To register an ISR for interrupts

Hi All,
I’m new to the Windows driver programming world.

I am writing a WDM driver (not for any particular device). I would like to
register some ISRs for interrupts generated by the devices.
Say, I need to register an ISR for the keyboard interrupt, another ISR for some
network card (sitting on a PCI bus). The purpose is to monitor the interrupts
generated by these devices, not to control them.

Now the question is how to get the Irql, Affinity, InterruptMode, and
ProcessorEnableMask, for a given interrupt vector?

Regards,
Raghukiran

First, interrupts are given to your driver as part of the resources
assigned; you do not GET THEM. So no, you cannot register to get a keyboard
interrupt unless you are the driver for that device. Now on the specifics,
the items you ask about are all assigned by the OS, except the InterruptMode,
which is related to your hardware.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“Raghu Kiran” wrote in message news:xxxxx@ntdev…
> Hi All,
> I’m new to the windows driver programming world.
>
> I am writing a wdm driver (not for any particular device). I would like to
> register some ISRs for interrupts generated by the devices.
> Say, I need to register an ISR for keyboard interrupt, another ISR for some
> network card(sitting on a PCI bus). The purpose is to monitor the interrupts
> generated by these devices, not to control it.
>
> Now the question is how to get the Irql, Affinity, InterruptMode, and
> ProcessorEnableMask, for a given interrupt vector?
>
> Regards,
> Raghukiran
>

> I am writing a wdm driver (not for any particular device). I would like to
> register some ISRs for interrupts generated by the devices.

As Don explained to you already, you cannot register an interrupt unless you are the driver for the device that processes it. Interrupts are processed only by the lowest-level drivers, so if you write a filter driver, let alone one that is not related to any hardware stack, interrupts are the last thing you have to worry about. This is how you are *supposed* to do things under Windows.

> The purpose is to monitor the interrupts generated by these devices, not to control it.

As long as this is a non-commercial project (if I got it right, you speak about an educational project), you can afford to “play around” a little bit. Therefore, you can hook the IDT and monitor interrupt processing. However, I would not advise you to do it in a commercial project, unless you really know what you are doing…

Anton Bassov

Thanks Anton.
Definitely my driver is not a commercial project.
Can you please tell me how I can hook IDT and monitor interrupt processing?

regards,
Raghukiran

On 3/13/07, xxxxx@hotmail.com wrote:
>
> > I am writing a wdm driver (not for any particular device). I would like to
> > register some ISRs for interrupts generated by the devices.
>
> As Don explained to you already, you cannot register interrupt unless you
> are the driver for the device that processes it. Interrupts are processed
> only by the lowest-level drivers, so that if you write a filter driver, let
> alone the one that is not related to any hardware stack, interrupts are the
> last thing you have to worry about. This is how you are supposed to do
> things under Windows.
>
> > The purpose is to monitor the interrupts generated by these devices, not to
> > control it.
>
> As long as this is non-commercial project (if I got it right, you speak
> about educational project),
> you can afford to “play around” a little bit. Therefore, you can hook IDT,
> and monitor interrupts processing. However, I would not advise you to do it
> in a commercial project, unless you really know what you are doing…
>
> Anton Bassov
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

For hooking the IDT, Rootkits: Subverting the Windows Kernel by Greg
Hoglund, James Butler is the best book. Refer to Chapter 4 for complete
details on IDT hooking.
It's like a tutorial in itself. All the best.

~Nagesh

> I am writing a wdm driver (not for any particular device). I would like to
> register some ISRs for interrupts generated by the devices.
> Say, I need to register an ISR for keyboard interrupt, another ISR for some
> network card(sitting on a PCI bus). The purpose is to monitor the interrupts
> generated by these devices, not to control it.

Windows provides no such facility for drivers - only the driver who owns the
hardware can access its interrupts, no other drivers can “monitor” the
interrupts.

IDT hacking is the only way.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> For Hooking the IDT, Rootkits: Subverting the Windows Kernel By Greg
> Hoglund, James Butler is the best book. Refer Chapter 4 For complete
> details on IDT Hooking. Its like a tutorial itself

This is a tutorial of how *NOT* to do things - frankly speaking, I find it just inadequate…

  1. It is not going to work on an SMP machine because every CPU has its own IDTR and IDT - in order to hook interrupts on an SMP machine you have to hook IDTs one-by-one

  2. All my experience shows that modifying the memory pointed to by IDTR is unsafe - you may BSOD from time to time for no apparent reason. Instead, it is better to load a temporary IDT, modify the original one, and then reload it

Anton Bassov
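
The per-CPU point above has a detection-side counterpart: an integrity check that reads only one processor's IDT misses a gate that was changed on another. The following is an added example, not code from the thread or from the book; it assumes the 32-bit x86 gate layout, and the snapshot arrays, their size and every address in them are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define GATE_SIZE 8   /* bytes per 32-bit protected-mode IDT gate */
#define NGATES    4   /* constructed sample; a real x86 IDT has 256 */
#define NCPUS     2
/* Little-endian bytes of a present, DPL 0, 32-bit interrupt gate (0x8E). */
#define G(h) (h) & 0xFF, ((h) >> 8) & 0xFF, 0x08, 0x00, 0x00, 0x8E, \
             ((h) >> 16) & 0xFF, ((h) >> 24) & 0xFF

/* Constructed per-CPU snapshots; every handler address here is made up. */
static const uint8_t BASELINE[NCPUS][NGATES * GATE_SIZE] = {
    { G(0x80540100u), G(0x80540200u), G(0x80540300u), G(0x80540400u) },
    { G(0x80540100u), G(0x80540200u), G(0x80540300u), G(0x80540400u) } };
static const uint8_t CURRENT[NCPUS][NGATES * GATE_SIZE] = {
    { G(0x80540100u), G(0x80540200u), G(0x80540300u), G(0x80540400u) },
    { G(0x80540100u), G(0xF8A01000u), G(0x80540300u), G(0x80540400u) } };

/* Handler address: offset bits 0..15 in bytes 0-1, bits 16..31 in bytes 6-7. */
static uint32_t gate_handler(const uint8_t *g) {
    return (uint32_t)g[0] | (uint32_t)g[1] << 8 |
           (uint32_t)g[6] << 16 | (uint32_t)g[7] << 24;
}

/* A gate counts as changed if handler, selector or type/DPL byte differs. */
static int gate_changed(const uint8_t *a, const uint8_t *b) {
    return gate_handler(a) != gate_handler(b) ||
           a[2] != b[2] || a[3] != b[3] ||   /* code segment selector */
           a[5] != b[5];                     /* P, DPL, gate type */
}

/* First vector whose gate differs from the baseline, or -1 if none. */
static int first_changed_vector(const uint8_t *base, const uint8_t *now, size_t n) {
    for (size_t v = 0; v < n; v++)
        if (gate_changed(base + v * GATE_SIZE, now + v * GATE_SIZE))
            return (int)v;
    return -1;
}

/* Bitmask of CPUs whose table differs from that CPU's own baseline. */
static unsigned changed_cpu_mask(const uint8_t base[][NGATES * GATE_SIZE],
                                 const uint8_t now[][NGATES * GATE_SIZE],
                                 unsigned ncpus) {
    unsigned mask = 0;
    for (unsigned c = 0; c < ncpus; c++)
        if (first_changed_vector(base[c], now[c], NGATES) >= 0)
            mask |= 1u << c;
    return mask;
}
```

In the constructed data CPU 0 matches its baseline and only CPU 1 differs, so a check limited to the processor it happens to run on would report nothing.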

I haven’t read the Rootkits book yet, but I concur with Anton completely
as far as 1 & 2 go. In the case of (2), it is kind of disturbing that a
book suggests doing it the other way.

mm

>> xxxxx@hotmail.com 2007-03-28 04:24 >>>
For Hooking the IDT, Rootkits: Subverting the Windows Kernel By Greg
Hoglund, James Butler is the best book. Refer Chapter 4 For complete
details on IDT Hooking. Its like a tutorial itself

This is a tutorial of how *NOT* to do things - frankly speaking, I find
it just inadequate…

  1. It is not going to work on SMP machine because every CPU has its own
    IDTR and IDT - in order to hook interrupts on SMP machine you have to
    hook IDTs one-by-one

  2. All my experience shows that modifying memory, pointed to IDTR, is
    unsafe - you may BSOD from time to time for no apparent reason. Instead,
    it is better to load a temporary IDT, modify the original one, and then
    reload it

Anton Bassov

