Search found 157 matches

by myid
Thu Dec 21, 2017 7:28 am
Forum: Kernel-Mode Development
Topic: How to redirect registry key in registry callback?
Replies: 4
Views: 8166

Re: How to redirect registry key in registry callback?

Brock wrote: Microsoft's sample code doesn't work on Microsoft's Regedit? What do you mean it "cannot" work? Have you verified this with other registry editors/viewers?
https://github.com/Microsoft/Windows-dr ... ry/regfltr
You can test this code if you don't believe me.
by myid
Wed Dec 20, 2017 11:15 am
Forum: Kernel-Mode Development
Topic: How to redirect registry key in registry callback?
Replies: 4
Views: 8166

Re: How to redirect registry key in registry callback?

This should help you override and redirect the operation but I haven't tested it. http://joyasystems.com/sample-code%2FWindows%20Driver%20Samples%2FRegFltr%20Sample%20Driver%2FC%2B%2B%2Fsys%2Fpost.c *see example CallbackPostNotificationOverrideError()* This code comes from the WDK demo code package, ...
by myid
Tue Dec 19, 2017 2:04 pm
Forum: Kernel-Mode Development
Topic: How to redirect registry key in registry callback?
Replies: 4
Views: 8166

How to redirect registry key in registry callback?

Hi, everyone. How to redirect registry key in registry callback? I use RegEdit to test, OS environment is WIN7. For example: redirect \\REGISTRY\\MACHINE\\SOFTWARE\\1111 to \\REGISTRY\\MACHINE\\SOFTWARE\\2222. These two keys already exist. I try to filter RegNtPreCreateKeyEx and RegNtPreOpenKey...
by myid
Thu Nov 30, 2017 1:14 pm
Forum: Kernel-Mode Development
Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait
Replies: 19
Views: 18221

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

Are you sending the IRP directly to that system driver, or to the highest device in its device stack? If the latter, be aware that filter drivers may also register a completion routine and may postpone IRP completion by returning STATUS_MORE_PROCESSING_REQUIRED. So, the cancel routine returns and t...
by myid
Thu Nov 30, 2017 2:39 am
Forum: Kernel-Mode Development
Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait
Replies: 19
Views: 18221

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

So, I think it is safe to free the event object after IoCancelIrp returns TRUE. That would be true if the cancel routine had a requirement to complete the IRP. As far as I remember, the documentation does not mention this requirement. My IRP will be sent to a system driver. I have found its source code...
by myid
Wed Nov 29, 2017 4:25 pm
Forum: Kernel-Mode Development
Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait
Replies: 19
Views: 18221

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

This may happen when you call IoCancelIrp after the IRP is completed and freed. You need to synchronize the code of your completion routine with the call to IoCancelIrp, so you never touch (or cancel) the IRP after its completion. I have read the source code of IoCancelIrp, it returns after the Canc...
by myid
Wed Nov 29, 2017 1:20 pm
Forum: Kernel-Mode Development
Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait
Replies: 19
Views: 18221

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

IoCancelIrp returns TRUE if and only if the IRP has a cancel routine. The function calls the cancel routine and sets the cancel bit of the IRP. I do not think that the cancel routine must complete the IRP (possibly with the STATUS_CANCELLED result). So, when the call to the IoCancelIrp returns, the...
by myid
Wed Nov 29, 2017 2:48 am
Forum: Kernel-Mode Development
Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait
Replies: 19
Views: 18221

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

By calling IoCancelIrp, you are telling the driver currently owning the IRP that you wish to cancel it. It is up to the owning driver what it does with such an IRP. Eventually, it should complete it with STATUS_CANCELLED (or some other error status), so your completion routine is called (if you in...
by myid
Tue Nov 28, 2017 7:27 am
Forum: Kernel-Mode Development
Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait
Replies: 19
Views: 18221

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

Hmmm, I think the problem is that the event object may be freed even when a thread is waiting for it. The following scenario leads to the issue: 1) you allocate the event object, 2) you build the IRP, 3) you pass the IRP to the target driver (IoCallDriver), 4) you start waiting for the event object...
by myid
Mon Nov 27, 2017 9:08 am
Forum: Kernel-Mode Development
Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait
Replies: 19
Views: 18221

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

How are you building the IRP? Also, if KeWaitForSingleObject returns STATUS_TIMEOUT, you should not use the iosb.Status value since the IRP is not complete (and hence, this value is not initialized by the completing driver). Thanks, but this is not the key point. It still BSOD after I delete this l...