I have a question about Interrupt Service Routine

A question about interrupt handling.

We are trying to handle an interrupt: when a specific interrupt is generated, InterruptServiceRoutine is called.

The source code follows:

static unsigned long OldInterruptHandler;   /* original vector, saved by the install code (not shown) */
void InterruptServiceRoutine(void);

__declspec(naked) void MakeInterruptHandler(void)
{
    __asm {
        test dword ptr [esp+4], 0x20000
        jz IntHandle
        jmp dword ptr cs:[OldInterruptHandler]   ; not ours: chain to the original handler

    IntHandle:
        sub esp, 4
        push ebp
        mov ebp, esp
        cli
        pusha                     ; save general registers
        push ds
        push es
        push gs
        push fs
        mov bx, 0x23              ; load fixed selectors before calling C code
        mov ds, bx
        mov es, bx
        mov gs, bx
        mov bx, 0x30
        mov fs, bx
        call InterruptServiceRoutine
        pop fs
        pop gs
        pop es
        pop ds
        popa
        sti
        pop ebp
        add esp, 0x4
        iretd
    }
}

void InterruptServiceRoutine(void)
{
    // just return
    KdPrint(("MyDriver : InterruptServiceRoutine \n"));
}

In WinDBG, I got this error message:

MyDriver : InterruptServiceRoutine

Access violation - code c0000005 (!!! second chance !!!)
Unable to load image ntoskrnl.exe, Win32 error 2
nt!RtlFillMemoryUlong+0x10:
80469380 f3ab rep stosd
kd> g
Access violation - code c0000005 (!!! second chance !!!)
nt!RtlFillMemoryUlong+0x10:
80469380 f3ab rep stosd
kd> g
Access violation - code c0000005 (!!! second chance !!!)
nt!RtlFillMemoryUlong+0x10:
80469380 f3ab rep stosd

(the message above keeps repeating)

kd> !kdex2x86.stack
T. Address  RetAddr  Called Procedure
*0 EDAC3400 A001AEAF nt!RtlFillMemoryUlong(04271EF8, 000003CC, 00FFFFFF,…);
*2 EDAC3434 A001AD01 nt!RtlFillMemoryUlong+00000010(EDAC3694, 000000F3, 041C0028,…);
*1 EDAC3460 A007EA47 nt!ExAllocatePoolWithTag(00000000, 00000001, 8515A000,…);
*1 EDAC3474 8046A9A9 hal!ExReleaseFastMutex(00000158, 34206847, 00000000,…);
*1 EDAC34A0 A007EA47 nt!ExAllocatePoolWithTag(00000001, 00000002, 34206847,…);
*1 EDAC34C4 A0001D1C win32k!HeavyAllocPool(00000158, 34206847, 00000000,…);
*1 EDAC34DC 80415A2C nt!ExInterlockedPushEntrySList(00000000, E2C73540, EDAC351C,…);
*1 EDAC34F0 A0002239 nt!ExFreeToPagedLookasideList(851A6208, A010A51A, 00000368,…);
*0 EDAC34F8 A010A51A nt!InterlockedCompareExchange(00000368, A0192320, 00000000,…);
*0 EDAC3508 A00E3880 nt!InterlockedCompareExchange(00000369, E27FC648, A000182A,…);
*0 EDAC3514 A000182A win32k!DDHANDLELOCK::~DDHANDLELOCK(EDAC3564, 91040232, 00000001,…);
*1 EDAC354C A00BBEC7 nt!InterlockedDecrement(E27FC680, A00BD938, 0012E398,…);
*1 EDAC3554 A00BD938 win32k!RGNOBJAPI::~RGNOBJAPI(0012E398, E239E000, 00000001,…);
*0 EDAC3574 A00BD9D7 nt!ProbeForWrite(0012E398, A00BDA1F, E239E000,…);
*0 EDAC357C A00BDA1F win32k!FreeTmpBuffer(E239E000, EDAC3714, 0012E378,…);
*2 EDAC35B4 A0011487 win32k!vDIBSolidBlt(A001ADA5, EDAC3694, 00000000,…);
*0 EDAC35D8 A0001CED nt!InterlockedExchange(EDAC35F4, 00000001, 80415A2C,…);
*1 EDAC35E4 80415A2C nt!ExInterlockedPushEntrySList(00000000, EDAC36A8, EDAC362C,…);
*1 EDAC35F8 A0002239 nt!ExFreeToPagedLookasideList(851A6208, E23E7508, A0005C77,…);
*1 EDAC3604 A0005C77 win32k!FreeObject(E23E7508, A010A51A, 02314D4A,…);
*0 EDAC360C A010A51A nt!InterlockedCompareExchange(02314D4A, E2ADA888, 00000000,…);
*2 EDAC3620 A0002D37 win32k!EngBitBlt+000003EB(E23D1008, 00000000, 00000000,…);
*2 EDAC3668 A00011FD win32k!GrePatBltLockedDC(E26C6824, EDAC36A4, EDAC3694,…);
*2 EDAC3708 80464F56 win32k!NtGdiFlushUserBatch(000000A5, 0012BA04, 00000000,…);

How can I debug it?

==================================
*** Technology opinion leader ***

Eric Ahn

Voebi Inc.

msn : xxxxx@hotmail.com
1G mail : xxxxx@gmail.com
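The handler in the post above is installed by replacing an IDT gate and chains to OldInterruptHandler for interrupts it does not claim. As an added example (not code from this thread or from the poster's driver), here is the check a defender runs against exactly that: decode raw 32-bit IDT gate descriptors and flag any present gate whose handler lies outside the known kernel images. The IDT bytes and the nt address range are constructed for the demonstration; on a live system they come from the IDTR and the loaded-module list.

```c
#include <stdint.h>
#include <stdio.h>

#define GATE_SIZE 8   /* one 32-bit x86 IDT gate descriptor */

typedef struct {
    uint32_t handler;            /* offset_hi:offset_lo, the ISR entry point */
    uint16_t selector;           /* code segment the CPU loads into CS */
    unsigned present, dpl, type; /* P bit, DPL, 0xE = interrupt gate / 0xF = trap gate */
} idt_gate_t;
typedef struct { uint32_t base, end; const char *name; } code_range_t;

/* Layout: [0..1] offset low, [2..3] selector, [4] reserved, [5] P|DPL|S|type, [6..7] offset high. */
static idt_gate_t decode_gate(const uint8_t raw[GATE_SIZE]) {
    idt_gate_t g;
    g.handler  = (uint32_t)raw[0] | (uint32_t)raw[1] << 8
               | (uint32_t)raw[6] << 16 | (uint32_t)raw[7] << 24;
    g.selector = (uint16_t)(raw[2] | (raw[3] << 8));
    g.present  = (raw[5] >> 7) & 1u;
    g.dpl      = (raw[5] >> 5) & 3u;
    g.type     = raw[5] & 0x0Fu;
    return g;
}

/* Inverse of decode_gate with the present bit set; used only to build the constructed dump. */
static void encode_gate(uint8_t out[GATE_SIZE], uint32_t handler,
                        uint16_t selector, unsigned dpl, unsigned type) {
    out[0] = handler & 0xFF;         out[1] = (handler >> 8) & 0xFF;
    out[2] = selector & 0xFF;        out[3] = selector >> 8;        out[4] = 0;
    out[5] = (uint8_t)(0x80u | (dpl & 3u) << 5 | (type & 0xFu));
    out[6] = (handler >> 16) & 0xFF; out[7] = (handler >> 24) & 0xFF;
}

static const char *owner_of(uint32_t addr, const code_range_t *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= r[i].base && addr < r[i].end) return r[i].name;
    return NULL;
}

/* Walk a raw IDT dump; count present gates whose handler lies in no trusted range. */
int count_suspect_gates(const uint8_t *idt, size_t nbytes,
                        const code_range_t *ranges, size_t nranges) {
    int suspect = 0;
    for (size_t v = 0; v < nbytes / GATE_SIZE; v++) {
        idt_gate_t g = decode_gate(idt + v * GATE_SIZE);
        if (!g.present) continue;
        const char *owner = owner_of(g.handler, ranges, nranges);
        printf("vector 0x%02X -> %08X sel=%04X dpl=%u type=%X  %s\n", (unsigned)v,
               (unsigned)g.handler, (unsigned)g.selector, g.dpl, g.type,
               owner ? owner : "OUTSIDE TRUSTED IMAGES");
        if (!owner) suspect++;
    }
    return suspect;
}

/* Constructed two-gate IDT and made-up nt range; the second gate was redirected into an unknown image. */
int sample_idt_suspects(void) {
    static const code_range_t trusted[] = { { 0x80400000u, 0x805A0000u, "nt" } };
    uint8_t idt[2 * GATE_SIZE];
    encode_gate(idt + 0 * GATE_SIZE, 0x80468D20u, 0x08, 0, 0xE);   /* inside nt */
    encode_gate(idt + 1 * GATE_SIZE, 0xF8C12340u, 0x08, 0, 0xE);   /* hooked: outside */
    return count_suspect_gates(idt, sizeof idt, trusted, 1);        /* 1 */
}

int main(void) { return sample_idt_suspects() == 1 ? 0 : 1; }
```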

You had this explained a month and a half ago on
comp.os.ms-windows.programmer.nt.kernel-mode. Sorry, what Max and I told you
then about trying to replace a system interrupt handler still holds: it
ain’t going to work. As an aside, using ASM in a driver is a bad idea.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


Because of the Detector system, why change it?

Eric Ahn

Because of the Detector system, why not change it?

Eric Ahn


Use IoConnectInterrupt. Such code can work in a bare-metal, OS-less
environment of your own, but not in Windows. The chances of making this code
Windows-compatible are next to zero.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Eric Ahn”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Thursday, January 19, 2006 4:31 PM
Subject: [ntdev] I have a question about Interrupt Service Routine
