Windows XP interrupt request levels: 31: HIGH_LEVEL 30: POWER_LEVEL 29: IPI_LEVEL 28: CLOCK2_LEVEL, CLOCK1_LEVEL 27: PROFILE_LEVEL … Device interrupt levels 2: DISPATCH_LEVEL 1: APC_LEVEL 0: PASSIVE_LEVEL Controlling IRQL: KIRQL oldirql; ASSERT(KeGetCurrentIrql()

Registry: IoOpenDeviceRegistryKey IoOpenDeviceInterfaceRegistryKey ZwOpenKey ZwClose ZwQueryValueKey ZwSetValueKey RtlDeleteRegistryValue … File: Must running at PASSIVE_LEVEL ZwCreateFile ZwClose ZwReadFile ZwWriteFile

Linked List: LIST_ENTRY SINGLE_LIST_ENTRY CONTAINING_RECORD Double Linked List: InitializeListHead InsertHeadList InsertTailList IsListEmpty RemoveEntryList RemoveHeadList RemoveTailList Single Link List PushEntryList PopEntryList String (A or W version) RtlCopyMemory RtlCopyBytes RtlZeroMemory RtlInitUnicodeString, RtlInitAnsiString, RtlAnsiStringToUnicodeString RtlFreeUnicodeString RtlStringCbCopyA, RtlStringCcbCopyA RtlStringCbCatA, RtlStringCcbCatA RtlStringCbPrintfA, RtlStringCcbPrintA RtlStringCbVprintfA, RtlStringCcbVPrintA … Continue reading →