flat assembler
Message board for the users of flat assembler.

Blue Screen of Death
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 27 Dec 2006, 06:55
This is a really odd request. I'd like to know how the "Blue Screen of Death" is triggered. I know there are a lot of ways, but does anyone know of a complete list?
zhak
Joined: 12 Apr 2005
Posts: 501
Location: Belarus
zhak 27 Dec 2006, 08:59
AFAIK, BSOD is called with the KeBugCheckEx function. You may check the MSDN library for error codes or... disassemble it to see how it really works :)
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 27 Dec 2006, 09:03
Are you saying that I could manually call the BSOD?

EDIT: cute... I'm assuming kernel32.dll... I'm not testing it to find out, don't feel like crashing my comp with all these windows open. lol
zhak
Joined: 12 Apr 2005
Posts: 501
Location: Belarus
zhak 27 Dec 2006, 09:11
I didn't try, but I think it's possible... at least from ring0
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 27 Dec 2006, 09:29
zhak
Joined: 12 Apr 2005
Posts: 501
Location: Belarus
zhak 27 Dec 2006, 09:48
You interested me :) I'll write a simple test driver in the evening... I don't wanna play with the system in the office. I already crashed my system some weeks ago, and our admin was busy reinstalling Windows and configuring it the whole day...
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 27 Dec 2006, 09:50
I hear that a lot. I've never had to reinstall Windows after a bluescreen. I wonder what causes some people to have to.
ACP
Joined: 23 Sep 2006
Posts: 204
ACP 27 Dec 2006, 23:08
One way to always trigger a BSOD is to hook SYSENTER and uninstall the driver without restoring the IA32_SYSENTER_EIP register (machine-specific register 176h) - you can do the same with INT 2Eh on older architectures.

Another simple method is to trigger a page fault at a certain IRQL. A device driver is also allowed to explicitly call the KeBugCheckEx function, which tries to bring the system down in a controlled way.

Inside, KeBugCheckEx is really a wrapper (including a hotpatching prolog on XP SP2/Windows 2003) to KeBugCheck2, which does all the inner workings.
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 30 Dec 2006, 22:26
So, essentially I can go ahead and crash the computer by calling the bug check.
ACP
Joined: 23 Sep 2006
Posts: 204
ACP 31 Dec 2006, 15:51
kohlrak wrote:
So, essentially I can go ahead and crash the computer by calling the bug check.

Yes, if you look for a controlled way, which should be safe for the system.
comrade
Joined: 16 Jun 2003
Posts: 1150
Location: Russian Federation
comrade 31 Dec 2006, 17:28
Maybe you are misunderstanding the goal of BugCheck...

NT BugCheck is called a kernel panic in UNIX. It is called by the OS, purposely, when it knows something is wrong and it is afraid to go on. For example, file system driver code may call a bugcheck when it detects that certain data structures are not consistent. Rather than trying to fix the problem with the chance of something even more going wrong and destroying the user's data, it instead calls KeBugCheck (making the kernel panic) to display a blue screen, telling the user there was an error.

Quote:
Yes, if you look for a controlled way, which should be safe for the system

Not always - a bugcheck may cause certain data not to be flushed to disk, leaving the file system in an inconsistent state. I had that once after a BSOD - my system would not boot at all. Fortunately, all I had to do was run chkdsk from the recovery console to fix the problem.
ACP
Joined: 23 Sep 2006
Posts: 204
ACP 31 Dec 2006, 17:33
comrade wrote:
Maybe you are misunderstanding the goal of BugCheck...

NT BugCheck is called a kernel panic in UNIX. It is called by the OS, purposely, when it knows something is wrong and it is afraid to go on. For example, file system driver code may call a bugcheck when it detects that certain data structures are not consistent. Rather than trying to fix the problem with the chance of something even more going wrong and destroying the user's data, it instead calls KeBugCheck (making the kernel panic) to display a blue screen, telling the user there was an error.

Quote:
Yes, if you look for a controlled way, which should be safe for the system

Not always - a bugcheck may cause certain data not to be flushed to disk, leaving the file system in an inconsistent state. I had that once after a BSOD - my system would not boot at all. Fortunately, all I had to do was run chkdsk from the recovery console to fix the problem.

This is why I used "should" in my post.
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 01 Jan 2007, 18:44
KeBugCheck is a callable function, but I can't find the DLL it's in, since it's not in kernel32. I did some research, all I got was C++ header files...
f0dder
Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 01 Jan 2007, 23:46
ACP
Joined: 23 Sep 2006
Posts: 204
ACP 02 Jan 2007, 00:01
kohlrak wrote:
KeBugCheck is a callable function, but I can't find the DLL it's in, since it's not in kernel32. I did some research, all I got was C++ header files...

Take a look here:

http://msdn2.microsoft.com/en-us/library/ms801645.aspx

You have to call it from ring 0.
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 02 Jan 2007, 02:39
I don't see anything about "ring 0" in there, but what is ring 0? (and that is a lovely screensaver. lol)
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 02 Jan 2007, 02:47
Drivers run at that privilege level. About ring levels: http://en.wikipedia.org/wiki/Protected_mode#Privilege_levels

NTOSKRNL.EXE exports KeBugCheck and KeBugCheckEx
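As an added example (not code from the thread or from the fasm project), a minimal x86 fasm driver skeleton that calls the KeBugCheckEx export of NTOSKRNL.EXE the way comrade describes: only as a fail-stop when the driver finds its own state corrupt, passing diagnostic values in the four parameters so the crash dump explains itself. It has to be built as a native image and loaded as a kernel service with administrator rights, which is why a user-mode program looking in kernel32 cannot reach it. Assumptions: fasm's win32a.inc macros, the DDK's x86 DRIVER_OBJECT layout for the DriverUnload offset, and constructed names and values (my_context, CheckContext, the custom bug-check code).

```fasm
; Added example: minimal x86 kernel-mode driver for fasm (not from the thread).
; Pattern: validate a private structure; on corruption, fail-stop via KeBugCheckEx
; with a custom code and diagnostic parameters instead of running on bad state.

format PE native 4.0          ; 'native' subsystem = kernel-mode driver image
entry DriverEntry

include 'win32a.inc'          ; fasm's proc/invoke/library/import macros

MY_CONTEXT_MAGIC            = 0x4B4F4843   ; constructed tag expected in my_context
BUGCHECK_MY_CONTEXT_CORRUPT = 0x20000001   ; custom code; bit 29 set keeps it out of Microsoft's range
DRIVER_OBJECT_DriverUnload  = 0x34         ; assumption: DriverUnload offset in the x86 DRIVER_OBJECT

section '.data' data readable writeable

my_context:                   ; constructed private state the driver guards
  .magic dd MY_CONTEXT_MAGIC
  .count dd 0

section '.text' code readable executable

; Consistency check. Does not return if my_context is corrupt: KeBugCheckEx halts
; the whole system (the NT kernel panic), the controlled failure comrade describes.
proc CheckContext
        mov     eax, [my_context.magic]
        cmp     eax, MY_CONTEXT_MAGIC
        je      .ok
        ; P1 = address of the structure, P2 = value found, P3 = value expected, P4 unused.
        ; These become the bug-check parameters shown on screen and saved in the minidump.
        invoke  KeBugCheckEx, BUGCHECK_MY_CONTEXT_CORRUPT, my_context, eax, MY_CONTEXT_MAGIC, 0
  .ok:
        ret
endp

proc DriverUnload DriverObject
        call    CheckContext               ; re-validate before the image goes away
        ret
endp

proc DriverEntry DriverObject, RegistryPath
        mov     eax, [DriverObject]
        mov     dword [eax + DRIVER_OBJECT_DriverUnload], DriverUnload
        call    CheckContext               ; passes here: the tag is intact at load time
        inc     dword [my_context.count]
        xor     eax, eax                   ; STATUS_SUCCESS
        ret
endp

section '.idata' import data readable writeable
  library ntoskrnl, 'ntoskrnl.exe'        ; the kernel exports KeBugCheckEx, not kernel32
  import  ntoskrnl, KeBugCheckEx, 'KeBugCheckEx'
```

Because the tag is intact at load time the check passes and nothing crashes; the bug check only fires if my_context.magic is overwritten, which is the situation the pattern is meant to catch.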
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 02 Jan 2007, 04:13
Without editing privilege levels, I tried pulling something from that exe before, and the program itself crashed saying that I didn't initialize properly. So, essentially, all I do is set the level high or low enough, then I can call it? Note: reply posted before actually reading the wiki. Reading the wiki now.
ACP
Joined: 23 Sep 2006
Posts: 204
ACP 02 Jan 2007, 09:01
I suggest this link - read it first:

http://www.microsoft.com/whdc/default.mspx
kohlrak
Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 02 Jan 2007, 11:35
Thank you, looks like I've got more to read. lol
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.