Hi All,
I have written a driver to replace diskdump.sys in 2K. At first it looked
all OK, but when I did a deeper analysis a strange thing occurred: it hadn't
been loaded during the memory dump! I realize there is something wrong with
it, but the question that disturbs me is which driver is being used to dump
memory. Does W2K really do dumping/hibernation via diskdump.sys? (Even if I
remove diskdump.sys, the system can still correctly do hibernation/dumping.)
Any help would be appreciated.
--
Polo G.Z
EAZ Solution,Inc.
Http://www.eazsolution.com
->Make your life easier!
Windows uses a separate instance of atapi.sys for crash dumps and
hibernation. When the system crash dumps/hibernates, the OS loads the driver
that is registered to handle dumping; there is a special IRP that needs to
be processed to get your device registered in the dump stack.
Once you have found and registered your driver as a part of the dump stack,
it will get called during hiber/crash dumps.
Very useful information, thank you very much. And could you tell me how to
register a driver to handle dumping? I have searched for it on osronline and found
nothing except hacking the system.
----- Original Message -----
From: Developer
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Monday, October 17, 2005 9:24 PM
Subject: Re: My diskdump.sys doesn’t work.
I could, but then I would have to kill you
(Tom Cruise - Top Gun)
Well, do some debugging, that's how I went about it. In fact there is very
little information available anywhere online; those who know it are tight-lipped
about it, but I KNOW that there were a few threads in OSR and they
will give you some insight.
As of now, what I can tell you, without offending the gurus, is "debug
dump_atapi" (if you have an IDE disk connected).
Rest later...
Amitrajit
PS: What exactly are you trying to achieve?
I want to develop a timer machine, which means that if you have installed our software, you can select any time to boot the machine; if the machine is just in the hibernation state, it should boot from that state, and the user can select the time to boot more than once. In this case, I have to intercept all requests to the hard disk (including hibernation/dumping), and so far the diskdump/hibernation is the last problem to resolve; for now I have to bypass the problem by clearing the state.
Thank you for your reply.
----- Original Message -----
From: Developer
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Tuesday, October 18, 2005 9:29 PM
Subject: Re: My diskdump.sys doesn’t work.
Then you'd better debug hiber_atapi instead of dump_atapi.
amitrajit
Thanks, I have debugged dump_atapi and got some info about it: (I have sent
the email already, but it hasn't been distributed, sorry for the second post.)
#include <ntddk.h>   /* ULONG, PVOID, NTSTATUS, LARGE_INTEGER */

/* Offsets below are as observed on 32-bit x86 Windows 2000. */
typedef struct _DUMP_IRP {
    ULONG unknown1[3];
    PVOID Buffer;        // 0x0c
    PVOID Buffer1;       // 0x10
    ULONG Length;        // 0x14
} DUMP_IRP, *PDUMP_IRP;

typedef struct _MMDUMP_FUNCTIONS_DESCRIPTOR {
    ULONG StructSize;    // 0x00
    ULONG unknown1[9];   // 0x04
    ULONG DumpData10;    // 0x28
    NTSTATUS (__stdcall *DumpInit)(LARGE_INTEGER PartitionOffset);              // 0x2c, init function pointer
    NTSTATUS (__stdcall *DumpWrite)(PLARGE_INTEGER StartOffset, PDUMP_IRP pDumpIrp); // 0x30, write function pointer
    NTSTATUS (__stdcall *DumpFinish)(void);                                      // 0x34, finish function pointer
    ULONG unknown2[2];   // 0x38
    ULONG DumpData;      // 0x40
    ULONG unknown3[5];   // 0x44
} MMDUMP_FUNCTIONS_DESCRIPTOR, *PMMDUMP_FUNCTIONS_DESCRIPTOR;
I have written a filter to intercept IRPs carrying the IOCTL_SCSI_GET_DUMP_POINTER
command, and changed the device object to my device in the completion
routine, so my driver gets called when dumping. It works fine, but is there a
way to insert a driver into the dump stack without replacing anything?
Thanks again.
----- Original Message -----
From: Developer
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Wednesday, October 19, 2005 1:00 PM
Subject: Re: My diskdump.sys doesn’t work.
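The two layouts posted above were recovered by debugging dump_atapi rather than from a header, so the first thing to do with them is read real structure bytes (for instance a block copied out of the debugger) at exactly those offsets and check that the result is sane before trusting the function pointers. The following parser is an added example, not code from the thread: the field names and offsets are the 32-bit x86 Windows 2000 values from the post; the function names, the StructSize check and the sample byte images are this example's own assumptions, and the sample images are constructed, not captured from a machine.

```c
/* Added example: user-mode parser for the reverse-engineered DUMP_IRP and
 * MMDUMP_FUNCTIONS_DESCRIPTOR layouts posted in the thread.  Works on a raw
 * little-endian byte image of each structure.  Offsets are the 32-bit x86
 * W2K values from the post; everything else is this example's assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes implied by the annotated layouts: DUMP_IRP ends after Length at
 * 0x14 (0x18 bytes); the descriptor ends after unknown3[5] at 0x44 (0x58). */
#define DUMP_IRP_SIZE        0x18u
#define MMDUMP_DESC_SIZE     0x58u

/* Field offsets exactly as annotated in the thread */
#define OFF_IRP_BUFFER       0x0cu
#define OFF_IRP_BUFFER1      0x10u
#define OFF_IRP_LENGTH       0x14u
#define OFF_DESC_STRUCTSIZE  0x00u
#define OFF_DESC_DUMPDATA10  0x28u
#define OFF_DESC_DUMPINIT    0x2cu
#define OFF_DESC_DUMPWRITE   0x30u
#define OFF_DESC_DUMPFINISH  0x34u
#define OFF_DESC_DUMPDATA    0x40u

typedef struct { uint32_t buffer, buffer1, length; } dump_irp_fields;
typedef struct {
    uint32_t struct_size, dump_data10, dump_init, dump_write, dump_finish, dump_data;
} mmdump_desc_fields;

/* x86 is little-endian: read/write a 32-bit field at a byte offset */
static uint32_t rd32(const uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}
static void wr32(uint8_t *p, size_t off, uint32_t v)
{
    p[off] = (uint8_t)v;            p[off + 1] = (uint8_t)(v >> 8);
    p[off + 2] = (uint8_t)(v >> 16); p[off + 3] = (uint8_t)(v >> 24);
}

/* Returns 0 on success, -1 if the image is too short for the layout. */
int parse_dump_irp(const uint8_t *img, size_t len, dump_irp_fields *out)
{
    if (len < DUMP_IRP_SIZE) return -1;
    out->buffer  = rd32(img, OFF_IRP_BUFFER);
    out->buffer1 = rd32(img, OFF_IRP_BUFFER1);
    out->length  = rd32(img, OFF_IRP_LENGTH);
    return 0;
}

/* Returns 0 on success, -1 if the image is too short, -2 if StructSize says
 * the structure is smaller than the 0x58 bytes the annotated layout spans.
 * The thread does not say what StructSize holds; treating a smaller value as
 * "re-check the layout before using the function pointers" is this
 * example's assumption, not something the post states. */
int parse_mmdump_descriptor(const uint8_t *img, size_t len, mmdump_desc_fields *out)
{
    if (len < MMDUMP_DESC_SIZE) return -1;
    out->struct_size = rd32(img, OFF_DESC_STRUCTSIZE);
    if (out->struct_size < MMDUMP_DESC_SIZE) return -2;
    out->dump_data10 = rd32(img, OFF_DESC_DUMPDATA10);
    out->dump_init   = rd32(img, OFF_DESC_DUMPINIT);
    out->dump_write  = rd32(img, OFF_DESC_DUMPWRITE);
    out->dump_finish = rd32(img, OFF_DESC_DUMPFINISH);
    out->dump_data   = rd32(img, OFF_DESC_DUMPDATA);
    return 0;
}

/* Constructed sample images (not real captures): StructSize 0x58 and three
 * made-up kernel-range function pointers; an IRP describing one 4 KiB buffer. */
void build_sample_descriptor(uint8_t img[MMDUMP_DESC_SIZE])
{
    memset(img, 0, MMDUMP_DESC_SIZE);
    wr32(img, OFF_DESC_STRUCTSIZE, MMDUMP_DESC_SIZE);
    wr32(img, OFF_DESC_DUMPINIT,   0xf7a01000u);
    wr32(img, OFF_DESC_DUMPWRITE,  0xf7a01240u);
    wr32(img, OFF_DESC_DUMPFINISH, 0xf7a01480u);
}
void build_sample_irp(uint8_t img[DUMP_IRP_SIZE])
{
    memset(img, 0, DUMP_IRP_SIZE);
    wr32(img, OFF_IRP_BUFFER,  0x81234000u);
    wr32(img, OFF_IRP_BUFFER1, 0x00123000u);
    wr32(img, OFF_IRP_LENGTH,  0x1000u);
}

int main(void)
{
    uint8_t desc[MMDUMP_DESC_SIZE], irp[DUMP_IRP_SIZE];
    mmdump_desc_fields d; dump_irp_fields f;
    build_sample_descriptor(desc); build_sample_irp(irp);
    if (parse_mmdump_descriptor(desc, sizeof desc, &d) == 0)
        printf("DumpInit=%08x DumpWrite=%08x DumpFinish=%08x\n",
               d.dump_init, d.dump_write, d.dump_finish);
    if (parse_dump_irp(irp, sizeof irp, &f) == 0)
        printf("Buffer=%08x Buffer1=%08x Length=%08x\n", f.buffer, f.buffer1, f.length);
    return 0;
}
```

The point of the length and StructSize checks is the one a practitioner hits with any reverse-engineered layout: the offsets only mean something on the build they were recovered from, so a parser should refuse an image that cannot contain the fields it is about to read rather than return whatever happens to sit at 0x2c.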
> I have written a filter to intercept IRPs with IOCTL_SCSI_GET_DUMP_POINTER
> command, and changed the device object to my device in the completion
> routine, so my driver get called when dumping.
Good, so you did find out the information in the OSR threads after all! Good
work.
> It works fine, but is there a way to insert a driver to dump stack without
> replacing anything?
Yes, there is. We have done it, thanks to the tips and hints of a senior
developer (I am not sure whether he would like to be named).
Our driver is *not* complete yet, but it does work to some extent.
Also, I didn't exactly follow the approach advised by this senior developer,
though mine also works, as do all the others (three) I know of.
amitrajit