Million

sum explanation     TIB & FS, GS Segment Register     TIB   (Thread Information Block)     TIB      ←     FS  (x86)             ←     GS  (x64)       typedef struct _NT_TIB {     PVOID    ExceptionList;     PVOID    StackBase;     PVOID    StackLimit;     PVOID    SubSystemTib;     PVOID    FiberData;     PVOID    ArbitraryUserPointer;     struct  _NT_TIB *Self; } NT_TIB;   typedef NT_TIB *PNT_TIB;     is in WinNT.h         Address Index ?   typedef struct _NT_TIB                 x86    x64 {...

When Windows changed to 64-bit, the system folder name "System32" was kept the same. (The name is 32, but it is a 64-bit system folder used by 64-bit applications) When a 32-bit application accesses the system folder in 64-bit Windows, it is redirected to the 'SysWOW64' folder, not System32 (the system folder for 32-bit applications in 64-bit Windows is \Windows\SysWOW64).  

I Msinfo32.exe   Software Environment - System Drivers     List of loaded drivers :  [Started] "Yes" Kernel Driver List :  [Type] "Kernel Driver"   Driver File :  [File]     II Registry   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services   ACPI Driver   III Folder   C:\Windows\System32\drivers     ______________________________________________________________________________________________________ desc     View list of installed drivers     You can view the list of installed (registered) drivers by running Msinfo32.exe in the Run dialog box of the Start menu.   Software Environment - System Drivers       The list of currently loaded drivers is displayed as "Yes" in the Started column.   The type of driver can be checked through the Type column.  ex) "Kernel Driver"   The driver file (.sys) can be found through the File column.   Additionally, you can...

General register designations.    

____________________________________________________________________________________   When a process (program) is executed in Windows,   Windows creates a structure named  EPROCESS  in the kernel memory space to manage it,   and the  ETHREAD  structure is created together as many threads as the process uses.     And create substructures named  PCB  and  TCB , respectively.     EPROCESS - PCB (Process Control Block) ETHREAD  - TCB (Thread Control Block)     Since the above structures exist in the kernel area, they can only be accessed in kernel mode.     A structure called  PEB   TEB  is also created in the user memory space for the purpose of obtaining information easily in user mode (user program).     PEB: Process Environment Block TEB: Thread Environment Block       PEB           TEB   ...