Home > Store

Undocumented Windows 2000 Secrets: A Programmer's Cookbook

Register your product to gain access to bonus material or receive a coupon.

Undocumented Windows 2000 Secrets: A Programmer's Cookbook

Book

  • Sorry, this book is no longer in print.
Not for Sale

Description

  • Copyright 2001
  • Dimensions: 7-3/8x9-1/4
  • Pages: 592
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-72187-2
  • ISBN-13: 978-0-201-72187-4

Most of the Windows 2000 and NT operating system kernels beneath the Win32 surface have not been publicly documented by Microsoft. Therefore, system programmers must explore the operating system on their own to learn more about its internal structures and functions--information essential to developing more sophisticated system level software.

In Undocumented Windows 2000 Secrets, Windows programming aficionado Sven B. Schreiber reveals numerous undocumented features of the Windows 2000 and NT 4.0 kernel--secrets he has discovered through years of close examination and exploration. Much of this material is published here for the first time, most notably, the specification of the Microsoft PDB file format and the documentation of the system's core object structures. The author describes these features in depth, shows how to put them to work, and introduces expert techniques for writing high-quality system-level software.

You will find an introduction to the basic architecture of Windows 2000, a guide to setting up your workstation to explore the kernel, and an introduction to kernel-mode driver programming. Specific topics featured include the following:

  • Using the Windows 2000 debugging interfaces
  • Loading, parsing, and utilizing the Windows 2000 symbol files
  • Foundations of the native API, including the Win32 kernel-mode interface and the Windows 2000 Runtime Library
  • Basics of kernel-mode driver development
  • Windows 2000 system memory, including a sample memory spy device and a sample memory dump utility
  • Hooking calls to the user-mode subset of the native API
  • Calling kernel API functions from user-mode applications
  • Windows 2000 kernel objects, covering basic object structures and accessing live system objects

Each chapter incorporates sample code that demonstrates these functions in action and which can be reused by any programmer to give an immediate boost to their Windows programs. The accompanying CD contains the source code for all of the samples in the book, as well as compiled and linked binary builds. The CD also includes the Multi-Format Visual Disassembler by Jean-Louis Seigne and the PE and COFF File Viewer by Wayne Radburn. These programs are not just barebones applications but full-fledged debugging applications and libraries. The companion Web site, http://www.orgon.com/w2k_internals/, contains additional samples and updates.

You will not only learn about many practical tools and techniques, but you will also gain a deeper understanding into Windows 2000 internals that will enhance your overall ability to debug and optimize Windows applications.



0201721872B06012001

Sample Content

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:
schreiberch4.pdf

Table of Contents



1. Windows 2000 Debugging Support. @AHEADS Setting Up a Debugging Environment.

Preparing for a Crash Dump.

Crashing the System.

Installing the Symbol Files.

Setting Up the Kernel Debugger.

Kernel Debugger Commands.

The Top 10 Debugging Commands.

Shutting Down the Debugger.

More Debugging Tools.

PEview: The PE and COFF File Viewer.

Windows 2000 Debugging Interfaces. @BHEADS psapi.dll, imagehlp.dll, and dbghelp.dll.

Sample Code on the CD.

Enumerating System Modules and Drivers.

Enumerating Active Processes.

Enumerating Process Modules.

Adjusting Process Privileges.

Enumerating Symbols.

A Windows 2000 Symbol Browser.

Microsoft Symbol File Internals.

Symbol Decoration.

The Internal Structure of .dbg Files.

CodeView Subsections.

CodeView Symbols.

The Internal Structure of .pdb Files.

PDB Symbols.

Symbol Address Computation.

OMAP Address Conversion.

Another Windows 2000 Symbol Browser.



2. The Windows 2000 Native API 97.

The NT*() and Zw*() Function Sets

Levels of Undocumentedness.

The System Service Dispatcher.

The Service Descriptor Tables.

The INT 2Eh System Service Handler.

The Win32 Kernel-Mode Interface.

Win32K Dispatch Ids.

The Windows 2000 Runtime Library.

The C Runtime Library.

The Extended Runtime Library.

The Floating Point Emulator.

Other API Function Categories.

Frequently Used Data Types.

Integral Types.

Strings.

Structures.

Interfacing to the Native API.

Adding the ntdll.dll Import Library to a Project.



3. Writing Kernel-Mode Drivers.

Creating a Driver Skeleton.

The Windows 2000 Device Driver Kit.

A Customizable Driver Wizard.

Running the Driver Wizard.

Inside the Driver Skeleton. Device I/O Control.

The Windows 2000 Killer Device.

Loading and Unloading Drivers.

The Service Control Manager.

High-Level Driver Management Functions.

Enumerating Services and Drivers.



4. Exploring Windows 2000 Memory.

Intel i386 Memory Management.

Basic Memory Layout.

Memory Segmentation and Demand Paging.

Data Structures. Macros and Constants.

A Sample Memory Spy Device.

Windows 2000 Memory Segmentation.

The Device I/O Control Dispatcher.

The IOCTL Function SPY_IO_VERSION_INFO.

The IOCTL Function SPY_IO_OS_INFO.

The IOCTL Function SPY_IO_SEGMENT.

The IOCTL Function SPY_IO_INTERRUPT.

The IOCTL Function SPY_IO_PHYSICAL.

The IOCTL Function SPY_IO_CPU_INFO.

The IOCTL Function SPY_IO_PDE_ARRAY.

The IOCTL Function SPY_IO_PAGE_ENTRY.

The IOCTL Function SPY_IO_MEMORY_DATA.

The IOCTL Function SPY_IO_MEMORY_BLOCK.

The IOCTL Function SPY_IO_HANDLE_INFO.

A Sample Memory Dump Utility.

Command Line Format.

TEB-Relative Addressing.

FS-Relative Addressing FS:[base] Addressing.

Handle/Object Resolution.

Relative Addressing.

Indirect Addressing.

Loading Modules on the Fly.

Demand-Paging in Action.

More Command Options.

Interfacing to the Spy Device.

Device I/O Control Revisited.

Windows 2000 Memory Internals.

Basic Operating System Information.

Windows 2000 Segments and Descriptions.

Windows 2000 Memory Areas.

Windows 2000 Memory Map.



5. Monitoring Native API Calls.

Patching the Service Descriptor Table.

Service and Argument Tables.

Assembly Language to the Rescue.

The Hook Dispatcher.

The API Hook Protocol.

Handling Handles.

Controlling the API Hooks in User-Mode.

The IOCTL Function SPY_IO_HOOK_INFO.

The IOCTL Function PY_IO_HOOK_INSTALL.

The IOCTL Function SPY_IO_HOOK_REMOVE.

The IOCTL Function SPY_IO_HOOK_PAUSE.

The IOCTL Function SPY_IO_HOOK_FILTER.

The IOCTL Function SPY_IO_HOOK_RESET.

The IOCTL Function SPY_IO_HOOK_READ.

The IOCTL Function SPY_IO_HOOK_WRITE.

A Sample Hook Protocol Reader.

Controlling the Spy Device.

Highlights and Pitfalls.



6. Calling Kernel API Functions from User-Mode.

A General Kernel Call Interface.

Designing a Gate to Kernel-Mode.

Linking to System Modules at Runtime.

Looking Up Names Exported by a PE Image.

Locating System Modules and Drivers in Memory.

Resolving Symbols of Exported Functions and Variables.

The Bridge to User-Mode. The IOCTL Function SPY_IO_MODULE_INFO.

The IOCTL Function SPY_IO_PE_HEADER.

The IOCTL Function SPY_IO_PE_EXPORT.

The IOCTL Function SPY_IO_PE_SYMBOL.

The IOCTL Function SPY_IO_CALL.

Encapsulating the Call Interface in a DLL.

Handling IOCTL Function Calls.

Type-Specific Call Interface Functions.

Data-Copying Interface Functions.

Implementing Kernel API Thunks.

Data Access Support Functions.

Accessing Nonexported Symbols.

Looking Up Internal Symbols. Implementing Kernel Function Thunks.



7. Windows 2000 Object Management.

Windows 2000 Object Structures.

Basic Object Categories.

The Object Header.

The Object Creator Information.

The Object Name.

The Object Handle Database.

Resource Charges and Quotas.

Object Directories.

Object Types.

Object Handles.

Process and Thread Objects.

Thread and Process Contexts.

Process and Thread Environment Blocks.

Accessing Live System Objects.

Enumerating Object Directory Entries.

Where Do We Go from Here?



Appendix A: Kernel Debugger Commands.


Appendix B: Kernel API Functions.


Appendix C: Constants, Enumerations, and Structures.

Constants.

Dispatcher Object Type Codes.

File Object Flags.

Portable Executable Section Directory Ids.

I/O System Data Structure Type Codes.

I/O Request Packet Functions.

Object Header Flags.

Object Type Array Indexes.

Object Type Tags.

Object Attribute Flags.

Enumerations.

IO_ALLOCATION_ACTION.

LOOKASIDE_LIST_ID 532contentsMODE (see also KPROCESSOR_MODE).

NT_PRODUCT_TYPE.

POOL_TYPE.

Structures and Aliases.

ANSI_STRING.

CALLBACK_OBJECT.

CLIENT_ID.

CONTEXT.

CONTROLLER_OBJECT.

CRITICAL_SECTION.

DEVICE_OBJECT.

DEVOBJ_EXTENSION.

DISPATCHER_HEADER.

DRIVER_EXTENSION.

DRIVER_OBJECT.

EPROCESS.

ERESOURCE.

ERESOURCE_OLD.

ERESOURCE_THREAD.

ETHREAD. ETIMER.

FAST_MUTEX.

FILE_OBJECT.

FLOATING_SAVE_AREA.

HANDLE_ENTRY.

HANDLE_LAYER1, HANDLE_LAYER2, HANDLE_LAYER3.

HANDLE_TABLE.

HARDWARE_PTE.

IMAGE_DATA_DIRECTORY.

IMAGE_EXPORT_DIRECTORY.

IMAGE_FILE_HEADER.

IMAGE_NT_HEADERS.

IMAGE_OPTIONAL_HEADER.

IO_COMPLETION.

IO_COMPLETION_CONTEXT.

IO_ERROR_LOG_ENTRY.

IO_ERROR_LOG_MESSAGE.

IO_ERROR_LOG_PACKET.

IO_STATUS_BLOCK.

IO_TIMER. ContentsKAFFINITY. KAPC. KAPC_STATE. KDEVICE_QUEUE.

DEVICE_QUEUE_ENTRY.

KDPC.

KEVENT.

KEVENT_PAIR.

KGDTENTRY.

KIDTENTRY.

KIRQL.

KMUTANT, KMUTEX.

KPCR.

KPRCB.

KPROCESS.

KPROCESSOR_MODE.

KQUEUE. KSEMAPHORE.

KTHREAD. KTIMER.

KWAIT_BLOCK.

LARGE_INTEGER.

LIST_ENTRY.

MMSUPPORT.

NT_TIB (Thread Information Block).

NTSTATUS.

OBJECT_ATTRIBUTES.

OBJECT_CREATE_INFO.

OBJECT_CREATOR_INFO.

OBJECT_DIRECTORY.

OBJECT_DIRECTORY_ENTRY.

OBJECT_HANDLE_DB.

OBJECT_HANDLE_DB_LIST.

BJECT_HANDLE_INFORMATION.

OBJECT_HEADER.

OBJECT_NAME.

OBJECT_NAME_INFORMATION.

OBJECT_QUOTA_CHARGES.

OBJECT_TYPE.

OBJECT_TYPE_ARRAY.

1contentsOBJECT_TYPE_INFO.

OBJECT_TYPE_INITIALIZER.

OEM_STRING. OWNER_ENTRY. PEB (Process Environment Block).

PHYSICAL_ADDRESS.

PROCESS_PARAMETERS.

QUOTA_BLOCK.

RTL_BITMAP.

RTL_CRITICAL_SECTION_DEBUG.

SECTION_OBJECT_POINTERS.

SECURITY_DESCRIPTOR.

SECURITY_DESCRIPTOR_CONTROL.

SERVICE_DESCRIPTOR_TABLE.

STRING.

SYSTEM_SERVICE_TABLE.

TEB (Thread Environment Block).

TIME_FIELDS.

ULARGE_INTEGER. UNICODE_STRING.

VPB (Volume Parameter Block). WAIT_CONTEXT_BLOCK.



Bibliography.


Index. 0201721872T05082001

Preface

After finishing the manuscript of my first book, Developing LDAP and ADSI Clients for Microsoft Exchange(Schreiber 2000) in October 1999, I was honestly convinced for some time that I would never write a book again. Well, this phase didn't last long, as the pages you are reading right now prove. Actually, I was already starting to think about writing another book as early as November 1999 while I was playing around with the latest release candidate of Microsoft Windows 2000. Examining the kernel and its interfaces and data structures, I was very pleased to find that this operating system—despite its ugly name that reminded me too much of Windows 95 and 98—was still a good old Windows NT.

Poking around in the binary code of operating systems has always been one of my favorite pastimes. Just a couple of weeks before I had the idea to write this book, my article "Inside Windows NT System Data" (Schreiber 1999), showing how to retrieve internal system data by means of the undocumented kernel API function NtQuerySystemInformation(), had been published in Dr. Dobb's Journal. The preparatory research to this article left me with a huge amount of unpublished material that longed for being printed somewhere, and so I yelled: "Hey, how about a book about Windows 2000 Internals?" Because of the obvious similarities between Windows NT 4.0 and Windows 2000, plus my pile of interesting undocumented information too valuable to be buried, this seemed to be a great idea, and I am proud that this idea took the physical form of the book you are holding in your hands. While transforming the stuff I had collected into something that was readable by other people, I discovered lots of other interesting things, so this book also features a great deal of brand-new material that I hadn't planned to include beforehand.

Addison-Wesley has a long and glorious tradition of publishing books of this kind. The list of milestones is long, containing the two-volume printed version of Brown and Jim Kyle's classic "Interrupt List," PC Interrupts and Network Interrupts (Brown and Kyle 1991, 1993, 1994, available online at http://www.cs.cmu.edu/afs/cs.cmu.edu/user/ralf/pub/WWW/files.html; two editions of Undocumented DOS (Schulman et al., 1990, 1993); the Windows 3.1 update thereof, titled Undocumented Windows (Schulman et al., 1992); Matt Pietrek's Windows Internals (Pietrek 1993); as well as DOS Internals by Geoff Chappell (Chappell 1994) and Dissecting DOS by Michael Podanoffsky (Podanoffsky 1994). Other authors have contributed invaluable material in other areas such as PC hardware programming (Sargent III and Shoemaker 1994, van Gilluwe 1994). Andrew Schulman and Matt Pietrek both have written two more books of this "undocumented" kind about Windows 95, this time for IDG Books Worldwide (Schulman 1994, Pietrek 1995). However, what has been painfully missing in the past few years was a similar book for Windows NT system programmers. Fortunately, some information has been made available in article form. For example, Matt Pietrek has filled some parts of this huge gap in his"Under the Hood" column (e.g., Pietrek 1996a-d) in Microsoft Systems Journal (MSJ, meanwhile transformed into MSDN Magazine), and The NT Insider journal, published bi-monthly by Open Systems Resources (OSR), is an indispensable source of know-how (check out http://www.osr.com/publications_ntinsider.htm for a free subscription). We should also not forget about the incredible SysInternals Web site operated by Mark Russinovich and Bryce Cogswell at http://www.sysinternals.com, who have brought us numerous powerful utilities; some even including full source code that really should have been part of the Microsoft Windows NT Resource Kit.

For a long time, the Microsoft Windows NT Device Driver Kit (DDK) has been the only comprehensive source of information about Windows NT system internals. However, the DDK documentation is tough to read some people even say it's anything but didactic. Moreover, the DDK is documenting just a small part of the available system interfaces and data structures. The largest part belongs to the category of the so-called internal features. This has made it next to impossible to write nontrivial kernel-mode software for Windows NT without searching for additional information somewhere else. In the past, however, reliable documentation and sample code was hard. This situation improved somewhat in 1997 when The Windows NT Device Driver Book by Art Baker and Rajeev Nagar's Windows NT File System Internals appeared. The year 1998 was marked by the heavily revised update of Helen Custer's two-volume set Inside Windows NT and Inside the Windows NT File System (Custer 1993, 1994) by David Solomon (Solomon 1998), who added a lot of new, previously unpublished material. In early 1999, Windows NT Device Driver Development, written by NT kernel-mode experts Peter G. Viscarola and W. Anthony Mason, was published (Viscarola and Mason 1999). Both are consulting partners of Open Systems Resources (OSR), and the OSR people are well known for their excellent kernel-mode driver and file system programming courses, so having their first-hand knowledge in printed form was a real benefit. In the same year, Edward N. Dekker and Joseph M. Newcomer's Developing Windows NT Device Drivers(Dekker and Newcomer 1999) appeared. Both books were probably the first comprehensive and practically usefulNT kernel-mode programming tutorials. If you want to read thoughtful and accurate reviews about several Windows NT driver programming books, including some of those mentioned above, just peek into the November/December 1999 issue of The NT Insider (Open Systems Resources 1999c).

In late 1999, more authors delved into the depths of the Windows NT kernel. A trio of system programmers and consultants from Puna, India, Prasad Dabak, Sandeep Phadke, and Milind Borate, brought us the first Undocumented Windows NT book (Dabak, Phadke, and Borate 1999). Because it was published before the release of the final version of Windows 2000, it covers Windows NT 3.51 and 4.0 and the latest 2000 beta then available. After this overdue release, another must-have book for anyone in Windows 2000 system programming appeared in January 2000: Gary Nebbett's Windows NT/2000 Native API Reference (Nebbett 2000). His work provides a thorough, comprehensive, and extraordinarily detailed documentation of all API functions and the structures they involve, providing the first opportunity to double-check my findings about NtQuerySystemInformation() in Dr. Dobb's Journal (Schreiber 1999). I was pleased to see that not only did our technical details match perfectly but so did most of the symbolic names we had chosen independently. This book should have been published by Microsoft years earlier!

You may think that everything has already been said about the internals of Windows 2000. Not so! The internal functions and data structures inside the kernel involve such a vast area of knowledge that they can hardly be covered by just two books. The book you're reading now is just one of the building blocks required for a better understanding of the architecture of Windows 2000. Hopefully, the coming years will bring many more publications of this kind. One recent publication is the third edition of Inside Windows NT. Because it covers many of the new features introduced with Windows 2000, it is consequently now called Inside Windows 2000 (Solomon and Russinovich 2000). This third edition is a genuine member of the former Inside Windows NT series. In this edition, Mark Russinovich is co-author with David Solomon, which is a reliable indicator that this book can be bought blindly. There is no significant overlap between the contents of Inside Windows 2000 and Undocumented Windows 2000 Secrets: A Programmer's Cookbook, so it is probably a good idea to have both on the shelf.

THE TOPICS DISCUSSED IN THIS BOOK

If I had to compare this book with its predecessors, I'd say it's written in the tradition of the old Undocumented DOS volumes (Schulman et al., 1990, 1993). I treasured these books back in the days of DOS programming, because they involved an ideal trade-off between comprehensiveness and an in-depth treatment of an essential subset of topics. In my opinion, it is nearly impossible to write a comprehensive documentation of the internals of a complex operating system in a single volume without losing detail. If you don't opt for a multitome encyclopedia, you can either write a reference handbook, such as Nebbett's (Nebbett 2000), or focus on specific topics, as Andrew Schulman and friends did. Nebbett didn't leave much for other reference authors, but the in-depth documentation of special Windows NT/2000 topics is still a wide-open field.

Like Undocumented DOS, this book of introduces Windows 2000 programming topics that I have found both interesting and useful. In the "undocumented" business, there is always a danger of doing "art for art's sake." Unveiling undocumented features of an operating system is usually very exciting and fulfilling for the person doing the work, but might be quite irrelevant for others. Not everything that is undocumented is automatically useful as well. Some operating system internals are just internals in their strictest sense, that is, implementation details. However, many internals of Microsoft systems are much more than that. Microsoft has a notorious reputation for intentionally preventing the developer community from knowing too much about their target operating system. My favorite example is the ingenious and extremely useful MS-DOS Network Redirector Interface described in Chapter 8 of the second edition of Undocumented DOS (Schulman et al., 1993). Much time would have been saved and much trouble avoided if Microsoft had documented this wonderful interface when they introduced it. Unfortunately, Microsoft has pursued this information policy with the follow-up systems Windows 3.x, Windows 9x, Windows NT, and Windows 2000. However, books such as this are being written to provide further information.

After introducing you to the basic architecture of Windows 2000 and helping you to set up your workstation for Windows 2000 kernel spelunking, this book leads you through some very exciting corners inside the world of kernel programming. Typically, each chapter first discusses the essential theory you need to know about the topic, and then immediately presents sample code to illustrate the respective features. The language chosen for the samples is plain C. The probability is high that the readers of this book are comfortable with C, and this language is well supported by Microsoft's Windows 2000 development tools.

This book deliberately does not attempt to give a broad overview of the architecture of the Windows 2000 kernel, although it discusses parts of it in some chapters. If you are looking for such information, see Inside Windows 2000 (Solomon and Russinovich 2000) instead, which takes a very general and theoretical approach to the Windows 2000 internals. Neither Inside Windows 2000 nor the Undocumented Windows 2000 Secrets: A Programmers Cookbook Windows NT/2000 Native API Reference (Nebbett 2000) provide practical code examples and full-featured sample applications that interact live with the system contains reprinted code samples in abundance, accompanying the Windows 2000 concepts and features under discussion. The companion CD contains all of this code in ready-to-run applications that you can extend, tear to shreds for use in other applications, or simply use as is. Basically, you will be led through the following topics:

  • Using the Windows 2000 debugging interfaces
  • Loading, parsing, and using the Windows 2000 symbol files
  • Dissecting the Microsoft PDB file format
  • Interfacing to the kernel's Native API
  • Writing simple kernel-mode drivers
  • Exploring Windows 2000 system memory
  • Hooking and monitoring calls to the Native API
  • Calling kernel functions from user-mode applications
  • Calling nonexported kernel functions
  • Exploring the world of Windows 2000 kernel objects

You also will learn many more details about the system both in the text and samples. My foremost intention while writing the manuscript was to share with you anything I knew about the topics covered.

THE ORGANIZATION OF THIS BOOK

After considering which sequence of chapters would be optimal for all potential readers of this book, I have arranged the seven chapters in the order that I thought would be best for a novice Windows 2000 system programmer. Therefore, any new concepts or techniques introduced in a chapter are explained at their first appearance. Consequently, newbies should read the chapters sequentially as they appear in the book. This approach may bore expert readers who look for more "off-road" information. However, it is easier for an expert to skip over familiar details than for a novice to keep up if the material is presented in a nondidactic sequence.

Here is what awaits you in each chapter:

  • Chapter 1 begins with a guided tour through setup and use of the Windows 2000 Kernel Debugger, because this is one of the most helpful tools for system exploration. Other highlights are the official Windows 2000 debugging interfaces in the form of the psapi.dll, imagehlp.dll, and dbghelp.dll components. The chapter closes with detailed descriptions of the layouts of Microsoft CodeView and Program Database (PDB) files, complemented by a sample symbol file parser DLL and an accompanying client application.
  • Chapter 2 introduces the Windows 2000 Native API, discussing the main system service dispatcher, the various API function groups exported by ntdll.dll and ntoskrnl.exe, and the data types most frequently used by these components.
  • Chapter 3 is a short and easy introduction to basic kernel-mode driver development. It is by no means intended as a tutorial for heavy-duty hardware driver developers. It simply points out essential information required to understand the sample code in subsequent chapters, including loading and unloading driver modules at runtime via the Service Control Manger interface. Probably the most interesting highlight is the description of the customizable driver wizard included with full source code on the companion CD.
  • Chapter 4 is certainly the most challenging chapter for readers suffering from hardware phobia, because it starts with a detailed description of the Intel Pentium CPU features used by the Windows 2000 memory manager. Anyone who survives this section is rewarded by extensive sample code of a memory spy device that supports the visualization of prohibited memory regions and internal memory manager data structures. Also included is a Windows 2000 memory map that outlines how the system makes use of the vast 4-GB address space offered by the Pentium CPU family.
  • Chapter 5 explains in detail how you can hook Native API functions, mainly focusing on call parameter monitoring and file/registry tracking. This chapter makes heavy use of inline assembler code and CPU stack twirling.
  • Chapter 6 proposes a general-purpose solution for something that is commonly considered impossible in the Windows 2000 programming paradigm: calling kernel-mode code from user-mode applications. The sample code in this chapter builds a bridge from the Win32 subsystem to the main kernel interfaces inside ntoskrnl.exe, hal.dll, and other core components. The chapter also describes how to call nearly any kernel function as long as its entry point is provided in the Windows 2000 symbol files.
  • Chapter 7 delves deeply into the mysterious Windows 2000 object manager. The internal structure of kernel objects is one of the best-kept secrets, because Microsoft doesn't give you more information about an object than an opaque void* pointer. This chapter unveils what this pointer really points to, and how object structures and handles are maintained and managed by the system. As a special feature, the layout of process and thread objects is discussed in detail. The last section of the chapter is a sample application that displays the hierarchical arrangement of kernel objects by tracing the relations of various undocumented object structures.
  • Appendix A is related to Chapter 1 and contains all commands and command options of the Windows 2000 Kernel Debugger.
  • Appendix B is related to Chapter 2 and summarizes several API functions exported by the Windows 2000 kernel modules.
  • Appendix C provides an extensive collection of Windows 2000 constants and data types in alphabetical order. This reference list documents several undocumented kernel structures introduced and used throughout the book.

As you see, this book discusses much information that merits the attribute "undocumented," and some of the material has never been published before.

THE AUDIENCE OF THIS BOOK

Undocumented Windows 2000 Secrets: A Programmer's Cookbook is intended for system programmers who want to maximizethe features of their target operating system. First disclaimer: If the target platform of your software is Windows 95, 98, or Me (Millennium Edition), don't read any further. Because of the architectural differences of the Windows 9x/Me and NT/2000 platforms, you won't benefit from reading this book. Second disclaimer: This book does not contain information on the Alpha processor or multiprocessor systems—I will target the 32-bit Intel i386 single-processor platform exclusively. Third disclaimer:

Be aware that this text is not written for the faint-hearted. You will be faced with programming techniques the average Win32 programmer has never seen. The Windows 2000 kernel is an entirely different world, bearing little resemblance to the Win32 subsystem built upon it. Some of the interfacing techniques introduced toward the end of the book might be new to even experienced kernel-mode programmers. Let me put it this way: This is the book your high-school teachers and Microsoft representatives have always warned you about!

If you are still reading on, you are obviously an open-minded, courageous person who wants to know everything about the things lurking beneath the surface of the Windows 2000 operating system. That's great! Even if you won't use the know-how you gain from this book on a daily basis, you will certainly benefit from it. Knowing what is going on under the surface of an application interface is always advantageous. It facilitates debugging and optimization, and helps avoid unwanted side effects caused by misconceptions about the hidden mechanics of the system.

The only expertise I'm expecting from my readers is "talking C" fluently and basic knowledge of Win32 programming. If you have already written kernel-mode drivers, you're in an even better position, but that's not a requirement. You will find an introduction to kernel-mode driver programming in this book, telling you everything you need to know within its scope. However, please note that this is not a comprehensive kernel-mode tutorial. If you are specifically interested in kernel-mode driver development, please get one of the good books that deal with this topic exclusively (e.g., Viscarola and Mason 1999, or Dekker and Newcomer 1999).

Some chapters of this book include heavy use of inline assembly language (ASM). I don't expect you to have thorough ASM programming experience, but a basic knowledge of ASM will be certainly helpful. If you have never written a line of ASM code, you may find these chapters difficult or you may choose to skip them entirely. However, I encourage you to read at least parts of them, only skipping the subsections that explain the details of the ASM code. Because the ASM code snippets used in the samples are always well encapsulated in C function wrappers, you can usually ignore their internals and still benefit from the remaining material that surrounds them.

THE CONVENTIONS USED IN THIS BOOK

The target operating system of this book is Windows 2000. However, you will find that most of the information also applies to Windows NT 4.0, and most of the sample applications run on this platform as well. Note that I am not covering Windows NT 3.x. Although it is probably outdated now, NT 3.51 has been my favorite NT so far because it was relatively small and fast and did not burn up too many CPU MIPS in its user interface. With respect to Windows NT 4.0, I have done everything to keep the software compatible with this version, because it is still in use. Many companies have designed their corporate networks for the classic Windows NT domain concept, and they will need time to adopt the new Active Directory paradigm introduced with Windows 2000. In some cases, it is not possible to provide common code for both operating system versions because of differences in the layout of some internal data structures. Therefore, some portions of the sample code contain version checking and separate execution paths for different versions.

Concerning terminology, when I use the term Windows 2000, it usually includes Windows NT 4.0 as well. Remember that this funny name is just a marketing gimmick to propel the sales of a system that should have been named Windows NT 5.0. In the same way, the term Windows NT without a version specification refers to the NT platform in general, including Windows 2000 and Windows NT 4.0. Note again that Windows NT 3.x is not on the list. In discussing version-specific features, I will use the terms Windows 2000 and Windows NT 4.0 in a contrasting fashion, pointing out the respective differences.

THE SAMPLE CODE ON THE CD

The sample code included on the companion CD and partially reprinted in this book has been written for Microsoft Visual C/C++ 6.0 with Service Pack 3. If you want to rebuild or change the samples, you should also install the latest releases of the Win32 Platform Software Development Kit (SDK) and the Windows 2000 Device Driver Kit (DDK). These development kits contain the latest header file and import library updates. Be sure to set the compiler's and linker's search paths appropriately to guarantee that the SDK and DDK files are found before the header and library files installed with Visual C/C++. Both kits are distributed on CD or DVD as part of the Microsoft Developer Network (MSDN) Professional and Universal Subscriptions. If you aren't a subscriber yet, go for it! You will receive all updates of Microsoft's operating systems and development kits, plus more than 1 gigabyte of first-hand technical documentation. The subscription is somewhat expensive, but I think it is worthwhile. More information is available from Microsoft's MSDN Web site at http://msdn.microsoft.com/subscriptions/prodinfo/overview.asp.

The CD included with this book contains both the C source code of all samples and compiled and linked binary builds thereof for immediate use. All directories are set up as Microsoft Visual Studio 6.0 expects them: There is a base directory for each module containing the source files (C code and header files, resource scripts, definition files, project and workspace information, etc.) and a subdirectory called release holding the binaries (executables, object code, import libraries, etc.). Figure P-1 outlines the overall directory structure of the CD. All source and project files are found in the \src tree. It contains a subtree for each sample project, plus a common directory for header and library files shared by them. The \bin directory contains all .exe, .dll, and .sys files of the samples, allowing you to start all applications directly from the CD. The \tools tree is a collection of third-party tools that I thought would be helpful for readers of this kind of book.

To rebuild a sample, simply copy the module's base directory including the release subdirectory to the folder where you are keeping your own projects. The base directory contains .dsw and .dsp workspace and project definition files providing build information for Visual Studio. Rebuilding is easy: Open the .dsw file in Visual Studio, choose the active configuration (e.g., Release) and select Build \ Build or Build \ Rebuild All from the main menu. Please note that some header files contain additional linker directives in the form of #pragma statements. This neat trick allows you to rebuild all samples with default Visual Studio settings--no need to enter anything into the project setting dialogs.

Because most of the code is guaranteed to be not Windows 9x compatible, I did not provide support for ANSI characters. The native character set of Windows 2000is Unicode, featuring 16-bit characters. Therefore, strings are defined as WORD arrays or pointers, except for the rare occasions that the system actually expects ANSI strings. This makes it a lot easier, doesn't it? Good Win32 programmers always try to support both ANSI and Unicode side by side to give legacy operating systems such as Windows 95 and 98 a fair chance to execute their code. This problem does not arise here—the code presented in this book usually goes well below the Win32 layer, so we can make full use of all native features of Windows 2000. The only notable exception is the w2k_img.dll library project and its companion application w2k_sym2.exe, both discussed toward the end of Chapter 1. The DLL supports both ANSI and Unicode, and the application is compiled for ANSI. This is the only sample application on the CD that runs even on Windows 95.

There are manifold dependencies between the sample projects on the CD. For example, the kernel-mode driver w2k_spy.sys and the utility library w2k_lib.dll are referenced by several applications, introduced in different chapters. Figure P-2 outlines these dependencies. The diagram should always be read from left to right. For example, the w2k_obj.exe application imports API functions from w2k_call.dll and w2k_lib.dll, and w2k_call.dll in turn relies on w2k_lib.dll and w2k_img.dll, additionally performing Device I/O Control calls into w2k_spy.sys. This means that you should always place the dependent files into the same directory with w2k_obj.exe to be able to run this application reliably. Note that I have added imagehlp.dll and psapi.dll to the diagram, although they are Microsoft components. This is just to emphasize that the w2k_dbg.dll library relies on these additional DLLs, whereas the other sample programs do not.

"Windows 2000 Utility Library" found in the w2k_lib directory branch. As well as hosting large portions of the sample code reprinted in the following chapters, it also contains lots of Win32 boilerplate code not specifically related to the focus of this book that you might want to reuse in other projects. It features memory, registry, object pool, and linked-list management, CRC32 computation, pseudo-random number generation, operating system and file version checking, and much more. The huge w2k_lib.c file is a repository of general-purpose code I have written for myself in the past few years, and it is intended to make the life of Win32 programmers somewhat easier. Enjoy!

THE THIRD-PARTY TOOLS ON THE CD

Along with the sample code I wrote exclusively for this book, the companion CD contains valuable tools contributed by others. I am indebted to Jean-Louis Seigne and Wayne J. Radburn for allowing me to distribute their finest tools on this CD. In the \tools directory, you will find the following goodies:

The Multi-Format Visual Disassembler (MFVDasm) is written by Jean-Louis Seigné, who has been in the Windows software development business since 1990. Actually, MFVDasm is much more than just a disassembler—it is a Portable Executable (PE) file cruncher, disassembler, hex dump utility, and ASM code browser in one. The \tools\MFVDasm directory on the CD contains a fully functional timed demo version, protected with the Softlocx software produced by BitArts. You can get an unlimited version by paying US$100.00 to Jean-Louis Seigné via credit card. The latest version of MFVDasm is available at http://redirect.to/MFVDasm; inquiries about the software should be emailed to MFVDasm@redirect.to.The PE and COFF File Viewer (PEview) is contributed by Wayne J. Radburn and is given royalty-free as a special bonus for the readers of this book. Wayne is a die-hard Win32 assembly language programmer like me, except that he is still doing the job while I have moved to C. Application programming in ASM is tough, so you can be sure that Wayne is a true expert. PEview is certainly the most versatile PE file browser I'm aware of, and it is an essential tool for operating system spelunkers. It provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files, and it supports the viewing of .exe, .dll, .obj, .lib, .dbg, and other file types. Meet Wayne on the Web at http://www.magma.ca/~wjr/, or send email to wjr@magma.ca.

Because this is third-party software, included here by special license agreement with the respective authors, neither Addison-Wesley nor I take any responsibility for its usage. Please read the licensing information displayed by these programs for more details.



0201721872P05072001

Index

A

+a switch, 237-238
Address, 165
base, 344-345, 349-354, 360
computation, 69, 79-80
driver load, 8
exported names, 339-345
FS, 167, 235-237
indirect, 238
linear, 165-171, 181-182, 261, 354
load, 80
logical, 165-168
OMAP conversion, 81-89
physical, 165-166, 170-172, 219-220, 261
relative, 237-238
TEB, 234
virtual, 165-166
See also Memory management
Advanced Server, 162
Alias, 110, 511-547
_allmu1 symbol, 92
Allocation bit array, 72, 75
ANSI character, 29
CHAR type, 110imagehlp.dll, 47
object tags, 410
PSTR and PWSTR types, 111
strings, 113-114, 381-383
w2k_img.dll, 58
API call. See Kernel API call; Native API call
Application descriptor, 185-187
Argument stack, 277-279, 293, 332-334, 373
Array
allocation, 72, 75
export, 343-344, 354
Asche, Ruediger R., 125
Assembly language (ASM), 24, 277-279, 286, 292
At character (@), 51, 53

B

+b switch, 256-257, 260
Bad pointer, 333
Bang command, 11, 13-14, 416, 450-458
Base address, 344-345, 349-354, 360
Bit array, 72, 75
Bit field, 172-173
Bit mask, 181, 185
Blink, 239
Block, memory, 228-229, 380
Blue Screen Of Death (BSOD), 2
Body structure, object, 410-411
Booth, Rick, 165
Branch prediction, 82IndexBrown, R, 141
Buffer
circular, 316
protocol, 319-321
size, 155
string, 381-382
Buffered I/O, 191, 200
Bug, 12, 339, 364, 370
Bugslayer, 82
Build number, 269
BYTE, 15

C

C bit field, 172-173
C language, 277, 279
C runtime library, 106-107, 486-490
C source file, 126
Call interface function, 368-372
Callback function, 45
Category, object, 396-398
CD contents
driver wizard, 125-130
hook viewer, 321
PDB stream reader, 78
service and driver browser, 156
SpySearch, 291
Utility Library, 144
w2k_call.c, 439
w2k_call.dll, 364
w2k_cv.exe, 58
w2k_dbg.dll, 29-33
w2k_def.h, 118, 395-396
w2k_dump.exe, 71
w2k_img.dll, 58, 69, 83-84
w2k_load.exe, 153
w2k_mem.exe, 230
w2k_obj.exe, 434
w2k_spy.h w2k_spy.c, 280, 299
w2k_spy.sys, 188
w2k_sym.exe, 29
_cdec1, 51, 278
internal symbols, 384
kernel-mode gate, 333, 337
CHAR type, 110
Charge, resource, 404-406
Checkpoint file, 51
Circular buffer, 316CLIENT_ID, 117
Cloning, object, 437-440
Code, IOCTL, 191
CodeView, 58, 63-69
.dbg files, 70
directories, 61, 65-66
Cogswell, Bryce, 265-269, 276, 330
CommandParse, 249
Common Object File Format (COFF), 63
Compound file, 72-73
Configuration, kernel-mode driver, 129
Constant, 505-509
Intel i368, 181-187
Context, thread/process, 425-429
Control code, 141
Control register, 220
Copying memory blocks, 380
CPU register, 333-334
Crash dump, 2-8
CreateFile, 248, 327
Custer, H., 93, 414
CV_PUBSYM, 67-69
CV_SYMHASH, 67-69

D

Data access function, 380-383
Data structure, 114-117, 511-547
Intel i368, 172-181
I/O system, 397-398
Data type
integral, 110-112
strings, 111-114
structure, 114-117
Data-copying interface function, 372-375
db command, 15
.dbg file, 54-62
header, 55-58
linkage, 70-71
OMAP, 61, 81
dbghelp.dll, 24-29
\DBG.HTM file, 9
dbgSymbolLoad, 47
dd command, 15
Debugging, 1-92
crash dump, 2-8
i368kd.exe, 2
MFVDasm, 21-22IndexPEview, 22-23
postmortem, 2
support library, 29-33
WinDbg.exe, 2
See also Interface, debugging; Kernel Debugger; Symbol file
Decoration, symbol, 51-54, 84, 92
.def file, 126, 129
Demand paging, 162-172
memory dump utility, 242-243
X86 data structures, 176-182
Descriptor
application, 185-187
system, 186-187
Descriptor Privilege Level (DPL), 251
Device context, 137
Device Driver Kit (DDK), 1, 94, 111
constants, 183
header files, 117-118, 122, 124, 197
kernel-mode drivers, 122-125
w2k_def.h, 395-396
Device I/O Control (IOCTL). See IOCTL
Directory
debug, 60-61
handle, 303
lock, 435
stream, 75-78
Dispatch ID
interrupt handler, 98, 102-103
Win32K, 104-105
Dispatcher
driver, 139
object, 396-398, 505
service, 95-98
spy, 191
DLL, 340, 363-366
DOS, 140
\DosDevices, 189
Driver
EnumDeviceDrivers, 33-36
exception, 188
w2k_kill.sys, 6-8
See also Kernel-mode driver; Spy device
Driver skeleton, 130-140
!drivers, 18-19
.dsp file, 129
.dsw file, 125
Dump command, 15
See also Memory dump utility
Dump Memory, 15
dw command, 15
DWORD, 15, 44

E

Entry point, 141
Entry point driver, 136
EnumDeviceDrivers, 33-36
Enumeration, 510-511
EnumProcesses, 37-39
EnumServicesStatus, 155, 156
Environment variable, 153
EPROCESS, 16-18, 416, 420-424
"Equals" character (=), 296
ERESOURCE, 435
Error
bad arguments, 339
crash dump, 12
kernel API calls, 370
last-error code, 364
ETHREAD, 18-19, 416, 420-424, 428
ExAcquireResourceExclusive, 435
Examine Symbols, 15-16
Exception, 188
SEH, 299, 333, 338-339
Execute, 249, 327
Exported symbol
API thunks, 376
assigning, 335, 340-345
resolving, 351-356
SPY_IO_PE_EXPORT, 360
SPY_IO_PE_SYMBOL, 362
Extended kernel call interface, 384-393
Extended runtime library, 106-107, 491-503
Extension, debugger, 11, 13-14

F

+f switch, 235
_fastcall, 51, 53
ASM, 278
internal symbols, 384
kernel-mode gate, 333-334, 337
File system, 72-73
Filter, garbage, 299-303, 315-316
Flag
file object, 401, 506
fOk, 208
object attribute, 509
object header, 508
Flat memory model, 166
Flink, 239
Floating point emulator, 107-108
fOk flag, 208
Format control ID, 290-292, 295, 303
Format string, 290-292, 295, 303
FS:[base]:addressing, 236-237
FS-relative addressing, 167, 235
Function
callback, 45
categories, 108-110
IOCTL, 199, 203-230, 244-246, 307-321
kernel API, 459-503
names, 151
wrapper, 144, 152, 244-246
Function set
imgTable*, 83-88
Nt* Zw*, 93-94, 97, 346-347

G

+g option, 252
Garbage filter, 299-303, 315-316
Gate
descriptor, 254
interrupt, 254-256
kernel-mode, 332-339
See also Interrupt handler
GetModuleHandle, 340
GetProcAddress, 340
Gircys, G.R., 63
Global Descriptor Table (GDT), 168, 211, 214
selectors, 252-254
Graphics Device Interface (GDI), 103
kernel API functions, 467-486

H

+h switch, 237
HalMakeBeep, 377
HalQueryRealTimeClock, 377-379
Handle, 300
API hook protocol, 299-307directory, 303
handle count, 296-297
object, 237, 411-416
process, 39-42, 44
registered/unregistered, 300-303
Service Control, 142-144, 151-153
spy device, 246-249
Handle database, 403-404
HANDLE_TABLE, 411-413
Hardware, accessing, 6
Hardware Abstraction Layer (HAL), 377
Hash table, 436
Header file
.dbg, 55-58
DDK, 117-118, 122, 124, 197
DrvInfo.h, 136
ntddk.h/ntdef.h, 94
ntdll.lib, 117-119
object, 399-402
TestDrv.h, 130
w2k_spy.h, 188, 248, 280, 299
Hex dump viewer, 71
HMODULE, 39-41, 44
Hook, API
dispatcher, 279-294
handles, 299-307
management functions, 307-321
protocol, 294-299
reader, 321-330
system-wide, 266, 276-277
Hummel, Robert L., 108, 162, 186

I

Icon file, 126
imagehlp.dll, 24-29
symbols, 44
undecoration, 52-53
ImageLoad, 46-49
IMG_DBG, 58
IMG_PUBSYM union, 79
imgTable* function set, 83-88
Import library, 117-119
DDK, 122-124
Import thunk, 51-52, 92
Incremental updating, 77-78
Index
object type, 410-411, 508
page-directory, 181
Indirect addressing, 238
Inline assembler, 277
Inner Loops, 165
Input buffer, 191, 200
Inside Windows NT, 6, 93
Inside Windows 2000, 93
INT 2Eh service handler. See Interrupt handler
Integral data type, 110-112
Intel i368 memory management, 161-181
data structures, 172-181
80270 CPU, 163
80368 CPU, 108, 161-164
80486 CPU, 164
layout, 162
macros/constants, 181-187
segmentation/demand paging, 162-172
Interface
GDI, 103
interface functions, 368-375
kernel API calls, 331-339, 384-393
Native API, 117-119
spy device, 244-249
Win32K kernel-mode, 103-105
Interface, debugging, 24-51
dbghelp.dll, 24-29
EnumDeviceDrivers, 33-36
EnumProcesses, 37-39
EnumProcessModules, 39-42
imagehlp.dll, 24-29, 44
process privileges, 42-44
psapi.dll, 24-29
Interrupt Descriptor Table (IDT), 96, 168, 252
gate descriptors, 254
SPY_IO_INTERRUPT, 214, 218
X86_GATE, 173-174
Interrupt handler, 96-98, 214
gates, 254-256
KiSystemService, 102-103, 266-268
Zw* functions, 346
I/O object, 397-398
I/O Request Packet (IRP), 137, 507
IOCTL, 141-142
code, 191
handler, 191
hook management functions, 307-321
kernel API calls, 331-334, 356-368
spy device functions, 199, 203-230spy device handle, 246-249
type codes, 507
wrapper functions, 244-246
IRP handler array, 137
i368kd.exe, 2, 11

K

+k switch, 236
Kernel API call, 331-393
calling conventions, 333
data access functions, 380-383
DLL encapsulation, 363-366
exported symbols, 339-345
interface functions, 368-375
internal symbols, 384-393
IOCTL, 331-334, 356-368
resolving symbols, 351-356, 362
retrieving module addresses, 346-351
SEH, 338-339
SpyCall, 334-338
thunks, 375-380
Kernel API functions, 459-503
Kernel Debugger, 2
commands, 11-19, 447-458
ln command, 16, 100-102
process and thread objects, 416, 428
setup, 11
symbol decoration, 52-53
Kernel-mode driver, 121-160
configuration, 129
enumerating services and drivers, 155-159
I/O control, 140-142
kernel API call, 332
management function, 144-155
Native API hooks, 276
nonexported structures, 434
ntoskrn1.exe, 95
privilege level, 188
SC Manager, 142-144
skeleton, 130-140
system crash, 6-8
wizard, 125-130
Kernel-mode interface, Win32, 103-105, 121-122
Kernels Processor Control Block (KPCB), 207, 425-426IndexKernels Processor Control Region (KPCR), 207, 235, 426
kernel32.dll, 93
KeServiceDescriptorTable, 266-268, 376
Keyboard poll, 328
Killer device, 6-8, 142
Kill.exe, 43
KiSystemService, 102-103, 266-268
KMUTEX, 435
KPROCESS, 416-419
KTHREAD, 416-419, 428
Kyle, J, 141

L

LARGE_INTEGER, 166
Least-recently-used (LRU) schedule, 164
Library
C runtime, 106-107
DDK, 122-124
extended, 106-107, 491-503
ntdll.lib, 117-119
w2k_img.dll, 58, 69
Linear address, 165-171, 181-182, 261, 354
Linked list, 115
List Nearest Symbols, 16
LIST_ENTRY, 115
ln command, 16, 100-102
Load address, 80
Loading modules, 240-242
LoadLibrary, 340
Local Descriptor Table (LDT), 168, 211-214
Lock
global, 434-435
handle table, 415
Log file, 295
Logical address, 165-168
LONGLONG, 166

M

Macro
Intel i368, 181-187
SpyHook, 280-294
Macro Assembler (MASM), 24, 110,277, 279
Manager handle, 143, 152-153
Map, memory, 261-263
Mask, bit, 181, 185Mason, W. Anthony, 347
Memory dump utility, 230-243
command options, 228-234, 244, 250-251
demand paging, 242-243
FS addressing, 235-237
handle/object resolution, 237
indirect addressing, 238
loading modules, 240-242
relative addressing, 237-238
TEB-relative addressing, 234
Memory management, 161-263
descriptors, 251-256
dump commands, 15
Intel i368, 161-181
memory areas, 256-261
memory blocks, 228-229, 380
memory layout, 162
memory map, 261-263
selectors, 20-21
spy driver, 188-203
spy functions, 203-230
spy interface, 244-249
system information, 250-251
See also Address
Memory segmentation, 188, 251-256
Intel i368, 162-172
segment registers, 162-163, 209, 251-253
SPY_IO_SEGMENT, 208-214
Microsoft Developer Network (MSDN) Library, 94
MmGetPhysicalAddress, 172, 183, 219-220, 375-376
MmIsAddressValid, 172, 183, 227, 375-376
Module
handle, 39-42
loading, 240-242
relationships, 95
Most recently used (MRU) algorithm, 406
Multi-Format Visual Disassembler (MFVDasm), 21-22, 130
Multithreaded environment, 293, 366
Mutex, 198, 435

N

Name
exported, 340-345
object, 403, 410
pattern, 329-330
Native API, 93-119
data types, 110-118
dispatch IDs, 103-105
function handler, 293-294
function sets, 93-94, 97, 346-347
INT 2Eh handler, 102-103
interfacing to, 117-119
monitoring calls, 265
nesting level, 293-294
runtime library, 105-110
SDTs, 98-100, 265-307
service dispatcher, 95-98
undocumentedness, 94-95
Win32 kernel-mode interface, 103-105
See also Spy device
Native API call, 265-330
garbage filter, 299-303
hook dispatcher, 279-294
hook management functions, 307-321
hook protocol, 294-299
INT 2Eh handler, 266
SDTs, 266-276
NB09 format, 63-64
NB10 format, 70
Nebbett, Gary, 36, 105, 118, 401-402, 415
Nesting level, 293-294
NT. See Windows NT
Nt* function set, 93-94, 97, 346-347
NT Insider, The, 12, 14
NtBuildNumber, 376
ntdll.dll library, 95-97, 105-110, 117-119
ntoskrn1.exe, 95-98, 105-110
exported variables, 204
handle tables, 415
memory management, 172
NTPROC, 100
NtQuerySystemInformation, 36, 38-39, 110
address computation, 80
handle tables, 415
kernel API calls, 346-348
strings, 113
NULL pointer, 6

O

ObCreateObject, 424
Object, 395-445
categories, 396-398
charges and quotas, 404-406creator information, 402-403
directory, 406-407
dispatcher, 396-398
file flags, 506
handle database, 403-404
handle tables, 411-416
header, 399-402
I/O, 397-398
mutex, 198
name, 403, 410
process/thread, 416-425
type, 401, 407-411
Object browser, 434-445
cloning structures and functions, 437-440
command help, 443-444
global lock, 434-435
object manager thunks, 434-435
Object Module Format (OMF), 63, 67
OBJECT_ATTRIBUTES, 114
OBJECT_CREATOR_INFO, 402
OBJECT_DIRECTORY, 406-407
OBJECT_HANDLE_DB, 404
OBJECT_NAME, 403
OBJECT_QUOTA_CHARGES, 404
OBJECT_TYPE, 407-409
ObReferenceObjectByHandle, 229
Offset
.dbg files, 57-61
export section, 360
memory dump utility, 237-238
object headers, 401, 403
OMAP, 82-83
OMAP address conversion, 81-89
.dbg files, 61, 81
Open Systems Resources (OSR), 2
OpenProcess, 42
Optimization, 164-165
Ordinal number array, 354
Output buffer, 191, 200
Overflow, 320-321

P

+p switch, 238
Page entry, 177, 222-224
Page-Directory Base Register (PDBR),169-170, 176, 222
Page-directory entry (PDE), 169-172,177, 183
SPY_IO_PDE_ARRAY, 222
Page-directory index (PDI), 181-183
Page-frame number (PFN), 169, 172, 176
Page-level write-through (PWT), 176
Page-not-present entry (PNPE), 177
Page-table entry (PTE), 169-172, 177,183-184
Page-table index (PTI), 181-183
Paging
charges and quotas, 404
crash dump, 3, 7
demand, 162-172, 176-182, 242-243
page fault, 164
swapping to pagefiles, 242-243
PASCAL string, 67
Pattern
name, 329-330
string, 328
Pcb, 416
.pdb file, 54, 70-82
header, 73-75
linkage, 70-71
stream directory, 75-78
PDB_PUBSYM, 78
Pentium CPU, 161-165
PEview, 21-23, 130
Physical address, 165-166, 170-172, 261
Physical Address Extension (PAE), 162, 166, 219-220
Pietrek, Matt, 44, 55, 63, 70, 81, 265
Pointer
bad, 333
invalid, 299
KTHREAD/ETHREAD, 428-429
NULL, 6
object, 396
table, 268-269
Portable Executable (PE) file, 22-24, 335
directory IDs, 506
exported names, 340-345, 351-354
Postmortem debugging, 2
ppbFormats, 289
ppbSymbols, 289-291
pProcessorControlRegion, 207
#pragma directive, 139
Privilege level, 42-44
DPL, 251
kernel-mode drivers, 139, 220
memory segmentation, 188
module relationships, 95
Process
context, 425-429
handle, 39-42, 44
ID, 37-38, 42, 117, 403
module, 39-42
object, 416-425
Process Environment Block (PEB), 42,429-433
!processfields, 16-18, 94, 416
Program Database (PDB) file. See .pdb file
Project template, 125
Protected Virtual Address Mode, 163
Protocol, API hook, 294-299
buffer, 319-321
entry format, 295-296
filter, 299-303, 315-316
reader, 321-330
Proxy, 375
psapi.dll, 24-30, 36
Pseudo handle, 44
PSTR type, 111
PTSTR type, 45
PWSTR type, 111

Q

q command, 21
Quota, resource, 404-406

R

Radburn, Wayne J., 21, 23
.rc file, 126
Read access right, 328
Real-Address Mode, 163
Registry key, 127
Relative addressing, 237-238
Requested Privilege Level (RPL), 173
Resource script, 139
Richter, Jeffrey, 265
Robbins, John, 82
Root stream, 75
Rt1ImageNtHeader, 340-341, 359
Runtime library, 105-110
Runtime linkage, 339
Russinovich, Mark, 93, 118, 265-269,276, 330

S

+s switch, 237-238
Security, system, 187, 380
Segmentation, memory. See Memory segmentation
Seign, Jean-Louis, 21
!sel, 20
Selector, 163, 173, 185-187
GDT, 252-254
spy device functions, 208-214
Service, 142
enumerating, 155-159
loading/unloading, 152-153
Service Control (SC) Manager, 142-144
Service Descriptor Table (SDT), 98-102, 163, 265-307
handles, 299-307
hook dispatcher, 279-294
hook protocol, 294-299
SpyHookExchange, 312-313
Windows 2000 vs. NT, 270-276
Service dispatcher, 95-98
Service handle, 143, 151-153
SharedUserData, 207, 269
Slash character (/), 240
Software Development Kit (SDK), 94
aliases, 110
header files, 117-119
Solomon, D. A., 6, 93, 414
Source file, C, 126
Spy device, 188-203
dump utility, 230-243
header files, 189, 197, 248
hook dispatcher, 279-294
hook management functions, 307-321
hook protocol, 294-299
interface, 244-249
internal symbols, 384
IOCTL functions, 199, 203-230, 244-246, 307-321
IOCTL handler, 191
kernel API calls, 356-362
protocol reader, 321-330
SPY_CALL_INPUT, 333-334
SPY_CALL_OUTPUT, 333
SPY_IO_CALL, 362, 368
SPY_IO_CPU_INFO, 220-222, 235
SPY_IO_HANDLE_INFO, 229SPY_IO_HOOK_FILTER, 315-316
SPY_IO_HOOK_INFO, 310-311
SPY_IO_HOOK_INSTALL, 311-313
SPY_IO_HOOK_PAUSE, 315
SPY_IO_HOOK_READ, 316-319
SPY_IO_HOOK_REMOVE, 313-315
SPY_IO_HOOK_RESET, 316
SPY_IO_HOOK_WRITE, 319-321
SPY_IO_MEMORY_BLOCK, 228-229, 380
SPY_IO_MEMORY_DATA, 224-225
SPY_IO_MODULE_INFO, 358-359
SPY_IO_OS_INFO, 204-207, 250
SPY_IO_PAGE_ENTRY, 222-224, 256
SPY_IO_PDE_ARRAY, 222
SPY_IO_PE_EXPORT, 360-361
SPY_IO_PE_HEADER, 359-360
SPY_IO_PE_SYMBOL, 362, 375
SPY_IO_PHYSICAL, 219-220
SPY_IO_SEGMENT, 208-214
SPY_IO_VERSION_INFO, 203
SpyCall, 334-338, 370
SpyHook macro, 280-294
SpyHookInitialize, 280-281
Stack frame, 278-279
_stdcall, 51, 53
ASM, 278
internal symbols, 384
kernel API calls, 370
kernel-mode gate, 333, 337
Stream directory, 75-78
String, 111-114
ANSI/Unicode, 113-114, 137
format, 290-292, 295, 303
kernel, 381-383
PASCAL, 67
pattern, 328
substitution, 126
zero-terminated, 299
Structure, 114-117, 511-547
Intel i368, 172-181
I/O system, 397-398
Structured Exception Handling (SEH), 299, 333, 338-339
Symbol browser
w2k_sym.exe, 29, 50-51
w2k_sym2.exe, 90-92
Symbol file, 8-11, 51-92
address computation, 69, 79-80
CodeView, 63-69
.dbg, 54-62
decoration, 51-54, 84, 92
internal symbols, 384-393, 434
ln command, 16
OMAP, 81-89
path setup, 10-11
.pdb, 70-79
symbol table management functions, 83-84, 88-89, 389
See also Exported symbol
SymEnumerateSymbols, 44-49
Synchronization object, 415
System crash, 6-8
System descriptor, 186-187
System Service Table (SST), 98, 102-103

T

+t switch, 234
Table Indicator (TI), 211
Tag, object, 410, 509
Tagged record, 63
Task gate, 256
Task Register (TR), 220
Task-State Segment (TSS), 215-218, 251-251
TBYTE type, 110
Tcb, 416
.td file, 126, 129
TEB-relative addressing, 234
Template file, 125-127
TestDrv.c file, 130
Thread
context, 425-429
ID, 117, 294
initialization, 103
object, 416-425
Thread Environment Block (TEB), 234, 429-433
!threadfields, 18, 94, 416
Thunk, 51-52, 92
API, 375-380
function, 392-393
object manager, 434-435
.ti file, 126
Token handle, 43
Tomlinson, Paula, 142
.tp file, 125Translation Lookaside Buffer (TLB), 170
Trap
gate, 256
handler, 214
.tw file, 125
Type ID, 397
Type object, 401, 407-411

U

u becc3000 command, 12
+u switch, 236
Unassemble Machine Code, 14-15
Undecoration algorithm, 53
Under the Hood, 55, 81
Underscore (_), 51, 53
Understanding NT, 142
"Undocumentedness", 94-95
Unicode character, 29
imagehlp.dll, 47
PSTR and PWSTR types, 111
strings, 113-114, 137, 381-383
WCHAR type, 110
w2k_img.dll, 58
zero-terminated strings, 299
UniqueProcessId, 403, 428
User-mode call, 332, 356

V

Version number, 203
Virtual address, 165-166
Viscarola, Peter G., 347
Visual C/C++
ASM, 277
data types, 110
driver wizard, 125
ntdll.dll, 106
optimizer, 7, 24
.pdb files, 77-78

W

WCHAR type, 110
Win32, 93-94, 163
accessing hardware, 6
ASM programming, 24
hooks, 265-266
kernel-mode interface, 103-105, 121-122
and Native API, 95-98
SDK header file, 55
w2k_def.h, 395-396
Win64, 29
Window Manager (USER), 103
Windows NT, 163
.dbg files, 54, 63-65
DDK, 124
debugging interfaces, 24
4GT RAM Tuning, 162
handle table, 414
hooks, 266
SDT comparison, 268-276
system security, 187
Win32K, 103
Windows NT/2000 Native API Reference, 118, 401-402
Windows 3.x, 187
WORD, 15
Workspace template, 125
Wrapper function, 144
IOCTL, 244-246
SC Manager, 152
Write access right, 198, 328
w2k_dbg.dll, 29-33
w2k_def.h, 118-119, 395-396
w2k_img.dll, 58, 69, 83-84, 88
w2k_kill.sys, 6-8, 142
w2k_mem.exe, 230-232
w2k_sym.exe, 24, 29, 50-51
w2k_sym2.exe, 90-92
w2kCall, 368-372, 384
w2kCopy, 375
w2kDirectoryOpen, 435-437w2kFilePath, 246-248
w2kObjectOpen, 437-438
w2kServiceList, 156-159
w2kServiceLoad, 153, 246-248
w2kSpyClone, 436
w2kSpyControl, 364
w2kSpyRead, 380

X

x command, 15-16
+x switch, 240, 242
X86 data structure, 172-181
X86_DESCRIPTOR, 173, 186-187
X86_GATE, 173-174
X86_LINEAR, 181
X86_OFFSET, 183
X86_PAGE, 183
X86_PAGES, 183-184
X86_PDBR, 176-177
X86_PDE, 177, 184
X86_PDI, 181-183
X86_PE, 177
X86_PNPE, 177
X86_PTE, 177, 183-184
X86_PTI, 181-183
X86_REGISTER, 173
X86_SELECTOR, 173, 185
X86_TABLE, 174

Z

Zbikowski, Mark, 33
Zw* function set, 93-94, 97, 346-347
ZwQuerySystemInformation, 346-348

Updates

Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020