Moving to Kernel Space (updated references with an eye on security)
Source: Internet | Published under: vim c语言 | Editor: 程序博客网 | Time: 2024/05/29 03:13
Reposted from: http://bbs.pediy.com/showthread.php?p=881391#post881391
If you develop and debug user space applications (and/or do crash dump analysis in user space) or specialize in user space security, and you want to understand Windows kernel dumps and device drivers better (and probably start writing your own kernel tools), or to understand malware rootkits better, here is the reading list I found the most effective over the last 7 years:
0.0. Read and re-read the Windows Internals book in parallel with all the other books. I read all editions, by the way. It will show you the big picture and useful WinDbg commands and techniques, but you need to read device driver books to fill the gaps and be confident in kernel space:
0.1. Start with The Windows 2000 Device Driver Book: A Guide for Programmers. This short book will show you the basics and you can start writing your drivers and kernel tools immediately.
0.2. Next read Windows NT Device Driver Development book to consolidate your knowledge. This book has been reprinted by OSR (I own the original New Riders Press edition):
0.3. Don’t stop here. Read Developing Windows NT Device Drivers: A Programmer’s Handbook. This is a very good book that explains everything in great detail with good pictures. You will finally understand the various buffering methods.
0.4. Continue with WDM drivers and modern presentation: Programming the Microsoft Windows Driver Model. Must read even if your drivers are not WDM.
0.5. Finally read Developing Drivers with the Windows Driver Foundation book. It also covers ETW (event tracing for Windows), WinDbg extensions, PREfast and static driver verifier.
0.6. There is a forthcoming book Windows 7 Device Driver at the time of this writing that also covers WDF so you might want to start with #0.6 and continue with #0.5 as a reference:
Additional reading (not including the DDK Help, which you will use anyway) can be done in parallel after finishing the “Windows NT Device Driver Development” book:
1.1. OSR NT Insider articles. I have their full printed collection 1996 - 2006 plus all the latest issues (looks like print editions are discontinued and the new ones are only digital):
http://www.osronline.com/
1.2. Windows NT File System Internals reprinted by OSR (I have the original O’Reilly edition):
1.3. Windows NT/2000 Native API Reference is fun to browse occasionally and indispensable if you don’t have access to Windows source code:
1.4. Rootkits: Subverting the Windows Kernel will show you the Windows kernel from the hacker’s perspective. In addition, you will find an overview of kernel areas not covered in other books.
1.5. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System is another excellent book that is up to date and explains kernel matters ab initio. I’m reading it at the time of this writing and recommend reading it first or in parallel with all the other books:
Of course, you must know the C language and its idioms really well. Really know it, down to the assembly language level! I’ll publish other reading lists soon, including reverse engineering classics. Stay tuned.