Well it likely has nothing at all to do with your problem, but I would just
make one 55MB allocation and divide that up on my own.
Mark Roddy

@Tim_Roberts said:
You really need to understand how totally hopeless this is. Once you have introduced malicious code in the kernel, it's game over. Whatever you can do, they can undo, or prevent. The bad guys have way more experience than you do.

The start address for a kernel thread is just that -- where it started. It doesn't mean that it's executing anywhere near there now. And let's say you get a kernel address. How will you determine that it's part of a driver?

There certainly are legitimate kernel drivers that build code on the fly. You can't assume that any generated code is automatically malicious.

Hopeless.

Tim, i have seen you bring this argument many times that "as long as the system is infected, then there is no hope and they can always bypass you, so just let it go!", If this was true, no EDR/AV would exist as of today.

Sure, they can always bypass the detection techniques, but at least we can try to detect as many as we can..

@craig_howard said:
ASLR takes care of item 2 and item 1 is only found with usermode threats ...

Hmm, not really.
No offence but i think you need to do a little googleFu regarding some of the recent bootkits (MBR and UEFI) and some of the recent manual mappers. So please do explain to me how does ASLR defeat all these bootkits that inject code into kernel memory during boot, and how does ASLR defeat manual mappers? This doesn't even make any sense..
Now most of the ones that i have seen, specially these recent bootkits, other than hooking, will start a kernel thread to some stuff, and those can be used to detect them.

This also means that there has to be a mechanism to communicate multiple interrupts to DPC for processing.

I typically try to engineer things so the DPC merely assumes "interrtupts occurred", without having to know that "exactly 3 interrupts occurred". The DPC should be able to handle whatever the hardware is complaining about, without knowing how many times it whined.

Hi everybody,

Windows Hardware Certification partners can now get news, info, and updates on the new Windows Certification blog. Partners can also post comments and join in conversations with the Certification team and other community members. The blog will replace the certification newsletter. Subscribe today!

Cheers,

--Diane

P.S.: I wish they would call it the Hardware *and Driver* Certification blog! Obviously, file system minifilters, firewalls, etc., aren't hardware....

I only want to listen for a very specific kind of IOCTL (IOCTL_KS_PROPERTY)

Remember that you get literally thousands of IOCTL_KS_PROPERTY requests when a KS filter starts up. You're going to want to be very picky about matching the property set, the property ID, and the flags (GET vs PUT vs BASICSUPPORT) before you get involved. It certainly can be done -- I've done some very strange magic in KS filters -- but it's easy to get it wrong.

It's also easy to get tangled up in the terminology. In that paragraph, I used the term "KS filter" twice with two very different meanings. One is "filter" in the DirectShow sense, in that every KS driver exposes a filter with pins. The other is "filter" in the PnP sense, as in a driver that inserts itself into the IRP chain.

Peter makes a very good point here. When I've done drivers for custom devices, I've always striven to make the interface an abstraction. The user-mode code should specify what it wants, and not how it should be done. That not only adds safety, but it often gives them the opportunity to move to a next generation design without having to rewrite the application code.

I haven't always succeeded in that. A couple of clients really, really wanted to drive the FPGA registers directly. That's OK, but I always leave the DMA mapping to the driver. User mode code cannot be trusted with physical addresses.