Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


How to find DPC Stack beginning?

My driver sometimes needs to defines current stack begging and receives it via KeGetCurrentThread(). For Win10 it is:

PKTHREAD pCurrentThread = KeGetCurrentThread();
pEnvironmentPointer = (PVOID) * (PUINT64)((PCHAR)pCurrentThread + 0x038);

The problem occurs with DPC. As written kernel always switches to the DPC stack from the current thread stack when handling DPCs.
The stack example may be found here": https://social.msdn.microsoft.com/Forums/en-US/ac41bbe8-39d4-4739-a009-7532d22b2cd4/dpc-stack-size-and-switch?forum=wdk

DpcStack : 0xfffff800`03c31fb0 Void from PCRB
Current thread Stack - Base fffff8800 2261000 Limit fffff880 0225b000

Child-SP RetAddr : Call Site
fffff80003c31fa8 fffff800026d2905 : nt!KiRetireDpcList
fffff80003c31fb0 fffff800026d271c : nt!KxRetireDpcList+0x5 (TrapFrame @ // switch is here!!!!
fffff8800225fd80 fffff8000271545c : nt!KiDispatchInterruptContinue
fffff8800225fdb0 fffff8800183627b : nt!KiDpcInterrupt+0xcc (TrapFrame @
fffff8800225ff40 fffff88001835ef5 : tcpip!UdpSendMessages+0x36b
fffff88002260330 fffff800026dbefa : tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
fffff88002260360 fffff880018364b8 : nt!KeExpandKernelStackAndCalloutEx+0xda

The problem: on DPC KeGetCurrentThread() reports pointer on base, not DPC stack!?!
Question: How to find DPC Stack begging?

.
Other source is WinDBG which reports inside "analize -v":

DPC_STACK_BASE: FFFFF8004F60DFB0

Where is this address is? :neutral:

Comments

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,807

    My driver sometimes needs to defines current stack begging

    Why? What larger problem are you trying to solve, that you think you need this?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter,
    I output (Log) stack in some internal assertion for following analyzing.

    Procedure is written independently from IRQ Level.
    But I was not aware about stack switching on DPC.
    The problem how to find end of interesting stack zone...

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,807

    Windows has switched stacks in DPCs for a long time... like since Vista. Windows also now (as of Win10 I think) switches stacks for ISRs, by the way.

    Have you considered using RtlCaptureStackBackTrace in some way?

    There’s also an Rtl routine that walks the stack for debugging... but I can find it (and don’t think it was ever documented in any case).

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter,
    thanks a lot!

    I did not aware about existing this API.
    I will check how it works (a bit later), it is seen what I'm needs...

    And it's documented.
    Header is inside ntifs.h (way?), but really it is not important.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA