Mystery of RuntimeExceptionHelperModules in WerRegisterRuntimeExceptionModule(…) function

I guess this happens to everyone: you need to write a test project to see if some feature works, you are stuck with poor documentation, and Google has no examples for you … Recently I was trying to call WerRegisterRuntimeExceptionModule(…) to register my custom exception filtering module and I got stuck registering the module as …

Modifying EIP in WinDbg on the fly in order to test different branches of code

Sometimes during debugging some function has just failed and you want to retry it. After this function fails you might get a BSOD, for example:

    ntRetVal = FileOpen(&hFile, szPath);
    if (!NT_SUCCESS(ntRetVal)) {
    #ifdef DBG
        KeBugCheckEx(0x0, 0, 0, 0, id_of_the_problem);
    #endif
    }

Now, as you can see in the above code, it …

How to find the cause of a BSOD without a dump file

Sometimes a BSOD occurs without any dump file being generated. It can take some time to figure out why no dump file was generated and what to do about it. If this happens on the customer's side, it is sometimes really problematic due to different policies, restrictions, etc. On the other hand, it is possible to …

Why calling WTSEnumerateSessions in an NT service initialization routine is a bad idea

Recently during testing I noticed that my NT service stopped working on a Windows Vista machine. There were no crashes, just an entry in the Event Log saying: “Error 1053: The service did not respond to the start or control request in a timely fashion”. These types of things are slightly more difficult to debug than usual crashes …

How to BSOD Trend Micro Internet Security in 10 minutes

(Prequel: How to BSOD Norton Antivirus in 10 minutes) Recently I have noticed that some well-known brands like Norton, VMware, Juniper, Trend Micro and some others have stability issues with their drivers. It seems that these brands neglect to pass Driver Verifier tests, thus releasing quite unstable code. It is worth mentioning …

WDK 7.x is not compatible with Windows 2000 anymore …

A new version of the Windows Driver Kit, 7600.16385.0, was released recently, and probably some of you have noticed that it does not support the Windows 2000 build environment. This is bad news for me, as I still need to support Windows 2000 in some of my projects. Before, with the WDK 6.x versions, you had a …

Norton’s quality of code in drivers

http://www.youtube.com/watch?v=k5wzFY88Wiw

The life of every driver developer is complicated by the fact that the code you write should be stable (read: bug free) and compatible with any other third-party drivers. It is very important for any driver to be bug free, as any error in the kernel leads (directly or indirectly) to a blue screen of death …

SMB traffic not captured in TDI filter driver

Recently I ran into a problem in one of my TDI filters when filtering SMB traffic. The filter driver was able to see outgoing TDI_CONNECT requests to ports 139 and 445, but during a heavy file upload no TDI_SEND requests were issued. Usually in such cases you start to googlize for a solution, and I …

A case of mysterious BSOD at tcpip!TcpIndicateData+22b

1. The causes

Recently I was observing strange BSODs on my Vista machine quite periodically when dealing with network applications:

2. Investigations

As you can see, the BSOD happens because tcpip.sys is trying to access a wrong address. Luckily, I was able to access the dump file generated during this BSOD. When I try …

Mysterious ExUuidCreate function

I was inspired to write this post after being confused by the behaviour of the ExUuidCreate function in Windows Vista. This function is used to generate GUIDs in kernel mode. According to the documentation: “ExUuidCreate returns STATUS_SUCCESS if successful; otherwise, if the system is not ready to generate a new UUID, it returns STATUS_RETRY.” In practice, if you call …

A change for SoftIce

As SoftIce is officially dead, you might want to find a substitute for it. There is one product which aims to fully replace SoftIce – the Syser debugger, which offers a very similar user interface and “live” kernel debugging on the host machine: According to the documentation, all command line commands are fully SoftIce compatible (you can check all …

Bug in MSDN: TDI_EVENT_RECEIVE_DATAGRAM & its handler

If you ever wanted to handle the TDI_EVENT_RECEIVE_DATAGRAM (http://msdn2.microsoft.com/en-us/library/ms801156.aspx) event in TDI, you would notice that its handler's declaration is a bit strange (http://msdn2.microsoft.com/en-us/library/ms801622.aspx):

    NTSTATUS ClientEventReceive(
        IN PVOID TdiEventContext,
        IN CONNECTION_CONTEXT ConnectionContext,
        IN ULONG ReceiveFlags,
        IN ULONG BytesIndicated,
        IN ULONG BytesAvailable,
        OUT ULONG *BytesTaken,
        IN PVOID Tsdu,
        OUT PIRP *IoRequestPacket
    );

Guess what? Its declaration is the …

DRIVER_VERIFIER_IOMANAGER_VIOLATION in Windows Server 2003 SP2 with latest updates ON

Recently, I received the following error when trying to test my TDI filter driver on Server 2003 SP2 with the latest updates ON:

    DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
    Arguments:
    Arg1: 00000208, (Fatal error) This IRP is about to run out of stack locations. Someone may have forwarded this IRP from another stack. (IRP specified.)

This violation message appeared when I …

The case of Task Manager that does not kill

Quite a long time ago, my friend Vadym Stetsiak described a bug in Task Manager which makes it possible to prevent (!) the killing of a process if its name is lsass.exe. In order to test this bug, you can rename any executable file to lsass.exe, run it, and then try to kill it from Task Manager. You …

Undefeatable files & folders in Windows XP SP2 – a bug in SHFileOperationW

Recently I was surprised by one interesting behavior of my Windows XP box. I was playing with long file names and noticed that most of my shell extensions do not work with files whose path is longer than 260 characters. I also noticed that the Windows Shell does not allow me to create long file …

PDBExt plugin (32 bit) v(0.2) for IDA Pro v(5.0 and higher) is released

As I promised, here is the next version of the plugin. This version introduces an extended set of settings. In addition to ‘local’ settings (which are specific per project) there are so-called “global” settings. This feature seems very useful to me, because when I worked on several projects I was constantly forced to specify …

PDBExt plugin (32 bit) v(0.1) for IDA Pro v(5.0 and higher) is released

IDA Pro allows you to load symbols for Windows components. However, this feature is not fully suitable for me, because it constantly loads them from the internet. This looks inefficient, especially if you use IDA on different machines – the symbols get downloaded for each of them. I prefer everything that can be controlled, so my idealistic vision …
