Byte Bites

Verifier shutdown watchdog

Satya Das — Wed, 04 Aug 2010 05:56:27 +0000

If Windows 7 is taking a long time to shutdown, and you are running with driver verifier turned on, you may come across the following message in kernel debugger to your rescue - Driver Verifier detected that this system didn’t finish shutting down in more than 20 minutes. To display information about the thread that [...]

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Atomic bit test and set

Satya Das — Tue, 29 Jun 2010 18:48:58 +0000

Drivers sometimes need to use atomic bit test and set operations in code. Drivers may be calling other functions that rely on bit testing and setting1 but more often than not calls are made to one of those InterlockedCompareExchangeXXX functions or the shorter InterlockedXXX functions if comparing current value is inessential. So it did not [...]

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

x64 calling convention

Satya Das — Mon, 05 Apr 2010 04:31:42 +0000

Many of you are probably already familiar with the x64 calling convention1 2 in 64-bit Windows – where generally speaking first four parameters3 are passed in registers RCX, RDX, R8 and R9 with 32 bytes of spill area reserved on stack just in case callee has to store the parameters on stack in order to [...]

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Kernel Debugging on ESXi 4.0

Satya Das — Sat, 13 Feb 2010 03:04:23 +0000

I got a new Dell T5500 desktop machine a while back and the first thing to do was to open it up and see what was in there of course. And looking at the dual quad-core Xeons and the 6GB memory, I quickly realized I had to find something daunting enough for this machine. It [...]

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

FltEnlistInTransaction behaviour

Satya Das — Thu, 14 Jan 2010 05:41:56 +0000

FltEnlistInTransaction is a filter manager function that file system mini-filters can use in Vista+ platforms to subscribe to relevant transaction notifications. It is declared in fltkernel.h as follows The idea is when a transaction is committed for example, mini-filter transaction callback is called with all event details and whatever...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Memory dumping on Windows 7

Satya Das — Sat, 02 Jan 2010 01:16:47 +0000

It seems collecting memory dumps on Windows 7 has its own challenges. First things first – engineers always get the best information from a full memory dump but Windows 7 defaults dump type to Kernel Memory Dump. One of the first things to prepare machines for testing or development is changing the dump type to [...]

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Computing on GPU – DirectCompute

Satya Das — Tue, 08 Dec 2009 01:26:26 +0000

A while back, I blogged about offloading computation traditionally done on CPU to GPU. Here is an excellent presentation from Chas Boyd at PDC 2009 about DirectCompute, which enables a DirectX 11 application to use GPU for computing tasks. The presentation not only gives an overview of a typical GPU, but also shows among other [...]

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Physical Memory Imaging

Satya Das — Sun, 29 Nov 2009 07:37:49 +0000

I came across this interesting 2007 paper on Live Memory Acquisition for Windows Operating Systems by Naja Davis that shows some of the tools and techniques used by forensics analysts1 to get at the physical memory and analyze memory contents to get list of processes, threads, files, passwords and other data in memory. Memory acquisition [...]

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

A tale of two asserts

Satya Das — Fri, 02 Oct 2009 03:47:36 +0000

There are two popular ways to assert in drivers. One can use the the regular ASSERT macro (int 3) or the relatively newer NT_ASSERT macro (int 2C). Since ASSERT calls RtlAssert, when the debugger breaks in, code would be several frames off of where the ASSERT was. If you use NT_ASSERT however, the debugger would [...]

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Deleting a file/directory

Satya Das — Mon, 14 Sep 2009 08:37:33 +0000

How do you delete a file or directory1 in Win32/64 ? You have primarily three options - DeleteFile, RemoveDirectory MoveFileEx (…, MOVEFILE_DELAY_UNTIL_REBOOT…) CreateFile (…, FILE_FLAG_DELETE_ON_CLOSE…) followed by CloseHandle First of all DeleteFile cannot be used to delete a directory, you are supposed to use...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]