Re[2]: global kernel lock

Hello Mats,

1. First decision
   You can read 8 bytes, then store it and modify the first 5; after that you can use InterlockedExchange64() (but this function is supported only from 2003 Server).
2. Second decision
   Use KeRaiseIrql() & KeLowerIrql()

> I thought about looking at the OpenBios and LILO boot manager. Definitely we want to avoid any option bios, if possible.

Depending on your needs you may want to look at GRUB. It is your basic
boot loader but with very rich functionality including filesystem
support (don’t know about NTFS). Being open source it would be
relatively easy to add any specific functionality you may need
(assuming the licence requirements are not a problem).

Rob
xxxxx@telusplanet.net

Alberto,

You wound me for no cause! I pointedly did not cast stones at you that time; indeed I took every precaution to avoid flinging any boulders your way. :)) I knew you would step in to point a way for the OP to follow. SoftIce then enters the realm of “MacGyvering” to avoid NMI (and other) interruptions.

But again, the real question is why he wants to dynamically alter functional code; e.g. “overwriting the 1st 5 byte of the hooked function”. That’s nasty nasty stuff for which I would like to see additional justification for doing. Any debuggers such as SoftIce or WinDbg have ample justification for dynamically modifying code by using a single byte INT 3 opcode, but I am not seeing that justification from the OP, and I do believe it is a potentially dangerous exploit.


Gary G. Little
Seagate Technologies, LLC
“Moreira, Alberto” wrote in message news:xxxxx@ntdev…
It’s actually very easy to stop NMI, I know at least two ways, but they might make you blush, or worse, erupt into flame. :slight_smile: And while we’re at it, we do that kind of thing all the time, not only in SoftICE but also in BoundsChecker, TrueTime and TrueCoverage. I’m not going to say much, but believe me, synchronization at hooking time is the least of your worries. After much aggravation and bug chasing, we decided to write an SMP-safe component that hooks code on demand for all our software - internally we call it “Capt’n Hook”. And, believe me, NO, it isn’t a hack, nor is it any less safe than anybody else’s code! And it does precisely what Michael wants to do. Which brings the point, I hate to put it that way, but can DriverStudio be of service? We have solved that problem many times over, and both BoundsChecker and TrueTime allow you to add your own probe code to your running driver.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]On Behalf Of Gary G. Little
Sent: Wednesday, January 14, 2004 9:19 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] global kernel lock

You still seem to be missing the overall point. You cannot stop NMI, no matter WHAT you do short of re-writing your own kernel or MacGyver the existing descriptor tables to control or disable NMI.

Why in the bloody hello are you trying to modify kernel API calls to jump to your own code? This isn’t “hooking” anything, it’s bludgeoning it to death, and this kind of behavior is normally expected by infectious and contagious vermin. What are you trying to do?
Gary G. Little
Seagate Technologies, LLC
wrote in message news:xxxxx@ntdev…

Mats,

Thanks for your reply.

> Sorry to have to ask, but: Why?
> Unless you’re building a debugger or some such, there’s really no valid case for “Must not be interrupted by another thread”. There’s probably something wrong in your design if you “must” do this. You should ever only need to block threads that are accessing the same data as your own thread.

With the debugger you are not far away from the truth. I want to hook kernel API functions, by overwriting the first 5 bytes of the hooked function with a “jmp xxx”. And as such a jmp instruction is 5 bytes long, it can not be written within one instruction. (My first idea was simply using a lock prefix.)
So I need to prevent others from calling the API function while I am writing the “jmp xxx”.

(In the old Win9x days I could simply use a kernel service hook, and I did not find a similar solution for 2K, XP)

> However, if you really want to do BAD design in your driver, a KeRaiseIRQL() call with sufficiently high IRQL will do the job. Obviously followed by KeLowerIRQL(oldIRQL). [OldIRQL is passed back from the Raise function]
> It’s EXTREMELY bad practice to do this, however.
> You should never do this in a production driver.

Best Regards
Michael

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it.
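The two replies above describe the same thing from opposite sides: Michael wants to overwrite the first five bytes of a kernel export with a `jmp rel32`, and Gary points out that this is exactly what "infectious vermin" do. From the defender's side the useful check is the inverse of the patch: compare a function's live entry bytes against a known-good copy, and when they differ, decode the five-byte `E9` form of `jmp` and see where it goes. The block below is an added example, not code from the thread or from any of the products named in it (SoftICE, DriverStudio, BoundsChecker). All names, addresses and sample byte sequences are constructed for the example: `FN_ADDR`, `MODULE_BASE` and `MODULE_SIZE` stand in for a 32-bit kernel image of the 2K/XP era, the known-good prologue is the standard hot-patchable `mov edi,edi / push ebp / mov ebp,esp`, and the hooked variant jumps to an address outside the image.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the E9 rel32 form of jmp that the thread is discussing. */
#define JMP_REL32_LEN 5

/* Constructed sample values (assumptions for this example, not from the
 * thread): a 32-bit kernel image and one exported function inside it. */
#define MODULE_BASE 0x80400000u
#define MODULE_SIZE 0x00200000u
#define FN_ADDR     0x80501000u

/* Known-good first five bytes of the function: the hot-patchable prologue
 * mov edi,edi / push ebp / mov ebp,esp. */
static const uint8_t kKnownGoodPrologue[JMP_REL32_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* Same entry after a "jmp xxx" was written over it, aimed at 0xF7A01000,
 * which lies outside the image: rel32 = 0xF7A01000 - (FN_ADDR + 5) = 0x774FFFFB. */
static const uint8_t kHookedPrologue[JMP_REL32_LEN]    = { 0xE9, 0xFB, 0xFF, 0x4F, 0x77 };
/* A jmp whose target stays inside the image (rel32 = 0x100). */
static const uint8_t kLocalJmpPrologue[JMP_REL32_LEN]  = { 0xE9, 0x00, 0x01, 0x00, 0x00 };
/* First byte replaced by INT 3 (0xCC), the single-byte breakpoint debuggers use. */
static const uint8_t kInt3Prologue[JMP_REL32_LEN]      = { 0xCC, 0xFF, 0x55, 0x8B, 0xEC };

/* Decode a five-byte "jmp rel32" (opcode E9) located at code_addr. Returns true
 * and stores the absolute target when the bytes are such a jump, else false.
 * The displacement is relative to the end of the instruction, so
 * target = code_addr + 5 + rel32; unsigned wraparound gives the right answer
 * for negative displacements as well. */
bool decode_jmp_rel32(const uint8_t *code, size_t len, uint32_t code_addr, uint32_t *target)
{
    if (code == NULL || target == NULL || len < JMP_REL32_LEN || code[0] != 0xE9)
        return false;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = code_addr + JMP_REL32_LEN + rel;
    return true;
}

/* Same decoder for callers that only want the target: 0 when not a jmp rel32. */
uint32_t jmp_target_or_zero(const uint8_t *code, size_t len, uint32_t code_addr)
{
    uint32_t t = 0;
    return decode_jmp_rel32(code, len, code_addr, &t) ? t : 0;
}

/* Verdict for one function entry point. */
typedef enum {
    ENTRY_CLEAN = 0,    /* live bytes match the known-good prologue */
    ENTRY_JMP_OUTSIDE,  /* jmp rel32 whose target leaves the module image */
    ENTRY_JMP_INSIDE,   /* jmp rel32 that stays inside the image (needs review) */
    ENTRY_MODIFIED      /* changed, but not a plain jmp rel32 (e.g. INT 3) */
} entry_verdict;

/* Compare the live entry bytes against the known-good copy and classify
 * any difference. target_out may be NULL. */
entry_verdict classify_entry(const uint8_t *live, const uint8_t *known_good, size_t len,
                             uint32_t code_addr, uint32_t module_base, uint32_t module_size,
                             uint32_t *target_out)
{
    uint32_t target = 0;
    if (memcmp(live, known_good, len) == 0)
        return ENTRY_CLEAN;
    if (decode_jmp_rel32(live, len, code_addr, &target)) {
        if (target_out != NULL)
            *target_out = target;
        bool inside = target >= module_base && (target - module_base) < module_size;
        return inside ? ENTRY_JMP_INSIDE : ENTRY_JMP_OUTSIDE;
    }
    return ENTRY_MODIFIED;
}

int main(void)
{
    static const char *names[] = { "clean", "jmp outside image", "jmp inside image", "modified" };
    const uint8_t *samples[] = { kKnownGoodPrologue, kHookedPrologue, kLocalJmpPrologue, kInt3Prologue };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t target = 0;
        entry_verdict v = classify_entry(samples[i], kKnownGoodPrologue, JMP_REL32_LEN,
                                         FN_ADDR, MODULE_BASE, MODULE_SIZE, &target);
        printf("sample %zu: %s", i, names[v]);
        if (v == ENTRY_JMP_OUTSIDE || v == ENTRY_JMP_INSIDE)
            printf(" (target 0x%08X)", target);
        printf("\n");
    }
    return 0;
}
```

In a real integrity checker the known-good bytes come from the on-disk image after applying relocations, the live bytes from a read of the loaded image, and the check runs over every export rather than one constructed sample. A jump that stays inside the image is not proof of anything by itself (hot-patching and compiler-generated trampolines look the same), which is why the example reports it separately from a jump that leaves the image.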

NMI is issued only at a fatal crash, so developers often forget about it. The OS will crash anyway in this case :slight_smile:

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Moreira, Alberto
To: Windows System Software Devs Interest List
Sent: Wednesday, January 14, 2004 5:28 PM
Subject: RE: [ntdev] global kernel lock


Not if I catch it.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Wednesday, January 14, 2004 1:11 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] global kernel lock


Thanks, and I will look at it …

Thanks again,
-prokash

-----Original Message-----
From: Robert Newton [mailto:xxxxx@telusplanet.net]
Sent: Wednesday, January 14, 2004 10:11 AM
To: Windows System Software Devs Interest List
Subject: Re[2]: [ntdev] global kernel lock
