Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

RE:: X64 APC Delivering

Don_Burn_1Don_Burn_1 Member Posts: 4,311
Why would you want to do something like this? All the APC handling
stuff is undocumented, and as has been tested more than once,
performance of an APC callback solution is poor versus using an I/O
Completion Port.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr




> -----Original Message-----
> From: xxxxx@altervista.org [mailto:xxxxx@altervista.org]
> Posted At: Wednesday, July 21, 2010 9:47 AM
> Posted To: ntdev
> Conversation: X64 APC Delivering
> Subject: X64 APC Delivering
>
> Hi all!
> I'm an italian developer. I'm developing a Kernel driver for a
university
> research that queues an user apc to a process with the objective to
map a dll
> in a user process... Everything work fine: the user mode mapped APC
code is
> this:
>
> APCLoadLibraryFunc PROC
> ; void APCLoadLibraryFunc(PVOID NormalContext, PVOID SystemArgument1,
PVOID
> SystemArgument2); ; RCX = NormalContext ; RDX = SystemArgument1 ; R8 =
> SystemArgument2
> int 3
> nop
> sub RSP, 38h mov
[rsp+30h], RAX
> mov RAX, 123456789ABCDEF7h ; <--- LoadLibraryW address, filled
by driver
> call RAX
> mov RAX, [RSP+30h]
> add RSP, 38h
> ret
> nop
> dummySpace BYTE 14 DUP(90h)
> dummyString WORD 255 DUP(0); <-- Offset +0x040
APCLoadLibraryFunc ENDP
>
> In a test program made by me, with SleepEx, all work fine, the APC is
> delivered and the dll is mapped (address of its name is in the
NormalContext
> parameter) in the process. All work fine also in every other Non
Microsoft
> processes.
>
> But in almost Microsoft processes like explorer.exe or services.exe
this code
> is broken in the line "call RAX" because it raise an exception in the
routine
> ntdll!RtlQueryInformationActivationContext+0x372 at this statement:
mov
> r12,qword ptr [rsp+0C8h] ss:00000000`024cf028=0000000000000000.
>
> Someone know why this appened? Why my code in a non Microsoft process
work
> fine but not in Microsoft Process? Is a sort of protection mechanism?
What
> RtlQueryInformationActivationContext really does?
> This strange behavior happens only in Windows Server 2008 R2 X64 and
Windows 7
> x64, in the 32 bit os version all work fine... This behaviour is
revealed also
> if i call any kernel32 API in the APC function (not only loadlibrary
or
> CreateThread).
>
> I will be grateful to whichever can give me a suggestion.
> Thanks very much and sorry for my poor english.
>
> Andrea Allievi
>
>
> __________ Information from ESET Smart Security, version of virus
signature
> database 5297 (20100721) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>

Comments

  • Doron_HolanDoron_Holan Member - All Emails Posts: 10,428
    First i hope you realize this entirely undocumented territory. How are you getting the address of loadlibraryw? If you are assuming a fixed constant addressof kernel32 across all processes, ASLR invalidates that.

    d

    dent from a phpne with no keynoard

    -----Original Message-----
    From: xxxxx@altervista.org <xxxxx@altervista.org>
    Sent: July 21, 2010 6:48 AM
    To: Windows System Software Devs Interest List <xxxxx@lists.osr.com>
    Subject: [ntdev] X64 APC Delivering


    Hi all!
    I'm an italian developer. I'm developing a Kernel driver for a university research that queues an user apc to a process with the objective to map a dll in a user process... Everything work fine: the user mode mapped APC code is this:

    APCLoadLibraryFunc PROC
    ; void APCLoadLibraryFunc(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2);
    ; RCX = NormalContext
    ; RDX = SystemArgument1
    ; R8 = SystemArgument2
    int 3
    nop
    sub RSP, 38h mov [rsp+30h], RAX
    mov RAX, 123456789ABCDEF7h ; <--- LoadLibraryW address, filled by driver
    call RAX
    mov RAX, [RSP+30h]
    add RSP, 38h
    ret
    nop
    dummySpace BYTE 14 DUP(90h)
    dummyString WORD 255 DUP(0); <-- Offset +0x040
    APCLoadLibraryFunc ENDP

    In a test program made by me, with SleepEx, all work fine, the APC is delivered and the dll is mapped (address of its name is in the NormalContext parameter) in the process. All work fine also in every other Non Microsoft processes.

    But in almost Microsoft processes like explorer.exe or services.exe this code is broken in the line "call RAX" because it raise an exception in the routine ntdll!RtlQueryInformationActivationContext+0x372 at this statement: mov r12,qword ptr [rsp+0C8h] ss:00000000`024cf028=0000000000000000.

    Someone know why this appened? Why my code in a non Microsoft process work fine but not in Microsoft Process? Is a sort of protection mechanism? What RtlQueryInformationActivationContext really does?
    This strange behavior happens only in Windows Server 2008 R2 X64 and Windows 7 x64, in the 32 bit os version all work fine... This behaviour is revealed also if i call any kernel32 API in the APC function (not only loadlibrary or CreateThread).

    I will be grateful to whichever can give me a suggestion.
    Thanks very much and sorry for my poor english.

    Andrea Allievi

    ---
    NTDEV is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
    d
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 25 Feb 2019 OSR Seminar Space
Developing Minifilters 8 April 2019 OSR Seminar Space