Articles

Articles on Windows Internals, Programming, Security and Debugging

© CodeMachine Inc. | codemachine.com | @codemachineinc

WinDBG expression evaluation tutorial

An in-depth tutorial on the MASM and C++ expression evaluators in WinDBG.

Windows 10

WinDBG quick start tutorial

Step by step walk-through for learning basic commands and navigation in WinDBG.

Windows 10

System setup for kernel development and debugging

Instructions for setting up a Windows kernel driver development and debugging environment.

Windows 10

Top Ten useful Kernel APIs

Top ten useful APIs for Windows kernel software driver development.

Windows 10

Interrupt Dispatching Internals

Details of interrupt dispatching changes in recent versions of Windows.

Windows 10

Kernel Debugging Tricks

Video presentation of the top 10 cool kernel debugging tricks in Windows.

Windows 7+

Kernel Callback Functions

Comprehensive list of documented and undocumented APIs available in the Windows kernel to register callback routines.

Windows 8.1

How KMDF converts handles to pointers

Algorithms used by the Windows Kernel Mode Driver Framework (KMDF) to convert KMDF object handles into raw kernel mode pointers.

Windows XP+

EX_FAST_REF Pointers

Details of EX_FAST_REF pointer implementation in the Windows Kernel.

Windows 7

Usage of TEB ArbitraryUserPointer

Describes the various uses of the ArbitraryUserPointer field in the Thread Environment Block (TEB) data structure.

Windows 7+

Useful Build Macros

Useful macros for use in the sources file for building kernel drivers using the Windows 7 WDK command line build environment.

Windows XP - Windows 7

NTOSKRNL Component List

List of components within NTOSKRNL along with their respective function prefixes.

Windows 8.1

Windows Object Allocation Pool Types

Describes how Windows selects the pool type to allocate objects from and which pool types are used to allocate various objects.

Windows 8

Windows Kernel Thread List

Lists all the threads created by the kernel, with a brief description of the functionality each one provides.

Windows 8

Safe kernel thread creation API

Describes a new system thread creation API which solves a very common problem with drivers wherein a driver unloads before all the threads created by the driver are terminated.

Windows 8

How Windows Sets the Default Audio Device

Describes the mechanism used by Windows to select the default device for audio playback.

Windows Vista+

Finding physical memory ranges from a kernel debugger

Describes a debugger technique to obtain the addresses and lengths of various physical memory ranges in use on a Windows system.

Windows Vista+

WinDBG - A rodent killer

Step by step description for getting rid of the Poison Ivy RAT using just WinDBG.

Windows XP+

Windows on ARM - An assembly language primer

Tutorial on ARM architecture, assembly language, calling convention, exceptions, interrupts, system calls, interlocked operations, etc. on Windows 8.

Windows 8+

Dump Analysis - Debugging a Multi-Process Hang

Analysis of an application hang caused by a chain of RPC calls.

Windows XP

Debugging Bug Check 0x9F - DRIVER_POWER_STATE_FAILURE

Debugging power IRP watchdog timeouts on Vista and later versions of Windows.

Windows Vista+

Catalog of key Windows kernel data structures

Explanation of key data structures used by Windows device drivers, kernel and HAL.

Windows 7+

Command Line Tips

Useful CMD.exe commands related to drivers, debugger configuration, memory dump generation, etc.

Windows 7+

X64 Deep Dive

In-depth tutorial on the key aspects of code execution and debugging on X64 like compiler optimizations, exception handling, parameter passing, stack layout and parameter retrieval.

Windows Vista+

X86 Compiler Optimization - Parameter Reuse

Describes optimizations performed by the X86 compiler wherein it reuses the stack based parameter space to store local variables.

Windows XP+

TDI Overview

Overview of Windows Kernel Transport Driver Interface (TDI).

Windows XP+

Windows Object Headers

Describes the changes that have been made to the object header structure in Windows 7.

Windows 7+

Prototype PTEs

Describes Prototype PTEs and how they are used to implement shared memory in Windows.

Windows XP+

X64 Kernel Virtual Address Space

Describes the layout and the components of the Kernel Virtual Address Space.

Windows 7+

NDIS 6 Net Buffer Lists and Net Buffers

Describes internals and usage of NDIS 6 NBLs, NBs and MDLs.

Windows Vista+

Finding AFD Endpoints

Describes a technique to locate AFD socket endpoint structures in a complete or kernel memory dump.

Windows Vista+

Finding Winsock Kernel (WSK) Client Drivers

Describes a technique to locate WSK drivers in a complete or kernel memory dump.

Windows Vista+

Finding Windows Filtering Platform (WFP) Callouts

Describes a technique to locate WFP drivers and the callouts they have established in a complete or kernel memory dump.

Windows Vista+

System Call Instructions

Explanation of mechanisms used to perform a user to kernel mode thread transition.

Windows XP+

!timer Abnormalities

Explanation of output and idiosyncrasies of !timer kernel debugger extension command.

Windows XP+

Debugger Command and Script Tips

WinDBG command usage, breakpoints, simple debugger scripts.

Windows XP+