Kernel debugging is an essential day-to-day activity in many reversing sessions, certainly more so for the Windows platform, which is closed source, unlike Linux (open source), where reversing has a different connotation, mainly related to hardware protocols and understanding the system as a whole. It is therefore advantageous to have a general idea of how the various APIs in Windows work together, how user mode (Ring 3) code communicates with the native APIs in Ring 0 (kernel mode), and how the different API mechanisms are abstracted from each other. User mode code has no direct interface to the kernel and has to go through ntdll.dll, which acts as a gateway to ntoskrnl.exe, the Windows OS kernel. Many calls to ntdll.dll are made via kernel32.dll, which acts as yet another higher-level user mode wrapper. The SYSENTER and SYSEXIT assembly mnemonics (opcodes), not a call-return pair though...
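The layering described above can be observed from a normal user mode process. The following PowerShell script is an added example (not code from the book) that asks for the current process ID twice: once through the documented kernel32.dll wrapper (GetCurrentProcessId) and once through the native ntdll.dll API (NtQueryInformationProcess with the ProcessBasicInformation class, whose stub is what ends up executing the SYSENTER/SYSCALL transition into ntoskrnl.exe). The PROCESS_BASIC_INFORMATION layout is the x64 one, so the script assumes 64-bit Windows PowerShell; the class name NativeLayers is an arbitrary choice for this example.

```powershell
# Added example, not from the book: compare the kernel32.dll wrapper layer with the
# ntdll.dll native API layer beneath it. Assumes 64-bit Windows PowerShell (x64 struct layout).
$signatures = @'
using System;
using System.Runtime.InteropServices;

public static class NativeLayers
{
    // kernel32.dll: the documented Win32 layer (Ring 3). This one never leaves user mode;
    // it reads the process ID straight out of the TEB.
    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentProcessId();

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();

    // ntdll.dll: the native API layer. The exported stub loads a system call number and
    // executes SYSCALL/SYSENTER, so the answer below comes back from ntoskrnl.exe.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr processHandle, int processInformationClass,
        ref PROCESS_BASIC_INFORMATION processInformation,
        int processInformationLength, out int returnLength);

    // PROCESS_BASIC_INFORMATION as laid out on x64 (48 bytes with natural padding).
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION
    {
        public int    ExitStatus;                    // NTSTATUS
        public IntPtr PebBaseAddress;                // PPEB
        public IntPtr AffinityMask;                  // ULONG_PTR
        public int    BasePriority;                  // KPRIORITY
        public IntPtr UniqueProcessId;               // ULONG_PTR
        public IntPtr InheritedFromUniqueProcessId;  // ULONG_PTR
    }
}
'@
Add-Type -TypeDefinition $signatures

$ProcessBasicInformation = 0     # PROCESSINFOCLASS value
$pbi      = [NativeLayers+PROCESS_BASIC_INFORMATION]::new()
$returned = 0
$status   = [NativeLayers]::NtQueryInformationProcess(
    [NativeLayers]::GetCurrentProcess(), $ProcessBasicInformation, [ref]$pbi,
    [System.Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$returned)

# NTSTATUS 0 is STATUS_SUCCESS; anything negative is an error code.
if ($status -ne 0) {
    throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status)
}

$viaKernel32 = [NativeLayers]::GetCurrentProcessId()
$viaNtdll    = $pbi.UniqueProcessId.ToInt64()

"kernel32!GetCurrentProcessId              : $viaKernel32"
"ntdll!NtQueryInformationProcess (via nt)  : $viaNtdll"
"PEB base address reported by the kernel   : 0x{0:X}" -f $pbi.PebBaseAddress.ToInt64()
"Bytes returned by the kernel              : $returned"

if ($viaKernel32 -ne $viaNtdll) { throw "Wrapper layer and native layer disagree; unexpected" }
```

Both lines print the same process ID, which is the point: kernel32.dll adds convenience and documentation, ntdll.dll holds the system call stubs, and the kernel is the only place where the request is actually serviced. With a debugger attached, `u ntdll!NtQueryInformationProcess` shows the stub that loads the system call number and transitions to Ring 0, and a kernel debugger breakpoint on `nt!NtQueryInformationProcess` catches the same request on arrival in ntoskrnl.exe.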
Windows Malware Analysis Essentials