I've recently been hit by a bit of a spate of BSODs from 9 or 10 different customers who use the driver I maintain. Nothing has changed in the driver for quite a while, so I think this might be a bad interaction with a Windows update that my driver can't cope with. Most of the customers have reported the issue on 20H2 in the last week, although a few have reported it on earlier versions of Win 10 too.
Most of the BSODs have occurred when the Windows Hello/Biometrics process "NgcIso.exe" runs, although in one case it was when the customer started a Hyper-V Gen 2 VM and had virtualised TPM turned on. I note that Windows Hello can use TPM too, so this seems to be a link.
The heart of the problem seems to be that my driver uses PsSetLoadImageNotifyRoutine in order to receive notifications about image loads. During our image load call-back, if the image is ntdll.dll we look into the user mode address of the image and look up a particular structure called the LdrSystemDllInitBlock since this contains an array containing which mitigation policies are set for the newly starting process.
In the case of these TPM processes, what seems to be happening is that the user mode memory associated with the image is unavailable. The documentation for:
Says, "The operating system invokes this routine after an image has been mapped to memory, but before its entrypoint is called." but I'm wondering if that's not the case with these processes.
Does anyone have any insight about this? I've seen code online where people try to probe the memory associated with these image loads with a combination of IoAllocateMdl/MmProbeAndLockPages. That suggests to me that other people have encountered issues trying to access this memory in certain circumstances, although I confess I don't understand how IoAllocateMdl would be appropriate in these circumstances.