I’ve been doing some research into the Windows Filtering Platform and the information available at each of the various filtering layers. In particular, I’ve been focusing on the information available in Windows 7 as that predates some ETW trace points that contain interesting network event data. After attaching a filter to the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, I […]
Beware MmBuildMdlForNonPagedPool and Kernel Stacks
Well, this one took us by surprise… MmBuildMdlForNonPagedPool is the standard shortcut function drivers use to build MDLs describing non-pageable memory. Despite the name, the buffer described by the MDL does not necessarily need to come from non-paged pool. For example, the documentation says it’s legal to call MmBuildMdlForNonPagedPool on the buffer returned by MmAllocateContiguousMemorySpecifyCache, […]
Beware of IoBuildDeviceIoControlRequest
Diagnosed yet another crash today that is likely due to the usage of IoBuildDeviceIoControlRequest. Long ago I was burned by this API and vowed to never use it again, but somehow I neglected to share this with everyone else. Sorry about that! The trouble with this API is that it’s an attractive nuisance. You need […]
Meltdown and Spectre: What about drivers?
The week of the Meltdown and Spectre vulnerabilities was one of the most fun weeks I’ve had in a while. Not only were the vulnerabilities mind-bendingly clever, that week had just about everything you could possibly want in a story: mystery, intrigue, heroes, villains, and probably the greatest patch ever submitted. After consuming as much information […]
Tracking an NTSTATUS to its Source
I found myself in a situation this week where I really wanted to call the API SeTokenIsAdmin. I vaguely remembered some issues around this API, and Googling quickly brought up a couple of threads from NTDEV and NTFSD hinting at a security issue that was fixed in 2015: https://www.osronline.com/ShowThread.cfm?link=201029 https://www.osronline.com/showthread.cfm?link=264871 (Yes, I was on one […]
Attestation Signing — It’s NOT a Mystery
All of a sudden, you can’t load your driver on 64-bit Windows. It works sometimes. But it won’t install or load when Secure Boot is enabled. You heard something about needing an EV Certificate… you got one… it doesn’t help. What do you do now? Over the past few weeks, we’ve been contacted by several […]
Visual Studio 2017 Released — Driver Devs: Stay Where You Are
Good News: Today Visual Studio (VS) 2017 was released to General Availability. You can download it here. Bad News: The Windows Driver Kit (WDK) doesn’t support this latest version of Visual Studio, so we driver devs are stuck on VS 2015 for our driver development. There’s really not that much to say about it, except […]
Of Windows, Git, FUSE, and Moral Equivalence
It’s a known fact these days that Microsoft is feeling the Git love. As stated by Microsoft and reported by Ars Technica, the Windows operating system is even moving from its long-lived centralized source control system to Git. Strange days indeed! However, in all of this there’s an interesting technical bit related to Windows file systems. As […]
C Is Not Reasonable
Those of you who’ve read my Pontifications over the years know that the things that annoy me are truly countless in number. But most of the things that annoy me do so because I simply cannot understand why they are the way they are. Take, for one example, how arithmetic is performed in C. Now, […]
Debugging Target RS1? Good Luck!
[Last updated 31 Aug 2016, 16:11 Eastern time] Update: As of 31 August 2016, we have verified that RS1 symbols are now present and indexed on the MSFT Symbol Server. Yay! We’re back in business! The hits to driver developers just keep on coming when it comes to RS1. The latest? The symbols for WDF01000.SYS and […]