The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I have a filter and a callback I receive can come in at DPC_LEVEL in any process.
Most of the time it enters as PASSIVE, so FltQuerySecurityObject()/ZwQuerySecurityObject()/ObGetObjectSecurity() etc can succeed, but they all run at <= PASSIVE. Often I will get BSOD, sometimes random (double fault etc), but they really do appear to come from here. As the docs themselves state "ObGetObjectSecurity should only be called at IRQL Level = PASSIVE_LEVEL with APCs enabled, otherwise deadlocks or crashes may occur."
So is it possible to analyze the SecurityDescriptor of a FileObject at DISPATCH? (All code is synchronous at the moment).
If not what are the options - Worker item (at PASSIVE), thread pool, any other non-async methods preferably?
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!||Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||15 Jun 2020||LIVE ONLINE|
|Writing WDF Drivers||22 June 2020||LIVE ONLINE|
|Internals & Software Drivers||28 Sept 2020||Dulles, VA|