Customer Reviews

Undocumented Windows NTŪ

5 star:		(2)
4 star:		(3)
3 star:		(0)
2 star:		(1)
1 star:		(0)

 

 

Part I: Essentials

When I opened _Undocumented Windows NT_, I expected it to start where Solomon's _Inside Windows NT 2nd ed._ left off. Unfortunately, the first half is only a rehash of readily available information, sprinkled with a few beginner-level tips and techniques for budding reverse-engineering fans.

Part II: Undocumented Windows NT

Part II presents the system service dispatch mechanism (operative term: KiSystemServiceTable), which is anything but a secret, at least since Nishad Herath published his article on just that topic in October 1998 (archived at http://www.cmkrnl.com/arc-newint2e.html -- sorry, amazon.com strips HTML tags). Personally, I found the article easier to read and absorb, too.

Putting LPCs to work is a good chapter. Nebbett's _Native API Reference_ is, after all, just that, a reference, while the authors of _Undocumented Windows NT_ do a decent job of explaining how to use LPC. Hooking existing and adding new software interrupts is a holdover from the bad old DOS days, and about as useful. Besides, the authors make the same mistake that already marred my enjoyment of the first part of the book -- they have enough background material on CPU architecture to bore the developer who has read the Intel manuals (which we all did, I hope), but not enough to enlighten the programmer who has skipped the processor manuals.

Part III: Appendices

The rest of the book can safely be ignored: the contents of the thirty pages filled with a description of the PE format is available (for free) on the MSDN web site, and in an updated version, too, and the appendix claiming to offer details on NT's system services cannot stand up to Nebbett's work, which dedicates a whole 500 pages to just that one topic.

Summary

The book does hold promise, judging from the table of contents; but now it is time for the authors to hunker down, and get some spelunking done for the second edition, which, one hopes, will be forthcoming. Once the book has doubled in page count for the same covered material, I'll take another look at it.

A week ago, I posted a review of _Undocumented Wndows NT_, a review that contains one factual error and one fallacious assumption which caused me to view the work in a worse light than I would otherwise have done.

The error is in attributing the reverse-engineering of the KiSystemServiceTable mechanism to Nishad Herath. Nishad has done an excellent, and by all appearances independent, job, but I was now given proof that the authors got there first. Kudos goes to Dabak/Phadke/Borate, and I retract the implied statement that they are offering information they could have found on dejanews -- such information was not available when they wrote the chapter in question.

The flawed assumption of mine was that the blurb on the cover, by which I judged _Undocumented Windows NT_, was written by the authors: it was not. The authors' summary can be found higher up on this page, and it does more accurately reflect the contents of the book. The mismatch between the expectations raised by the blurb and the actual contents caused me to give a lower rating than I would otherwise have given; I hope to correct the average by submitting this review with a corrected, higher, rating.

Finally, I would like to point out a minor, but helpful detail: While the authors do not offer as much information on NT's native API as Gary Nebbett's _Windows NT/2000 Native API Reference_, which I mentioned in my earlier review, it must be pointed out that they provide a header file with the necessary function and structure declarations, something that is missing from the Nebbett book.

Felix Kasza.

The book is the first one that I've encountered that explains, with good working examples, how to fundamentally extend Windows NT functionality through new system services, software interrupts, and ring 0 code.

It also provides good explanations of the virtual memory and LPC facilities, with very helpful specific code examples.

The book does have a version 1.0 flavor to it. The editing and publishing are mediocre and there are many other areas of NT that I would love to see the authors apply their impressive investigative skills to.

If you are interested in understanding as much about the internals of NT as anyone that doesn't have access to the NT source code can, this book is well worth examining.

It took a long time until someone dared to write an "undocumented" book about Windows NT. For strange reasons, the most renowned authors of "undocumented" books totally ignored NT for a long time and mainly focused on Windows 9x. The author trio from Pune, India, finally filled this gap. Besides the chapters about Interrupt and Native API hooking, the most interesting part of this book is certainly chapter 8, which covers the LPC (Local Procedure Call) facility (i.e. NT's basic interprocess communication mechanism) in great depth. I'm not aware of a more comprehensive documentation of this topic. All three editions of "Inside Windows NT/2000" just lay out the basic facts, but Dabak et al. show how to put LPC to work with several code samples. Highly recommeded!

I have loved this book. It is much more easier to read than the more detailed book Windows Internals but still give you a good overall understanding on how Windows works. After having read this book, the cryptic access violation error messages suddenly made more sense. The most enlightning chapters of the book are the ones discussing how the OS manages the process memory space and how a process is launched. Do not get fooled thinking that because the book is on NT that its information is outdated. Not much has changed since and its content is still accuratly accurate.

Good Book about Hooking, Win32 Reverse Eng. and something Undocumented action(?).... Well explain about NT system architecture.. If you find API Hooking book on NT.....(Not VxD Call) .. This book.. FOR YOU