__try __except in kernel mode

Hello everyone.

1. I don't know why, but the __try/__except method does not work with kernel drivers; in user mode it works perfectly, in kernel mode the system crashes, at any IRQL.
Maybe I messed up something. I used the following example:

void TestException(void)
{
    DWORD  A = 100;
    DWORD* B = 0;      /* deliberately NULL: the read below is meant to fault */
    DWORD  C = 20;

    __try
    {
        A = *B;        /* dereference the NULL pointer */
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        A = C;         /* reached only if the fault became a catchable exception */
    }
}
And is it possible to use __try/__except at IRQL > IRQL_PASSIVE_LEVEL?


Get your free mail box @ http://www.mail.md

There are some exceptional conditions that __try/__except cannot catch.
Attempting to access a bad kernel-mode memory address is one of them.
The page fault handler will bug check on this condition instead of
throwing an exception. (Attempting to access a bad user-mode memory
address will throw an exception, however).

- Nick Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Cornel
Sent: Saturday, May 31, 2003 6:47 PM
To: File Systems Developers
Subject: [ntfsd] __try __except in kernel mode

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The __try/__except construct works at any IRQL, and if you look at Rajeev’s
file system books it tells you what kinds of exception it will handle; the
list may be old and may not be exhaustive, but it is something to base on…

Since you are essentially using a null pointer, it does not catch this.

-prokash

Dereferencing a NULL pointer at IRQL >= DISPATCH_LEVEL does not raise an
exception but generates the bug check IRQL_NOT_LESS_OR_EQUAL.
At IRQL < DISPATCH_LEVEL an exception is generated and can be caught by an
exception handler; I don’t see any reason why the above example generates a
bug check.
You need to provide additional details, like what the bug check code is and
what the output from !analyze -v is when the bug check occurs.

Alexei.

I forgot NULL is below the 2GB boundary (nt!MmSystemRangeStart) and
therefore will throw. Dereferencing something bad > 2GB like 0xFFFFFFFF
will bugcheck at all IRQLs, however.

- Nick Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexei Jelvis
Sent: Sunday, June 01, 2003 7:50 AM
To: File Systems Developers
Subject: [ntfsd] Re: __try __except in kernel mode


Hi Nick, thanks for the replies, people.

I was just experimenting with __try/__except with null pointers; it seems not to work.
But this is not the only trouble :)
I am doing a hook for ZwOpenKey to make a few keys in the registry read-only.
So I am hooking system service 0x2E in the IDT like this:

(ntdll)NtOpenKey->int2e->[myhook]->standard_routine

If the service number EAX==0x00000067 (ZwOpenKey),
I am looking at the incoming data, which is:

[edx]   //HANDLE KeyHandle
[edx+4] //ULONG DesiredAccess
[edx+8] //POBJECT_ATTRIBUTES ObjectAttributes

Now ObjectAttributes->ObjectName is the Unicode string that contains the name of the key to be opened.
OK, now I can easily return STATUS_ACCESS_DENIED to the user.

All works just FINE… but sometimes when I’m trying to read the data referenced by ObjectAttributes->ObjectName a kind of “exception handler” takes control, which is an interrupt (I think) because control is returned back through an IRETD instruction, and control is returned in ntdll at the point where the int 2E (EAX=00000067) was called, with erroneous data, and the calling user-mode process just dies :)
Now when I access the data inside the __try/__except statement this “exception handler” is called no more and only SoftICE stops me from a bugcheck (page fault in nonpaged area).

The question is how to read that damn string?? SoftICE displays its content without problems, and I am in the calling thread, so I think I must have access to that buffer…
I noticed that usually all calls come with buffers at 0x0006F…; when the error occurs the buffer is placed at 0x77E035…

PS: I am a beginner in kernel-mode programming, so I can post a lot of stupid questions here :)


I’ve just verified that dereferencing NULL at passive level will throw
an exception and it can be caught using __try/__except. Can you do an
!analyze -v in WinDbg and send us the output?

- Nick Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Cornel
Sent: Sunday, June 01, 2003 6:09 PM
To: File Systems Developers
Subject: [ntfsd] Re: __try __except in kernel mode


Are you sure you haven’t raised your IRQL level to dispatch level when
you were accessing the ObjectName? If you were acquiring a spin lock
before accessing the ObjectName you are implicitly raising the IRQL.

-Srin.


Srin, you are damn right :)
I am at dispatch level… and what to do now?


There is no magic answer for that. :) You need to change your design or
logic so that you call it at less than dispatch level. If you tell
us why you had to raise your IRQL, maybe we can help.
System services are called at passive level. To protect data at
this level without raising the IRQL you could use a mutex instead of a
spinlock. Make sure the data you are protecting with the mutex is not
accessed at dispatch level.

-Srin.

-----Original Message-----
From: Cornel [mailto:xxxxx@mail.md]
Sent: Tuesday, June 03, 2003 5:48 PM
To: File Systems Developers
Subject: [ntfsd] Re: __try __except in kernel mode


I am not sure about it, but I think the request to the system service came already at raised IRQL, because I’m not raising the IRQL in any way; the bug check code is IRQL_NOT_LESS_OR_EQUAL, IRQL=2. The source is very simple and looks like this:
(And is there a possibility to manually lower the IRQL? And would it be helpful?)

/* ServiceID and Location are globals the post does not show; their
   declarations are assumed here so the fragment reads as a unit. */
static ULONG ServiceID;   /* system service number captured from EAX */
static void *Location;    /* address of the original int 2E handler */

static __declspec(naked) void SystemServiceHookEntry(void)
{
    _asm mov ServiceID, EAX          /* save the service number the caller put in EAX */
    if (ServiceID == 0x00000067)     /* ZwOpenKey */
    {
        SAVE_REGISTERS_TO_STACK_MACROS;
        // string comparisons here (and the exception too)
        POP_REGISTERS_FROM_STACK_MACROS;
    }
    _asm jmp cs:[Location]           /* chain to the original system service handler */
}


“Cornel” wrote in message news:xxxxx@ntfsd…
>
> I am not sure about it, but I think the request to the system service came
> already at raised IRQL, because I’m not raising the IRQL in any way; the bug
> check code is IRQL_NOT_LESS_OR_EQUAL, IRQL=2. The source is very simple and
> looks like this:
> (And is there a possibility to manually lower the IRQL? And would it be
> helpful?)

You can check the current IRQL by using KeGetCurrentIrql. If the IRQL is too
high for the function you are going to call, the only option you have is to
perform your work in another thread. You can use a work item for that
purpose (IoAllocateWorkItem/IoQueueWorkItem).
Although there is a way to lower the IRQL by calling KeLowerIrql, you
should never use it to set the IRQL lower than the IRQL at which your code was
called by the OS. This function can be used only to restore an IRQL that was
raised by your code to its original value.

Alexei.
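
The safe version of the read Cornel's hook attempts, as an added example that is not code from this thread or from any of its posters: a user-mode C model of the pattern the replies converge on, namely validate a caller-supplied UNICODE_STRING before touching it, and only at IRQL < DISPATCH_LEVEL. In a real driver the range and alignment check is ProbeForRead() inside __try/__except at PASSIVE_LEVEL, and the user/kernel boundary is the nt!MmSystemRangeStart Nick mentions; here the probe (probe_for_read_model), the boundary (MODEL_SYSTEM_RANGE_START), the IRQL argument and the status MODEL_IRQL_TOO_HIGH are constructed stand-ins so the logic compiles and runs with any C compiler. The STATUS_* values are the real NTSTATUS codes; the key name and the demo cases are constructed sample input.

```c
/* Added example, not code from this thread. A user-mode model of the safe way
 * to read a caller-supplied UNICODE_STRING (ObjectAttributes->ObjectName in the
 * hook above) from a system-service hook. A real driver would do the same
 * checks with ProbeForRead() inside __try/__except at PASSIVE_LEVEL; here the
 * probe, the user/kernel boundary (nt!MmSystemRangeStart in the thread) and
 * the IRQL are modelled as plain values so the logic compiles anywhere. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Real NTSTATUS values for the failures a probe reports. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_INVALID_PARAMETER     0xC000000Du
#define STATUS_BUFFER_TOO_SMALL      0xC0000023u
#define MODEL_IRQL_TOO_HIGH          0xEE000001u  /* constructed, not a real NTSTATUS */

#define PASSIVE_LEVEL  0u
#define DISPATCH_LEVEL 2u
/* Model boundary: everything from this address upward counts as kernel space. */
#define MODEL_SYSTEM_RANGE_START (UINTPTR_MAX - 0xFFFFu)

/* Same layout as the kernel's UNICODE_STRING; both lengths are in bytes. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } UnicodeStringModel;

/* Model of ProbeForRead(): [addr, addr+len) must lie below the system range and
 * addr must be aligned. In the kernel a failure is raised as an SEH exception
 * (catchable only below DISPATCH_LEVEL); here it is returned as a status, and
 * nothing is dereferenced when it fails. */
static uint32_t probe_for_read_model(uintptr_t addr, size_t len, size_t align,
                                     uintptr_t system_range_start)
{
    if (len == 0)                          return STATUS_SUCCESS;
    if (align != 0 && (addr % align) != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr)                 return STATUS_ACCESS_VIOLATION; /* wrapped */
    if (addr + len > system_range_start)   return STATUS_ACCESS_VIOLATION; /* kernel */
    return STATUS_SUCCESS;
}

/* Copies the string described at user_desc into a caller-owned buffer.
 * Order matters: probe the descriptor, fetch it ONCE into a local so the
 * caller cannot change Length after validation, then probe and copy the
 * buffer. Refuses at DISPATCH_LEVEL or above: a fault on pageable user memory
 * there is the IRQL_NOT_LESS_OR_EQUAL bug check from the thread, not an
 * exception that __try/__except could catch. */
static uint32_t capture_user_string(uintptr_t user_desc, unsigned irql,
                                    uintptr_t system_range_start, uint16_t *out,
                                    size_t out_cap_bytes, size_t *out_len_bytes)
{
    UnicodeStringModel local;
    uint32_t st;

    *out_len_bytes = 0;
    if (irql >= DISPATCH_LEVEL)
        return MODEL_IRQL_TOO_HIGH;

    st = probe_for_read_model(user_desc, sizeof local, sizeof(void *), system_range_start);
    if (st != STATUS_SUCCESS)
        return st;
    memcpy(&local, (const void *)user_desc, sizeof local);      /* single fetch */

    if (local.Length % sizeof(uint16_t) != 0 || local.Length > local.MaximumLength)
        return STATUS_INVALID_PARAMETER;
    if (local.Length > out_cap_bytes)
        return STATUS_BUFFER_TOO_SMALL;

    st = probe_for_read_model((uintptr_t)local.Buffer, local.Length,
                              sizeof(uint16_t), system_range_start);
    if (st != STATUS_SUCCESS)
        return st;
    memcpy(out, local.Buffer, local.Length);
    *out_len_bytes = local.Length;
    return STATUS_SUCCESS;
}

enum DemoCase { DEMO_OK, DEMO_ODD_LENGTH, DEMO_LENGTH_OVER_MAX, DEMO_KERNEL_BUFFER };
static size_t g_demo_len;   /* byte length captured by the last demo_capture() */

/* Builds a constructed key name and runs capture_user_string() on it. */
static uint32_t demo_capture(unsigned irql, enum DemoCase c)
{
    static const char ascii[] = "\\Registry\\Machine\\SOFTWARE\\Example";  /* constructed */
    uint16_t name[64], copy[64];
    UnicodeStringModel desc;
    size_t i;

    for (i = 0; ascii[i] != '\0'; i++)          /* ASCII to UTF-16LE code units */
        name[i] = (uint16_t)(unsigned char)ascii[i];
    desc.Length = desc.MaximumLength = (uint16_t)(i * sizeof(uint16_t));
    desc.Buffer = name;

    if (c == DEMO_ODD_LENGTH)      desc.Length = 7;    /* not a whole number of WCHARs */
    if (c == DEMO_LENGTH_OVER_MAX) desc.Length = 200;  /* Length beyond MaximumLength */
    if (c == DEMO_KERNEL_BUFFER)   desc.Buffer = (uint16_t *)(MODEL_SYSTEM_RANGE_START + 0x100);

    return capture_user_string((uintptr_t)&desc, irql, MODEL_SYSTEM_RANGE_START,
                               copy, sizeof copy, &g_demo_len);
}

int main(void)
{
    uint32_t st = demo_capture(PASSIVE_LEVEL, DEMO_OK);
    printf("passive level : 0x%08X, %zu bytes copied\n", (unsigned)st, g_demo_len);
    st = demo_capture(DISPATCH_LEVEL, DEMO_OK);
    printf("dispatch level: 0x%08X (refused before touching user memory)\n", (unsigned)st);
    return 0;
}
```

Two things the model makes explicit that the thread only states in prose: the descriptor is fetched into a local once and every later check uses that copy, so a caller who rewrites Length after the probe cannot turn the copy into an over-read; and the IRQL check comes first, because at DISPATCH_LEVEL and above a fault on pageable user memory is the IRQL_NOT_LESS_OR_EQUAL bug check Cornel saw, not an exception any handler gets to see.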

> I am not sure about it, but I think the request to the system service
> came already at raised IRQL,

No.

Max