Search found 28 matches

by Li Yong
Fri Jun 08, 2018 11:52 am
Forum: Kernel-Mode Development
Topic: Is possible remove a file protected by a file system filter driver?
Replies: 13
Views: 16532

Re: Is possible remove a file protected by a file system filter driver?

Vrtule, I tried to follow what you suggested, but without success; see my last question.
Why I cannot delete a file protected by a FSD filter/minifilter?
by Li Yong
Tue May 08, 2018 9:43 pm
Forum: Kernel-Mode Development
Topic: Is possible remove a file protected by a file system filter driver?
Replies: 13
Views: 16532

Re: Is possible remove a file protected by a file system filter driver?

EP_X0FF, thank you for the reference link. The text below (about IRP hooks) also confirms the suggestion of Vrtule (see the part where it explains how to bypass), since FSDs use IRP hooks to prevent exclusion of their files by some anti-rootkit tool :D IRP Major Function Hook Description The driver ob...
by Li Yong
Thu May 03, 2018 12:53 pm
Forum: Kernel-Mode Development
Topic: Is possible remove a file protected by a file system filter driver?
Replies: 13
Views: 16532

Re: Is possible remove a file protected by a file system filter driver?

Vrtule, could you direct me to the file name and specific line of code (KSBinSword) where I can find the approach that you suggested, please?
I'm not able to find it :oops:, but from a quick analysis it seems that the approach suggested by tangptr is used, and here seems to be the related code.

Thanks
by Li Yong
Thu May 03, 2018 3:35 am
Forum: Kernel-Mode Development
Topic: how to delete driver file and still Keep communication
Replies: 10
Views: 11140

Re: how to delete driver file and still Keep communication

If successful, could you provide a code example, please? I also need this force delete functionality. Waiting... ;) I still do not understand, maybe close the kernel handle can be deleted, you can try. Only closing opened handles will not solve it for files locked by a FSD (File System Driver) or Minifilte...
by Li Yong
Wed May 02, 2018 12:18 pm
Forum: Kernel-Mode Development
Topic: how to delete driver file and still Keep communication
Replies: 10
Views: 11140

Re: how to delete driver file and still Keep communication

If successful, could you provide a code example, please? I also need this force delete functionality.

Waiting... ;)
by Li Yong
Tue May 01, 2018 4:40 pm
Forum: Kernel-Mode Development
Topic: how to delete driver file and still Keep communication
Replies: 10
Views: 11140

Re: how to delete driver file and still Keep communication

Starting from Windows 10 you cannot delete the file of a loaded driver as it is locked on disk. If you want similar functionality from your screenshot you need to send an IRP to the filesystem device driver. Search for KSBinSword for "code". However, the consequences of this are unknown for Windows 10. Good suggestion EP...
by Li Yong
Fri Apr 20, 2018 9:25 pm
Forum: Newbie Questions
Topic: c - How implement a realloc function in kernel mode?
Replies: 7
Views: 8121

Re: c - How implement a realloc function in kernel mode?

Thank you VrTule and EP_X0FF. Really, linked list solved my trouble :D
by Li Yong
Tue Apr 17, 2018 5:16 pm
Forum: Newbie Questions
Topic: c - How implement a realloc function in kernel mode?
Replies: 7
Views: 8121

Re: c - How implement a realloc function in kernel mode?

Based on your answer, here was my last attempt, but without success. ///////////////////////////////////// START ARRAYLIST ///////////////////////////////////////// typedef char* value_type; typedef struct arraylist{ size_t size; value_type* data; }arraylist; ////////////////////////////////////////...
by Li Yong
Mon Apr 16, 2018 8:08 pm
Forum: Newbie Questions
Topic: c - How implement a realloc function in kernel mode?
Replies: 7
Views: 8121

Re: c - How implement a realloc function in kernel mode?

If you know the size of the buffer being "reallocated", you can use something like this: void *CustomRealloc(POOL_TYPE PoolType, const void *Buffer, size_t Size, size_t NewSize) { void *ret = NULL; ret = ExAllocatePoolWithTag(PoolType, NewSize, Tag); if (ret != NULL) { memcpy(ret, Buffer, Size); E...
by Li Yong
Mon Apr 16, 2018 12:07 pm
Forum: Newbie Questions
Topic: c - How implement a realloc function in kernel mode?
Replies: 7
Views: 8121

c - How implement a realloc function in kernel mode?

I have searched in several places on the web for some implementation of the realloc function for kernel driver development in Windows, and practically nothing was found. But a talk was found between some driver programmers about this function (including malloc) that can be seen in this link, and there exists a code snippet...