Hi.
I am trying to implement a LIST_ENTRY and running into BSODs when a second item is added to the list.
I create a list head
PLIST_ENTRY LIST_HEAD = (PLIST_ENTRY)ExAllocatePoolWithTag(NonPagedPool, sizeof(LIST_ENTRY), PROCESS_LIST_POOL_TAG);
InitializeListHead(LIST_HEAD);
And add
PPROCESS_LIST_ENTRY entry = ExAllocatePoolWithTag(NonPagedPool, sizeof(PROCESS_LIST_ENTRY), PROCESS_LIST_POOL_TAG);
if (entry == NULL)
    return FALSE;
PROCESS_LIST_ENTRY pentry = *entry;
pentry.ProcessId = ProcessId;
InsertHeadList(LIST_HEAD, &(pentry.ListEntry));
Once a second item is added, I run into a BSOD.
The BSOD occurs here:
#if DBG
    RtlpCheckListEntry(ListHead);
#endif
When I check the ListHead, it looks like the addresses of Flink and Blink are reset to zero?
Am I doing something wrong here?
This
InsertHeadList(LIST_HEAD, &(pentry.ListEntry));
Takes the address of the variable on the stack, not the address relative to the allocation.
- you don’t need to allocate the list head. The list head should just be a field in a larger structure like your device extension or some other allocation, so you have
struct DEVICE_EXTENSION {
    […]
    LIST_ENTRY ListHead;
    […]
};
InitializeListHead(&devExt->ListHead);
- you use the process list entry allocation as is
PPROCESS_LIST_ENTRY entry = ExAllocatePoolWithTag(NonPagedPool, sizeof(PROCESS_LIST_ENTRY), PROCESS_LIST_POOL_TAG);
if (entry == NULL)
    return FALSE;
entry->ProcessId = ProcessId;
InsertHeadList(&devExt->ListHead, &entry->ListEntry);
(and you probably want InsertTailList if you want to keep list order the same as insertion order)
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@netprojects.gr
Sent: Monday, August 22, 2016 11:17 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] LIST_ENTRY
—
NTDEV is sponsored by OSR
Visit the list online at: http:
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:
To unsubscribe, visit the List Server section of OSR Online at http:
Thanks for reply.
So I tried this in the header:
typedef struct _DEVICE_EXTENSION
{
    LIST_ENTRY ListHead;
    KSPIN_LOCK ListSpinLock;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
and in the source:
DEVICE_EXTENSION EXTENSION = { 0 };
NTSTATUS ProtectionEnable()
{
    InitializeListHead(&EXTENSION.ListHead);
    KeInitializeSpinLock(&EXTENSION.ListSpinLock);
    return STATUS_SUCCESS;
}
BOOLEAN SetIsProtectedProcess(HANDLE ProcessId)
{
    if (ProcessId == NULL)
        return FALSE;
    PPROCESS_LIST_ENTRY entry = ExAllocatePoolWithTag(NonPagedPool, sizeof(PROCESS_LIST_ENTRY), PROCESS_LIST_POOL_TAG);
    if (entry == NULL)
        return FALSE;
    PROCESS_LIST_ENTRY pentry = *entry;   /* copies *entry into a stack local */
    pentry.ProcessId = ProcessId;
    InsertHeadList(&EXTENSION.ListHead, &pentry.ListEntry);
    return TRUE;
}
Got the same result.
> Got same result 
Doron told you that it should be
InsertHeadList(&EXTENSION.ListHead, &entry->ListEntry);
Indeed that fixed the problem, forgive my clumsiness.
My idea was that
PROCESS_LIST_ENTRY pentry = *entry;
would actually provide an object based on the memory location, and if I altered it the changes would be made in the relative memory location.
I am a complete noob guys, just trying to learn,
so don't beat me up with all your force.
You need to understand how pointers work. This is basic C/C++. Without understanding pointers, writing a driver is going to be a lesson in futility. And your DEVICE_EXTENSION will not be a global, it will be a part of the WDFDEVICE or PDEVICE_OBJECT and accessible from there.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@netprojects.gr
Sent: Monday, August 22, 2016 12:36 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] LIST_ENTRY
I have a pretty good understanding of pointers; I think what I will need to understand is how the pointer to an object is handled in C++.
For example PROCESS_LIST_ENTRY pentry = *entry;
Would this create a completely new object in a new memory location?
If so, would I need to de-allocate the memory of this object to avoid memory leaks?
I understand that this is not the place to learn C++ guys, just eager to understand how it works.
As it was already suggested on this list, I suggest the OP first works in user-mode with:
#include <winternl.h>
and link against NTDLL.LIB. This way you can write some NT-style code without crashing (and restarting) the machine.
To the OP: you still have to learn to work with the CONTAINING_RECORD macro.
PS: note that the code does not acquire the lock that protects the list.
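As an added user-mode illustration (not code from the thread or from the WDK) of the pattern Doron describes above together with the CONTAINING_RECORD traversal this reply points to: the list head lives inside a larger structure, the allocation itself is linked rather than a stack copy, and each record is recovered from its embedded LIST_ENTRY. The LIST_ENTRY helpers and the DEVICE_EXTENSION/PROCESS_LIST_ENTRY layouts are stand-ins written here so it compiles without Windows headers; malloc replaces ExAllocatePoolWithTag and the list lock is left out.

```c
#include <stddef.h>
#include <stdlib.h>
/* Minimal stand-ins for the WDK LIST_ENTRY helpers so this builds in user
 * mode without Windows headers; they follow the documented semantics. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    LIST_ENTRY *last = h->Blink;
    e->Flink = h; e->Blink = last; last->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}

/* Hypothetical structures modelled on the thread: the head is a field of a
 * larger object and every record embeds its own LIST_ENTRY. */
typedef struct _DEVICE_EXTENSION { LIST_ENTRY ListHead; } DEVICE_EXTENSION;
typedef struct _PROCESS_LIST_ENTRY {
    LIST_ENTRY ListEntry;
    unsigned long ProcessId;
} PROCESS_LIST_ENTRY;

/* Link the heap allocation itself (entry->ListEntry), never a local copy:
 * a copy lives on the stack and dangles once the function returns. */
int SetIsProtectedProcess(DEVICE_EXTENSION *ext, unsigned long pid) {
    PROCESS_LIST_ENTRY *entry = malloc(sizeof *entry);
    if (entry == NULL) return 0;
    entry->ProcessId = pid;
    InsertTailList(&ext->ListHead, &entry->ListEntry); /* keeps insertion order */
    return 1;
}
/* Walk Flink from the head; CONTAINING_RECORD recovers the enclosing record. */
int IsProtectedProcess(DEVICE_EXTENSION *ext, unsigned long pid) {
    for (LIST_ENTRY *p = ext->ListHead.Flink; p != &ext->ListHead; p = p->Flink)
        if (CONTAINING_RECORD(p, PROCESS_LIST_ENTRY, ListEntry)->ProcessId == pid)
            return 1;
    return 0;
}
/* Unlink and free every record, returning the number released. */
size_t ClearProtectedProcesses(DEVICE_EXTENSION *ext) {
    size_t n = 0;
    while (ext->ListHead.Flink != &ext->ListHead) {
        LIST_ENTRY *p = ext->ListHead.Flink;
        RemoveEntryList(p);
        free(CONTAINING_RECORD(p, PROCESS_LIST_ENTRY, ListEntry));
        n++;
    }
    return n;
}
```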
I have taken care of locking and yes, CONTAINING_RECORD is the next challenge.
In any case, thanks go to all of you!
If you don’t understand what this does
PROCESS_LIST_ENTRY pentry = *entry;
You don’t understand how pointers and the stack work.
Second freebie for the day: your code above makes a byte for byte copy of *entry into pentry. pentry lives on the stack. This is why your code was blowing up on the second insertion, the pointers in the list head were pointing to the previous stack which was invalid at the time of reference. You actually got lucky, it could have referred to another stack or a different spot on the same calling stack and corrupted the stack in weird wonderful ways.
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@netprojects.gr
Sent: Monday, August 22, 2016 12:54 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] LIST_ENTRY