I have a kernel buffer, and I need to determine the pool tag associated with its pool, and also the pool's start address. How can I achieve this?
Poolfind and Poolused both take a tag as input, but I want that as an output.
Comments
When I use this on an address within any driver, I get this:
So it seems like Microsoft doesn't allocate driver content buffers from pools? In that case, where does it allocate the buffer from? Meaning, what type of "buffer" is this if it's not from a pool?
When you said "content", did you mean "context"? They're certainly allocated from a pool, but it may not be a tagged pool. And as it says, there's not enough info in your kernel-only dump to tell.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
with the pointer?
While !pool can work on that, I am first always suspicious of a memory
corruption if my pointer is not allocation-aligned (2 * sizeof(PVOID)).
So when I use this on an address within any driver, I get this:
It's a live debugging session. I'm basically trying to find a way to tell whether a kernel buffer/pool is a mapped driver file that was loaded by the kernel or not.
I was hoping I could tell using a pool tag, but it seems like they are either not allocated with a tag, or they belong to a special kernel "buffer" and are not pools at all?
So is there any way I can tell whether an address belongs to the mapped driver buffer that the kernel allocates when loading drivers? (Note that I'm not talking about the pools that the driver itself is allocating, but the buffer that the kernel allocates when loading drivers.)
This is just an address of an instruction inside a driver, as I explained in the above message. I am just trying to tell whether an address belongs to the mapped driver buffer that the kernel allocates when loading drivers or not.
I know that kernel pools have headers as well, so if drivers are allocated from the normal kernel pool, can I somehow use the header of the pool to determine whether an address/buffer/pool is a buffer that the Windows kernel allocated when loading a driver or not?
> This is just an address of an instruction inside a driver, as I
> explained in the above message, I am just trying to tell whether an
> address belongs to the mapped driver buffer that the kernel allocates
> when loading drivers or not?
This thread started off asking about a pool start address of a kernel
buffer, but above says address of instruction inside a driver.
If we're talking about the latter then you can manually list modules
`lm` and find what module range contains the address, or way more simply
locate nearest `ln` and it will identify the nearest symbol and module.
But that is quite simple so it seems there's some other nuance you're
looking for.
-Nathan
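The check Nathan describes (does the address fall inside a loaded module's range?) can be automated when you have `lm` output saved from a session, for example when triaging a crash report offline. The script below is an added example and not part of this thread or any OSR tool: it parses the `start end module name` columns of WinDbg's `lm` listing, reports which image an address lands in and at what offset, and also applies the allocation-alignment heuristic mentioned earlier in the thread (a pool block address should be a multiple of 2 * sizeof(PVOID)). The module ranges in `SAMPLE_LM` are constructed for illustration; the module named `mydrv` is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of WinDbg `lm` output. Addresses and the `mydrv`
# module are made up for this example; only the column layout matches
# what the debugger prints.
SAMPLE_LM = """
start             end                 module name
fffff803`4ac00000 fffff803`4b7c6000   nt         (pdb symbols)
fffff803`4c010000 fffff803`4c0a2000   mydrv      (deferred)
Unloaded modules:
"""

# Two hex ranges (WinDbg inserts a backtick between the high and low
# 32 bits on x64) followed by the module name.
LM_LINE = re.compile(r"^\s*([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)")


@dataclass
class Module:
    name: str
    start: int
    end: int  # exclusive, as in `lm`

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_lm(text: str) -> List[Module]:
    """Parse the module table from saved `lm` output."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line)
        if not m:
            continue  # header line, blank line, "Unloaded modules:" etc.
        start = int(m.group(1).replace("`", ""), 16)
        end = int(m.group(2).replace("`", ""), 16)
        modules.append(Module(m.group(3), start, end))
    return modules


def locate(modules: List[Module], addr: int) -> Optional[Tuple[str, int]]:
    """Return (module name, offset) for an address inside a loaded image,
    or None if it is not inside any listed module (pool, stack, etc.)."""
    for mod in modules:
        if mod.contains(addr):
            return (mod.name, addr - mod.start)
    return None


def is_pool_aligned(addr: int, pointer_size: int = 8) -> bool:
    """Pool allocations are aligned to 2 * sizeof(PVOID); an unaligned
    pointer handed to !pool is a hint of corruption or a wrong pointer."""
    return addr % (2 * pointer_size) == 0


def describe(modules: List[Module], addr: int) -> str:
    """Human-readable verdict in the style of `ln`: module+offset or
    'not in a loaded image'."""
    hit = locate(modules, addr)
    if hit is not None:
        name, offset = hit
        return f"{name}+0x{offset:x} (inside loaded image)"
    align = "aligned" if is_pool_aligned(addr) else "NOT aligned"
    return f"not in a loaded image; pool-{align} (try !pool / !address)"


if __name__ == "__main__":
    mods = parse_lm(SAMPLE_LM)
    for a in (0xFFFFF8034C012345, 0xFFFFF8034AC01000, 0xFFFFF8034C0A2000):
        print(f"{a:#018x}: {describe(mods, a)}")
```

Because `lm` prints the end address as exclusive, an address equal to a module's `end` is correctly reported as outside it. The `x86` case would pass `pointer_size=4` to `is_pool_aligned`.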
!pool works for pool but not everything is pool. !address is what you want here:
-scott
OSR