Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Debugging NdrClientCall3

Santos_MerinoSantos_Merino Member Posts: 1
Hi all,

After being a frequent (passive) user of this list, I have the need of opening
a new thread in order to ask for some help.

During the last days I have been trying to understand some internal functions
of Windows (more concretely, Windows 10 x64). However, in some cases I am meshing
with NdrClientCall3. The problem I have is that I do not know how to determine
the process (and the corresponding target function) it is communicating with.
Next you can find an exemplary snippet of code (taken from WinDbg during one
of my debugging sessions):

...
mov rdx,qword ptr [rbx]
mov rcx,qword ptr [ncryptprov!g_RpcBindingContext+0x8]
mov eax,dword ptr [rsp+0A0h]
mov dword ptr [rsp+48h],eax
mov dword ptr [rsp+40h],r14d
mov qword ptr [rsp+38h],r15
mov qword ptr [rsp+30h],rdi
mov qword ptr [rsp+28h],rdx
mov qword ptr [rsp+20h],rcx
mov r9,qword ptr [ncryptprov!g_RpcBindingContext]
xor r8d,r8d
lea edx,[r8+9]
lea rcx,[ncryptprov!mp_scrambled_store <PERF> (ncryptprov+0x42060)]
call qword ptr [ncryptprov!_imp_NdrClientCall3]
mov rbx,rax
...

At this point of the discussion my question should be clear (I guess), i.e., how can
I continue the debugging process without having to skip the function being executed
in the other side? Or, in other words, how can I determine which is the process and
target function we are communicating with?

Thanks in advance for your help.

Regards,
Santos
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Developing Minifilters 24 May 2021 Live, Online
Writing WDF Drivers 14 June 2021 Live, Online
Internals & Software Drivers 27 September 2021 Live, Online
Kernel Debugging TBD 2021 Live, Online