How does system write to hiberfil.sys when hibernating?

I have an fsfilter driver, and I observe that IRP_MJ_CREATE is called when hibernation is enabled. But when hibernation is going, I can't see any WRITE/FASTIOWRITE/CLEANUP/CLOSE requests in my filter.
Does hibernation write hiberfil.sys in some other way, or is it a bug in my filter?

Regards
Haibo

> Does hibernation write hiberfil.sys in some other way

Yes, in a way that is very hard to filter. The FSD is not involved at all.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

It is a completely independent storage stack with no file system involvement
at all.

wrote in message news:xxxxx@ntfsd…
>I have an fsfilter driver, and I observe that IRP_MJ_CREATE is called when
>hibernation is enabled. But when hibernation is going, I can't see any
>WRITE/FASTIOWRITE/CLEANUP/CLOSE requests in my filter.
> Does hibernation write hiberfil.sys in some other way, or is it a bug in my
> filter?
>
>
> Regards
> Haibo
>

Can I filter these writes from a disk filter?

Regards
Haibo

This is a question for NTDEV since you are talking disk filter. These can
be filtered, but for older OS’es it takes special knowledge that most people
do not have, since you need to know a lot of details of the crash dump
stack. For Vista and later Microsoft provides capabilities for this but
your firm must convince Microsoft to provide the data to your company. So
the answer is yes but not easily.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntfsd…
> Can I filter these writes from a disk filter?
>
> Regards
> Haibo
>
>

> This is a question for NTDEV since you are talking disk filter. These can

be filtered, but for older OS’es it takes special knowledge that most people
do not have

There was an open-source full disk encryption tool (TrueCrypt?) with such a path.

It used Ps notify routine on driver binary load, then, if the driver’s name is “dump_xxxx” or “hiber_xxx”, it was hooking DriverEntry and then some values passed as the first parameter to its DriverEntry.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
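The name rule Maxim describes (driver images named dump_xxxx or hiber_xxx), as an added example in portable C that is not code from this thread or from any product mentioned in it. It only shows the classification step a PsSetLoadImageNotifyRoutine callback would perform on the image path it receives; the kernel wiring and the DriverEntry hooking Maxim mentions are not part of it, and the sample path is constructed.

```c
/* Added example, not code from the thread: Maxim's name rule in portable C.
 * A PsSetLoadImageNotifyRoutine callback sees the full path of every driver
 * image the kernel maps; the copies of the port driver that the dump stack
 * loads are named dump_<port>.sys (crash dump) or hiber_<port>.sys (hibernation). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum dump_stack_kind { NOT_DUMP_STACK = 0, DUMP_MIRROR = 1, HIBER_MIRROR = 2 };

static int has_prefix_ci(const char *s, const char *pre)  /* paths may be any case */
{
    for (; *pre; ++s, ++pre)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pre)) return 0;
    return 1;
}

/* For a dump-stack image, copy the mirrored port driver's base name (e.g.
 * "storport") into port[] and return its kind; else NOT_DUMP_STACK, port[] untouched. */
enum dump_stack_kind classify_dump_stack_image(const char *path,
                                               char *port, size_t port_len)
{
    const char *base = path, *p, *name, *dot;
    enum dump_stack_kind kind;
    size_t skip, n;
    for (p = path; *p; ++p)                 /* keep only the last path component */
        if (*p == '\\' || *p == '/') base = p + 1;
    if (has_prefix_ci(base, "dump_"))       { kind = DUMP_MIRROR;  skip = 5; }
    else if (has_prefix_ci(base, "hiber_")) { kind = HIBER_MIRROR; skip = 6; }
    else return NOT_DUMP_STACK;
    name = base + skip;
    dot = strrchr(name, '.');               /* strip ".sys" if present */
    n = dot ? (size_t)(dot - name) : strlen(name);
    if (n == 0 || n >= port_len) return NOT_DUMP_STACK;  /* "dump_.sys" or no room */
    memcpy(port, name, n);
    port[n] = '\0';
    return kind;
}

int main(void)
{   /* Constructed sample path, in the form a load-image callback receives it. */
    char port[64];
    enum dump_stack_kind k = classify_dump_stack_image(
        "\\SystemRoot\\System32\\Drivers\\hiber_storport.sys", port, sizeof port);
    printf("kind %d, mirrors %s.sys\n", (int)k, k ? port : "(none)");
    return 0;
}
```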

Maxim is right. I used the same technology when I was working for a full
disk encryption company. Then you can intercept all the WRITE I/O to the
hibernation file.

On Fri, Oct 16, 2009 at 12:33 PM, Maxim S. Shatskih
wrote:

> > This is a question for NTDEV since you are talking disk filter. These
> can
> > be filtered, but for older OS’es it takes special knowledge that most
> people
> > do not have
>
> There was an open-source full disk encryption tool (TrueCrypt?) with such a
> path.
>
> It used Ps notify routine on driver binary load, then, if the driver’s name
> is “dump_xxxx” or “hiber_xxx”, it was hooking DriverEntry and then some
> values passed as the first parameter to its DriverEntry.
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>

The problem with these approaches is you are essentially hooking, and like
all hooking you have the never unload and related problems. This can be
done with these hacks but it does require care, I’ve done it, I know OSR has
done it, and I believe there are several others who have done this so that
the hooking is not present.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Michael Zhu” wrote in message
news:xxxxx@ntfsd…
> Maxim is right. I used the same technology when I was working for a full
> disk encryption company. Then you can intercept all the WRITE I/O to the
> hibernation file.
>
> On Fri, Oct 16, 2009 at 12:33 PM, Maxim S. Shatskih
> wrote:
>
>> > This is a question for NTDEV since you are talking disk filter. These
>> can
>> > be filtered, but for older OS’es it takes special knowledge that most
>> people
>> > do not have
>>
>> There was an open-source full disk encryption tool (TrueCrypt?) with such
>> a
>> path.
>>
>> It used Ps notify routine on driver binary load, then, if the driver’s
>> name
>> is “dump_xxxx” or “hiber_xxx”, it was hooking DriverEntry and then some
>> values passed as the first parameter to its DriverEntry.
>>
>> –
>> Maxim S. Shatskih
>> Windows DDK MVP
>> xxxxx@storagecraft.com
>> http://www.storagecraft.com
>>

Don Burn wrote:

The problem with these approaches is you are essentially hooking, and like
all hooking you have the never unload and related problems. This can be
done with these hacks but it does require care, I’ve done it, I know OSR has
done it, and I believe there are several others who have done this so that
the hooking is not present.

Don,

Did you mean to say ‘without these hacks’? And I agree it can be done
without hooking but requires understanding and a lot of coffee … (or
beer, thanks Scott).

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

How this could be done without hooking? Can Don or someone else shed some
light on?

And when the system hibernates or crashes, who will care about the unload
problems?

On Fri, Oct 16, 2009 at 4:23 PM, Peter Scott wrote:

> Don Burn wrote:
>
>> The problem with these approaches is you are essentially hooking, and like
>> all hooking you have the never unload and related problems. This can be
>> done with these hacks but it does require care, I’ve done it, I know OSR has
>> done it, and I believe there are several others who have done this so that
>> the hooking is not present.
>>
>>
> Don,
>
> Did you mean to say ‘without these hacks’? And I agree it can be done
> without hooking but requires understanding and a lot of coffee … (or beer,
> thanks Scott).
>
> Pete
>
> –
> Kernel Drivers
> Windows File System and Device Driver Consulting
> www.KernelDrivers.com
> 866.263.9295

Well on why you care about hooking what do you do when a person changes the
crash dump stack? Depending on what you do you can crash the system. And
this is especially fun if two drivers decide to filter.

Basically you have to build a disk filter driver that catches the dump
pointer IOCTL's and then does the work itself to load the lower layers.
This is messy and hits undocumented things but can be done.

Of course once you get to Vista SP1 you can just ask Microsoft for the stuff
you need to filter the stack since it is built in.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Michael Zhu” wrote in message
news:xxxxx@ntfsd…
> How this could be done without hooking? Can Don or someone else shed some
> light on?
>
> And when the system hibernates or crashes, who will care about the unload
> problems?
>
> On Fri, Oct 16, 2009 at 4:23 PM, Peter Scott
> wrote:
>
>> Don Burn wrote:
>>
>>> The problem with these approaches is you are essentially hooking, and
>>> like
>>> all hooking you have the never unload and related problems.
>>> This can be
>>> done with these hacks but it does require care, I’ve done it, I know OSR
>>> has
>>> done it, and I believe there are several others who have done this so
>>> that
>>> the hooking is not present.
>>>
>>>
>> Don,
>>
>> Did you mean to say ‘without these hacks’? And I agree it can be done
>> without hooking but requires understanding and a lot of coffee … (or
>> beer,
>> thanks Scott).
>>
>> Pete
>>
>> –
>> Kernel Drivers
>> Windows File System and Device Driver Consulting
>> www.KernelDrivers.com
>> 866.263.9295
>>

Don Burn wrote:

Well on why you care about hooking what do you do when a person changes the
crash dump stack? Depending on what you do you can crash the system. And
this is especially fun if two drivers decide to filter.

In addition, check out filtering the appropriate xxx_dump.sys and
xxx_hiber.sys where xxx is the corresponding driver in the stack. It is
these drivers which are sent the actual IO for the dump and hiber
processing, not the standard stack.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

A few different ways to do this and unfortunately they’re all a pain. Except
for Vista and later though, that architecture is relatively straightforward.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Peter Scott” wrote in message
news:xxxxx@ntfsd…
> Don Burn wrote:
>> Well on why you care about hooking what do you do when a person changes
>> the crash dump stack? Depending on what you do you can crash the system.
>> And this is especially fun if two drivers decide to filter.
>>
>
> In addition, check out filtering the appropriate xxx_dump.sys and
> xxx_hiber.sys where xxx is the corresponding driver in the stack. It is
> these drivers which are sent the actual IO for the dump and hiber
> processing, not the standard stack.
>
> Pete
>
> –
> Kernel Drivers
> Windows File System and Device Driver Consulting
> www.KernelDrivers.com
> 866.263.9295
>

> for Vista and later though, that architecture is relatively straightforward.

Is it documented?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

If you ask Microsoft for it and they give it to you, then yes, it is
documented.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntfsd…
> for Vista and later though, that architecture is relatively
> straightforward.

Is it documented?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
