Why would you want to do something like this? All the APC handling
stuff is undocumented, and as has been tested more than once,
performance of an APC callback solution is poor versus using an I/O
Completion Port.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
-----Original Message-----
From: xxxxx@altervista.org [mailto:xxxxx@altervista.org]
Posted At: Wednesday, July 21, 2010 9:47 AM
Posted To: ntdev
Conversation: X64 APC Delivering
Subject: X64 APC DeliveringHi all!
I’m an italian developer. I’m developing a Kernel driver for a
university
research that queues an user apc to a process with the objective to
map a dll
in a user process… Everything work fine: the user mode mapped APC
code is
this:APCLoadLibraryFunc PROC
; void APCLoadLibraryFunc(PVOID NormalContext, PVOID SystemArgument1,
PVOID
SystemArgument2); ; RCX = NormalContext ; RDX = SystemArgument1 ; R8 =
SystemArgument2
int 3
nop
sub RSP, 38h mov
[rsp+30h], RAX
mov RAX, 123456789ABCDEF7h ; <— LoadLibraryW address, filled
by driver
call RAX
mov RAX, [RSP+30h]
add RSP, 38h
ret
nop
dummySpace BYTE 14 DUP(90h)
dummyString WORD 255 DUP(0); <– Offset +0x040
APCLoadLibraryFunc ENDPIn a test program made by me, with SleepEx, all work fine, the APC is
delivered and the dll is mapped (address of its name is in the
NormalContext
parameter) in the process. All work fine also in every other Non
Microsoft
processes.But in almost Microsoft processes like explorer.exe or services.exe
this code
is broken in the line “call RAX” because it raise an exception in the
routine
ntdll!RtlQueryInformationActivationContext+0x372 at this statement:
mov
r12,qword ptr [rsp+0C8h] ss:00000000`024cf028=0000000000000000.Someone know why this appened? Why my code in a non Microsoft process
work
fine but not in Microsoft Process? Is a sort of protection mechanism?
What
RtlQueryInformationActivationContext really does?
This strange behavior happens only in Windows Server 2008 R2 X64 and
Windows 7
x64, in the 32 bit os version all work fine… This behaviour is
revealed also
if i call any kernel32 API in the APC function (not only loadlibrary
or
CreateThread).I will be grateful to whichever can give me a suggestion.
Thanks very much and sorry for my poor english.Andrea Allievi
__________ Information from ESET Smart Security, version of virus
signature
database 5297 (20100721) __________The message was checked by ESET Smart Security.