Closed

Check IoCallDriver and IoCompleteRequest with enabled Verifier

description

Environment: Win2003, KDAR Version: 0.0.9
 
With Verifier enabled, the script has two false positives:
checking IoCallDriver and IoCompleteRequest...
IoCallDriver: PATCHED -> 809ab0c2
IoCompleteRequest: PATCHED -> 809ab8b0
 
kd> x nt!IovCallDriver
809ab0c2 nt!IovCallDriver = <no type information>
kd> x nt!IovCompleteRequest
809ab8b0 nt!IovCompleteRequest = <no type information>
 
P.S. Very good scripts, thank you for public access
Closed Jan 18, 2010 at 7:32 PM by kernelnet
fixed

comments

kernelnet wrote Dec 11, 2009 at 7:53 PM

It's an expected false positive. DV sets an interceptor at IoCallDriver and IoCompleteRequest to track IRP handling. I cannot decide whether it has to work with DV or not. Maybe it's worth printing a warning about DV presence?

Thanks for the first report!

EreTIk wrote Dec 16, 2009 at 11:26 AM

I suggest checking for equality with nt!IovCallDriver / nt!IovCompleteRequest and printing a warning: "IoXxx: inspected by Driver Verifier". This is a "normal" situation for many users of KDAR.
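One way to implement the check suggested above in a kd script (an added example; this is not KDAR's own script, nor code from either commenter). It assumes, as on XP/2003 kernels, that the exported IoCallDriver and IoCompleteRequest stubs dispatch through the globals nt!pIoCallDriver and nt!pIoCompleteRequest, which point to nt!IopfCallDriver / nt!IopfCompleteRequest normally and to nt!IovCallDriver / nt!IovCompleteRequest when Driver Verifier is active; the symbol names other than IovCallDriver and IovCompleteRequest are assumptions about that layout and need kernel symbols loaded:

```windbg
$$ Added example (not part of KDAR): classify the IoCallDriver / IoCompleteRequest dispatch targets.
$$ Assumption: nt!pIoCallDriver and nt!pIoCompleteRequest hold the dispatch pointers on this kernel.
r $t0 = poi(nt!pIoCallDriver)
r $t1 = poi(nt!pIoCompleteRequest)

$$ Driver Verifier's own interceptor is a known, benign target: warn instead of reporting PATCHED.
.if ($t0 == nt!IovCallDriver) { .echo "IoCallDriver: inspected by Driver Verifier" }
.elsif ($t0 == nt!IopfCallDriver) { .echo "IoCallDriver: OK" }
.else { .printf "IoCallDriver: PATCHED -> %p (%y)\n", $t0, $t0 }

.if ($t1 == nt!IovCompleteRequest) { .echo "IoCompleteRequest: inspected by Driver Verifier" }
.elsif ($t1 == nt!IopfCompleteRequest) { .echo "IoCompleteRequest: OK" }
.else { .printf "IoCompleteRequest: PATCHED -> %p (%y)\n", $t1, $t1 }
```

Run it with `$$>< <path to script>` in kd. The `%y` in `.printf` prints the nearest symbol for the target address, so an unexpected target outside ntoskrnl shows up by module name rather than as a bare address, which is what distinguishes a third-party hook from the Verifier case the thread describes.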

kernelnet wrote Dec 29, 2009 at 7:32 AM

I'll fix it in 0.0.11
