Over two months since my last update! Guess I’ve been enjoying the Summer a bit too much…I plan on picking back up again in a couple of weeks when I’m back from vacation, until then look out for our upcoming issue of The NT Insider where I’ll be covering the details of DbgEng and writing your own debugger extensions.
Dog days of Summer
July 23rd, 2010Process specific breakpoints
May 20th, 2010I’ve talked previously about thread specific breakpoints, which allow you to set a breakpoint that will only fire for a specific thread. Equally useful are process specific breakpoints, which will only fire for any thread within a given process.
To set a process specific breakpoint, you specify the /p switch to the bp command and supply a process object address:
bp /p 84996030 ntfs!ntfscommoncreate
The process address could, for example, be retrieved from the output of the !process 0 0 command or you can use the handy $proc pseudo register to specify the current process:
bp /p @$proc ntfs!ntfscommoncreate
Driver Speak: IRQL
May 12th, 2010Interrupt request levels are a fundamental Windows concept. We all know what they are (and if not we should) and interact with them every day, but do we know how to pronounce their acronym “IRQLs”?
Much like most of these terms, you’ll find a few alternate pronounciations. The one that I use is:
Urk wull
With short u sounds.
An alternate pronounciation that you’ll sometimes hear is:
Urkel
(An homage to Steve?)
Lastly, there’s the obvious pronounciation of just sounding out the letters:
I R Q L
Though what fun is that?
DPCs execute on their own call stack (x86 Edition)
April 29th, 2010Deferred Procedure Call (DPCs) are callbacks to an arbitrary thread context at IRQL DISPATCH_LEVEL. There is a DPC queue per processor, and queueing a DPC performs two steps:
1) Inserts the DPC onto the DPC queue of the current processor.
2) Requests a DISPATCH_LEVEL software interrupt on the current processor.
Note that there are exceptions to both of those, though I’m not interested in talking about them at this moment
When the operating system is about to return to an IRQL < DISPATCH_LEVEL, the DISPATCH_LEVEL software interrupt is delivered to the processor. On XP, the ISR for this interrupt is hal!HalpDispatchInterrupt, which does some interrupt management work and calls nt!KiDispatchInterrupt. You can get a feel for how this works by setting a breakpoint on KiDispatchInterrupt and checking out a few call stacks, which should look like the following:
While KiInterruptDispatch serves a few different purposes, for our discussion all we care about is the beginning of the function shown here:
Note the call near the end of the listing to nt!KiRetireDpcList. This is the function that will sit in a loop dequeing DPCs from the current processor’s DPC queue and calling the callbacks. There’s some interesting code leading up to that call though, so let’s go line by line and figure out exactly what this code is doing.
nt!KiDispatchInterrupt: mov ebx,dword ptr fs:[1Ch]
This line is moving the contents of offset 0×1c from the far segment into EBX. In kernel mode, the base of the far segment is the base address of what is called the PCR for the current processor:
Thus, this code is grabbing whatever field is at offset 0×1c from the base of the PCR structure. Luckily we have the type information for the PCR, which is nt!_KPCR so we can easily see what is at that offset in the structure:
That is the SelfPcr field, which is just the flat address of the PCR (in this case that would be 0xffdff000). Let’s move on to the next fragment:
nt!KiDispatchInterrupt+0x7: lea eax,[ebx+980h] cli cmp eax,dword ptr [eax] je nt!KiDispatchInterrupt+0x2f (805459df)
Here, we add 0×980 to the base address of the PCR and store the result in EAX. We then disable interrupts on the current processor and check to see if the contents of the pointer match the pointer address.
The CMP instruction will do a logical subtract of the two values and set the Z-Flag to one if the result is zero, which would mean that the two values are the same. The JE instruction will, “Jump if the Z-Flag Equals one”, so if the contents of the pointer match the address of the pointer then this code will jump over the code segment that calls KiRetireDpcList.
If you’ve never looked at much assembly that might seem a bit weird, so let’s see what’s add offset 0×980 from the PCR and see if we can figure out what this code is doing.
If you go to a full listing of the PCR structure, you’ll notice that the last offset given is 0×120 and that is the PrcbData field:
Thus, in order to figure out what’s at offset 0×980 from the base of the PCR we’ll need to go to offset 0×860 into the PRCB. We’ll find this by doing a dt nt!_kprcb and scanning the output:
Aha! That field is labeled as the DpcListHead (a.k.a. the DPC queue) and the type is a LIST_ENTRY, which is the standard type for a doubly linked list in the kernel.
LIST_ENTRY structures have two fields, a Flink field that points to the next entry and a Blink field that points to the previous entry. When a list is empty, the Flink field points back to the address of the head of the list. So our previous check above is testing the value of the Flink field against the address of the list head, in other words it is checking to see if the list is empty. If it is, the code avoids draining the DPC queue (which makes sense).
If the list is not empty, then the code sets up to call KiRetireDpcList:
nt!KiDispatchInterrupt+0x12: push ebp push dword ptr [ebx] mov dword ptr [ebx],0FFFFFFFFh mov edx,esp mov esp,dword ptr [ebx+988h] push edx mov ebp,eax call nt!KiRetireDpcList (80545e0e)
I’m going to save the first three instructions for another time if I ever get to talk about Structured Exception Handling (SEH). Right now it’s sufficient to set that the code there prevents kernel mode exceptions from being raised to user mode exception handlers.
The next two instructions are interesting though:
mov edx,esp mov esp,dword ptr [ebx+988h]
Note that the code saves the current stack pointer and then overwrites ESP with a different pointer value from the PCR. We saw previously that the last offset in the PCR is 0×120, which is the beginning of the PRCB. So, whatever value is at offset 0×868 from the PRCB is what we put into the stack pointer register. If you scroll up to the previous graphic, you’ll see that field labeled as DpcStack:
+0x868 DpcStack : Ptr32 Void
Thus, each processor has its own DPC stack that is used when DPCs are executed. Shortly this is going to lead to an unexpected problem that this post will hopefully help you solve.
Lastly, the old stack pointer is pushed onto the stack and finally the call to KiRetireDpcList occurs. When it completes, the old stack is restored and all is right in the World.
However, there’s an interesting issue that can arise in your crash analysis. What if the system crashes inside a DPC? Due to the stack swap that occurs in KiRetireDpcList you’ll get this when you try to dump the call stack:
In other words, you’ll get a listing for the DPC stack and you won’t necessarily be able to see the actual kernel stack of the current thread. While in 99% of the cases the DPC stack will be the only stack that you care about, there’s that 1% where knowing the current thread stack will provide the insight necessary to solve the crash (in almost 10 years I’ve seen two). Luckily, it’s going to be relatively straightforward to get the stack back. Even more luckily, it’s mostly formulaic so even if you’re not sure why you can get it back you’ll still be able to 
First thing you need is the old stack pointer, which is the first thing on the stack before the return address in the call to nt!KiRetireDpcList:
Then we’re going to dump this out with the dps command and find the return address to hal!HalpDispatchInterrupt that the nt!KiDispatchInterrupt will return to. We’ll also want the first thing on the stack after the return address:
In my case, I have 0xf715da0c and hal!HalpDispatchInterrupt+0xbb. Now all that’s left is to feed those two values into the special k syntax that allows you to specify your own EBP, ESP, and EIP overrides:
Note that there’s a cheater shortcut, I could have just done k = f715da00 f715da00 @eip in this case and gotten a slightly busted but still legible stack. The technique above gives a more attractive and correct stack in the end
Possibly we can cover why this command works in the future, but for now hopefully that’s enough of a guide for you to go experiment yourselves. Don’t forget that you can always play with this on a live system where you can verify your results by simply stepping out of nt!KiRetireDpcList.
Random Other Points
1) The DISPATCH_LEVEL software interrupt isn’t always requested, so the DPC isn’t always drained when returning to an IRQL < DISPATCH_LEVEL.
2) The Idle thread also checks the DPC queue and, if it isn’t empty, drains the queue by dequeueing entries and calling the callbacks. In this case, the DPCs execute on the Idle thread’s stack
3) It is possible to target a DPC to a processor other than the current processor
Driver Speak: WinDBG
April 26th, 2010Everyone loves the the Windows Kernel Debugger WinDBG, but how do you pronounce it when you’re talking about it? There are, in fact, two commonly accepted pronounciations:
Win D-B-G
And:
Wind bag
I exclusively use the latter as it rolls off of the tongue a bit better in my opinion.
Bonus Material: Driver Speak Spelling Bee
WinDBG also has the distinction of having two spellings: WinDBG and WinDbg. WinDbg appears to be the “correct” spelling, as it is how the name appears in the application’s title bar. However, for no good reason other than asthetics I prefer WinDBG, so that’s what I use.
New post series coming up: Driver Speak
April 26th, 2010I’m going to start a new mini-post series called Driver Speak. In this series I’m going to write posts that describe how to pronounce all those strange words and acronyms you’ll come across in your driver writing. First up will be everyone’s favorite kernel debugger, “WinDBG.”
Getting WER crash dumps on Windows 7
April 16th, 2010I had an application crashing on my Windows 7 system and couldn’t find a resulting DMP file anywhere. After some fruitless Googling, I finally found the magic incantation that I needed to get the Windows Error Reporting mechanism to write out a dump for me.
The trick for me was the DumpFolder registry value, described here:
http://msdn.microsoft.com/en-us/library/bb787181(VS.85).aspx
Setting this value to a path on the local machine and setting the DumpType value to 2 finally got me the crash dump that I was looking for.
Undocumented !verifier flags value (!verifier 0×200)
April 14th, 2010Starting with Windows Vista, Driver Verifier has been updated to include circular trace buffers for interesting events. My favorite up until this point has been the pool allocate and free log, which records the call stack, calling thread, and address of pool allocations and frees. If the system then crashes due to a double free or access to a freed pool block, the debugger’s !verifier 0×80 command can be used to dump the alloc/free log. Even better, the command takes an optional address value that will show only the allocations and frees of the pool block containing that address.
You can see the results in this example from the WinDBG docs:
0: kd> !verifier 80 a2b1cf20 Parsing 00004000 array entries, searching for address a2b1cf20. ======================================= Pool block a2b1ce98, Size 00000168, Thread a2b1ce98 808f1be6 ndis!ndisFreeToNPagedPool+0x39 808f11c1 ndis!ndisPplFree+0x47 808f100f ndis!NdisFreeNetBufferList+0x3b 8088db41 NETIO!NetioFreeNetBufferAndNetBufferList+0xe 8c588d68 tcpip!UdpEndSendMessages+0xdf 8c588cb5 tcpip!UdpSendMessagesDatagramsComplete+0x22 8088d622 NETIO!NetioDereferenceNetBufferListChain+0xcf 8c5954ea tcpip!FlSendNetBufferListChainComplete+0x1c 809b2370 ndis!ndisMSendCompleteNetBufferListsInternal+0x67 808f1781 ndis!NdisFSendNetBufferListsComplete+0x1a 8c04c68e pacer!PcFilterSendNetBufferListsComplete+0xb2 809b230c ndis!NdisMSendNetBufferListsComplete+0x70 8ac4a8ba test1!HandleCompletedTxPacket+0xea ======================================= Pool block a2b1ce98, Size 00000164, Thread a2b1ce98 822af87f nt!VerifierExAllocatePoolWithTagPriority+0x5d 808f1c88 ndis!ndisAllocateFromNPagedPool+0x1d 808f11f3 ndis!ndisPplAllocate+0x60 808f1257 ndis!NdisAllocateNetBufferList+0x26 80890933 NETIO!NetioAllocateAndReferenceNetBufferListNetBufferMdlAndData+0x14 8c5889c2 tcpip!UdpSendMessages+0x503 8c05c565 afd!AfdTLSendMessages+0x27 8c07a087 afd!AfdTLFastDgramSend+0x7d 8c079f82 afd!AfdFastDatagramSend+0x5ae 8c06f3ea afd!AfdFastIoDeviceControl+0x3c1 8217474f nt!IopXxxControlFile+0x268 821797a1 nt!NtDeviceIoControlFile+0x2a 8204d16a nt!KiFastCallEntry+0x127
In the output, the most recent event is at the top. Thus, here you can see that the buffer was allocated with ndisAllocateFromNPagedPool and freed with ndisAllocateFromNPagedPool.
In addition to the pool allocation log, !verifier 0×100 shows the IRP log, which logs all IoCallDriver, IoCompleteRequest, and IoCancelIrp calls.
Based on the docs you’d think that’s all there is, but there’s an undocumented log that can be accessed with !verifier 0×200 and that is the critical region log.
This is not to be confused with the user mode concept of critical regions. In a driver, one can call KeEnterCriticalRegion and KeExitCriticalRegion in order to disable and re-enable APC delivery. Without getting too much in to why a driver needs to disable APC delivery, what’s important to note is that every call to KeEnterCriticalRegion must be matched with a call to KeExitCriticalRegion. If a driver gets this wrong, then the system will crash with an APC_INDEX_MISMATCH bugcheck when it notices that the enter/exit count is off.
The way this works is that entering a critical region decrements a field of the KTHREAD structure and exiting a critical region increments the field of the structure. At various points in the O/S, the field of the KTHREAD is checked to make sure that it is zero. If it isn’t, then the system crashes with the previously mentioned APC_INDEX_MISMATCH bugcheck code. One such place that this is checked is in the system service dispatcher before returning back to the caller, which is why you’ll see these bugchecks come from KiSystemServiceExit.
What makes these crashes particularly difficult to track down is that the crash is a secondary failure, by the time the system notices that the count field is incorrect the code that caused the bad state is gone. Enter the critical region log, which will trace every call to KeEnterCriticalRegion and KeLeaveCriticalRegion for the Verified drivers. Now, when the system crashes you can just type !verifier 0×200 in the debugger and find the mismatched call.
Note that this only works with Driver Verifier enabled, just another reason to make sure that you’re always testing with Verifier!
Expressing negative decimal numbers in WinDBG
April 6th, 2010Surprisingly, after almost a decade of using WinDBG I have never had to use a negative decimal value in a WinDBG expression. Until recently, that is…Because the MASM syntax was a bit trickier than expected, I thought I’d record it here for posterity.
When using the MASM evaluator (which is the default in WinDBG), hex values are the default and decimal numbers are indicated by using the 0n override. Thus, for example, if I wanted to evaluate 123 in an expression I could use 0n123:
3: kd> ?0n123
Evaluate expression: 123 = 00000000`0000007b
However, if I want to use -123 there’s a bit of a catch. My natural inclination was to put the minus sign to the right of the 0n and the left of the 123, such as this: 0n-123. However, this yields an unexpected result:
3: kd> ?0n-123
Evaluate expression: -291 = ffffffff`fffffedd
That’s actually -0×123, not -123. To make matters even worse, the latest debugger even shows this syntax when displaying negative decimal values:
3: kd> dt nt!_mdl fffffa80077f1df0
+0×000 Next : (null)
+0×008 Size : 0n56
+0×00a MdlFlags : 0n-32701
+0×010 Process : 0xfffffa80`069dab30 _EPROCESS
+0×018 MappedSystemVa : 0xfffffa80`06797294 Void
+0×020 StartVa : 0×00000000`0404f000 Void
+0×028 ByteCount : 0×1c
+0×02c ByteOffset : 0×79c
However, the correct syntax is to put the minus sign to the left of the 0n:
3: kd> ?-0n123
Evaluate expression: -123 = ffffffff`ffffff85
For the C++ evaluator, things are much easier because the default radix is decimal. Thus, all you need to do is specify -123:
3: kd> ? @@c++(-123)
Evaluate expression: -123 = ffffffff`ffffff85
The trick now comes when you want to specify a negative hex number, which also requires the minus sign to be on the left of the modifier:
3: kd> ? @@c++(0x-123)
Evaluate expression: -123 = ffffffff`ffffff85
3: kd> ? @@c++(-0×123)
Evaluate expression: -291 = ffffffff`fffffedd
WinDBG caches data from the target (.cache)
April 5th, 2010Been a bit of an unexpected break for a while now, but hopefully back to regular posting…
You might never need to know this, but WinDBG will actually cache data read from the target. For example, this means that if you dd a memory location multiple times only the first dump of the memory will actually be read from target. Obviously this cache is invalidated when the target is resumed, so most of us won’t have an issue with this caching. However, if the memory you’re dumping is something like mapped device memory then this is an issue as the cache could be stale.
Enter the .cache command, which controls the size and state of the local cache (amongst other things, we’ve seen .cache before). Turning off the cache is as easy as executing .cache 0, which sets the size of the local cache to zero. This causes all of your reads to hit the target and ensure that you’re seeing the latest data. There are also the flushall, flushu, and flush parameters, which allow for flushing all or some of the cache from the local machine.