DRIVER_IRQL_NOT_LESS_OR_EQUAL on Win7 x64 #19
Thanks, but it'd be appreciated if you followed the issue template and at least uploaded the files required along with any patches applied (i.e. source code or Makefile edits).
Tried once again... Result is the same, crash. This time one change in Makefile.windows,
The issue template clearly says if it's a crash you need to upload .dmp files, and the produced executable file, .sys file, etc.
Hi, please check the attachment.
Can you try without
I have no Windows 10 installation. I will get one and try asap... :)
I wonder if it's an optimization-related issue, since I was always compiling without optimizations when testing the cross build and they all worked fine (except on cross Win10 builds), so I'd also try disabling that too. Last time I tested it was working fine with both native Win32 (NOT MinGW, but CL) and Linux builds, so I suspect it's some option that's passed to GCC that messes it up, or just something to do with initialization code that the NT kernel does not like; in either case, from the generated disassembly, I see nothing obvious that hints at it. I'll look into the DMP file soon, though. I took a quick peek at it and the checksum did not match [?]. Not sure.
I have discovered that the crash happens in DriverDispatch's switch, in case KSM_IOCTL_SUBVERT:
The real question is which path it ends up in. What I'd appreciate is if you use GDB to debug the kernel (if you're using QEMU/VMware, it's quite easy); then it'd be really easy to find it. The DriverDispatch() path (with that ioctl) is basically ksm_subvert() -> vcpu_init() -> vmlaunch -> do_resume.
ksm_subvert -> __ksm_init_cpu. I am reviewing the code. Please do a review from your end too.
NOTE: For now stick to code review.
There is an army of inline functions in the code with static scope declaration, and in header files at that.
On Fri, Mar 10, 2017 at 3:13 PM rohaaan ***@***.***> wrote:
There is an army of inline functions in the code with static scope declaration, and in header files at that. Functions from this pool are referenced in __ksm_init_cpu, which is run as a DPC.

Functions running as a DPC should not be pageable and should not refer to any potentially pageable inline functions or pageable data. Therefore, the crash location could vary at every run.

I believe we should make the relevant changes, test them and then close this issue.
There are no pageable functions in that path... Plus the IRQL reported in the dmp is passive level iirc.
--
asamy
Actually, I was wrong about one thing: the Microsoft linker by default marks sections as non-pageable (i.e. with the P section attribute); initially I thought the P implies pageable [1]. However, I am not sure how to force the linker to set that attribute; perhaps we need an LD script, what do you think? It doesn't seem to exist from reading the LD script manual [2].
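An added example (not code from the ksm project or from anyone in this thread) for checking the point above on a built .sys: it parses the PE section table, reports executable sections that lack the IMAGE_SCN_MEM_NOT_PAGED bit (the "P" attribute referred to above), and sets the bit as a post-link fix-up. It uses only the Python standard library rather than pefile, which the thread later installs (pefile exposes the same field as `section.Characteristics`), and it runs on a constructed, header-only PE32+ image rather than a real driver. The flag-check and fix-up logic is the example's own; whether the NT loader treats a given driver's sections as pageable depends on more than this one bit, and recomputing the header checksum after patching is left out.

```python
import struct

# Section characteristic bits from winnt.h.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000   # the "P" attribute: never page this section out
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
# COFF file header (20 bytes) directly follows the "PE\0\0" signature.
COFF_HEADER = struct.Struct("<HHIIIHH")


def section_table(image):
    """Return (file offset of the first section header, number of sections)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(image, e_lfanew + 4)
    return e_lfanew + 4 + COFF_HEADER.size + opt_size, nsections


def list_sections(image):
    """[(name, characteristics), ...] in section-table order."""
    off, n = section_table(image)
    out = []
    for i in range(n):
        fields = SECTION_HEADER.unpack_from(image, off + i * SECTION_HEADER.size)
        out.append((fields[0].rstrip(b"\0").decode("ascii", "replace"), fields[-1]))
    return out


def pageable_code_sections(image):
    """Executable sections without IMAGE_SCN_MEM_NOT_PAGED.  Code reached from a
    DPC (DISPATCH_LEVEL) must not live in such a section: touching a paged-out
    page there bug checks with DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1)."""
    return [name for name, chars in list_sections(image)
            if chars & IMAGE_SCN_MEM_EXECUTE and not chars & IMAGE_SCN_MEM_NOT_PAGED]


def mark_not_paged(image, names):
    """Copy of `image` with IMAGE_SCN_MEM_NOT_PAGED set on the named sections.
    Post-link fix-up only: the PE checksum must be recomputed afterwards."""
    buf = bytearray(image)
    off, n = section_table(image)
    for i in range(n):
        hdr = off + i * SECTION_HEADER.size
        fields = list(SECTION_HEADER.unpack_from(buf, hdr))
        if fields[0].rstrip(b"\0").decode("ascii", "replace") in names:
            fields[-1] |= IMAGE_SCN_MEM_NOT_PAGED
            SECTION_HEADER.pack_into(buf, hdr, *fields)
    return bytes(buf)


def build_minimal_pe(sections):
    """Constructed test input: a header-only PE32+ image (no section data),
    just enough for the section-table code above.  Not a real driver."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240                                   # PE32+ optional header size
    coff = COFF_HEADER.pack(0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    optional = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    table = b"".join(SECTION_HEADER.pack(name.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
                     for name, chars in sections)
    return dos_header + b"PE\0\0" + coff + optional + table


# Constructed sample: a cross-built driver whose .text was left pageable by the linker.
SAMPLE_IMAGE = build_minimal_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print("pageable code sections:", pageable_code_sections(SAMPLE_IMAGE))
    fixed = mark_not_paged(SAMPLE_IMAGE, {".text"})
    print("after fix-up:", pageable_code_sections(fixed))
```

To run it against a real file, read the .sys into `bytes` and pass it to `pageable_code_sections`; the helper only ever reads the DOS stub, COFF header and section table, so it works on any PE32/PE32+ image regardless of what the section data contains.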
"There are no pageable functions in that path"
What do you mean, use Driver Verifier...? Anyway, try with the latest; you'll need Python 2.7 and to install pefile with:
Then recompile. |
Driver Verifier allows revealing runtime defects in our driver in the Windows kernel. Very useful. OK. I will install pefile and check.
I understand what Driver Verifier is; it sounded like you wanted to use Driver Verifier for something else.
Updates on this? Finalizing stuff. |
Not yet... tomorrow.
Installing pefile and recompiling made no difference.
ksm.sys service does not start.
I am puzzled now... even after making the code section non-pageable, it's crashing.
Any updates on this?
I will debug it myself later today.
Compiled ksm.sys with VS2015 for Win7 x64, using VMware Player for hosting Win7 x64.
Here I continue then -
Any update? Kernel stack overflow, is it? While allocating CoW pages...
No, it's probably something to do with the process you're sandboxing dying (i.e. crashing or similar); it may be some error in CoW page allocation that's causing it to die, not sure. Probably due to some paging stuff, i.e. a range is being paged or similar. Possibly also cache congestion.
After cross compiling the Windows driver on Linux and loading it in Windows, when the user-mode app is run the driver crashes with BUG_CHECK 0xD1: DRIVER_IRQL_NOT_LESS_OR_EQUAL