Windows software drivers (part 1: memory descriptor list)

Categories: kernel

I am reading chapter 3, "The Windows Kernel", of Bruce Dang's book "Practical Reverse Engineering" and decided to write some notes down for later reference.

The following are the important constructs typically found in software drivers:

  • dispatch routines
  • device I/O control from user mode
  • buffering methods
  • symbolic links
  • raising and lowering IRQL levels
  • Memory Descriptor List (MDL) management

This post focuses on the main APIs used to manipulate a memory descriptor list, in the order a driver normally calls them:

  1. IoAllocateMdl() – allocates an MDL that describes a virtual address range (nothing is locked or mapped yet)
  2. MmProbeAndLockPages() – probes the range for the requested access and locks the backing physical pages; it raises an exception rather than returning a status if the range is invalid
  3. MmMapLockedPagesSpecifyCache() – maps the locked pages at a new (kernel or user) virtual address with the requested caching type
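As an added example (not code from this post or from the book), the snippet below is the sequence a driver would use to map a user-mode buffer into system space with the three APIs above and to tear the mapping down in reverse order, including the one thing that bites practitioners: MmProbeAndLockPages() raises an exception for a bad user address, so it must sit inside __try/__except and the MDL must be freed (but not unlocked) on that path. The WDK calls, SEH usage and NTSTATUS values are real; the host stand-ins under #else are an assumption added only so the logic compiles and can be exercised outside a WDK build (they are not a kernel, and the single-level setjmp-based SEH emulation is a test aid only).

```c
/* Added example, not code from the post or from Practical Reverse Engineering:
 * map a user buffer with IoAllocateMdl / MmProbeAndLockPages /
 * MmMapLockedPagesSpecifyCache and release it in reverse order.
 * The WDK calls and SEH usage are real; everything under #else is an
 * ASSUMED host stand-in so the logic compiles and runs outside a WDK build. */
#if defined(_KERNEL_MODE)
#include <ntddk.h>
#else /* ---- host stand-ins (assumed shapes of the WDK surface used below) ---- */
#include <setjmp.h>
#include <stdint.h>
#include <stdlib.h>
typedef int32_t NTSTATUS; typedef void *PVOID; typedef uint32_t ULONG;
typedef uint8_t BOOLEAN, KPROCESSOR_MODE;
typedef enum { MmNonCached, MmCached } MEMORY_CACHING_TYPE;
typedef enum { IoReadAccess, IoWriteAccess } LOCK_OPERATION;
typedef struct _MDL { PVOID va; ULONG len; BOOLEAN locked, mapped; } MDL, *PMDL;
enum { FALSE = 0, TRUE = 1, KernelMode = 0, UserMode = 1, NormalPagePriority = 16 };
#define STATUS_SUCCESS                ((NTSTATUS)0)
#define STATUS_ACCESS_VIOLATION       ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define EXCEPTION_EXECUTE_HANDLER 1
static jmp_buf g_seh; static NTSTATUS g_seh_code;
#define __try if (setjmp(g_seh) == 0)      /* one-level SEH emulation for the host */
#define __except(filter) else
#define GetExceptionCode() g_seh_code
static uint8_t g_user_page[4096];          /* constructed: the only "valid" user buffer */
static int g_live_mdls;                    /* leak counter the test checks */
static PMDL IoAllocateMdl(PVOID va, ULONG len, BOOLEAN sec, BOOLEAN quota, PVOID irp) {
    (void)sec; (void)quota; (void)irp;
    PMDL m = calloc(1, sizeof *m); if (m) { m->va = va; m->len = len; g_live_mdls++; } return m;
}
static void MmProbeAndLockPages(PMDL m, KPROCESSOR_MODE mode, LOCK_OPERATION op) {
    (void)mode; (void)op;
    uintptr_t p = (uintptr_t)m->va, lo = (uintptr_t)g_user_page, hi = lo + sizeof g_user_page;
    if (p < lo || p + m->len > hi) { g_seh_code = STATUS_ACCESS_VIOLATION; longjmp(g_seh, 1); }
    m->locked = TRUE;                      /* the real call raises, it does not return a status */
}
static PVOID MmMapLockedPagesSpecifyCache(PMDL m, KPROCESSOR_MODE mode, MEMORY_CACHING_TYPE ct,
                                          PVOID req, ULONG bugcheck, ULONG prio) {
    (void)mode; (void)ct; (void)req; (void)bugcheck; (void)prio; m->mapped = TRUE; return m->va;
}
static void MmUnmapLockedPages(PVOID base, PMDL m) { (void)base; m->mapped = FALSE; }
static void MmUnlockPages(PMDL m) { m->locked = FALSE; }
static void IoFreeMdl(PMDL m) { g_live_mdls--; free(m); }
#endif

typedef struct _USER_MAPPING { PMDL Mdl; PVOID KernelVa; } USER_MAPPING;

/* Map Length bytes of a caller-supplied user buffer (e.g. a METHOD_NEITHER IOCTL
 * pointer) into system space. On any failure nothing is left allocated. */
NTSTATUS MapUserBuffer(PVOID UserVa, ULONG Length, USER_MAPPING *Out)
{
    NTSTATUS status;
    Out->Mdl = NULL; Out->KernelVa = NULL;
    if (UserVa == NULL || Length == 0) return STATUS_INVALID_PARAMETER;

    /* 1. Describe the range. Nothing is locked yet, so IoFreeMdl alone undoes this. */
    PMDL mdl = IoAllocateMdl(UserVa, Length, FALSE, FALSE, NULL);
    if (mdl == NULL) return STATUS_INSUFFICIENT_RESOURCES;

    /* 2. Probe for write access as UserMode and lock the pages. An unmapped or
     *    kernel-space address makes this RAISE, so it must be inside __try. */
    __try {
        MmProbeAndLockPages(mdl, UserMode, IoWriteAccess);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
        IoFreeMdl(mdl);                    /* pages were never locked: no MmUnlockPages here */
        return status;
    }

    /* 3. Map at a fresh kernel VA. BugCheckOnFailure = FALSE turns a mapping
     *    failure into a NULL return instead of a bugcheck. */
    PVOID kva = MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmCached, NULL, FALSE,
                                             NormalPagePriority);
    if (kva == NULL) { MmUnlockPages(mdl); IoFreeMdl(mdl); return STATUS_INSUFFICIENT_RESOURCES; }

    Out->Mdl = mdl; Out->KernelVa = kva;
    return STATUS_SUCCESS;
}

/* Tear down in the reverse order of acquisition: unmap, unlock, free. */
void UnmapUserBuffer(USER_MAPPING *m)
{
    if (m->Mdl == NULL) return;
    MmUnmapLockedPages(m->KernelVa, m->Mdl);
    MmUnlockPages(m->Mdl);
    IoFreeMdl(m->Mdl);
    m->Mdl = NULL; m->KernelVa = NULL;
}
```

The order of the cleanup calls is not cosmetic: MmUnlockPages() on an MDL whose pages were never locked, or IoFreeMdl() on an MDL that is still mapped, are both bugs in a real driver. A real driver would additionally cap Length, and must unmap before the IRP that supplied the buffer completes, since the user address is only meaningful in that process context.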

MDLs are also a well-known rootkit primitive: a rootkit builds an MDL describing the pages that hold KeServiceDescriptorTable, locks them, and maps them at a second, writable kernel virtual address with MmMapLockedPagesSpecifyCache(); it then writes user-supplied values (typically hook addresses) into the SSDT through that new mapping, sidestepping the read-only protection on the original mapping.