I was reading an old thread (t/techniques-for-making-a-copy-of-a-camera-frame-in-an-upper-filter-driver/57762) and the consensus was that in the Completion routine for IOCTL_KS_READ_STREAM you can find the frame buffer in Irp->MdlAddress. I indeed see this when debugging in windows 11 23H2 and earlier but on Windows 11 24H2 it seems this assumption is now broken. In the completion routine I always see that Irp->MdlAddress is null
I am trying to do a similar thing to the original poster but I am not sure where I can find the frame buffer. Or is the assumption now that I need to read it from the Data field of each KSSTREAM_HEADER.
Any help would be welcome.
Thanks
This has changed a couple of times. In Windows 7, ksthunk.sys did set the MdlAddress field to the buffer, but in Windows 8, that behavior stopped. Thus, I changed my drivers to use the SystemBuffer and do the MDL mapping myself. It's interesting that it came back.
You can also get different behavior from 32-bit and 64-bit applications. ksthunk.sys originally existing to insulate the driver from having to know that, and it helpfully did some of the mapping. Maybe that's no longer being done.
Thanks so much for the response @Tim_Roberts.
When it comes to doing the MDL mapping manually. Do you do it in the completion routine or do you set it up on the initial IRP handling and pass it through to the completion routine. Since the completion routine comes in at DISPATCH IRQL you can't use MmProbeAndLockPages.
Unless I have completely missed something about my understanding here.
I did it in a KMDF IRP preprocess routine and created a request context to hold the MDL. You probably don't need the context; you could do the mapping and shove it into Irp->MdlAddress.