RE:: X64 APC Delivering

Don_Burn_1 · July 21, 2010, 9:51am

Why would you want to do something like this? All the APC handling
stuff is undocumented, and as has been tested more than once,
performance of an APC callback solution is poor versus using an I/O
Completion Port.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@altervista.org [mailto:xxxxx@altervista.org]
Posted At: Wednesday, July 21, 2010 9:47 AM
Posted To: ntdev
Conversation: X64 APC Delivering
Subject: X64 APC Delivering

Hi all!
I’m an italian developer. I’m developing a Kernel driver for a
university
research that queues an user apc to a process with the objective to
map a dll
in a user process… Everything work fine: the user mode mapped APC
code is
this:

APCLoadLibraryFunc PROC
; void APCLoadLibraryFunc(PVOID NormalContext, PVOID SystemArgument1,
PVOID
SystemArgument2); ; RCX = NormalContext ; RDX = SystemArgument1 ; R8 =
SystemArgument2
int 3
nop
sub RSP, 38h mov
[rsp+30h], RAX
mov RAX, 123456789ABCDEF7h ; <— LoadLibraryW address, filled
by driver
call RAX
mov RAX, [RSP+30h]
add RSP, 38h
ret
nop
dummySpace BYTE 14 DUP(90h)
dummyString WORD 255 DUP(0); <– Offset +0x040
APCLoadLibraryFunc ENDP

In a test program made by me, with SleepEx, all work fine, the APC is
delivered and the dll is mapped (address of its name is in the
NormalContext
parameter) in the process. All work fine also in every other Non
Microsoft
processes.

But in almost Microsoft processes like explorer.exe or services.exe
this code
is broken in the line “call RAX” because it raise an exception in the
routine
ntdll!RtlQueryInformationActivationContext+0x372 at this statement:
mov
r12,qword ptr [rsp+0C8h] ss:00000000`024cf028=0000000000000000.

Someone know why this appened? Why my code in a non Microsoft process
work
fine but not in Microsoft Process? Is a sort of protection mechanism?
What
RtlQueryInformationActivationContext really does?
This strange behavior happens only in Windows Server 2008 R2 X64 and
Windows 7
x64, in the 32 bit os version all work fine… This behaviour is
revealed also
if i call any kernel32 API in the APC function (not only loadlibrary
or
CreateThread).

I will be grateful to whichever can give me a suggestion.
Thanks very much and sorry for my poor english.

Andrea Allievi

__________ Information from ESET Smart Security, version of virus
signature
database 5297 (20100721) __________

The message was checked by ESET Smart Security.

http://www.eset.com

Doron_Holan · July 21, 2010, 9:54am

First i hope you realize this entirely undocumented territory. How are you getting the address of loadlibraryw? If you are assuming a fixed constant addressof kernel32 across all processes, ASLR invalidates that.

d

dent from a phpne with no keynoard

-----Original Message-----
From: xxxxx@altervista.org
Sent: July 21, 2010 6:48 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] X64 APC Delivering

Hi all!
I’m an italian developer. I’m developing a Kernel driver for a university research that queues an user apc to a process with the objective to map a dll in a user process… Everything work fine: the user mode mapped APC code is this:

APCLoadLibraryFunc PROC
; void APCLoadLibraryFunc(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2);
; RCX = NormalContext
; RDX = SystemArgument1
; R8 = SystemArgument2
int 3
nop
sub RSP, 38h mov [rsp+30h], RAX
mov RAX, 123456789ABCDEF7h ; <— LoadLibraryW address, filled by driver
call RAX
mov RAX, [RSP+30h]
add RSP, 38h
ret
nop
dummySpace BYTE 14 DUP(90h)
dummyString WORD 255 DUP(0); <– Offset +0x040
APCLoadLibraryFunc ENDP

In a test program made by me, with SleepEx, all work fine, the APC is delivered and the dll is mapped (address of its name is in the NormalContext parameter) in the process. All work fine also in every other Non Microsoft processes.

But in almost Microsoft processes like explorer.exe or services.exe this code is broken in the line “call RAX” because it raise an exception in the routine ntdll!RtlQueryInformationActivationContext+0x372 at this statement: mov r12,qword ptr [rsp+0C8h] ss:00000000`024cf028=0000000000000000.

Someone know why this appened? Why my code in a non Microsoft process work fine but not in Microsoft Process? Is a sort of protection mechanism? What RtlQueryInformationActivationContext really does?
This strange behavior happens only in Windows Server 2008 R2 X64 and Windows 7 x64, in the 32 bit os version all work fine… This behaviour is revealed also if i call any kernel32 API in the APC function (not only loadlibrary or CreateThread).

I will be grateful to whichever can give me a suggestion.
Thanks very much and sorry for my poor english.

Andrea Allievi

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer