Undocumented Windows 2000 Secrets: A Programmer's Cookbook
 

Undocumented Windows 2000 Secrets: A Programmer's Cookbook [Paperback]

Sven B. Schreiber (Author), Sven Schreiber (Author)
4.6 out of 5 stars (12 customer reviews)



Book Description

May 7, 2001
Microsoft documents only a small fraction of Windows 2000's internals, and the information Microsoft leaves out is of immense value to system-level developers. In Undocumented Windows 2000 Secrets, Sven Schreiber tears away the veil, exposing the portions of Windows 2000 that system programmers care about most. Schreiber focuses on the internals of the Native API, security, symbol files, system memory, debugging, kernel-mode drivers, kernel functions, kernel objects, and object management. He introduces sophisticated techniques aimed at enabling developers to write more effective device drivers, file system extensions, and other system-level software. Coverage includes: using the Windows 2000 debugging interfaces; loading, parsing, and utilizing Windows 2000 symbol files; exploring Windows 2000 system memory; hooking calls to the user-mode subset of the Native API; and calling kernel functions from user-mode applications. You'll find a wealth of code resources for system exploration, kernel-mode programming, spying on interfaces, and much more. This book is an essential companion to Microsoft's DDK documentation.


Editorial Reviews

From the Author

In the days of DOS and Windows 3.x, several knowing authors wrote books about undocumented features about these operating systems - essential details for programmers accidentally or intentionally missing from the original Microsoft documentation. This tradition continued when Windows 3.11 evolved into Windows 95 and its successors. However, when the first usable Version of Windows NT (Version 3.5) surfaced in 1995, none of the renowned writers of "undocumented" books took any notice.

It lasted until 1999, until the first "Undocumented Windows NT" book was finally published by Prasad Dabak, Sandeep Phadke, and Milind Borate from India. The next leap forward was Gary Nebbett's "Windows NT/2000 Native API Reference" (2000), comprehensively documenting an essential subset of the NT kernel's huge, but largely undocumented, programming interface. My book "Undocumented Windows 2000 Secrets" is intended to be one more piece in this mosaic.

My main intention in writing this book was to lead the readers through some of the basic, but hidden, mechanisms of the Windows 2000 and NT 4.0 kernel with the help of detailed sample code. My point of view is that a programmer always gets the most thorough understanding of an operating system by experimenting with it. The sample programs discussed in my book and packed onto the book's companion CD should serve as starting points for further exploration, and the text surrounding them provides the necessary theoretical background needed to get started.

I would be the happiest man on earth if my book would spur the inquiring minds of developers everywhere, kicking off an avalanche of research that unveils all mysteries that still surround most parts of the Windows NT/2000 kernel. I never believed that treating the operating system as a black box was a good programming paradigm. And I still don't believe it.

From the Back Cover

Most of the Windows 2000 and NT operating system kernels beneath the Win32 surface have not been publicly documented by Microsoft. Therefore, system programmers must explore the operating system on their own to learn more about its internal structures and functions--information essential to developing more sophisticated system level software. In Undocumented Windows 2000 Secrets, Windows programming aficionado Sven B. Schreiber reveals numerous undocumented features of the Windows 2000 and NT 4.0 kernel--secrets he has discovered through years of close examination and exploration. Much of this material is published here for the first time, most notably, the specification of the Microsoft PDB file format and the documentation of the system's core object structures. The author describes these features in depth, shows how to put them to work, and introduces expert techniques for writing high-quality system-level software. You will find an introduction to the basic architecture of Windows 2000, a guide to setting up your workstation to explore the kernel, and an introduction to kernel-mode driver programming. Specific topics featured include the following:
* Using the Windows 2000 debugging interfaces
* Loading, parsing, and utilizing the Windows 2000 symbol files
* Foundations of the native API, including the Win32 kernel-mode interface and the Windows 2000 Runtime Library
* Basics of kernel-mode driver development
* Windows 2000 system memory, including a sample memory spy device and a sample memory dump utility
* Hooking calls to the user-mode subset of the native API
* Calling kernel API functions from user-mode applications
* Windows 2000 kernel objects, covering basic object structures and accessing live system objects
Each chapter incorporates sample code that demonstrates these functions in action and which can be reused by any programmer to give an immediate boost to their Windows programs. The accompanying CD contains the source code for all of the samples in the book, as well as compiled and linked binary builds. The CD also includes the Multi-Format Visual Disassembler by Jean-Louis Seigne and the PE and COFF File Viewer by Wayne Radburn. These programs are not just barebones applications but full-fledged debugging applications and libraries. The companion Web site, orgon/w2k_internals/, contains additional samples and updates. You will not only learn about many practical tools and techniques, but you will also gain a deeper understanding into Windows 2000 internals that will enhance your overall ability to debug and optimize Windows applications.

Product Details

  • Paperback: 592 pages
  • Publisher: Addison-Wesley Professional (May 7, 2001)
  • Language: English
  • ISBN-10: 0201721872
  • ISBN-13: 978-0201721874
  • Product Dimensions: 9.2 x 7.4 x 1.2 inches
  • Shipping Weight: 3 pounds
  • Average Customer Review: 4.6 out of 5 stars (12 customer reviews)
  • Amazon Best Sellers Rank: #1,373,856 in Books


 

Customer Reviews

12 Reviews
5 star: (8)
4 star: (3)
3 star: (1)
2 star: (0)
1 star: (0)

Average Customer Review
4.6 out of 5 stars (12 customer reviews)

Most Helpful Customer Reviews

43 of 43 people found the following review helpful:
5.0 out of 5 stars A Truly Extraordinary Book, December 26, 2001
I will start with a caveat - the name "Undocumented Windows 2000 Secrets" is clearly modeled on two books written by Matt Pietrek - "Undocumented Windows" and "Windows 95 Programming Secrets". Despite this deliberate title plagiarism, the style and content of Schreiber's book is quite different to those of Pietrek. Pietrek concentrated on examining the Win32 API functions, disassembling them, exposing many functions not formerly documented, but used internally, and occasionally exploring the Kernel-mode modules which lie beneath the entire Win32 API. Schreiber has almost nothing to say about the Win32 API, exposes no new Win32 API functions, and shows disassembly for none of them.

Caveat aside, Schreiber has done some remarkable work here. Firstly, he knows how to write. Given the generally poor style of most programming books, which are either entirely incomprehensible and poorly edited, or banal, silly, and full of margin pictures etc, this book stands as a shining example of how to present difficult content. The English is flawless, and chapters follow a clear design and progression. Difficult material is presented as such, and I for one, enjoy Schreiber telling me how hard he worked on a certain problem, and how revolutionary is his generic solution. Assembly code is presented with an apology that it could not have been written in straight "C", and clearly explained.

He also avoids the pitfall of ignoring older systems. This book is clearly not about the 9x family, so I have no problem with him ignoring that, but he does an excellent job of pointing out that everything he writes is valid for NT version 4, except in a few cases that he highlights.

He is also very careful about not covering ground already adequately covered by others, and provides clear references to other books where relevant, for example Nebbett's "Native API Reference" and Solomon & Russinovich's "Inside Windows 2000".

So, what does he cover? Firstly, how to debug system-level programs, using low-level debuggers, and also shows the internal structure of Microsoft debug files. Then a review of the Native API - not a catalogue like Nebbett, but the mechanism of invoking them, and how the system instructions flow from one module to another.

Then comes a wonderful introduction to writing a simple Kernel Mode device driver. Anybody who has tried this will know that most device driver documentation is written for those already expert, and if all you want is a minimal driver to access some Kernel Mode function, you have to grope around in the dark vainly hoping for somebody to guide you. Well, here it is at last - a clear guide to writing simple device drivers, clearly explained, and even with an MSDev Wizard to whip up a framework! For this alone it is worth getting the book.

Using his device driver, he explores Win2000 memory, and most importantly, develops a wonderful generic mechanism for monitoring and intercepting all calls to the Native API - managed from a user-mode GUI application! He then builds a user-mode application that allows you to make a call to any Kernel function from the user mode, seamlessly calling down to the minimal device driver. Wow!

Finally, he gives a concise description of Kernel Objects, and covers the most important ones.

The appendixes are really huge catalogues of the various WinDbg commands, the Native APIs, and the structures one encounters in the Kernel Mode.

Do I have any criticism? Amazingly, none at all! And this is the first Amazon review I have written in which I have none!

In summary, if you are at all interested in understanding Win2000 internals, monitoring calls to the Kernel Mode, or making your own calls to privileged functions, this book is one of the most important, and most accessible books on the market. Also, the author is available on email - I contacted him, and within a day received a good response. So, after all, Schreiber may go down in history as Pietrek's successor!



10 of 10 people found the following review helpful:
5.0 out of 5 stars A Programmer's Cookbook, July 9, 2001
This book would suit anyone attempting the painful transition from user mode to kernel mode programming, as well as hardened system hackers. It is very hands on, and doesn't induce the same level of insomnia as the DDK documentation. If, like myself, you don't intend to actually implement any more undocumented techniques than absolutely necessary, it's still great to understand what's going on behind the scenes. It's refreshing to read something written by someone who isn't afraid to rip open the black boxes and leave the panels strewn on the floor!


8 of 8 people found the following review helpful:
5.0 out of 5 stars Want to know what's underneath Win2K/ WinXP? Read this book!, June 1, 2001
This is an excellent book that I started reading and couldn't put down for days. The author explains complex Win2K internal structures clearly. By providing the source and binaries of the tools he developed, he made it very easy to run the tools and examine the internals while reading the book - sort of like lab experiments! I've read some articles published in DDJ, WD, MSDN, etc. in the past that were difficult to understand. After reading this book, I've re-read some of them and they now make sense.

I've also used some of the tools to delve into Windows XP! and have already seen what some of the differences between Win2K and WinXP are. I'm applying some of the techniques in this book to recompile the code that the author graciously provided and make the necessary changes to see what's underneath WinXP. I wrote a kernel-mode driver for the first time after using the author's win2k_wiz to create a skeleton. Wow! that made it easy!

In my opinion Schreiber has joined the ranks of Pietrek, Schulman, Russinovich, and the other OS gurus.

