flat assembler
Message board for the users of flat assembler.
Zw functions reentrant?
LocoDelAssembly 14 Oct 2008, 04:00
Quote:
Well, ZwOpenFile seems to work at IRQL==PASSIVE_LEVEL so yes, it is possible. About IRQL 0, according to http://www.ext2fsd.com/documents/irql.htm, that is precisely PASSIVE_LEVEL, so again functions working only at that level are expecting to be preempted. It is important to note that if it requires IRQL strictly equal to PASSIVE_LEVEL then that means that you can execute it on that level or else unexpected behavior can occur (like very "pleasant" BSODs). Others, like KeAcquireSpinLock, are allowed to be called at IRQL<=DISPATCH_LEVEL. This DISPATCH_LEVEL prevents other threads from being scheduled on the running core, but I think there are still chances of concurrency in kernel mode on multi-core systems and perhaps even by hardware interrupt handlers. Please, refresh my mind by reading the link I gave you above.
bcdsys 15 Oct 2008, 03:27
Does this mean that when I use global variables in my SSDT hook, I need to raise IRQL? I have linked list code in my SSDT hook, but it's crashing (I already got a simple SSDT hook to work; it's the linked list code causing problems, verified in the debugger). Should I raise IRQL while in the SSDT hook for my linked list code (I know I have to restore IRQL when calling the original function, else a crash could occur because the function expects IRQL 0)?
bcdsys 15 Oct 2008, 03:32
Also, KeRaiseIrql is not working in the driver: I tried to import KeRaiseIrql from ntoskrnl.exe, but on load an error dialog pops up, "KeRaiseIrql cannot be found in driver ntoskrnl.exe", under win2k (not tested on other Windows).
LocoDelAssembly 15 Oct 2008, 04:54
Is SSDT the System Service Dispatch Table? I suppose that some system calls (and in fact all of them?) run at IRQL=PASSIVE_LEVEL, so raising the IRQL could not be a very good idea if the data you are planning to handle is allocated from the paged pool. You must use other means for synchronizing the access to data structures. Check http://msdn.microsoft.com/en-us/library/ms810047.aspx. Try to not use those mechanisms that raise the IRQL, and remember to check at which IRQL your hook runs, because you should not lower it either.
Quote: also, KeRaiseIrql not working in driver, tried import KeRaiseIrql from ntoskrnl.exe but on load error dialog pops up "KeRaiseIrql cannot be found in driver ntoskrnl.exe" under win2k (not tested other windows)
It is exported by HAL.DLL, but as I've said before, this probably is not your best choice (unless you love random IRQL_NOT_LESS_OR_EQUAL BSODs and others).
HyperVista 15 Oct 2008, 17:45
bcdsys wrote: "KeRaiseIrql cannot be found in driver ntoskrnl.exe"
Make sure you have #include "ntddk.h" in your source. And also be sure to call KeLowerIrql() to help avoid those BSODs LocoDelAssembly rightly mentions.
Copyright © 1999-2024, Tomasz Grysztar.