Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-20-2004, 07:04
ajron ajron is offline
Family
 
Join Date: Jan 2002
Location: Poland
Posts: 40
Rept. Given: 0
Rept. Rcvd 33 Times in 7 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
ajron Reputation: 33
VxD and PageNotPresent

I'm writting VxD which dumps a memory. Maybe it's no problem to do it but I have one ;(.

Initially i call mem_dump() function while processing DEBUG_QUERY, but I read somewhere that it's not a good idea to process code which may cause page fault from DEBUG_QUERY. Next I call mem_dump() from W32_DEVICEIOCONTROL [DIOC_OPEN] (maybe it's not a good idea too - I don't know) but it's not solve my problem.

When I read some not present memory (not all) the system crashes. AFAIK the system process page fault to load not present page in this situation. And it's true but not at all in my case. When I test dumping memory, the system crashes in concrete pages in context. Different in different processes, but always at not present one. When I pass over this few non present pages (with other non present it's no problem) everything goes ok. Maybe someone know what is wrong.

Below is mem_dump() code. R0File is wrapper class for R0_XXXFile services.

void mem_dump()
{
char txt[256];
char fileNm[]="c:\\file.tmp";

Trace_Out("Prepare to die ;-)");

R0File file;

file.SetInContext();

if(file.Create(fileNm,OPEN_ACCESS_READWRITE|OPEN_SHARE_DENYREADWRITE|OPEN_FLAGS_COMMIT))
{
Trace_Out("[*] Memory dumping ...");

DWORD page = PAGE(0x00400000);

while((page << PAGESHIFT) < 0x80000000)
{
if(IsPageCommitted(page))
{
_Sprintf(txt,"--> Dumping committed page %x\n",page);
Out_Debug_String(txt);

file.Write((PBYTE)(page << PAGESHIFT),PAGESIZE);
}

page++;
}

file.Close();

Trace_Out("[*] Memory dumped!");
}
else
{
Trace_Out("[*] Create file failed");
}
}
Reply With Quote
  #2  
Old 05-20-2004, 13:54
peleon peleon is offline
Friend
 
Join Date: Sep 2003
Posts: 174
Rept. Given: 0
Rept. Rcvd 7 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 7 Times in 7 Posts
peleon Reputation: 7
Hi,

When I was a little boy, I played with VxD. I remember that I coulndn't access to non present pages from certain parts in Ring-0. Example, when processing interrupt requests.

I guess that your problem might be in accesing those pages from a DEBUG_QUERY event, that as you well have read, it can cause page faults. (dunno about W32_DEVICEIOCONTROL)

It could be a similar mechanism like KMD with PassiveLevel, DispatchLevel....though VxD architecture is quite different from the NT one.

Could you first lock the pages with function like "PageLock", "LinPageLock" and friends?

Hope I'm right, hope it helps

Last edited by peleon; 05-20-2004 at 14:04.
Reply With Quote
  #3  
Old 05-20-2004, 16:55
ajron ajron is offline
Family
 
Join Date: Jan 2002
Location: Poland
Posts: 40
Rept. Given: 0
Rept. Rcvd 33 Times in 7 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
ajron Reputation: 33
Quote:
Originally Posted by peleon
I remember that I coulndn't access to non present pages from certain parts in Ring-0. Example, when processing interrupt requests.
I know that processing interrupts is the most restricted area .

Quote:
I guess that your problem might be in accesing those pages from a DEBUG_QUERY event, that as you well have read, it can cause page faults.
So I move code to other place, but with no positive result ;(.

Quote:
Could you first lock the pages with function like "PageLock", "LinPageLock" and friends?
I'll try with LinPageLock(), maybe it helps . Thanks.
Reply With Quote
  #4  
Old 05-20-2004, 17:53
ajron ajron is offline
Family
 
Join Date: Jan 2002
Location: Poland
Posts: 40
Rept. Given: 0
Rept. Rcvd 33 Times in 7 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
ajron Reputation: 33
Yeah, LinPageLock() solves problem . Thanks again.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 17:54.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )