Public Remote Windows Internals Training!

Tuesday, April 3, 2018

This is the first public remote class that I will be delivering. It's Windows Internals this time (other classes will be provided in the future). Here are the basic details:

Windows Internals Training
Instructor: Pavel Yosifovich
Public 5-day remote class
Dates (updated): June 19, 20, 21, 25, 26
Time: 8 hours / day. Exact hours TBD
Price: 1950 USD
Register by emailing and specifying “Windows Internals Training” in the title and provide names of participants (discount available for multiple participants from the same company), company name and time zone. You’ll receive instructions for payment and other details. Virtual space is limited! Note the changed dates!

Objectives: Understand the Windows system...

Intercepting COM Objects with CoGetInterceptor

Wednesday, February 28, 2018

A while back I wrote about COM interception with CoTreatAsClass. The idea there is to redirect a CLSID to another CLSID implemented by the interceptor. This has the advantage of automatic redirection in cases where a different implementation is desired. However, it makes it difficult to just wrap the original class because its creation becomes masked as well, and so CoTreatAsClass needs to be called again, removing the redirection just long enough to create the original object. This creates an inherent race condition, where new instances could be created in between and the interception "missed". The COM infrastructure includes other...

ProcMon vs. ProcMonX

Wednesday, January 17, 2018

The (now classic) Process Monitor tool from Sysinternals allows watching important activities on a system: process and thread creation/termination, image loading/unloading, file system operations and registry operations (and some profiling events). This tool helped me many times in diagnosing issues or just understanding what's going on in a particular scenario. Yesterday I released the first preview of a tool called Process Monitor X (ProcMonX), as a possible alternative to ProcMon. ProcMonX provides information on similar activities to ProcMon, but adds many more events, such as networking, ALPC and memory. In fact, the number of possible events is staggering, since there...

Driver Introspection with DriverMon

Saturday, November 18, 2017

In the past few weeks I've been working in my non-existent spare time on DriverMon - a driver monitoring tool for Windows. The tool is far from complete, but it's already quite useful. In this post I'll describe how to use it and some of the challenges of building such a tool. Initially I wanted to be able to track every I/O Request Packet (IRP) targeted to monitored devices. The term "devices" here is important, as the Windows I/O system is device-centric rather than driver-centric. That is, requests are delivered to devices, not drivers. A device can be thought of...

Enumerating Job Objects

Saturday, June 17, 2017

Job objects have been around since Windows 2000, providing a convenient way to set limits and otherwise manage a set of processes. Up until Windows 8 job objects were used sparingly, because a process could only be associated with a single job at most. That would mean an application wanting to set some limits on a process it does not create explicitly had no way of knowing whether that process was already part of a job. If it were, assigning it to another job would simply fail. Starting with Windows 8, jobs can be nested, effectively creating a job hierarchy...

Getting rid of the Start button – Adding a Hook

Monday, September 16, 2013

In the previous post we saw how to find and remove the Start button and move the task bar window to the left to occupy the free space left by the former Start button. However, we saw that by opening the system tray, the task bar moves back to its original position. We need to know when that happens, and then use the same trick to move it back to the “right” position. To do that we would need to register somehow for the WM_MOVE message. This is one option, and we can verify this using Spy++’s Message window for task...

Getting rid of the Start button in Windows 8.1

Sunday, September 15, 2013

Windows 8.1 brings back the famous Start button, but alas – it’s not the good Start button from Windows 7. It’s just yet another way to get to the new Home screen. This makes the Start button (at least for me) completely useless, as there are already several ways to get to the Home screen (Windows key on the keyboard, mouse moved to the bottom left corner, touch devices can press the hardware Start button, the Charms bar has a Start button…). There are utilities that can simulate the old Windows 7 Start button, if I don’t have such a...

Interpreting a Handle’s Access Mask

Monday, August 19, 2013

When opening a handle to a kernel object with some Open* Windows API function (e.g. OpenProcess, OpenThread, OpenEvent, …) an access mask must be specified, indicating the type of access requested from the resulting handle. Requesting too much access may cause the call to fail, so a best practice is to request only the access flags that are needed to get the job done. For example, suppose we want to know when a running process terminates. This requires obtaining a handle to the process in question and calling WaitForSingleObject on that handle. For this, only the SYNCHRONIZE access is required: HANDLE...

My first PluralSight course has been published!

Thursday, August 8, 2013

In the last few months, I’ve been working on a course for PluralSight. Creating a video course is not easy, as I found out first-hand. In fact, it’s more difficult than writing a book. With a book, I can change a sentence or a paragraph, at any time and any place. A video course is different… changes are hard, and recording sessions cannot be done just anywhere. But I’ve learned a lot from the experience, which should make the next courses a bit easier… My first course is about a favorite subject of mine, Windows Internals. This deals with the...

Kernel debugging with a Hyper-V virtual machine

Tuesday, June 25, 2013

One of the best ways of investigating the way Windows works is through a kernel debugger. Windows supports a local kernel debugging mode that can be activated in one of two ways:

1. Set up Windows to run in local debugging mode by running bcdedit /debug on from an elevated command prompt and then restart. Finally, run WinDbg and select File / Kernel Debug… from the menu, then select the Local tab and click OK. The main downside here is the need for a restart, and more subtly, some apps behave strangely when the debug flag is on.
2. Use the LiveKD tool...