I'm working on a project using Win10IoT with the Universal Write Filter (UWF). For those unfamiliar with UWF, it's a feature that redirects all write attempts on a protected volume to a virtual overlay, ensuring no modifications have been made to the protected (in this case O/S) volume across reboots. Enabling UWF disables page files, but at runtime with the UWF enabled, you can create and/or increase the page file sizes using SystemPropertiesAdvanced.exe.
After wasting time using WMI/CIM to adjust the page files, only to find out there is no way for the commit limit to increase without a reboot, I used Dr. Memory's strace tool on SystemPropertiesAdvanced.exe to try to figure out what exactly it was doing. Parsing the log, I came across the undocumented function NtCreatePagingFile, which gave me a nice:
arg 0: 72/74 "\Device\HarddiskVolume2\pagefile.sys" (type=UNICODE_STRING*, size=0x4)
arg 1: (type=ULARGE_INTEGER*, size=0x4)
arg 2: (type=ULARGE_INTEGER*, size=0x4)
arg 3: 0x0 (type=unsigned int, size=0x4)
retval: 0x0 (type=NTSTATUS, size=0x4)
...entry to go off of. I then wrote an application that enables the SE_CREATE_PAGEFILE_NAME privilege and tries to call NtCreatePagingFile with the appropriate NT file path. Unfortunately, the operation consistently fails with STATUS_OBJECT_NAME_NOT_FOUND. Something appears to be wrong with the "PUNICODE_STRING PageFileName" parameter. If I try something malformed, I get STATUS_OBJECT_NAME_INVALID, so it's at least getting past the file name validation. I've tried ensuring the file exists, ensuring the file does not exist, altering the file's permissions, etc. I'm afraid that I'm not sure exactly where I'm going wrong, and STATUS_OBJECT_NAME_NOT_FOUND doesn't provide enough information for me to really dig into it further. Does anyone have any ideas?
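The call the post describes, written out as an added example (not the poster's code, and not from OSR): it enables SeCreatePagefilePrivilege on the process token, then passes the name to NtCreatePagingFile as a UNICODE_STRING whose Length and MaximumLength are byte counts. It assumes Windows, an elevated PowerShell session, the NtCreatePagingFile(PUNICODE_STRING, PULARGE_INTEGER, PULARGE_INTEGER, ULONG) shape seen in the strace output (the function is undocumented, so that is an assumption), and the object-manager path \??\C:\pagefile.sys standing in for the post's \Device\HarddiskVolume2\pagefile.sys.

```powershell
$src = @'
using System;
using System.Runtime.InteropServices;
public static class PagefileNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]   // one LUID_AND_ATTRIBUTES entry, 16 bytes total
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("ntdll.dll")]
    public static extern int NtCreatePagingFile(ref UNICODE_STRING name, ref ulong minBytes, ref ulong maxBytes, uint priority);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint size, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    // Enable SeCreatePagefilePrivilege on the current token; false if the token does not hold it at all.
    public static bool EnableCreatePagefilePrivilege() {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out token)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1; tp.Attributes = 0x2; // SE_PRIVILEGE_ENABLED
        bool ok = LookupPrivilegeValue(null, "SeCreatePagefilePrivilege", out tp.Luid)
               && AdjustTokenPrivileges(token, false, ref tp, (uint)Marshal.SizeOf(tp), IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;   // 1300 (ERROR_NOT_ALL_ASSIGNED) means the privilege is not held
        CloseHandle(token);
        return ok;
    }
    // Build the UNICODE_STRING by hand so the byte-count fields are explicit, then call the ntdll stub.
    public static int CreatePagingFile(string ntPath, ulong minBytes, ulong maxBytes) {
        IntPtr buf = Marshal.StringToHGlobalUni(ntPath);      // UTF-16 copy, NUL-terminated, alive for the whole call
        try {
            UNICODE_STRING us;
            us.Length = (ushort)(ntPath.Length * 2);         // bytes, excluding the NUL
            us.MaximumLength = (ushort)(us.Length + 2);      // bytes, including the NUL
            us.Buffer = buf;
            return NtCreatePagingFile(ref us, ref minBytes, ref maxBytes, 0);
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
'@
Add-Type -TypeDefinition $src
if (-not [PagefileNative]::EnableCreatePagefilePrivilege()) { throw 'SeCreatePagefilePrivilege is not available; run from an elevated session' }
$status = [PagefileNative]::CreatePagingFile('\??\C:\pagefile.sys', 256MB, 1GB)   # assumed path; sizes are in bytes
'NtCreatePagingFile returned NTSTATUS 0x{0:X8}' -f $status
```

The NTSTATUS is returned rather than thrown so it can be compared directly with the codes the post mentions (STATUS_OBJECT_NAME_INVALID is 0xC0000033, STATUS_OBJECT_NAME_NOT_FOUND is 0xC0000034).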