Hibernation hook

Hi all,

I’m trying to hook the hibernate process under Windows 2k. I got the diskperf driver
from the DDK samples, named it dperf.sys and installed it as a filter disk
driver. I noticed that when I press the sleep button, Windows sends
IOCTL_SCSI_GET_ADDRESS, IOCTL_DISK_GET_DRIVE_LAYOUT,
IOCTL_SCSI_GET_DUMP_POINTERS.
I looked at the DUMP_POINTERS structure in the IoCompletion routine. It looks like
this:
Length 28
pDump->AdapterObject 0x0
pDump->AllocateCommonBuffers 0x0
pDump->CommonBufferPa 0x0
pDump->CommonBufferSize 0x0
pDump->CommonBufferVa 0x0
pDump->DeviceObject 0x8187A030
pDump->DumpData 0x81644F08
pDump->MappedRegisterBase 0x0
pDump->Spare1 0x0 0x0 0x0

After this Windows loads HIBER_WMILIB.SYS and HIBER_ATAPI.SYS.

I made sure that pDump->DeviceObject is valid. This is the physical device
attached by my filter driver and created by the atapi.sys driver.

I replaced the pDump->DeviceObject field with my device object pointer. Now Windows
loads HIBER_WMILIB.SYS and HIBER_DPERF.SYS, then it prepares hibernation,
and then it starts hibernation. It switches the monitor into VGA mode, shows
a progress bar and calls DriverEntry of my driver. This call occurs at
DISPATCH_LEVEL, and the arguments look very strange. DriverObject == NULL,
RegistryPath points to some structure, but not a UNICODE_STRING. I looked at
a memory dump of this pointer. Only the first 12 bytes are not zero.

Can anybody suggest what I have to do in DriverEntry on this “hiber”
loading?

Thanks
Valery Druba

Hi,

You’re deep in undocumented territory here. As I’m sure you’ve noticed,
details on how hibernation works are pretty scant.

What exactly are you trying to accomplish?

Regards,

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com


Hi, Scott

You are right. There aren’t any details about this process. Exactly, I need to
encrypt the hiber file. Do you know a more documented way?

Thanks,
Valery

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@arcadia.spb.ru
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi,

AFAIK there is no documented way to do this. Also, I don’t believe that
you’re going to get much further with your current approach than you have
gotten. Having your driver loaded in place of the driver that is going to be
writing the hibernation file isn’t going to get you where you need to be.

Regards,

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com


Does the hibernation file write go through the driver stack? Meaning,
if there was a filter driver on the stack that say, encrypted the entire
volume, then the hibernation file would get encrypted as well.

Chuck

----- Original Message -----
From: “Scott Noone”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 07, 2004 8:59 PM
Subject: Re:[ntdev] Hibernation hook

> Hi,
>
> AFAIK there is no documented way to do this. Also, I don’t believe
> that you’re going to get much further with your current approach than
> you have gotten. Having your driver loaded in place of the driver that
> is going to be writing the hibernation file isn’t going to get you
> where you need to be.
>
> Regards,
>
> -scott

The real trick is DEcrypting the hiberfile. It’s read in by the bootloader;
it would be extremely difficult to hook that and decrypt the file.

Jason


Nope, you won’t see hibernation file (or crash dump file) I/O in a standard
filter driver. A special copy of the storage stack is used during these
operations and filter drivers are bypassed.

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com


Hibernation and crash dump (they use the same mechanism) go through a
separate instance of the storage port driver. No filters are involved.

-p


Seems to me there should be a way. How does the hibernation file get
read/saved on special purpose configurations like a RAID volume? There
must be a way to get a driver in there, right? (Sorry, I don’t know,
I’m just speculating for the purpose of stimulating conversation.)

Chuck


I’m pretty sure even the most specialized RAID controllers have a BIOS that
supports INT13, and that is what I understand the Boot-loader for Windows
NT/2K/XP uses to get the file loaded into memory.

Just my thoughts, of course. I’m sure some of the guys that do
disk-controller drivers and such can give a more better answer. :wink:


Mats

xxxxx@lists.osr.com wrote on 10/07/2004 03:46:54 PM:

Seems to me there should be a way. How does the hibernation file get
read/saved on special purpose configurations like a RAID volume? There
must be a way to get a driver in there, right? (Sorry, I don’t know,
I’m just speculating for the purpose of stimulating conversation.)

Chuck

----- Original Message -----
From:
> To: “Windows System Software Devs Interest List”
> Sent: Thursday, October 07, 2004 9:29 PM
> Subject: Re: Re:[ntdev] Hibernation hook
>
>
> > The real trick is DEcrypting the hiberfile. Its read in by the
> > bootloader,
> > it would be extremely difficult to hook that and decrypt the file.
> >
> > Jason

If the RAID device is the boot device and requires an HBA from the RAID
vendor then the dumpdevice stack will include the RAID vendor’s HBA driver,
which can then do whatever it needs to do. RAID and Hibernation are
generally disjoint concepts.

However this generally does not help on the boot side - you still have to
deal with the BIOS level boot. We’ve actually discussed the encrypted boot
volume design challenges several times here.

=====================
Mark Roddy

-----Original Message-----
From: Chuck Batson [mailto:xxxxx@cbatson.com]
Sent: Thursday, October 07, 2004 10:47 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Hibernation hook

Seems to me there should be a way. How does the hibernation file get
read/saved on special purpose configurations like a RAID volume? There must
be a way to get a driver in there, right? (Sorry, I don’t know, I’m just
speculating for the purpose of stimulating conversation.)

Chuck

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 07, 2004 9:29 PM
Subject: Re: Re:[ntdev] Hibernation hook

> The real trick is DEcrypting the hiberfile. It's read in by the bootloader,
> it would be extremely difficult to hook that and decrypt the file.
>
> Jason

Writing crash dumps and writing the paging file both employ a “direct to
disk” model for writing. They do not rely upon the normal storage stack
and obtain physical block information from the file system as part of
their initialization process. This process is not documented for a
very good reason - the mechanism they use can change (and has changed)
from one version to another version depending upon the needs of the OS.

For example, prior to Server '03 there was no support for a crash dump
file above 4GB. Now there is. I am not sure if '03 will support
hibernation files at or above that size, but that’s just a matter of
time now that we live in a world of 2GB memory in laptop computers.

From what I’ve seen, building a decryption driver for booting is
reasonably well understood. Encrypting the paging and hibernation files
is not.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the Next OSR File Systems Class October
18, 2004 in Silicon Valley!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chuck Batson
Sent: Thursday, October 07, 2004 10:20 AM
To: ntdev redirect
Subject: Re: Re:[ntdev] Hibernation hook

Does the hibernation file write go through the driver stack? Meaning,
if there was a filter driver on the stack that say, encrypted the entire
volume, then the hibernation file would get encrypted as well.

Chuck

----- Original Message -----
From: “Scott Noone”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 07, 2004 8:59 PM
Subject: Re:[ntdev] Hibernation hook

> Hi,
>
> AFAIK there is no documented way to do this. Also, I don’t believe
> that you’re going to get much further with your current approach than
> you have gotten. Having your driver loaded in place of the driver that
> is going to be writing the hibernation file isn’t going to get you
> where you need to be.
>
> Regards,
>
> -scott
>
> –
> Scott Noone
> Software Engineer
> OSR Open Systems Resources, Inc.
> http://www.osronline.com

Presumably, the bootloader already knows how to handle that type of thing.
After all, it has to load the kernel, registry, and some drivers during a
normal boot.

Jason

----- Original Message -----
From: “Chuck Batson”
Sent by: bounce-189621-16922@lists.osr.com
Sent: 10/07/2004 10:46 AM
Please respond to: “Windows System Software Devs Interest List”
To: “Windows System Software Devs Interest List”
cc:
Subject: Re: Re:[ntdev] Hibernation hook

Seems to me there should be a way. How does the hibernation file get
read/saved on special purpose configurations like a RAID volume? There
must be a way to get a driver in there, right? (Sorry, I don’t know,
I’m just speculating for the purpose of stimulating conversation.)

Chuck

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 07, 2004 9:29 PM
Subject: Re: Re:[ntdev] Hibernation hook

> The real trick is DEcrypting the hiberfile. It's read in by the bootloader,
> it would be extremely difficult to hook that and decrypt the file.
>
> Jason

The port-level function driver owns the crash and hibernation
responsibilities via separate instantiations of runtime, crash and hiber
images of this same driver (I’m over-simplifying, of course). You’d
have to write your own storage port driver for each HBA you need to
support, which is a colossal task. However even writing your own port
driver(s) is still not good enough; you will need a decryption engine in
ntloader if you want to resume from S4.

MKE.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chuck Batson
Sent: Thursday, October 07, 2004 7:47 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Hibernation hook

Seems to me there should be a way. How does the hibernation file get
read/saved on special purpose configurations like a RAID volume? There
must be a way to get a driver in there, right? (Sorry, I don’t know,
I’m just speculating for the purpose of stimulating conversation.)

Chuck

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 07, 2004 9:29 PM
Subject: Re: Re:[ntdev] Hibernation hook

> The real trick is DEcrypting the hiberfile. It's read in by the bootloader,
> it would be extremely difficult to hook that and decrypt the file.
>
> Jason

Slight correction: you’d need an Int13 handler to do the decryption, not
specifically ntloader.
MKE

-----Original Message-----
From: Eschmann, Michael K
Sent: Thursday, October 07, 2004 8:55 AM
To: ‘Windows System Software Devs Interest List’
Subject: RE: Re:[ntdev] Hibernation hook

The port-level function driver owns the crash and hibernation
responsibilities via separate instantiations of runtime, crash and hiber
images of this same driver (I’m over-simplifying, of course). You’d
have to write your own storage port driver for each HBA you need to
support, which is a colossal task. However even writing your own port
driver(s) is still not good enough; you will need a decryption engine in
ntloader if you want to resume from S4.

MKE.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chuck Batson
Sent: Thursday, October 07, 2004 7:47 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Hibernation hook

Seems to me there should be a way. How does the hibernation file get
read/saved on special purpose configurations like a RAID volume? There
must be a way to get a driver in there, right? (Sorry, I don’t know,
I’m just speculating for the purpose of stimulating conversation.)

Chuck

I see. That means it’s not possible to use a filter driver to encrypt
the boot drive?

At some point, you’ll need the lowest-level hardware driver to access
the disk, right? What if I have a RAID system over a PCI card? There
would need to be a driver for the disk as well as the PCI bus driver?
Where is the list of drivers required for this special storage stack
kept?

Chuck

----- Original Message -----
From: “Scott Noone”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 07, 2004 9:38 PM
Subject: Re:[ntdev] Re:Hibernation hook

> Nope, you won’t see hibernation file (or crash dump file) I/O in a
> standard filter driver. A special copy of the storage stack is used
> during these operations and filter drivers are bypassed.
>
> -scott
>
> –
> Scott Noone
> Software Engineer
> OSR Open Systems Resources, Inc.
> http://www.osronline.com
>
> “Chuck Batson” wrote in message
> news:xxxxx@ntdev…
>> Does the hibernation file write go through the driver stack?
>> Meaning, if there was a filter driver on the stack that say,
>> encrypted the entire volume, then the hibernation file would get
>> encrypted as well.
>>
>> Chuck
>>
>> ----- Original Message -----
>> From: “Scott Noone”
>> Newsgroups: ntdev
>> To: “Windows System Software Devs Interest List”
>>
>> Sent: Thursday, October 07, 2004 8:59 PM
>> Subject: Re:[ntdev] Hibernation hook
>>
>>
>>> Hi,
>>>
>>> AFAIK there is no documented way to do this. Also, I don’t believe
>>> that you’re going to get much further with your current approach
>>> than you have gotten. Having your driver loaded in place of the
>>> driver that is going to be writing the hibernation file isn’t going
>>> to get you where you need to be.
>>>
>>> Regards,
>>>
>>> -scott
>>>
>>> –
>>> Scott Noone
>>> Software Engineer
>>> OSR Open Systems Resources, Inc.
>>> http://www.osronline.com
>>>
>>> “Valery Druba” wrote in message
>>> news:xxxxx@ntdev…
>>>> Hi, Scott
>>>>
>>>> You are right. There is no any details about this process. Exactly
>>>> I need to
>>>> encrypt hiber file. Do you know more documented way?
>>>>
>>>> Thanks,
>>>> Valery

Since when does the fact something has previously been discussed stop it
from being beaten to death ad nauseam? :wink:

I’ll go back to NTFSD now and answer one more time why it takes so long
for IRP_MJ_CLOSE to be sent after the user closes the file…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the Next OSR File Systems Class October
18, 2004 in Silicon Valley!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
Sent: Thursday, October 07, 2004 11:07 AM
To: ntdev redirect
Subject: RE: Re:[ntdev] Hibernation hook

If the RAID device is the boot device and requires an HBA from the raid
vendor then the dumpdevice stack will include the raid vendor’s HBA driver,
which can then do whatever it needs to do. RAID and Hibernation are
generally disjoint concepts.

However this generally does not help on the boot side - you still have to
deal with the bios level boot. We’ve actually discussed the encrypted boot
volume design challenges several times here.

=====================
Mark Roddy

-----Original Message-----
From: Chuck Batson [mailto:xxxxx@cbatson.com]
Sent: Thursday, October 07, 2004 10:47 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Hibernation hook

Seems to me there should be a way. How does the hibernation file get
read/saved on special purpose configurations like a RAID volume? There must
be a way to get a driver in there, right? (Sorry, I don’t know, I’m just
speculating for the purpose of stimulating conversation.)

Chuck

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 07, 2004 9:29 PM
Subject: Re: Re:[ntdev] Hibernation hook

> The real trick is DEcrypting the hiberfile. It’s read in by the
> bootloader, it would be extremely difficult to hook that and decrypt
> the file.
>
> Jason

The boot loader goes through one of two paths to read from the disk:

  1. using the platform’s INT13 support
  2. by loading ntbootdd.sys (a copy of the miniport for the boot
    controller) and sending it scsi commands

In the first case (the most common) the adapter’s BIOS is called, which
can handle any RAID functionality that it needs to.

In the second case the miniport for the controller can do what the BIOS
would have done.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@attotech.com
Sent: Thursday, October 07, 2004 8:23 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Hibernation hook

Presumably, the bootloader already knows how to handle that type of thing.
After all, it has to load the kernel, registry, and some drivers during a
normal boot.

Jason


You can encrypt the “normal” contents of the boot drive using a standard
disk filter, there’s no issue there. Things get hairy though if you want to
start supporting encrypted crash dump/hibernation files.

Windows figures out whatever drivers it’s going to need to write a crash
dump/hibernation file based on the characteristics of the boot drive. The
drivers that are loaded end up in the loaded module list with the dump_ and
hiber_ prefix.

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com
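
The point in the reply above, as an added example (not code from the thread or from OSR): classify loaded-module names by the dump_ and hiber_ prefixes and check whether a given driver has a copy in the special stack. The sample list is constructed from names mentioned in this thread; `classify_module` and `has_copy_in_stack` are hypothetical helper names, and the Windows branch assumes the documented PSAPI calls `EnumDeviceDrivers` and `GetDeviceDriverBaseNameA`.

```c
/* Added example: which drivers have a copy in the hibernation/crash-dump stack? */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* EnumDeviceDrivers, GetDeviceDriverBaseNameA; link psapi.lib */
#endif

typedef enum { STACK_NORMAL = 0, STACK_DUMP, STACK_HIBER } stack_kind;

/* Constructed sample of a loaded module list, using names from the thread. */
static const char *const SAMPLE_MODULES[] = {
    "ntoskrnl.exe", "atapi.sys", "disk.sys", "dperf.sys",
    "HIBER_WMILIB.SYS", "HIBER_ATAPI.SYS"
};
#define SAMPLE_COUNT (sizeof SAMPLE_MODULES / sizeof SAMPLE_MODULES[0])

/* Case-insensitive prefix match; prefix must be lower case.
 * Returns the prefix length on a match, 0 otherwise. */
static size_t match_prefix(const char *name, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++)
        if (tolower((unsigned char)name[i]) != prefix[i])
            return 0;   /* also stops at the end of a short name */
    return i;
}

/* Case-insensitive string equality (module names are not case sensitive). */
static int ci_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;
}

/* Classify a module name; *base receives the name without the prefix. */
stack_kind classify_module(const char *name, const char **base)
{
    size_t n;
    if ((n = match_prefix(name, "hiber_")) != 0) { *base = name + n; return STACK_HIBER; }
    if ((n = match_prefix(name, "dump_")) != 0)  { *base = name + n; return STACK_DUMP; }
    *base = name;
    return STACK_NORMAL;
}

/* 1 if `driver` (e.g. "atapi.sys") appears in `modules` as part of stack `kind`. */
int has_copy_in_stack(const char *const *modules, size_t count,
                      const char *driver, stack_kind kind)
{
    size_t i;
    for (i = 0; i < count; i++) {
        const char *base;
        if (classify_module(modules[i], &base) == kind && ci_equal(base, driver))
            return 1;
    }
    return 0;
}

int main(void)
{
#ifdef _WIN32
    /* Live system: list every module that belongs to the special stack.
     * Run elevated; kernel image bases may be hidden from unprivileged callers. */
    LPVOID bases[1024];
    DWORD needed = 0, i, n;
    if (!EnumDeviceDrivers(bases, sizeof bases, &needed)) {
        fprintf(stderr, "EnumDeviceDrivers failed: %lu\n", GetLastError());
        return 1;
    }
    n = needed / sizeof bases[0];
    if (n > 1024) n = 1024;
    for (i = 0; i < n; i++) {
        char name[MAX_PATH];
        const char *base;
        stack_kind k;
        if (!GetDeviceDriverBaseNameA(bases[i], name, sizeof name))
            continue;
        k = classify_module(name, &base);
        if (k != STACK_NORMAL)
            printf("%-5s stack copy of %s (%s)\n",
                   k == STACK_HIBER ? "hiber" : "dump", base, name);
    }
#else
    /* Offline: run the same check over the constructed sample list. */
    static const char *const check[] = { "atapi.sys", "dperf.sys" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%s: normal stack=%d, hiber stack=%d\n", check[i],
               has_copy_in_stack(SAMPLE_MODULES, SAMPLE_COUNT, check[i], STACK_NORMAL),
               has_copy_in_stack(SAMPLE_MODULES, SAMPLE_COUNT, check[i], STACK_HIBER));
#endif
    return 0;
}
```

In the sample, the filter dperf.sys is loaded in the normal stack but has no hiber_ copy, which is the situation described above: it never sees the hibernation file I/O.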


Point taken.

=====================
Mark Roddy

-----Original Message-----
From: Tony Mason [mailto:xxxxx@osr.com]
Sent: Thursday, October 07, 2004 12:04 PM
To: Windows System Software Devs Interest List
Subject: RE: Re:[ntdev] Hibernation hook

Since when does the fact something has previously been discussed stop it
from being beaten to death ad nauseam? :wink:

I’ll go back to NTFSD now and answer one more time why it takes so long for
IRP_MJ_CLOSE to be sent after the user closes the file…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
