Questions tagged [windows-kernel]

The Windows kernel (also called the NT kernel) provides services for user-mode applications and has a modular architecture that allows loading kernel drivers (either real hardware device drivers or virtual drivers).

This tag is for questions about the internals of the NT kernel and/or driver development specific to the Windows architecture.

284 questions
6 votes, 2 answers

Windbg conditional breakpoint with string compare in a nested structure

I've been trying to hit a breakpoint inside a function only if a string in a nested struct as an argument matches a specific pattern of my choosing, like so: bp `main.c:2236` ".block { .if ( $spat(\"@@(stNames->NameComponent.Buffer)\", \"*ab*\"…
lopan (rep. 107)
6 votes, 1 answer

How to unload Windows Kernel Mode Driver from the inside?

I'm writing a Windows kernel driver and I'm trying to implement the following. Suppose the driver has been called from user mode via the DeviceIoControl function with a specific IOCTL code. How can the driver unload itself in this situation? In other words,…
ElThor (rep. 161)
6 votes, 3 answers

What is the difference between PDO and FDO in Windows device drivers?

I am studying Windows device drivers on my own and I find it very difficult to differentiate between PDO and FDO. Let me tell you the flow that I have in my head; correct me if I am wrong! When the system boots it loads the root bus driver that will…
Amit Bhaira (rep. 1,687)
5 votes, 1 answer

Windows Kernel Driver: How to determine if thread terminated?

I have a thread that does some operations and it needs to be alive until a flag says otherwise. I use PsCreateSystemThread to create the thread and then use ObReferenceObjectByHandle to get an ETHREAD object reference to wait for the thread to…
Oriel Cochavi (rep. 345)
5 votes, 2 answers

The categories of commands of WinDBG?

I see some references and tutorials about the commands of WinDBG. Some of them look like lm, .echo, !running, and nt!_PDB. What is the difference between these categories: xxx, .xxx, !xxx and xxx!yyy? They look so confusing.
KyL (rep. 987)
5 votes, 1 answer

WinForms deep nested controls resize kernel bug - Splitter Panels not scaling controls properly

(initial guess at nested proved to be incorrect. Problem seems to be that SplitContainer panels do not scale their hosted controls properly.) I have some forms that have tab controls that fail to resize properly at load time.…
rheitzman (rep. 2,247)
5 votes, 4 answers

Can I access Windows Kernel system calls directly?

I have been doing research into Windows internals, and have just recently learned about system calls and I am wondering if it is possible to use these system calls like functions? I understand they aren't really meant to be accessed externally. For…
user1632018 (rep. 2,485)
5 votes, 2 answers

How do I tell whether a Windows kernel Event object is auto-reset or manual-reset?

Windows allows the creation of (named) Event objects. An Event (the synchronization primitive in Windows) can be of type auto-reset (in which case you could say it's kind of a semaphore) or it can be of type manual-reset in which case it remains set…
Martin Ba (rep. 37,187)
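The two questions above ("Can I access Windows Kernel system calls directly?" and "How do I tell whether a Windows kernel Event object is auto-reset or manual-reset?") have a common practical answer from user mode: you do not issue the syscall instruction yourself, you call the thin stub that ntdll.dll exports for it, and the right stub for the second question is NtQueryEvent. The script below is an added example, not code from either question or its answers. It assumes the NtQueryEvent signature and the EVENT_BASIC_INFORMATION layout (EventType followed by EventState, with EventBasicInformation = 0, NotificationEvent = 0 meaning manual-reset and SynchronizationEvent = 1 meaning auto-reset) as published in the commonly used NT headers; these are not part of the documented Win32 API and are an assumption here.

```powershell
# Added example: query an Event object's type from user mode by calling the
# ntdll!NtQueryEvent stub directly through P/Invoke. ntdll's Nt* exports are the
# supported way to reach a system call from user mode; the stub loads the syscall
# number and traps into the kernel (via the WOW64 layer in a 32-bit process).
# Assumed (not documented Win32): signature and struct layout from the public NT headers.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class NtEvent
{
    [StructLayout(LayoutKind.Sequential)]
    public struct EVENT_BASIC_INFORMATION
    {
        public int EventType;   // 0 = NotificationEvent (manual-reset), 1 = SynchronizationEvent (auto-reset)
        public int EventState;  // non-zero while the event is signaled
    }

    // NTSTATUS NtQueryEvent(HANDLE, EVENT_INFORMATION_CLASS, PVOID, ULONG, PULONG)
    [DllImport("ntdll.dll")]
    public static extern int NtQueryEvent(
        IntPtr EventHandle,
        int EventInformationClass,                 // EventBasicInformation = 0
        out EVENT_BASIC_INFORMATION EventInformation,
        int EventInformationLength,
        out int ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateEvent(IntPtr lpEventAttributes, bool bManualReset, bool bInitialState, string lpName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Get-NtEventType {
    # Returns the kernel's own view of an event handle: its reset type and signaled state.
    param([Parameter(Mandatory)][IntPtr]$Handle)

    $info = New-Object -TypeName 'NtEvent+EVENT_BASIC_INFORMATION'
    $size = [System.Runtime.InteropServices.Marshal]::SizeOf($info)
    $len  = 0
    $status = [NtEvent]::NtQueryEvent($Handle, 0, [ref]$info, $size, [ref]$len)
    if ($status -ne 0) {
        # Non-zero NTSTATUS: e.g. STATUS_OBJECT_TYPE_MISMATCH if the handle is not an event,
        # or STATUS_ACCESS_DENIED if the handle lacks EVENT_QUERY_STATE.
        throw ("NtQueryEvent failed, NTSTATUS 0x{0:X8}" -f $status)
    }
    [pscustomobject]@{
        Type     = if ($info.EventType -eq 0) { 'ManualReset' } else { 'AutoReset' }
        Signaled = ($info.EventState -ne 0)
    }
}

# Self-check: create one event of each kind (constructed locally, unnamed) and
# confirm the kernel reports the reset type that CreateEvent was asked for.
foreach ($manual in $true, $false) {
    $h = [NtEvent]::CreateEvent([IntPtr]::Zero, $manual, $true, $null)
    if ($h -eq [IntPtr]::Zero) { throw "CreateEvent failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try     { Get-NtEventType -Handle $h }
    finally { [void][NtEvent]::CloseHandle($h) }
}
```

The same pattern (DllImport on ntdll.dll, a struct mirroring the information class, check the NTSTATUS) applies to any other Nt* export; the caveat is that anything not in winternl.h or the WDK headers is undocumented and may change between builds, so check the returned status and ReturnLength rather than assuming the layout.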
4 votes, 0 answers

Use BLE L2CAP CoC on Windows

I am trying to use Windows PC as a Central and connect it to BLE L2CAP CoC opened by Android smartphone using BluetoothAdapter#listenUsingL2capChannel(). From what I found after looking through MSDN documentation dedicated to the use of Bluetooth on…
4 votes, 1 answer

Why does this mov gs instruction cause a fault in a VMWare Workstation guest running Windows 7?

When I run the following assembly sequence in kernel mode on Windows 7 x64 running in a VMWare Workstation virtual machine: xor eax, eax / mov ax, gs / mov gs, ax (this instruction), that last mov gs, ax instruction immediately causes that VM to…
c00000fd (rep. 20,994)
4 votes, 0 answers

Windows Filtering Platform Network Slowdown Due to Spinlock

I am writing a Windows Filtering Platform kernel-mode driver. The goal of the driver is to capture all traffic on a particular layer and communicate this traffic back down to user mode so that it can be further analysed. The driver never needs to…
Dan (rep. 3,879)
4 votes, 2 answers

How much of C++11 is usable in Windows Kernel

The latest WDK is delivered to be used with Visual Studio 15, which supports C++11. However, I have not seen documentation about how much of the functionality is usable. Obviously, I wouldn't use std::thread and std::mutex, but less clearly, is the…
mksteve (rep. 12,614)
4 votes, 1 answer

User to kernel transition and XMM register state

I am using AES-NI in a kernel code. The AES new instructions use XMM registers and I want to be sure that the transition from user to kernel mode and the transition back to user mode will preserve the state of the XMM registers. The MSDN link reads:…
4 votes, 1 answer

FsRtlIsNameInExpression never matches anything

I do string matching in a kernel driver using the Boyer-Moore algorithm, but I also need to implement basic wildcard support. This answer on SO mentioned the function FsRtlIsNameInExpression, which looks just right for my needs. It even looks like…
ixe013 (rep. 9,559)
3 votes, 0 answers

What exactly does the 32-bit win32k.sys/win32kfull.sys do on a 64-bit Windows operating system?

tl;dr The 32-bit binaries SysWow64/win32k[full].sys cannot be loaded into a running 64-bit kernel and do not have useful PE resources. What is their purpose on a 64-bit Windows machine? I'm studying the behavior of Windows' wow64 functionality to…
nanofarad (rep. 40,330)