SEH & IRQL ?

Hi,

I put the license check of my program into the kernel mode driver, i.e: the user mode program sends license parameters to the kernel driver and the latter checks them and sends the result to the user mode program.

To prevent disclosure of my license check algorithm I should detect if someone is trying to debug my driver, so I’ve put this code in the beginning of DriverEntry:

    try {
        __asm int 0x3
        return STATUS_UNSUCCESSFUL; // don't load if there is a debugger

    } except( EXCEPTION_EXECUTE_HANDLER ) {

        // continue…


But sometimes I had a BSOD with a DRIVER_IRQL_NOT_LESS_OR_EQUAL bugcheck…
I wonder if SEH causes the IRQL raise.

THX.

Take a look at <http://www.osronline.com/article.cfm?id=380>; your
approach does not work. You might try KD_DEBUGGER_ENABLED and
KD_DEBUGGER_NOT_PRESENT, since these can be tested.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@live.com [mailto:xxxxx@live.com]
Posted At: Monday, May 31, 2010 8:19 AM
Posted To: ntfsd
Conversation: SEH & IRQL ?
Subject: SEH & IRQL ?



THX Don very much for the link, I’ll use KD_DEBUGGER_ENABLED and KD_DEBUGGER_NOT_PRESENT…

But, for my own knowledge:
I see in the article that there is no way to re-enable the interrupt…
This code snippet is from the scanner.c sample…

    try {

        RtlCopyMemory( &notification->Contents,
                       buffer,
                       notification->BytesToScan );

    } except( EXCEPTION_EXECUTE_HANDLER ) {

        //
        // Error accessing buffer. Complete i/o with failure
        //

        Data->IoStatus.Status = GetExceptionCode();
        Data->IoStatus.Information = 0;
        returnStatus = FLT_PREOP_COMPLETE;
        leave;
    }

I see in the code that there is no try to re-enable the interrupt…
So, who will re-enable it? Is it the fltmgr?

The exception is always on. Don’t confuse the article which is a
specific case, i.e. breakpoints, with the general exception case.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@live.com [mailto:xxxxx@live.com]
Posted At: Monday, May 31, 2010 9:31 AM
Posted To: ntfsd
Conversation: SEH & IRQL ?
Subject: RE: SEH & IRQL ?



> try {
>
>     RtlCopyMemory( &notification->Contents,
>                    buffer,
>                    notification->BytesToScan );
>
> } except( EXCEPTION_EXECUTE_HANDLER ) {
>
>     //
>     // Error accessing buffer. Complete i/o with failure
>     //
>
>     Data->IoStatus.Status = GetExceptionCode();
>     Data->IoStatus.Information = 0;
>     returnStatus = FLT_PREOP_COMPLETE;
>     leave;
> }
>
> I see in the code that there is no try to re-enable the interrupt…

And where do you see the interrupt in the above code?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Sorry I was wrong… THX Don.

“Intel documentation states that INT 1, INT 3 and BOUNDS exceptions disable interrupts”…
I thought that applied to SEH not to the INT.