OSR Context paper

Hi!

I’ve recently decided to implement a driver that can call user mode functions
(similar to SwitchStack mentioned in the OSR “Execution Context in NT drivers”
whitepaper).

Quote from the whitepaper follows (one of the most exciting parts :slight_smile: ):

“Given the design of NT, there is very little that the called-back user
function cannot do. It can issue Win32 function calls, pop up dialog boxes,
and perform File I/O. The only difference is that the user-application is
running in kernel mode, on the kernel stack. When an application is running
in kernel mode it is not subject to privilege limits, quotas, or protection
checking. Since all functions executing in kernel mode have IOPL, the user
application can even issue IN and OUT instructions (on an Intel architecture
system, of course). Your imagination (coupled with common sense) is the only
limit on the types of things you could do with this driver.”

My implementation allows the user mode client to specify the signature of
the function to call and the driver prepares the stack for the call
appropriately.

So, control flow is:

  1. The user mode client sends ioctl to the driver passing: function address,
    calling convention, parameters.
  2. The driver prepares the stack, calls the function, performs stack cleanup
    (if needed by calling convention).

Everything works fine until I try to call a function that initiates a ring
transition (via sysenter). In this case, the user mode application hangs.
Here is some WinDBG output for the user mode thread:

THREAD 82d3f780 Cid 224.2c4 Teb: 7ffde000 Win32Thread: 00000000 WAIT:
(DelayExecution) KernelMode Non-Alertable
82d3f870 NotificationTimer
IRP List:
8305ef68: (0006,0094) Flags: 40000000 Mdl: 00000000
Not impersonating
DeviceMap e1aa9c50
Owning Process 82cce5a0
Wait Start TickCount 30034 Elapsed Ticks: 4
Context Switch Count 825 LargeStack
UserTime 00:00:00.0000
KernelTime 00:00:00.0281
Start Address 0x77e8149f
Win32 Start Address 0x01001e52
Stack Init f5a8d000 Current f5a8cbc8 Base f5a8d000 Limit f5a88000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f5a8cbe0 804ebd36 nt!KiSwapContext+0x2e (FPO: [EBP 0xf5a8cc18] [0,0,4])
f5a8cbec 804ec393 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f5a8cc18 8055b7b7 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f5a8cc48 8058aa29 nt!IoCancelThreadIo+0x66 (FPO: [Non-Fpo])
f5a8ccf0 8059785a nt!PspExitThread+0x41e (FPO: [Non-Fpo])
f5a8ccfc 804fb64f nt!PsExitSpecialApc+0x20 (FPO: [5,0,1])
f5a8cd4c 804da970 nt!KiDeliverApc+0x1ad (FPO: [Non-Fpo])
f5a8cd4c 7ffe0304 nt!KiExceptionExit+0x39 (FPO: [0,0] TrapFrame @ f5a8cd64)
f5a8cba4 804ec6c9 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
f5a8cb90 00000000 nt!KiInsertTimerTable+0x1a (FPO: [Non-Fpo]

kd> .trap f5a8cd64
ErrCode = 00000005
eax=c0000005 ebx=8305ef00 ecx=f5a8cb74 edx=7ffe0304 esi=82e41508
edi=0006ff74
eip=7ffe0304 esp=f5a8cb74 ebp=f5a8cb90 iopl=0 nv up ei ng nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0000 gs=0000
efl=00000286
SharedUserData!SystemCallStub+4:
001b:7ffe0304 c3 ret

As seen from the output, the ring transition fails with
STATUS_ACCESS_VIOLATION.

The questions are:

  1. Have I missed something (the paper says that almost anything may be
    called, but I’m limited to “pure” user mode functions so far)?
  2. Is it possible to sneak by the check which leads to
    STATUS_ACCESS_VIOLATION?
  3. Why does the thread hang?

P.S. Of course, as if I need to say this, but:

  1. I know that it is not a brilliant idea to call user mode functions
    from kmode (ok, it’s really a BAD idea :slight_smile: ).
  2. I know this is a hack.
  3. I know that a lot of things (including a new service pack or the
    position of the stars in the sky) may change the system and this code
    won’t work any more.
  4. This won’t be used in production.
  5. This is just research.

So, please, “Repeat after me …”, “Go and write on the nearest whiteboard
…” and “Chorus says …” answer writers: don’t bother :slight_smile:
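A decoder for the `.trap` output above, added here as an example and not part of the post: it parses the register dump and the thread’s kernel stack bounds from the THREAD listing, decodes the x86 page-fault error code, and checks whether the faulting instruction ran at CPL 3 with ESP still inside the kernel stack. KERNEL_BASE assumes the default 2 GB user/kernel split; the function names are mine.

```python
import re

# Excerpt of the WinDBG output quoted in the post: the thread's kernel stack
# bounds from the THREAD listing and the .trap register dump.
THREAD_DUMP = """\
THREAD 82d3f780 Cid 224.2c4 Teb: 7ffde000 Win32Thread: 00000000 WAIT:
Stack Init f5a8d000 Current f5a8cbc8 Base f5a8d000 Limit f5a88000 Call 0
"""
TRAP_DUMP = """\
kd> .trap f5a8cd64
ErrCode = 00000005
eax=c0000005 ebx=8305ef00 ecx=f5a8cb74 edx=7ffe0304 esi=82e41508
edi=0006ff74
eip=7ffe0304 esp=f5a8cb74 ebp=f5a8cb90 iopl=0 nv up ei ng nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0000 gs=0000
efl=00000286
SharedUserData!SystemCallStub+4:
001b:7ffe0304 c3 ret
"""

# Assumption: default 2 GB user / 2 GB kernel split of 32-bit Windows (no /3GB).
KERNEL_BASE = 0x80000000


def parse_registers(trap_text):
    """Collect the name=hex pairs of a .trap dump (eax ... efl, cs ... gs)."""
    pairs = re.findall(r"\b([a-z]{2,3})=([0-9a-f]{4,8})\b", trap_text)
    return {name: int(value, 16) for name, value in pairs}


def parse_error_code(trap_text):
    """The page-fault error code pushed by the CPU, shown by .trap as ErrCode."""
    return int(re.search(r"ErrCode\s*=\s*([0-9a-f]+)", trap_text).group(1), 16)


def decode_page_fault_code(code):
    """x86 #PF error code bits: bit0 P, bit1 W/R, bit2 U/S, bit3 RSVD, bit4 I/D."""
    return {
        "protection_violation": bool(code & 0x01),  # page present, access not permitted
        "write": bool(code & 0x02),                 # False means the access was a read
        "user_mode": bool(code & 0x04),             # access was made at CPL 3
        "reserved_bit": bool(code & 0x08),
        "instruction_fetch": bool(code & 0x10),
    }


def parse_kernel_stack(thread_text):
    """Return (limit, init) of the thread's kernel stack; it grows down from init."""
    m = re.search(r"Stack Init ([0-9a-f]+) .*?Limit ([0-9a-f]+)", thread_text)
    return int(m.group(2), 16), int(m.group(1), 16)


def analyse(thread_text, trap_text):
    regs = parse_registers(trap_text)
    code = parse_error_code(trap_text)
    fault = decode_page_fault_code(code)
    limit, init = parse_kernel_stack(thread_text)
    cpl = regs["cs"] & 0x3                      # RPL of CS at the time of the fault
    esp_on_kstack = limit <= regs["esp"] < init
    return {
        "error_code": code,
        "fault": fault,
        "cpl": cpl,
        "esp_on_kernel_stack": esp_on_kstack,
        "eip_in_user_space": regs["eip"] < KERNEL_BASE,
        "ntstatus": regs["eax"],                # 0xC0000005 = STATUS_ACCESS_VIOLATION
        # The `ret` at 7ffe0304 pops its return address from [esp]; a CPL-3 read of a
        # kernel stack page is exactly a protection-violation/read/user-mode page
        # fault, which is what error code 5 encodes.
        "ring3_ret_reads_kernel_stack": (
            cpl == 3 and esp_on_kstack and fault["user_mode"]
            and fault["protection_violation"] and not fault["write"]
        ),
    }


if __name__ == "__main__":
    for key, value in analyse(THREAD_DUMP, TRAP_DUMP).items():
        print(f"{key}: {value}")
```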

> 1. The user mode client sends ioctl to the driver passing: function address,
> calling convention, parameters.
> 2. The driver prepares the stack, calls the function, performs stack cleanup
> (if needed by calling convention).

Please do not do this, or you will open a huge security and stability hole in
Windows, not to mention that this is a sign of grossly misdesigned software.

The correct way is:

  • the user mode code sends IOCTL to the driver to pull the call [in] parameters
    from it
  • the user mode code calls the function
  • the user mode code sends IOCTL to the driver to report the [out] parameters
    and the return value to it
  • the user mode code spins several worker threads for this

This is called “inverted call”.

Also, please design the software properly: the driver’s functioning must never
rely on user mode code. The driver must be in a sane state (at least not
crashing and not disabling the whole OS, networking or storage stacks) even
without any user mode code.

Also, the driver must be in a sane state in the absence of any logged-on
users, and it must be in a sane state even if there are several users
(Remote Desktop).

Showing some UI balloons or such on requests from the driver is OK (NDIS shows
the media connect/disconnect indication via a balloon), but the driver must
continue regardless of the user’s response to the balloon, or if the balloon
is indefinitely delayed, or even if the balloon user mode code fails.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
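The inverted-call design Maxim describes, as an added example that is not code from the thread or from any real driver: a user-space Python model in which a “driver” side queues requests and waits only up to a deadline, while several user-mode worker threads pull the [in] parameters with one IOCTL, call the function in user mode, and report the [out] parameters and return value with another. It also models the point that the driver must make progress when the user-mode helper fails or is absent; InvertedCallChannel, ioctl_pull and ioctl_report are hypothetical names.

```python
import itertools
import queue
import threading


class InvertedCallChannel:
    """Hypothetical model of the driver <-> user-mode request channel (not a real driver)."""

    def __init__(self, timeout):
        self.timeout = timeout                 # how long the 'driver' is willing to wait
        self._pending = queue.Queue()          # requests no worker has pulled yet
        self._waiting = {}                     # request id -> [Event, result]
        self._lock = threading.Lock()
        self._ids = itertools.count(1)

    # ---- 'driver' side --------------------------------------------------------
    def request(self, op, args, default):
        """Post a request for user mode and wait for the answer, but never forever.

        Returns (result, answered). On timeout the driver falls back to `default`
        and forgets the request, so a slow or missing helper cannot wedge it.
        """
        rid = next(self._ids)
        done = threading.Event()
        with self._lock:
            self._waiting[rid] = [done, None]
        self._pending.put((rid, op, args))
        if not done.wait(self.timeout):
            with self._lock:
                self._waiting.pop(rid, None)
            return default, False
        with self._lock:
            return self._waiting.pop(rid)[1], True

    # ---- user-mode side: the two IOCTLs ---------------------------------------
    def ioctl_pull(self, timeout=0.05):
        """Pull the [in] parameters of the next request; None if nothing is queued."""
        try:
            return self._pending.get(timeout=timeout)
        except queue.Empty:
            return None

    def ioctl_report(self, rid, result):
        """Report [out] parameters / return value. False if the driver already gave up."""
        with self._lock:
            entry = self._waiting.get(rid)
            if entry is None:
                return False
            entry[1] = result
            entry[0].set()
            return True


def worker(chan, handlers, stop):
    """One user-mode worker thread: pull, call the real function in user mode, report."""
    while not stop.is_set():
        item = chan.ioctl_pull()
        if item is None:
            continue
        rid, op, args = item
        try:
            result = ("ok", handlers[op](*args))
        except Exception as exc:   # a broken helper reports an error instead of hanging the driver
            result = ("error", type(exc).__name__)
        chan.ioctl_report(rid, result)


def demo(n_workers=3, timeout=0.5):
    chan = InvertedCallChannel(timeout)
    handlers = {"add": lambda a, b: a + b, "upper": str.upper}   # constructed user-mode functions
    stop = threading.Event()
    threads = [threading.Thread(target=worker, args=(chan, handlers, stop), daemon=True)
               for _ in range(n_workers)]
    for t in threads:
        t.start()
    out = {
        "served": chan.request("add", (2, 3), default=0),          # (("ok", 5), True)
        "failed": chan.request("no_such_op", (), default=None),    # (("error", "KeyError"), True)
    }
    stop.set()
    for t in threads:
        t.join()
    # With no user-mode helper left, the driver still makes progress using its default.
    out["orphan"] = chan.request("upper", ("x",), default="DEFAULT")   # ("DEFAULT", False)
    # A helper that shows up late is refused: the driver is no longer waiting for that id.
    late = chan.ioctl_pull()
    out["late_accepted"] = chan.ioctl_report(late[0], ("ok", "X"))     # False
    return out


if __name__ == "__main__":
    print(demo())
```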

Please make sure that you tell us all the name of the product you are
working on so that we will be sure to NEVER load it on any system we care
about :slight_smile:

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of shk
Sent: Wednesday, August 18, 2004 10:24 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] OSR Context paper

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

__________ NOD32 1.847 (20040818) Information __________

This message was checked by NOD32 antivirus system.
http://www.nod32.com

Jamey, may I cite the thread-starter:
"
  1. This won't be used in production.
  2. This is just research.
"

So your reply was not necessary :wink:

Best regards (and never mind ;-),

Oliver

--

May the source be with you, stranger ... :wink:

Did anyone actually read what he said? I quote:

  1. This won’t be used in production.
  2. This is just research.

How about helping the guy out instead of pooh-poohing him?

-Jeff

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jamey Kirby
Sent: Wednesday, August 18, 2004 5:42 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] OSR Context paper

***********************************************************************************
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, received late or incomplete, or could contain viruses. The sender therefore does not accept liability for any error or omission in the contents of this message, which arises as a result of e-mail transmission. If verification is required, please request a hard-copy version from the sender.
***********************************************************************************

I terminated the message with a :slight_smile:. Where has everyone’s sense of humor gone?

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Curless, Jeffrey
Sent: Wednesday, August 18, 2004 3:03 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] OSR Context paper

Yeah, I know, I just wanted to drive the point home.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Oliver Schneider
Sent: Wednesday, August 18, 2004 2:50 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] OSR Context paper

Jamey, may I cite the thread-starter:
"

  1. This won't be used in production.
  2. This is just a research.
    "

So your reply was not necessary :wink:

Best regards (and never mind ;-),

Oliver

Please make sure that you tell us all the name of the product you are
working on so that we will be sure to NEVER load it on any system we care
about :slight_smile:

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of shk
Sent: Wednesday, August 18, 2004 10:24 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] OSR Context paper

Hi!

I've decided to implement a driver that can call user mode functions
recently (alike to SwitchStack mentioned in the OSR "Execution Context in
NT
drivers" whitepaper).

Quote from the whitepaper follows (one of the most exciting parts :slight_smile: ):

"Given the design of NT, there is very little that the called-back user
function cannot do. It can issue Win32
function calls, pop up dialog boxes, and perform File I/O. The only
difference is that the user-application is
running in kernel mode, on the kernel stack. When an application is
running
in kernel mode it is not subject
to privilege limits, quotas, or protection checking. Since all functions
executing in kernel mode have IOPL,
the user application can even issue IN and OUT instructions (on an Intel
architecture system, of course).
Your imagination (coupled with common sense) is the only limit on the
types
of things you could do with
this driver."

My implementation allows the user mode client to specify the signature of
the function to call and the driver prepares the stack for the call
appropriately.

So, control flow is:

  1. The user mode client sends ioctl to the driver passing: function
    address,
    calling convention, parameters.
  2. The driver prepares the stack, calls the function, performs stack
    cleanup
    (if needed by calling convention).

Everything works fine, until I try to call a function initiating a ring
transition (via sysenter). In this case, the user mode application hangs.
Here goes some WinDBG output concerning the user mode thread:

THREAD 82d3f780 Cid 224.2c4 Teb: 7ffde000 Win32Thread: 00000000 WAIT:
(DelayExecution) KernelMode Non-Alertable
82d3f870 NotificationTimer
IRP List:
8305ef68: (0006,0094) Flags: 40000000 Mdl: 00000000
Not impersonating
DeviceMap e1aa9c50
Owning Process 82cce5a0
Wait Start TickCount 30034 Elapsed Ticks: 4
Context Switch Count 825 LargeStack
UserTime 00:00:00.0000
KernelTime 00:00:00.0281
Start Address 0x77e8149f
Win32 Start Address 0x01001e52
Stack Init f5a8d000 Current f5a8cbc8 Base f5a8d000 Limit f5a88000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f5a8cbe0 804ebd36 nt!KiSwapContext+0x2e (FPO: [EBP 0xf5a8cc18] [0,0,4])
f5a8cbec 804ec393 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f5a8cc18 8055b7b7 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f5a8cc48 8058aa29 nt!IoCancelThreadIo+0x66 (FPO: [Non-Fpo])
f5a8ccf0 8059785a nt!PspExitThread+0x41e (FPO: [Non-Fpo])
f5a8ccfc 804fb64f nt!PsExitSpecialApc+0x20 (FPO: [5,0,1])
f5a8cd4c 804da970 nt!KiDeliverApc+0x1ad (FPO: [Non-Fpo])
f5a8cd4c 7ffe0304 nt!KiExceptionExit+0x39 (FPO: [0,0] TrapFrame @ f5a8cd64)
f5a8cba4 804ec6c9 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
f5a8cb90 00000000 nt!KiInsertTimerTable+0x1a (FPO: [Non-Fpo]

kd> .trap f5a8cd64
ErrCode = 00000005
eax=c0000005 ebx=8305ef00 ecx=f5a8cb74 edx=7ffe0304 esi=82e41508 edi=0006ff74
eip=7ffe0304 esp=f5a8cb74 ebp=f5a8cb90 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0000 gs=0000 efl=00000286
SharedUserData!SystemCallStub+4:
001b:7ffe0304 c3 ret

As seen from the output, the ring transition fails with
STATUS_ACCESS_VIOLATION.

The questions are:

  1. Have I missed something (the paper says that almost anything may be called, but I'm limited to "pure" user mode functions so far)?
  2. Is it possible to sneak by the check which leads to STATUS_ACCESS_VIOLATION?
  3. Why does the thread hang?

P.S. Of course, as if I need to say this, but:

  1. I know that it is not a brilliant idea to call the user mode functions from the kmode (ok, it's really a BAD idea :slight_smile: ).
  2. I know this is a hack.
  3. I know that a lot of things (including new service pack or star disposition on the sky) may change the system and this code won't work any more.
  4. This won't be used in production.
  5. This is just research.

So, please, "Repeat after me ...", "Go and write on the nearest whiteboard
..." and "Chorus says ..." answer writers: don't bother :slight_smile:


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

__________ NOD32 1.847 (20040818) Information __________

This message was checked by NOD32 antivirus system.
http://www.nod32.com



--

May the source be with you, stranger ... :wink:




> Showing some UI balloons or such on requests from the driver is OK (NDIS shows the media connect/disconnect indication via balloon), but the driver must continue regardless of the user's response from the balloon or if the balloon will be indefinitely delayed, or even if the balloon user mode code will fail.

How is this done? How can you request showing UI balloons from a driver?

Shahar

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, August 18, 2004 8:22 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] OSR Context paper

  1. The user mode client sends ioctl to the driver passing: function address, calling convention, parameters.
  2. The driver prepares the stack, calls the function, performs stack cleanup (if needed by calling convention).

Please do not do this, or you will open a huge security and stability hole in Windows, not to say this is a sign of grossly misdesigned software.

The correct way is:

  • the user mode code sends IOCTL to the driver to pull the call [in] parameters from it
  • the user mode code calls the function
  • the user mode code sends IOCTL to the driver to report the [out] parameters and the return value to it
  • the user mode code spins several worker threads for this

This is called “inverted call”.

Also - please design the software properly, the driver's functioning must never rely on the user mode code. The driver must be in the sane state (at least not crashing and not disabling the whole OS, networking or storage stacks) even without any user mode code.

Also the driver must be in the sane state in the absence of any logged on users. Also the driver must be in the sane state even if there are several users (Remote Desktop).

Showing some UI balloons or such on requests from the driver is OK (NDIS shows the media connect/disconnect indication via balloon), but the driver must continue regardless of the user's response from the balloon or if the balloon will be indefinitely delayed, or even if the balloon user mode code will fail.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
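As an added illustration of the inverted-call structure described in the message above (this is constructed example code, not code from the thread or from any of its posters), the following Python models the pattern in a single process: the "driver" queues a request and waits with a timeout, user-mode workers pull it and report the result, and if nobody answers the driver drops the request and carries on with a default. FakeDriver, ioctl_pull, ioctl_report, the Request record and all timeouts are assumptions standing in for a real driver's pended IRPs and DeviceIoControl calls.

```python
"""Inverted call, modelled in-process (constructed example, not from the thread).

The 'driver' never calls into user mode. It queues a request and waits with a
timeout; a user-mode worker pulls the request ("pull" IOCTL), does the work and
reports the result back ("report" IOCTL). With no worker, the driver continues.
"""
import itertools
import queue
import threading
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional


@dataclass
class Request:
    req_id: int
    kind: str                       # e.g. "balloon"
    params: Dict[str, Any]          # the [in] parameters user mode pulls
    done: threading.Event = field(default_factory=threading.Event)
    result: Any = None              # the [out] parameters / return value
    cancelled: bool = False         # driver gave up waiting for this one


class FakeDriver:
    """Stands in for the kernel side (assumed API; a real driver pends IRPs)."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self._pending: "queue.Queue[Request]" = queue.Queue()
        self._inflight: Dict[int, Request] = {}
        self._lock = threading.Lock()

    # ---- the two user-mode facing "IOCTLs" ----
    def ioctl_pull(self, timeout: float) -> Optional[Request]:
        """Hand the next live request to a worker, or None on timeout."""
        try:
            while True:
                req = self._pending.get(timeout=timeout)
                if not req.cancelled:      # skip requests the driver abandoned
                    break
        except queue.Empty:
            return None
        with self._lock:
            self._inflight[req.req_id] = req
        return req

    def ioctl_report(self, req_id: int, result: Any) -> bool:
        """Accept a result for an in-flight request; late or bogus ids are rejected."""
        with self._lock:
            req = self._inflight.pop(req_id, None)
        if req is None:
            return False
        req.result = result
        req.done.set()
        return True

    # ---- driver-internal use ----
    def request(self, kind: str, params: Dict[str, Any],
                timeout: float, default: Any) -> Any:
        """Queue a request for user mode and wait at most `timeout` seconds."""
        req = Request(next(self._ids), kind, params)
        self._pending.put(req)
        if req.done.wait(timeout):
            return req.result
        # No answer: abandon the request so a late pull/report is ignored,
        # then carry on. Driver progress never depends on user mode showing up.
        with self._lock:
            req.cancelled = True
            self._inflight.pop(req.req_id, None)
        return default


def user_mode_worker(drv: FakeDriver, handler: Callable[[Request], Any],
                     stop: threading.Event, poll: float = 0.05) -> None:
    """One of the 'several worker threads' servicing the driver's queue."""
    while not stop.is_set():
        req = drv.ioctl_pull(timeout=poll)
        if req is None:
            continue
        try:
            drv.ioctl_report(req.req_id, handler(req))
        except Exception as exc:  # a user-mode bug must not wedge the driver
            drv.ioctl_report(req.req_id, ("error", str(exc)))


def run_with_worker() -> Any:
    """Normal case: a logged-on user's service answers the balloon request."""
    drv, stop = FakeDriver(), threading.Event()
    handler = lambda req: "OK clicked for: " + req.params["text"]
    t = threading.Thread(target=user_mode_worker, args=(drv, handler, stop))
    t.start()
    try:
        return drv.request("balloon", {"text": "media connected"},
                           timeout=2.0, default="no answer")
    finally:
        stop.set()
        t.join()


def run_without_worker() -> Any:
    """Nobody logged on, no service running: the driver still returns."""
    drv = FakeDriver()
    return drv.request("balloon", {"text": "media connected"},
                       timeout=0.2, default="no answer")


def late_report_is_ignored() -> bool:
    """A worker that turns up after the driver gave up finds nothing to do."""
    drv = FakeDriver()
    drv.request("balloon", {"text": "x"}, timeout=0.1, default="d")
    return drv.ioctl_pull(timeout=0.1) is None and not drv.ioctl_report(1, "late")
```

The point to take from the model is the shape of the dependency: user mode calls the driver (twice per request), never the other way round, and every wait on the driver side is bounded, so a missing, slow or crashing user-mode helper costs at most one timeout rather than a wedged thread.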



Kindly re-read the OP disclaimer: This is a LAB interface only and not for
general usage, so dinna get yer bowels in an uproar thinking you will be
writing a production driver using such a bastardized interface and stippling
a monitor with UI balloons during boot — even if your pointy haired
manager thinks it's a great idea. Read the referred to white paper on OSR's
site.


The personal opinion of
Gary G. Little


Sounds like we need some more trolls and bait here nonetheless.

/Daniel


Mmmm, bait.

-p


[snip]

Now that the dust has settled, check this out. Although someone already
mentioned the inverted model as the way to go for production code (it is),
look at this, as it may be something you’d like to experiment with *in the
lab*:

http://www.microsoft.com/msj/0799/nerd/nerd0799.aspx

This paper talks about using kernel mode APCs for “calling” a usermode
callback function from kernel mode. Never tried it myself. Anyways, as was
stated many times before, this is not for production code, as the example
uses undocumented OS internals. Also, try using google for KeInsertQueueApc
and see what you get (*for the lab*).

Philip Lukidis

> How is this done? How can you request showing UI balloons from a driver?

Via inverted call paths.

If you're too lazy to code this path yourself - use WMI events, it is an
OS-provided implementation of it (too slow though).

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

//////////////////////////////
//RESEARCH|RESEARCH|RESEARCH//
//////////////////////////////
This will be a kind of composite answer concerning replies to my original
post.

The dust has really settled down a bit, but unfortunately no fruitful result
has been seen and the question remains open.

  1. Maybe somebody from OSR could clarify their own whitepaper a bit?
  2. If the list is not the right place for such questions, any links will be appreciated (books by Solomon and Russinovich; Schreiber are on my shelf already).
  3. Again, as I wrote in my original post, it's just research, so it is "grossly misdesigned software" by design :slight_smile: And I do hope it will never get to a system Jamey Kirby cares about :slight_smile:
  4. Oliver Schneider, Jeffrey Curless and others: thanks for reading the whole message again :slight_smile:


Yes there are products that use this kind of kernel to user handoff, IIRC the article is correct. Sure the approach is dangerous, but I've seen a popular product using it, would it ultimately be trashed, that is another question, but those who started, now can open up 10 small companies out of their own pockets w/o VC's money…

Some of the obvious problems are -

  1. having the right context, based on PIDs
  2. paging and swapping problem, so the processing should be on all accounts at passive level, so that user level can do stuff safely
  3. Signalling using Events

Weird behavior? Sure we will see lots of it …

I'm not qualified to judge this, but possibly a lab approach is Okay. Scary part is that the lab approach goes out the door sometime and then who knows what :slight_smile:

-pro

This makes me curious. Research into what? What’s the point of trying to
figure out how to do something dumb? To prove that it can be done? It
would seem much easier to do that sort of thing under Linux. I would have
thought that any attempt to make something work under Windows would have a
practical need. This makes me very suspicious about projects that are
labeled research.


Jake Oshins
Windows Kernel Group

This posting is provided “AS IS” with no warranties, and confers no rights.
