314 questions
0 votes, 0 answers, 30 views
What does an IRP sent from pressing a key on the keyboard look like, and how can I access that information?
Disclaimer: I am a bit new to kernel and driver programming, so excuse me if I don't use the correct terms.
I am trying to write a keyboard filter driver in windows 10 that will log and save the user's ...
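On the keyboard stack, a read request that reaches the keyboard class driver (kbdclass) is completed with an array of KEYBOARD_INPUT_DATA records in the read buffer, and Irp->IoStatus.Information holds the byte count; a filter layered on that stack sees the same records, either in its IRP_MJ_READ completion routine or in the class service callback that the WDK kbfiltr sample hooks. As an added example that is not part of the question, here is a user-mode C decoder for that record format run over a constructed buffer. The struct layout mirrors ntddkbd.h; the sample bytes and the helper names (build_sample_buffer, decode_keyboard_buffer) are assumptions made here for the demo.

```c
/* Added example (not from the question): decode KEYBOARD_INPUT_DATA records
 * as they appear in a completed keyboard-class read buffer. The struct layout
 * mirrors ntddkbd.h; the sample buffer below is constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAKE  0   /* key pressed                         */
#define KEY_BREAK 1   /* key released                        */
#define KEY_E0    2   /* scancode carried an E0 prefix       */
#define KEY_E1    4   /* scancode carried an E1 prefix       */

typedef struct {
    uint16_t UnitId;
    uint16_t MakeCode;          /* set-1 make code, without the E0/E1 prefix */
    uint16_t Flags;             /* KEY_MAKE/KEY_BREAK plus KEY_E0/KEY_E1     */
    uint16_t Reserved;
    uint32_t ExtraInformation;
} KEYBOARD_INPUT_DATA;          /* 12 bytes, no padding, as in ntddkbd.h    */

typedef struct {
    uint16_t make_code;
    int      pressed;
    int      extended;
} KeyEvent;

/* Decode a completed read buffer. `information` is the byte count reported in
 * Irp->IoStatus.Information; it must be a whole number of records. Returns the
 * number of records decoded, or -1 if the length is not a record multiple. */
int decode_keyboard_buffer(const uint8_t *buf, size_t information,
                           KeyEvent *out, size_t max_out)
{
    if (information % sizeof(KEYBOARD_INPUT_DATA) != 0)
        return -1;
    size_t n = information / sizeof(KEYBOARD_INPUT_DATA);
    if (n > max_out)
        n = max_out;
    for (size_t i = 0; i < n; i++) {
        KEYBOARD_INPUT_DATA kid;
        memcpy(&kid, buf + i * sizeof kid, sizeof kid);   /* no unaligned deref */
        out[i].make_code = kid.MakeCode;
        out[i].pressed   = (kid.Flags & KEY_BREAK) == 0;
        out[i].extended  = (kid.Flags & KEY_E0) != 0;
    }
    return (int)n;
}

/* Constructed sample: 'A' (set-1 scancode 0x1E) pressed and released, then
 * Right Arrow (E0 4D) pressed and released. Returns the byte count. */
size_t build_sample_buffer(uint8_t *buf)
{
    const KEYBOARD_INPUT_DATA sample[4] = {
        { 0, 0x1E, KEY_MAKE,           0, 0 },
        { 0, 0x1E, KEY_BREAK,          0, 0 },
        { 0, 0x4D, KEY_MAKE | KEY_E0,  0, 0 },
        { 0, 0x4D, KEY_BREAK | KEY_E0, 0, 0 },
    };
    memcpy(buf, sample, sizeof sample);
    return sizeof sample;
}

int main(void)
{
    uint8_t buf[64];
    KeyEvent ev[8];
    size_t len = build_sample_buffer(buf);
    int n = decode_keyboard_buffer(buf, len, ev, 8);
    for (int i = 0; i < n; i++)
        printf("scancode %s%02X %s\n", ev[i].extended ? "E0 " : "",
               (unsigned)ev[i].make_code, ev[i].pressed ? "down" : "up");
    return 0;
}
```

A filter that logs these records should validate the byte count the same way before touching the buffer: a completed read can carry several records at once, and a count that is not a multiple of 12 means the buffer is not what the filter expects.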
0 votes, 0 answers, 62 views
Difference between mem::take and mem::swap leading to kernel panic (Rust)
With the below context (Rust Windows driver), I have highlighted the mem::swap with a comment:
use core::mem;
pub struct DriverMessagesWithMutex {
lock: FAST_MUTEX,
is_empty: bool,
data: ...
0 votes, 1 answer, 30 views
How to find the service name corresponding to a svchost process in my WFP driver's ALE Callout?
In my WFP driver, I register a callout for the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer.
Now in my callout, in case the process that made the connection was svchost, I want to extract the SID of the ...
0 votes, 0 answers, 45 views
How to iterate through each file on each volume of each disk?
In Windows kernel programming, I want to iterate through each disk, then iterate through all volumes on those disks, and finally print out the file paths of all files on each volume. How can I do this?...
1 vote, 0 answers, 30 views
How to obtain the device path for all files on each disk device?
I have retrieved the disk devices using IoGetDeviceInterfaces() and then parsed the string to obtain the DeviceObject for the disk device. What should I do next to traverse all the files on this disk ...
0 votes, 0 answers, 58 views
Minifilter - Failure in Registration
I was developing a basic kernel-mode minifilter driver for x64 Windows 10. It compiled without any problem. But when I installed and ran it using sc start driver, the output I get in dbgview is this: ...
0 votes, 1 answer, 100 views
Why use Thread Control Blocks (TCB) Instead of Kernel stack for saving thread info?
Some Background
I have been studying operating systems and I am currently learning about system calls and how they are handled using interrupts. The course I am following (Berkeley CS 162) shows that ...
0 votes, 0 answers, 42 views
Best way to intercept write IRPs to \driver\volmgr devices, without using UpperFilter registry?
Assume you want to intercept IRP_MJ_WRITE IRPs sent to \driver\volmgr, in particular, the device for the root partition (for example C:), and you want to monitor any writes to starting sector of this ...
2 votes, 0 answers, 93 views
Windows Minifilter: How to capture the primary IRP_MJ_CREATE in an FLT callback
As we know, when it comes to filesystem mini-filter drivers, there is no simple correspondence between the user-mode API calls and the IRP requests passed through an FLT instance; so when the ...
0 votes, 0 answers, 27 views
Error C4013: "MmCopyVirtualMemory" undefined in KMDF driver
I get the error when I try to compile the code: Error C4013: "MmCopyVirtualMemory" undefined; Assumption: external with return type int. Here is the code:
#include <ntifs.h>
#include <...
0 votes, 0 answers, 23 views
Understanding the Use of Intrin.h Functions in User Mode
I'm trying to understand how certain functions from intrin.h work in user mode, as I initially thought they were limited to kernel mode. Specifically, I've used the following functions, and they seem ...
0 votes, 0 answers, 43 views
_xsaveopt64 Usage in Kernel-Mode
I need to manage extended processor state using _xsaveopt64. My current approach with _fxsave64 and _fxrstor64 has been as follows:
alignas(16) char fxStateBuffer[512];
// Saving state
_fxsave64(...
0 votes, 0 answers, 74 views
SMBIOS table header invalid?
I have this hardware ID spoofer I'm working on, and the thing is that I get this result running it:
Processing SMBIOS header: Type=0, Length=26
Processing SMBIOS header: Type=0, Length=26
Processing ...
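Walking the SMBIOS structure table means advancing past both the formatted area (the Length byte, header included) and the string set that follows it, which ends at a double NUL; a structure with no strings still carries two NUL bytes, and if the offset is not moved past the string set the same header is processed again. As an added example that is not from the post, here is a walker over a constructed table (Type 0, Type 1, and the Type 127 end marker) that also resolves the 1-based string index fields Type 0 and Type 1 use. The table bytes and the helper names are assumptions made here; in a real program the raw table comes from GetSystemFirmwareTable('RSMB') in user mode or AuxKlibGetSystemFirmwareTable in a driver, and that buffer starts with an 8-byte RawSMBIOSData header (version fields and table length) that has to be skipped before the walk below begins.

```c
/* Added example (not from the post): walk an SMBIOS structure table.
 * Each structure is a 4-byte header, a formatted area of `length` bytes
 * (header included), then a string set terminated by an extra NUL.
 * The sample table below is constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t  type;
    uint8_t  length;    /* size of the formatted area, header included */
    uint16_t handle;
} SmbiosHeader;

#define SMBIOS_END_OF_TABLE 127

/* Walk the table, storing the offset of each structure in `offsets`.
 * Returns the number of structures seen, or -1 if the table is malformed
 * (length smaller than the header, or a string set that runs off the end). */
int smbios_walk(const uint8_t *table, size_t table_len, size_t *offsets, size_t max_offsets)
{
    size_t off = 0;
    int count = 0;

    while (off + sizeof(SmbiosHeader) <= table_len) {
        SmbiosHeader h;
        memcpy(&h, table + off, sizeof h);
        if (h.length < sizeof(SmbiosHeader) || off + h.length > table_len)
            return -1;
        if ((size_t)count < max_offsets)
            offsets[count] = off;
        count++;

        /* Skip the formatted area, then the string set, which ends at "\0\0". */
        size_t p = off + h.length;
        for (;;) {
            if (p + 1 >= table_len)
                return -1;                      /* no room for the terminator */
            if (table[p] == 0 && table[p + 1] == 0) {
                p += 2;
                break;
            }
            p++;
        }
        if (h.type == SMBIOS_END_OF_TABLE)
            break;
        off = p;                                /* next structure */
    }
    return count;
}

/* Resolve a 1-based string index of the structure starting at `s`.
 * Returns NULL if the index is out of range or a string is unterminated. */
const char *smbios_string(const uint8_t *s, size_t avail, unsigned index)
{
    if (avail < sizeof(SmbiosHeader) || index == 0)
        return NULL;
    size_t p = s[1];                            /* Length byte: strings start here */
    for (unsigned i = 1; p < avail && s[p] != 0; i++) {
        const uint8_t *nul = memchr(s + p, 0, avail - p);
        if (nul == NULL)
            return NULL;
        if (i == index)
            return (const char *)(s + p);
        p = (size_t)(nul - s) + 1;
    }
    return NULL;
}

/* Constructed sample table: Type 0 (BIOS), Type 1 (System), Type 127 (end).
 * The string arrays get an implicit trailing NUL, which forms the "\0\0". */
size_t build_sample_table(uint8_t *buf, size_t cap)
{
    static const uint8_t s0[] = "Example Vendor\0" "1.0\0" "01/01/2024\0";
    static const uint8_t s1[] = "Example Inc\0" "Box\0";
    uint8_t t0[26]  = { 0, 26, 0x00, 0x00 };    /* Type 0, Length 26, Handle 0x0000 */
    uint8_t t1[27]  = { 1, 27, 0x00, 0x01 };    /* Type 1, Length 27, Handle 0x0100 */
    uint8_t t127[4] = { SMBIOS_END_OF_TABLE, 4, 0xFF, 0xFF };
    size_t off = 0;

    t0[4] = 1; t0[5] = 2; t0[8] = 3;            /* Vendor, BIOS Version, Release Date */
    t1[4] = 1; t1[5] = 2;                       /* Manufacturer, Product Name          */

    if (cap < sizeof t0 + sizeof s0 + sizeof t1 + sizeof s1 + sizeof t127 + 2)
        return 0;
    memcpy(buf + off, t0, sizeof t0);     off += sizeof t0;
    memcpy(buf + off, s0, sizeof s0);     off += sizeof s0;
    memcpy(buf + off, t1, sizeof t1);     off += sizeof t1;
    memcpy(buf + off, s1, sizeof s1);     off += sizeof s1;
    memcpy(buf + off, t127, sizeof t127); off += sizeof t127;
    buf[off++] = 0; buf[off++] = 0;             /* empty string set */
    return off;
}

int main(void)
{
    uint8_t table[256];
    size_t offsets[16];
    size_t len = build_sample_table(table, sizeof table);
    int n = smbios_walk(table, len, offsets, 16);

    for (int i = 0; i < n; i++) {
        const uint8_t *s = table + offsets[i];
        printf("Processing SMBIOS header: Type=%u, Length=%u\n", (unsigned)s[0], (unsigned)s[1]);
        if (s[0] == 0)
            printf("  vendor=%s version=%s date=%s\n",
                   smbios_string(s, len - offsets[i], 1),
                   smbios_string(s, len - offsets[i], 2),
                   smbios_string(s, len - offsets[i], 3));
    }
    return 0;
}
```

Both functions take the remaining length and return -1 or NULL rather than reading past the buffer; a table handed over by firmware or by a user-mode caller should be treated as untrusted input in exactly that way.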
0 votes, 0 answers, 132 views
Visual Studio 2022 : error 1296 Hardware 'Test_(01)' does not have an associated service using install section 'A9_GBD'
I upgraded my Visual Studio from 2017 to 2022, and also the SDK and WDK to the brand-new release. In the past, with older releases, I had no issue with the V3 printer INF file. Now I always get an error with ...
0 votes, 0 answers, 39 views
How to examine whether ERESOURCE is null before deleting it?
When I want to create C++ RAII wrappers for executive resources, I've come across this issue.
#include <ntddk.h>
class ExecutiveResource
{
public:
ExecutiveResource()
{
...
2 votes, 1 answer, 168 views
After modifying msr[lstar], why can't the expected breakpoint be hit?
I discovered a driver vulnerability that allows arbitrary modification of the msr register.
A common attack scenario is to modify msr[lstar] to point it to the attacker's malicious code. Then, when ...
0 votes, 1 answer, 94 views
Unresolved external symbols in <wsk.h> while building [duplicate]
I am trying Winsock Kernel and wrote a test project that sets up the WSK environment, but an error occurred while building the project: Visual Studio cannot link the definitions of the WSK functions.
I ...
1 vote, 0 answers, 49 views
Custom memory allocator with unique pool tag
I'm developing a driver for Windows in kernel space and am working on implementing a custom memory allocator that adheres to the constraints of kernel development, such as the prohibition of using ...
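Pool tags exist so that WinDbg's !pool and !poolused, PoolMon, and Driver Verifier's pool tracking can attribute outstanding memory to a driver, so an allocator built on top of ExAllocatePool2 / ExFreePoolWithTag should keep the tag and size per block and check them when the block is released. As an added example, not from the post, here is that bookkeeping modelled in user-mode C with malloc/free standing in for the pool calls (an assumption so it runs outside the kernel; the function names are chosen here). The POOL_TAG macro packs four characters so they read in order in a memory dump, which is why WDK code written with a multi-character constant spells the tag "Test" as 'tseT'.

```c
/* Added example (not from the post): a tagged allocator in user mode.
 * malloc/free stand in for ExAllocatePool2/ExFreePoolWithTag so it runs
 * outside the kernel; the header bookkeeping is the point of the demo. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Pack four characters so the tag reads left-to-right in a little-endian dump. */
#define POOL_TAG(a, b, c, d) ((uint32_t)(uint8_t)(a) | ((uint32_t)(uint8_t)(b) << 8) | \
                              ((uint32_t)(uint8_t)(c) << 16) | ((uint32_t)(uint8_t)(d) << 24))

#define HDR_MAGIC 0x9A7E5C31u

typedef struct {
    uint32_t tag;
    uint32_t magic;     /* marks a live block; cleared before release     */
    uint64_t size;      /* keeps the header 16 bytes on 32- and 64-bit    */
} PoolHeader;

typedef struct { uint32_t tag; size_t live; } TagStat;
static TagStat g_stats[8];
static int g_nstats;

static TagStat *stat_for(uint32_t tag, int create)
{
    for (int i = 0; i < g_nstats; i++)
        if (g_stats[i].tag == tag)
            return &g_stats[i];
    if (!create || g_nstats == 8)
        return NULL;
    g_stats[g_nstats].tag = tag;
    g_stats[g_nstats].live = 0;
    return &g_stats[g_nstats++];
}

/* Render a packed tag the way a memory dump shows it. */
void tag_to_string(uint32_t tag, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((tag >> (8 * i)) & 0xFF);
    out[4] = '\0';
}

/* Allocate `size` bytes under `tag`. Rejects zero and sizes whose header
 * would overflow the request; returns NULL on failure like the pool APIs. */
void *tagged_alloc(size_t size, uint32_t tag)
{
    if (size == 0 || size > SIZE_MAX - sizeof(PoolHeader))
        return NULL;
    PoolHeader *h = malloc(sizeof *h + size);
    if (h == NULL)
        return NULL;
    h->tag = tag;
    h->magic = HDR_MAGIC;
    h->size = size;
    TagStat *s = stat_for(tag, 1);
    if (s)
        s->live++;
    return h + 1;
}

/* Release a block. 0 on success, -1 if the header is not a live block,
 * -2 if the caller's tag does not match the one the block was allocated with
 * (the block stays allocated in that case). */
int tagged_free(void *p, uint32_t tag)
{
    if (p == NULL)
        return -1;
    PoolHeader *h = (PoolHeader *)p - 1;
    if (h->magic != HDR_MAGIC)
        return -1;
    if (h->tag != tag)
        return -2;
    h->magic = 0;
    TagStat *s = stat_for(h->tag, 0);
    if (s && s->live)
        s->live--;
    memset(p, 0xCC, (size_t)h->size);   /* poison so stale pointers show up */
    free(h);
    return 0;
}

/* Outstanding allocations under `tag`, the number PoolMon would report. */
size_t tagged_live(uint32_t tag)
{
    TagStat *s = stat_for(tag, 0);
    return s ? s->live : 0;
}

int main(void)
{
    uint32_t tag = POOL_TAG('T', 'e', 's', 't');
    char name[5];
    void *p = tagged_alloc(64, tag);
    tag_to_string(tag, name);
    printf("allocated 64 bytes under tag %s, live=%zu\n", name, tagged_live(tag));
    printf("free with wrong tag -> %d\n", tagged_free(p, POOL_TAG('W', 'r', 'n', 'g')));
    int rc = tagged_free(p, tag);
    printf("free with right tag -> %d, live=%zu\n", rc, tagged_live(tag));
    return 0;
}
```

In the kernel the overflow check on the request size is the part that matters most: a size computed from untrusted input (an IOCTL buffer length, a count from a file) that wraps past the header leaves the caller writing beyond a block that is smaller than it believes.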
0 votes, 1 answer, 81 views
Validating a client from kernel in Windows
I made a desktop application in C# and a kernel driver for Windows (mostly targeted at Windows 10 and 11). Now my goal is to sell these two, but I am wondering on ways to harden against piracy. I ...
0 votes, 1 answer, 221 views
Windows kernel debugging with windbg through network: is there an alternative to ".kdfiles"?
I have a Windows kernel driver mydriver, which is involved in the Windows boot sequence. I run windbg on a host machine to debug the target machine. My target machine, which runs the driver, is a ...
0 votes, 0 answers, 49 views
How can you get a DEVICE_OBJECT from the name of the device?
How can you get a DEVICE_OBJECT from the name of the device using the wdk?
0 votes, 0 answers, 26 views
Coding drivers to support different modes on chipsets
If I wrote a brand new driver for chipsets that do not support monitor mode or master mode, would it be possible to allow them to support these modes afterwards?
For example, I have ALFA USB WiFi AWUS036NH ...
1 vote, 1 answer, 268 views
TEB representation for ARM64, xpr register
I'm trying to figure out ARM64 architecture using ARM build of Windows 11. I can see that the KeGetCurrentIrql function is converted to:
ldrb w0, [xpr, #0x38]
ret
If I understand this correctly, ...
0 votes, 0 answers, 49 views
How to merge discontinuous memory
In my driver, I need to merge some discontinuous memory to one entire continuous memory area, and I don't want to allocate a new buffer to copy. So I need to map memory to a specific address. Do I ...
-2 votes, 1 answer, 276 views
How does a Windows handle associate with its corresponding object type?
There are two files. One is LearnHanle.exe (it is spelled incorrectly; it should be LearnHandle.exe), and the other is pop.exe.
The source code of these files is here:
// LearnHanle.cpp
#include <...
0 votes, 0 answers, 213 views
Viewing the named security attributes for token in windbg (kernel mode)
When examining tokens in user-mode WinDbg, the !token command prints the named attributes in the Security Attributes Information section. E.g.
Security Attributes Information:
00 Attribute Name: TSA://...
0 votes, 0 answers, 65 views
Windows 10 64-bit (x86_64) ISR hook handler issue
I'm working on a tool to monitor the RDTSC instruction being called by an arbitrary program on Windows, through an ISR hook in the Windows kernel. Everything is working fine on Windows 7 64-bit; however, it seems ...
0 votes, 0 answers, 162 views
How to retrieve the cycle time of each processor in the system?
I'm planning to use QueryThreadCycleTime() in order to calculate the percentage of CPU a specific thread has used during a given interval (between two samples).
The main issue is I need to know ...
2 votes, 1 answer, 91 views
Memory Access Control in Windows Memory Management
Why can't the Windows kernel disallow cheat program processes from accessing games' memory at runtime through ACLs (Access Control Lists) or other access control methods?
0 votes, 1 answer, 107 views
How can I see API calls for specific processes in the Windows kernel driver?
If I use the callback routine function, I can get information such as threads, processes, and PEPROCESS, and I think I can use it, but I don't think so. Also, isn't it easy to monitor API calls for ...
1 vote, 0 answers, 333 views
Windows Minifilter Driver: error faced - fltmc load failed with error: 0x8007007f the specified procedure could not be found
This post is for any driver developer facing the same issue and looking for a solution.
I faced this error while loading the minifilter driver.
The minifilter driver build was successful.
The ...
0 votes, 1 answer, 84 views
Suspending a NDIS LWF
My filter driver consists exclusively of global state, shared among all filter modules. When a [rare] configuration change needs to take place (coming in the form of an IOCTL from UM), I need to be ...
0 votes, 2 answers, 379 views
How to investigate disk cache usage in a Win32 application?
I have a workload similar to the following:
while True:
    data = get_data_from_network();
    filename = sha1(data);
    write_to_file(filename, data, data.size());
Occasionally I read back from ...
2 votes, 1 answer, 122 views
x86 - Does Windows map DLLs to the same physical page in different processes?
Suppose we have process A and process B, both using example.dll.
Now let's suppose that this DLL was mapped to different addresses in process A and process B (say, it's due to ASLR or some other ...
-1 votes, 1 answer, 427 views
WinUI3 MONZA::DdiThreadingContext Exception while drag and drop
I'm getting the below exception when dropping a dragged item (any item) and the Drop callback doesn't work. I tried declaring the callback in other components, but to the same result.
C++/WinRT ...
0 votes, 0 answers, 122 views
How to find PHANDLE of a process in a windows kernel mode driver?
So basically, I am trying to create a kernel mode driver and there is no proper documentation so I just want to terminate a process, but that needs a PHANDLE and the only way I know to get a PHANDLE ...
0 votes, 0 answers, 145 views
Why does the GS segment selector value not change after the SWAPGS instruction? (Windows kernel debugging)
I'm trying to learn how the kernel works. During the process, using WinDbg, I have put a breakpoint at the page fault handler, after the "swapgs" and "lfence" instructions:
Page Fault ...
0 votes, 1 answer, 110 views
Mouse filter driver gets IRP_MJ_CLOSE after starting
I have the following custom mouse driver for Windows which I cannot load properly in the Windows kernel:
#include <ntddk.h>
#include <ntstrsafe.h>
#pragma warning(disable : 4201)
typedef ...
0 votes, 0 answers, 148 views
DnsQuery_A: get all DNS entries in the system using a Windows kernel routine
I am trying to get all DNS entries on the system using some Windows kernel routine, but did not find one. Is there any kernel-mode routine for it?
I know there is the user-mode API DnsQuery_A/W where I can go ...
0 votes, 1 answer, 98 views
How do I delay mouse movements in real time in the Windows kernel?
You can manipulate the x and y values in real time but how would you delay those values to make the cursor look like it's slow traveling to the next position. Is this even possible?
I've tried messing ...
1 vote, 1 answer, 443 views
Driver handling \Device\
In Windows there are devices like \Device\ that can be found using WinObj from Sysinternals.
How can we find out which kernel side driver is handling operations for that device?
I'm sorry for not ...
0 votes, 0 answers, 59 views
Is it possible to bind multiple IO Completion ports to a single FilterMngr Port?
Currently my program has a single filter port and using the filter manager api functions listens to the request and send the response data to the driver. I want to implement a multithreaded way of ...
0 votes, 1 answer, 1k views
Break on syscalls only from target process in kernel windbg debugging
I'm debugging a user-mode process "myprocess.exe" which has long-running operations, constantly doing system calls to kernel mode. How can I break on syscalls? For example, I want to break ...
0 votes, 1 answer, 396 views
InitializeSecurityContextW returns SEC_E_INVALID_HANDLE after second call
I'm trying to implement secure sockets in my kernel mode application using Winsock Kernel and Schannel. I'm using this code as a reference to establish the secure connection. However, I encounter a ...
0 votes, 1 answer, 145 views
NdisGetDataBuffer returns null
I'd like to extract TCP packet from incoming connection. I've created a driver that should intercept inbound connection and analyze Packet structure. For unknown reason to me, NdisGetDataBuffer always ...
0 votes, 0 answers, 873 views
When to use Trace Message Headers (tmh)
I am using Visual Studio and I selected the regular KMDF template. However, when everything loaded up, I noticed that I was getting errors saying, "cannot open source file "queue.tmh"&...
0 votes, 1 answer, 714 views
Creating Windows device drivers
I want to make custom mouse, keyboard, and controller drivers for Windows. That being said, I know there are already default drivers out there, but how can I find their source code? I really want to ...
1 vote, 2 answers, 275 views
Is it relevant for CreateFile whether other handles to the same file have been opened by the same or a different process?
When working with filesystem files on Windows, and specifically with the CreateFile API:
With regard to access sharing, that is having multiple, independent, CreateFile calls to open the same file, ...
0 votes, 1 answer, 372 views
Delay in the kernel driver
I'm using a while loop in the kernel driver to read memory, but I get high CPU usage.
In C# there is Sleep(), which reduces CPU usage in the while loop.
What can I use in the kernel driver on Windows?
0 votes, 1 answer, 230 views
Irp information return PVOID
I'm writing a Windows kernel driver in C++ and I have to return a PVOID which has information about an address in memory. Unfortunately, Irp->IoStatus.Information is only able to handle ULONG which ...