Kernel memory dump. A kernel memory dump contains only the kernel-mode read/write pages present in physical memory at the time of the crash. This type of dump doesn't contain pages belonging to user processes. Because only kernel-mode code can directly cause Windows to crash, however, it's unlikel...
Alex Ionescu is a chief software architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He teaches the Windows Internals course with David Solomon, and is active in the security research community. ...
The author is the founder and maintainer of the x64dbg project, a debugger for Windows. He discusses the fundamentals of Windows internals, including processes, address-space initialization, and dynamic-link library (DLL) loading. He also explains how a debugger works and how to use it to observe how Windows loads and executes programs. Key points: [💡] Introduces the fundamentals of Windows internals. [💡] Demonstrates process creation and initialization, ...
Windows Internals, 5th Edition (Chapter 14, "Crash Dump Analysis") by David A. Solomon, Mark E. Russinovich and Alex Ionescu (Microsoft Press, June 2009) Windows 7 Resource Kit (Chapter 32, "Troubleshooting Stop Messages") by Mitch Tulloch, Tony Northrup, Jerry Honeycutt, Ed Wilson, and th...
Windows Internals 6th Edition. This information will help in understanding the parameters being passed to the API function at which we crash. 2: kd>!stack -p Call Stack : 12 frames ## Stack-Pointer Return-Address Call-Site 00 ffff8e0df0a9fad8 fffff8075141aec1 nt!KeBugCheckEx+0 ...
This course takes a deep dive into the internals of the Windows kernel from a security perspective. Attendees learn about the behind-the-scenes workings of various components of the Windows kernel, with emphasis on internal algorithms, data structures and debugger usage. Every topic in this course is ac...
The Testlimit utility, which I wrote for the 4th Edition of Windows Internals to demonstrate various Windows limits, calls VirtualAlloc repeatedly until it gets an error when you specify the –r switch. Thus, when you run the 32-bit version of Testlimit on 32-bit Windows, it will consume ...
After this training you will not have to read and learn OS internals from books; instead you will debug and understand it as and when you need it. Course Structure: This course has 3 chapters. In Chapter 1 we discuss the necessary concepts to get us started and mostly focus on the commands...
Those familiar with the internals of Windows NT associate the assembly language instruction "INT 0x2E" with system calls, since it's with this instruction that Windows NT and Windows 2000 transition from user mode to the kernel-mode system call interface where the native API is implemented. ...
However, this post is not about such small research updates — but rather about a much bigger piece of work that has taken up my time these last 12 months — the release of Windows Internals, 7th Edition (Part 1)! Windows Internals, 7th Edition Some history… After the release of the ...