RE: Change Thread stack, was Re: About ...ZwCreateProcess

You must at least update the fields in the ETHREAD and the TSS to reflect the ring0 stack
change. Otherwise, after one switch of your thread, you may be back on the old one, and
if that happens a bugcheck is ensured.

I am not sure whether SEH will store any old stack pointer. After an exception, the
OS is obligated to save the current thread context, including the ESP, before
it calls your exception handler.

I wonder whether the SEH handler works on the current thread's stack or has its own
dedicated stack (its own TSS) in Microsoft's implementation. Could some guru or
people from Microsoft comment on this?

Bi

-----Original Message-----
From: James Antognini [mailto:xxxxx@mindspring.nospam.com]
Sent: Wednesday, October 30, 2002 1:34 PM
To: NT Developers Interest List
Subject: [ntdev] Re: About …ZwCreateProcess

Expanding the stack is something I’ve wondered about, e.g., copying the
stack at procedure entry to a larger area and using a little inline
assembler to point ESP to that area, and of course reversing at
procedure exit. But the technique might get sticky in exception
handling, since the old stack pointer might be squirreled away somewhere
that SEH uses.

What are the known holes?


If replying by e-mail, please remove “nospam.” from the address.

James Antognini


You are currently subscribed to ntdev as: xxxxx@appstream.com
To unsubscribe send a blank email to %%email.unsub%%

Exception unwinding does get broken if you switch stacks. In fact, the
SEH handler will bugcheck if the frame is outside the stack limits. APCs
will be broken; you will have to disable them. In reality there is not
too much that you could safely do on such a switched stack, and the few
folks who do it have experienced much pain. It’s a heck of a lot easier
to proactively check for stack limits (IoGetStackLimits) and use
another thread if it’s running out. Please don’t try this - I had to
work with folks who have attempted or are still doing this, and it’s not
pretty.

In the first place though, what is the real problem? Is this all
hypothetical or is there a current burning stack space problem for some
poster’s driver?

Ravi
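A user-mode model of the check-and-hand-off pattern Ravi recommends, added here as an example and not code from the thread: the stack limits are constructed from a local's address and an assumed budget in place of IoGetStackLimits, and WORK_DEFERRED stands for queuing a work item to another thread instead of switching stacks.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the kernel's stack descriptor. A driver would
 * fill this from IoGetStackLimits(&low, &high); here the limits are derived
 * from a local's address and an assumed budget so the demo runs in user mode. */
typedef struct {
    uintptr_t low;   /* lowest valid stack address (stack grows down) */
    uintptr_t high;  /* address at the top of the budget */
} stack_limits_t;

static uintptr_t current_sp(void) {
    volatile char marker = 0;       /* its address approximates ESP/RSP */
    return (uintptr_t)&marker;
}

/* Bytes left between the current frame and the low limit (0 if exhausted). */
static size_t remaining_stack(const stack_limits_t *lim) {
    uintptr_t sp = current_sp();
    return sp > lim->low ? (size_t)(sp - lim->low) : 0;
}

#define FRAME_SCRATCH 512   /* assumed per-level stack consumption */
#define MIN_HEADROOM  2048  /* assumed safety margin before handing off */

enum { WORK_DONE = 0, WORK_DEFERRED = 1 };

/* Models a re-entrant dispatch path that nests 'depth' levels deep. Before
 * each level it checks headroom and, instead of switching stacks, gives up
 * with WORK_DEFERRED, which stands for "queue a work item on another thread".
 * 'reached' records the level at which it stopped. */
static int nested_dispatch(const stack_limits_t *lim, int depth, int *reached) {
    volatile char scratch[FRAME_SCRATCH];
    scratch[0] = (char)depth;       /* keep the frame from being optimised away */
    *reached = depth;
    if (depth == 0) return WORK_DONE;
    if (remaining_stack(lim) < MIN_HEADROOM + FRAME_SCRATCH)
        return WORK_DEFERRED;
    int rc = nested_dispatch(lim, depth - 1, reached);
    scratch[1] = (char)rc;          /* work after the call: not tail-recursive */
    return scratch[1];
}

/* Entry point: build limits from a constructed budget, then dispatch. */
static int run_with_budget(size_t budget_bytes, int depth, int *reached) {
    stack_limits_t lim;
    lim.high = current_sp();
    lim.low = lim.high - budget_bytes;
    return nested_dispatch(&lim, depth, reached);
}
```

With a 16 KiB budget the 100-level dispatch hands off partway down; with a 1 MiB budget it completes inline.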
-----Original Message-----
From: Bi Chen [mailto:xxxxx@AppStream.com]
Sent: Thursday, October 31, 2002 3:13 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Change Thread stack, was Re: About
…ZwCreateProcess


RE: [ntdev] Change Thread stack, was Re: About …ZwCreateProcess

IIRC the only dedicated TSSs and stacks are for double fault (KiTrap08) and NMI. All other things, including SEH, are running on usual kernel stacks.

Max

----- Original Message -----
From: Bi Chen
To: NT Developers Interest List
Sent: Friday, November 01, 2002 2:13 AM
Subject: [ntdev] RE: Change Thread stack, was Re: About …ZwCreateProcess
