PsSetCreateProcessNotifyRoutine() PROBLEM

Hi,
I am using the PsSetCreateProcessNotifyRoutine() KPI to register a callback
function to monitor process exits.
The callback function calls another function which writes the process ID of
the process that exited into a buffer. This buffer is allocated in the
NonPagedPool during DriverEntry() and the entire memory is zeroed using
RtlZeroMemory().
However, whenever I try to copy the Process ID into the storage buffer the
system BSODs. I use RtlCopyBytes().
I then protected the buffer using ProbeForWrite(). This call always raises
an exception and I am never able to write any data into the buffer.
Could anyone PLEASE HELP.
Thanks,
Samarth

You will have to show us some code, but a couple of comments:

  1. Why are you using RtlCopyBytes to copy a 4 byte item into a buffer? It
     is easier and safer to:

HANDLE *p = (HANDLE *)Buffer;   /* Buffer: the NonPagedPool allocation from DriverEntry (name assumed) */

*p++ = processId;               /* store the ID and advance to the next slot */

  2. Never use ProbeForWrite on a kernel space address such as
     NonPagedPool.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Samarth Sharma”
Newsgroups: ntdev
To: “Windows System Software Developers Interest List”
Sent: Saturday, July 19, 2003 5:56 AM
Subject: [ntdev] PsSetCreateProcessNotifyRoutine() PROBLEM

> —
> You are currently subscribed to ntdev as: xxxxx@acm.org
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

Don Burn wrote:

> 2. Never use ProbeForWrite on a kernel space address such as
> NonPagedPool.

… because it will *always* raise an exception. That’s what it’s
supposed to do. You use that function to test the assertion “this memory
is entirely in user space”. RTFM, which says: “If the specified range of
memory is not a valid user-mode address range . . . ProbeForWrite raises
the STATUS_ACCESS_VIOLATION exception.”

Now, it *is* true that part of the doc (the part that says ProbeForWrite
will raise an exception if the memory isn’t writable) isn’t true, at
least on x86 machines. But the rest of the doc is true. Especially the
sentence at the end that says, “Do not use this routine on kernel-mode
addresses; it will raise an exception.”

I mean, they made this so totally clear! To the OP: you’ve obviously got
some bug in your callback routine. What do you learn when you run under
a debugger?


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com

To be fair to Don, what I think he was implying was that if you KNOW
that an address is from kernel pool you should never call ProbeForXXXX
on it. Since the OP has stated to us that he’s allocating the memory
from non-paged kernel pool, and then calling ProbeForXXXX on it, he’s
screwing up.

Nick Ryan (MVP for DDK)

The Process is dead and the ID is invalid when the callback is called.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Samarth Sharma
Sent: Saturday, July 19, 2003 2:57 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] PsSetCreateProcessNotifyRoutine() PROBLEM


Nick Ryan wrote:

To be fair to Don, what I think he was implying was that if you KNOW
that an address is from kernel pool you should never call ProbeForXXXX
on it. Since the OP has stated to us that he’s allocating the memory
from non-paged kernel pool, and then calling ProbeForXXXX on it, he’s
screwing up.

I *am* being fair to Don. It’s the OP who didn’t read the manual. I’m
sure both Don and the OP knew who was being chastised.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com

Actually, the process ID is valid, the process is just on its final legs of
departure. But even if this was not the case this is an ID not a pointer, so
yes it is valid.

On Walter’s response, I have no problem (except being in a hurry myself so I
didn’t explain my comment in my posting); I knew who he was directing the
answer to.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Jamey Kirby”
To: “Windows System Software Developers Interest List”
Sent: Sunday, July 20, 2003 3:35 AM
Subject: [ntdev] RE: PsSetCreateProcessNotifyRoutine() PROBLEM

> The Process is dead and the ID is invalid when the callback is called.
>
> Jamey

Ooops. It is not the create call I was thinking of. It is the delete
call that has an invalid handle.

It was late :)

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Sunday, July 20, 2003 6:32 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: PsSetCreateProcessNotifyRoutine() PROBLEM


Hi,
Sorry…the error was in the callback routine only. I was writing four bytes
extra before allocating the new buffer.
Should have checked more thoroughly.
Thanks for all your comments.
Regards,
Samarth

“Jamey Kirby” wrote in message news:xxxxx@ntdev…
>
> The Process is dead and the ID is invalid when the callback is called.
>
> Jamey
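Putting Don Burn's two points and the OP's eventual fix (a write past the end of the buffer) together, here is an added example that is not code from anyone in this thread. It keeps the callback's append bounds-checked, writes the ID through a typed pointer instead of RtlCopyBytes, and never probes the kernel buffer. The EXIT_LOG structure, the function names, the constructed process IDs and the host-side stand-ins for HANDLE and BOOLEAN are all assumptions made so the code compiles as plain C without the WDK; in a real driver the storage would come from ExAllocatePoolWithTag(NonPagedPool, ...) in DriverEntry and ProcessNotify would be registered with PsSetCreateProcessNotifyRoutine(ProcessNotify, FALSE).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the WDK types so this compiles as host C (assumption: the
 * real driver includes ntddk.h and gets these from there). */
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
#define TRUE  1
#define FALSE 0

/* One pool allocation holds the exit log. In the driver, Entries would come
 * from ExAllocatePoolWithTag(NonPagedPool, ...) in DriverEntry and be zeroed
 * with RtlZeroMemory; the other fields are plain bookkeeping. (Hypothetical
 * structure, not from the thread.) */
typedef struct _EXIT_LOG {
    HANDLE *Entries;   /* base of the kernel buffer */
    size_t  Capacity;  /* number of HANDLE slots allocated */
    size_t  Count;     /* slots used; next write goes to Entries[Count] */
    size_t  Dropped;   /* exits not recorded because the log was full */
} EXIT_LOG;

static EXIT_LOG g_Log;            /* driver-global state (assumed) */
static HANDLE   g_Storage[16];    /* stands in for the pool allocation */

void ExitLogInit(EXIT_LOG *Log, HANDLE *Storage, size_t Capacity)
{
    memset(Storage, 0, Capacity * sizeof(HANDLE));  /* RtlZeroMemory in the driver */
    Log->Entries  = Storage;
    Log->Capacity = Capacity;
    Log->Count    = 0;
    Log->Dropped  = 0;
}

/* Records one process ID. A HANDLE-typed pointer and plain assignment replace
 * the OP's RtlCopyBytes, as Don Burn suggested, and the bound check refuses to
 * write past the allocation (the thread's actual bug was a write beyond the
 * buffer). No ProbeForWrite here: the target is kernel memory, and probing it
 * would only raise STATUS_ACCESS_VIOLATION. Returns 1 if recorded, 0 if dropped. */
int ExitLogAppend(EXIT_LOG *Log, HANDLE ProcessId)
{
    HANDLE *p;
    if (Log->Count >= Log->Capacity) {
        Log->Dropped++;
        return 0;
    }
    p = Log->Entries + Log->Count;
    *p = ProcessId;
    Log->Count++;
    return 1;
}

/* Has the shape of PCREATE_PROCESS_NOTIFY_ROUTINE; the driver would register it
 * with PsSetCreateProcessNotifyRoutine(ProcessNotify, FALSE). Create == FALSE
 * means the process is exiting, which is the only event logged here. */
void ProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    (void)ParentId;
    if (Create) {
        return;
    }
    ExitLogAppend(&g_Log, ProcessId);
}

/* Feeds one create event and `Exits` exit events with constructed process IDs
 * (101, 102, ...) into a log of `Capacity` slots (at most 16 in this demo).
 * Returns the number of exits that were dropped because the log was full. */
size_t RunExitLogDemo(size_t Capacity, size_t Exits)
{
    size_t i;
    if (Capacity > sizeof(g_Storage) / sizeof(g_Storage[0])) {
        Capacity = sizeof(g_Storage) / sizeof(g_Storage[0]);
    }
    ExitLogInit(&g_Log, g_Storage, Capacity);
    ProcessNotify((HANDLE)(uintptr_t)4, (HANDLE)(uintptr_t)100, TRUE); /* create: ignored */
    for (i = 1; i <= Exits; i++) {
        ProcessNotify((HANDLE)(uintptr_t)4, (HANDLE)(uintptr_t)(100 + i), FALSE);
    }
    return g_Log.Dropped;
}

/* Last recorded process ID, or NULL when nothing has been logged. */
HANDLE LastRecordedPid(void)
{
    return g_Log.Count ? g_Log.Entries[g_Log.Count - 1] : NULL;
}

int main(void)
{
    size_t dropped = RunExitLogDemo(4, 6);
    printf("recorded %zu exits, dropped %zu, last pid %lu\n",
           g_Log.Count, dropped, (unsigned long)(uintptr_t)LastRecordedPid());
    return 0;
}
```

Dropping exits when the log is full is a deliberate choice: an overrun in a process-notify callback corrupts whatever sits after the allocation in pool and surfaces as exactly the kind of bugcheck the OP saw, so counting dropped entries is the safer failure mode.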