
Yosifovich Pavel. Windows Kernel Programming

  • File format: pdf
  • Size: 6.56 MB
2nd Edition. — Leanpub, 2022-09-30. — 382 p.
Windows kernel programming is considered by many a dark art, available to a select few who somehow manage to unlock the mysteries of the Windows kernel. Kernel development, however, is no different from user-mode development, at least in general terms. In both cases, a good understanding of the platform is essential for producing high-quality code.
The book is a guide to programming within the Windows kernel, using the well-known Visual Studio integrated development environment (IDE). This environment is familiar to many developers in the Microsoft space, so the learning curve is restricted to kernel understanding, coding and debugging, with less friction from the development tools. The book targets software device drivers, a term I use to refer to drivers that do not deal with hardware. Software kernel drivers have full access to the kernel, allowing them to perform any operation the kernel allows. Some software drivers are more specific, such as file system mini-filters, which are also described in the book.
Who Should Read This Book:
The book is intended for software developers who target the Windows kernel and need to write kernel drivers to achieve their goals. Common scenarios where kernel drivers are employed are in the cyber-security space, where kernel drivers are the chief mechanism for getting notified of important events, with the power to intercept certain operations. The book uses C and C++ for code examples, as the kernel API is all C. C++ is used where it makes sense, where its advantages are obvious in terms of maintenance, clarity, resource management, or any combination of these. The book does not use complex C++ constructs, such as template metaprogramming. The book is not about C++; it's about Windows kernel drivers.
What You Should Know to Use This Book:
Readers should be very comfortable with the C programming language, especially with pointers, structures, and its standard library, as these occur very frequently when working with kernel APIs. Basic C++ knowledge is highly recommended, although it is possible to work through the book with C proficiency only.
Who Should Read This Book
What You Should Know to Use This Book
Book Contents
Sample Code
Windows Internals Overview
Processes
Virtual Memory
Page States
System Memory
Threads
Thread Stacks
System Services (a.k.a. System Calls)
General System Architecture
Handles and Objects
Object Names
Accessing Existing Objects
Getting Started with Kernel Development
Installing the Tools
Creating a Driver Project
The DriverEntry and Unload Routines
Deploying the Driver
Simple Tracing
Kernel Programming Basics
General Kernel Programming Guidelines
Unhandled Exceptions
Termination
Function Return Values
IRQL
C++ Usage
Testing and Debugging
Debug vs. Release Builds
The Kernel API
Functions and Error Codes
Strings
Dynamic Memory Allocation
Linked Lists
The Driver Object
Object Attributes
Device Objects
Opening Devices Directly
Driver from Start to Finish
Driver Initialization
Passing Information to the Driver
Client / Driver Communication Protocol
Creating the Device Object
Client Code
The Create and Close Dispatch Routines
The Write Dispatch Routine
Installing and Testing
Debugging and Tracing
Debugging Tools for Windows
Introduction to WinDbg
Tutorial: User mode debugging basics
Kernel Debugging
Local Kernel Debugging
Local kernel Debugging Tutorial
Full Kernel Debugging
Using a Virtual Serial Port
Using the Network
Kernel Driver Debugging Tutorial
Asserts and Tracing
Asserts
Extended DbgPrint
Other Debugging Functions
Trace Logging
Viewing ETW Traces
Kernel Mechanisms
Interrupt Request Level (IRQL)
Raising and Lowering IRQL
Thread Priorities vs. IRQLs
Deferred Procedure Calls
Using DPC with a Timer
Asynchronous Procedure Calls
Critical Regions and Guarded Regions
Structured Exception Handling
Using __try/__except
Using __try/__finally
Using C++ RAII Instead of __try / __finally
System Crash
Crash Dump Information
Analyzing a Dump File
System Hang
Thread Synchronization
Interlocked Operations
Dispatcher Objects
Mutex
Fast Mutex
Semaphore
Event
Named Events
Executive Resource
High IRQL Synchronization
The Spin Lock
Queued Spin Locks
Work Items
The I/O Request Packet
Introduction to IRPs
Device Nodes
IRP Flow
IRP and I/O Stack Location
Viewing IRP Information
Dispatch Routines
Completing a Request
Accessing User Buffers
Buffered I/O
Direct I/O
User Buffers for IRP_MJ_DEVICE_CONTROL
Putting it All Together: The Zero Driver
Using a Precompiled Header
The DriverEntry Routine
The Create and Close Dispatch Routines
The Read Dispatch Routine
The Write Dispatch Routine
Test Application
Read/Write Statistics
Advanced Programming Techniques (Part 1)
Driver Created Threads
Memory Management
Pool Allocations
Secure Pools
Overloading the new and delete Operators
Lookaside Lists
The "Classic" Lookaside API
The Newer Lookaside API
Calling Other Drivers
Putting it All Together: The Melody Driver
Client Code
Invoking System Services
Example: Enumerating Processes
Process and Thread Notifications
Process Notifications
Implementing Process Notifications
The DriverEntry Routine
Handling Process Exit Notifications
Handling Process Create Notifications
Providing Data to User Mode
The User Mode Client
Thread Notifications
Image Load Notifications
Final Client Code
Remote Thread Detection
The Detector Client