Posts

Debugging Stop 0xC4 - DDI Compliance Rules

Driver Verifier in Windows 8/8.1 added several new debugging and testing procedures. The example in this blog post covers DDI Compliance Rules and how to debug the bugcheck they raise. I know this is a very easy bugcheck, but I just wanted to explain some of the parameters and the extensions we can use with it. The first parameter contains the identifier of the broken DDI Compliance Rule, and the second parameter contains a pointer to the string which describes that rule. We should first discuss what DDI Compliance Rules are and what DDI Compliance Checking is. DDI Compliance Rules define how a driver and the kernel-mode side of the operating system should interact, in order to prevent crashes and other problems. The DDI Compliance Rules apply to WDM, KMDF, NDIS and Storport drivers. In this example, since the driver has broken a Windows Driver Model (WDM) DDI (Device Driver Interface) rule, we'll look at the WDM side of things. The DDI Compliance Checking D...

Debugging Stop 0x1E - Finding the Exception Record Address in the Stack

This is going to be a very short blog post, just to demonstrate how to find the Exception Record address in the stack, and how many times it appears within the call stack. Interestingly, but not surprisingly, the exception code wasn't passed to any of the exception handlers in the call stack. The blue highlighting is the address of the exception record, and the green highlighting is the address of the trap frame, which contains the last saved context. The !exchain extension shows all the exception handlers in the call stack. The _CONTEXT data structure shows us the registers saved in the trap frame. Please note I've trimmed this data structure to the main registers.
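The search the post performs by hand (scanning the stack for the exception record) can be done programmatically. The following is an added example and not code from the original post: it scans a stack image for EXCEPTION_RECORD-shaped data carrying the Stop 0x1E exception code, and filters out bare copies of the code (the code is also pushed as an argument to the dispatch routines, so a raw match on the value alone gives false positives). The stack contents, the faulting address and the record offsets are all constructed for the demo.

```c
// Added example, not from the original post: locate EXCEPTION_RECORDs in a
// stack image by exception code, with sanity checks on the other fields.
// All stack contents and addresses below are constructed.
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EXCEPTION_MAXIMUM_PARAMETERS 15
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* Same field order as the Win32 EXCEPTION_RECORD; pointer-sized fields are
   uintptr_t so the layout matches whichever host this is compiled on. */
typedef struct {
    uint32_t  ExceptionCode;
    uint32_t  ExceptionFlags;
    uintptr_t ExceptionRecord;      /* nested record, normally 0 */
    uintptr_t ExceptionAddress;     /* faulting instruction */
    uint32_t  NumberParameters;
    uintptr_t ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXC_RECORD;

/* Scan a stack image for records carrying `code`. The code alone is not
   enough evidence, so the flags must be a small bitmask and the parameter
   count must be within the 15-entry maximum. Returns the number of plausible
   records; offsets of up to `max` of them are written to hits[]. */
size_t find_exception_records(const uint8_t *stack, size_t len, uint32_t code,
                              size_t *hits, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + sizeof(EXC_RECORD) <= len; off += sizeof(uintptr_t)) {
        EXC_RECORD r;
        memcpy(&r, stack + off, sizeof r);       /* no unaligned loads */
        if (r.ExceptionCode != code) continue;
        if (r.ExceptionFlags > 0xFF) continue;
        if (r.NumberParameters > EXCEPTION_MAXIMUM_PARAMETERS) continue;
        if (n < max) hits[n] = off;
        n++;
    }
    return n;
}

/* Constructed 1 KiB stack image: a bare copy of the code at 0x20 (a pushed
   argument followed by an unrelated value), and the same access-violation
   record at 0x100 and again at 0x300, as happens when the record is copied
   while the exception is dispatched. */
#define DEMO_STACK_LEN 0x400
void build_demo_stack(uint8_t *stack)
{
    EXC_RECORD r;
    memset(stack, 0, DEMO_STACK_LEN);
    memset(&r, 0, sizeof r);
    r.ExceptionCode = STATUS_ACCESS_VIOLATION;
    r.ExceptionAddress = 0x80412ABCu;          /* hypothetical faulting EIP */
    r.NumberParameters = 2;
    r.ExceptionInformation[0] = 1;             /* write access */
    r.ExceptionInformation[1] = 0x10;          /* near-NULL target address */
    memcpy(stack + 0x100, &r, sizeof r);
    memcpy(stack + 0x300, &r, sizeof r);

    uint32_t code = STATUS_ACCESS_VIOLATION, junk = 0x12345678u;
    memcpy(stack + 0x20, &code, sizeof code);  /* decoy: code without a record */
    memcpy(stack + 0x24, &junk, sizeof junk);
}

size_t demo_record_count(void)
{
    uint8_t stack[DEMO_STACK_LEN];
    build_demo_stack(stack);
    return find_exception_records(stack, DEMO_STACK_LEN, STATUS_ACCESS_VIOLATION, NULL, 0);
}

/* Offset of the k-th plausible record, or (size_t)-1 if there is none. */
size_t demo_record_offset(size_t k)
{
    uint8_t stack[DEMO_STACK_LEN];
    size_t hits[8];
    build_demo_stack(stack);
    size_t n = find_exception_records(stack, DEMO_STACK_LEN, STATUS_ACCESS_VIOLATION, hits, 8);
    return (k < n && k < 8) ? hits[k] : (size_t)-1;
}

int main(void)
{
    size_t n = demo_record_count();
    printf("%zu plausible EXCEPTION_RECORDs\n", n);
    for (size_t k = 0; k < n; k++)
        printf("  record at stack+%#zx\n", demo_record_offset(k));
    return 0;
}
```

The decoy at 0x20 matches the code but fails the flags check, which is why a plain `s -d` search for the code value needs the surrounding dwords inspected before the address is trusted as a record.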

Internals of Direct Memory Access Part 1

Introduction
I've briefly explained Direct Memory Access before, and then applied it specifically to Windows and graphics cards; this blog post will instead look at the general mechanics of Direct Memory Access and how it works. Direct Memory Access (DMA) enables a device to transfer data directly between its own memory or bus and RAM without interrupting the CPU or using the CPU to carry out the transfer. Traditionally, without DMA, the CPU would use PIO (Programmed I/O) and be fully occupied for the duration of the read or write transfer. DMA removes this burden and lets the CPU complete other tasks, although the CPU still has to initiate the transfer, and will receive an interrupt to signal that the DMA transfer has completed. Typically, there are two types of DMA implementations: ISA and PCI. These two implementations work differently from each other, with PCI using the concept of Bus Mastering ...

Debugging Stop 0xA5 - ACPI_BIOS_ERROR

To begin, this is the first time I've personally seen this bugcheck; however, Patrick (@bsodanalysis) has been noticing this bugcheck occur on the HP Envy 700-074 model with Windows 8/Windows 8.1. The best resource you could use with this bugcheck is to download yourself a copy of the ACPI Specification and read through the relevant parts of the documentation. Operating Regions should be located on page 33, but I will explain those in this blog post anyhow. The most important part is the first parameter, which indicates the exact problem which has occurred; this is mostly caused by poor ASL (ACPI Source Language) code used by the vendor, which is then compiled into bytecode called AML (ACPI Machine Language). Since the fault lies in the firmware, the only method to fix this problem is to search for a later version of the BIOS. We can gather some BIOS information using the !sysinfo machineid and !sysinfo smbios extensions. This information can be used to tell the vendor which BIOS version this problem is happening wi...

Shadow SSDT Hooking with Windbg

The Shadow System Service Dispatch Table can be hooked much like the IDT and the SSDT. The SSDT serves the Windows kernel, and the Shadow SSDT serves the Windows subsystem (win32k.sys). The SSDT and the Shadow SSDT both use the SST (System Service Table) data structure, which is part of another data structure called the SDT (Service Descriptor Table). The System Service Table takes the following format as a data structure: The SSDT, as said before, is an array of function pointers to important system service routines. This is true for the Shadow SSDT too. We can view these two tables in WinDbg using the dps command and the name of the associated table. Here's the Service Table used by the System Service Dispatch Table; this is the array of function pointers to kernel routines. Again, we can check the Shadow System Service Dispatch Table and gather similar information. You can see the routines are all related to the Graphics Device Interface (GDI). The Argument Table is the...
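The SST layout and the hook check it invites can be shown in user-mode C. The following is an added example, not code from the original post: it models the four-field System Service Table descriptor (service table, counter table, service count, argument table), then applies the check a rootkit detector performs on what `dps` prints: every entry of the Shadow SSDT should resolve inside win32k's image range, and every entry of the SSDT inside ntoskrnl's. The image ranges, routine addresses and table contents are constructed, and the model uses 32-bit style absolute pointers; on x64 the real table stores 32-bit offsets from the table base instead, which this example does not reproduce.

```c
// Added example, not from the original post: a model of the System Service
// Table (SST) descriptor shared by the SSDT and the Shadow SSDT, plus the
// out-of-image check used to spot hooked entries. Addresses, image ranges and
// table contents are constructed for the demo.
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Field order of the SST descriptor as the kernel symbols expose it:
   KiServiceTable / KiServiceCounterTable / KiServiceLimit / KiArgumentTable. */
typedef struct {
    uintptr_t *ServiceTableBase;        /* array of service routine addresses */
    uint32_t  *ServiceCounterTableBase; /* per-service call counters, often NULL */
    uint32_t   NumberOfServices;
    uint8_t   *ParamTableBase;          /* Argument Table: stack bytes per service */
} SYSTEM_SERVICE_TABLE;

typedef struct { const char *name; uintptr_t start, end; } IMAGE_RANGE;

/* Every pointer in the table should resolve inside the image that owns it
   (ntoskrnl for the SSDT, win32k for the Shadow SSDT). Returns how many do
   not, writing up to `max` of their indices to hooked[]. */
size_t find_hooked_services(const SYSTEM_SERVICE_TABLE *sst, const IMAGE_RANGE *owner,
                            uint32_t *hooked, size_t max)
{
    size_t n = 0;
    for (uint32_t i = 0; i < sst->NumberOfServices; i++) {
        uintptr_t target = sst->ServiceTableBase[i];
        if (target < owner->start || target >= owner->end) {
            if (n < max) hooked[n] = i;
            n++;
        }
    }
    return n;
}

/* Index of the first flagged entry, or UINT32_MAX when the table is clean. */
uint32_t first_hooked_service(const SYSTEM_SERVICE_TABLE *sst, const IMAGE_RANGE *owner)
{
    uint32_t idx;
    return find_hooked_services(sst, owner, &idx, 1) ? idx : UINT32_MAX;
}

/* The Argument Table stores the number of argument bytes the dispatcher
   copies from the user stack; on a 32-bit stack that is 4 bytes per argument. */
unsigned service_arg_count(const SYSTEM_SERVICE_TABLE *sst, uint32_t index)
{
    return index < sst->NumberOfServices ? sst->ParamTableBase[index] / 4u : 0;
}

/* Constructed Shadow SSDT: four GDI-style entries for win32k.sys, the third
   redirected into a hypothetical driver mapped outside win32k's image. */
static uintptr_t demo_services[4] = { 0xBF80A100u, 0xBF80B240u, 0x8A0012F0u, 0xBF81C000u };
static uint8_t   demo_args[4]     = { 4, 8, 12, 4 };
static const SYSTEM_SERVICE_TABLE demo_table = { demo_services, NULL, 4, demo_args };
static const IMAGE_RANGE demo_win32k = { "win32k.sys", 0xBF800000u, 0xBFA00000u };

const SYSTEM_SERVICE_TABLE *demo_shadow_sst(void) { return &demo_table; }
const IMAGE_RANGE *demo_owner(void) { return &demo_win32k; }

int main(void)
{
    uint32_t hooked[4];
    size_t n = find_hooked_services(demo_shadow_sst(), demo_owner(), hooked, 4);
    for (size_t i = 0; i < n; i++)
        printf("service %u -> %#lx is outside %s (%u args)\n", hooked[i],
               (unsigned long)demo_shadow_sst()->ServiceTableBase[hooked[i]],
               demo_owner()->name, service_arg_count(demo_shadow_sst(), hooked[i]));
    printf("%zu hooked entries\n", n);
    return 0;
}
```

The check is deliberately simple: an entry pointing outside the owning image is the classic SSDT hook signature. It does not catch inline hooks inside the legitimate routine, which a detector has to find by comparing the routine's first bytes against the on-disk image.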

Debugging Heaps and Heap Internals Part 2

Heap Segments
Heap Segments refer to the Heap Segment of a program: much like a program has a Code Segment and a Data Segment, there is a Heap Segment which holds the heap. Our heap blocks live within this heap segment. Each heap segment belongs to a particular running process. We can use the !heap -stat extension in WinDbg to gather more information about each segment. The !heap -m extension will show us information about all the segment entries within the heap.
Debugging the Heap
We can use the !address -summary extension to gather a summary of what is consuming the address space of the process, and then check for any heap exhaustion. Busy refers to the number of allocated heap blocks; let's examine further with the !heap -s extension, whilst omitting the address of the heap. This will give us general information about all the heaps within the process address space. Note that the heap example I have been using is the default process heap. Using the s command with some para...
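The block chain that !heap -m lists and the Busy/Free counts that !heap -s reports come from the 8-byte header in front of every block. The following is an added example, not code from the original post: it walks a constructed segment using the 32-bit _HEAP_ENTRY layout, tallies busy and free blocks, and cross-checks each header's PreviousSize against the block before it, which is how an overrun that clobbered the next header shows up. The segment contents are constructed, and the headers are held decoded: Vista and later XOR each header with the heap's Encoding field, which this model assumes has already been undone (as !heap displays it).

```c
// Added example, not from the original post: walk a heap segment's block
// chain by hand and cross-check the headers. The segment is constructed, and
// the _HEAP_ENTRY layout modelled is the 32-bit one with 8-byte granularity.
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEAP_GRANULARITY      8u    /* x86 block unit; x64 uses 16 */
#define HEAP_ENTRY_BUSY       0x01
#define HEAP_ENTRY_LAST_ENTRY 0x10

/* 8-byte block header preceding every heap block in the segment. */
typedef struct {
    uint16_t Size;          /* block size incl. header, in granularity units */
    uint8_t  Flags;
    uint8_t  SmallTagIndex;
    uint16_t PreviousSize;  /* Size of the preceding block, same units */
    uint8_t  SegmentOffset;
    uint8_t  UnusedBytes;   /* slack between requested and granted size */
} HEAP_ENTRY;
typedef char heap_entry_is_one_unit[sizeof(HEAP_ENTRY) == 8 ? 1 : -1];

typedef struct {
    unsigned busy, free_;     /* the Busy / Free columns of !heap -s */
    size_t   busy_bytes;
    int      corrupt_index;   /* first inconsistent header, -1 if none */
} SEGMENT_STATS;

/* Step through the segment using Size, and verify each header's PreviousSize
   against the previous block; stop at the first inconsistency. */
SEGMENT_STATS walk_segment(const uint8_t *seg, size_t len)
{
    SEGMENT_STATS st = { 0, 0, 0, -1 };
    size_t off = 0;
    uint16_t prev = 0;
    int idx = 0;
    while (off + sizeof(HEAP_ENTRY) <= len) {
        HEAP_ENTRY e;
        memcpy(&e, seg + off, sizeof e);
        size_t bytes = (size_t)e.Size * HEAP_GRANULARITY;
        if (e.Size == 0 || e.PreviousSize != prev || off + bytes > len) {
            st.corrupt_index = idx;
            break;
        }
        if (e.Flags & HEAP_ENTRY_BUSY) { st.busy++; st.busy_bytes += bytes; }
        else st.free_++;
        if (e.Flags & HEAP_ENTRY_LAST_ENTRY) break;
        prev = e.Size;
        off += bytes;
        idx++;
    }
    return st;
}

static void put_entry(uint8_t *seg, size_t off, uint16_t size, uint8_t flags, uint16_t prev)
{
    HEAP_ENTRY e = { size, flags, 0, prev, 0, 0 };
    memcpy(seg + off, &e, sizeof e);
}

/* Constructed segment: busy 32 B, free 48 B, busy 24 B, free 16 B (last entry).
   With `overrun` set, a write past the end of the free block has trashed the
   third header so its PreviousSize no longer matches. */
#define DEMO_SEG_LEN 120
void build_demo_segment(uint8_t *seg, int overrun)
{
    memset(seg, 0, DEMO_SEG_LEN);
    put_entry(seg, 0,   4, HEAP_ENTRY_BUSY, 0);
    put_entry(seg, 32,  6, 0,               4);
    put_entry(seg, 80,  3, HEAP_ENTRY_BUSY, overrun ? 0x41 : 6);
    put_entry(seg, 104, 2, HEAP_ENTRY_LAST_ENTRY, 3);
}

SEGMENT_STATS demo_stats(int overrun)
{
    uint8_t seg[DEMO_SEG_LEN];
    build_demo_segment(seg, overrun);
    return walk_segment(seg, DEMO_SEG_LEN);
}

int main(void)
{
    for (int overrun = 0; overrun < 2; overrun++) {
        SEGMENT_STATS s = demo_stats(overrun);
        printf("%s: busy=%u free=%u busy_bytes=%zu corrupt_index=%d\n",
               overrun ? "overrun" : "clean", s.busy, s.free_, s.busy_bytes, s.corrupt_index);
    }
    return 0;
}
```

On the clean segment the walk reports two busy and two free blocks; on the overrun segment it stops at the third header, which is the same place !heap -v would report a bad PreviousSize.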

Debugging Heaps and Heap Internals Part 1

Personally, I didn't really know where to start this blog post at first, but I think it's best to first define the heap and its purpose. The heap is managed by the Memory Manager and the Heap Manager (for user-mode processes). Generally speaking, the heap is an area of free memory which processes can use for allocations of data objects, variables and so on. The heap is not to be confused with the heap data structure, even though there are data structures we can view to explore the heap. In case you didn't know, we have already discussed the kernel-mode version of the heap at length in my previous posts: Paged Pool and Non-Paged Pool are forms of kernel-mode heaps. I will not continue the discussion about kernel-mode heaps, and will instead discuss the user-mode versions of the heap. If you're a programmer or study computer science, then this topic should be easy for you to understand. This is a good point to say that this is one of the reasons...