an overview of the registry structure:

The Windows API (Application Programming Interface) provides a set of functions that allow developers to interact with the operating system and its components.

Memory Management

Windows identifies memory regions through memory addresses and uses memory management techniques to allocate, deallocate, and protect memory. Some unique attributes include:

• Virtual Memory: The virtual memory system provides each process with its own address space, allowing programs to operate independently of one another.
• Memory Protection: Memory regions can be protected with different access permissions, such as read, write, or execute, to ensure memory integrity and security.
• Page Tables: Windows employs page tables to map virtual addresses to physical addresses and manage memory pages efficiently.

Process Management

A process in Windows represents an instance of a running program. Each process has a unique identifier (Process ID) and its own virtual address space. Some important attributes and API functions include:

Thread Management

A thread represents an execution context within a process. Threads allow concurrent execution and enable multitasking. Each thread has its own stack, registers, and execution state but uses the virtual address space assigned to its parent process. Some important attributes and API functions include:

• PEB: The PEB contains information about a process, including its image base address, command-line arguments, environment variables, loaded modules, and more.
• TEB: The TEB stores thread-specific information, such as the thread ID, stack base and limit, thread-local storage (TLS) data, and exception handling information.

Here's a table summarizing the attributes and API functions related to the PEB and TEB:

A hex editor is a tool used to view and edit binary files at the hexadecimal level. It allows users to examine and modify the raw data of files, including executables, libraries, and other binary formats.

A decompiler is a tool that takes an executable or binary file and attempts to reconstruct the original source code from which it was compiled. It can be useful in reverse engineering to analyze and understand the functionality and logic of a program.

A disassembler is a tool that converts machine code or binary files into assembly language instructions. It allows reverse engineers to examine the low-level instructions of a program, understand its structure, and analyze its behavior.

A debugger is a tool used for analyzing and troubleshooting programs. It allows users to execute a program step by step, set breakpoints, inspect variables, and track the program's execution flow. Debuggers are essential for dynamic analysis, bug hunting, and vulnerability discovery.

• Ring0
  • A ring0 debugger operates in kernel mode and provides deep visibility into the system's inner workings and allows for advanced kernel-level debugging, allowing access to any address in memory.
• Ring3
  • A ring3 debugger operates in user mode and only lets us access the address space used by the process we are debugging. They are often user friendly but are commonly detected by anti-reversing techniques

• System:
  • System monitoring tools are used to monitor access to files or registry keys
• API:
  • API monitoring tools hook Windows APIs used by the process under examination.