want to run ISR without additional hardware

For the purpose of research and testing I am looking for a way to allow us
to write and test device drivers with an ISR that will run on most systems
without requiring any additional hardware.

Does anyone have a good suggestion for a simple piece of unused legacy
hardware that we all have onboard of which we could claim the resources,
that can generate interrupts so we could write a test driver for it? Or a
way to substitute a driver of a very generic simple piece of hardware that
interrupts?

//Daniel

I’m struggling to understand how simply generating interrupts in a hardware-specific way leads to anything interesting other than (a) running at DIRQL, (b) having to do hardware-specific stuff to make the interrupts happen or stop.

But… be that as it may. Hmmmmm… Your requirements:

  1. Simple
  2. Legacy
  3. We all have onboard
  4. We could claim the resources
  5. can generate interrupts

Serial port is, of course, the instant idea. But I’m not sure that fits criteria #3, above.

Most mainboards have an SMBUS controller in the PCH, so you could probably uninstall “nodrv” and use that controller. Getting data to arrive at the host controller (resulting in interrupts) might be random though, as there’s usually little traffic on an SMBUS (unless you have something you can plug into it).

Are you averse to using an add-in board (yes, I realize this does not meet constraint #3 above)? If not, you could get a simple watchdog timer board… nothing simpler than that, really.

Or, for that matter, you could use the DIO-24 device we sell in the OSR Online Store. A simpler device has not been created, and you can generate interrupts by flipping a switch.

I’ll be curious to see what other folks suggest. But, again… perhaps I’m limited, but I don’t see what that’s generalizable can come from this exercise.

Peter
OSR

The standard security researcher / malware author approach (and I do make a distinction between those two) is to send a carefully formed ping packet down the networking stack with a payload that is formed in the way that the Intel processor manuals describe for message-signaled interrupts. The receive buffers are then described in a way that the first part, the part that’s big enough for the networking headers, is in main memory and the second part, your carefully crafted payload, is described with a physical address that points to the Local APIC. See the link below for details.

http://theinvisiblethings.blogspot.com/2011/05/following-white-rabbit-software-attacks.html

  • Jake Oshins
    Windows Kernel Team

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@resplendence.com
Sent: Wednesday, January 9, 2013 4:42 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] want to run ISR without additional hardware

For the purpose of research and testing I am looking for a way to allow us to write and test device drivers with an ISR that will run on most systems without requiring any additional hardware.

Does anyone have a good suggestion for a simple piece of unused legacy hardware that we all have onboard of which we could claim the resources , that can generate interrupts so we could write a test driver for it ? Or a way to substitute a driver of a very generic simple piece of hardware that interrupts ?

//Daniel


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

What sort of research and testing?

In the past I have generated an ISR call using the ‘INT x’ asm instruction. It turned out to be a dumb idea for a production driver (race conditions with the parent bus driver that used an actual hardware interrupt) but maybe it might fulfil the requirements of your research and testing, unless your ISR environment requires that the interrupt was actually generated via the lapic…

James

Thanks for the replies so far. One of the things I am doing is measuring and
reporting ISR->DPC->User latencies. So far I have been using the OsrUsbFx2
for that and it works great but now I am thinking about how to get this to
work without the additional hardware so that it can run anywhere.

//Daniel

> One of the things I am doing is measuring and reporting ISR->DPC->User latencies.
> So far I have been using the OsrUsbFx2 for that and it works great but now I am thinking about
> how to get this to work without the additional hardware so that it can run anywhere.

Well, in order to raise an interrupt in software all you have to do is write to the LAPIC’s ICR. Therefore, you don’t seem to need any additional hardware here. Find some unused interrupt vector and modify the IDT in such a way that your target vector’s corresponding entry points to your custom stub which invokes your custom ISR which queues a DPC which, in turn, signals an event that a test thread is waiting on. If you do it this way you will be able to measure the latencies of interest. What you are going to do with this info is already a different question…

Anton Bassov

An INTx instruction doesn’t leave the Local APIC in a position to handle an EOI, which is necessary if you want to run an ISR that was registered the way that drivers should.

  • Jake Oshins
    (former MSI guy)
    Windows Kernel Team

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of James Harper
Sent: Wednesday, January 9, 2013 12:47 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] want to run ISR without additional hardware

What sort of research and testing?

In the past I have generated an ISR call using the ‘INT x’ asm instruction. It turned out to be a dumb idea for a production driver (race conditions with the parent bus driver that used an actual hardware interrupt) but maybe it might fulfil the requirements of your research and testing, unless your ISR environment requires that the interrupt was actually generated via the lapic…

James

Is there a way to generate a MSI programmatically?

Did you see Jake’s previous post that describes a… rather clever… way to do this?

Peter
OSR

Yes, I saw the post and read the article, but what I meant is an API, something like HalRequestMSI(Affinity, Vector)

It was elaborated on this list that MSI can be added in IRP_MN_QUERY_RESOURCE_REQUIREMENTS / IRP_MN_FILTER_RESOURCE_REQUIREMENTS.

So, naturally the question arises how to signal such an interrupt

Anybody?

There are two ways of interpreting your question.

A) How are message-signaled interrupts placed on the bus?

The answer is that the “data” value is written to the “address” value. After you claim an interrupt, you can connect it with IoConnectInterruptEx. That succeeds and returns, among other things, a table giving you information including these address and data values. First hit in this search: http://www.bing.com/search?q=IO_INTERRUPT_MESSAGE_INFO_ENTRY+structure+(Windows+Drivers)&qs=n&form=QBLH&pq=io_interrupt_message_info_entry+structure+(windows+drivers)&sc=0-0&sp=-1&sk=

It’s not even necessary for your device to contain an MSI or MSI-X capability structure for this to work. If you can make your device do a 32-bit DMA write to an arbitrary address, you can generate an interrupt. (See my post a couple of days ago about making this happen just by using ICMP.)

B) How is this generally used in drivers?

In general, most people build devices with MSI or MSI-X capabilities and they use that hardware to do those DMA writes. Those tables, though, are finite and usually somewhat smaller than you’d like. So they overclaim interrupts and use the hardware as a cache for all the possible interrupts they might want to send.

As a concrete example, imagine a NIC with a 16-entry MSI-X table in a machine with 24 processor cores. The NIC signals to NDIS that it can handle an RSS hash table of 16 entries, or alternatively, 16 MAC addresses through VMQ, and then claims 24 interrupt messages. When those get associated with a processor core, the driver swaps the interrupt for that processor into the MSI-X table at the right offset for that internal queue and away you go.

  • Jake Oshins
    (once and former interrupt guy)
    Windows Kernel Team

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Saturday, January 12, 2013 1:32 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] want to run ISR without additional hardware

It was elaborated on this list that MSI can be added in IRP_MN_QUERY_RESOURCE_REQUIREMENTS / IRP_MN_FILTER_RESOURCE_REQUIREMENTS.

So, naturally the question arises how to signal such an interrupt

Anybody?
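An added illustration of the address/data pair discussed in the reply above (not code from any poster or from Windows): it decodes an x86 MSI address and data value using the field layout in the Intel SDM, and shows the check a receive-buffer validator can apply to refuse DMA targets that fall inside the 0xFEExxxxx interrupt window. The `sg_entry` type, the function names and the sample values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* x86 MSI window per the Intel SDM: address bits 31:20 are 0xFEE. */
#define MSI_BASE 0xFEE00000ull
#define MSI_END  0xFEF00000ull   /* exclusive */

typedef struct {
    bool    valid;          /* address lies in the MSI window */
    uint8_t dest_apic_id;   /* address bits 19:12 */
    uint8_t vector;         /* data bits 7:0 */
    uint8_t delivery_mode;  /* data bits 10:8, 0 = fixed */
} msi_fields;
typedef struct { uint64_t phys; uint32_t len; } sg_entry; /* hypothetical descriptor */

/* Split an address/data pair into the fields the Local APIC acts on. */
msi_fields msi_decode(uint64_t addr, uint32_t data) {
    msi_fields f = {0};
    if (addr < MSI_BASE || addr >= MSI_END) return f;
    f.valid = true;
    f.dest_apic_id = (uint8_t)(addr >> 12);
    f.vector = (uint8_t)data;
    f.delivery_mode = (uint8_t)((data >> 8) & 7);
    return f;
}

/* True if the DMA target [phys, phys+len) touches the interrupt window. */
bool dma_hits_msi_window(uint64_t phys, uint64_t len) {
    if (len == 0) return false;
    uint64_t last = phys + len - 1;
    if (last < phys) return true;            /* wrapped range: reject */
    return phys < MSI_END && last >= MSI_BASE;
}

/* Index of the first descriptor a validator should refuse, or -1 if none. */
int sg_first_bad(const sg_entry *sg, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (dma_hits_msi_window(sg[i].phys, sg[i].len)) return (int)i;
    return -1;
}

/* Constructed sample: headers in RAM, payload aimed at the MSI window. */
static const sg_entry SAMPLE_SG[] = { {0x1A2B3000ull, 64}, {0xFEE01000ull, 4} };

int main(void) {
    msi_fields f = msi_decode(0xFEE01000ull, 0x0041);
    printf("dest=%u vector=0x%02X bad=%d\n", f.dest_apic_id, f.vector, sg_first_bad(SAMPLE_SG, 2));
    return 0;
}
```

On platforms with an IOMMU, interrupt remapping is the hardware-level mitigation for the same class of write.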


Jake

Thank you for your elaboration; let me refine my question: how to simulate a MSI w/o having MSI capable / DMA writes capable HW? Is there something like HalRequestMSI(Affinity, Vector)?

TIA
Amdrew