Chapter 1 System Information and Control 1
ZwQuerySystemInformation 1
ZwSetSystemInformation 2
SYSTEM_INFORMATION_CLASS 3
SystemBasicInformation 4
SystemProcessorInformation 5
SystemPerformanceInformation 6
SystemTimeOfDayInformation 12
SystemProcessesAndThreadsInformation 13
SystemCallCounts 17
SystemConfigurationInformation 18
SystemProcessorTimes 18
SystemGlobalFlag 19
SystemModuleInformation 20
SystemLockInformation 21
SystemHandleInformation 22
SystemObjectInformation 23
SystemPagefileInformation 25
SystemInstructionEmulationCounts 26
SystemCacheInformation 27
SystemPoolTagInformation 28
SystemProcessorStatistics 29
SystemDpcInformation 29
SystemLoadImage 30
SystemUnloadImage 31
SystemTimeAdjustment 31
SystemCrashDumpInformation 32
SystemExceptionInformation 32
SystemCrashDumpStateInformation 33
SystemKernelDebuggerInformation 33
SystemContextSwitchInformation 34
SystemRegistryQuotaInformation 34
SystemPrioritySeparation 35
SystemLoadAndCallImage 35
SystemTimeZoneInformation 36
SystemLookasideInformation 37
SystemSetTimeSlipEvent 38
SystemCreateSession 38
SystemDeleteSession 39
SystemRangeStartInformation 39
SystemVerifierInformation 39
SystemAddVerifier 40
SystemSessionProcessesInformation 40
SystemPoolBlocksInformation 40
SystemMemoryUsageInformation 42
Example 1.1: A Partial Implementation of the ToolHelp Library 43
Example 1.2: Listing the Open Handles of a Process 47
ZwQuerySystemEnvironmentValue 49
ZwSetSystemEnvironmentValue 50
ZwShutdownSystem 51
ZwSystemDebugControl 52
Example 1.3: Setting Internal Breakpoints 56
Example 1.4: Obtaining Trace Information 58
Chapter 2 Objects, Object Directories, and Symbolic Links 60
OBJECT_ATTRIBUTES 60
ZwQueryObject 62
ZwSetInformationObject 63
OBJECT_INFORMATION_CLASS 64
ObjectBasicInformation 64
ObjectNameInformation 65
ObjectTypeInformation 66
ObjectAllTypesInformation 67
ObjectHandleInformation 68
ZwDuplicateObject 68
ZwMakeTemporaryObject 69
ZwClose 70
Example 2.1: Listing the Open Handles of a Process 71
ZwQuerySecurityObject 72
ZwSetSecurityObject 74
ZwCreateDirectoryObject 75
ZwOpenDirectoryObject 76
ZwQueryDirectoryObject 77
ZwCreateSymbolicLinkObject 78
ZwOpenSymbolicLinkObject 79
ZwQuerySymbolicLinkObject 80
Chapter 3 Virtual Memory 82
ZwAllocateVirtualMemory 82
ZwFreeVirtualMemory 83
ZwQueryVirtualMemory 84
MEMORY_INFORMATION_CLASS 86
MemoryBasicInformation 86
MemoryWorkingSetList 87
MemorySectionName 88
ZwLockVirtualMemory 88
ZwUnlockVirtualMemory 89
ZwReadVirtualMemory 90
ZwWriteVirtualMemory 91
ZwProtectVirtualMemory 92
ZwFlushVirtualMemory 94
ZwAllocateUserPhysicalPages 95
ZwFreeUserPhysicalPages 96
ZwMapUserPhysicalPages 96
ZwMapUserPhysicalPagesScatter 97
ZwGetWriteWatch 98
ZwResetWriteWatch 99
Chapter 4 Sections 101
ZwCreateSection 101
ZwOpenSection 103
ZwQuerySection 104
SECTION_INFORMATION_CLASS 105
SectionBasicInformation 105
SectionImageInformation 106
ZwExtendSection 107
ZwMapViewOfSection 108
ZwUnmapViewOfSection 110
ZwAreMappedFilesTheSame 110
Chapter 5 Threads 112
ZwCreateThread 112
ZwOpenThread 114
ZwTerminateThread 115
ZwQueryInformationThread 116
ZwSetInformationThread 117
THREADINFOCLASS 118
ThreadBasicInformation 119
ThreadEnableAlignmentFaultFixup 120
ThreadImpersonationToken 120
ThreadAffinityMask 120
ThreadPriority 120
ThreadBasePriority 120
ThreadEventPair 121
ThreadQuerySetWin32StartAddress 121
ThreadZeroTlsCell 121
ThreadPerformanceCount 121
ThreadIsIoPending 122
ThreadHideFromDebugger 122
ThreadPriorityBoost 122
ThreadSetTlsArrayAddress 122
ThreadIdealProcessor 122
ThreadAmILastThread 122
ZwSuspendThread 122
ZwResumeThread 123
ZwGetContextThread 124
ZwSetContextThread 125
ZwQueueApcThread 125
ZwAlertThread 127
ZwTestAlert 127
ZwAlertResumeThread 128
ZwRegisterThreadTerminatePort 129
ZwImpersonateThread 129
ZwImpersonateAnonymousToken 130
Chapter 6 Processes 132
ZwCreateProcess 132
ZwOpenProcess 134
ZwTerminateProcess 135
ZwQueryInformationProcess 136
ZwSetInformationProcess 137
PROCESSINFOCLASS 138
ProcessBasicInformation 139
ProcessQuotaLimits 140
ProcessIoCounters 140
ProcessVmCounters 141
ProcessTimes 142
ProcessBasePriority 143
ProcessRaisePriority 143
ProcessDebugPort 143
ProcessExceptionPort 143
ProcessAccessToken 144
ProcessDefaultHardErrorMode 144
ProcessPooledUsageAndLimits 144
ProcessWorkingSetWatch 145
ProcessUserModeIOPL 146
ProcessEnableAlignmentFaultFixup 146
ProcessPriorityClass 146
ProcessWx86Information 147
ProcessHandleCount 147
ProcessAffinityMask 147
ProcessPriorityBoost 147
ProcessDeviceMap 147
ProcessSessionInformation 148
ProcessForegroundInformation 149
ProcessWow64Information 149
RtlCreateProcessParameters 149
RtlDestroyProcessParameters 150
PROCESS_PARAMETERS 151
RtlCreateQueryDebugBuffer 154
RtlQueryProcessDebugInformation 154
RtlDestroyQueryDebugBuffer 155
DEBUG_BUFFER 156
DEBUG_MODULE_INFORMATION 157
DEBUG_HEAP_INFORMATION 158
DEBUG_LOCK_INFORMATION 159
Example 6.1: Forking a Win32 Process 160
Example 6.2: Creating a Win32 Process 164
Example 6.3: Implementing an Extended ToolHelp Library Using RtlQueryProcessDebugInformation 168
Chapter 7 Jobs 175
ZwCreateJobObject 175
ZwOpenJobObject 176
ZwTerminateJobObject 177
ZwAssignProcessToJobObject 177
ZwQueryInformationJobObject 178
ZwSetInformationJobObject 179
JOBOBJECTINFOCLASS 180
JobObjectBasicAccountingInformation 180
JobObjectBasicLimitInformation 181
JobObjectBasicProcessIdList 183
JobObjectBasicUIRestrictions 184
JobObjectSecurityLimitInformation 184
JobObjectEndOfJobTimeInformation 185
JobObjectAssociateCompletionPortInformation 186
JobObjectBasicAndIoAccountingInformation 187
JobObjectExtendedLimitInformation 187
Chapter 8 Tokens 189
ZwCreateToken 189
ZwOpenProcessToken 191
ZwOpenThreadToken 192
ZwDuplicateToken 193
ZwFilterToken 195
ZwAdjustPrivilegesToken 196
ZwAdjustGroupsToken 197
ZwQueryInformationToken 198
ZwSetInformationToken 199
TOKEN_INFORMATION_CLASS 200
TokenUser 200
TokenGroups and TokenRestrictedSids 201
TokenPrivileges 201
TokenOwner 202
TokenPrimaryGroup 202
TokenDefaultDacl 202
TokenImpersonationLevel 203
TokenStatistics 203
TokenType 203
TokenSource 203
TokenSessionId 205
Example 8.1: Creating a Command Window for the SYSTEM User 205
Chapter 9 Synchronization 207
ZwWaitForSingleObject 207
ZwSignalAndWaitForSingleObject 208
ZwWaitForMultipleObjects 209
ZwCreateTimer 210
ZwOpenTimer 211
ZwCancelTimer 212
ZwSetTimer 213
ZwQueryTimer 214
TIMER_INFORMATION_CLASS 215
TimerBasicInformation 215
ZwCreateEvent 215
ZwSetEvent 217
ZwOpenEvent 217
ZwPulseEvent 218
ZwResetEvent 219
ZwClearEvent 220
ZwQueryEvent 220
EVENT_INFORMATION_CLASS 221
EventBasicInformation 221
ZwCreateSemaphore 222
ZwOpenSemaphore 223
ZwReleaseSemaphore 224
ZwQuerySemaphore 224
SEMAPHORE_INFORMATION_CLASS 225
SemaphoreBasicInformation 226
ZwCreateMutant 226
ZwOpenMutant 227
ZwReleaseMutant 228
ZwQueryMutant 228
MUTANT_INFORMATION_CLASS 229
MutantBasicInformation 230
ZwCreateIoCompletion 230
ZwOpenIoCompletion 231
ZwSetIoCompletion 232
ZwRemoveIoCompletion 233
ZwQueryIoCompletion 234
IO_COMPLETION_INFORMATION_CLASS 235
IoCompletionBasicInformation 235
ZwCreateEventPair 235
ZwOpenEventPair 236
ZwWaitLowEventPair 237
ZwWaitHighEventPair 238
ZwSetLowWaitHighEventPair 238
ZwSetHighWaitLowEventPair 239
ZwSetLowEventPair 240
ZwSetHighEventPair 240
Chapter 10 Time 242
ZwQuerySystemTime 242
ZwSetSystemTime 242
ZwQueryPerformanceCounter 243
ZwSetTimerResolution 244
ZwQueryTimerResolution 245
ZwDelayExecution 245
ZwYieldExecution 246
ZwGetTickCount 246
Chapter 11 Execution Profiling 248
KPROFILE_SOURCE 248
ZwCreateProfile 248
ZwSetIntervalProfile 249
ZwQueryIntervalProfile 250
ZwStartProfile 251
ZwStopProfile 251
Example 11.1: Profiling the Kernel 252
Chapter 12 Ports (Local Procedure Calls) 256
PORT_MESSAGE 256
PORT_SECTION_WRITE 257
PORT_SECTION_READ 258
ZwCreatePort 259
ZwCreateWaitablePort 260
ZwConnectPort 261
ZwSecureConnectPort 262
ZwListenPort 263
ZwAcceptConnectPort 264
ZwCompleteConnectPort 265
ZwRequestPort 266
ZwRequestWaitReplyPort 266
ZwReplyPort 267
ZwReplyWaitReplyPort 268
ZwReplyWaitReceivePort 268
ZwReplyWaitReceivePortEx 269
ZwReadRequestData 270
ZwWriteRequestData 271
ZwQueryInformationPort 272
PORT_INFORMATION_CLASS 273
PortBasicInformation 273
ZwImpersonateClientOfPort 274
Example 12.1: Connecting to a Named Port 274
Chapter 13 Files 278
ZwCreateFile 278
ZwOpenFile 281
ZwDeleteFile 284
ZwFlushBuffersFile 284
ZwCancelIoFile 285
ZwReadFile 286
ZwWriteFile 287
ZwReadFileScatter 288
ZwWriteFileGather 290
ZwLockFile 291
ZwUnlockFile 293
ZwDeviceIoControlFile 294
ZwFsControlFile 295
ZwNotifyChangeDirectoryFile 297
FILE_NOTIFY_INFORMATION 298
ZwQueryEaFile 299
ZwSetEaFile 300
FILE_FULL_EA_INFORMATION 301
FILE_GET_EA_INFORMATION 302
ZwCreateNamedPipeFile 302
ZwCreateMailslotFile 305
ZwQueryVolumeInformationFile 306
ZwSetVolumeInformationFile 307
FS_INFORMATION_CLASS 308
FileFsVolumeInformation 309
FileFsLabelInformation 309
FileFsDeviceInformation 310
FileFsSizeInformation 310
FileFsAttributeInformation 311
FileFsControlInformation 312
FileFsFullSizeInformation 312
FileFsObjectIdInformation 313
ZwQueryQuotaInformationFile 313
ZwSetQuotaInformationFile 315
FILE_USER_QUOTA_INFORMATION 316
FILE_QUOTA_LIST_INFORMATION 316
ZwQueryAttributesFile 317
ZwQueryFullAttributesFile 318
ZwQueryInformationFile 318
ZwSetInformationFile 319
ZwQueryDirectoryFile 320
ZwQueryOleDirectoryFile 322
FILE_INFORMATION_CLASS 324
FileDirectoryInformation 324
FileFullDirectoryInformation 326
FileBothDirectoryInformation 328
FileBasicInformation 329
FileStandardInformation 330
FileInternalInformation 331
FileEaInformation 331
FileRenameInformation and FileLinkInformation 332
FileNameInformation 332
FileAccessInformation 332
FileNamesInformation 333
FileDispositionInformation 334
FilePositionInformation 334
FileModeInformation 334
FileAlignmentInformation 335
FileAllInformation 335
FileEndOfFileInformation 336
FileStreamInformation 336
FileAllocationInformation 336
FilePipeInformation 337
FilePipeLocalInformation 337
FilePipeRemoteInformation 338
FileMailslotQueryInformation 339
FileMailslotSetInformation 339
FileCompressionInformation 340
FileQuotaInformation 341
FileReparsePointInformation 341
FileCompletionInformation 341
FileMoveClusterInformation 341
FileObjectIdInformation 341
FileNetworkOpenInformation 342
FileAttributeTagInformation 343
Example 13.1: Opening a File by File Id 344
Chapter 14 Registry Keys 345
ZwCreateKey 345
ZwOpenKey 346
ZwDeleteKey 347
ZwFlushKey 348
ZwSaveKey 349
ZwSaveMergedKey 349
ZwRestoreKey 350
ZwLoadKey 351
ZwLoadKey2 352
ZwQueryOpenSubKeys 353
ZwUnloadKey 353
ZwReplaceKey 354
ZwSetInformationKey 355
KEY_SET_INFORMATION_CLASS 356
KeyLastWriteTimeInformation 356
ZwQueryKey 356
ZwEnumerateKey 357
KEY_INFORMATION_CLASS 358
KeyBasicInformation 359
KeyNodeInformation 359
KeyFullInformation 360
KeyNameInformation 361
ZwNotifyChangeKey 361
ZwNotifyChangeMultipleKeys 363
ZwDeleteValueKey 365
ZwSetValueKey 366
ZwQueryValueKey 367
ZwEnumerateValueKey 368
KEY_VALUE_INFORMATION_CLASS 369
KeyValueBasicInformation 369
KeyValueFullInformation and KeyValueFullInformationAlign64 370
KeyValuePartialInformation 371
ZwQueryMultipleValueKey 372
KEY_VALUE_ENTRY 373
ZwInitializeRegistry 374
Chapter 15 Security and Auditing 375
ZwPrivilegeCheck 375
ZwPrivilegeObjectAuditAlarm 375
ZwPrivilegedServiceAuditAlarm 377
ZwAccessCheck 378
ZwAccessCheckAndAuditAlarm 379
ZwAccessCheckByType 380
ZwAccessCheckByTypeAndAuditAlarm 382
ZwAccessCheckByTypeResultList 384
ZwAccessCheckByTypeResultListAndAuditAlarm 386
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle 388
ZwOpenObjectAuditAlarm 390
ZwCloseObjectAuditAlarm 392
ZwDeleteObjectAuditAlarm 392
Chapter 16 Plug and Play and Power Management 394
ZwRequestWakeupLatency 394
ZwRequestDeviceWakeup 394
ZwCancelDeviceWakeupRequest 395
ZwSetThreadExecutionState 396
ZwIsSystemResumeAutomatic 396
ZwGetDevicePowerState 397
ZwSetSystemPowerState 398
ZwInitiatePowerAction 399
ZwPowerInformation 401
POWER_INFORMATION_LEVEL 402
SystemPowerPolicyAc, SystemPowerPolicyDc, SystemPowerPolicyCurrent 402
SystemPowerCapabilities 403
SystemBatteryState 404
SystemPowerStateHandler 404
ProcessorStateHandler 404
AdministratorPowerPolicy 404
ProcessorInformation 405
SystemPowerInformation 405
ZwPlugPlayControl 405
ZwGetPlugPlayEvent 406
Chapter 17 Miscellaneous System Services 408
ZwRaiseException 408
ZwContinue 409
ZwW32Call 409
ZwCallbackReturn 411
ZwSetLowWaitHighThread 412
ZwSetHighWaitLowThread 412
ZwLoadDriver 413
ZwUnloadDriver 414
ZwFlushInstructionCache 414
ZwFlushWriteBuffer 415
ZwQueryDefaultLocale 416
ZwSetDefaultLocale 416
ZwQueryDefaultUILanguage 417
ZwSetDefaultUILanguage 418
ZwQueryInstallUILanguage 418
ZwAllocateUuids 419
ZwAllocateLocallyUniqueId 419
ZwSetUuidSeed 420
ZwRaiseHardError 421
ZwSetDefaultHardErrorPort 422
ZwDisplayString 423
ZwCreatePagingFile 424
ZwAddAtom 424
ZwFindAtom 425
ZwDeleteAtom 426
ZwQueryInformationAtom 427
ATOM_INFORMATION_CLASS 428
AtomBasicInformation 428
AtomListInformation 428
ZwSetLdtEntries 429
ZwVdmControl 429
Unimplemented System Services 430
Appendix A Calling System Services from Kernel Mode 431
Example A.1: Reimplementing NtQueryEvent 434
Example A.2: Dynamically Binding to ntdll.dll 435
Appendix B Kernel-Mode Entry Points Specific to the Intel Platform 438
KiTrap03 438
KiTrap04 438
KiGetTickCount 438
KiCallbackReturn 439
KiSetLowWaitHighThread 439
KiDebugService 439
KiSystemService 439
Appendix C Exceptions and Debugging 441
Example C.1: Pseudocode for KiDispatchException 441
Example C.2: Pseudocode for KiUserExceptionDispatcher 443
Kernel Debugger 444
Example C.3: Pseudocode for DebugService 444
DEBUG_MESSAGE 445
User-Mode Debugger 445
Debug Message Routing 446
Values Added by the Routing Process 447
OutputDebugString 447
Tracing Calls to Routines Exported by a DLL 447
Example C.4: A Trace Utility 447
Appendix D NTFS On-Disk Structures 460
NTFS_RECORD_HEADER 460
FILE_RECORD_HEADER 461
ATTRIBUTE 462
RESIDENT_ATTRIBUTE 463
NONRESIDENT_ATTRIBUTE 464
AttributeStandardInformation 465
AttributeAttributeList 467
AttributeFileName 468
AttributeObjectId 469
AttributeVolumeInformation 470
AttributeSecurityDescriptor 470
AttributeVolumeName 470
AttributeData 471
AttributeIndexBoot 471
AttributeIndexAllocation 471
DIRECTORY_INDEX 472
DIRECTORY_ENTRY 472
AttributeBitmap 473
AttributeReparsePoint 473
AttributeEAInformation 474
AttributeEA 474
AttributePropertySet 475
AttributeLoggedUtilityStream 475
Special Files 475
Recovering Data from Deleted Files 478
Example D.1: Recovering Data from a File 478
Example D.2: Decompressing Recovered Data 484