Breaking into win2k.sys each time I do a rdesktop

I have a linux machine.

I have my windows development machine on which I do rdesktop to from my
desktop linux machine.
My deployment machine is a Server 2008 machine.

I wanted to trace into sources of DriverEntry of my driver, So I just put a
breakpoint using “bp DriverEntry”.

Now, after that it used to break into other driver’s DriverEntry, fair
enough.

Now whenever I do a rdesktop on my deployment machine, I see that I got a
break in my WinDbg on DriverEntry of win2k module.

Below is what I get on my windbg

Breakpoint 1 hit
win32k!DriverEntry:

After this I said go in windbg and simply closed rdesktop window without
logging in.
Again did a rdesktop on that deployment machine and saw windbg break again
at DriverEntry of win32k.

It doesn’t have to do anything with my development, Asking just out of
curiosity why is happening like this?

Regards
Deepak

So you have a break point set purposely on win32k!DriverEntry because you
did not let the debugger know what module you wanted.

It could have picked just about anything. Almost all kernel drivers have a
DriverEntry.

You need to ‘qualify’ the breakpoint with the name of your driver
(modulename).

Read the Windbg docs for the bp command. That will explain it better than
I.

Good Luck,

Dave Cattley

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Deepak Gupta
Sent: Friday, February 20, 2009 4:39 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Breaking into win2k.sys each time I do a rdesktop

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> Almost all kernel drivers have a DriverEntry.
Almost? (or, as Anton would say, almost???)
Which ones do not?

----- Original Message -----
From: David R. Cattley
To: Windows System Software Devs Interest List
Sent: Friday, February 20, 2009 9:58 AM
Subject: RE: [ntdev] Breaking into win2k.sys each time I do a rdesktop

On Fri, Feb 20, 2009 at 8:28 PM, David R. Cattley wrote:

> So you have a break point set purposely on win32k!DriverEntry because you
> did not let the debugger know what module you wanted.
>
I know this David that every driver will break there.

Forgive me, may be I asked in a wrong way.

My question is whenever I do rdesktop, it breaks in win32k!DriverEntry, I
say go “g” in windbg.
Close the rdesktop window without logging in.
Again do a rdesktop, it again breaks into win32k!DriverEntry, my query was
why does on each rdesktop it breaks in DriverEntry.
It should get loaded previously or on the first time itself.


Not that this is on topic, or even useful information… but how about drivers that declare a different entry point when they’re linked?

I’m not saying it’s PRACTICAL… I’m just saying it’s possible. So, while Mr. Cattley’s qualification might be a little too careful, he IS technically correct,

Peter
OSR

On Fri, Feb 20, 2009 at 10:20 AM, Deepak Gupta wrote:

>
> Forgive me, may be I asked in a wrong way.
>
> My question is whenever I do rdesktop, it breaks in win32k!DriverEntry, I
> say go “g” in windbg.
> Close the rdesktop window without logging in.
> Again do a rdesktop, it again breaks into win32k!DriverEntry, my query was
> why does on each rdesktop it breaks in DriverEntry.
> It should get loaded previously or on the first time itself.
>
>>
It’s because win32k is a per-session driver. Every new session will load
win32k.sys.


Steve Johnson

They all have an ‘entry point’ - as to what it is called as a symbol name, I
am sure that can vary.

You see, I was trying to point out that DriverEntry is a *very* common
symbol name for NT drivers.

I was trying to do it without starting a wildly diverging discussion on all
the ways you could trick the linker into having your entry point named
something else. (Let’s all look in MAKEFILE.NEW to see how KMDF, for
instance, gets in there with its FxDriverEntry)

So I was carefully trying to avoid making any absolute statements like

“… all drivers have a DriverEntry…” and the like. You want to hazard a
guess what a statement like that would trigger on this list?

At the very least a typical Gdi ‘driver’ will have an entry point
canonically named DrvEnableDriver and it generally will not have a symbol
named DriverEntry.

note again the use of “typical” and “generally” :-)

-Dave

“Alex Shvedov” wrote in message news:xxxxx@ntdev…
> Almost all kernel drivers have a DriverEntry.
Almost? (or, as Anton would say, almost???)
Which ones do not?

On Fri, Feb 20, 2009 at 8:53 PM, Steve Johnson wrote:

> On Fri, Feb 20, 2009 at 10:20 AM, Deepak Gupta wrote:
>
>>
>> Forgive me, may be I asked in a wrong way.
>>
>> My question is whenever I do rdesktop, it breaks in win32k!DriverEntry, I
>> say go “g” in windbg.
>> Close the rdesktop window without logging in.
>> Again do a rdesktop, it again breaks into win32k!DriverEntry, my query was
>> why does on each rdesktop it breaks in DriverEntry.
>> It should get loaded previously or on the first time itself.
>>
>>>
> It’s because win32k is a per-session driver. Every new session will load
> win32k.sys.
>

Again out of curiosity, So if some one wants to load multiple instances of
his/her driver, Is that possible?
Or it is something very specific to win32k.sys?

Regards
Deepak


It is possible in separate sessions, but the calls are not documented.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Is this curiosity or do you see some perceived benefit of loading multiple times? Note that when you become a session-based driver a lot of the rules change and things can get hairy quickly.

d

Sent from my phone with no t9, all spilling mistakes are not intentional.


From: Deepak Gupta
Sent: Friday, February 20, 2009 7:31 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Breaking into win2k.sys each time I do a rdesktop


On Fri, Feb 20, 2009 at 9:07 PM, Doron Holan wrote:

> Is this curiosity or do you see some perceived benefit of loading
> multiple times? Note that when you become a session-based driver a lot of the
> rules change and things can get hairy quickly.
>

I have a lot of other things on my plate which are already quite hairy ;-)
It was just out of curiosity.

All, thanks a lot for clearing my queries.

Regards
Deepak


> I’m not saying it’s PRACTICAL… I’m just saying it’s possible.
Well, then it is a matter of terminology: a driver ( as smth
loaded by the OS) absolutely must have DriverEntry, from
WDK’s “Writing a DriverEntry Routine”:

“Each driver must have a DriverEntry routine … .
The I/O manager calls the DriverEntry routine when it
loads the driver.”

An additional DLL linked in by a driver (in the above
meaning of the term) certainly can have any entry point.

Oh well, you are right, “Not that this is on topic, or
even useful information…”

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Friday, February 20, 2009 10:20 AM
Subject: RE:[ntdev] Breaking into win2k.sys each time I do a rdesktop


Not that I would suggest the edit to the WDK Docs but

is obviously wishfully stating a rule. Substitute “entry point” for
“DriverEntry” and then you have the truth of the matter. The entrypoint is
not ‘exported by name’ but is recorded in the PE header as a RVA. The I/O
manager does not give two shakes what it is ‘called’ in the symbol table
(that is not even available to the loader to query if it wanted to).

Since when did the rules (or hopeful wishes) define the reality? :-)

More useless information but since it is lunch time here …

Cheers,
Dave

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alex Shvedov
Sent: Friday, February 20, 2009 11:36 AM
To: Windows System Software Devs Interest List
Subject: Re: RE:[ntdev] Breaking into win2k.sys each time I do a rdesktop


I’m glad we’re arguing an esoteric point. It’s so interesting and useful.

SURELY you’re not saying that the WDK docs are definitive when it comes to the architecture of Windows. Right?

Properly stated, every driver must have a DriverEntry routine which may or may not be named DriverEntry.

Mr. Cattley is entirely correct when he says:

But, why are you interested in “splitting hairs” Mr. Shvedov? I mean… what’s the point?

From the PRACTICAL point of view: Given that folks are strongly discouraged from inventing their own build procedures (to the point where doing so is barely practical), and the long tradition of naming the initial entry point in the driver DriverEntry, several things now rely on that name being the initial entry point of the driver. Thus, the only PRACTICAL thing to do is to name the initial entry point in your driver DriverEntry. In fact, in class, where I try not to make pointless, pedantic arguments, I simply tell people the function HAS to be named DriverEntry (“DriverEntry: all one word… capital D, capital E”).

Good heavens… why do people want to argue about such things?

Peter
OSR


> Good heavens… why do people want to argue about such things?

Were we arguing?

The meatball sub was incredible. Recess is over. I promise now to shut up
and go back to trying to make a living :-)

-Dave

> I mean… what’s the point?
Peter, from my previous post:

> Oh well, you are right, “Not that this is on topic, or
even useful information…”

I thought that it is enough to stop this sub-thread.

Thank you in advance for your cooperation.

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Friday, February 20, 2009 12:31 PM
Subject: RE:[ntdev] Breaking into win2k.sys each time I do a rdesktop


This is a case where the model abstraction (wherein DriverEntry is the entrypoint) is layered over the actual way things work (where the entrypoint is just an offset in the PE header and not a named symbol that is required to be exported).

It’s the same as that while main() is the entrypoint on a C program, the loader has a different way to locate the actual entrypoint symbol than a name lookup.

In actuality, most C apps built vs the Microsoft CRT have an entrypoint that is really called “mainCRTStartup”, which does some initialization work and then calls main(), which is what you would think of as the program start.

Similarly, for drivers, anything built with the default /GS settings has an actual entrypoint usually named GsDriverEntry, which then calls the DriverEntry symbol after generating the stack cookie seed value.

This paradigm allows extra init code to be slipped transparently in before the user startup code runs as necessary.

- S
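
The point made in this message and in Dave Cattley's earlier reply, that the entry point is an RVA recorded in the PE header rather than a name, shown as an added example (not code from any poster in this thread): it reads `AddressOfEntryPoint` from a PE header and reports which section that RVA falls in. The sample image, its section layout and the function names are constructed for the illustration.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1  # subsystem value used by kernel-mode images


def build_sample_image(entry_rva):
    """Constructed minimal PE32+ headers (not a real driver) for the demo."""
    sections = [(b".text", 0x1000, 0x800), (b"INIT", 0x2000, 0x200)]
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                             # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)            # Magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_NATIVE)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, 0)
        for name, va, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_entry_point(image):
    """Return what the header itself records about the entry point."""
    try:
        if len(image) < 64 or image[:2] != b"MZ":
            raise ValueError("not an MZ image")
        (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff_off = e_lfanew + 4
        _, nsections, _, _, _, opt_size, _ = struct.unpack_from(
            "<HHIIIHH", image, coff_off)
        opt_off = coff_off + 20
        (magic,) = struct.unpack_from("<H", image, opt_off)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        # Same offsets in PE32 and PE32+: the entry point is a 32-bit RVA.
        (entry_rva,) = struct.unpack_from("<I", image, opt_off + 16)
        (subsystem,) = struct.unpack_from("<H", image, opt_off + 68)
        # Data directories start at 96 (PE32) or 112 (PE32+); entry 0 = exports.
        dir_off = opt_off + (96 if magic == 0x10B else 112)
        (ndirs,) = struct.unpack_from("<I", image, dir_off - 4)
        export_rva = 0
        if ndirs > 0:
            export_rva, _ = struct.unpack_from("<II", image, dir_off)
        # Walk the section table to see where the RVA lands.
        section = None
        sec_off = opt_off + opt_size
        for i in range(nsections):
            name, vsize, va = struct.unpack_from("<8sII", image, sec_off + 40 * i)
            if va <= entry_rva < va + vsize:
                section = name.rstrip(b"\0").decode("ascii", "replace")
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return {
        "entry_rva": entry_rva,
        "section": section,                  # None: RVA is outside every section
        "native_subsystem": subsystem == IMAGE_SUBSYSTEM_NATIVE,
        "has_export_directory": export_rva != 0,
    }


if __name__ == "__main__":
    info = parse_entry_point(build_sample_image(0x2010))
    # No field here carries a function name: the loader only gets an RVA.
    print(info)
```

Nothing the parser reads contains a symbol name; names such as DriverEntry or GsDriverEntry come from the debugger's symbols, which is why an unqualified `bp DriverEntry` can match in any module.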

-----Original Message-----
From: Alex Shvedov
Sent: Friday, February 20, 2009 08:37
To: Windows System Software Devs Interest List
Subject: Re: RE:[ntdev] Breaking into win2k.sys each time I do a rdesktop


If you use a different symbol, then you break the nice automagical support for /GS, among other things. Those code pieces *do* link to a symbol by name, and you’ll get strange linker errors if you break that.

Just because an abstraction is not enforced by every single part of the system along the way is not license to consider breaking it to be a particularly wise nor recommended or supported thing to do.

- S

-----Original Message-----
From: David R. Cattley
Sent: Friday, February 20, 2009 09:15
To: Windows System Software Devs Interest List
Subject: RE: RE:[ntdev] Breaking into win2k.sys each time I do a rdesktop


[My turn to go OT, but I’ll be brief]

IIRC, in the earliest DDK documentation, DriverEntry was presented much as Dispatchxxx routines and AdapterControl/StartIo, etc., were and still are- making it appear like a placeholder defining what a function looked like, but with the strong recommendation that the name DriverEntry be used for it [and it was the build default]. Writing drivers was hard enough I’d be surprised if many tried to deviate from that.

At some point, [probably around NT 3.5 or 4] I recall going through makefile.def and finding a build macro that looked like it could be used to override the name in SOURCE- this may have been documented and I may have used it, but I’m not certain- in those days, I was prone to just using the “Alternative” methods [usually involving what I believe was called Developer Studio at about that mid-to-late-90’s time]. I’m afraid I was one of those who always coded a different name because by then people were interpreting it as “you MUST use DriverEntry”, so it was my way of being different…

But that did change when the buffer overflow checks were introduced. I was heart-struck by having to find a different outlet for my sociopathy. I suppose it’s satisfied now by shipping WDK tools that surreptitiously run KM binaries in user mode…

As for “why do people argue about this stuff?”. Just thought I’d observe I often ask myself the same question after:

* design and code reviews
* political debates
* lover’s quarrels or family “discussions”
* every C vs C++ thread known to modern man
And a lot of other controversies.

It’s just built into all of us, somewhere.

[I guess the peanut gallery had to chime in sometime, eh? My hands got sore from my sitting on them for so long]