“Windows Internals for Beginners — Process & Thread Explained”
Welcome to our Windows Internals for Malware Development series. If you're starting out in red teaming, ethical hacking, or malware analysis, it all begins with understanding how Windows manages processes and threads.
In this blog, we’ll go through a hands-on practical where we:
- Create a basic C++ program that retrieves its own process ID (PID) and thread ID (TID).
- Use MinGW on Kali Linux to cross-compile the C++ code for Windows.
- Run the executable on a Windows machine and match its output against Task Manager or System Informer.
- Explain how understanding process and thread IDs lays the groundwork for code injection and more advanced malware development techniques.
Let’s get started with the practical walkthrough.
🔹 Process:
A process is a running instance of a program. It owns its own virtual address space, a handle table, a security token, and at least one thread. The process itself never executes anything; it is the container.
🔹 Thread:
A thread is the unit of execution the Windows scheduler actually runs. Think of the process as a container and threads as workers doing the job; every thread belongs to exactly one process and shares that process’s memory and handles.
In malware development, the process is the target of an injection (its address space is where the code is written), and the injected code is executed by a thread inside that process, either a newly created one or an existing one that is hijacked.
Here’s the basic C++ code used for this practical demonstration:

```cpp
#include <windows.h>
#include <iostream>
using namespace std;

int main() {
    // Both calls read IDs of the caller; no handle or privilege is needed.
    DWORD processId = GetCurrentProcessId();
    DWORD threadId = GetCurrentThreadId();   // the thread running main(), i.e. the main thread
    cout << ">> This is Process ID: " << processId << endl;
    cout << ">> This is Current Thread ID: " << threadId << endl;
    system("pause"); // Keeps the console open so you can look the PID up; runs "pause" in a cmd.exe child process
    return 0;
}
```

- Save the code as thread_process.cpp in your VSCode editor.
- On Kali, cross-compile it with the mingw-w64 toolchain, for example `x86_64-w64-mingw32-g++ thread_process.cpp -o thread_process.exe -static` (the `-static` flag keeps the C++ runtime inside the .exe so you don’t have to copy libstdc++ DLLs to the Windows machine). If you are working directly on Windows, you can build and run from VSCode instead.
- Copy thread_process.exe to the Windows machine and run it. You’ll see an output similar to this:
>> This is Process ID: 5132
>> This is Current Thread ID: 5896
Press any key to continue . . .
- Leave the window at the “Press any key” prompt, open System Informer or Task Manager, navigate to the Details tab, and match the displayed PID with the corresponding process. Windows recycles PIDs and TIDs once a process or thread exits, so the numbers only identify your program while it is still running.
✅ Congratulations! You've successfully linked the C++ code to a running Windows process!
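The same check done from PowerShell on the Windows machine, as an added example that is not part of the original post: it looks up the PID the program printed, lists the threads Windows has for that process, and confirms the printed TID is one of them. The two numbers at the top are placeholders taken from the sample output above; replace them with what your own run printed.

```powershell
# Added example (not from the original post). Replace the placeholders with the
# two numbers thread_process.exe printed while it is still sitting at "Press any key".
$ReportedPid = 5132
$ReportedTid = 5896

# -ErrorAction SilentlyContinue makes a missing PID return $null instead of throwing.
$proc = Get-Process -Id $ReportedPid -ErrorAction SilentlyContinue
if (-not $proc) {
    Write-Host "No process with PID $ReportedPid. Has the console window already been closed?"
    return
}

Write-Host ("PID {0} is {1} ({2})" -f $proc.Id, $proc.ProcessName, $proc.Path)

# .Threads is the collection of ProcessThread objects; .Id is the TID Windows assigned.
# Only properties that come from the process snapshot are selected, so no extra
# handle rights are needed.
$threads = $proc.Threads | Select-Object Id, ThreadState, BasePriority
$threads | Format-Table -AutoSize

if ($threads.Id -contains $ReportedTid) {
    Write-Host "TID $ReportedTid belongs to PID $ReportedPid, as the program reported."
} else {
    Write-Host "TID $ReportedTid is not a thread of PID $ReportedPid; the process may have exited and its IDs been reused."
}
```

Don’t be surprised if the table lists more than one thread even though the program creates none itself: the loader and runtime can start worker threads on the process’s behalf. System Informer’s Threads tab shows the same TIDs together with each thread’s start address, which is the view you will rely on later when looking at threads that injection creates.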
Why Is This Practical Important?
This basic exercise is not just academic — it’s the foundation of all malware development techniques:
- Code injection relies on functions like CreateRemoteThread, which takes a handle to the target process and starts a new thread in it, so understanding what a thread is becomes crucial.
- Process hollowing creates a new process in a suspended state, replaces its in-memory image, and then resumes its main thread, so it depends on manipulating both the process’s memory and its thread.
- Shellcode injection either targets an existing remote process by PID or creates a new one to execute the malicious code.
Knowing how to retrieve and interpret PIDs and TIDs is essential for understanding how attackers and red teamers operate at a deeper level.
In this practical, you have covered:
- How Windows represents running programs through processes and threads.
- How to retrieve the Process ID (PID) and Thread ID (TID) using Windows APIs.
- Analyzing running programs with tools like System Informer or Task Manager.
This basic yet crucial practical sets the foundation for what’s to come. In the next tutorials, we’ll dive deeper into:
- Creating remote threads.
- Injecting shellcode.
- Using Windows internals like handles, memory permissions, and APIs to manipulate processes.
For anyone serious about red teaming, ethical hacking, or malware analysis, this marks the beginning of your technical journey.
-Malforge Group.


