Leanpub Header

Skip to main content
Go to Leanpub.comLeanpub

Windows Kernel Programming, Second Edition

Pavel Yosifovich

Minimum price

$26.90

$37.95

You pay

$37.95

Author earns

$30.36
$

...Or Buy With Credits!

You can get credits with a paid monthly or annual Reader Membership, or you can buy them here.
PDF
EPUB
WEB
706
Readers
614
Pages
About

About

About the Book

Share this book

Feedback

Email the Author

Author

About the Author

Pavel Yosifovich

Pavel Yosifovich is a renowned author, developer, and expert in Windows Internals, system programming, and software development. With extensive experience in low-level programming, he has authored several highly regarded books, including Windows Internals, Part 1 (7th Edition) and Windows 10 System Programming. His works provide deep insights into Windows architecture, kernel-mode development, and debugging techniques, making them essential resources for developers, security researchers, and IT professionals.

Beyond his books, Pavel is also known for his contributions to the developer community through training, blog posts, tools, and technical talks. He offers in-depth courses on TrainSec, where students can learn Windows Internals, debugging, and system programming directly from his expertise. His writing style balances technical depth with clarity, making complex topics accessible to both beginners and experienced programmers. Pavel’s books and courses serve as authoritative guides for those looking to master Windows and programming.

Leanpub Podcast

Episode 257

An Interview with Pavel Yosifovich

Contents

Table of Contents

Introduction

  1. Who Should Read This Book
  2. What You Should Know to Use This Book
  3. Book Contents
  4. Sample Code

Chapter 1: Windows Internals Overview

  1. Processes
  2. Virtual Memory
  3. Page States
  4. System Memory
  5. Threads
  6. Thread Stacks
  7. System Services (a.k.a. System Calls)
  8. General System Architecture
  9. Handles and Objects
  10. Object Names
  11. Accessing Existing Objects

Chapter 2: Getting Started with Kernel Development

  1. Installing the Tools
  2. Creating a Driver Project
  3. The DriverEntry and Unload Routines
  4. Deploying the Driver
  5. Simple Tracing
  6. Summary

Chapter 3: Kernel Programming Basics

  1. General Kernel Programming Guidelines
  2. Unhandled Exceptions
  3. Termination
  4. Function Return Values
  5. IRQL
  6. C++ Usage
  7. Testing and Debugging
  8. Debug vs. Release Builds
  9. The Kernel API
  10. Functions and Error Codes
  11. Strings
  12. Dynamic Memory Allocation
  13. Linked Lists
  14. The Driver Object
  15. Object Attributes
  16. Device Objects
  17. Opening Devices Directly
  18. Summary

Chapter 4: Driver from Start to Finish

  1. Introduction
  2. Driver Initialization
  3. Passing Information to the Driver
  4. Client / Driver Communication Protocol
  5. Creating the Device Object
  6. Client Code
  7. The Create and Close Dispatch Routines
  8. The Write Dispatch Routine
  9. Installing and Testing
  10. Summary

Chapter 5: Debugging and Tracing

  1. Debugging Tools for Windows
  2. Introduction to WinDbg
  3. Tutorial: User mode debugging basics
  4. Kernel Debugging
  5. Local Kernel Debugging
  6. Local kernel Debugging Tutorial
  7. Full Kernel Debugging
  8. Using a Virtual Serial Port
  9. Using the Network
  10. Kernel Driver Debugging Tutorial
  11. Asserts and Tracing
  12. Asserts
  13. Extended DbgPrint
  14. Using Dbgkflt
  15. Other Debugging Functions
  16. Trace Logging
  17. Viewing ETW Traces
  18. Summary

Chapter 6: Kernel Mechanisms

  1. Interrupt Request Level (IRQL)
  2. Raising and Lowering IRQL
  3. Thread Priorities vs. IRQLs
  4. Deferred Procedure Calls
  5. Using DPC with a Timer
  6. Asynchronous Procedure Calls
  7. Critical Regions and Guarded Regions
  8. Structured Exception Handling
  9. Using __try/__except
  10. Using __try/__finally
  11. Using C++ RAII Instead of __try / __finally
  12. System Crash
  13. Crash Dump Information
  14. Analyzing a Dump File
  15. System Hang
  16. Thread Synchronization
  17. Interlocked Operations
  18. Dispatcher Objects
  19. Mutex
  20. Fast Mutex
  21. Semaphore
  22. Event
  23. Named Events
  24. Executive Resource
  25. High IRQL Synchronization
  26. The Spin Lock
  27. Queued Spin Locks
  28. Work Items
  29. Summary

Chapter 7: The I/O Request Packet

  1. Introduction to IRPs
  2. Device Nodes
  3. IRP Flow
  4. IRP and I/O Stack Location
  5. Viewing IRP Information
  6. Dispatch Routines
  7. Completing a Request
  8. Accessing User Buffers
  9. Buffered I/O
  10. Direct I/O
  11. User Buffers for IRP_MJ_DEVICE_CONTROL
  12. Putting it All Together: The Zero Driver
  13. Using a Precompiled Header
  14. The DriverEntry Routine
  15. The Create and Close Dispatch Routines
  16. The Read Dispatch Routine
  17. The Write Dispatch Routine
  18. Test Application
  19. Read/Write Statistics
  20. Summary

Chapter 8: Advanced Programming Techniques (Part 1)

  1. Driver Created Threads
  2. Memory Management
  3. Pool Allocations
  4. Secure Pools
  5. Overloading the new and delete Operators
  6. Lookaside Lists
  7. The “Classic” Lookaside API
  8. The Newer Lookaside API
  9. Calling Other Drivers
  10. Putting it All Together: The Melody Driver
  11. Client Code
  12. Invoking System Services
  13. Example: Enumerating Processes
  14. Summary

Chapter 9: Process and Thread Notifications

  1. Process Notifications
  2. Implementing Process Notifications
  3. The DriverEntry Routine
  4. Handling Process Exit Notifications
  5. Handling Process Create Notifications
  6. Providing Data to User Mode
  7. The User Mode Client
  8. Thread Notifications
  9. Image Load Notifications
  10. Final Client Code
  11. Remote Thread Detection
  12. The Detector Client
  13. Summary

Chapter 10: Object and Registry Notifications

  1. Object Notifications
  2. Desktop Objects
  3. Pre-Operation Callback
  4. Post-Operation Callback
  5. The Process Protector Driver
  6. Object Notification Registration
  7. Managing Protected Processes
  8. The Pre-Callback
  9. The Client Application
  10. Registry Notifications
  11. Registry Overview
  12. Using Registry Notifications
  13. Handling Pre-Notifications
  14. Handling Post-Operations
  15. Extending the SysMon Driver
  16. Handling Registry Callback
  17. Modified Client Code
  18. Performance Considerations
  19. Miscellaenous Notes
  20. Summary

Chapter 11: Advanced Programming Techniques (Part 2)

  1. Timers
  2. Kernel Timers
  3. Timer Resolution
  4. High-Resolution Timers
  5. I/O Timer
  6. Generic Tables
  7. Splay Trees
  8. Tables Sample Driver
  9. Testing the Tables Driver
  10. AVL Trees
  11. Hash Tables
  12. Singly Linked Lists
  13. Sequenced Singly-Linked Lists
  14. Callback Objects

Chapter 12: File System Mini-Filters

  1. Introduction
  2. Loading and Unloading
  3. Initialization
  4. Pipes and Mailslots
  5. Direct Access Volume (DAX or DAS)
  6. Operations Callback Registration
  7. The Altitude
  8. Installation
  9. Installing the Driver
  10. Processing I/O Operations
  11. Pre Operation Callbacks
  12. Post Operation Callbacks
  13. File Names
  14. File Name Parts
  15. RAII FLT_FILE_NAME_INFORMATION wrapper
  16. The Delete Protector Driver
  17. Handling Pre-Create
  18. Handling Pre-Set Information
  19. DelProtect Configuration
  20. Testing the Modified Driver
  21. The Directory Hiding Driver
  22. Managing Directories
  23. Phase 1: Prevent Access
  24. Phase 2: Making a Directory Invisible
  25. Contexts
  26. Context Types
  27. Managing Contexts
  28. Initiating I/O Requests
  29. The File Backup Driver
  30. The Post Create Callback
  31. The Pre-Write Callback
  32. The Post-Cleanup Callback
  33. Testing the Driver
  34. Restoring Backups
  35. File Copying with a Section Object
  36. User Mode Communication
  37. Creating the Communication Port
  38. User Mode Connection
  39. Sending and Receiving Messages
  40. Enhanced Backup Driver
  41. The User Mode Client
  42. Debugging
  43. Exercises
  44. Summary

Chapter 13: The Windows Filtering Platform

  1. WFP Overview
  2. The WFP API
  3. User-Mode Examples
  4. Enumerating Objects
  5. Adding Filters
  6. Callout Drivers
  7. Callout Driver Basics
  8. Callout Registration
  9. Demo: Callout Driver
  10. The Driver
  11. Managing Processes
  12. Callout Callbacks
  13. Demo: User-Mode Client
  14. Testing
  15. Debugging
  16. Summary

Chapter 14: Introduction to KMDF

  1. Introduction to WDF
  2. UMDF
  3. Introduction to KMDF
  4. KMDF Objects
  5. Core Object Types
  6. Object Creation
  7. Context Memory
  8. The Booster KMDF Driver
  9. Driver Initialization
  10. KMDF vs. WDM
  11. KMDF vs. WDM
  12. Device I/O Control Handling
  13. The INF File
  14. The Install Sections
  15. Device Installation
  16. The User-Mode Client
  17. Installing and Testing
  18. Registering a Device Class
  19. Summary

Chapter 15: Miscellaneous Topics

  1. Driver Signing
  2. Driver Verifier
  3. Example Driver Verifier Sessions
  4. Filter Drivers
  5. Filter Driver Implementation
  6. Attaching Filters
  7. Attaching Filters at Arbitrary Time
  8. Filter Cleanup
  9. More on Hardware-Based Filter Drivers
  10. Device Monitor
  11. Adding a Device to Filter
  12. Removing a Filter Device
  13. Initialization and Unload
  14. Handling Requests
  15. Testing the Driver
  16. Results of Requests
  17. Driver Hooking
  18. Kernel Libraries
  19. Summary

Appendix: The Kernel Template Library

  1. Standard Library
  2. Synchronization
  3. Memory
  4. Strings
  5. Containers
  6. File System Mini-Filters

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earned over $14 million writing, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub