windows-kernel

问题 Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Want to improve this question? Update the question so it's on-topic for Stack Overflow. Closed 3 years ago . Improve this question I am an application developer mostly work in C#. I have some knowledge of C/C++. I am very much fascinated and interested in windows Kernel Development. I Sketched out a layout to learn this. 1. Understand Windows internals(By books) 2. Try Simple Modules and keep

问题 I see some references and tutorials about the commnads of WinDBG. Some of them like this lm , this .echo , this !running , and this nt!_PDB . What is difference between these categories xxx .xxx !xxx xxx!yyy ? They look so confused. 回答1: There are built-in commands, meta commands (dot commands) and extension commands (bang commands). My personal opinion is that you needn't care too much about the difference of built-in commands compared to meta commands, since there are enough examples where

问题 i dump some process data. I got DirBase value as 00030000 How windows generate this value ? Any AVL Tree data structure at the begining of kernel gives this data? I want to learn how process is created internally on kernel. What kind of global variables assigns DirBase , ObjectTable etc values. Here is some sample windbg: !process fb667a00 7 PROCESS fb667a00 Cid: 0002 Peb: 00000000 ParentCid: 0000 DirBase: 00030000 ObjectTable: e1000f88 TableSize: 112. When a process created by system. System

问题 I wrote a Windows driver (file system). All my logs print by the DbgPrint function. With the DebugView program ( Capture Kernel - on) I can see all my logs. I want to show/save its logs. So, I want to listen to kernel messages. I tried to write some: struct DbWinBuffer { DWORD dwProcessId; char data[4096 - sizeof(DWORD)]; }; DbWinBuffer* dbBuffer; HANDLE hAckEvent; HANDLE hEvent; HANDLE hSharedFile; SECURITY_DESCRIPTOR sd; SECURITY_ATTRIBUTES sa; sa.nLength = sizeof(SECURITY_ATTRIBUTES); sa

问题 Take a look at this example: a USB device in Windows 7 is reported to have Device instance path(DevinstPath) USB\VID_1EAB&PID_0501\7&25C389C1&0&1 and I know exactly that it corresponds to the so-called hardware-key(hwkey) in registry. Now my question is: When my KMDF driver code has WDFDEVICE handle for that USB device, how can I know its DevinstPath? I know I can send a BusQueryDeviceID to achieve the so-called device-id USB\VID_1EAB&PID_0501 ; send a BusQueryInstanceID to achieve the so

问题 I want to monitor a windows machine. I created a windows service, and my purpose is to be notified when a process tries to create a new registry key. I use RegistryCallback with the following signature NTSTATUS RegistryCallback( _In_ PVOID CallbackContext, _In_opt_ PVOID Argument1, _In_opt_ PVOID Argument2 ) The RegistryCallback was registered with CmRegisterCallback . The problem is I am notified for every registry key creation , however I want to be notified only for creation of new

问题 My system is suffering from a high timer resolution ( NtQueryTimerResolution returns 0.5ms). Maximum timer interval: 15.600 ms Minimum timer interval: 0.500 ms Current timer interval: 0.500 ms Some process must be calling NtSetTimerResolution with a value of 5000 (0.5ms), but how can I determine which one? I saw Intel has a tool called Battery Life Analyzer that shows the current timer resolution per process, but that tool is only available to Intel partners. Is there another tool or a way to

问题 I'm working on a windows service that needs to simulate input at the windows logon screen. Basically move mouse and also forward keystrokes. The service will be running with full privileges so that's not an issue. I've looked into SendInput, but it only works for the current session. I know there are various types of tools that allow such functionality e.g. remote assistance tools are one example that allow IT support to view the logon screen and provide input as well, so it's definitely do

问题 I'm trying to write an APC dll injection driver, I've found this example and thought to modify it to my needs. After I understood the code, this is how I thought to modify it (and my question come from there). In the code, the writer used PsLookupThreadByThreadId to receive a referenced pointer to the ETHREAD structure of the targeted process. PsLookupThreadByThreadId(pSpi->Threads[0].ClientId.UniqueThread,&Thread) but to get the SYSTEM_THREAD_INFORMATION for the UniqueThread handle, he used

问题 I'm running Linux, and I have two Windows 7 machine setup in VirtualBox. Now I'm trying to use the first machine to debug the second one. So I configured the same host pipe for the two machines, In the debugger machine, I launches windbg that waiting for inputs on COM1 : And on the debugee machine, I enabled debug mode and reboot, C:\Users\XX>bcdedit /dbgsettings debugtype Serial debugport 1 baudrate 115200 But they don't seem to know each other, just blindly waiting. Anything wrong? Or was