non-paged memory inside a kernel driver

Discussion in 'Windows Vista Drivers' started by krish, Mar 31, 2008.

  1. krish

    krish Guest

    Hi, what is the maximum size of non-paged memory that I can allocate
    inside inside my kernel driver in XP and Vista? I took the diskperf
    from WDK, modified it and on Vista, 32-bit, 2GB RAM, I tried
    allocating 4/8/100/512 MB and I was able to do it successfully while
    allocating 1GB and above failed. Is there any hard restriction on the
    amount of non-paged memory I can allocate inside my driver?

    Thanks in anticipation.
    krish, Mar 31, 2008
    1. Advertisements

  2. krish

    Don Burn Guest

    Pre-Vista it is 128MB, but even in Vista doing a large allocate is a really
    bad idea, since then the rest of the system will be starved, and likely to

    Don Burn (MVP, Windows DDK)
    Windows 2k/XP/2k3 Filesystem and Driver Consulting
    Remove StopSpam to reply
    Don Burn, Mar 31, 2008
    1. Advertisements

  3. krish

    krish Guest

    Hi Don, large is kind of relative term :). Would you suggest any
    number in terms of percentage of the available memory like 10%, 20%
    etc which you think is safe enough? Or from your experience, what is
    the largest amount that you have seen in a well performing kernel mode
    driver? Thanks.
    krish, Mar 31, 2008
  4. you will not get such a number. let's say 20 instance of such a driver was
    loaded and the number was 10%. then at least half of them would not be able
    to load. moreover, it depends on the state of system memory when you try to
    allocate memory, the virtual address space has to have a big enough gap
    (e.g. it is not fragmented) to fit your allocation.

    what are you going to do with the memory once you have
    allocated it?

    Doron Holan [MSFT], Mar 31, 2008
  5. krish

    krish Guest

    Hi Doron, There is just one instance of the driver and it will be
    loaded during the windows startup. I have two devices one rotating
    disk and one flash. In my driver I keep a table map which tells me
    what data is in the flash and what is in the disk, using which I
    direct the request to either flash or disk. The size of this table is
    big, around 100MB. I do not want this table to ever page out to disk./
    flash, so I need 100MB of non-paged memory inside my driver. Do you
    have any suggestions?
    krish, Mar 31, 2008
  6. krish

    usfinecats Guest

    If you look at Trend Micro's PC-cillan product, and run poolmon you'll
    discover they suck up ~80MBs and never release it (on XP) that's enough to
    hose my application.

    With their stuff running I cannot allocate 10 MB 's on a XP system. I don't
    crash, but then again I cannot perform my tasks.
    usfinecats, Apr 2, 2008
  7. krish

    Don Burn Guest

    Yes that is why a number of consider it MALWARE instead of anti-MALWARE. It
    is ironic that the big names McAfee, Symantec and Trend Micro all produce
    products that do more harm than good.

    Don Burn (MVP, Windows DDK)
    Windows 2k/XP/2k3 Filesystem and Driver Consulting
    Remove StopSpam to reply
    Don Burn, Apr 2, 2008
  8. krish

    David Craig Guest

    I like Symantec. I get it at work and it is not that bad of a load on the
    system. Some versions have been a little excessive, but newer versions are
    better. Every one of them will make mistakes or design decisions that have
    a direct impact on some of us. You have to decide which impact you can live
    with or are you bold and don't want any antivirus or other protection. None
    are light in weight on the system and can't really be and get the job done
    with all the attacks being developed. There are much better programmers
    working on the virus, trojan, etc. software than ever before since a lot of
    money can be made without any criminal liability. Many are in countries
    where there is no civil liability either and that means they can write the
    'toolkits' for the crooks to use.

    I do not work for Symantec and have no current relationship with them other
    than as a customer. I usually buy any Norton stuff at Fry's when it is on
    sale with rebates equal to the purchase price. For the cost of sales tax
    and a couple of stamps, I get new versions without having to pay their
    renewal rates. I like them, but I won't give my money away if I don't have
    to do so.

    David Craig, Apr 3, 2008
  9. with all the attacks being developed. There are much better programmers
    Really? Malware development is a crime in Russia, and suspect US has stricter
    criminal laws (for instance, Russia has no DMCA).
    Maxim S. Shatskih, Apr 3, 2008
  10. krish

    David Craig Guest

    I saw a report about a group in Russia that sells kits for those who want to
    attack various banks and financial institutions by getting spyware on their
    customer's computers to intercept and report account and password
    information. AFAIK here in the U.S., if I never use the software myself to
    commit illegal acts, I can develop it. I might get caught on a conspiracy
    count or sued in civil court, though, if I sell the kits. If I can keep the
    money trail away from myself, I am sure it would be difficult to obtain a
    criminal conviction.

    The capabilities of current viral packages have increased from simple
    exploits to far more complex code that tries dozens of exploits, implements
    rootkits, and hides their actvities far better than before.
    David Craig, Apr 3, 2008
  11. krish

    Don Burn Guest

    My complaints with Symantec are:

    1. Hooking of system calls and in some cases modifying the actions in ways
    against the spec. Sorry do no harm is the first rule of software.

    2. Inserting themselves in the storage stack, then selectively skipping
    drivers below them (and in some versions with hooking drivers above them).
    Gee no one elses filter works, because Symantec owns the machine.

    3. Disabling their code on detection of a kernel debugger, so that you
    cannot easily prove #1 and #2 above.

    4. Having multiple times opened security holes with their product, and not
    informed the customers when they did.

    As someone who has had to debug file system filters in the presence of
    SymanCRAP I urge everyone I know to avoid them like the plague. Their
    protests to the EU about Microsoft blocking hooking (and therefore the
    Symantec product) was to me proof they care more about profit than a product
    that works.

    Don Burn (MVP, Windows DDK)
    Windows 2k/XP/2k3 Filesystem and Driver Consulting

    Don Burn, Apr 3, 2008
  12. I've seen kernel memory leaks up to full memory exaustion when Symantec AV
    was present on the system.

    Alexander Grigoriev, Apr 3, 2008
  13. information. AFAIK here in the U.S., if I never use the software myself to
    What about copy protection breaking? development of such code is a crime under
    Maxim S. Shatskih, Apr 3, 2008
  14. krish

    David Craig Guest

    They make mistakes like any of us. As to hooking, as long as Microsoft
    can't prevent hooks from being used by the bad guys, there is no way to
    detect some viral code unless you can hook. Just because Microsoft's
    antivirus is happy with the lowest detection rates of all major products,
    doesn't mean that others should follow the same rules.

    In the Norton line, the legacy file system filter has been replaced with a
    minifilter. That puts the support issues back on Microsoft, as they have
    rules that storage volumes/class drivers must have specific objects used.
    With the minifilter model, they must comply with the way Microsoft wants
    them to work or they won't be supported by the minifilter manager.

    Item 3 can be a real pain. I think that they have a right to protect
    themselves from reverse engineering no matter how much it hurts us. If you
    have a specific problem, try asking for help on DSL Reports.

    David Craig, Apr 3, 2008
  15. krish

    Don Burn Guest

    And everytime one of my customers has asked they have said "it is your
    problem not ours why should we help", and if you prove it is theirs they
    rattle the "illegal reverse engineering, we will invoke DCMA" claim.
    Personally I believe a significant part of the cost of production file
    system filters is the CRAP that Symantec (and the other biggies in AV) sell.

    Don Burn (MVP, Windows DDK)
    Windows 2k/XP/2k3 Filesystem and Driver Consulting
    Remove StopSpam to reply
    Don Burn, Apr 3, 2008
  16. krish

    Pavel A. Guest

    Technologies like Intel AMT will put end to any hooks and rootkits,
    as scanning code looks at the system from outside;
    rootkits can't hide from it.
    And it is much less expensive as one could think.

    Pavel A., Apr 3, 2008
  17. Ben Voigt [C++ MVP], Apr 3, 2008
  18. krish

    Pavel A. Guest

    Pavel A., Apr 3, 2008
  19. Oh...

    I didn't mean to suggest that firewire is the same as AMT (thanks for the
    link though, I need to read up), but that it yields essentially the same
    capability of reading code from the outside without possibility of
    interception, so you don't have to have AMT in your system.
    Ben Voigt [C++ MVP], Apr 3, 2008
  20. krish

    Pavel A. Guest

    No, AMT (in it's current version) is based on a special controller in the
    chipset. You can't install it on a system that has another chipset.
    Explanations on the Intel public site never been especialy good - mostly
    fuzzy marketing talk; need to see the manuals to understand anything.

    It's true that any DMA device can read host's RAM, there even was a
    report about a worm that downloaded itself into firmware of a wireless
    netcard so it's master could remotely control the machine. A nice hack.

    Pavel A., Apr 4, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.