Tricks & Protips

This page contains mostly source code snippets, but also short prose describing ideas about what might be possible with this research.  Right now it is a holding area for some topics I want to flesh out.

Dumping list of filters

Here is a code snippet from DmpFlt.cpp that uses an undocumented structure to enumerate all crash dump filters in the dump stack:


    /**
        @brief Enumerates crash dump filter drivers loaded in the crash path

        @details Debug function only. Walks the doubly linked list of
        FILTER_CONTEXT records backwards (via Blink) starting from the record
        reached through g_Context->InitializationData.

        @return N/A
    */
    VOID
    PrintFilters (
        VOID
        )
    {
        PFILTER_CONTEXT context;
        PLIST_ENTRY entry, listHead;

        // The InitializationData pointer lands inside the first FILTER_CONTEXT,
        // whose embedded Link serves as the list head (there is no sentinel node).
        context = (PFILTER_CONTEXT)g_Context->InitializationData;
        listHead = &context->Link;
        entry = listHead;

        do
        {
            // Recover the enclosing FILTER_CONTEXT from its embedded LIST_ENTRY.
            context = CONTAINING_RECORD(entry, FILTER_CONTEXT, Link);

            NT_ASSERT(context != NULL);

            DBGPRINT("DmpFlt: FILTER_CONTEXT at %p:\n", context);
            DBGPRINT("\tFilterInitializationData %p\n", &context->FilterInitData);
            DBGPRINT("\tFilterExtension %p\n", &context->FilterExtension);
            DBGPRINT("\tCommonContext %p\n", context->Context);
            DBGPRINT("\tUnknown %p\n", context->UnknownPointer);
            DBGPRINT("\tUnknown %08x\n", context->UnknownNumber);

            // Step backwards; stop on a broken link or once we are back at the head.
            entry = entry->Blink;

        } while (entry != NULL && entry != listHead);
    }

All you need here is InitializationData, which is actually the RegistryPath argument to your dump filter’s DriverEntry routine.
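The walk above depends only on the LIST_ENTRY / CONTAINING_RECORD idiom, so its behaviour can be checked in user mode without a crash dump stack. The following is an added example (not DmpFlt code) that models the list with a hypothetical, cut-down FILTER_CONTEXT (only Name, Link and UnknownNumber are assumed), builds a constructed three-filter chain, and walks it backwards with the same loop shape as PrintFilters. It also shows what the entry != NULL guard buys you: on a chain where one Blink has been nulled, the walk stops instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* User-mode stand-ins for the kernel list idiom used by PrintFilters.
 * Shapes mirror the Windows LIST_ENTRY and CONTAINING_RECORD definitions. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

/* Hypothetical model of the undocumented FILTER_CONTEXT (assumption: only the
 * embedded Link matters for the walk; Name is a constructed label). */
typedef struct _FILTER_CONTEXT {
    const char *Name;
    LIST_ENTRY Link;
    unsigned long UnknownNumber;
} FILTER_CONTEXT, *PFILTER_CONTEXT;

/* Visits every FILTER_CONTEXT reachable by following Blink from listHead, using
 * the same loop as PrintFilters. listHead is the Link of a real record (the one
 * found through InitializationData), not a sentinel, so it is visited first.
 * Returns the number of records visited; names go to visitOrder (up to maxOut). */
size_t WalkFiltersBackward(PLIST_ENTRY listHead, const char **visitOrder, size_t maxOut)
{
    PLIST_ENTRY entry = listHead;
    size_t count = 0;

    do {
        PFILTER_CONTEXT context = CONTAINING_RECORD(entry, FILTER_CONTEXT, Link);
        if (count < maxOut) {
            visitOrder[count] = context->Name;
        }
        count++;
        entry = entry->Blink;
    } while (entry != NULL && entry != listHead); /* NULL guard: stop on a broken link */

    return count;
}

/* Constructed chain A <-> B <-> C <-> A. Re-links on every call so that a
 * deliberately broken chain can be rebuilt. Returns &A.Link, which plays the
 * role of the record reached via InitializationData. */
static FILTER_CONTEXT g_sample[3];

PLIST_ENTRY BuildSampleChain(void)
{
    const char *names[3] = { "A", "B", "C" };
    for (size_t i = 0; i < 3; i++) {
        g_sample[i].Name = names[i];
        g_sample[i].UnknownNumber = (unsigned long)i;
        g_sample[i].Link.Flink = &g_sample[(i + 1) % 3].Link;
        g_sample[i].Link.Blink = &g_sample[(i + 2) % 3].Link;
    }
    return &g_sample[0].Link;
}

int main(void)
{
    const char *order[8];
    PLIST_ENTRY head = BuildSampleChain();
    size_t n = WalkFiltersBackward(head, order, 8);

    printf("intact chain: %zu records visited:", n);
    for (size_t i = 0; i < n; i++) {
        printf(" %s", order[i]);   /* A C B: head first, then backwards */
    }
    printf("\n");

    /* Simulate a corrupted Blink on the last record so the guard is exercised. */
    head->Blink->Blink = NULL;
    n = WalkFiltersBackward(head, order, 8);
    printf("broken chain: %zu records visited before the NULL guard stopped the walk\n", n);
    return 0;
}
```

Starting from A and following Blink yields A, C, B: the head record itself is reported first, and the termination test compares against the head's Link address, not against a sentinel, so a list that is not circular would never come back to it. That is why the NULL check matters when the structure is undocumented and its invariants are unverified.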
