Questions tagged [kernel-mode]

Kernel mode, also referred to as system mode, is one of the two distinct modes of operation of the CPU, in which core operating system components, including device drivers, execute.

All code that runs in kernel mode shares a single virtual address space. This means that a kernel-mode driver is not isolated from other drivers and the operating system itself. If a kernel-mode driver accidentally writes to the wrong virtual address, data that belongs to the operating system or another driver could be compromised. If a kernel-mode driver crashes, the entire operating system crashes.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx
http://www.linfo.org/kernel_mode.html

144 questions
-1
votes
1 answer

Cannot cast struct pointer to PUCHAR

I'm testing some code (based on this reference) and I'm receiving an error that says: 'type cast': cannot convert from 'SYSTEM_SERVICE_TABLE' to 'PUCHAR'. How can I solve it? Edit: The goal is to try to find the Shadow SSDT table address on Windows 10…
user13342579
-1
votes
1 answer

How retrieve complete filename with NtQueryDirectoryFile in recursive mode?

I'm using this code to go through all files and directories recursively. Now I want to know how to extract the complete filename (path + filename + extension). The following line (also present in the reference code) gives only filename + extension (without directory…
user13342579
-1
votes
1 answer

Injecting a DLL from LoadImageNotifyRoutine, hangs on ZwMapViewOfSection

So I'm making a crackme and one of the parts is to hook a certain function and wait for a certain combination of params to happen, then the challenge is done. For that, I'm creating a driver to inject a DLL into processes that have a specific DLL and…
Denis Rozimovschii (428 reputation; badges: 1 gold, 6 silver, 19 bronze)
-1
votes
1 answer

Is there a way to synchronize this without locks?

Say I have 3 functions that can be called by an upper layer:
Start - Will only be called if we haven't been started yet, or Stop was previously called
Stop - Will only be called after a successful call to Start
Process - Can be called at any time…
Nick Banks (4,298 reputation; badges: 5 gold, 39 silver, 65 bronze)
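One lock-free way to meet the Start/Stop/Process contract described in the question above. This is an added example, not code from the asker or from any answer on the page; the svc_* names are hypothetical, and C11 atomics stand in for the Windows Interlocked* routines a driver would use. The security-relevant point is that "is the service running?" and "count me as in flight" must be one atomic step, otherwise a Process call can slip in between Stop's check and its teardown and touch freed state. The example packs the state and the in-flight count into a single word and makes every transition a compare-and-swap on that word; when Stop finds work in flight it defers teardown to the last exiting Process call.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Lock-free Start/Stop/Process state machine (added example, hypothetical names).
 * A single 64-bit word packs the state (low 2 bits) and the number of Process
 * calls currently in flight (remaining bits). Every transition is a CAS on that
 * one word, so a concurrent Stop can never split "check RUNNING" from "increment".
 * C11 atomics stand in for the Windows Interlocked* routines a driver would use.
 */
enum { ST_STOPPED = 0, ST_RUNNING = 1, ST_STOPPING = 2 };

static _Atomic uint64_t g_word = 0;     /* state | in-flight count */
static _Atomic int g_cleanup_runs = 0;  /* how many times teardown ran */

static inline uint64_t pack(unsigned state, uint64_t count) { return (count << 2) | state; }
static inline unsigned  state_of(uint64_t w) { return (unsigned)(w & 3u); }
static inline uint64_t  count_of(uint64_t w) { return w >> 2; }

/* Teardown: runs exactly once per Start/Stop cycle, after the last in-flight Process left. */
static void finalize_stop(void) {
    atomic_fetch_add_explicit(&g_cleanup_runs, 1, memory_order_relaxed);
}

/* Start: only valid from STOPPED; returns false if already started. */
bool svc_start(void) {
    uint64_t expected = pack(ST_STOPPED, 0);
    return atomic_compare_exchange_strong(&g_word, &expected, pack(ST_RUNNING, 0));
}

/* Process entry: atomically checks RUNNING and bumps the in-flight count.
   Returns false (caller must not proceed) once Stop has been requested. */
bool svc_process_enter(void) {
    uint64_t w = atomic_load(&g_word);
    for (;;) {
        if (state_of(w) != ST_RUNNING) return false;
        if (atomic_compare_exchange_weak(&g_word, &w, pack(ST_RUNNING, count_of(w) + 1)))
            return true;
        /* CAS failed: w now holds the fresh value, retry */
    }
}

/* Process exit: drops the in-flight count. If a Stop is pending and this was the
   last in-flight call, it performs the teardown. Returns true if it finalized. */
bool svc_process_exit(void) {
    uint64_t w = atomic_load(&g_word);
    for (;;) {
        uint64_t c = count_of(w) - 1;   /* caller contract: a matching enter succeeded */
        unsigned s = state_of(w);
        bool last_under_stop = (s == ST_STOPPING && c == 0);
        uint64_t next = last_under_stop ? pack(ST_STOPPED, 0) : pack(s, c);
        if (atomic_compare_exchange_weak(&g_word, &w, next)) {
            if (last_under_stop) finalize_stop();
            return last_under_stop;
        }
    }
}

/* Stop: if nothing is in flight, tears down immediately; otherwise marks STOPPING
   and defers teardown to the last svc_process_exit(). Returns false if not running. */
bool svc_stop(void) {
    uint64_t w = atomic_load(&g_word);
    for (;;) {
        if (state_of(w) != ST_RUNNING) return false;
        if (count_of(w) == 0) {
            if (atomic_compare_exchange_weak(&g_word, &w, pack(ST_STOPPED, 0))) {
                finalize_stop();
                return true;
            }
        } else if (atomic_compare_exchange_weak(&g_word, &w, pack(ST_STOPPING, count_of(w)))) {
            return true;
        }
    }
}

unsigned svc_state(void)        { return state_of(atomic_load(&g_word)); }
uint64_t svc_inflight(void)     { return count_of(atomic_load(&g_word)); }
int      svc_cleanup_runs(void) { return atomic_load(&g_cleanup_runs); }

int main(void) {
    svc_start();
    svc_process_enter();
    svc_stop();                     /* deferred: one call still in flight */
    printf("after stop request: state=%u cleanup_runs=%d\n", svc_state(), svc_cleanup_runs());
    svc_process_exit();             /* last one out runs the teardown */
    printf("after last exit:    state=%u cleanup_runs=%d\n", svc_state(), svc_cleanup_runs());
    return 0;
}
```

The count field is the equivalent of rundown protection: Stop never blocks, so it is safe to call at any IRQL where the atomics are, and teardown is guaranteed to run exactly once, on whichever thread happens to be last.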
-1
votes
4 answers

How to delete a file from kernel-mode?

I have a minifilter (kernel-mode). I want to delete a file with a specific path (\Device\HarddiskVolume1\file.txt or C:\file.txt) from kernel-mode. Is there any way to do that? UPDATE: 20150130 I tried to use the ZwDeleteFile routine as Harry Johnston said.…
GSP (574 reputation; badges: 3 gold, 7 silver, 34 bronze)
-1
votes
1 answer

How does an instruction know if it's running in privileged or user mode?

In a class the prof said "an [assembly] instruction knows if it's running in privileged or user mode because if a trap is produced then it's user mode". First off I assume it can't be any trap but a specific trap saying that the command cannot be…
Celeritas (14,489 reputation; badges: 36 gold, 113 silver, 194 bronze)
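A user-mode probe of the two mechanisms behind the question above, added here as an example that is not from the asker or any answer on the page. It assumes a Linux host on x86 or AArch64 (names current_cpl and try_privileged_instruction are hypothetical). On x86 the CPU keeps the Current Privilege Level in the low two bits of the CS selector, so code can simply read it: 3 in user mode, 0 in the kernel. The second probe executes an instruction reserved for the kernel; the instruction does not "know" its mode, the CPU checks the requested privilege against CPL and raises the specific fault (#GP on x86, an undefined-instruction exception at EL0 on AArch64), which the kernel delivers to the process as SIGSEGV or SIGILL.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (hypothetical names). Assumes Linux on x86 or AArch64.
 *  1. current_cpl(): read the privilege level the hardware tracks in CS[1:0].
 *  2. try_privileged_instruction(): run a kernel-only instruction and report
 *     the signal the kernel forwards for the resulting CPU fault.
 */
static sigjmp_buf g_trap_env;
static volatile sig_atomic_t g_trap_signo;

static void on_trap(int signo) {
    g_trap_signo = signo;
    siglongjmp(g_trap_env, 1);   /* skip past the faulting instruction */
}

/* x86 CPL from CS[1:0]; -1 on other architectures. */
int current_cpl(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned short cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs & 3;
#else
    return -1;
#endif
}

/* Returns the signal the kernel delivered for the privileged instruction
   (SIGSEGV for an x86 #GP, SIGILL for AArch64 undefined-at-EL0), or 0 if
   the architecture is not covered here. */
int try_privileged_instruction(void) {
    struct sigaction sa, old_segv, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);

    g_trap_signo = 0;
    if (sigsetjmp(g_trap_env, 1) == 0) {
#if defined(__x86_64__) || defined(__i386__)
        __asm__ volatile("cli");              /* IOPL is 0 for user code -> #GP */
#elif defined(__aarch64__)
        __asm__ volatile("msr daifset, #2");  /* masking IRQs is EL1-only -> undefined */
#endif
        /* On an unsupported architecture nothing runs and g_trap_signo stays 0. */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return g_trap_signo;
}

int main(void) {
    printf("CPL read from CS: %d\n", current_cpl());
    int s = try_privileged_instruction();
    printf("privileged instruction -> signal %d (%s)\n", s,
           s == SIGSEGV ? "SIGSEGV, i.e. #GP" : s == SIGILL ? "SIGILL" : "none");
    return 0;
}
```

The trap is the enforcement point of the whole user/kernel split: a privileged instruction is refused because CPL is 3, not because the instruction inspects anything, which is why a kernel-mode driver (CPL 0) gets no such protection and a bug there takes the whole system down.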
-1
votes
1 answer

Full file path with drive letter

I am a beginner in driver development. I am developing a filter driver(Kernel Mode). I want to get the full path of every file which is opened. I have a file object and an IRP. I am using &pFileObject->fileName to display the path. It shows the…
Muhammad Irfan (735 reputation; badges: 1 gold, 11 silver, 17 bronze)
-2
votes
3 answers

How can I debug a kernel driver crash in Windows?

I wrote a kernel driver that hooks into a process and hides a folder. This driver works very well, until I connect an external hard disk. At this point, my OS (either Windows XP or Server 2003) crashes with a blue screen of death (BSOD). What could…
M.Rezaei (992 reputation; badges: 3 gold, 11 silver, 28 bronze)
-2
votes
1 answer

Kernel Mode: How to read a txt file line by line?

I need to read each line of a txt file and pass this line as a parameter to a method. I have found this example: LARGE_INTEGER byteOffset; ntstatus = ZwCreateFile(&handle, GENERIC_READ, …
user8767827