DebugPrint hooking under 2000

For OSes that don’t support DbgSetDebugPrintCallback (e.g. 2000, XP and
2003) I hook IDT entry 0x2D and capture DebugPrint output from there.
Apart from not working under 2003 x64 due to PatchGuard it works fine
under XP and 2003 x32.

I’m now testing my driver under 2000 and hooking IDT entry 0x2D doesn’t
have the desired effect. Can anyone tell me what Windows 2000 does
differently? Is it just another IDT entry or are things done completely
differently?

Thanks

James

For w2k I would go for straight function call hooking rather than IDT.
Take a look at the call stack for DebugPrint and choose something
appropriate to insert a trampoline.

Or better yet just forget about w2k debug logging entirely. Or w2k for
that matter.

Mark Roddy

On Thu, Sep 30, 2010 at 8:35 AM, James Harper wrote:
> For OSes that don’t support DbgSetDebugPrintCallback (e.g. 2000, XP and
> 2003) I hook IDT entry 0x2D and capture DebugPrint output from there.
> Apart from not working under 2003 x64 due to PatchGuard it works fine
> under XP and 2003 x32.
>
> I’m now testing my driver under 2000 and hooking IDT entry 0x2D doesn’t
> have the desired effect. Can anyone tell me what Windows 2000 does
> differently? Is it just another IDT entry or are things done completely
> differently?
>
> Thanks
>
> James

Why does Sysinternals DebugView not work for you?
– pa

“James Harper” wrote in message
news:xxxxx@ntdev…
> For OSes that don’t support DbgSetDebugPrintCallback (e.g. 2000, XP and
> 2003) I hook IDT entry 0x2D and capture DebugPrint output from there.
> Apart from not working under 2003 x64 due to PatchGuard it works fine
> under XP and 2003 x32.
>
> I’m now testing my driver under 2000 and hooking IDT entry 0x2D doesn’t
> have the desired effect. Can anyone tell me what Windows 2000 does
> differently? Is it just another IDT entry or are things done completely
> differently?
>
> Thanks
>
> James
>

> For w2k I would go for straight function call hooking rather than IDT.
> Take a look at the call stack for DebugPrint and choose something
> appropriate to insert a trampoline.
>
> Or better yet just forget about w2k debug logging entirely. Or w2k for
> that matter.

Need to restore some files from SCSI tape onto something running
Exchange 2000 (e.g. Windows 2000), and a virtual machine seemed the best
way to do this in the absence of compatible hardware that is known to
work.

Now that my drivers are all working (needed SCSI passthrough from the
physical machine to the virtual machine) I don’t need to worry about
DebugPrint so much but thought that if it was easy enough I’d add that
too.

The only things not working are USB passthrough (not going to happen)
and networking (current driver is NDIS 5.1, not going to backport it
just for this).

Thanks again for pointing me to depends.exe. I was sure there was a way
to find the missing symbols but couldn’t remember what it was.

James

> Why does Sysinternals DebugView not work for you?

My drivers copy all the debug output to Xen (including bug check codes)
which is much faster than loading up the debugger and memory dumps,
especially when working over a slow link.

DebugView is great but my way is faster to capture fatal ASSERTs etc.

James

“James Harper” wrote in message
news:xxxxx@ntdev…
>>
>> Why does Sysinternals DebugView not work for you?
>
> My drivers copy all the debug output to Xen (including bug check codes)
> which is much faster than loading up the debugger and memory dumps,
> especially when working over a slow link.
>
> DebugView is great but my way is faster to capture fatal ASSERTs etc.
>
> James

Check http://alter.org.ua/soft/win/dbgdump/dbgdump.php

Regards,
– pa