Post Directory

This page is intended to be a categorized directory of post series that you might find interesting. It is intended to be periodically updated as new post series (or significant standalone posts) are published.

Debugging:
This section includes information on how to use debuggers (as well as general concepts, examples, and tutorials).

  1. Win32 calling conventions. A series that describes the different Win32 calling conventions in use on x86, from both a programming and debugging / reverse engineering perspective.
  2. Remote debugging. A series that describes various scenarios and usage cases (with examples) of the remote debugging facilities included with the Debugging Tools for Windows (DTW) suite.
  3. Introduction to x64 debugging. A series that describes the basics (if you can call them basics!) of debugging on x64 computers, including native 64-bit debugging and Wow64 debugging.
  4. Debugger commands review. A series that describes the usage of various WinDbg commands.
  5. The kernel object namespace and Win32. An overview of how the kernel object namespace is used with the Win32 API, and how the “magic” behind session isolation works with the Win32 view of the object namespace.
  6. Frame pointer omission (FPO) optimization and consequences when debugging. This series of articles provides details as to what exactly FPO optimization is, and why you want to disable it for release builds in order to improve your program’s debuggability in the field.
  7. Programming against the x64 exception handling support is a seven-part series that describes the fundamentals (and internals) of the new unwind and exception handling related changes in Windows for x64-based systems. It includes detailed information on the internals of functions like RtlUnwindEx, C definitions for the new x64 unwind-related APIs that are actually correct (most of MSDN’s documentation on the subject is either missing or incorrect), and an example stack walk routine for x64 that uses the new unwind metadata to perform much more detailed stack walks than ever possible on x86.
  8. Debugger tricks: API call logging (parts one, two, and three) is a three-part series that explores the usage of conditional breakpoints for purposes of logging function calls in a running program. It includes examples of some more complicated conditional breakpoints (such as breakpoints that resume execution for a limited amount of time and then inspect the target’s state, and breakpoints that maintain state across the debugger resuming the target for a short period of time).
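As an added illustration of the techniques the calling-convention and API-call-logging series above cover (these are example commands written for this directory, not commands taken from those posts), the following WinDbg breakpoints log every call to kernel32!CreateFileW with its arguments and caller, and then use a pseudo-register to keep a call count alive across resumes. The argument locations follow from the calling convention in use: on x64 the first two arguments are in rcx and rdx, on x86 stdcall they are on the stack at esp+4 and esp+8 at function entry (with the return address at esp). The choice of CreateFileW and the stop-after-ten-calls limit are arbitrary for the example.

```windbg
$$ Added example, not from the original series: log each CreateFileW call and resume.
$$ x64: Microsoft x64 convention, lpFileName in rcx, dwDesiredAccess in edx,
$$ return address at [rsp] on entry.
bp kernel32!CreateFileW ".printf \"CreateFileW(%mu, access=%x) from %p\\n\", @rcx, @edx, poi(@rsp); gc"

$$ x86: stdcall, all arguments on the stack; [esp] is the return address,
$$ [esp+4] is lpFileName and [esp+8] is dwDesiredAccess at function entry.
bp kernel32!CreateFileW ".printf \"CreateFileW(%mu, access=%x) from %p\\n\", poi(@esp+4), poi(@esp+8), poi(@esp); gc"

$$ State across resumes: count calls in the $t0 pseudo-register, keep going
$$ (gc) until the tenth call, then stop in the debugger and show the stack.
r $t0 = 0
bp kernel32!CreateFileW "r $t0 = @$t0 + 1; .if (@$t0 < 0n10) { gc } .else { .printf \"10th CreateFileW call\\n\"; kb }"
```

Use `gc` rather than `g` to resume from a conditional breakpoint so that single-stepping through the breakpoint still behaves as expected; use `bu` instead of `bp` if kernel32 has not been loaded yet when the breakpoint is set. Arguments are only at these locations at the first instruction of the function, so the breakpoint must be on the function entry, not somewhere inside the body.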

Windows Internals:
This section includes detailed information on internal Windows constructs and behaviors.

  1. Thread Local Storage is an eight-part series that describes the inner workings of both flavors of TLS (including the elusive __declspec(thread)) on Windows. It also outlines some of the new support in Windows Vista for allowing the usage of implicit TLS with demand-loaded DLLs.
  2. A catalog of NTDLL kernel mode to user mode callbacks describes how the many special kernel mode to user mode callback routines in NTDLL (such as KiUserExceptionDispatcher) operate internally.

Reverse engineering:
This section includes general information on reverse engineering.

Security:
This section includes topics on computer security (and often, though not exclusively, Windows security in particular).

  1. A brief discussion of Windows Vista’s IE Protected Mode (and user/process level security) describes the new protected mode feature of Internet Explorer in Windows Vista, including an exploration of what it can (and can’t) do as far as protecting you from IE exploits.

Virtualization:
This section includes posts that discuss virtualization-related concepts.

  1. Fast kernel debugging for VMware outlines the design principles behind a program that I wrote to improve the performance of Windows kernel debugging in VMware guests. Internals of the kernel debugger protocol and general virtualization concepts are also discussed.