Reading Notebook: 06-August-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
saved IRQL before break-in: !irql (p. 95) - not available prior to W2K3
0: kd> !irql
nt!_KPRCB.DebuggerSavedIRQL not found, error : 0x4.
Saved IRQL not available prior to Windows Server 2003
passive IRQL for user-mode code (p. 96) - I can imagine that user-space code can be at a higher IRQL when a function pointer is used to call a function from user space, but that would still be kernel mode (note the distinction between mode and space here)
inter-processor interrupt (IPI) (p. 96)
kernrate uses profile IRQL level of real-time clock to record RIP (p. 97) - never used before, give it a try later
CMCI (correctible machine check interrupt) (p. 97)
explanation for IRQL_NOT_LESS_OR_EQUAL (pp. 100 - 101) - a few years ago I was pondering about this and created a UML sequence diagram to convince myself: http://www.dumpanalysis.org/blog/index.php/2007/03/06/bugchecks-depicted-irql_not_less_or_equal/
KiInterruptTemplate (p. 101) - it seems to save the current thread state. On x64 W2K8 we get this disassembled code:
1: kd> u KiInterruptTemplate
nt!KiInterruptTemplate:
fffff800`01869270 push rax
fffff800`01869271 push rbp
fffff800`01869272 lea rbp,[nt!KiInterruptDispatchNoEOI+0x250 (fffff800`018691e0)]
fffff800`01869279 jmp qword ptr [rbp+50h]
fffff800`0186927c int 3
fffff800`0186927d int 3
fffff800`0186927e int 3
fffff800`0186927f int 3
Then we disassemble the address fffff800`018691e0 (I put only the beginning here):
1: kd> uf fffff800`018691e0
nt!KiInterruptDispatchNoEOI:
fffff800`01868f90 push rsi
fffff800`01868f91 sub rsp,150h
fffff800`01868f98 mov rsi,rbp
fffff800`01868f9b lea rbp,[rsp+80h]
fffff800`01868fa3 mov byte ptr [rbp-55h],0
fffff800`01868fa7 mov qword ptr [rbp-50h],rax
fffff800`01868fab mov qword ptr [rbp-48h],rcx
fffff800`01868faf mov qword ptr [rbp-40h],rdx
fffff800`01868fb3 mov qword ptr [rbp-38h],r8
fffff800`01868fb7 mov qword ptr [rbp-30h],r9
fffff800`01868fbb mov qword ptr [rbp-28h],r10
fffff800`01868fbf mov qword ptr [rbp-20h],r11
fffff800`01868fc3 test byte ptr [rbp+0F0h],1
fffff800`01868fca je nt!KiInterruptDispatchNoEOI+0x5d (fffff800`01868fed)
DispatchCode UINT4B array (p. 104) - these are bytes from KiDispatchInterrupt; for example, 0x56535554 from p. 103 is just the first 4 bytes in reverse order from an x86 (32-bit) system (WINXP):
nt!KiInterruptTemplate:
80545711 54 push esp
80545712 55 push ebp
80545713 53 push ebx
80545714 56 push esi
80545715 57 push edi
80545716 83ec54 sub esp,54h
80545719 8bec mov ebp,esp
8054571b 89442444 mov dword ptr [esp+44h],eax
8054571f 894c2440 mov dword ptr [esp+40h],ecx
80545723 8954243c mov dword ptr [esp+3Ch],edx
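The DispatchCode packing above, as an added example that is not code from the book or from this post: a small Python script that rebuilds the UINT4B array from the WinXP template bytes in the listing, unpacks it back into bytes, and decodes the few x86 opcodes the template uses, so the 0x56535554 value can be checked by hand. The byte string is constructed from the listing; padding the tail with 0xCC (int 3) to a dword boundary is my assumption, not something the page states.

```python
"""Round-trip KINTERRUPT.DispatchCode dwords <-> KiInterruptTemplate bytes and
decode the handful of x86 (32-bit) instructions the WinXP template uses."""
import struct

# Constructed from the WinXP listing above (addresses 80545711..80545726):
# push esp/ebp/ebx/esi/edi, sub esp,54h, mov ebp,esp, three mov [esp+disp8],reg
TEMPLATE_BYTES = bytes.fromhex(
    "54 55 53 56 57"      # push esp; push ebp; push ebx; push esi; push edi
    "83 ec 54"            # sub esp,54h
    "8b ec"               # mov ebp,esp
    "89 44 24 44"         # mov dword ptr [esp+44h],eax
    "89 4c 24 40"         # mov dword ptr [esp+40h],ecx
    "89 54 24 3c"         # mov dword ptr [esp+3Ch],edx
)

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # 0x83 /digit


def pack_dispatch_code(code, pad=0xCC):
    """Pack raw template bytes into little-endian UINT4B values, as the
    DispatchCode array stores them. Assumption: tail padded with int 3 (0xCC)."""
    padded = code + bytes([pad]) * (-len(code) % 4)
    return list(struct.unpack(f"<{len(padded) // 4}I", padded))


def unpack_dispatch_code(dwords):
    """Inverse of pack_dispatch_code: dwords back to the original byte order."""
    return struct.pack(f"<{len(dwords)}I", *dwords)


def _modrm_operand(code, i):
    """Decode ModRM (plus SIB/disp8 where present) at code[i].
    Only the two forms the template uses are supported: register-direct
    (mod=11) and [esp+disp8] (mod=01, rm=100 with an esp-base SIB)."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    i += 1
    if mod == 3:
        return reg, REGS[rm], i
    if mod == 1 and rm == 4:
        sib = code[i]
        i += 1
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
        if index != 4 or scale != 0:  # index=100 means "no index register"
            raise ValueError(f"unsupported SIB {sib:02x}")
        disp = code[i]
        i += 1
        return reg, f"dword ptr [{REGS[base]}+{disp:X}h]", i
    raise ValueError(f"unsupported ModRM {modrm:02x} at offset {i - 1}")


def disassemble(code):
    """Minimal decoder for the opcodes seen in KiInterruptTemplate on x86.
    Output strings follow WinDbg's formatting so they can be compared directly."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if 0x50 <= op <= 0x57:                 # push r32
            out.append(f"push {REGS[op - 0x50]}")
            i += 1
        elif op == 0xCC:                       # int 3 (padding)
            out.append("int 3")
            i += 1
        elif op == 0x83:                       # group 1: <op> r/m32, imm8
            digit, rm, i = _modrm_operand(code, i + 1)
            imm = code[i]
            i += 1
            out.append(f"{GROUP1[digit]} {rm},{imm:X}h")
        elif op == 0x89:                       # mov r/m32, r32
            reg, rm, i = _modrm_operand(code, i + 1)
            out.append(f"mov {rm},{REGS[reg]}")
        elif op == 0x8B:                       # mov r32, r/m32
            reg, rm, i = _modrm_operand(code, i + 1)
            out.append(f"mov {REGS[reg]},{rm}")
        else:
            raise ValueError(f"unsupported opcode {op:02x} at offset {i}")
    return out


if __name__ == "__main__":
    dwords = pack_dispatch_code(TEMPLATE_BYTES)
    print("DispatchCode:", " ".join(f"0x{d:08x}" for d in dwords))  # first is 0x56535554
    for line in disassemble(unpack_dispatch_code(dwords)):
        print(line)
```

The first dword printed is 0x56535554, i.e. the bytes 54 55 53 56 read back to front, which is exactly what a `dt nt!_KINTERRUPT` display of the array shows; the rest of the decode reproduces the WinDbg listing line for line.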
Windows as a task - IntervalZero (p. 105)
- Dmitry Vostokov @ SoftwareGeneralist.com -