Windows NT/2000 Native API Reference

Author: Gary Nebbett, 齐舒室
Publisher: China Machine Press (机械工业出版社)
Tags: Windows

About the book

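This handbook describes the Windows NT/2000 native application programming interface (API) in detail. For each API it clearly gives the description, members (parameters), related Win32 functions, and return values, with remarks where necessary. It is intended as a reference for programmers developing Windows NT/2000 applications who want to improve their programming efficiency quickly. By consulting it, readers can gain a thorough understanding of the system services provided by Windows NT and Windows 2000, make fuller use of the system's capabilities, and build a sound basis for application development.

As a unique tool for software developers, this handbook includes: the more than 200 routines contained in the Native API; detailed descriptions of routines that cannot be accessed directly through the Win32 API and of routines that offer substantial additional functionality; example programs and applications that demonstrate how particular routines are used; and the core structures that support the development of user-mode applications.

For programmers who write applications and system programs, this handbook can help you: develop key tools and techniques such as debuggers and analysis tools; identify functionality that appears to be missing or is merely undocumented; understand how the API changed with the arrival of Windows 2000; and deepen your understanding of the Windows NT kernel.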

Table of contents

Translator's preface

Introduction

Chapter 1 System Information and Control

ZwQuerySystemInformation

ZwSetSystemInformation

SYSTEM_INFORMATION_CLASS

SystemBasicInformation

SystemProcessorInformation

SystemPerformanceInformation

SystemTimeOfDayInformation

SystemProcessesAndThreadsInformation

SystemCallCounts

SystemConfigurationInformation

SystemProcessorTimes

SystemGlobalFlag

SystemModuleInformation

SystemLockInformation

SystemHandleInformation

SystemObjectInformation

SystemPagefileInformation

SystemInstructionEmulationCounts

SystemCacheInformation

SystemPoolTagInformation

SystemProcessorStatistics

SystemDpcInformation

SystemLoadImage

SystemUnloadImage

SystemTimeAdjustment

SystemCrashDumpInformation

SystemExceptionInformation

SystemCrashDumpStateInformation

SystemKernelDebuggerInformation

SystemContextSwitchInformation

SystemRegistryQuotaInformation

SystemLoadAndCallImage

SystemPrioritySeparation

SystemTimeZoneInformation

SystemLookasideInformation

SystemTimeSlipEvent

SystemSetTimeSlipEvent

SystemCreateSession

SystemDeleteSession

SystemRangeStartInformation

SystemVerifierInformation

SystemAddVerifier

SystemSessionProcessesInformation

SystemPoolBlocksInformation

SystemMemoryUsageInformation

Example 1.1: A partial implementation of the ToolHelp library

Example 1.2: Listing the open handles of a process

ZwQuerySystemEnvironmentValue

ZwSetSystemEnvironmentValue

ZwShutdownSystem

ZwSystemDebugControl

Example 1.3: Setting an internal breakpoint

Example 1.4: Getting trace information

Chapter 2 Objects, Object Directories, and Symbolic Links

OBJECT_ATTRIBUTES

ZwQueryObject

ZwSetInformationObject

OBJECT_INFORMATION_CLASS

ObjectBasicInformation

ObjectNameInformation

ObjectTypeInformation

ObjectAllTypesInformation

ObjectHandleInformation

ZwDuplicateObject

ZwMakeTemporaryObject

ZwClose

Example 2.1: Listing the open handles of a process

ZwQuerySecurityObject

ZwSetSecurityObject

ZwCreateDirectoryObject

ZwOpenDirectoryObject

ZwQueryDirectoryObject

ZwCreateSymbolicLinkObject

ZwOpenSymbolicLinkObject

ZwQuerySymbolicLinkObject

Chapter 3 Virtual Memory

ZwAllocateVirtualMemory

ZwFreeVirtualMemory

ZwQueryVirtualMemory

MEMORY_INFORMATION_CLASS

MemoryBasicInformation

MemoryWorkingSetList

MemorySectionName

ZwLockVirtualMemory

ZwUnlockVirtualMemory

ZwReadVirtualMemory

ZwWriteVirtualMemory

ZwProtectVirtualMemory

ZwFlushVirtualMemory

ZwAllocateUserPhysicalPages

ZwFreeUserPhysicalPages

ZwMapUserPhysicalPages

ZwMapUserPhysicalPagesScatter

ZwGetWriteWatch

ZwResetWriteWatch

Chapter 4 Sections

ZwCreateSection

ZwOpenSection

ZwQuerySection

SECTION_INFORMATION_CLASS

SectionBasicInformation

SectionImageInformation

ZwExtendSection

ZwMapViewOfSection

ZwUnmapViewOfSection

ZwAreMappedFilesTheSame

Chapter 5 Threads

ZwCreateThread

ZwOpenThread

ZwTerminateThread

ZwQueryInformationThread

ZwSetInformationThread

THREADINFOCLASS

ThreadBasicInformation

ThreadPriority

ThreadBasePriority

ThreadAffinityMask

ThreadImpersonationToken

ThreadEnableAlignmentFaultFixup

ThreadEventPair

ThreadQuerySetWin32StartAddress

ThreadZeroTlsCell

ThreadPerformanceCount

ThreadAmILastThread

ThreadIdealProcessor

ThreadPriorityBoost

ThreadSetTlsArrayAddress

ThreadIsIoPending

ThreadHideFromDebugger

ZwSuspendThread

ZwResumeThread

ZwGetContextThread

ZwSetContextThread

ZwQueueApcThread

ZwTestAlert

ZwAlertThread

ZwAlertResumeThread

ZwRegisterThreadTerminatePort

ZwImpersonateThread

ZwImpersonateAnonymousToken

Chapter 6 Processes

ZwCreateProcess

ZwOpenProcess

ZwTerminateProcess

ZwQueryInformationProcess

ZwSetInformationProcess

PROCESSINFOCLASS

ProcessBasicInformation

ProcessQuotaLimits

ProcessIoCounters

ProcessVmCounters

ProcessTimes

ProcessBasePriority

ProcessRaisePriority

ProcessDebugPort

ProcessExceptionPort

ProcessAccessToken

ProcessDefaultHardErrorMode

ProcessPooledUsageAndLimits

ProcessWorkingSetWatch

ProcessUserModeIOPL

ProcessEnableAlignmentFaultFixup

ProcessPriorityClass

ProcessWx86Information

ProcessHandleCount

ProcessAffinityMask

ProcessPriorityBoost

ProcessDeviceMap

ProcessSessionInformation

ProcessForegroundInformation

ProcessWow64Information

RtlCreateProcessParameters

RtlDestroyProcessParameters

PROCESS_PARAMETERS

RtlCreateQueryDebugBuffer

RtlQueryProcessDebugInformation

RtlDestroyQueryDebugBuffer

DEBUG_BUFFER

DEBUG_MODULE_INFORMATION

DEBUG_HEAP_INFORMATION

DEBUG_LOCK_INFORMATION

Example 6.1: Forking a Win32 process

Example 6.2: Creating a Win32 process

Example 6.3: Extending the ToolHelp library using RtlQueryProcessDebugInformation

Chapter 7 Jobs

ZwCreateJobObject

ZwOpenJobObject

ZwTerminateJobObject

ZwAssignProcessToJobObject

ZwQueryInformationJobObject

ZwSetInformationJobObject

JOBOBJECTINFOCLASS

JobObjectBasicAccountingInformation

JobObjectBasicLimitInformation

JobObjectBasicProcessIdList

JobObjectBasicUIRestrictions

JobObjectSecurityLimitInformation

JobObjectEndOfJobTimeInformation

JobObjectAssociateCompletionPortInformation

JobObjectBasicAndIoAccountingInformation

JobObjectExtendedLimitInformation

Chapter 8 Tokens

ZwCreateToken

ZwOpenProcessToken

ZwOpenThreadToken

ZwDuplicateToken

ZwFilterToken

ZwAdjustPrivilegesToken

ZwAdjustGroupsToken

ZwQueryInformationToken

ZwSetInformationToken

TOKEN_INFORMATION_CLASS

TokenUser

TokenGroups and TokenRestrictedSids

TokenPrivileges

TokenOwner

TokenPrimaryGroup

TokenDefaultDacl

TokenSource

TokenType

TokenImpersonationLevel

TokenStatistics

TokenSessionId

Example 8.1: Creating a command window for the SYSTEM user

Chapter 9 Synchronization

ZwWaitForSingleObject

ZwSignalAndWaitForSingleObject

ZwWaitForMultipleObjects

ZwCreateTimer

ZwOpenTimer

ZwCancelTimer

ZwSetTimer

ZwQueryTimer

TIMER_INFORMATION_CLASS

TimerBasicInformation

ZwCreateEvent

ZwOpenEvent

ZwSetEvent

ZwPulseEvent

ZwResetEvent

ZwClearEvent

ZwQueryEvent

EVENT_INFORMATION_CLASS

EventBasicInformation

ZwCreateSemaphore

ZwOpenSemaphore

ZwReleaseSemaphore

ZwQuerySemaphore

SEMAPHORE_INFORMATION_CLASS

SemaphoreBasicInformation

ZwCreateMutant

ZwOpenMutant

ZwReleaseMutant

ZwQueryMutant

MUTANT_INFORMATION_CLASS

MutantBasicInformation

ZwCreateIoCompletion

ZwOpenIoCompletion

ZwSetIoCompletion

ZwRemoveIoCompletion

ZwQueryIoCompletion

IO_COMPLETION_INFORMATION_CLASS

IoCompletionBasicInformation

ZwCreateEventPair

ZwOpenEventPair

ZwWaitLowEventPair

ZwWaitHighEventPair

ZwSetLowWaitHighEventPair

ZwSetHighWaitLowEventPair

ZwSetLowEventPair

ZwSetHighEventPair

Chapter 10 Time

ZwQuerySystemTime

ZwSetSystemTime

ZwQueryPerformanceCounter

ZwSetTimerResolution

ZwQueryTimerResolution

ZwDelayExecution

ZwYieldExecution

ZwGetTickCount

Chapter 11 Execution Profiling

KPROFILE_SOURCE

ZwCreateProfile

ZwSetIntervalProfile

ZwQueryIntervalProfile

ZwStartProfile

ZwStopProfile

Example 11.1: Profiling the kernel

Chapter 12 Ports (Local Procedure Calls)

PORT_MESSAGE

PORT_SECTION_WRITE

PORT_SECTION_READ

ZwCreatePort

ZwCreateWaitablePort

ZwConnectPort

ZwSecureConnectPort

ZwListenPort

ZwAcceptConnectPort

ZwCompleteConnectPort

ZwRequestPort

ZwRequestWaitReplyPort

ZwReplyPort

ZwReplyWaitReplyPort

ZwReplyWaitReceivePort

ZwReplyWaitReceivePortEx

ZwReadRequestData

ZwWriteRequestData

ZwQueryInformationPort

PORT_INFORMATION_CLASS

PortBasicInformation

ZwImpersonateClientOfPort

Example 12.1: Connecting to a named port

Chapter 13 Files

ZwCreateFile

ZwOpenFile

ZwDeleteFile

ZwFlushBuffersFile

ZwCancelIoFile

ZwReadFile

ZwWriteFile

ZwReadFileScatter

ZwWriteFileGather

ZwLockFile

ZwUnlockFile

ZwDeviceIoControlFile

ZwFsControlFile

ZwNotifyChangeDirectoryFile

FILE_NOTIFY_INFORMATION

ZwQueryEaFile

ZwSetEaFile

FILE_FULL_EA_INFORMATION

FILE_GET_EA_INFORMATION

ZwCreateNamedPipeFile

ZwCreateMailslotFile

ZwQueryVolumeInformationFile

ZwSetVolumeInformationFile

FS_INFORMATION_CLASS

FileFsVolumeInformation

FileFsLabelInformation

FileFsSizeInformation

FileFsDeviceInformation

FileFsAttributeInformation

FileFsControlInformation

FileFsFullSizeInformation

FileFsObjectIdInformation

ZwQueryQuotaInformationFile

ZwSetQuotaInformationFile

FILE_USER_QUOTA_INFORMATION

FILE_QUOTA_LIST_INFORMATION

ZwQueryAttributesFile

ZwQueryFullAttributesFile

ZwQueryInformationFile

ZwSetInformationFile

ZwQueryDirectoryFile

ZwQueryOleDirectoryFile

FILE_INFORMATION_CLASS

FileDirectoryInformation

FileFullDirectoryInformation

FileBothDirectoryInformation

FileBasicInformation

FileStandardInformation

FileInternalInformation

FileEaInformation

FileAccessInformation

FileNameInformation

FileRenameInformation and FileLinkInformation

FileNamesInformation

FileDispositionInformation

FilePositionInformation

FileModeInformation

FileAlignmentInformation

FileAllInformation

FileAllocationInformation

FileEndOfFileInformation

FileStreamInformation

FilePipeInformation

FilePipeLocalInformation

FilePipeRemoteInformation

FileMailslotQueryInformation

FileMailslotSetInformation

FileCompressionInformation

FileObjectIdInformation

FileCompletionInformation

FileMoveClusterInformation

FileQuotaInformation

FileReparsePointInformation

FileNetworkOpenInformation

FileAttributeTagInformation

Example 13.1: Opening a file by file identifier

Chapter 14 Registry Keys

ZwCreateKey

ZwOpenKey

ZwDeleteKey

ZwFlushKey

ZwSaveKey

ZwSaveMergedKey

ZwRestoreKey

ZwLoadKey

ZwLoadKey2

ZwUnloadKey

ZwQueryOpenSubKeys

ZwReplaceKey

ZwSetInformationKey

KEY_SET_INFORMATION_CLASS

KeyLastWriteTimeInformation

ZwQueryKey

ZwEnumerateKey

KEY_INFORMATION_CLASS

KeyBasicInformation

KeyNodeInformation

KeyFullInformation

KeyNameInformation

ZwNotifyChangeKey

ZwNotifyChangeMultipleKeys

ZwDeleteValueKey

ZwSetValueKey

ZwQueryValueKey

ZwEnumerateValueKey

KEY_VALUE_INFORMATION_CLASS

KeyValueBasicInformation

KeyValueFullInformation and KeyValueFullInformationAlign64

KeyValuePartialInformation

ZwQueryMultipleValueKey

KEY_VALUE_ENTRY

ZwInitializeRegistry

Chapter 15 Security and Auditing

ZwPrivilegeCheck

ZwPrivilegeObjectAuditAlarm

ZwPrivilegeServiceAuditAlarm

ZwAccessCheck

ZwAccessCheckAndAuditAlarm

ZwAccessCheckByType

ZwAccessCheckByTypeAndAuditAlarm

ZwAccessCheckByTypeResultList

ZwAccessCheckByTypeResultListAndAuditAlarm

ZwAccessCheckByTypeResultListAndAuditAlarmByHandle

ZwOpenObjectAuditAlarm

ZwCloseObjectAuditAlarm

ZwDeleteObjectAuditAlarm

Chapter 16 Plug and Play and Power Management

ZwRequestWakeupLatency

ZwRequestDeviceWakeup

ZwCancelDeviceWakeupRequest

ZwIsSystemResumeAutomatic

ZwSetThreadExecutionState

ZwGetDevicePowerState

ZwSetSystemPowerState

ZwInitiatePowerAction

ZwPowerInformation

POWER_INFORMATION_LEVEL

SystemPowerPolicyAc, SystemPowerPolicyDc, SystemPowerPolicyCurrent

SystemPowerCapabilities

SystemBatteryState

SystemPowerStateHandler

ProcessorStateHandler

AdministratorPowerPolicy

ProcessorInformation

SystemPowerInformation

ZwPlugPlayControl

ZwGetPlugPlayEvent

Chapter 17 Other System Services

ZwRaiseException

ZwContinue

ZwW32Call

ZwCallbackReturn

ZwSetLowWaitHighThread

ZwSetHighWaitLowThread

ZwLoadDriver

ZwUnloadDriver

ZwFlushInstructionCache

ZwFlushWriteBuffer

ZwQueryDefaultLocale

ZwSetDefaultLocale

ZwQueryDefaultUILanguage

ZwSetDefaultUILanguage

ZwQueryInstallUILanguage

ZwAllocateLocallyUniqueId

ZwAllocateUuids

ZwSetUuidSeed

ZwRaiseHardError

ZwSetDefaultHardErrorPort

ZwDisplayString

ZwCreatePagingFile

ZwAddAtom

ZwFindAtom

ZwDeleteAtom

ZwQueryInformationAtom

ATOM_INFORMATION_CLASS

AtomBasicInformation

AtomListInformation

ZwSetLdtEntries

ZwVdmControl

Unimplemented System Services

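Appendix A Calling System Services from Kernel Mode

Example A.1: Re-implementing NtQueryEvent

Example A.2: Dynamically binding to ntdll.dll

Appendix B Intel Platform-Specific Entry Points to Kernel Mode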

KiTrap03

KiTrap04

KiGetTickCount

KiCallbackReturn

KiSetLowWaitHighThread

KiDebugService

KiSystemService

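Appendix C Exceptions and Debugging

Example C.1: Pseudocode for KiDispatchException

Example C.2: Pseudocode for KiUserExceptionDispatcher

The kernel debugger

Example C.3: Pseudocode for DebugService

User-mode debuggers

DEBUG_MESSAGE

Debug message routing

Values added by the routing process

OutputDebugString

Tracing calls to routines exported by DLLs

Example C.4: A trace utility

Appendix D NTFS On-Disk Structure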

NTFS_RECORD_HEADER

FILE_RECORD_HEADER

ATTRIBUTE

RESIDENT_ATTRIBUTE

NONRESIDENT_ATTRIBUTE

AttributeStandardInformation

AttributeAttributeList

AttributeFileName

AttributeObjectId

AttributeSecurityDescriptor

AttributeVolumeName

AttributeVolumeInformation

AttributeData

AttributeIndexRoot

AttributeIndexAllocation

DIRECTORY_INDEX

DIRECTORY_ENTRY

AttributeBitmap

AttributeReparsePoint

AttributeEAInformation

AttributeEA

AttributePropertySet

AttributeLoggedUtilityStream

Special files

Opening special files

Recovering data from deleted files

Example D.1: Recovering data from a file

Example D.2: Decompressing recovered data