Windows software drivers (part 1: memory description list)
I am reading chapter 3, "Windows Kernel", of Bruce Dang's book "Practical Reverse Engineering" and decided to write some notes down for later reference.
The following are important constructs typically found in software drivers:
- dispatch routines
- device I/O control from user mode
- buffering methods
- symbolic links
- raising and lowering IRQL levels
- Memory Description List (MDL) management
This post focuses on the major APIs for manipulating memory description lists. The same APIs matter offensively: rootkits commonly use an MDL to obtain a second, writable kernel mapping of the read-only KeServiceDescriptorTable (the SSDT) and then overwrite its entries with function pointers supplied from user mode. That trick is a 32-bit one in practice; on x64 the table is not exported and PatchGuard monitors it.
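The following is an added example, not code from the post or from the book: a host-side model of the x64 MDL header and of the bookkeeping that IoAllocateMdl, MmBuildMdlForNonPagedPool, MmMapLockedPagesSpecifyCache and the MmGetSystemAddressForMdlSafe macro perform on it. Kernel virtual addresses and PFNs are plain integers, so it compiles as an ordinary user-mode C program. The field layout, flag values and page arithmetic follow ntddk.h; the fake PFN "translation", the mapping base `MODEL_SYSTEM_VA_BASE` and the sample address `0xFFFFF80000123FF8` are assumptions made up for the model.

```c
/*
 * mdl_model.c: user-mode model of the x64 MDL header and the Mm/Io calls
 * that manipulate it.  Added example, not driver code.  Layout and flag
 * values follow ntddk.h; the PFN translation and MODEL_SYSTEM_VA_BASE are
 * assumptions so the program runs without a kernel.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define PAGE_SHIFT 12u                 /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1u << PAGE_SHIFT)

/* MdlFlags bits from ntddk.h that this model sets or tests */
#define MDL_MAPPED_TO_SYSTEM_VA     0x0001
#define MDL_PAGES_LOCKED            0x0002
#define MDL_SOURCE_IS_NONPAGED_POOL 0x0004

/* x64 MDL header: 48 bytes, followed by one PFN_NUMBER (8 bytes) per page */
typedef struct _MDL {
    uint64_t Next;            /* PMDL chain link, NULL for a single MDL     */
    int16_t  Size;            /* header + PFN array, in bytes (MmSizeOfMdl) */
    int16_t  MdlFlags;
    uint32_t Pad;             /* explicit stand-in for the compiler padding */
    uint64_t Process;         /* PEPROCESS for user buffers, NULL otherwise */
    uint64_t MappedSystemVa;  /* usable system VA once mapped               */
    uint64_t StartVa;         /* page-aligned start of the described buffer */
    uint32_t ByteCount;       /* length of the described range              */
    uint32_t ByteOffset;      /* offset of the range inside its first page  */
} MDL;

/* ADDRESS_AND_SIZE_TO_SPAN_PAGES from ntddk.h */
static uint64_t span_pages(uint64_t va, uint32_t len) {
    return ((va & (PAGE_SIZE - 1)) + len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
}

/* MmGetMdlPfnArray: the PFN array lives directly behind the header */
static uint64_t *mdl_pfn_array(MDL *m) { return (uint64_t *)(m + 1); }

/* Model of IoAllocateMdl(va, len, FALSE, FALSE, NULL) */
static MDL *mdl_allocate(uint64_t va, uint32_t len) {
    uint64_t pages = span_pages(va, len);
    size_t size = sizeof(MDL) + pages * sizeof(uint64_t);   /* MmSizeOfMdl */
    MDL *m = calloc(1, size);
    if (!m) return NULL;
    m->Size       = (int16_t)size;
    m->StartVa    = va & ~(uint64_t)(PAGE_SIZE - 1);        /* PAGE_ALIGN  */
    m->ByteOffset = (uint32_t)(va & (PAGE_SIZE - 1));       /* BYTE_OFFSET */
    m->ByteCount  = len;
    return m;
}

/* Model of MmBuildMdlForNonPagedPool: fills the PFN array without locking
 * anything and records the existing VA as the system mapping.
 * Assumption: the fake translation is simply VA >> PAGE_SHIFT. */
static void mdl_build_for_nonpaged_pool(MDL *m) {
    uint64_t *pfn = mdl_pfn_array(m);
    uint64_t n = span_pages(m->StartVa + m->ByteOffset, m->ByteCount);
    for (uint64_t i = 0; i < n; i++)
        pfn[i] = (m->StartVa >> PAGE_SHIFT) + i;
    m->MappedSystemVa = m->StartVa + m->ByteOffset;         /* original VA */
    m->MdlFlags |= MDL_SOURCE_IS_NONPAGED_POOL;
}

/* Model of MmMapLockedPagesSpecifyCache(m, KernelMode, ...): hands out a
 * fresh system VA aliasing the same physical pages.  Returns 0 where the
 * real call is not allowed: pages neither locked nor nonpaged-pool backed,
 * or an MDL that is already mapped. */
#define MODEL_SYSTEM_VA_BASE 0xFFFFF88000000000ull           /* assumption */
static uint64_t mdl_map_locked_pages(MDL *m) {
    if (!(m->MdlFlags & (MDL_PAGES_LOCKED | MDL_SOURCE_IS_NONPAGED_POOL)))
        return 0;
    if (m->MdlFlags & MDL_MAPPED_TO_SYSTEM_VA)
        return 0;
    m->MappedSystemVa = MODEL_SYSTEM_VA_BASE + m->ByteOffset;
    m->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
    return m->MappedSystemVa;
}

/* The MmGetSystemAddressForMdlSafe macro: reuse MappedSystemVa when either
 * flag is set, otherwise map.  For a nonpaged-pool MDL this returns the
 * ORIGINAL address, which is why code wanting a new (writable) alias must
 * call the mapping routine itself instead of this macro. */
static uint64_t mdl_get_system_address_safe(MDL *m) {
    if (m->MdlFlags & (MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL))
        return m->MappedSystemVa;
    return mdl_map_locked_pages(m);
}

/* Model of IoFreeMdl (the unmap step is omitted from this model) */
static void mdl_free(MDL *m) { free(m); }

int main(void) {
    /* Constructed target: a 16-byte range straddling a page boundary */
    MDL *m = mdl_allocate(0xFFFFF80000123FF8ull, 16);
    mdl_build_for_nonpaged_pool(m);
    printf("pages=%llu size=%d safe_va=%llx alias_va=%llx\n",
           (unsigned long long)span_pages(0xFFFFF80000123FF8ull, 16), m->Size,
           (unsigned long long)mdl_get_system_address_safe(m),
           (unsigned long long)mdl_map_locked_pages(m));
    mdl_free(m);
    return 0;
}
```

The point worth taking from the model is the last two functions: for an MDL built over nonpaged pool, MmGetSystemAddressForMdlSafe just returns the address you started with, so the alias that gives write access to read-only kernel memory only appears when MmMapLockedPagesSpecifyCache is called explicitly. In a real driver the PFN array is filled by the kernel from the page tables, the mapping lands in system PTE space, and every mapping must be paired with MmUnmapLockedPages before IoFreeMdl.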