File name: Windows Kernel Programming (2019).pdf
  Category: Desktop systems
  Development tool:
  File size: 5 MB
  Downloads: 0
  Upload date: 2019-10-20
  Provider: loc****
Description: There is nothing like the power of the kernel in Windows - but how do you write kernel drivers to take advantage of that power? This book will show you how.

The book describes software kernel driver programming for Windows. These drivers don't deal with hardware, but rather with the system itself: processes, threads, modules, registry and more. Kernel code can be used for monitoring important events, and for preventing some of them from occurring if needed. Various filters can be written that intercept calls a driver may be interested in.

CONTENTS
(C) 2019 Pavel Yosifovich

Chapter 1: Windows Internals Overview
  Processes
  Virtual Memory
  Page States
  System Memory
  Threads
  Thread Stacks
  System Services (a.k.a. System Calls)
  General System Architecture
  Handles and Objects
  Object Names
  Accessing Existing Objects

Chapter 2: Getting Started with Kernel Development
  Installing the Tools
  Creating a Driver Project
  The DriverEntry and Unload Routines
  Deploying the Driver
  Simple Tracing
  Exercises
  Summary

Chapter 3: Kernel Programming Basics
  General Kernel Programming Guidelines
  Unhandled Exceptions
  Termination
  Function Return Values
  IRQL
  C++ Usage
  Testing and Debugging
  Debug vs. Release Builds
  The Kernel API
  Functions and Error Codes
  Strings
  Dynamic Memory Allocation
  Lists
  The Driver Object
  Device Objects
  Summary

Chapter 4: Driver from Start to Finish
  Introduction
  Driver Initialization
  Passing Information to the Driver
  Client/Driver Communication Protocol
  Creating the Device Object
  Client Code
  The Create and Close Dispatch Routines
  The DeviceIoControl Dispatch Routine
  Installing and Testing
  Summary

Chapter 5: Debugging
  Debugging Tools for Windows
  Introduction to WinDbg
  Tutorial: User Mode Debugging Basics
  Kernel Debugging
  Local Kernel Debugging
  Local Kernel Debugging Tutorial
  Full Kernel Debugging
  Configuring the Target
  Configuring the Host
  Kernel Driver Debugging Tutorial
  Summary

Chapter 6: Kernel Mechanisms
  Interrupt Request Level
  Raising and Lowering IRQL
  Thread Priorities vs. IRQLs
  Deferred Procedure Calls
  Using DPC with a Timer
  Asynchronous Procedure Calls
  Critical Regions and Guarded Regions
  Structured Exception Handling
  Using __try/__except
  Using __try/__finally
  Using C++ RAII Instead of __try/__finally
  System Crash
  Crash Dump Information
  Analyzing a Dump File
  System Hang
  Thread Synchronization
  Interlocked Operations
  Dispatcher Objects
  Mutex
  Fast Mutex
  Semaphore
  Event
  Executive Resource
  High IRQL Synchronization
  The Spin Lock
  Work Items
  Summary

Chapter 7: The I/O Request Packet
  Introduction to IRPs
  Device Nodes
  IRP Flow
  IRP and I/O Stack Location
  Viewing IRP Information
  Dispatch Routines
  Completing a Request
  Accessing User Buffers
  Buffered I/O
  Direct I/O
  User Buffers for IRP_MJ_DEVICE_CONTROL
  Putting it All Together: The Zero Driver
  Using a Precompiled Header
  The DriverEntry Routine
  The Read Dispatch Routine
  The Write Dispatch Routine
  Test Application
  Summary

Chapter 8: Process and Thread Notifications
  Process Notifications
  Implementing Process Notifications
  The DriverEntry Routine
  Handling Process Exit Notifications
  Handling Process Create Notifications
  Providing Data to User Mode
  The User Mode Client
  Thread Notifications
  Image Load Notifications
  Exercises
  Summary

Chapter 9: Object and Registry Notifications
  Object Notifications
  Pre-Operation Callback
  Post-Operation Callback
  The Process Protector Driver
  Object Notification Registration
  Managing Protected Processes
  The Pre-Callback
  The Client Application
  Registry Notifications
  Handling Pre-Notifications
  Handling Post-Operations
  Performance Considerations
  Implementing Registry Notifications
  Handling Registry Callback
  Modified Client Code
  Exercises
  Summary

Chapter 10: Introduction to File System Mini-Filters
  Introduction
  Loading and Unloading
  Initialization
  Operations Callback Registration
  The Altitude
  Installation
  INF Files
  Installing the Driver
  Processing I/O Operations
  Pre Operation Callbacks
  Post Operation Callbacks
  The Delete Protector Driver
  Handling Pre-Create
  Handling Pre-Set Information
  Some Refactoring
  Generalizing the Driver
  Testing the Modified Driver
  File Names
  File Name Parts
  RAII FLT_FILE_NAME_INFORMATION Wrapper
  The Alternate Delete Protector Driver
  Handling Pre-Create and Pre-Set Information
  Testing the Driver
  Contexts
  Managing Contexts
  Initiating I/O Requests
  The File Backup Driver
  The Post Create Callback
  The Pre-Write Callback
  The Post-Cleanup Callback
  Testing the Driver
  Restoring Backups
  User Mode Communication
  Creating the Communication Port
  User Mode Connection
  Sending and Receiving Messages
  Enhanced File Backup Driver
  The User Mode Client
  Debugging
  Exercises
  Summary

Chapter 11: Miscellaneous Topics
  Driver Signing
  Driver Verifier
  Example Driver Verifier Sessions
  Using the Native API
  Filter Drivers
  Filter Driver Implementation
  Attaching Filters
  Attaching Filters at Arbitrary Time
  Filter Cleanup
  More on Hardware-Based Filter Drivers
  Device Monitor
  Adding a Device to Filter
  Removing a Filter Device
  Initialization and Unload
  Handling Requests
  Testing the Driver
  Results of Requests
  Driver Hooking
  Kernel Libraries
  Summary

Chapter 1: Windows Internals Overview

This chapter describes the most important concepts in the internal workings of Windows. Some of the topics will be described in greater detail later in the book, where they are closely related to the topic at hand. Make sure you understand the concepts in this chapter, as they form the foundation upon which any driver, and even user mode low-level code, is built.

In this chapter:
  • Processes
  • Virtual Memory
  • Threads
  • System Services
  • System Architecture
  • Handles and Objects

Processes

A process is a containment and management object that represents a running instance of a program. The term "process runs", which is used fairly often, is inaccurate. Processes don't run - processes manage. Threads are the ones that execute code and technically run.

From a high-level perspective, a process owns the following:
  • An executable program, which contains the initial code and data used to execute code within the process.
  • A private virtual address space, used for allocating memory for whatever purposes the code within the process needs it.
  • A primary token, which is an object that stores the default security context of the process, used by threads executing code within the process (unless a thread assumes a different token by using impersonation).
  • A private handle table to executive objects, such as events, semaphores and files.
  • One or more threads of execution. A normal user mode process is created with one thread (executing the classic main/WinMain function). A user mode process without threads is mostly useless and under normal circumstances will be destroyed by the kernel.

These elements of a process are depicted in figure 1-1.

[Figure 1-1: Important ingredients of a process - primary token, virtual address descriptors (VADs), handle table, executive objects, executable image (file), and threads]

A process is uniquely identified by its Process ID, which remains unique as long as the kernel process object exists. Once it's destroyed, the same ID may be reused for new processes. It's important to realize that the executable file itself is not a unique identifier of a process. For example, there may be five instances of notepad.exe running at the same time. Each process has its own address space, its own threads, its own handle table, its own unique process ID, etc. All those five processes are using the same image file (notepad.exe) as their initial code and data. Figure 1-2 shows a screenshot of Task Manager's Details tab showing five instances of Notepad.exe, each with its own attributes.