Undocumented Windows 2000 Secrets - Sven B. Schreiber

Undocumented Windows 2000 Secrets

A Programmer's Cookbook
Media combination (book and CD)
592 pages
2001
Addison Wesley
978-0-201-72187-4 (ISBN)
49.95 incl. VAT
  • This title is unfortunately out of print;
    no new edition planned
Microsoft documents only a small fraction of Windows 2000's internals, and the information Microsoft leaves out is of immense value to system-level developers. In Undocumented Windows 2000 Secrets, Sven Schreiber tears away the veil, exposing the portions of Windows 2000 that system programmers care about most. Schreiber focuses on the internals of the Native API, security, symbol files, system memory, debugging, kernel-mode drivers, kernel functions, kernel objects, and object management. He introduces sophisticated techniques aimed at enabling developers to write more effective device drivers, file system extensions, and other system-level software. Coverage includes: using the Windows 2000 debugging interfaces; loading, parsing, and utilizing Windows 2000 symbol files; exploring Windows 2000 system memory; hooking calls to the user-mode subset of the Native API; and calling kernel functions from user-mode applications. You'll find a wealth of code resources for system exploration, kernel-mode programming, spying on interfaces, and much more. This book is an essential companion to Microsoft's DDK documentation.

Sven B. Schreiber is a practicing systems programmer, working for a large corporation in Nürnberg, Germany. He has authored several technical articles for Dr. Dobb's Journal, Windows Developer's Journal, and others.

Contents

1. Windows 2000 Debugging Support.
  Setting Up a Debugging Environment.
  Preparing for a Crash Dump.
  Crashing the System.
  Installing the Symbol Files.
  Setting Up the Kernel Debugger.
  Kernel Debugger Commands.
  The Top 10 Debugging Commands.
  Shutting Down the Debugger.
  More Debugging Tools.
  PEview: The PE and COFF File Viewer.
  Windows 2000 Debugging Interfaces.
  psapi.dll, imagehlp.dll, and dbghelp.dll.
  Sample Code on the CD.
  Enumerating System Modules and Drivers.
  Enumerating Active Processes.
  Enumerating Process Modules.
  Adjusting Process Privileges.
  Enumerating Symbols.
  A Windows 2000 Symbol Browser.
  Microsoft Symbol File Internals.
  Symbol Decoration.
  The Internal Structure of .dbg Files.
  CodeView Subsections.
  CodeView Symbols.
  The Internal Structure of .pdb Files.
  PDB Symbols.
  Symbol Address Computation.
  OMAP Address Conversion.
  Another Windows 2000 Symbol Browser.

2. The Windows 2000 Native API.
  The NT*() and Zw*() Function Sets.
  Levels of Undocumentedness.
  The System Service Dispatcher.
  The Service Descriptor Tables.
  The INT 2Eh System Service Handler.
  The Win32 Kernel-Mode Interface.
  Win32K Dispatch Ids.
  The Windows 2000 Runtime Library.
  The C Runtime Library.
  The Extended Runtime Library.
  The Floating Point Emulator.
  Other API Function Categories.
  Frequently Used Data Types.
  Integral Types.
  Strings.
  Structures.
  Interfacing to the Native API.
  Adding the ntdll.dll Import Library to a Project.

3. Writing Kernel-Mode Drivers.
  Creating a Driver Skeleton.
  The Windows 2000 Device Driver Kit.
  A Customizable Driver Wizard.
  Running the Driver Wizard.
  Inside the Driver Skeleton.
  Device I/O Control.
  The Windows 2000 Killer Device.
  Loading and Unloading Drivers.
  The Service Control Manager.
  High-Level Driver Management Functions.
  Enumerating Services and Drivers.

4. Exploring Windows 2000 Memory.
  Intel i386 Memory Management.
  Basic Memory Layout.
  Memory Segmentation and Demand Paging.
  Data Structures.
  Macros and Constants.
  A Sample Memory Spy Device.
  Windows 2000 Memory Segmentation.
  The Device I/O Control Dispatcher.
  The IOCTL Function SPY_IO_VERSION_INFO.
  The IOCTL Function SPY_IO_OS_INFO.
  The IOCTL Function SPY_IO_SEGMENT.
  The IOCTL Function SPY_IO_INTERRUPT.
  The IOCTL Function SPY_IO_PHYSICAL.
  The IOCTL Function SPY_IO_CPU_INFO.
  The IOCTL Function SPY_IO_PDE_ARRAY.
  The IOCTL Function SPY_IO_PAGE_ENTRY.
  The IOCTL Function SPY_IO_MEMORY_DATA.
  The IOCTL Function SPY_IO_MEMORY_BLOCK.
  The IOCTL Function SPY_IO_HANDLE_INFO.
  A Sample Memory Dump Utility.
  Command Line Format.
  TEB-Relative Addressing.
  FS-Relative Addressing.
  FS:[base] Addressing.
  Handle/Object Resolution.
  Relative Addressing.
  Indirect Addressing.
  Loading Modules on the Fly.
  Demand-Paging in Action.
  More Command Options.
  Interfacing to the Spy Device.
  Device I/O Control Revisited.
  Windows 2000 Memory Internals.
  Basic Operating System Information.
  Windows 2000 Segments and Descriptions.
  Windows 2000 Memory Areas.
  Windows 2000 Memory Map.

5. Monitoring Native API Calls.
  Patching the Service Descriptor Table.
  Service and Argument Tables.
  Assembly Language to the Rescue.
  The Hook Dispatcher.
  The API Hook Protocol.
  Handling Handles.
  Controlling the API Hooks in User-Mode.
  The IOCTL Function SPY_IO_HOOK_INFO.
  The IOCTL Function SPY_IO_HOOK_INSTALL.
  The IOCTL Function SPY_IO_HOOK_REMOVE.
  The IOCTL Function SPY_IO_HOOK_PAUSE.
  The IOCTL Function SPY_IO_HOOK_FILTER.
  The IOCTL Function SPY_IO_HOOK_RESET.
  The IOCTL Function SPY_IO_HOOK_READ.
  The IOCTL Function SPY_IO_HOOK_WRITE.
  A Sample Hook Protocol Reader.
  Controlling the Spy Device.
  Highlights and Pitfalls.

6. Calling Kernel API Functions from User-Mode.
  A General Kernel Call Interface.
  Designing a Gate to Kernel-Mode.
  Linking to System Modules at Runtime.
  Looking Up Names Exported by a PE Image.
  Locating System Modules and Drivers in Memory.
  Resolving Symbols of Exported Functions and Variables.
  The Bridge to User-Mode.
  The IOCTL Function SPY_IO_MODULE_INFO.
  The IOCTL Function SPY_IO_PE_HEADER.
  The IOCTL Function SPY_IO_PE_EXPORT.
  The IOCTL Function SPY_IO_PE_SYMBOL.
  The IOCTL Function SPY_IO_CALL.
  Encapsulating the Call Interface in a DLL.
  Handling IOCTL Function Calls.
  Type-Specific Call Interface Functions.
  Data-Copying Interface Functions.
  Implementing Kernel API Thunks.
  Data Access Support Functions.
  Accessing Nonexported Symbols.
  Looking Up Internal Symbols.
  Implementing Kernel Function Thunks.

7. Windows 2000 Object Management.
  Windows 2000 Object Structures.
  Basic Object Categories.
  The Object Header.
  The Object Creator Information.
  The Object Name.
  The Object Handle Database.
  Resource Charges and Quotas.
  Object Directories.
  Object Types.
  Object Handles.
  Process and Thread Objects.
  Thread and Process Contexts.
  Process and Thread Environment Blocks.
  Accessing Live System Objects.
  Enumerating Object Directory Entries.
  Where Do We Go from Here?

Appendix A: Kernel Debugger Commands.

Appendix B: Kernel API Functions.

Appendix C: Constants, Enumerations, and Structures.
  Constants.
    Dispatcher Object Type Codes.
    File Object Flags.
    Portable Executable Section Directory Ids.
    I/O System Data Structure Type Codes.
    I/O Request Packet Functions.
    Object Header Flags.
    Object Type Array Indexes.
    Object Type Tags.
    Object Attribute Flags.
  Enumerations.
    IO_ALLOCATION_ACTION.
    LOOKASIDE_LIST_ID.
    MODE (see also KPROCESSOR_MODE).
    NT_PRODUCT_TYPE.
    POOL_TYPE.
  Structures and Aliases.
    ANSI_STRING.
    CALLBACK_OBJECT.
    CLIENT_ID.
    CONTEXT.
    CONTROLLER_OBJECT.
    CRITICAL_SECTION.
    DEVICE_OBJECT.
    DEVOBJ_EXTENSION.
    DISPATCHER_HEADER.
    DRIVER_EXTENSION.
    DRIVER_OBJECT.
    EPROCESS.
    ERESOURCE.
    ERESOURCE_OLD.
    ERESOURCE_THREAD.
    ETHREAD.
    ETIMER.
    FAST_MUTEX.
    FILE_OBJECT.
    FLOATING_SAVE_AREA.
    HANDLE_ENTRY.
    HANDLE_LAYER1, HANDLE_LAYER2, HANDLE_LAYER3.
    HANDLE_TABLE.
    HARDWARE_PTE.
    IMAGE_DATA_DIRECTORY.
    IMAGE_EXPORT_DIRECTORY.
    IMAGE_FILE_HEADER.
    IMAGE_NT_HEADERS.
    IMAGE_OPTIONAL_HEADER.
    IO_COMPLETION.
    IO_COMPLETION_CONTEXT.
    IO_ERROR_LOG_ENTRY.
    IO_ERROR_LOG_MESSAGE.
    IO_ERROR_LOG_PACKET.
    IO_STATUS_BLOCK.
    IO_TIMER.
    KAFFINITY.
    KAPC.
    KAPC_STATE.
    KDEVICE_QUEUE.
    KDEVICE_QUEUE_ENTRY.
    KDPC.
    KEVENT.
    KEVENT_PAIR.
    KGDTENTRY.
    KIDTENTRY.
    KIRQL.
    KMUTANT, KMUTEX.
    KPCR.
    KPRCB.
    KPROCESS.
    KPROCESSOR_MODE.
    KQUEUE.
    KSEMAPHORE.
    KTHREAD.
    KTIMER.
    KWAIT_BLOCK.
    LARGE_INTEGER.
    LIST_ENTRY.
    MMSUPPORT.
    NT_TIB (Thread Information Block).
    NTSTATUS.
    OBJECT_ATTRIBUTES.
    OBJECT_CREATE_INFO.
    OBJECT_CREATOR_INFO.
    OBJECT_DIRECTORY.
    OBJECT_DIRECTORY_ENTRY.
    OBJECT_HANDLE_DB.
    OBJECT_HANDLE_DB_LIST.
    OBJECT_HANDLE_INFORMATION.
    OBJECT_HEADER.
    OBJECT_NAME.
    OBJECT_NAME_INFORMATION.
    OBJECT_QUOTA_CHARGES.
    OBJECT_TYPE.
    OBJECT_TYPE_ARRAY.
    OBJECT_TYPE_INFO.
    OBJECT_TYPE_INITIALIZER.
    OEM_STRING.
    OWNER_ENTRY.
    PEB (Process Environment Block).
    PHYSICAL_ADDRESS.
    PROCESS_PARAMETERS.
    QUOTA_BLOCK.
    RTL_BITMAP.
    RTL_CRITICAL_SECTION_DEBUG.
    SECTION_OBJECT_POINTERS.
    SECURITY_DESCRIPTOR.
    SECURITY_DESCRIPTOR_CONTROL.
    SERVICE_DESCRIPTOR_TABLE.
    STRING.
    SYSTEM_SERVICE_TABLE.
    TEB (Thread Environment Block).
    TIME_FIELDS.
    ULARGE_INTEGER.
    UNICODE_STRING.
    VPB (Volume Parameter Block).
    WAIT_CONTEXT_BLOCK.

Bibliography.

Index.

Publication date (per publisher) 16.5.2001
Place of publication Boston
Language English
Weight 909 g
Subject area Computer science, Operating systems / Server, Windows
Computer science, Operating systems / Server, Windows Server
ISBN-10 0-201-72187-2 / 0201721872
ISBN-13 978-0-201-72187-4 / 9780201721874
Condition New