Windows Kernel Programming, 2nd Edition

Introduction
Who Should Read This Book
What You Should Know to Use This Book
Book Contents
Sample Code
Chapter 1: Windows Internals Overview
Processes
Virtual Memory
Page States
System Memory
Threads
Thread Stacks
System Services (a.k.a. System Calls)
General System Architecture
Handles and Objects
Object Names
Accessing Existing Objects
Chapter 2: Getting Started with Kernel Development
Installing the Tools
Creating a Driver Project
The DriverEntry and Unload Routines
Deploying the Driver
Simple Tracing
Summary
Chapter 3: Kernel Programming Basics
General Kernel Programming Guidelines
Unhandled Exceptions
Termination
Function Return Values
IRQL
C++ Usage
Testing and Debugging
Debug vs. Release Builds
The Kernel API
Functions and Error Codes
Strings
Dynamic Memory Allocation
Linked Lists
The Driver Object
Object Attributes
Device Objects
Opening Devices Directly
Summary
Chapter 4: Driver from Start to Finish
Introduction
Driver Initialization
Passing Information to the Driver
Client / Driver Communication Protocol
Creating the Device Object
Client Code
The Create and Close Dispatch Routines
The Write Dispatch Routine
Installing and Testing
Summary
Chapter 5: Debugging and Tracing
Debugging Tools for Windows
Introduction to WinDbg
Tutorial: User mode debugging basics
Kernel Debugging
Local Kernel Debugging
Local kernel Debugging Tutorial
Full Kernel Debugging
Using a Virtual Serial Port
Using the Network
Kernel Driver Debugging Tutorial
Asserts and Tracing
Asserts
Extended DbgPrint
Other Debugging Functions
Trace Logging
Viewing ETW Traces
Summary
Chapter 6: Kernel Mechanisms
Interrupt Request Level (IRQL)
Raising and Lowering IRQL
Thread Priorities vs. IRQLs
Deferred Procedure Calls
Using DPC with a Timer
Asynchronous Procedure Calls
Critical Regions and Guarded Regions
Structured Exception Handling
Using __try/__except
Using __try/__finally
Using C++ RAII Instead of __try / __finally
System Crash
Crash Dump Information
Analyzing a Dump File
System Hang
Thread Synchronization
Interlocked Operations
Dispatcher Objects
Mutex
Fast Mutex
Semaphore
Event
Named Events
Executive Resource
High IRQL Synchronization
The Spin Lock
Queued Spin Locks
Work Items
Summary
Chapter 7: The I/O Request Packet
Introduction to IRPs
Device Nodes
IRP Flow
IRP and I/O Stack Location
Viewing IRP Information
Dispatch Routines
Completing a Request
Accessing User Buffers
Buffered I/O
Direct I/O
User Buffers for IRP_MJ_DEVICE_CONTROL
Putting it All Together: The Zero Driver
Using a Precompiled Header
The DriverEntry Routine
The Create and Close Dispatch Routines
The Read Dispatch Routine
The Write Dispatch Routine
Test Application
Read/Write Statistics
Summary
Chapter 8: Advanced Programming Techniques (Part 1)
Driver Created Threads
Memory Management
Pool Allocations
Secure Pools
Overloading the new and delete Operators
Lookaside Lists
The “Classic” Lookaside API
The Newer Lookaside API
Calling Other Drivers
Putting it All Together: The Melody Driver
Client Code
Invoking System Services
Example: Enumerating Processes
Summary
Chapter 9: Process and Thread Notifications
Process Notifications
Implementing Process Notifications
The DriverEntry Routine
Handling Process Exit Notifications
Handling Process Create Notifications
Providing Data to User Mode
The User Mode Client
Thread Notifications
Image Load Notifications
Final Client Code
Remote Thread Detection
The Detector Client
Summary