• Windows Architecture , Ring0, Ring3, sysenter, sysexit
• Windows ServiceTable Windbg, analyze
• NtReadFile IO_STACK_LOCATION, IoCopyCurrentStackLocation
• NtReadFile IO_STACK_LOCATIO, IoSkipCurrentIrpStackLocation
• NtReadFile CompletionRoutine, MORE_PROCESSING_REQUIRED
• NtReadFile STATUS_PENDING, asynchronous
• i386 Secure Read Memory part I (PAGE_FAULT_IN_NONPAGED_AREA)
• Secure Read Memory part II (Multiprocessor)
• IoCallDriver FASTCALL, structures, MACROS you should know
• DriverDebug module doc and src
• KMEM Windows XP and Vista implementation (i386)- tested on VMWARE
• VirtualAddress -> PhysicalAddress i386 4kB
• VirtualAddress -> PhysicalAddress i386 4MB
• VirtualAddress -> PhysicalAddress i386 PAE 4KB
• VirtualAddress -> PhysicalAddress i386 PAE 2MB
• VirtualAddress -> PhysicalAddress IA-32E (x64) PAE 4k
• VirtualAddress -> PhysicalAddress IA-32E (x64) PAE 2MB
• PDE PTE Mapping and i386.h
• Unfair SpinLock and Fair SpinLock (Queued SpinLock)
• SpinLock implementation main and spin.c
• Queued Spin Lock Visual Studio symulation - many CPUs
• DeviceStack lower, upper
• IRP and IO_STACK_LOCATION - memory footprint

• OSR Online
• Sysinternals
• Doron Holan
• Lord of The Ring 0
• Kernel Mustard
• Windows Internals - Microsoft Press
• Windows Driver Model - Walter Oney