The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Dear OSR Community,
I have stumbled on this API "FsRtlCreateSectionForDataScan".
I have read "https://www.osr.com/nt-insider/2019-issue1/fsrtlcreatesectionfordatascan-and-flt-variant-explained/" which does clarify a few things.
However, MSDN still tells me to "Use [it] with extreme caution".
So here is my question: is it safe to call this API from within a LoadImageNotify routine?
It appears that, more often than not, the FILE_OBJECT passed by Windows to us in the PIMAGE_INFO_EX has a 0 handle count, so that it cannot
be converted into a HANDLE (I think this is because the handle has already been closed by the DLL loader). This precludes using ZwCreateSection in this case
and would make "FsRtlCreateSectionForDataScan" very handy.
Thank you for your responses.
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!||Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||15 Jun 2020||LIVE ONLINE|
|Writing WDF Drivers||22 June 2020||LIVE ONLINE|
|Internals & Software Drivers||28 Sept 2020||Dulles, VA|