KeInitializeSemaphore, function, 170
KeInitializeSpinLock, function, 170
Kerio Personal Firewall, overview, 294
kernel
  call table hooking detection, 277
  function hooking detection, 277
  hooking problems, 42
Kernel Debugger, overview, 6
kernel hook prevention, prevention technique, 298
Kernel Hooks
  basic components of, 31
  code for defining a hook function, 31–33
  code for kernel memory protection, 29–30
  DriverUnload function, 34
  example, 33–38
  functional groups, 39–41
  Ghost.c file code, 33–36
  hookManager.c file, 36–37
  hookManager.c file code, 36–37
  hookManager.h file, 37–38
  hookManager.h file code, 37–38
  kernel hook functions, 31–33
  kernel hook macros, 30–31
  kernel memory protection, 28–31
  problems with, 42
  summary, 42
  system service table, 27–28
Kernel (Ki), functional group, 40
kernel memory, scanning, 278
kernel mode device driver, wOpenFile, 20
kernel module detection, IceSword, 313
kernel system call table hook detection, IceSword, 314
kernel32Base variable, Ghost.c, 51–52
kernel32.dll, Ghost.h, 50–51
KeServiceDescriptorTable
  hookManager.h file, 37–38
  system call table, 27–30
KeWaitForSingleObject, function, 170
key code mapping, key processing versus, 171
key codes, interpreting, 170–171
key logger
  insertion diagram, 169
  synchronization diagram, 170
Key Logging
  example, 171–185
  example testing, 185
  filterManager.c file, 173–174
  filterManager.c file code, 173–174
  filterManager.h file, 174
  Ghost.c file, 172–173
  Ghost.c file code, 172–173
  IoManager.c file, 174
  IoManager.c file code, 174
  IRP intercept method, 169–170
  key codes, 170–171
  keyboard filter, 168–170
  keyManager.c file, 176–184
  keyManager.c file code, 176–184
  keyManager.h file, 174–175
  keyManager.h file code, 174–175
  processing levels, 167–168
  SOURCES, 172
  summary, 186
  threading and synchronization, 170
key processing
  diagram, 171
  key code mapping versus, 171
keyboard filter, adding a, 168–170
keyboard I/O, completion routine, 168
keyboardData global variable, key logging, 172–173
KeyLoggerThread, function, 185
keyManager.c file
  code, 176–184
  key logging, 176–184
keyManager.h file
  code, 174–175
  key logging, 174–175
Ki (Kernel), functional group, 40
KiRaiseUserExceptionDispatcher, routine, 40
KiUserApcDispatcher, routine, 40
KiUserCallbackDispatcher, routine, 40
KiUserExceptionDispatcher, routine, 40
known good environment, defined, 276