Very cool if you can maybe show us adding functions to a driver then injecting that driver without hurting the non-tampered with driver functionability !! 😃😄
btw, at 6:64 it shows you ObjectNameAddress (in this case 36feb2e5a8) in my case ObjectNameAddress is 0x0000000a`9232dd88 when I type: du 0xa9232dd88 it dosent show me the string representing path, why is that? (it only prints "VX")
Not sure what you mean by "mounting to a folder" - a volume is independent of any folder. It may be unformatted, which will not allow "standard" access but still possible with APIs.
@@zodiacon seems without calling SetVolumeMountPoint one cannot access files directly on the new volume, otherwise one could subst subfolders as drives directly via Control\Session Manager\DOS Devices ..
Sorry to ask this just in case this has been asked before, I love the windows internals books and was just wondering if anyone knows whether an 8th edition will be on the way or wether the current 7th edition also is completely relevant to windows 11? I assume it is since I have heard that 11’s codebase is the same or most of it is to 10,s. Thanks to any replies!
@@zodiacon Yes, I am on Win 11. I see it now, thanks alot. Uhh, if you don't mind, may I ask you why a Windows Guru like you doesn't prefer Win 11? I don't like Win 11 too but use it though because of hardware/driver compatibility.
@@zodiacon Yes, I agree with you. In addition, its memory use in idle takes increasingly more memory. Even just a simple calculator app can take 100 MB in memory. I miss the old Windows 7 days so much.
Another great video!
I love Windows Internals. It is really a pleasure to watch the videos of one of its co-authors.
great explanation as always
Very cool if you can maybe show us adding functions to a driver then injecting that driver without hurting the non-tampered with driver functionability !! 😃😄
btw, at 6:64
it shows you ObjectNameAddress (in this case 36feb2e5a8)
in my case ObjectNameAddress is 0x0000000a`9232dd88
when I type: du 0xa9232dd88 it dosent show me the string representing path, why is that? (it only prints "VX")
It's a UNICODE_STRING structure, so you may need to use dt ntdll!_UNICODE_STRING and the address
it seems a sata volume can only be accessed after it was mounted into a empty folder. yet can we use a volume without mounting it to any folder?
Not sure what you mean by "mounting to a folder" - a volume is independent of any folder. It may be unformatted, which will not allow "standard" access but still possible with APIs.
@@zodiacon seems without calling SetVolumeMountPoint one cannot access files directly on the new volume, otherwise one could subst subfolders as drives directly via Control\Session Manager\DOS Devices ..
I did access files directly...
That said, there may be subtleties I am missing here.
@@zodiacon your volume was mounted as C. try a volume thats not mounted at all.
Sorry to ask this just in case this has been asked before, I love the windows internals books and was just wondering if anyone knows whether an 8th edition will be on the way or wether the current 7th edition also is completely relevant to windows 11? I assume it is since I have heard that 11’s codebase is the same or most of it is to 10,s. Thanks to any replies!
Yes, the 7th edition is relevant to Windows 11 as well as Windows 10. There are some new stuff in Windows 11, but it's still the same codebase.
@@zodiacon Thanks Pavel, is there likely to be an 8th edition in the future if enough changes occur?
I would say it's likely, but really no way to tell...
@@zodiacon Thanks pavel, really appreciate your replies!
Hey, anyone knows how to download the notepad's symbols? In my case, it seems like windbg doesn't download it automatically.
If you're on Win 11 and using the "new" notepad - I believe the symbols are not provided by MS.
@@zodiacon Yes, I am on Win 11. I see it now, thanks alot. Uhh, if you don't mind, may I ask you why a Windows Guru like you doesn't prefer Win 11? I don't like Win 11 too but use it though because of hardware/driver compatibility.
Win 11 is a failure, in my opinion. The kernel is still good, but the user-facing features are terrible, such as the task bar and explorer.
@@zodiacon Yes, I agree with you. In addition, its memory use in idle takes increasingly more memory. Even just a simple calculator app can take 100 MB in memory. I miss the old Windows 7 days so much.