flat assembler
Message board for the users of flat assembler.
zhak 27 Dec 2006, 08:59
AFAIK, BSOD is called with KeBugCheckEx function. you may check MSDN library for error codes or... disassemble it to see how it really works
kohlrak 27 Dec 2006, 09:03
Are you saying that I could manually call the BSOD?
EDIT: cute... I'm assuming kernel32.dll... I'm not testing it to find out, don't feel like crashing my comp with all these windows open. lol
Last edited by kohlrak on 27 Dec 2006, 09:11; edited 1 time in total
zhak 27 Dec 2006, 09:11
I didn't try, but I think it's possible... at least from ring0
kohlrak 27 Dec 2006, 09:29
zhak 27 Dec 2006, 09:48
you interested me
kohlrak 27 Dec 2006, 09:50
I hear that a lot. I've never had to reinstall Windows after a bluescreen. I wonder what causes some people to have to.
ACP 27 Dec 2006, 23:08
One way to always trigger a BSOD is to hook SYSENTER and uninstall the driver without restoring the IA32_SYSENTER_EIP register (machine specific register 176h) - you can do the same with INT 2Eh on older architectures.
Another simple method is to trigger a page fault at a certain IRQL. A device driver is also allowed to explicitly call the KeBugCheckEx function, which tries to bring the system down in a controlled way. Inside, KeBugCheckEx is really a wrapper (including hotpatching prolog on XP SP2/Windows 2003) to KeBugCheck2, which does all the inner workings.
kohlrak 30 Dec 2006, 22:26
So, essentially I can go ahead and crash the computer by calling the bug check.
ACP 31 Dec 2006, 15:51
kohlrak wrote:
So, essentially I can go ahead and crash the computer by calling the bug check.

Yes, if you are looking for a controlled way, which should be safe for the system.
comrade 31 Dec 2006, 17:28
maybe you are misunderstanding the goal of BugCheck...
NT BugCheck is called a kernel panic in UNIX. It is called by the OS, purposely, when it knows something is wrong and it is afraid to go on. For example, file system driver code may call a bugcheck when it detects that certain data structures are not consistent. Rather than trying to fix the problem with the chance of something going even more wrong and destroying the user's data, it instead calls a KeBugCheck (making the kernel panic) to display a blue screen, telling the user there was an error.

Quote:
Yes if you look for controlled way which should be safe for the system

Not always - a bugcheck may cause certain data not to be flushed to disk, leaving the file system in an inconsistent state. I had that once after a BSOD - my system would not boot at all. Fortunately, all I had to do was run chkdsk from the recovery console to fix the problem.
ACP 31 Dec 2006, 17:33
comrade wrote:
maybe you are misunderstanding the goal of BugCheck...

This is why I used "should" in my post.
kohlrak 01 Jan 2007, 18:44
KeBugCheck is a callable function, but I can't find the DLL it's in, since it's not in kernel32. I did some research, all I got was C++ header files...
f0dder 01 Jan 2007, 23:46
ACP 02 Jan 2007, 00:01
kohlrak wrote:
KeBugCheck is a callable function, but I can't find the DLL it's in, since it's not in kernel32. I did some research, all I got was C++ header files...

Take a look here: http://msdn2.microsoft.com/en-us/library/ms801645.aspx
You have to call it from ring 0.
kohlrak 02 Jan 2007, 02:39
I don't see anything about "ring 0" in there, but what is ring 0? (and that is a lovely screensaver. lol)
LocoDelAssembly 02 Jan 2007, 02:47
Drivers run at that privilege level. About ring levels: http://en.wikipedia.org/wiki/Protected_mode#Privilege_levels
NTOSKRNL.EXE exports KeBugCheck and KeBugCheckEx.
kohlrak 02 Jan 2007, 04:13
Without editing privilege levels, I tried pulling something from that exe before, and the program itself crashed saying that I didn't initialize properly. So, essentially, all I do is set the level high or low enough then I can call it? Note: reply posted before actually reading the wiki. Reading wiki now.
ACP 02 Jan 2007, 09:01
kohlrak 02 Jan 2007, 11:35
Thank you, looks like I got more to read. lol
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.