A Hole In My Head
Doron Holan's musings on drivers and other nibbles and bits
Programming Note
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 1
I will be on parental leave for the month of April :). While I have written up articles to post ahead of time, there is no guarantee I will have time to post them though. I will try for around 3 articles a week, but the pace might be slower then...
Debugger commands (!bpid) that make my life easier (part 6)
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 2
Today's kernel debugger command is "!bpid", break on process id. This command will break into an application in the application context from within the kernel debugger. Why would you want to do this? Well, you are not always in the right user mode...
Debugger commands (dps, dpp) that make my life easier (part 5)
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 3
Today's debugger command is "dps" (display pointers and symbols). You might be familiar with the "dds" command. While dds will always dump a DWORD, dps will dump pointers, where the pointer size is determined by the target. (I used to use dds because...
Avoiding #defines for constant data and using enums instead
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 27
I think that the C preprocessor is a very powerful tool, but I like to limit my use of #defines. I have already touched on this when I talked about why I liked FORCEINLINE and I want to talk about it some more. I realize I can't eliminate the use of #defines...
Debugger commands (!sd) that make my life easier (part 3.1)
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 2
Peter Wieland informed me that you can actually find the security descriptor (SD) using !object, you just have to work harder to get at it. It relies on an undocumented structure, but since this is not being used at runtime and !object also uses it, I...
Debugger commands (dt, ??) that make my life easier (part 4)
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 4
Today I will cover how to look at type information from the command line of windbg/kd. You can do all of this in the UI with a mouse, but that takes too long ;). I like to keep my hands on the keyboard and not move around. More importantly, by learning...
Debugger commands (!object) that make my life easier (part 3)
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 0
Today I am going to write about !object. One of the tools you can get from sysinternals is WinObj.exe. This allows you to traverse the internal object hierarchy in Windows. It's a neat tool, but it uses internal undocumented APIs which means that when...
Real life usage of loading a driver as a dump file
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 6
Today I got a callstack via email (from the NTDEV list), but no dump file. I needed to determine if the bugcheck was due to a KMDF or a USB core bug. Since I had no dump file, I had to work purely on what the message contained. The callstack did have...
Debugger commands (!poaction, !poreqlist) that make my life easier (part 2)
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 3
Today's commands are related to power, they are: !poreqlist, !poaction, and !podev (covered in the last topic). !poreqlist will list all outstanding PIRPs on the machine that are a result of any driver calling PoRequestPowerIrp(). Remember how in the...
Debugger commands (!drvobj, !devobj, !podev, !devstack) that make my life easier (part 1)
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 2
Over the next few days I'll talk about different debugger commands which I use to make driver development easier, especially when debugging my driver. Today I'll talk about how to find your driver, the devices you created and any device object that any...
How to debug missing imports at driver load time
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 8
Debugging when your driver fails to load can be exasperating, especially if it is due to a missing import. Windows 2000 would put up a dialog box telling the user which import was missing, but the user can't do anything about it (unless she is the driver...
Loading your driver in user mode
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 6
One of the very cool features of windbg/kd is that you can load any PE file as a dump file. That means that you can load an exe, dll, or sys file as a dump file in the debugger. Your driver won't run ;), but you can look at a lot of things in it. All you...
Great articles on DMA
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 2
Peter Wieland has started a blog. Peter sits around the corner from me and works on UMDF (which exists under the WDF banner alongside KMDF). He has written 4 (so far) excellent entries on DMA, part 1 is here. DMA is one of the aspects of writing a driver...
Beware the shiny light that is MmIsAddressValid
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 7
This came up on NTDEV today and has come up in the past (both in the community and internally on the KMDF team). MmIsAddressValid appears to be a great function given its name. You pass in a kernel virtual address (VA from now on) and it returns TRUE...
A KLOCK_QUEUE_HANDLE cannot be shared across multiple threads
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 0
Folks like to write wrappers. One very popular wrapper is for a KSPIN_LOCK. An example wrapper would be typedef struct _MY_LOCK { KSPIN_LOCK Lock; KIRQL LockIrql; } MY_LOCK, *PMY_LOCK; VOID FORCEINLINE AcquireMyLock(PMY_LOCK Lock) { KeAcquireSpinLock...
The return value from RtlCompareMemory and memcmp do not mean the same thing!
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 3
When I was working on the Bluetooth core, I got this mistake the first time I tried to compare 2 Bluetooth addresses (a Bluetooth address is 48 bits wide and at the time we were not using a ULONGLONG to represent the address, so we were doing structure...
String buffers and IRQL
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 13
If you look at the docs for many Rtl string functions, you will see that they are callable only at IRQL == PASSIVE_LEVEL. This applies not only to Rtl functions but also to CRT functions. Why is that? Well, there are a few reasons. The Rtl functions...
WinHEC registration is open
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 0
http://www.microsoft.com/whdc/winhec/ I will definitely be there. I will be at the KMDF and UMDF talks (I don't think I am presenting this year) as well as all the WDF (KMDF, UMDF, prefast, SDV) related labs and just hanging out in general. In previous...
When is string constant not really constant?
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 0
While this is not necessarily specific to a driver, the effects can be, so read on. A string constant (e.g. "Foo") all by itself is harmless, but if you use the string constant when initializing a variable, it depends on how you declare the variable...
How can a NULL terminated string be misinterpreted in a UNICODE_STRING?
Posted over 7 years ago by Doron Holan [MSFT]. Comments: 2
A NULL terminated string can be misinterpreted if the Length field contains the NULL part of the string. Let's look at the definition of DECLARE_CONST_UNICODE_STRING again before I go into how it can be misinterpreted. #define DECLARE_CONST_UNICODE_STRING...