Kernel Drivers Ahoy!

cscript, or why life is dull

2011-02-11T06:19:00.000-08:00

I'm busy doing WMI stuff these days, and I've had to play with js code within the microsoft command prompt. It's fun, but it can be a hassle to try and understand the code that's there.

One thing that is usefull, is to make sure that all js output goes to the command prompt, so it makes it easier to read.

to do that, type this in a command prompt!

Cscript /H:CScript

Cmd, my best friend after all

2011-01-26T07:26:00.000-08:00

Isn't it interesting that after all that GUI we are being thrown, we just end up going back to command prompts to get interesting stuff quickly?

Just recently, I've had to figure out the ip address of my laptop to be able to add a route, and the easiest way to figure it out? cmd prompt!

Here's how to get the ip address of a machine easily (all of them):

netsh interface ip show addresses | find "IP Address" | find /v "127.0.0.1" | find /v "0.0.0.0"

You can also get this into a variable, and specify the actual config you want

Here's a batch file I use to get my "Canada" address ;)
@echo off
@netsh interface ip show addresses "Canada" | find "IP Address" | find /v "127.0.0.1" | find /v "0.0.0.0" > %temp%\tempip.txt
@FOR /F "tokens=2 delims=:" %%a in (%temp%\TEMPIP.txt) do set IP=%%a
@del %temp%\TEMPIP.txt
@set IP=%IP:~1%
@set IP=%IP: =%
@echo %IP% >%temp%\ip.txt
@echo The current Canada IP address is "%IP%"
@echo press any key to set the address in the routing table
pause
route add 10.22.180.0 mask 255.255.255.0 %IP%

I have other cmd tidbits I love, I'll add them later

It's the parameters dummy!

2009-07-21T18:46:00.001-07:00

You know you've been looking at the same code too much when one small parameter is all it takes to change the behaviour!

I was looking at code where there was a KeWaitForSingleObject, but the alertable parameter was set to TRUE instead of the normal FALSE...

Then I was failing to understand how this thread was continuing on, freeing the worker, and crashing the rest of the code...

Well, it was all caused by this alertable set to TRUE.

The calling app, which was terminating, caused the thread to be in an alertable state. Then obviously, the code didn't deal with it (that's what you get with inherited code that you people hand over to you)...

Of course, since the worker was still in the queue, and was now freed, there had to be some other piece of code that would come along and try to signal the event that was part of said worker! DUH!

Anyhow, now I've learned my lesson: always, always make sure you use the return code, and look at the value!

finding a leaked tag quickly!

2009-06-19T05:20:00.001-07:00

Recently, I've been working on a file system driver, and unfortunatly something in it is increasing the memory foot print on every directory query.

Now I wanted to see what was the call that was increasing the memory, but unfortunatly the tag that was leaking was not in my code.

So, you can create a breakpoint that executes and checks the tag on exallocatepoolwithtag, but since memory is constantly allocated, that will take a while (execute and continue is slow).

So here comes microsoft to the rescue!

In fact there is a nice global variable that you can set, and it will break when that tag is allocated.

nt!poolhittag

You just do "ed nt!poolhittag 'looP'" to get a hit on tag "Pool" (yes you need to reverse the name)

You can see the contents of it by doing "db nt!PoolHitTag L4"

The debugger will now break every time that pool is allocated or freed with the "Pool" tag!

Saved me a couple of hours of going nuts!

Enable Auto-Login

2009-05-15T11:08:00.000-07:00

Another quick usefull tidbit, how to enable auto-login on 2008:

do "run", then type : control userpasswords2

Then simply deselect that the user needs to type a password and press OK...

Then the system asks you for the user password, and it now will auto-login!!!

Super ;)

Enable Kernel Debugging on vista and better

2009-05-15T07:28:00.001-07:00

Somehow, I always forget this, and have to google it...

http://www.microsoft.com/whdc/driver/tips/Debug_Vista.mspx

In a nutshell:

1- bcdedit /copy {current} /d DebugEntry

(this will give you the {ID} of your new entry, important for later)

2- bcdedit /debug {ID} ON

(this sets the entry to be debug enabled with default settings - com1/115200)

3- bcdedit /default {ID}

(this sets the newly created entry as being the default now)

And reboot!!! Voila! Now, stop googling for it! (note to self)

APCs

2009-04-03T07:32:00.000-07:00

Whew, who knew APCs could be so complicated...

After a small discussion with various team members, here is what we know:

There are a couple of different APC types:

user mode APC
kernel mode APC
special kernel mode APC

To disable user/kernel mode APC for the CURRENT THREAD use KeEnterCriticalRegion
To disable user/kernel/special kernel mode APC for the CURRENT THREAD use KeEnterGuardedRegion
To disable user/kernel/special kernel mode APC for EVERYONE use KeRaiseIrql to APC_LEVEL

Our main contention was that being at passive mode didn't tell you if those APCs would run or not... So they may not run... for the current thread... But unless you are at APC, they will always be enabled for other threads

Friends & Family

2007-11-16T10:39:00.000-08:00

Hi Friends & Family.

I know this blog is mostly about work related things, and for the forseable future it will stay that way. Note that I will create a family & friends oriented blog in the near future, and I will update that regularly ;)

In the mean time, don't hesitate to post comments on the posts available here!

See you soon!

S

The answer!

2007-10-19T12:38:00.000-07:00

After just a last look at the documentation for OpenFileById, I stumbled on the structure they point to at msdn:
(http://msdn2.microsoft.com/en-us/library/aa364227.aspx)

typedef struct FILE_ID_DESCRIPTOR {
DWORD dwSize; // Size of the struct
FILE_ID_TYPE Type; // Describes the type of identifier passed in.
union {
LARGE_INTEGER FileId;
GUID ObjectId;
};
} FILE_ID_DESCRIPTOR, *LPFILE_ID_DESCRIPTOR;

I noticed a difference with the version declared in the shipping v1.1 version of fileext.h:

typedef struct FILE_ID_DESCRIPTOR {
DWORD dwSize; // Size of the struct
FILE_ID_TYPE Type; // Describes the type of identifier passed in.
union {
LARGE_INTEGER FileId;
};
} FILE_ID_DESCRIPTOR, *LPFILE_ID_DESCRIPTOR;

When using sizeof() with the msdn version, it correctly returns 24...

I've sent microsoft an email about it...

I'm guessing no one is using this :p

OpenFileById

2007-10-19T12:08:00.000-07:00

A while back,

I was trying to determine the file name for a given file ID, and had initially found the new win32 API to do this: OpenFileById.

However, I never got it to work, and soon used some kernel code in usermode to get it.

Recently, I've had to revisit this code to make an easier win32 app that can find a file's name.

I was always getting an invalid parameter every time I called the function, so I finally traced in assembly...

And behold! The function was checking my parameters, and the size of the structure I was passing (the dwSize parameter), which I had set to the sizeof(structure).

When looking at the given size, it did not match what they were looking for. (I had 16)

So I just changed my code to set the size to the value they were expecting (24), and made sure I allocated my structure inside a pointer that had at least that size as a backing (even if the structure really only is 16 bytes).

All of a sudden it worked!

Here is a tidbit:

wsprintf(szVolumePath, TEXT("\\\\.\\%c:"), cDriveLetter[0]);
hDisk=CreateFile(szVolumePath,
GENERIC_READ,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);

if(hDisk!=INVALID_HANDLE_VALUE)
{
// This value was determined by looking at the assembly code
// and has no actual corresponance to the structure size which
// is 16. Might be related to 64bit version?
fileIDDesc.dwSize = 24;
fileIDDesc.FileId.QuadPart = index;
fileIDDesc.Type = FileIdType;

hFile = OpenFileById ( hDisk,
&fileIDDesc,
SYNCHRONIZE | FILE_READ_ATTRIBUTES,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
0 );

if (hFile != INVALID_HANDLE_VALUE)
{
PFILE_NAME_INFO pFileNameInfo = NULL;
pFileNameInfo = (PFILE_NAME_INFO)malloc(sizeof(FILE_NAME_INFO)+1000);
if (pFileNameInfo != NULL)
{
RtlZeroMemory(pFileNameInfo, sizeof(FILE_NAME_INFO) + 1000);
GetFileInformationByHandleEx(hFile, FileNameInfo, pFileNameInfo, sizeof(FILE_NAME_INFO) + 1000);

if (pFileNameInfo->FileNameLength > 0)
{
if (*pLength >= pFileNameInfo->FileNameLength)
{
// copy your file, and return it!

That's how simple it is, if you figure out that OpenFileById needs a 24bytes size structure :p

2007-10-19T11:18:00.000-07:00

Well!

This is my new blog, the old one is located here:

http://steve-goddyn.spaces.live.com/default.aspx

Don't hesitate to give me a shout if you need to!

S