Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Best Of
Re: how to get current process image path from mini-filter kernel driver?
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltparsefilename
Re: how to get current process image path from mini-filter kernel driver?
Could you perhaps parse the name yourself? Work back from the end until you get a back slash? Is that too obvious?
Re: How to debug and find out who signaled my event in kernel
ba is a very powerful tool for the "who touched my data?" sort of question. Start by reading through this: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/ba--break-on-access-
Once you know about ba, you'll discover that the tricky bit is knowing what parameters to pass to it: You need to know exactly which address is modified, and you need to know what size the access is.
If you dump out the contents of a KEVENT, you'll notice that there's a bunch of stuff, but (you might have to take my word for it) the most interesting field here is the SignalState member:
typedef struct _DISPATCHER_HEADER {
. . . a bunch of stuff . . .
LONG SignalState;
LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER;
That's what we want, although there's so much stuff in there that it's almost impossible to manually find the offset of SignalState. Fortunately, we don't have to: just ask windbg to do it for us:
kd> dt -v KEVENT .
+0x000 Header :
. . . a bunch of stuff . . .
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
Now we know that SignalState is at offset 0x000+0x004 from the start of the structure, and we know it's a 4Byte integer. That gives us the address and size of the access. So if your KEVENT is at address 0xffffd688899592e0, just use the breakpoint ba w4 (0xffffd688899592e0+4) . The w4 is because it's a 4-byte integer, and the +4 is because SignalState is 4 bytes into the KEVENT structure.
If everything goes right, you should get a breakpoint immediately after this instruction in nt!KeSetEvent at the callstack where someone signals your event:
kd> ub @rip L1 nt!KeSetEvent+0x72: fffff806`3fad3e12 c7430401000000 mov dword ptr [rbx+4],1
It will also break in any other time someone changes the event state, e.g., KeClearEvent or even KeWaitForSingleObject if it's an auto-reset event. If you don't like that, you can add an extra bit of logic to skip the breakpoint if the event is being cleared. If rbx+4 was just set to 0, then the event is cleared, so we can modify the breakpoint thusly:
kd> ba w4 (0xffffd688899592e0+4) ".if (dwo(@rbx+4) == 0) { gc }"
which, after breaking in, checks if the dword (aka 4 byte integer) at rbx+4 is equal to zero. If it is, resume execution.
![Jeffrey_Tippet_[MSFT]](https://us.v-cdn.net/6030753/uploads/userpics/837/nB9JZKGHDCHQY.jpg)
Re: How to debug and find out who signaled my event in kernel
Sigh!
@umer_haris-2 You’re posting in the ADMIN forum.
I’ll move it... but please, be a bit more careful.
Peter
Re: How to filter all disk requests using a filter driver?
I was hoping that it would be SCSI reads of various types 6-byte, 12 byte 16 byte.
But it is always 0.
Well, command 0 is TEST UNIT READY, but that seems unlikely.
Also, what dictates whether the disk driver uses IRP_MJ_SCSI or SCSI_PASS_THROUGH/SCSI_PASS_THROUGH_DIRECT to send CDB commands
I don't believe the disk driver ever uses passthrough. That comes from user-mode apps.
Re: Setting up DMA - User Buffer, Handing I/O
Does the driver need to do this before User SW can access the data via the original pointer?
No, PutScatterGatherList says "I'm done with this list, you can free your resources". However, you should call FlushAdapterBuffers when you know a transfer has completed. The need for that call depends on your CPU architecture; on x64 architectures, it often does nothing, but you're still supposed to call it.
Re: PCI device not Enumerated
I dunno. But I know vendor ID 0x0000 isn’t valid. So why not fix that first, and worry about everything else later.
Try sticking the device in multiple different systems. Dump the bus with “rweverything”...
But fix your device first. What’s the point of writing a driver for such a broken device?
Peter
Re: How long does the cache manager (lazy writer) retry I/O previously failed?
I am under the impression that the Cache Manager will keep retrying WRITE's until it gets success or one of a number of specific failure codes. I use STATUS_VOLUME_DISMOUNTED in my own FSD to stop CcWriteBehind calls under some circumstances.
Re: Mini FIlter to Block IO upload operations from Browser URL and some clarifications
is there any change in the IRP callback data to identify whether this IRP is from the particular browser or site
Nope...At the file system level all you get are discreet file system operations (open/close/read/write/etc.).Trying to batch those together into some higher level operation (i.e. "this is likely a browser upload") will require heuristics. And you'll never know which site it's going to as that has nothing to do with the file system.
You can't include Windows.h because that's a user mode header. In drivers we close handles with ZwClose (or FltClose, depending on where the handle came from).
I'd suggest you take a seminar because there's a lot to learn here...In the meantime you probably want to start with something simpler than a file system filter while you get your bearings.
Re: Shadow Copy IRPs
Shadow sets (as per VSS) are a device level (I'm guessing a block level copy on write but I've never bothered to look) thing so you'll never see the "backup".
When the shadow set is surfaced (e.g. to list or restore files) you do see a volume mounted upon a device with an obvious name.