break on ISR

Hi, I’m working on Win7 x64 on my first driver; how can I debug my custom interrupt service routine?
Thanks for your answers.

Use the debugger (WinDbg) and set a break point.

Peter
OSR

Set a breakpoint using the debugger.

Mark Roddy

On Thu, Jan 10, 2013 at 10:08 AM, wrote:

> Hi, I’m working on Win7 x64 on my first driver; how can I debug my custom interrupt service routine?
> Thanks for your answers.
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

If I set a breakpoint on my ISR entry with WinDbg, the system hangs.

That’s very odd. It’s always worked for me. Sounds like you haven’t set up WinDbg correctly or you have another interesting problem… such as a hardware issue.

Just to check: You are running WinDbg on a DIFFERENT system than the one on which your driver is running, right? You’re not trying to do this on one machine?

Peter
OSR

I’m working with WinDbg on Win7 x64 and the driver is running on VMware Win7 x64. I have tried to do the same thing on VirtualBox XP x86 and it works. Is it a problem of x64 or of my system?

Hmmmm… well, I’m not sure how you’re debugging a hardware device (it must be a hardware device, because you have interrupts) in a VM, actually.

Try using a physically separate machine. It’s a virtualization problem, I bet.

Peter
OSR

I hope I’m not expressing myself wrongly (in which case I apologize); I mean my driver should handle the illegal instruction exception, and that is the routine that I have to debug.

xxxxx@libero.it wrote:

> I hope I’m not expressing myself wrongly (in which case I apologize); I mean my driver should handle the illegal instruction exception, and that is the routine that I have to debug.

What? How do you expect to handle an illegal instruction exception?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> xxxxx@libero.it wrote:

> > I hope I’m not expressing myself wrongly (in which case I apologize); I mean
> > my driver should handle the illegal instruction exception, and that is the
> > routine that I have to debug.
>
> What? How do you expect to handle an illegal instruction exception?

+1. This is simply not an interesting thing to do. Or, as best I can
guess, even sensible.

Intercepting an illegal instruction exception from user space is not
something that can make sense. For one thing, the definition of “illegal
instruction” is a moving target, and changes from platform to platform and
year to year. Last year’s “illegal instruction” is one of this year’s
SIPX (Supercool Inner Product eXtensions) instructions.

And intercepting an illegal instruction that occurs in the kernel is
simply a colossal design error.

Because the illegal instruction exception already has a handler, this
suggests that the IDT has to be patched, and we all know How We Feel About
That.

This seems to be more of a question of the best angle for pig wings. OP,
what problem do you think this is going to solve? You should be more
explicit about the goals. Illegal instruction traps indicate deep and
unforgivable bugs in the code, and should be “handled” by making the
problem (such as clobbering the return address on the stack) go away.
joe





I assume you mean that your ISR sometimes fails and raises an illegal
instruction exception. This is most likely a memory corruption issue; and
most likely you are trashing the stack somehow.

wrote in message news:xxxxx@ntdev…

> I hope I’m not expressing myself wrongly (in which case I apologize); I mean my
> driver should handle the illegal instruction exception, and that is the routine
> that I have to debug.

Most such errors occur as a result of a buffer overrun which clobbers the
return address, which results in a return to East Hyperspace, which is
largely populated by illegal instructions (which slip across the borders
from West Hyperspace, in case you’re wondering).

So the question is perhaps “how do I detect the cause of an illegal
instruction trap which occurs when my ISR is called,” which is quite
different from stating that the “driver” (whatever THAT means!) “should
handle” illegal instruction traps (a “driver” has many components, and
viewing it as a monolithic object is not productive).

And, as I stated in one of my replies, a driver should not generate
illegal instruction errors from ANY of its components, let alone the ISR.

So either the question was mis-stated, or the OP is looking for the wrong
solution for a much deeper problem.
joe

> I assume you mean that your ISR sometimes fails and raises an illegal
> instruction exception. This is most likely a memory corruption issue; and
> most likely you are trashing the stack somehow.
>
> wrote in message news:xxxxx@ntdev…
>
> I hope I’m not expressing myself wrongly (in which case I apologize); I mean my
> driver should handle the illegal instruction exception, and that is the routine
> that I have to debug.



The exception is caused from user space. Probably I was wrong labeling my function as an ISR (wrong name), but it is a custom nt!KiGeneralProtectionFault (hooked from the IDT).

Hooking the IDT falls into the category of Worst Practices. It should be
avoided at all times, since it is not only an undocumented and unsupported
mechanism, but also because Microsoft is being (properly) extremely
aggressive in making sure this will become impossible. Hooking the IDT is
essentially a malware trick, and in any sane operating system (which we
are starting to see happening in Windows) it should be impossible.

You have committed one of the most fundamental errors possible here, which
is to ask how to implement something which is almost certainly the wrong
solution to the problem, instead of stating the problem you are trying to
solve and asking for what would best solve it. I could do all of this
entirely in user space, before breakfast, and would never, ever consider
any solution that involves patching the IDT.

So: what problem are you actually trying to solve? Note that your chances
of getting assistance from this group for any solution which patches the
IDT is probably vanishingly small. Your chances of getting constructive
help for your actual problem, however, are probably pretty good. Just as
soon as you can explain it, and we can think about it. Note that the
feedback might be to change the requirements of your solution, because the
problem as stated may not have a solution, or may not need a solution.
But until that problem is known, be aware that you have chosen what is
almost certainly not just the “wrong” solution, but the /worst possible/
solution to the unstated problem.
joe

> The exception is caused from user space. Probably I was wrong labeling my
> function as an ISR (wrong name), but it is a custom nt!KiGeneralProtectionFault
> (hooked from the IDT).


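The defender-side counterpart to joe’s point, as an added example that is not code from the thread or from any poster: a small checker that reads text in the shape of WinDbg’s `!idt` listing (vector, handler address, resolved symbol) and flags any processor exception vector (0x00 to 0x1f) whose handler the debugger does not resolve into `nt` or that falls outside the ntoskrnl load range. The listing, every address in it, the `mydrv+0x1000` entry and the ntoskrnl range are constructed for this demonstration; on a real machine you would feed it the actual `!idt` output and the range reported by `lm m nt`. On x64 Windows the IDT is also among the structures Kernel Patch Protection checks, which is one reason a hook of this kind tends to end in a bugcheck rather than go unnoticed.

```c
/* Added example (not from the thread): flag IDT exception vectors whose
 * handler is not in the kernel image, as a defender would when checking
 * a machine for the kind of IDT hook discussed above.
 * Input is constructed text in the shape of WinDbg's "!idt" listing
 * (vector, handler address, symbol); every address and the ntoskrnl
 * range below are made up for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_ENTRIES 64

struct idt_entry {
    unsigned vector;
    uint64_t handler;
    char symbol[64];
};

/* Constructed sample listing: every vector resolves into nt! except 0x0d
 * (general protection fault), which has been redirected into a third-party
 * driver, the pattern the OP describes. */
static const char *SAMPLE_IDT =
    "Dumping IDT: fffff80000b95080\n"
    "\n"
    "00:\tfffff80002c9f800 nt!KiDivideErrorFault\n"
    "06:\tfffff80002c9fd00 nt!KiInvalidOpcodeFault\n"
    "0d:\tfffff88003a41000 mydrv+0x1000\n"
    "0e:\tfffff80002ca2180 nt!KiPageFault\n"
    "e1:\tfffff80002c98dc0 nt!KiIpiInterrupt\n";

/* Assumed (constructed) load range of ntoskrnl.exe for the sample. */
static const uint64_t NT_BASE = 0xfffff80002c00000ULL;
static const uint64_t NT_END  = 0xfffff80003200000ULL;

/* Parse "vv:<ws>address symbol" lines into entries; lines that do not
 * match (the header, blank lines) are skipped. Returns entries parsed. */
static int parse_idt(const char *text, struct idt_entry *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        unsigned vec;
        unsigned long long addr;
        char sym[64];
        if (sscanf(line, "%x: %llx %63s", &vec, &addr, sym) == 3) {
            out[n].vector = vec;
            out[n].handler = (uint64_t)addr;
            snprintf(out[n].symbol, sizeof out[n].symbol, "%s", sym);
            n++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* A processor exception vector (0x00-0x1f) is expected to be served by
 * ntoskrnl; a handler outside the nt image, or one the debugger resolves
 * to another module, is a hook candidate worth investigating. */
static int is_suspicious(const struct idt_entry *e)
{
    if (e->vector > 0x1f)
        return 0;   /* device interrupt vectors are dispatched differently */
    int in_nt_range = e->handler >= NT_BASE && e->handler < NT_END;
    int nt_symbol   = strncmp(e->symbol, "nt!", 3) == 0;
    return !(in_nt_range && nt_symbol);
}

/* Print and count suspicious exception vectors in a listing. */
int count_suspicious_vectors(const char *idt_text)
{
    struct idt_entry entries[MAX_ENTRIES];
    int n = parse_idt(idt_text, entries, MAX_ENTRIES);
    int bad = 0;
    for (int i = 0; i < n; i++) {
        if (is_suspicious(&entries[i])) {
            printf("vector 0x%02x -> %016llx %s: handler outside nt image\n",
                   entries[i].vector,
                   (unsigned long long)entries[i].handler,
                   entries[i].symbol);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    int bad = count_suspicious_vectors(SAMPLE_IDT);
    printf("%d suspicious exception vector(s)\n", bad);
    return bad ? 1 : 0;
}
```

Only the exception vectors are compared: device interrupt vectors are dispatched through interrupt objects and legitimately point at per-vector code, so a range check against ntoskrnl alone would produce noise there. The interesting set for this thread is 0x00 to 0x1f, and 0x0d in particular.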

The goal is to change the value given by the rdtsc instruction. The only way I know is through this procedure: make the rdtsc instruction illegal and catch the exception; if the exception is given by the rdtsc instruction, I put changed values in eax and edx; if the exception is given by another case, I perform the old exception handler.
The function works fine, but if I add the call to DbgPrint the system hangs; it is for this reason that I wanted to debug the function.
Just to clarify, I have no intention to create malware.

It occurred to me that you must give a fairly precise statement of the
problem you are trying to solve. You cannot be sloppy about it. For
example, in an earlier message you said you wanted to handle illegal
instructions. Then in this message, you say that you need to handle GP
faults. Why did you think we would assume that they are the same thing?
They aren’t. Is your goal to suppress that message that says the program
has stopped running? Be aware that the MessageBox you see is issued from
the running application, not from the kernel. What do you propose to do
with a program that has attempted an operation on an illegal memory
address? Who wrote the program? Why is the program buggy? Why do you
need to handle the bug? Why can’t the program handle the error itself?
Why do you feel compelled to build a solution in the kernel? Almost
anything I can imagine to make sense can not only be done from user space,
but /must/ be done from user space! I cannot imagine anything the kernel
should do that the normal handler can’t do. But without a spec as to what
the goals are, nothing can be suggested.

Oh yes, one constructive suggestion: delete every trace of your kernel
code from every machine that contains it. Start over, and start with a
requirements document that states the problem and specifies the desired
characteristics of a solution. You have chosen a bad implementation, no
matter what the requirements are.
joe

> The exception is caused from user space. Probably I was wrong labeling my
> function as an ISR (wrong name), but it is a custom nt!KiGeneralProtectionFault
> (hooked from the IDT).



You just changed the specs again. Now you want to trap one particular
instruction. Why do you think you have to hook that in the kernel? For
that matter, why is your app issuing an RDTSC instruction? And if it is
your app, why not change what it is calling? And if you are trying to do
timing, note that an RDTSC which is not properly serialized will give an
incorrect result, and if it is serialized, the serialization significantly
alters the performance by breaking the instruction pipe. So we have to
back up a level and ask, “why do you want to use RDTSC?” and the
accompanying “is it being used correctly?”

The answer might be that you are trying to solve the wrong problem and are
using the wrong solution.

So go back and explain what you think intercepting RDTSC is going to do.
Note that the overheads you introduce with your IDT hook might well end up
making the data nonsensical. I used to do performance measurement for a
living, so I have some idea what this could mess up.
joe

> The goal is to change the value given by the rdtsc instruction. The only
> way I know is through this procedure: make the rdtsc instruction illegal and
> catch the exception; if the exception is given by the rdtsc instruction, I
> put changed values in eax and edx; if the exception is given by another
> case, I perform the old exception handler.
> The function works fine, but if I add the call to DbgPrint the system
> hangs; it is for this reason that I wanted to debug the function.
> Just to clarify, I have no intention to create malware.


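joe’s remark about serialization, as an added example that is not code from the thread or from any poster: the three common ways of reading the time-stamp counter on x86 with GCC or Clang intrinsics, the ordering each one guarantees, and a measurement of what the fence costs compared with the thing being timed. `work()`, the iteration and run counts and the labels are constructed for the demonstration; nothing here touches the IDT or alters what RDTSC returns.

```c
/* Added example (not from the thread): three ways to read the time-stamp
 * counter and what each guarantees about ordering, to illustrate the point
 * that an unserialized RDTSC misorders and a serialized one costs.
 * Builds with GCC or Clang; on non-x86 targets the readers report the
 * counter as unavailable so the file still compiles. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc, __rdtscp */
#include <cpuid.h>       /* __cpuid */
#define TSC_AVAILABLE 1
#else
#define TSC_AVAILABLE 0
#endif

int tsc_available(void) { return TSC_AVAILABLE; }

/* Plain RDTSC: not serializing. The CPU may execute it before earlier
 * instructions have retired, so a start/stop pair can bracket more or
 * less work than the source order suggests. */
static inline uint64_t tsc_plain(void)
{
#if TSC_AVAILABLE
    return __rdtsc();
#else
    return 0;
#endif
}

/* CPUID;RDTSC: CPUID is fully serializing, so every earlier instruction
 * has completed before the counter is read. This is the heavyweight fence
 * that "breaks the instruction pipe", and CPUID is expensive (hundreds of
 * cycles natively, far more when a hypervisor traps it). */
static inline uint64_t tsc_serialized(void)
{
#if TSC_AVAILABLE
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    return __rdtsc();
#else
    return 0;
#endif
}

/* RDTSCP: waits for all prior instructions to complete but does not stop
 * later ones from starting early. Cheaper than CPUID and the usual choice
 * for the "stop" read of a timed region. */
static inline uint64_t tsc_stop(void)
{
#if TSC_AVAILABLE
    unsigned aux;
    return __rdtscp(&aux);
#else
    return 0;
#endif
}

/* Something non-trivial to time; the volatile sink keeps it from being
 * optimised away. Constructed workload for the demonstration. */
static volatile uint64_t sink;
static void work(void)
{
    uint64_t acc = 0;
    for (uint64_t i = 0; i < 20000; i++)
        acc += i * i;
    sink = acc;
}

/* Time work() with the recommended pair: serialize before the start read,
 * RDTSCP for the stop read. Returns elapsed TSC ticks (0 if unavailable). */
uint64_t time_work_fenced(void)
{
    uint64_t t0 = tsc_serialized();
    work();
    uint64_t t1 = tsc_stop();
    return t1 - t0;
}

/* Smallest cost of an empty measurement pair over several runs: this is the
 * overhead the fence adds to every measurement, which can dwarf the thing
 * being measured. */
uint64_t empty_pair_overhead(int serialized)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < 200; i++) {
        uint64_t t0 = serialized ? tsc_serialized() : tsc_plain();
        uint64_t t1 = tsc_stop();
        if (t1 - t0 < best)
            best = t1 - t0;
    }
    return best;
}

int main(void)
{
    if (!tsc_available()) {
        puts("time-stamp counter not available on this target");
        return 0;
    }
    printf("work():               %llu ticks (fenced)\n",
           (unsigned long long)time_work_fenced());
    printf("empty pair, plain:    %llu ticks\n",
           (unsigned long long)empty_pair_overhead(0));
    printf("empty pair, CPUID:    %llu ticks\n",
           (unsigned long long)empty_pair_overhead(1));
    return 0;
}
```

Run it once on bare metal and once inside a VM: the CPUID-fenced empty pair is the number that changes most, because hypervisors intercept CPUID, and that overhead is paid on every measurement whether or not the region being timed is small.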

I know that I do not know much in the field (so thank you for the patience you are showing). It is not my application that uses the RDTSC instruction; RDTSC is usually used to check if a program is under debugging (anti-debug trick). My driver is like this “deroko.phearless.org/ring0.html fake rdtsc” (it is used with Themida and other protections). The problem is not that my driver doesn’t work; the problem is that I can’t step through my exception handler with WinDbg and I don’t understand why calling DbgPrint from the exception handler causes a hang. If you know another method to do that, I have no problem using it.

Unfortunately, the file is a zipfile, and my iPad currently has no software
to look at it. But from your description, it sounds like you might be
trying to crack copy protection; if you can’t convince us otherwise, you’ll
have to take this discussion to a cracker newsgroup.
joe

> I know that I do not know much in the field (so thank you for the patience
> you are showing). It is not my application that uses the RDTSC instruction;
> RDTSC is usually used to check if a program is under debugging (anti-debug
> trick). My driver is like this “deroko.phearless.org/ring0.html fake
> rdtsc” (it is used with Themida and other protections). The problem is not
> that my driver doesn’t work; the problem is that I can’t step through
> my exception handler with WinDbg and I don’t understand why calling
> DbgPrint from the exception handler causes a hang. If you know another
> method to do that, I have no problem using it.



Altering copy protection systems is usually not a valid engineering goal, so
unless this is a project to get a specific legacy application that you can’t
modify to run in an altered environment, you are on very thin ice.

Note that any copy protection scheme that relies on the results from this
instruction is easy to bypass using an emulator.

wrote in message news:xxxxx@ntdev…

> I know that I do not know much in the field (so thank you for the patience
> you are showing). It is not my application that uses the RDTSC instruction;
> RDTSC is usually used to check if a program is under debugging (anti-debug
> trick). My driver is like this “deroko.phearless.org/ring0.html fake
> rdtsc” (it is used with Themida and other protections). The problem is not
> that my driver doesn’t work; the problem is that I can’t step through my
> exception handler with WinDbg and I don’t understand why calling DbgPrint
> from the exception handler causes a hang. If you know another method to do
> that, I have no problem using it.