The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Hi, let's say I'm inspecting a process and found this:
THREAD ffffd6097211a700 Cid 0edc.0f40 Teb: 000000551979e000 Win32Thread: ffffd6095dbc7080 WAIT: (WrUserRequest) UserMode Non-Alertable ffffd60971c08f80 QueueObject Not impersonating DeviceMap ffffbf085d2e0fb0 Owning Process ffffd60971c66540 Image: sihost.exe Attached Process N/A Image: N/A Wait Start TickCount 333686 Ticks: 18333 (0:00:04:46.453) Context Switch Count 130 IdealProcessor: 1 UserTime 00:00:00.015 KernelTime 00:00:00.093 Win32 Start Address combase!CRpcThreadCache::RpcWorkerThreadEntry (0x00007ffb2f187870) Stack Init ffff86047ae1bc90 Current ffff86047ae1b250 Base ffff86047ae1c000 Limit ffff86047ae16000 Call 0000000000000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident.
!thread ffffd6097211a700 Unable to get field ReservedForNtRpc of type TEB at 0xffffd6097211a700
I try, without success things like:
.pagein /f /p ffffd60971c66540 ffff86047ae16000
using kernel and user mode stack area addresses (the latter obtained in TEB) but pages are not loaded after the
Is there some OS settings I'm forgetting to check or some extra task I'm missing?
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!|
|Internals & Software Drivers||30 Nov 2020||LIVE ONLINE|
|Writing WDF Drivers||7 Dec 2020||LIVE ONLINE|
|Developing Minifilters||Early 2021||LIVE ONLINE|