Contents

Segmentation 121

Paging 123

Linear to Physical Address Translation 127

A Quicker Approach 128

Comments on EPROCESS and KPROCESS 128

4.3 User Space and Kernel Space 130

4-Gigabyte Tuning (4GT) 130

To Each His Own 131

Jumping the Fence 133

User-Space Topography 133

Kernel-Space Dynamic Allocation 135

Address Windowing Extension 136

PAE Versus 4GT Versus AWE 137

4.4 User Mode and Kernel Mode 137

How Versus Where 137

Kernel-Mode Components 139

User-Mode Components 141

4.5 Other Memory Protection Features 144

Data Execution Prevention 144

Address Space Layout Randomization 148

/GS Compiler Option 151

/SAFESEH Linker Option 155

4.6 The Native API 155

The IVT Grows Up 156

A Closer Look at the IDT 157

System Calls via Interrupt 159

The SYSENTER Instruction 159

The System Service Dispatch Tables 160

Enumerating the Native API 163

Nt*() Versus Zw*() System Calls 164

The Life Cycle of a System Call 166

Other Kernel-Mode Routines 168

Kernel-Mode API Documentation 172

4.7 The Boot Process 174

Startup for BIOS Firmware 175

Startup for EFI Firmware 177

The Windows Boot Manager 177