Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Sept/Oct 2019 Issue of The NT Insider available


Download PDF here: http://insider.osr.com/2019/ntinsider_2019_01.pdf

It’s a particularly BIG issue, too: 40 pages of technical goodness, ranging from WDF to Minifilters. Check it out.
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

How to find DPC Stack beginning?

My driver sometimes needs to defines current stack begging and receives it via KeGetCurrentThread(). For Win10 it is:

PKTHREAD pCurrentThread = KeGetCurrentThread();
pEnvironmentPointer = (PVOID) * (PUINT64)((PCHAR)pCurrentThread + 0x038);

The problem occurs with DPC. As written kernel always switches to the DPC stack from the current thread stack when handling DPCs.
The stack example may be found here": https://social.msdn.microsoft.com/Forums/en-US/ac41bbe8-39d4-4739-a009-7532d22b2cd4/dpc-stack-size-and-switch?forum=wdk

DpcStack : 0xfffff800`03c31fb0 Void from PCRB
Current thread Stack - Base fffff8800 2261000 Limit fffff880 0225b000

Child-SP RetAddr : Call Site
fffff80003c31fa8 fffff800026d2905 : nt!KiRetireDpcList
fffff80003c31fb0 fffff800026d271c : nt!KxRetireDpcList+0x5 (TrapFrame @ // switch is here!!!!
fffff8800225fd80 fffff8000271545c : nt!KiDispatchInterruptContinue
fffff8800225fdb0 fffff8800183627b : nt!KiDpcInterrupt+0xcc (TrapFrame @
fffff8800225ff40 fffff88001835ef5 : tcpip!UdpSendMessages+0x36b
fffff88002260330 fffff800026dbefa : tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
fffff88002260360 fffff880018364b8 : nt!KeExpandKernelStackAndCalloutEx+0xda

The problem: on DPC KeGetCurrentThread() reports pointer on base, not DPC stack!?!
Question: How to find DPC Stack begging?

.
Other source is WinDBG which reports inside "analize -v":

DPC_STACK_BASE: FFFFF8004F60DFB0

Where is this address is? :neutral:

Comments

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,443

    My driver sometimes needs to defines current stack begging

    Why? What larger problem are you trying to solve, that you think you need this?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter,
    I output (Log) stack in some internal assertion for following analyzing.

    Procedure is written independently from IRQ Level.
    But I was not aware about stack switching on DPC.
    The problem how to find end of interesting stack zone...

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,443

    Windows has switched stacks in DPCs for a long time... like since Vista. Windows also now (as of Win10 I think) switches stacks for ISRs, by the way.

    Have you considered using RtlCaptureStackBackTrace in some way?

    There’s also an Rtl routine that walks the stack for debugging... but I can find it (and don’t think it was ever documented in any case).

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter,
    thanks a lot!

    I did not aware about existing this API.
    I will check how it works (a bit later), it is seen what I'm needs...

    And it's documented.
    Header is inside ntifs.h (way?), but really it is not important.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 21 Oct 2019 OSR Seminar Space & ONLINE
Internals & Software Drivers 18 Nov 2019 Dulles, VA
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 27 Apr 2020 OSR Seminar Space & ONLINE