Professional Documents
Culture Documents
Index
553
Schr Ch_Index 17/4/01 10:44 AM Page 554
554 INDEX
INDEX 555
556 INDEX
INDEX 557
558 INDEX
Kernel’s Processor Control Block (KPCB), Macro Assembler (MASM), 25, 115,
214, 443-444 294, 296
Kernel’s Processor Control Region (KPCR), Manager handle, 148-149, 157-158
214, 245, 444 Map, memory, 277-279
kernel32.dll, 97 Mask, bit, 189, 192
KeServiceDescriptorTable, 282-284, 394 Mason, W. Anthony, 365
Keyboard poll, 345 Memory dump utility, 238-257
Killer device, 6-8, 146-147 command options, 238-243, 256, 263-264
Kill.exe, 44 demand paging, 254-256
KiSystemService, 107, 282-284 FS addressing, 245-248
KMUTEX, 453 handle/object resolution, 248
KPROCESS, 434-435, 434-437 indirect addressing, 250
KTHREAD, 434-437, 446 loading modules, 252-254
Kyle, J., 145 relative addressing, 248-250
TEB-relative addressing, 244
Memory management, 167-279
L descriptors, 264-272
LARGE_INTEGER, 172 dump commands, 15
Least-recently-used (LRU) schedule, 170 Intel i386, 167-189
Library memory areas, 272-277
C runtime, 110-111 memory blocks, 232-236, 398
DDK, 126-128 memory layout, 168
extended, 111-114, 513-525 memory map, 277-279
ntdll.lib, 122-123 selectors, 21-22
w2k_img.dll, 60, 71 spy driver, 195-210
Linear address, 171-177, 187-190, 278, 372 spy functions, 210-237
Linked list, 120 spy interface, 257-262
List Nearest Symbols, 16 system information, 263-264
LIST_ENTRY, 120 See also Address
ln command, 16, 104-106 Memory segmentation, 194, 264-272
Load address, 83 Intel i386, 168-178
Loading modules, 252-254 segment registers, 168-169, 216, 264-266
LoadLibrary, 358 SPY_IO_SEGMENT, 215-221
Local Descriptor Table (LDT), 174, 218-221 Microsoft Developer Network (MSDN)
Lock Library, 98
global, 452-453 MmGetPhysicalAddress, 178, 190, 226-227,
handle table, 433 393-394
Log file, 312 MmIsAddressValid, 178, 190, 235, 393-394
Logical address, 171-174 Module
LONGLONG, 172 handle, 40-43
loading, 252-254
relationships, 99
M Most recently used (MRU) algorithm, 424
Macro Multi-Format Visual Disassembler
Intel i386, 189-193 (MFVDasm), 22-23, 134
SpyHook, 297-305 Multithreaded environment, 310, 384
Mutex, 206, 453
Schr Ch_Index 17/4/01 10:44 AM Page 559
INDEX 559
N O
Name ObCreateObject, 442
exported, 357-363 Object, 413-464
object, 421, 428 body structure, 428-429
pattern, 347 categories, 414-416
Native API, 97-123 charges and quotas, 422-424
data types, 114-118 creator information, 420-421
dispatch IDs, 108-110 directory, 424-425
function handler, 310-311 dispatcher, 414-416
function sets, 97-98, 101, 364-365 file flags, 528
INT 2Eh handler, 107 handle database, 421-422
interfacing to, 122-123 handle tables, 429-434
monitoring calls, 281 header, 417-420
nesting level, 310-311 I/O, 415-416
runtime library, 110-114 mutex, 206
SDTs, 102-106, 281-324 name, 421, 428
service dispatcher, 99-102 process/thread, 434-443
undocumentedness, 98-99 type, 419, 425-429
Win32 kernel-mode interface, 108-110 Object browser, 452-464
See also Spy device cloning structures and functions,
Native API call, 281-348 455-458
garbage filter, 316-320 command help, 462
hook dispatcher, 296-311 global lock, 452-453
hook management functions, 324-338 object manager thunks, 452-453
hook protocol, 311-316 Object Module Format (OMF), 65, 69
INT 2Eh handler, 282 OBJECT_ATTRIBUTES, 119
SDTs, 282-293 OBJECT_CREATOR_INFO, 420
NB09 format, 65-66 OBJECT_DIRECTORY, 424-425
NB10 format, 72 OBJECT_HANDLE_DB, 422
Nebbett, Gary, 36, 110, 123, 419-420, 433 OBJECT_NAME, 421
Nesting level, 310-311 OBJECT_QUOTA_CHARGES, 423
NT. See Windows NT OBJECT_TYPE, 425-427
Nt* function set, 97-98, 101, 364-365 ObReferenceObjectByHandle, 236-237
NT Insider, The, 12, 14 Offset
NtBuildNumber, 394 .dbg files, 59-63
ntdll.dll library, 99-101, 110-114, 122-123 export section, 378
ntoskrn1.exe, 99-102, 110-114 memory dump utility, 248-250
exported variables, 211 object headers, 419, 421
handle tables, 433 OMAP, 85-86
memory management, 178 OMAP address conversion, 84-92
NTPROC, 104 .dbg files, 63, 84
NtQuerySystemInformation, 35-36, Open Systems Resources (OSR), 2
39-40, 114 OpenProcess, 43
address computation, 83 Optimization, 170-171
handle tables, 433 Ordinal number array, 372
kernel API calls, 364-366 Output buffer, 203, 207
strings, 117 Overflow, 337-338
NULL pointer, 6
Schr Ch_Index 17/4/01 10:44 AM Page 560
560 INDEX
P Postmortem debugging, 2
ppbFormats, 306
+p switch, 250
ppbSymbols, 306-308
Page entry, 183, 230-232
pProcessorControlRegion, 214
Page-Directory Base Register (PDBR), 175-
#pragma directive, 144
176, 182, 230
Privilege level, 43-45
Page-directory entry (PDE), 175-178, 183,
DPL, 265
190
kernel-mode drivers, 145, 227
SPY_IO_PDE_ARRAY, 229-230
memory segmentation, 194
Page-directory index (PDI), 187, 189
module relationships, 99
Page-frame number (PFN), 175, 178,
Process
182-183
context, 443-447
Page-level write-through (PWT), 183
handle, 40-43, 46
Page-not-present entry (PNPE), 183
ID, 38-39, 43, 121, 421
Page-table entry (PTE), 175-178, 183,
module, 40-43
189-190
object, 434-443
Page-table index (PTI), 187, 189
Process Environment Block (PEB), 43,
Paging
447-451
charges and quotas, 423
!processfields, 16-18, 98, 434
crash dump, 3, 7
Program Database (PDB) file. See .pdb file
demand, 168-178, 182-187, 254-256
Project template, 129
page fault, 170
Protected Virtual Address Mode, 169
swapping to pagefiles, 254-256
Protocol, API hook, 311-316
PASCAL string, 69
buffer, 336-339
Pattern
entry format, 312-313
name, 347
filter, 316-320, 332-333
string, 345
reader, 338-348
Pcb, 434
Proxy, 393
.pdb file, 56, 72-82
psapi.dll, 25-31, 36
header, 75-77
Pseudo handle, 46
linkage, 72-73
PSTR type, 116
stream directory, 77-81
PTSTR type, 46
PDB_PUBSYM, 81
PWSTR type, 116
Pentium CPU, 167-171
PEview, 22, 24-25, 134
Physical address, 171-172, 176-178, 278 Q
Physical Address Extension (PAE), 168, q command, 22
172, 226-227 Quota, resource, 422-424
Pietrek, Matt, 45, 57, 65, 72, 84, 281
Pointer
bad, 351 R
invalid, 316 Radburn, Wayne J., 22, 25
KTHREAD/ETHREAD, 446-447 .rc file, 130
NULL, 6 Read access right, 345
object, 414 Real-Address Mode, 169
table, 284-285 Registry key, 131
Portable Executable (PE) file, 24-26, 353 Relative addressing, 248-250
directory IDs, 528 Requested Privilege Level (RPL), 179
exported names, 357-363, 370-372 Resource script, 144
Schr Ch_Index 17/4/01 10:44 AM Page 561
INDEX 561
562 INDEX
INDEX 563
CD-ROM
Warranty
Addison-Wesley warrants the enclosed disc to be free of defects in materials and
faulty workmanship under normal use for a period of ninety days after purchase. If a
defect is discovered in the disc during this warranty period, a replacement disc can be
obtained at no charge by sending the defective disc, postage prepaid, with proof of
purchase to:
Editorial Department
Addison-Wesley Professional
Pearson Technology Group
75 Arlington Street, Suite 300
Boston, MA 02116
Email: AWPro@awl.com