The author of "Hanjiang standalone fishing" teaches you how to read this book efficiently

How to read this book


This article is excerpted from the book "Hanjiang standalone fishing: Windows Kernel Security Programming".

Note that this book is not meant to be read out of order. Although its content is organized by application area, it does not first present all of the basic knowledge and then treat each area in turn; instead it proceeds from simple applications to complex ones.
The book begins with a brief introduction to serial port filtering and then keyboard filtering (used for password protection), because these are the simplest drivers. This does not mean that a reader who is interested only in network filtering can skip them and go straight to the chapter on NDIS intermediate drivers.
All chapters use C programming based on the WDK, and the programming approach is consistent throughout. Every kernel API function, special term and basic concept is described in detail the first time it appears; later chapters use it directly without introducing it again. Therefore, to follow the chapters on complex kernel modules later in the book, you must have a grounding in the simpler chapters that precede them.
Code in the book
The code in the book and on the attached CD is intended only for learning and research. Some of it was written by the author; some is modified from, or directly taken from, public code that is available for research in the industry. This code runs normally in the author's test environment. However, the author does not guarantee that it is licensed for use in commercial development, nor that it runs reliably on every version of Windows or alongside any other software. Commercial kernel code must be thoroughly tested; the sample code in this book has not been through that process.
When running this code, take appropriate precautions (save unsaved files, use a virtual machine, or prepare a hard disk restoration image before running it) so that the system can be recovered if it is damaged. For the specific procedure, refer to Chapter 1, "Kernel Machine Guide", of this book. I am not responsible for losses caused by exceptions that occur while running the code.
If a reader applies the code to commercial software development, the authors of this book are not liable for any consequences that arise from it (such as copyright infringement, technical problems, and the corresponding losses).
If you find that a sample program cannot run during testing, do the following:
(1) Install a clean Windows XP on a virtual machine; do not install any other software.
(2) Make sure that the virtual machine simulates a single-core CPU.
If the program still crashes, keep the dump file and contact the author of the book by email.
Preparations before reading
The reader must first prepare the compiling and debugging environment. Setting up a kernel programming environment is not as simple as installing a single piece of software, as it is for application programming. The specific steps are described in Chapter 1 of this book.
The CD does not provide a complete set of the tools needed to run and debug the sample code in this book, because some software licenses forbid copying and redistribution, so you need to download them online. Fortunately, all of the tools and software involved in this book are free of charge. Chapter 1 provides instructions and download URLs, which may become outdated. Likewise, because tool versions are upgraded over time, these instructions may differ from what you actually encounter; readers should search for the latest information on the Internet.
The author assumes that readers of this book are proficient in C (assembly and C++ are not required; this book uses only C), and are at least familiar with one way of writing C applications on Windows (for example with VC or C++ Builder). Prior driver development experience is a very good foundation, but this book is written for readers who have not done driver development before.
Basic knowledge of operating systems, computer networks, data structures, and algorithms is very helpful for understanding the content of this book. Readers who have never studied these subjects will find it hard to follow the details of this book.
Technical details
This book is written by practitioners. In general, it is a book of practice rather than theory. Therefore, unlike many programming books, it may not provide detailed descriptions of certain technical details, such as explanations of kernel function parameters. The parameters of the Windows application-layer API functions and kernel API functions are very complex, and describing them in full takes a great deal of space. More importantly, in most cases only a few parameter combinations are actually common. This book describes in detail the parameter configurations used in development based on my own programming experience; combinations I have not used are often simply noted as "I have never used this". I believe that knowing which details are useful is far more important than knowing every detail. Readers should therefore understand this point: the cases mentioned in this book usually need to be mastered, while those not mentioned are usually very uncommon. Where the book does not give details, most of them can be found in the help documentation.
Unlike application programming, kernel programming (especially the kernel programming involved in information security software) has technical points for which there is no documentation to follow; sometimes documentation exists but is not detailed. For some problems I have not worked out the cause, but they had to be solved in actual development, so they were likely solved through experience. For this reason, although the book says "please be sure to do this" or "the author did this", it cannot always give a detailed explanation. If you have a better understanding of a problem, please contact me so that a clearer description can be added when the book is reprinted or revised.
Vocabulary Translation
Many of the terms in this field come from English documents and are difficult to translate into Chinese. In general, the most common translation used in the industry should be adopted. However, because the translated books I have read are limited, it is unlikely that every term follows the industry's most standard translation. To be safe, important terms that might cause confusion are given as Chinese (English) the first time they appear in the text of this book.
I was deeply confused by terminology when reading earlier books. For simplicity, I have deliberately used the translations I consider plainer. The most typical case is "system routine". All functions that the WDK provides to developers (analogous to the API functions provided by the SDK) are called "system routines", and I have seen earlier books translate the term that way. Since these are functions, I think readers used to application programming are better served by translating the term as "kernel API" or "kernel function". Similarly, "dispatch routine" is translated by the author as "Distribution Function". If you think anything is wrong with this, please criticize and correct it so that it can be revised when the book is reprinted or revised.
Driver Development Model Selection
WDF is the direction in which the Windows driver programming model is developing, but the traditional NT driver and WDM models remain the basis for understanding driver development, and at present the tradition cannot be abandoned entirely. On the one hand, drivers written in the traditional models still work, and there are many examples available for reference. On the other hand, although WDF has been around for a long time, many basic examples still have no WDF equivalent, and many driver developers are unwilling to redevelop drivers that have worked for years. Although Microsoft has converted most of its old driver examples to the WDF model, the WDK still ships the old examples for developers' reference. The era in which WDM is completely replaced has not yet arrived, and that also depends on further improvement of WDF itself.
How does one differentiate driver models? The following is a passage from Chapter 1 of this book:
"The concept of Windows driver models was originally about driver behavior. For example, a WDM driver must meet N required features (such as power management and plug-and-play). Drivers that do not provide these features are collectively called NT-based drivers.
This book uses a simple differentiation method. Any driver that runs normally on Windows 2000 through Windows Vista and does not call WDF-related kernel API functions is called a traditional driver (including NT-type and WDM drivers). A driver that calls WDF-related kernel APIs is called a WDF driver."
As I understand it, the WDF programming method is an encapsulation of the existing kernel API functions widely used in WDM, especially the family of functions with the Io prefix, including the driver object, device object and request (IRP) APIs, and the old APIs can still be called in full. Too many kernel programs already rely on the old interfaces, so Microsoft has long been unable to require WDF programming.
Therefore, this book covers both. Most of the examples are written in the traditional driver model, while others are written in the WDF model (the virtual disk and the virtual network card). Readers will find that the two share the same lineage: once you are familiar with the traditional programming method, understanding WDF is very easy and pleasant.
Exercises in this book
Some readers do not like to practice with exercises. They think "this is just knowledge; memorizing it wastes space in the brain" or "you only need to look up the information when necessary". Indeed, many details do not need to be memorized. For a programmer, the most important thing is to know where to look for the solution when a requirement arises and a problem is encountered. This requires certain concepts to already be established in the mind. If you are in a completely ignorant state, it makes no sense to put an entire library in front of you.
Each chapter of this book is accompanied by a small number of exercises. Their purpose is to let readers check whether they have established the correct concepts after reading the chapter. In addition, there are some common-sense exercises (for example, the meaning of the instruction INT 3) that will be of great help to readers in their actual work. We recommend that you do not ignore them.
