strcpy in nt

Hi, I want to ask a question. From the nt module, I can see these exported functions:

80538360 nt!strcpy ()
80538370 nt!strcat ()
80538470 nt!strchr ()
80538540 nt!strcmp ()
805385d0 nt!strlen ()

If I use strchr in my code, I can see it use the imported function in nt, but if I use strcpy in my code, I cannot see that one when I disassemble (and when I debug the code, it seems to take quite a long time to run the p command).

Is there anybody who can help explain it? Thanks.

There are a lot of legacy functions in the kernel. More recent
compilers/WDKs do not always use the same calls.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, December 10, 2013 10:32 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] strcpy in nt



NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> If I use strchr in my code, I can see it use the imported function in nt, but if
> I use strcpy in my code, I cannot see that one when I disassemble

It must be getting expanded inline. Create a user mode app and observe the behavior.

> (and when I debug the code, it seems to take quite a long time to run the p command)

This I have seen with wcslen as well (IIRC) and would like to get some explanation as well.

Thanks Don, but is there any way I can still use the strcpy function exported from the nt module? I even used TARGETLIBS=$(DDK_LIB_PATH)\nt.lib in the sources file, but it still does not work. It really feels frustrating when it costs around 1 minute to step past strcpy in the debugger.

Thanks.

Well you should think carefully about using C strings in the kernel. They
are unsafe and a terrible idea, so why don’t you tell the list what you are
really trying to do?

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, December 10, 2013 10:54 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] strcpy in nt


And why not use safe strings and the RtlString* functions?

http://msdn.microsoft.com/en-us/library/windows/hardware/ff563885(v=vs.85).aspx

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Tuesday, December 10, 2013 8:05 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] strcpy in nt


strcpy was a bad function when I first met it in 1975. No amount of
rehabilitation can help. It is the height of insanity to consider using
this function, even in application space, and using it in the kernel is
madness. Using strcpy in some companies is now considered a fireable
offense, and there are movements in some communities (notably Santa Clara,
Palo Alto, and Redmond) to make its use a felony.

The question is not “how do I use this?” but “How can I avoid using this
poorly-designed, dangerous excuse for a string copy?”

Note also that strcpy only applies to 8-bit characters, which means it is
only useful for debugging, and I’ve never seen a case in debugging output
that couldn’t be handled better by the existing mechanisms. Why do you
think you need this? Do you have spare-time hobbies like juggling flaming
torches over swimming pools filled with gasoline? (Hint: that is usually
considered far less dangerous than using strcpy)

And if you don’t like tracing it, don’t trace into it, and if you do so by
accident, just use the “proceed to return” command (I presume WinDbg has
this).
joe

Yes, Aditya, it’s expanded inline; perhaps it gets the code from a static lib.

The reason I used strcpy is “lots of code is already written this way, and I have used this function for a decade now; it looks so friendly for the team”. Perhaps I should change my attitude.

Currently I just feel quite curious about what has happened, and an alternative is that I can use sprintf to replace strcpy; then the debug speed is quite fast.

And Joe, I know “proceed to return”, but the problem is that you haven’t traced into it yet; just bypassing that function would take a significant time. My debug environment is VMware+WinDbg.

Thanks for all of your kind help, although I have not got a satisfactory answer yet.

> yes, Aditya, it’s expanded inline, perhaps it gets the code from static
> lib.
>
> The reason I used strcpy is “so lots of codes are already written in a
> thus kind of way, and I have used this function for decade now, looks so
> friendly for the team”, perhaps I should change the attitude.

If “looking friendly” is a valid criterion, rather than “robust” or
“secure”, by all means, continue to use it. Other products used the same
reasoning for years, and the outcome was a variety of successful
buffer-overflow exploits that got them front-page billing in the major
trade magazines. Usually under the headline “Buffer overflow exploit
takes over 300,000 machines with latest malware attack”. Friendliness has
nothing to do with robustness or security, so a re-education of your team
seems to me to be long overdue.

> Currently I just feel quite curious about what have happened, and an
> alternate way is I can use sprintf to replace strcpy, thus the debug speed
> is quite fast.

sprintf is another of those functions that is a fireable offense in some
companies. Essentially, ANY non-bounds-checked string copy operation is
insane. sprintf makes the use of strcpy look positively responsible by
comparison. Somebody really needs to understand the fundamental defects
in these poorly-designed functions.
joe

> And Joe, I know “proceed to return”, but the problem is you haven’t traced
> into it yet, just bypass that function would take a significant time. My
> debug environment is vmWare+windbg.
>
> Thanks for all of your kind help, although not got the satisfied answer
> yet.


Joe, I know it’s bad. I just want to get the reason why it’s slow, and whether there’s any alternative way to use the exported function nt!strcpy; we can treat it as research. Can you help…

Thanks.

If it is compiled inline, the code is probably a repne prefix on a movsb.
In single-stepping, if you try to go across this line while in assembler
single-step, you are probably seeing the effect of simulating the rep,
even silently. I know in past debuggers I could get hung up indefinitely
long on rep-prefix instructions.

But to me, learning how to efficiently use a function whose danger is
well-known and well-documented (and I don’t mean the MSDN docs, I mean the
documented instances of such functions compromising the security of real
systems under real operating conditions) seems to be the wrong way to go
about a solution.

Furthermore, it is not clear why you need an 8-bit character copy
function, since I have trouble imagining its utility, even if you are
manipulating debug output strings. What problem do you think using this
is solving that could not be solved by avoiding it entirely? Note that
justifications should be based on demonstrable real problems; repeating
urban legends does not constitute “data justifying a technical choice”.

Somehow, making it more efficient to debug inherently dangerous code does
not seem to make sense to me.
joe


Thanks, Joe, for your nice help again and again. Although I still cannot resolve the problem of “using the exported function nt!strcpy”, you can just think of it as my hobby.

> The reason I used strcpy is "so lots of codes are already written in a thus kind of way, and I have
> used this function for decade now, looks so friendly for the team", perhaps I should change the
Modern static analysis tools just complain about this family of functions.

You can use strcpy_s or the MS’s names for it like StringCchCopy.

You can use a C++ class for a string. If you use C++, then PLEASE use a class for strings. Not necessarily an STL class with exceptions; you can handcraft your own in 2-3 hours, it’s 1 screen of code.

Actually, when you switch from C to C++ (in a C++-friendly environment, not in the Windows kernel), the 2 immediate best gains you obtain are a) strings b) container classes. Believe me: this is a serious practical fact from several experienced people who once had the task of porting code from C to C++.

You can use a “poor man’s C++ class” in C which is “a string guaranteed to be allocated by malloc() and zero-terminated”, and write your own catenation function for them.

You can use UNICODE_STRING.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
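Maxim's list above points at bounded replacements (strcpy_s, StringCchCopy, the RtlString* family). The following is an added hosted-C illustration of that contract, written for this page and not taken from the thread or from ntstrsafe.h: a copy and a concatenation that can never write past the destination, report truncation as a status instead of overflowing, and a helper showing the length check that plain strcpy never performs. The status names and the sample device path are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status values modelled on the StringCchCopy / strcpy_s contract the thread
 * recommends: report an undersized destination instead of overflowing it.
 * The enum names are this example's own, not the real ntstrsafe.h values. */
typedef enum { STR_OK = 0, STR_INVALID_PARAMETER = 1, STR_INSUFFICIENT_BUFFER = 2 } str_status;

/* The check plain strcpy never performs: does src (plus its NUL) fit in cap? */
int strcpy_would_overflow(size_t cap, const char *src)
{
    return strlen(src) + 1 > cap;
}

/* Bounded copy: writes at most cap bytes, always NUL-terminates dst when
 * cap > 0, and returns STR_INSUFFICIENT_BUFFER if src had to be truncated. */
str_status bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t i;
    if (dst == NULL || src == NULL || cap == 0)
        return STR_INVALID_PARAMETER;
    for (i = 0; i + 1 < cap; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return STR_OK;
    }
    dst[i] = '\0';                       /* out of room: terminate what we copied */
    return src[i] == '\0' ? STR_OK : STR_INSUFFICIENT_BUFFER;
}

/* Bounded concatenation built on bounded_copy; rejects a dst that is not
 * NUL-terminated within cap rather than scanning past the buffer. */
str_status bounded_cat(char *dst, size_t cap, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || cap == 0)
        return STR_INVALID_PARAMETER;
    while (len < cap && dst[len] != '\0')
        len++;
    if (len == cap)
        return STR_INVALID_PARAMETER;
    return bounded_copy(dst + len, cap - len, src);
}

int main(void)
{
    char name[16];                                   /* deliberately small destination */
    const char *leaf = "\\Device\\MyFilterDevice";   /* constructed sample, 22 chars */
    str_status st;
    printf("strcpy would overflow: %d\n", strcpy_would_overflow(sizeof name, leaf));
    st = bounded_copy(name, sizeof name, leaf);
    printf("bounded_copy status: %d -> \"%s\"\n", (int)st, name);
    return 0;
}
```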

xxxxx@flounder.com wrote:

> If it is compiled inline, the code is probably a repne prefix on a movsb.

Well, repne doesn’t mean anything on a movsb, because movs doesn’t set
the flags. It does a repne scasb to find the terminating zero, then
does the copy using rep movsd for performance.

I used to consider myself an assembler “guru”, but it’s interesting how
quickly that expertise has aged. There are now so many instruction set
extensions and new register sets that it’s like learning a new processor
each time.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 11-Dec-2013 08:37, xxxxx@gmail.com wrote:

> Joe, I know it’s bad, Just want to get the reason why it’s slow, and if there’s any alternate way to use the exported function nt!strcpy, we can treat it’s the research, can you help…

For your research: using so called “standard C library” in unsuitable
environment is a good example of anti-pattern.
http://en.wikipedia.org/wiki/Antipattern

– pa

That’s what I get for trusting my memory. I need a good Hamming code
correction system, because I seem to be dropping more than one bit.

I could make x86 assembler tap-dance in 1989; fortunately, I have not
needed that skill in 24 years. Every once in a while I try to figure out
if I care about MMX, and usually end up deciding that since DSP is just
Magic (Clarke’s Third Law), I end up deciding I don’t care. If I want an
FFT done using MMX, google will be my friend.
joe


zhen hua yang, you could use MmGetSystemRoutineAddress (http://msdn.microsoft.com/en-us/library/windows/hardware/ff554563(v=vs.85).aspx) to locate strcpy in nt.

Haha, Mikae, yes, this is the way; I can get the address of nt!strcpy. Although the way is not clever, it’s really one method and it can work.

It seems that for strchr, when compiling/linking, it would use the exported function nt!strchr, but for strcpy it’s not the case; cl makes some changes intelligently.

Thanks,
Zhen-Hua

> On 11-Dec-2013 08:37, xxxxx@gmail.com wrote:
>
>> Joe, I know it’s bad, Just want to get the reason why it’s slow, and if
>> there’s any alternate way to use the exported function nt!strcpy, we can
>> treat it’s the research, can you help…
>
> For your research: using so called “standard C library” in unsuitable
> environment is a good example of anti-pattern.
> http://en.wikipedia.org/wiki/Antipattern

Add to this that using functions like strcpy, strcat, and sprintf (to name
the deadliest offenders) are unsuitable for use in any environment in
which concepts like reliability, robustness, security, stability, and
similar concepts matter. Essentially, there is effectively NO environment
today in which these functions are considered reasonable. There are
environments in which they are used, usually justified by the “we know
these are safe because we are careful” excuse, with said products getting
regular “security updates” because of their vulnerabilities. Or ask
Microsoft, Adobe, Apple, Oracle, Sun/Oracle, etc. about how well this
reasoning has resulted in deadly vulnerabilities.
joe


> Haha, Mikae, yes, this is the way, I can get the address of nt!strcpy, although
> the way is not clever, but it’s really one method and it can work.

I am not sure why you would assume it's not clever.

If the compiler is expanding a function inline for you and you do not want that, you are left with just two options. Either search for some compiler flag and disable the specific optimization (but it may switch off other optimizations as well), or get the routine address dynamically and call that.