Yeah, I don’t use it either. I just found myself there one time after
googling for something that I don’t recall. In any case, something like
five of the most recent posts were by a certain “Shark_M,” and the
subjects were along the lines of BitLocker being part of a government
conspiracy, … The usual stuff and probably the only thing that
self-absorbed people take away from Schneier’s superb book. I just read
your post. I would certainly agree with your point about lack of an
index. I can’t say that I knew who Rob Short was, so I read the little
blurb, and it sounds very interesting. As I’m having a little trouble
getting going this morning, I think I’ll watch it, assuming it is still
there.
Thanks,
mm
>> xxxxx@acm.org 2007-04-17 10:27 >>>
I have the problem of Channel 9 that since there is no easy way to search
for data the one time I looked a while later I got a question in the area
of the Channel 9 presentation and beat my head against the wall trying to
find the answer again. I wrote a blog posting on Channel 9
http://msmvps.com/blogs/windrvr/archive/2007/03/01/tuning-channel-9.aspx
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
“Martin O’Brien” wrote in message
news:xxxxx@ntdev…
> Don:
>
> Thanks. I only looked at Channel 9 once, but I have to wonder if it is
> the same guy. I would have to call his question one of if not the most
> blatantly transparent posts I’ve ever seen on this list, although (1) is
> pretty nice. (3) is just sort of frightening. If you find yourself
> bored one day, and are amused by the occasional conspiracy theory as I
> am from time to time, search Channel 9 for “Shark_M AND BitLocker.”
> Just ridiculous.
>
> mm
>
>
>
>>>> xxxxx@acm.org 2007-04-17 10:08 >>>
> Martin,
>
> I don’t look at Channel 9, but I am assuming he is the same “Shark”
> who in the past has on this forum asked:
>
> 1. How to disable F8 “safe mode boot”
> 2. How to prevent a disk being formatted (something about once his
>    software was on a system never letting it be destroyed)
> 3. Why hooking the PNP calls were crashing his machine (and I do mean
>    hook)?
> 4. How to hook IoCallDriver so he could reject calls even if he was
>    not a filter in the stack?
> 5. How to create a program or service that could not be terminated?
>
> Most of those have one purpose in my mind - MALWARE.
>
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
> “Martin O’Brien” wrote in message
> news:xxxxx@ntdev…
>> Is this (Shark Marian) the same one who makes unreasonably silly posts
>> on Channel 9 about conspiracies involving BitLocker? If so, for someone
>> who purports to be paranoid, this dude desperately needs to work on his
>> “cover,” as presently it consists of making a spectacle of himself.
>>
>> mm
>>
>>>>> xxxxx@privtek.com 2007-04-17 09:14 >>>
>> The object header is all zeroes.
>>
>> - Dan.
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Petr Kurtin
>> Sent: Tuesday, April 17, 2007 2:56 AM
>> To: Windows System Software Devs Interest List
>> Subject: Re:[ntdev] How to get the kenel address of PspTerminateProcess
>> and ObpFreeObject?
>>
>>
>> “object” (8089db40) is object’s body, i.e. real object address is
>> (8089db40-0x18) for XP SP2
>> what does “!object 0x8089DB28” say now?
>>
>> Petr Kurtin
>>
>> “Dan Kyler” wrote in message news:xxxxx@ntdev…
>>> I recently analyzed a crash dump (0x7e, 0xc0000005) from one of our
>>> internal servers where the stack looked like:
>>>
>>> f78cad68 80932cce 8089db40 00000001 8659c020 nt!ObpRemoveObjectRoutine+0xca
>>> f78cad80 8087f925 00000000 00000000 8659c020 nt!ObpProcessRemoveObjectQueue+0x36
>>> f78cadac 80948bb2 00000000 00000000 00000000 nt!ExpWorkerThread+0xeb
>>> f78caddc 8088d4d2 8087f83a 00000000 00000000 nt!PspSystemThreadStartup+0x2e
>>> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
>>>
>>> The object being deleted (8089db40) is KiInitialProcess, which is not
>>> an actual object manager object, it’s an EPROCESS structure built into
>>> the kernel.
>>>
>>> I wonder if we somehow picked up shark mouse’s virus.
>>>
>>> - Dan.
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
>>> Sent: Sunday, April 15, 2007 10:07 AM
>>> To: Windows System Software Devs Interest List
>>> Subject: RE: [ntdev] How to get the kenel address of
>>> PspTerminateProcess and ObpFreeObject?
>>>
>>>
>>> At least sharkmouse aka marian shark could change his/her email
>>> address and name, just to make this a bit more interesting.
>>>
>>>> -----Original Message-----
>>>> From: xxxxx@lists.osr.com [mailto:bounce-283619-
>>>> xxxxx@lists.osr.com] On Behalf Of Don Burn
>>>> Sent: Sunday, April 15, 2007 9:48 AM
>>>> To: Windows System Software Devs Interest List
>>>> Subject: Re:[ntdev] How to get the kenel address of
>>>> PspTerminateProcess and ObpFreeObject?
>>>>
>>>> There is absolutely no viable reason to get these calls. Calling
>>>> PspTerminateProcess will leave junk around and cause serious
>>>> problems, you typically should not be terminating a process from a
>>>> driver, but if you need to do so ZwTerminateProcess is at least
>>>> semi-documented. Calling ObpFreeObject is worse than stupid, if you
>>>> want to free an object dereference it if you have a reference and let
>>>> the OS do the cleanup, if you do not have a reference dereferencing it
>>>> or calling ObpFreeObject are just ways to crash the system.
>>>>
>>>>
>>>> --
>>>> Don Burn (MVP, Windows DDK)
>>>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>>>> Website: http://www.windrvr.com
>>>> Blog: http://msmvps.com/blogs/WinDrvr
>>>> Remove StopSpam to reply
>>>>
>>>> wrote in message news:xxxxx@ntdev…
>>>> > thanks,now i have get some windows xp sp2 build version’s address
>>>> > of those two apis,and works well,and now i have no union method to
>>>> > get the address of others windows build version,i do not want to get
>>>> > each build version of the apis address,so i ask this question,if i
>>>> > get the address of those apis,i promise can get the windows work
>>>> > well,who i help me?
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> —
>>>> Questions? First check the Kernel Driver FAQ at
>>>> http://www.osronline.com/article.cfm?id=256
>>>>
>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>> http://www.osronline.com/page.cfm?name=ListServer