Reversing : The Hacker's Guide to Reverse Engineering
Portable
Unlike the original Windows product, Windows NT was written in a combination of C and C++, which means that it can be ...
a different assembly language. Focusing exclusively on 32-bit versions of Windows makes sense because this book only deals wit ...
memory that is only accessible while the processor is in privileged mode. User mode is the nonprivileged mode: when the system i ...
body; nothing could be farther from the truth. Page faults have a bad reputation because any program or system crash is usuall ...
that the kernel memory is always available, regardless of which process is currently running. The upper 2 GB are, of course, p ...
Figure 3.1 A typical layout of the Windows kernel memory address space.

Terminal Services Session Space
This memory area is used ...
sessions on a single Windows system. In order to implement this feature, Microsoft has made the Win32 memory space “session priv ...
mapping the same section object into both the kernel address space and one or more user-mode address spaces. Finally, it should ...
space—every application is different. Still, it is important to understand how applications use memory and how to detect differe ...
up any memory. Committing a block means that we actually allocate space for it in the system page file. No physical memory will ...
Viewing objects from user mode, as most applications do, gives them a somewhat mysterious aura. It is important to understand th ...
Figure 3.2 Objects and process handle tables. [figure labels: User-Mode, Kernel-Mode, Process, Access Mask: Read Write, Object Pointer] ...
Named objects are arranged in hierarchical directories, but the Win32 API restricts user-mode applications’ access to these dire ...
Processes
A process is a fundamental building block in Windows. A process is many things, but it is predominantly an isolated me ...
An interesting aspect of the Windows architecture is that the kernel is preemptive and interruptible, meaning that a thread can ...
What happens when a thread doesn’t just give up the processor? This could easily happen if it just has a lot of work to do. Thin ...
Mutexes
A mutex (from mutually exclusive) is an object that can only be acquired by one thread at any given moment. Any threads ...
At this point control is passed into LdrpRunInitializeRoutines, which is an internal NTDLL.DLL routine responsible for initializ ...
If you’re going to be doing serious reversing of Windows applications, it is going to be important for you to understand the Win ...
The following are the key components in the Win32 API:
■ Kernel APIs (also called the BASE APIs) are implemented in the KERNEL32 ...