Chapter One starts with a guided tour through setup and use of the Windows 2000 Kernel Debugger, one of the most helpful tools for system exploration. Other highlights are the official Windows 2000 debugging interfaces, in the form of the psapi.dll, imagehlp.dll, and dbghelp.dll components. The chapter closes with detailed descriptions of the layouts of Microsoft CodeView and Program Database (PDB) files, complemented by a sample symbol file parser DLL and an accompanying client application.

Chapter Two introduces the Windows 2000 Native API, discussing the main system service dispatcher, the various API function groups exported by ntdll.dll and ntoskrnl.exe, and the data types most frequently used by these components.

Chapter Three is a short and easy introduction to basic kernel-mode driver development. It is by no means intended as a tutorial for heavy-duty hardware driver developers. It simply points out the essentials required to understand the sample code in subsequent chapters, including loading and unloading driver modules at runtime via the Service Control Manager interface. Probably the most interesting highlight is the description of the customizable driver wizard included with full source code on the companion CD.

Chapter Four is certainly the most challenging chapter for readers suffering from hardware phobia, because it starts with a detailed description of the Intel Pentium CPU features used by the Windows 2000 memory manager. Anyone who survives this section is rewarded with extensive sample code for a memory spy device that visualizes prohibited memory regions and internal memory manager data structures. Also included is a Windows 2000 memory map that outlines how the system makes use of the vast 4-GB address space offered by the Pentium CPU family.
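As an added example, not code from the book or its companion CD, here is a host-side model of the two things this chapter combines: the two-level Pentium page translation (4-KB pages, optional 4-MB pages, user/supervisor checks) and the Windows 2000 self-map, which on x86 without PAE places all page tables at 0xC0000000 and therefore the page directory at 0xC0300000, so the PTE or PDE of any virtual address can be found by arithmetic alone. The four "physical" frames and the page-directory contents that build_sample_tables() fills in are constructed for this example and are an assumption for illustration; they do not reproduce a real Windows 2000 page directory.

```c
/* Added example, not code from the book or its companion CD: a host-side model of
 * two-level x86 paging plus the Windows 2000 self-map arithmetic. Assumes classic
 * 32-bit paging without PAE. The frames and tables below are constructed for the
 * example and do not reproduce a real Windows 2000 page directory. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT   12
#define PDI_SHIFT    22
#define INDEX_MASK   0x3FFu
#define PAGE_MASK    0xFFFFF000u
#define OFFSET_MASK  0x00000FFFu
#define LARGE_MASK   0xFFC00000u   /* frame part of a 4-MB page address */

/* PDE/PTE bits used here (IA-32 paging structures) */
#define PG_PRESENT   0x001u
#define PG_WRITABLE  0x002u
#define PG_USER      0x004u
#define PG_LARGE     0x080u        /* PS bit in a PDE: maps a 4-MB page directly */

/* Windows 2000 x86 (non-PAE): page tables self-mapped at 0xC0000000, so the
 * page directory itself appears at 0xC0300000 */
#define W2K_PTE_BASE 0xC0000000u
#define W2K_PDE_BASE 0xC0300000u

#define NFRAMES 4
static uint32_t phys[NFRAMES][1024];   /* constructed physical memory, 4 KB per frame */
static int tables_built;

uint32_t w2k_pte_address(uint32_t va) { return W2K_PTE_BASE + (va >> PAGE_SHIFT) * 4; }
uint32_t w2k_pde_address(uint32_t va) { return W2K_PDE_BASE + (va >> PDI_SHIFT) * 4; }

typedef enum { XLATE_OK, XLATE_NO_PDE, XLATE_NO_PTE, XLATE_USER_DENIED, XLATE_BAD_PFN } xlate_t;

/* Walk the tables as the MMU does, starting at the directory in frame cr3_pfn.
 * user_mode applies the supervisor check that makes kernel space "prohibited". */
xlate_t translate(uint32_t cr3_pfn, uint32_t va, int user_mode, uint32_t *pa)
{
    if (cr3_pfn >= NFRAMES) return XLATE_BAD_PFN;
    uint32_t pde = phys[cr3_pfn][va >> PDI_SHIFT];
    if (!(pde & PG_PRESENT)) return XLATE_NO_PDE;
    if (user_mode && !(pde & PG_USER)) return XLATE_USER_DENIED;
    if (pde & PG_LARGE) {                          /* 4-MB page: no second level */
        *pa = (pde & LARGE_MASK) | (va & ~LARGE_MASK);
        return XLATE_OK;
    }
    uint32_t pt_pfn = pde >> PAGE_SHIFT;
    if (pt_pfn >= NFRAMES) return XLATE_BAD_PFN;
    uint32_t pte = phys[pt_pfn][(va >> PAGE_SHIFT) & INDEX_MASK];
    if (!(pte & PG_PRESENT)) return XLATE_NO_PTE;
    if (user_mode && !(pte & PG_USER)) return XLATE_USER_DENIED;
    *pa = (pte & PAGE_MASK) | (va & OFFSET_MASK);
    return XLATE_OK;
}

/* Constructed layout: frame 0 = page directory (CR3), frame 1 = page table for
 * 0x00000000-0x003FFFFF, frame 2 = user page at VA 0x1000, frame 3 = kernel-only
 * page at VA 0x2000. A 4-MB supervisor page at 0x80000000 stands in for the kernel
 * image region, and PDE 0x300 points back at the directory: the self-map. */
static void build_sample_tables(void)
{
    memset(phys, 0, sizeof phys);
    uint32_t *pd = phys[0], *pt = phys[1];
    pd[0]     = (1u << PAGE_SHIFT) | PG_PRESENT | PG_WRITABLE | PG_USER;
    pd[0x200] = 0x00400000u | PG_PRESENT | PG_WRITABLE | PG_LARGE;
    pd[0x300] = (0u << PAGE_SHIFT) | PG_PRESENT | PG_WRITABLE;
    pt[1]     = (2u << PAGE_SHIFT) | PG_PRESENT | PG_WRITABLE | PG_USER;
    pt[2]     = (3u << PAGE_SHIFT) | PG_PRESENT | PG_WRITABLE;
    tables_built = 1;
}

xlate_t sample_status(uint32_t va, int user_mode)
{
    uint32_t pa = 0;
    if (!tables_built) build_sample_tables();
    return translate(0, va, user_mode, &pa);
}

/* Physical address of va through the sample tables, or 0xFFFFFFFF on any fault */
uint32_t sample_pa(uint32_t va, int user_mode)
{
    uint32_t pa = 0;
    if (!tables_built) build_sample_tables();
    return translate(0, va, user_mode, &pa) == XLATE_OK ? pa : 0xFFFFFFFFu;
}

int main(void)
{
    static const uint32_t probes[] = { 0x00001234u, 0x00002000u, 0x80123456u, 0xC0300000u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t va = probes[i];
        printf("VA %08X PDI %03X PTI %03X | user: %d pa %08X | kernel: %d pa %08X | PTE@%08X PDE@%08X\n",
               va, va >> PDI_SHIFT, (va >> PAGE_SHIFT) & INDEX_MASK,
               sample_status(va, 1), sample_pa(va, 1), sample_status(va, 0), sample_pa(va, 0),
               w2k_pte_address(va), w2k_pde_address(va));
    }
    return 0;
}
```

Two properties worth checking by hand: w2k_pte_address(0xC0000000) lands exactly on W2K_PDE_BASE, which is the whole trick (the PTEs that map the page tables are the PDEs), and a user-mode translate() of 0xC0300000 fails with XLATE_USER_DENIED, which is why a memory spy needs a kernel-mode component to read that region. The model stops at non-PAE paging: booting Windows 2000 with PAE switches to three-level tables with 8-byte entries and a different self-map layout, and the /3GB switch moves the user/kernel split.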

Chapter Five explains in detail how to hook Native API functions, focusing mainly on call parameter monitoring and file/registry tracking. This chapter makes heavy use of inline assembler code and CPU stack manipulation.
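As an added example, not code from the book or its companion CD, here is a host-side model of the table-patching pattern that Native API hooking on Windows 2000/x86 rests on: the system service dispatcher looks a service number up in KeServiceDescriptorTable, whose ServiceTableBase holds the entry points and whose ParamTableBase gives each service's argument-stack size in bytes, and a monitor swaps one ServiceTableBase slot for a wrapper that records the arguments and forwards to the saved original. The stdcall argument stack is modelled as an array of 32-bit values (the real dispatcher copies the caller's stack, which is where the inline assembler comes in), and the three services, their parameter sizes and the result values are constructed stand-ins, not Native API functions.

```c
/* Added example, not code from the book or its companion CD: a host-side model of
 * service-table hooking. The service table, its three services and their argument
 * sizes are constructed for the example; only the descriptor-table field order and
 * the STATUS_INVALID_SYSTEM_SERVICE value are taken from Windows 2000. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8
#define LOG_SIZE 16
#define STATUS_INVALID_SYSTEM_SERVICE 0xC000001Cu

typedef uint32_t (*service_t)(const uint32_t *args);

/* Same field order as the Windows 2000 KeServiceDescriptorTable entry */
typedef struct {
    service_t *ServiceTableBase;
    uint32_t  *ServiceCounterTableBase;
    uint32_t   NumberOfServices;
    uint8_t   *ParamTableBase;          /* argument bytes per service */
} SERVICE_DESCRIPTOR_TABLE;

/* Constructed services: "open" returns a handle, "read" returns bytes read, "close" succeeds */
static uint32_t svc_open(const uint32_t *a)  { return 0x100u + a[0]; }
static uint32_t svc_read(const uint32_t *a)  { return a[2]; }
static uint32_t svc_close(const uint32_t *a) { (void)a; return 0; }

static service_t services[3]    = { svc_open, svc_read, svc_close };
static uint8_t   param_bytes[3] = { 8, 12, 4 };
static uint32_t  counters[3];
static SERVICE_DESCRIPTOR_TABLE sdt = { services, counters, 3, param_bytes };

/* Monitor state: saved originals, a trace ring buffer, and an in-flight counter so the
 * monitor can refuse to unhook (or unload) while a call is still inside a wrapper */
typedef struct { uint32_t index, argc, args[MAX_ARGS], result; } trace_t;
static service_t original[3];
static trace_t   trace_log[LOG_SIZE];
static uint32_t  trace_count, in_flight;

/* Shared wrapper body. The table hands a wrapper no service number, so every slot
 * needs its own small stub that supplies it (the kernel-mode version does this in asm). */
static uint32_t hook_common(uint32_t index, const uint32_t *args)
{
    trace_t *t = &trace_log[trace_count++ % LOG_SIZE];   /* claim the slot first: a nested call gets its own */
    t->index = index;
    t->argc  = sdt.ParamTableBase[index] / 4;            /* dwords on the caller's stack */
    if (t->argc > MAX_ARGS) t->argc = MAX_ARGS;
    memcpy(t->args, args, t->argc * sizeof(uint32_t));
    in_flight++;
    t->result = original[index](args);                   /* forward to the real service */
    in_flight--;
    return t->result;
}
static uint32_t hook0(const uint32_t *a) { return hook_common(0, a); }
static uint32_t hook1(const uint32_t *a) { return hook_common(1, a); }
static uint32_t hook2(const uint32_t *a) { return hook_common(2, a); }
static service_t hooks[3] = { hook0, hook1, hook2 };

int hook_install(uint32_t index)
{
    if (index >= sdt.NumberOfServices || original[index]) return -1;   /* bad index or already hooked */
    original[index] = sdt.ServiceTableBase[index];
    sdt.ServiceTableBase[index] = hooks[index];
    return 0;
}

int hook_remove(uint32_t index)
{
    if (index >= sdt.NumberOfServices || !original[index]) return -1;
    if (sdt.ServiceTableBase[index] != hooks[index]) return -2;        /* someone hooked on top of us; restoring would drop their hook */
    if (in_flight) return -3;                                          /* a call is still executing through a wrapper */
    sdt.ServiceTableBase[index] = original[index];
    original[index] = NULL;
    return 0;
}

/* What the INT 2Eh handler does with the service number passed in EAX */
uint32_t dispatch(uint32_t index, const uint32_t *args)
{
    if (index >= sdt.NumberOfServices) return STATUS_INVALID_SYSTEM_SERVICE;
    sdt.ServiceCounterTableBase[index]++;
    return sdt.ServiceTableBase[index](args);
}

uint32_t trace_entries(void)   { return trace_count; }
uint32_t hooks_in_flight(void) { return in_flight; }
const trace_t *last_trace(void) { return trace_count ? &trace_log[(trace_count - 1) % LOG_SIZE] : NULL; }

int main(void)
{
    const uint32_t open_args[2] = { 7, 0 }, read_args[3] = { 0x107, 0xDEAD0000u, 512 };
    hook_install(0);
    hook_install(1);
    dispatch(0, open_args);
    dispatch(1, read_args);
    for (uint32_t i = 0; i < trace_entries(); i++)
        printf("service %u argc %u args[0]=%08X result %08X\n",
               trace_log[i].index, trace_log[i].argc, trace_log[i].args[0], trace_log[i].result);
    int first = hook_remove(1), second = hook_remove(1);
    printf("unhook 1: %d, unhook 1 again: %d\n", first, second);
    return 0;
}
```

The two checks in hook_remove() are the ones a kernel-mode monitor cannot skip: restoring a slot that another driver has since re-hooked silently unhooks them, and unloading while some thread is still executing inside the wrapper leaves a dangling call on a freed page. In a real driver the in-flight counter must be maintained with interlocked operations and the check-then-restore sequence is still a race on SMP, so unloading has to wait for the counter to drain rather than merely test it.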

Chapter Six is a weird one, as it proposes a general-purpose solution for something commonly considered impossible in the Windows 2000 programming paradigm: calling kernel-mode code from user-mode applications. The sample code in this chapter builds a bridge from the Win32 subsystem to the main kernel interfaces inside ntoskrnl.exe, hal.dll, and other core components. As if this weren't wacky enough, I also show how to call almost any kernel function as long as its entry point is listed in the Windows 2000 symbol files. Don't read this chapter if you are afraid of mortal sins!

Chapter Seven delves deeply into the mysterious waters of the Windows 2000 object manager. The internal structure of kernel objects is one of Microsoft's best-kept secrets: the system gives you no more information about an object than an opaque void* pointer. This chapter unveils what this pointer really points to, and how object structures and handles are maintained and managed by the system. As a special feature, the layout of process and thread objects is discussed in great detail. The grand finale of the book is a sample application that displays the hierarchical arrangement of kernel objects by tracing the relations among various undocumented object structures.

Appendix A is related to Chapter One and contains all commands and command options of the Windows 2000 Kernel Debugger.

Appendix B is related to Chapter Two and summarizes several API functions exported by the Windows 2000 kernel modules.

Appendix C provides an extensive collection of Windows 2000 constants and data types in alphabetical order. This reference list documents several undocumented kernel structures introduced and used throughout the book.


   December 17th, 2000 // Sven B. Schreiber