Chapter 4/ System Briefing
Table 4.11 Kernel-Mode Routine Prefixes (continued)

Prefix  Kernel-Mode Component        Description
Se      Security reference monitor   Validates permissions at runtime when accessing objects
Tm      Transaction management       Support for the classic two-phase commit scheme
Vf      Verifier routines            Checks the integrity of kernel-mode code
Whea    Hardware error architecture  Defines a mechanism for reporting hardware errors
Wmi     Management instrumentation   Allows kernel-mode code to interact with the WMI service
Zw      Native call APIs             The safe (user-callable) versions of the Nt*() routines
Kernel-Mode API Documentation
As mentioned earlier, the documentation for kernel-mode functions is lacking
(for whatever reason, different people will feed you different stories). Thus,
when you come across a kernel-mode routine that you don't recognize, the
following resources can be referenced to hunt for clues:
■ Official documentation.
■ Unofficial (non-Microsoft) documentation.
■ Header files.
■ Debug symbols.
■ Raw disassembly.
These sources are listed according to their degree of clarity and your level
of desperation. In the optimal scenario, the routine will be described in the
Windows Driver Kit (WDK) documentation. There are a number of kernel-
mode functions documented in the WDK help file under the Driver Support
Routines node (see Figure 4.16).
There's also MSDN online at http://msdn.microsoft.com. You can visit their
support page and perform a general search as part of your campaign to ferret
out information. This website is hit or miss. You tend to get either good
information immediately or nothing at all.
If you search the official Microsoft documentation and strike out, you can
always try documentation that has been compiled by third-party sources. There