Norton’s quality of code in drivers

 

The life of every driver developer is complicated by the fact that the code you write has to be stable (read: bug-free) and compatible with any other third-party drivers. It is very important for any driver to be bug-free, as any error in the kernel leads (directly or indirectly) to a blue screen of death (BSOD).

To ease the life of kernel developers, Microsoft has implemented quite a few useful tools which help to locate driver errors and make the code better. Some of them run at runtime (Driver Verifier), some of them are static (PREfast) and some of them represent a complex system of tests (like DTM, for example). In this post I will concentrate on Driver Verifier, a tool which performs verification tests of a driver at runtime. Let me explain what Driver Verifier is, and why it is such a useful tool.

Please read the rest of the post at http://www.shcherbyna.com/?p=291

 

Posted by V. S.

Phishing on Saturday ...

It happens quite often to the average user on the Internet: receiving spam. Sometimes it advertises some junk, but sometimes it asks the user to run some executable which does some magic, for example, it allows sending SMS to any mobile operator for free :). As every human being is a little bit naive, this works: people do run executables coming from the Internet and thus get infected. Sometimes even the antivirus software is silent, which makes the user feel safe and run something...

Please read this post at http://www.shcherbyna.com/?p=243

Posted by V. S.

Buying computer in Switzerland

I was inspired to write this post after having tried several companies in Switzerland for computer stuff. The first things you notice in Switzerland are that:

1. The prices are usually higher than in the US or Canada (the difference is quite big)

2. There are only a few companies where you can assemble a machine from parts (I mean buying the parts separately and assembling the machine on your own)

3. Microsoft operating systems are everywhere, and usually you cannot get rid of XP or Vista

4. The staff does not speak English, or speaks it very badly :)

 

Please read the post http://www.shcherbyna.com/?p=124

Posted by V. S.

SMB traffic not captured in TDI filter driver

Recently I ran into a problem in one of my TDI filters when filtering SMB traffic. The filter driver was able to see outgoing TDI_CONNECT requests to ports 137 and 445, but during a heavy file upload no TDI_SEND requests were issued.

Please read the post http://www.shcherbyna.com/?p=121

Posted by V. S.

Undeletable bug in VS2008?

I have seen this bug for quite a long time, starting from VS2005. To illustrate the problem:

1. Go to the project properties and open some tab

2. Do not close the properties dialog window; simply change the focus by clicking in the code editor

[...]

Please read the post http://www.shcherbyna.com/?p=119

Posted by V. S.

A case of mysterious BSOD at tcpip!TcpIndicateData+22b

1. The causes

Recently I have been observing strange BSODs on my Vista machine quite regularly when dealing with network applications:

[...]

Please, read the rest of this post at http://www.shcherbyna.com/?p=117

 

Posted by V. S.

Third time to become MVP

Today I received some really great news: I am an MVP for the 3rd time!

This is my third “first of July” which brings me exciting news. This time I received the award in the DDK profile, which is something different from what I had before. My first nomination was in the SDK area (2005 - 2006), the second was also SDK (2006 - 2007), and the third is a DDK (2007 - 2008) area nomination. Well, … what can I tell … : thanks Microsoft :)

[...]

Please, read the rest of this post at http://www.shcherbyna.com/?p=112

Posted by V. S.

Mysterious ExUuidCreate function

I was inspired to write this post after being confused by the behaviour of the ExUuidCreate function in Windows Vista.

This function is used to generate GUIDs in kernel mode. According to the documentation: "ExUuidCreate returns STATUS_SUCCESS if successful; otherwise, if the system is not ready to generate a new UUID, it returns STATUS_RETRY." In practice, if you call this function, say, in a driver which is loaded by the boot loader (if the driver has a "Start" registry value equal to 0 because the SERVICE_BOOT_START flag was set when creating the service with CreateService), you can observe strange behaviour, especially in Vista.

[...]

Please, read the rest of this post at http://www.shcherbyna.com/?p=114

Posted by V. S.

A change for SoftIce

As SoftIce is officially dead, you might want to find a substitute for it. There is one product which aims to fully replace SoftIce – the Syser debugger, which offers a pretty similar user interface and “live” debugging of the kernel on a host machine:

[...]

Please, read the rest of this post at http://www.shcherbyna.com/?p=109

Posted by V. S. | 1 comment(s)

Moving to www.shcherbyna.com

I always wanted to have my own domain, hosting mail, a blog and probably some files important to me. However, I always felt the lack of time, and this direction was not a primary one for me. Until today.

As you probably have noticed, the server msmvps.com (which is hosting http://msmvps.com/blogs/v_scherbina/) was down for approximately one week. During these 7 days my brain reorganized some tasks, and I decided to make an independent blog which (theoretically) will be constantly up : ).

So let’s welcome the www.shcherbyna.com web site. I am going to move completely to this blog, but for some period of time I will be duplicating posts to “Ab origine” as well.

Posted by V. S. | 3 comment(s)

Windows Research Kernel

Have you ever thought about accessing the sources of the Microsoft Windows kernel? Now those thoughts might become reality. Quote taken from http://www.microsoft.com/resources/sharedsource/licensing/researchkernel.mspx :

The Windows Research Kernel (WRK) packages core Microsoft Windows XP x64/Server 2003 SP1 kernel source code with an environment for building and testing experimental versions of the Windows kernel for use in teaching and research. The WRK includes source for processes, threads, LPC, virtual memory, scheduler, object manager, I/O manager, synchronization, worker threads, kernel heap manager, and other core NTOS functionality.

The WRK is useful in design projects that allow your students to explore operating system (OS) principles using the Windows kernel sources. It enables advanced teaching and research by facilitating building experiments and projects based on modifying the Windows kernel, as well as by promoting better understanding of the Windows architecture and implementation.

Although one will need to sign documents and apply for a program, this is a good sign in general. A dark monster sheds light upon its internals.

Posted by V. S.

Microsoft has opened Singularity sources

Everyone is able to download sources at http://www.codeplex.com/singularity

Posted by V. S.

Bug in MSDN: TDI_EVENT_RECEIVE_DATAGRAM & its handler

If you ever wanted to handle the TDI_EVENT_RECEIVE_DATAGRAM (http://msdn2.microsoft.com/en-us/library/ms801156.aspx) event in TDI, you would notice that its handler declaration is a bit strange (http://msdn2.microsoft.com/en-us/library/ms801622.aspx):

NTSTATUS
  ClientEventReceive(
    IN PVOID  TdiEventContext,
    IN CONNECTION_CONTEXT  ConnectionContext,
    IN ULONG  ReceiveFlags,
    IN ULONG  BytesIndicated,
    IN ULONG  BytesAvailable,
    OUT ULONG  *BytesTaken,
    IN PVOID  Tsdu,
    OUT PIRP  *IoRequestPacket
    );

Guess what? Its declaration is the same as that of the handler for TDI_EVENT_RECEIVE, which sets the event handler for the TCP protocol and not for UDP! If you want to handle incoming UDP data at the TDI level, you will most likely need to find the correct declaration of the handler function, because using the declaration from MSDN will give your driver one more chance to blue screen :)

Thanks to www.osronline.com, I found the correct declaration: http://www.osronline.com/ddkx/w98ddk/vxdtdi_9lt9.htm. It should have the following form:

NTSTATUS ClientEventReceiveDatagram(
    IN PVOID TdiEventContext,
    IN LONG SourceAddressLength,
    IN PVOID SourceAddress,
    IN LONG OptionsLength,
    IN PVOID Options,
    IN ULONG ReceiveDatagramFlags,
    IN ULONG BytesIndicated,
    IN ULONG BytesAvailable,
    OUT ULONG *BytesTaken,
    IN PVOID Tsdu,
    OUT PIRP *IoRequestPacket);

The most interesting thing is that I spent 30 minutes trying to figure out what was wrong in my code, until I noticed the presence of the ConnectionContext parameter in the declaration of the handler, so I asked myself: why would I receive a connection context when handling connectionless protocol data ... ? So I started googling.

It seems this issue affects both the local documentation for the WDK and the online documentation at http://msdn2.microsoft.com.
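A user-mode model of the corrected handler, as an added example that is not code from the original post or from the WDK: it keeps the TDI_EVENT_RECEIVE_DATAGRAM parameter list quoted above and adds the check a practitioner wants in such a handler, namely that SourceAddressLength is validated before anything in the TRANSPORT_ADDRESS is read. The WDK types are replaced by plain C typedefs so it builds on any host; the TA_IP_ADDRESS layout and the values TDI_ADDRESS_TYPE_IP = 2 and TDI_ADDRESS_LENGTH_IP = 14 follow tdi.h, while the demo_ctx_t context, the demo_ functions and every sample byte are constructed for the example.

```c
/* Added example, not code from the original post or the WDK: a user-mode model
 * of a TDI_EVENT_RECEIVE_DATAGRAM handler with the corrected parameter list,
 * plus a bounds-checked parser for the IPv4 TRANSPORT_ADDRESS passed in
 * SourceAddress.  WDK types become plain C typedefs so this builds without the
 * WDK; the TA_IP_ADDRESS layout follows tdi.h; all sample bytes are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef void *PVOID;
typedef long LONG;
typedef unsigned long ULONG;
typedef long NTSTATUS;
typedef struct _IRP *PIRP;

#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define TDI_ADDRESS_TYPE_IP      2
#define TDI_ADDRESS_LENGTH_IP    14   /* sizeof(TDI_ADDRESS_IP): port, addr, 8 zero bytes */
#define TA_IPV4_TOTAL_LEN        (4 + 2 + 2 + TDI_ADDRESS_LENGTH_IP)  /* 22 bytes */

/* TDI structures are laid out in x86 (little-endian) host order. */
static uint16_t rd16le(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static int32_t rd32le(const unsigned char *p)
{ return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24)); }

/* Parse the first address of a TRANSPORT_ADDRESS (LONG TAAddressCount, then
 * USHORT AddressLength, USHORT AddressType, TDI_ADDRESS_IP).  Returns 0 on success,
 * -1 when the indicated length is shorter than a full TA_IP_ADDRESS or the address
 * is not IPv4; every read is guarded by SourceAddressLength, so nothing is over-read. */
static int parse_tdi_ipv4_source(const unsigned char *buf, LONG len,
                                 uint16_t *port_host, uint32_t *addr_host)
{
    if (buf == NULL || len < TA_IPV4_TOTAL_LEN) return -1;
    if (rd32le(buf) < 1) return -1;                          /* TAAddressCount */
    if (rd16le(buf + 4) != TDI_ADDRESS_LENGTH_IP) return -1; /* AddressLength  */
    if (rd16le(buf + 6) != TDI_ADDRESS_TYPE_IP) return -1;   /* AddressType    */
    /* sin_port and in_addr are in network byte order, as in sockaddr_in */
    *port_host = (uint16_t)((buf[8] << 8) | buf[9]);
    *addr_host = ((uint32_t)buf[10] << 24) | ((uint32_t)buf[11] << 16) |
                 ((uint32_t)buf[12] << 8) | (uint32_t)buf[13];
    return 0;
}

/* Per-handler state kept behind TdiEventContext (constructed for the model). */
typedef struct { uint16_t last_port; uint32_t last_addr; ULONG last_bytes; unsigned char data[64]; } demo_ctx_t;

/* The corrected handler signature.  The model validates the sender, copies the
 * indicated bytes, reports them through BytesTaken and returns no IRP. */
NTSTATUS ClientEventReceiveDatagram(
    PVOID TdiEventContext, LONG SourceAddressLength, PVOID SourceAddress,
    LONG OptionsLength, PVOID Options, ULONG ReceiveDatagramFlags,
    ULONG BytesIndicated, ULONG BytesAvailable, ULONG *BytesTaken,
    PVOID Tsdu, PIRP *IoRequestPacket)
{
    demo_ctx_t *ctx = (demo_ctx_t *)TdiEventContext;
    (void)OptionsLength; (void)Options; (void)ReceiveDatagramFlags; (void)BytesAvailable;
    *IoRequestPacket = NULL;
    *BytesTaken = 0;
    if (parse_tdi_ipv4_source((const unsigned char *)SourceAddress, SourceAddressLength,
                              &ctx->last_port, &ctx->last_addr) != 0)
        return STATUS_INVALID_PARAMETER;  /* malformed address indication: refuse it */
    ULONG n = BytesIndicated < sizeof ctx->data ? BytesIndicated : (ULONG)sizeof ctx->data;
    memcpy(ctx->data, Tsdu, n);
    ctx->last_bytes = n;
    *BytesTaken = n;
    return STATUS_SUCCESS;
}

/* Constructed TA_IP_ADDRESS for 192.168.1.10:53. */
static const unsigned char g_src_addr[TA_IPV4_TOTAL_LEN] = {
    0x01, 0x00, 0x00, 0x00,  /* TAAddressCount = 1                   */
    0x0E, 0x00,              /* AddressLength  = 14                  */
    0x02, 0x00,              /* AddressType    = TDI_ADDRESS_TYPE_IP */
    0x00, 0x35,              /* sin_port = 53, network order         */
    0xC0, 0xA8, 0x01, 0x0A,  /* in_addr  = 192.168.1.10              */
    0, 0, 0, 0, 0, 0, 0, 0   /* sin_zero                             */
};
static demo_ctx_t g_ctx;

/* Deliver the constructed payload "hello" while the transport claims that
 * indicated_addr_len bytes of address are present: 22 is a complete
 * TA_IP_ADDRESS, anything shorter must be refused by the handler. */
NTSTATUS demo_receive(LONG indicated_addr_len)
{
    static const unsigned char payload[] = "hello";
    ULONG taken = 0; PIRP irp = NULL;
    memset(&g_ctx, 0, sizeof g_ctx);
    return ClientEventReceiveDatagram(&g_ctx, indicated_addr_len, (PVOID)g_src_addr,
                                      0, NULL, 0, 5, 5, &taken, (PVOID)payload, &irp);
}
uint16_t demo_last_port(void)  { return g_ctx.last_port; }
uint32_t demo_last_addr(void)  { return g_ctx.last_addr; }
ULONG    demo_last_bytes(void) { return g_ctx.last_bytes; }

int main(void)
{
    printf("full: 0x%lx port=%u bytes=%lu\n", (unsigned long)demo_receive(TA_IPV4_TOTAL_LEN),
           demo_last_port(), demo_last_bytes());
    printf("truncated: 0x%lx\n", (unsigned long)demo_receive(10));
    return 0;
}
```

With the datagram prototype the second argument really is SourceAddressLength, so the length check above has something meaningful to test; with the TDI_EVENT_RECEIVE prototype from MSDN that same argument would be read as ConnectionContext and every later parameter would shift by one, which is the mismatch the post describes.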

Posted by V. S. | 1 comment(s)

DRIVER_VERIFIER_IOMANAGER_VIOLATION in Windows Server 2003 SP2 with latest updates ON

Recently I received the following error when trying to test my TDI filter driver on Server 2003 SP2 with the latest updates on:

DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
Arguments: Arg1: 00000208, (Fatal error) This IRP is about to run out of stack locations. Someone may have forwarded this IRP from another stack. (IRP specified.)

This violation message appeared when I ran applications which make network connections from network drives. Attaching a debugger to the debugging session gives more information:

***********************************************************************
* THIS VALIDATION BUG IS FATAL AND WILL CAUSE THE VERIFIER TO HALT    *
* WINDOWS (BUGCHECK) WHEN THE MACHINE IS NOT UNDER A KERNEL DEBUGGER! *
***********************************************************************

WDM DRIVER ERROR: [2k03sp2bug.sys @ 0xF77E00C5] This IRP is about to run out
                  of stack locations. Someone may have forwarded this IRP
                  from another stack (Irp = 859E8F48 ).
IRP_MJ_INTERNAL_DEVICE_CONTROL
[ DevObj=849C3E18, FileObject=849A93D0, Parameters=00006C36 00000020 00000000 00000000 ]
http://www.microsoft.com/hwdq/bc/default.asp?os=5.2.3790&major=0xc9&minor=0x208&lang=0x9
Break, Ignore, Zap, Remove, Disable all (bizrd)?

If I choose Ignore, everything goes fine and there are no fatal errors; however, I don't think this is normal behavior, so I decided to create a small TDI filter driver which layers over the \Device\TCP and \Device\UDP providers and works in pass-through mode to demonstrate the problem. I hope this small example will help to eliminate the problem.

The driver is really simple: it calls IoAttachDevice and sets the I/O function for handling the IRP_MJ control codes. The DeviceIO function is implemented as:

NTSTATUS Test2k03SP2Bug_DispatchIO(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp)
{
 /// simply dispatch the IRP down to stack and nothing else
 NTSTATUS   ntStatusOfDispatch = STATUS_SUCCESS;
 PIO_STACK_LOCATION pIRPs    = IoGetCurrentIrpStackLocation(Irp);

 if (pDeviceObject == g_TCPOBJ)
 {
  IoSkipCurrentIrpStackLocation(Irp);

  ntStatusOfDispatch = IoCallDriver(g_TCPOLDOBJ, Irp);
 }
 else if (pDeviceObject == g_UDPOBJ)
 {
  IoSkipCurrentIrpStackLocation(Irp);

  ntStatusOfDispatch = IoCallDriver(g_UDPOLDOBJ, Irp);
 }
 else /// unknown DO, do complete IRP
 {
  Irp->IoStatus.Status = ntStatusOfDispatch;
  IoCompleteRequest(Irp, IO_NO_INCREMENT);
 }

 return ntStatusOfDispatch;
}

As you can see, it simply forwards IRPs down the stack; no more processing is done in the I/O function. Complete sources for the driver are attached to this post. Compile them, and configure the verifier to verify the driver with all possible verification tests:

verifier.exe /all /driver 2k03sp2bug.sys

Load the driver. Reboot the machine (to allow the verifier to start its checks). Find any network share, run an application (from the share) which makes intensive network traffic (UDP & TCP) and catch the BSOD (if you boot with /DEBUG the system will halt, so you can attach a debugger; otherwise you will see a BSOD with DRIVER_VERIFIER_IOMANAGER_VIOLATION).

Posted by V. S.

Microsoft is hiring advanced professionals

I discovered one more interesting blog for myself: Microsoft Advanced Windows Debugging and Troubleshooting. At the same time, I noticed that Microsoft hires professionals who are good at low-level stuff - reverse engineering and debugging of complex solutions, which requires knowledge of assembly language and advanced knowledge of the undocumented internals of Windows.

This, I believe, is a step towards solving issues that happen only on the customer’s side, in complex environments, only under some unique conditions and test cases. So, if you feel comfortable with asm, WinDbg, IDA Pro, OllyDbg and other tools, hit the road and join Microsoft in this interesting challenge!

Posted by V. S.

explorer.exe is in danger :)

Kaspersky (http://www.kaspersky.com/) recently released a signature update that treats explorer.exe as a virus.

This false signature may affect those people who have the 'delete virus' option ON - it lets the antivirus delete the suspicious binary from the file system. I guess it may cause unpredictable results, even if WFP (Windows File Protection) tries to recover the explorer.exe binary. The more detailed story is described here: http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/

Posted by V. S.

NG tips document

A newsgroups tips document has been published recently on my blog. I am pretty sure it will be useful for newbies who are going to use the Microsoft newsgroups. For more details, please visit this link.

Posted by V. S.

The case of Task Manager that does not kill

Quite a long time ago, my friend Vadym Stetsiak described a bug in Task Manager which prevents (!) the killing of a process if its name is lsass.exe. In order to test this bug, you can rename any executable file to lsass.exe, run it, and then try to kill it from Task Manager. You will fail to kill it under XP:

One year has passed. Many updates were released by Microsoft. However, this bug is still present, and it remains in the upcoming SP3 for Windows XP. I checked the latest RC of XP SP3, and the same happens. I asked myself: why? In order to answer this question I did the following:

I opened WinDbg and attached to a running instance of Task Manager. In the command window of the debugger I typed:

0:003> bp user32!MessageBoxW
0:003> bl

0 e 7e46630a     0001 (0001)  0:**** USER32!MessageBoxW

This sets a breakpoint on MessageBoxW - I just want to catch the moment when I see the message box saying that lsass.exe is a critical process that cannot be deleted. I rename some executable to lsass.exe and run it. Then I try to kill this application via Task Manager. The breakpoint is hit, and I see the following code:

0100c169 50                push    eax
0100c16a ff7304           push    dword ptr [ebx+4]
0100c16d ff1528120001 call    dword ptr [taskmgr+0x1228 (01001228)] ds:0023:01001228={USER32!MessageBoxW (7e46630a)}

However, I need to know the previous location which called this chunk of code. To do that, I need to analyze the region of code above the call to MessageBoxW. For that I would use IDA.

So, I load the file C:\Windows\System32\taskmgr.exe into IDA and wait until the file is parsed. Then I jump to 0100c16d by pressing G and specifying 0100c16d:

.text:0100C15C                 lea     eax, [ebp+Caption]
.text:0100C162                 push    eax             ; lpCaption
.text:0100C163                 lea     eax, [ebp+Text]
.text:0100C169                 push    eax             ; lpText
.text:0100C16A                 push    dword ptr [ebx+4] ; hWnd
.text:0100C16D                 call    ds:MessageBoxW

This is exactly what I need. I try to locate the xref to this portion of code, and I see that it is called from the following address (the only xref):

.text:0100C0EE                 push    ds:off_1001F14[edi] ; lpString2
.text:0100C0F4                  push    dword ptr [esi+88h] ; lpString1
.text:0100C0FA                 call    ds:lstrcmpiW                             ; compare name of selected process with some string
.text:0100C100                  test    eax, eax
.text:0100C102                  jz      short loc_100C11D                     ; call MessageBoxW if comparison is OK

As you can see, there is a string comparison done using the lstrcmpiW function. Let's see what data is being compared when this code executes:

0:003> bp 0100C0FA
0:003> g

Trying to kill the fake lsass.exe again, the breakpoint is hit, and I see the following data passed as parameters to lstrcmpiW: csrss.exe, winlogon.exe, smss.exe, services.exe and finally lsass.exe. So, as follows logically from this research, these names are hardcoded into Task Manager and are treated as special processes; however, the check is buggy: I would rather check against the process path, not just the process name.
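The contrast the post draws, a check on the bare process name versus a check on the process path, written out as an added example that is not code from the original post or from taskmgr.exe. It keeps the five names the post recovered from the lstrcmpiW arguments, compares them case-insensitively as lstrcmpiW does, and runs both rules over a constructed process list to flag a renamed binary that borrows a protected name. The SYSTEM_DIR constant is a hypothetical hard-coded stand-in for what a real tool would query at runtime, and the process records are constructed.

```c
/* Added example, not from the original post or from taskmgr.exe.  It contrasts
 * the name-only check the disassembly above reveals (lstrcmpiW against a list
 * of process names) with the path-based check the post recommends, and runs
 * both over a constructed process list to flag a renamed executable that
 * borrows a protected name.  The protected names come from the post; the
 * system directory is a hypothetical constant; the process records are
 * constructed for the example. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static const char *PROTECTED_NAMES[] = {
    "csrss.exe", "winlogon.exe", "smss.exe", "services.exe", "lsass.exe"
};
#define NUM_PROTECTED (sizeof PROTECTED_NAMES / sizeof PROTECTED_NAMES[0])

/* Hypothetical constant; a real implementation would query the actual system
 * directory at runtime rather than hard-code it. */
static const char SYSTEM_DIR[] = "C:\\Windows\\System32\\";

static int lower_ascii(int c) { return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c; }

/* Case-insensitive equality, the behaviour lstrcmpiW gives for ASCII names. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (lower_ascii((unsigned char)*a) != lower_ascii((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive prefix test; a string shorter than the prefix fails. */
static int ihas_prefix(const char *s, const char *prefix)
{
    while (*prefix) {
        if (lower_ascii((unsigned char)*s) != lower_ascii((unsigned char)*prefix)) return 0;
        s++; prefix++;
    }
    return 1;
}

/* Name-only rule, as Task Manager applies it: any process whose image name
 * matches the list is treated as critical, wherever the file lives. */
int protected_by_name(const char *name)
{
    size_t i;
    for (i = 0; i < NUM_PROTECTED; i++)
        if (ieq(name, PROTECTED_NAMES[i])) return 1;
    return 0;
}

/* Path rule: the image must sit directly in the system directory (no further
 * path separators) and its file name must be one of the protected names. */
int protected_by_path(const char *path)
{
    const char *base;
    if (!ihas_prefix(path, SYSTEM_DIR)) return 0;
    base = path + (sizeof SYSTEM_DIR - 1);
    if (strchr(base, '\\') != NULL || strchr(base, '/') != NULL) return 0;
    return protected_by_name(base);
}

typedef struct { const char *name; const char *path; } proc_t;

/* A process that passes the name rule but fails the path rule is a renamed
 * binary borrowing a protected name.  Returns the index of the first such
 * record, or -1 when none is found. */
int find_masquerade(const proc_t *procs, int count)
{
    int i;
    for (i = 0; i < count; i++)
        if (protected_by_name(procs[i].name) && !protected_by_path(procs[i].path))
            return i;
    return -1;
}

/* Constructed process list: a genuine lsass.exe, a renamed copy, an unrelated process. */
static const proc_t g_procs[] = {
    { "lsass.exe",   "C:\\Windows\\System32\\lsass.exe" },
    { "lsass.exe",   "C:\\Users\\demo\\Desktop\\lsass.exe" },
    { "notepad.exe", "C:\\Windows\\System32\\notepad.exe" },
};
#define NUM_PROCS ((int)(sizeof g_procs / sizeof g_procs[0]))

int demo_first_masquerade(void) { return find_masquerade(g_procs, NUM_PROCS); }

int main(void)
{
    int i = demo_first_masquerade();
    if (i >= 0)
        printf("name rule protects %s, but it runs from %s\n", g_procs[i].name, g_procs[i].path);
    return 0;
}
```

The path rule also refuses anything below a subdirectory of the system directory, so only the file sitting exactly where the genuine binary lives qualifies; the same name-versus-path comparison is what a process-monitoring rule for renamed system binaries relies on.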

Windows XP SP3 RC is released

The Standalone Update Package for Windows® XP Service Pack 3 Release Candidate is available from this location: http://www.microsoft.com/downloads/details.aspx?FamilyId=75ED934C-8423-4386-AD98-36B124A720AA&displaylang=en

Posted by V. S. | 2 comment(s)

my first FAQ ...

Well, it's "better late than never". I decided to write a small FAQ document on TDI. The idea to write this document came into my head when I noticed that there is not much documentation in this field. Yes, I realize that TDI is becoming deprecated, and after Vista it will not be supported, but ... XP is still popular, and TDI filters and TDI clients are quite often used even nowadays.

Here is the initial version of the FAQ.

Posted by V. S.