how to check if function callback is valid

I have a structure containing several function callbacks. I would like to test if the callback is valid before I call the function. How can I do that?
The callback function prototype:
typedef LONG (*func)(void *x1, void *x2, void *x3, void *x4);

thanks

There is no way. You have to know that.

What do you expect ‘valid’ to mean in this case?

What you probably want it to mean is ‘does the pointer point to the start of a function which satisfies that prototype?’, but that would require examining the bytes pointed to, to see whether they represent values consistent with the instructions implementing such a function, including checking that it returns the right kind of value. This is hard and unproductive, and still won’t guarantee that the function called isn’t malicious. Don’t go there unless you are a glutton for punishment.

You might be able to do some heuristic checks on the pointer value itself, depending on what you know about the supplier of the pointer:

  1. Is the pointer NULL? If so, it’s not valid.

Many implementations would stop here and just call the function through the non-NULL pointer. However, there’s a bit more you can do:

  1. If not NULL, does it point to executable read-only memory? If not, it’s highly unlikely to be valid.

  2. If applicable, does it point to an address which is well-known to your program (e.g. because it originally supplied the pointer)?

In the end it boils down to: do you trust the supplier of this pointer? If not, don’t call it.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-600558-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: 25 January 2016 17:16
To: Windows System Software Devs Interest List
Subject: [ntdev] how to check if function callback is valid


Thanks, David, for the reply.
How can I check that it points to read-only memory? Can someone post sample code?

Or kerlic wrote:

> How can I check that it points to read-only memory? Can someone post
> sample code?

You were told, quite correctly, that you can’t perform any such “check”. What are you trying to do, and why aren’t you accepting the answers you’re given?

Well the OP never actually said if the callbacks are within kernel or user
space. For user mode addresses, you can use ZwQueryVirtualMemory to check
the page attribs. That still won’t tell you if your callback is “valid”
but you can at least check if the page is marked execute. Although unless
you are using undocumented methods to call user mode code, it doesn’t make
any sense to pass user mode callback addresses to the kernel in the first
place.

Now, how are you receiving this structure of callbacks and why may they or
may not be valid? If your driver is receiving data from some source why
would you blindly accept random data that might not be valid? Under what
conditions would they not be valid? The problem is you provided little to
no real information about what you are trying to do so it’s almost
impossible to provide an actual answer. Dave gave you some ideas on what
you can do but maybe if you better explain to the group what your goals are
then maybe you’ll get put on the right track.


Hi,
I am talking about the driver point of view. I got a BSOD, and when I look at the output I see the callback function is invalid: the jmp address was 00000000`00000010. I would like to debug the issue, but I want to make sure this is the problem. This is the reason I want to check if the callback is valid.

No, that address is definitely not a valid callback. It’s in page zero and probably comes about as a result of the supplier using an offset (16 or 0x10) to a NULL pointer.

This is really an extension of the ‘Is the pointer NULL?’ check but would also have been caught by the ‘does it point to executable read-only memory?’ check.

It’s also an example of the ‘pattern recognition’ debug skill; learning to recognise zero page references when they appear.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-600639-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: 26 January 2016 05:57
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] how to check if function callback is valid


I know the address is an extension of a NULL pointer. I would like to add a check in the code in order to catch and debug it.
Can you post an example of how to check ‘does it point to executable read-only memory?’

So what? Either the memory location where the function pointer is was overwritten, or somebody has provided an invalid pointer to you.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com


> Can you post an example of how to check ‘does it point to executable read-only memory?’

You do not need this. 0x10 is surely not executable memory :)


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
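
The NULL check, the NULL-plus-offset case (the 0x10 address from the crash) and the "well-known address" check from the replies above, written out as an added example; it is not code from any poster in this thread. The 64 KiB low-address limit, the LONG stand-in, and the names check_callback, call_checked, on_open and on_close are assumptions for illustration, and the checks inspect only the pointer value, not the code behind it.

```c
#include <stdint.h>
#include <stdio.h>

typedef long LONG;  /* stand-in for the Windows LONG type so this builds anywhere */
typedef LONG (*func)(void *x1, void *x2, void *x3, void *x4);

typedef enum {
    CB_OK,             /* passed every heuristic; still only as good as its supplier */
    CB_NULL,           /* pointer is NULL */
    CB_NULL_OFFSET,    /* small value such as 0x10: NULL plus a structure offset */
    CB_NOT_REGISTERED  /* not one of the callbacks this module handed out */
} cb_status;

/* Assumption: nothing below 64 KiB is ever valid code on the target. */
#define LOW_ADDRESS_LIMIT ((uintptr_t)0x10000)

/* Hypothetical callbacks that this module registered itself. */
static LONG on_open(void *a, void *b, void *c, void *d)  { (void)a; (void)b; (void)c; (void)d; return 0; }
static LONG on_close(void *a, void *b, void *c, void *d) { (void)a; (void)b; (void)c; (void)d; return 1; }
static const func known_callbacks[] = { on_open, on_close };

/* Classify the pointer value without dereferencing it. */
cb_status check_callback(func cb)
{
    uintptr_t addr = (uintptr_t)cb;
    size_t i;

    if (cb == NULL)
        return CB_NULL;
    if (addr < LOW_ADDRESS_LIMIT)
        return CB_NULL_OFFSET;
    for (i = 0; i < sizeof known_callbacks / sizeof known_callbacks[0]; i++)
        if (known_callbacks[i] == cb)
            return CB_OK;
    return CB_NOT_REGISTERED;
}

/* Invoke cb only when every check passes; *result is left untouched otherwise. */
cb_status call_checked(func cb, void *x1, void *x2, void *x3, void *x4, LONG *result)
{
    cb_status st = check_callback(cb);
    if (st == CB_OK)
        *result = cb(x1, x2, x3, x4);
    return st;
}

int main(void)
{
    printf("0x10 classified as %d\n", (int)check_callback((func)(uintptr_t)0x10));
    return 0;
}
```

In a driver, the non-CB_OK branch is the place to log the value or break into the debugger, which identifies the supplier of the bad pointer before the call rather than after the bugcheck.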