DRIVER_VERIFIER_IOMANAGER_VIOLATION in Windows Server 2003 SP2 with latest updates ON

Recently, I received the following error when trying to test my TDI filter driver on Server 2003 SP2 with latest updates ON:

    DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
    Arguments:
    Arg1: 00000208, (Fatal error) This IRP is about to run out of stack locations.
          Someone may have forwarded this IRP from another stack. (IRP specified.)

This violation message appeared when I …

Continue reading ‘DRIVER_VERIFIER_IOMANAGER_VIOLATION in Windows Server 2003 SP2 with latest updates ON’ »

The case of Task Manager that does not kill

Quite a long time ago, my friend Vadym Stetsiak described a bug in Task Manager which allows you to prevent (!) the killing of a process if its name is lsass.exe. To test this bug, you can rename any executable file to lsass.exe, run it, and then try to kill it from Task Manager. You …

Continue reading ‘The case of Task Manager that does not kill’ »

A shame on Kaspersky …

As one of the stages of my work, I test different antiviruses with the components I develop. This allows me to handle incompatibility issues, profile BSODs and other critical errors that might appear during the software lifecycle 😉 These days I was looking at Kaspersky (latest trial version from the official site, as it was mentioned …

Continue reading ‘A shame on Kaspersky …’ »

Undefeatable files & folders in Windows XP SP2 – a bug in SHFileOperationW

Recently I was surprised by one interesting behavior of my Windows XP box. I was playing with long file names and noticed that most of my shell extensions do not work with files whose path is longer than 260 characters. I also noticed that Windows Shell does not allow me to create long file …

Continue reading ‘Undefeatable files & folders in Windows XP SP2 – a bug in SHFileOperationW’ »

Bug in wininet: RETR command is not supported since IE7 release

If your FTP client relies on WinInet and supports resuming downloads, then it fails to work under IE7, because the RETR command does not work properly when you invoke it using the FtpCommand(…) function. The function fails with an access violation, outputting the “0xC0000005: Access violation reading location 0x00000001” message. The problem was reported in wininet NG …

Continue reading ‘Bug in wininet: RETR command is not supported since IE7 release’ »

PDBExt plugin (32 bit) v(0.2) for IDA Pro v(5.0 and higher) is released

As I promised, here is the next version of the plugin. This version introduces an extended set of settings. In addition to ‘local’ settings (which are specific per project) there are so-called “global” settings. This feature seems very useful to me, because when I worked on several projects I was constantly forced to specify …

Continue reading ‘PDBExt plugin (32 bit) v(0.2) for IDA Pro v(5.0 and higher) is released’ »

PDBExt plugin (32 bit) v(0.1) for IDA Pro v(5.0 and higher) is released

IDA Pro allows you to load symbols for Windows components. However, this feature does not fully suit me, because it constantly loads them from the Internet. This looks inefficient, especially if you use IDA on different machines: symbols get downloaded for each of them. I prefer everything that can be controlled, so my idealistic vision …

Continue reading ‘PDBExt plugin (32 bit) v(0.1) for IDA Pro v(5.0 and higher) is released’ »

Seems like “malware” may have a chance to exist under Windows Vista

Microsoft to give Vista kernel access to security firms – an interesting article that explains why Microsoft is going to publish a new API to allow 3rd-party security software to access the Vista kernel. This is really amazing news, because once these gates are opened to 3rd-party security software they can be …

Continue reading ‘Seems like “malware” may have a chance to exist under Windows Vista’ »

Why doesn’t Windows provide a more flexible API for Shell Context Menu Handlers?

Recently, I came across an interesting situation. My PC (XP SP2) was doing some calculations. CPU activity was high. I was browsing through my folders and clicked on one of them with the right mouse button. The context menu appeared after 10-20 seconds … “Why does it take so long?” I asked myself. …

Continue reading ‘Why doesn’t Windows provide a more flexible API for Shell Context Menu Handlers?’ »

TDI Filter drivers in Vista: new article is coming

The WNDP team is going to publish on its blog a document which describes in detail how to create TDI clients and TDI filter drivers in Vista. An interesting thing is that Vista does not allow hooking the dispatch table of the TDI provider. A TDI filter should use IoAttachDeviceToDeviceStack or IoAttachDevice to layer itself between …

Continue reading ‘TDI Filter drivers in Vista: new article is coming’ »
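The two posts above touch the same piece of I/O manager bookkeeping: a filter that attaches with IoAttachDeviceToDeviceStack gets a StackSize one higher than the device below it, and an IRP that was built for the shorter stack and then sent in at the top runs out of stack locations, which is what Driver Verifier reports as DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9) with Arg1 00000208. The following is an added example, not code from this blog and not kernel code: a user-mode C simulation of the IRP stack-location counter whose routine names mirror the WDK ones. The device names, the single-filter stack and the exact point at which Verifier fires (one IoCallDriver before the plain NO_MORE_IRP_STACK_LOCATIONS check would) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* User-mode model of IRP stack-location accounting, reduced to the fields that
   matter for bugcheck 0xC9/0x208. Names mirror WDK routines; this is a
   simulation for illustration, not the I/O manager's code. */

typedef struct DEVICE_OBJECT DEVICE_OBJECT;
typedef struct IRP IRP;
typedef int (*PDRIVER_DISPATCH)(DEVICE_OBJECT *dev, IRP *irp);

struct DEVICE_OBJECT {
    const char *Name;           /* illustrative device name */
    int StackSize;              /* locations an IRP needs to travel from here to the bottom */
    DEVICE_OBJECT *Lower;       /* device we are attached on top of; NULL at the bottom */
    PDRIVER_DISPATCH Dispatch;
    int SkipOnForward;          /* filter policy: IoSkipCurrentIrpStackLocation vs. CopyToNext */
};

struct IRP {
    int StackCount;             /* set by IoAllocateIrp */
    int CurrentLocation;        /* StackCount + 1 on a fresh IRP; IoCallDriver decrements it */
    int BugCheck;               /* 0, or the bugcheck code the model raised */
    int BugCheckArg1;
};

#define NO_MORE_IRP_STACK_LOCATIONS          0x35
#define DRIVER_VERIFIER_IOMANAGER_VIOLATION  0xC9
#define VERIFIER_IRP_OUT_OF_STACK            0x208  /* the Arg1 value from the crash above */

static int VerifierEnabled = 1;                     /* assumption: models verifier on/off */

static void IoAllocateIrp(IRP *irp, int stackSize) {
    memset(irp, 0, sizeof *irp);
    irp->StackCount = stackSize;
    irp->CurrentLocation = stackSize + 1;
}

/* Skipping hands the current location back, so the following IoCallDriver nets to zero. */
static void IoSkipCurrentIrpStackLocation(IRP *irp) { irp->CurrentLocation++; }

/* Copying costs nothing by itself; the next IoCallDriver consumes the next location. */
static void IoCopyCurrentIrpStackLocationToNext(IRP *irp) { (void)irp; }

static int IoCallDriver(DEVICE_OBJECT *dev, IRP *irp) {
    if (irp->BugCheck) return -1;                  /* the system is already "down" */
    if (VerifierEnabled && irp->CurrentLocation <= 1) {
        /* Assumed: Verifier complains one step before the plain 0x35 check would. */
        irp->BugCheck = DRIVER_VERIFIER_IOMANAGER_VIOLATION;
        irp->BugCheckArg1 = VERIFIER_IRP_OUT_OF_STACK;
        return -1;
    }
    irp->CurrentLocation--;
    if (irp->CurrentLocation <= 0) { irp->BugCheck = NO_MORE_IRP_STACK_LOCATIONS; return -1; }
    return dev->Dispatch(dev, irp);
}

/* Attaching raises the filter's StackSize by one over the target, as the real routine does. */
static void IoAttachDeviceToDeviceStack(DEVICE_OBJECT *filter, DEVICE_OBJECT *target) {
    filter->Lower = target;
    filter->StackSize = target->StackSize + 1;
}

static int TcpDispatch(DEVICE_OBJECT *dev, IRP *irp) { (void)dev; (void)irp; return 0; }

static int FilterDispatch(DEVICE_OBJECT *dev, IRP *irp) {
    if (dev->SkipOnForward) IoSkipCurrentIrpStackLocation(irp);
    else                    IoCopyCurrentIrpStackLocationToNext(irp);
    return IoCallDriver(dev->Lower, irp);
}

/* Build a two-device stack, allocate an IRP sized for the top or the lower device,
   and send it to the top or the lower device. Returns the bugcheck code raised
   (0 = the IRP reached the bottom device); *arg1 receives the bugcheck's Arg1. */
int SimulateSend(int sizeForTop, int sendToTop, int filterSkips, int *arg1) {
    DEVICE_OBJECT tcp    = { "\\Device\\Tcp (bottom, illustrative)", 1, NULL, TcpDispatch, 0 };
    DEVICE_OBJECT filter = { "TDI filter", 0, NULL, FilterDispatch, filterSkips };
    IRP irp;
    IoAttachDeviceToDeviceStack(&filter, &tcp);
    IoAllocateIrp(&irp, sizeForTop ? filter.StackSize : tcp.StackSize);
    IoCallDriver(sendToTop ? &filter : &tcp, &irp);
    if (arg1) *arg1 = irp.BugCheckArg1;
    return irp.BugCheck;
}

int main(void) {
    int arg1 = 0;
    int code = SimulateSend(0, 1, 0, &arg1);
    printf("sized for lower, sent to top, filter copies: bugcheck 0x%x arg1 0x%x\n", (unsigned)code, (unsigned)arg1);
    printf("sized for top,   sent to top, filter copies: bugcheck 0x%x\n", (unsigned)SimulateSend(1, 1, 0, NULL));
    printf("sized for lower, sent to lower directly:     bugcheck 0x%x\n", (unsigned)SimulateSend(0, 0, 0, NULL));
    printf("sized for lower, sent to top, filter skips:  bugcheck 0x%x\n", (unsigned)SimulateSend(0, 1, 1, NULL));
    return 0;
}
```

The first scenario reproduces the crash: the IRP was sized for the lower device alone, entered the stack at the filter, and the filter's forward is the call that would run it out of locations. Either sizing the IRP for the device it is actually sent to (use that device's StackSize) or sending it straight to the lower device avoids it, and a filter that only passes the IRP through can use IoSkipCurrentIrpStackLocation, which does not consume a location at all.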

Sometimes you DO need to invent the wheels

There is a well-known approach that states ‘there is no need to re-invent the wheel’. In other words, if you decide to implement some functionality in your program, you should google to make sure it has not already been implemented by other people, and if it has, just use it and don’t waste the …

Continue reading ‘Sometimes you DO need to invent the wheels’ »

OllyDbg, Windows XP SP2 (32-bit) and Kaspersky Antivirus

I use the OllyDbg debugger from time to time. It is the most wonderful debugger I have ever seen: it’s light, powerful and does not require installation … This evening I got a few BSODs on my Windows XP SP2 after running OllyDbg. So I started investigating. Analyzing the minidump using WinDbg showed that the system went down because of …

Continue reading ‘OllyDbg, Windows XP SP2 (32-bit) and Kaspersky Antivirus’ »

The magic of the FILE_FLAG_BACKUP_SEMANTICS flag, or a contradiction in the MSDN library

MSDN: “The FILE_FLAG_BACKUP_SEMANTICS flag specified in the call to CreateFile gives the backup application process permission to read the access-control settings of the file or directory. With this permission, the backup application process can then call GetKernelObjectSecurity and SetKernelObjectSecurity to read and then reset the access-control settings.” However, there is another (undocumented) behaviour of FILE_FLAG_BACKUP_SEMANTICS …

Continue reading ‘The magic of the FILE_FLAG_BACKUP_SEMANTICS flag, or a contradiction in the MSDN library’ »

Finally Microsoft implemented InternetReadFileExW function …

Some time ago I was surprised when I noticed that the Unicode version of the WinInet function InternetReadFileEx is not implemented. Disassembling wininet.dll gave me the following results:

    .text:000007FF7D0D16A0 ; InternetReadFileExW proc near
    .text:000007FF7D0D16A0     sub     rsp, 28h
    .text:000007FF7D0D16A4     mov     ecx, 78h            ; 78h = 120 = ERROR_CALL_NOT_IMPLEMENTED
    .text:000007FF7D0D16A9     call    cs:SetLastError
    .text:000007FF7D0D16AF     xor     eax, eax            ; return FALSE
    .text:000007FF7D0D16B1     add     rsp, 28h
    .text:000007FF7D0D16B5     retn
    .text:000007FF7D0D16B5 InternetReadFileExW endp

So …

Continue reading ‘Finally Microsoft implemented InternetReadFileExW function …’ »