4.6 The Native API
Figure 4.16 The Windows Driver Kit help viewer, showing the WDK contents tree: Windows Driver Kit Introduction, New Information, Getting Started with Windows Drivers, Kernel-Mode Driver Architecture, Design Guide, Reference (Standard Driver Routines, Driver Support Routines, Kernel Data Types), WDK Samples, Windows Driver Foundation.
are a number of books and articles that have appeared over the years that
might be helpful. Table 4.12 offers a sample, chronological list of noteworthy
attempts to document the undocumented.
Table 4.12 Books on Undocumented Aspects of Windows

Title                                   Author                                 Publisher
Undocumented Windows NT                 Prasad Dabak, Sandeep Phadke, et al.   Hungry Minds, 1999
Windows NT/2000 Native API Reference    Gary Nebbett                           Sams, 2000
Undocumented Windows 2000 Secrets       Sven Schreiber                         Addison-Wesley, 2001
As you can see, the books in the table are more than a decade old. This
speaks to the fact that the Native API is an elusive moving target. It refuses to
sit still. Given the effort required to reverse call stacks, most authors can only
sit and watch as all their hard work fades quickly into obsolescence (the
alternative is to tread water forever). At Black Hat DC 2010, I remember listening
to H.D. Moore describe how they foiled a publisher's attempt to document
Metasploit simply by coding faster than the authors could keep up.
If formal documentation fails you, another avenue of approach is to trawl
through the header files that come with the Windows Driver Kit (e.g., ntddk.h,
ntdef.h) and the Windows SDK (e.g., winternl.h). Occasionally, you'll run
into some embedded comments that shed light on what things represent.
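As an added illustration (not code from the book), the following Python script does that header trawling mechanically: it pulls every Nt*/Zw* prototype out of a header and pairs it with whatever comment block sits directly above the declaration, so the rare explanatory comments can be located without reading the file end to end. The embedded header text is a constructed sample in the style of winternl.h, not a copy of the real file.

```python
import re

# Constructed sample in the style of the WDK/SDK headers (not a copy of the real
# winternl.h or ntddk.h): two Nt*/Zw* prototypes, only one of them commented.
SAMPLE_HEADER = """\
typedef struct _UNICODE_STRING { USHORT Length; PWSTR Buffer; } UNICODE_STRING;

//
// This function is reserved for system use. Use GetVersionEx instead.
//
NTSTATUS
NTAPI
NtQueryInformationProcess(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength
    );

NTSYSAPI NTSTATUS NTAPI ZwClose(HANDLE Handle);
"""

# An Nt*/Zw* identifier followed by a parenthesised parameter list and ';'.
PROTO_RE = re.compile(r"\b((?:Nt|Zw)[A-Za-z0-9_]+)\s*\((.*?)\)\s*;", re.S)
COMMENT_RE = re.compile(r"^\s*(//|/\*|\*)")


def find_native_prototypes(header_text):
    """One dict per Nt*/Zw* prototype: name, parameters, and the comment
    block (possibly empty) that sits directly above the declaration."""
    lines = header_text.splitlines()
    found = []
    for m in PROTO_RE.finditer(header_text):
        params = [p.strip() for p in m.group(2).split(",") if p.strip()]
        # Start on the line above the name and step over the return-type and
        # calling-convention lines (NTSYSAPI / NTSTATUS / NTAPI) before it.
        i = header_text.count("\n", 0, m.start(1)) - 1
        while i >= 0 and lines[i].strip() and not COMMENT_RE.match(lines[i]) \
                and not lines[i].rstrip().endswith((";", "}")):
            i -= 1
        comment = []  # contiguous comment lines above the declaration
        while i >= 0 and COMMENT_RE.match(lines[i]):
            text = lines[i].strip().lstrip("/*").rstrip("*/").strip()
            if text:
                comment.insert(0, text)
            i -= 1
        found.append({"name": m.group(1), "params": params,
                      "comment": " ".join(comment)})
    return found
```

To run it against a real header, pass the file contents instead of the sample, e.g. `find_native_prototypes(open("winternl.h", errors="replace").read())`; entries with an empty comment are the ones the header leaves you to work out yourself.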
Part I | 173