I need to write a program's entry point onwards when it's loaded from disk to memory. In order to do that I use PsSetLoadImageNotifyRoutine to check when an image is loaded. When I see that the .exe file is being loaded, I get its entry point address (the base address of the image that I get from IMAGE_INFO + reading the header to get the entry point offset).
The problem comes when I try to write the memory, as I get a STATUS_ACCESS_VIOLATION, which I suppose is happening because the memory does not have write permission (correct me if I'm wrong and it's due to something else). What I would then like to do is use MmProtectMdlSystemAddress to change the permissions, write the memory and restore the permissions. In order to do that I use IoAllocateMdl + MmProbeAndLockPages + ... But it gets stuck on ProbeAndLock because the system holds a lock on it (Doc: To avoid deadlocks, load-image notify routines must not call system routines that map, allocate, query, free, or perform other operations on user-space virtual memory.).
In order to solve this I read this option: https://stackoverflow.com/questions/50610741/windows-kernel-driver-zwallocatevirtualmemory-causing-thread-to-terminate but the instruction KeInitializeApc, used to insert the APC, is not documented. What should I do? Should I use KeInitializeApc, or is there another approach to modify the memory without using it?