The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I tried to find the answer to this and spend hours reading books about rootkits and googling but no luck, the closest thing i found was a series of tweets which didn't help much
basically there is a bootkit that hooks something at the minifilter layer, and i heard that it is sometimes possible to use the ATA_PASS_THROUGH IOCTL from user-mode to bypass some of these hooks even at the minifilter layer, but where can i find a place that explains how exactly i have to use ATA_PASS_THROUGH from a usermode application to read sectors from disk? i want to read the MBR but the bootkit is returning a fake MBR, i want to try the user-mode approach before trying to write a kernel driver to bypass it.
so where can i learn more about how its possible to use ATA_PASS_THROUGH from user-mode to read sectors from disks or write to them? any open-source project or something?
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!|
|Developing Minifilters||24 May 2021||Live, Online|
|Writing WDF Drivers||14 June 2021||Live, Online|
|Internals & Software Drivers||27 September 2021||Live, Online|
|Kernel Debugging||TBD 2021||Live, Online|