IoCreateDriver() behaviour with Spin Locks
In this article I am going to talk about some interesting behaviour of the IoCreateDriver() function when it is combined with spin locks and linked lists. First off, IoCreateDriver() is undocumented and unsupported: it should never be used in production code, but since this is a blog we can play around with it and learn something useful. The function takes two parameters, an optional driver name and a pointer to a PDRIVER_INITIALIZE routine; note that the second parameter is the standard entry point for kernel-mode drivers. In our example we skip the first parameter because we are going to manually map the driver into system memory.

We are going to write two drivers, ldr.sys and buggy.sys: ldr.sys implements the loading part and buggy.sys is the driver being loaded. In the first scenario I go with the standard way of protecting a linked list:

__acquire_lock()
__insert_tail_list()
__release_lock()

We will observe how the above method can blue screen the system. In the second scenario, I am...
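As an added illustration of the acquire / insert-tail / release pattern named above (this is not code from the post, nor from ldr.sys or buggy.sys), the following user-mode C program reimplements the shape of the kernel's LIST_ENTRY list helpers and models a KSPIN_LOCK with a C11 atomic flag, so it compiles and runs without the WDK. In a real driver the same three steps are KeAcquireSpinLock on a KSPIN_LOCK, InsertTailList, and KeReleaseSpinLock; everything else here (the node layout, the function names, the lock implementation) is an assumption made for the demonstration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Portable stand-in for the Windows LIST_ENTRY intrusive doubly-linked list.
 * Hypothetical user-mode reimplementation; the real macros live in ntddk.h. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

static void InitializeListHead(LIST_ENTRY *Head)
{
    Head->Flink = Head;
    Head->Blink = Head;
}

static bool IsListEmpty(const LIST_ENTRY *Head)
{
    return Head->Flink == Head;
}

/* Link Entry in front of the head, i.e. at the tail of the circular list. */
static void InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry)
{
    LIST_ENTRY *Last = Head->Blink;
    Entry->Flink = Head;
    Entry->Blink = Last;
    Last->Flink = Entry;
    Head->Blink = Entry;
}

static LIST_ENTRY *RemoveHeadList(LIST_ENTRY *Head)
{
    LIST_ENTRY *Entry = Head->Flink;
    Head->Flink = Entry->Flink;
    Entry->Flink->Blink = Head;
    return Entry;
}

/* Stand-in for KSPIN_LOCK with KeAcquireSpinLock/KeReleaseSpinLock:
 * a plain test-and-set spin lock on a C11 atomic flag (assumption). */
typedef atomic_flag SPIN_LOCK;

static void AcquireLock(SPIN_LOCK *Lock)
{
    while (atomic_flag_test_and_set_explicit(Lock, memory_order_acquire)) {
        /* spin until the holder releases */
    }
}

static void ReleaseLock(SPIN_LOCK *Lock)
{
    atomic_flag_clear_explicit(Lock, memory_order_release);
}

/* Recover the enclosing structure from a pointer to its LIST_ENTRY member. */
#define CONTAINING_RECORD(Address, Type, Field) \
    ((Type *)((char *)(Address) - offsetof(Type, Field)))

typedef struct _NODE {
    LIST_ENTRY Link;   /* must be embedded in the element, never copied */
    int Value;
} NODE;

static LIST_ENTRY g_ListHead;
static SPIN_LOCK g_ListLock = ATOMIC_FLAG_INIT;

/* The three-step pattern from the post: acquire, insert at tail, release. */
static void InsertNodeLocked(NODE *Node)
{
    AcquireLock(&g_ListLock);
    InsertTailList(&g_ListHead, &Node->Link);
    ReleaseLock(&g_ListLock);
}

/* Drain the list under the same lock; return the sum of the values if
 * FIFO order was preserved, or -1 if an element came out of order. */
static int DrainAndSum(void)
{
    int Sum = 0, Expected = 1;
    AcquireLock(&g_ListLock);
    while (!IsListEmpty(&g_ListHead)) {
        NODE *Node = CONTAINING_RECORD(RemoveHeadList(&g_ListHead), NODE, Link);
        if (Node->Value != Expected++) {
            ReleaseLock(&g_ListLock);
            return -1;
        }
        Sum += Node->Value;
    }
    ReleaseLock(&g_ListLock);
    return Sum;
}

/* Constructed input: five nodes valued 1..5 inserted under the lock. */
int Demo(void)
{
    static NODE Nodes[5];
    InitializeListHead(&g_ListHead);
    for (int i = 0; i < 5; i++) {
        Nodes[i].Value = i + 1;
        InsertNodeLocked(&Nodes[i]);
    }
    return DrainAndSum();
}

int main(void)
{
    printf("sum of drained nodes: %d\n", Demo());
    return 0;
}
```

The point to carry over to the driver is that every reader and writer of the list takes the same lock, and that the LIST_ENTRY is embedded in the element it links (hence CONTAINING_RECORD on the way out). The kernel version differs in one important respect the toy lock cannot model: KeAcquireSpinLock raises the IRQL to DISPATCH_LEVEL, so nothing inside the critical section may touch pageable memory or block.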