
March 2006 - Posts

I will be on parental leave for the month of April :). While I have written up articles to post ahead of time, there is no guarantee I will have time to post them though. I will try for around 3 articles a week, but the pace might be slower than that Read More...
Today's kernel debugger command is "!bpid", break on process id. This command will break into an application in the application context from within the kernel debugger. Why would you want to do this? Well, you are not always in the right user mode context Read More...
Today's debugger command is "dps" (display pointers and symbols). You might be familiar with the "dds" command. While dds will always dump a DWORD, dps will dump pointers, where the pointer size is determined by the target. (I used to use dds because Read More...
I think that the C preprocessor is a very powerful tool, but I like to limit my use of #defines. I have already touched on this when I talked about why I liked FORCEINLINE and I want to talk about it some more. I realize I can't eliminate the use of #defines Read More...
Peter Wieland informed me that you can actually find the security descriptor (SD) using !object, you just have to work harder to get at it. It relies on an undocumented structure, but since this is not being used at runtime and !object also uses it, I Read More...
Today I will cover how to look at type information from the command line of windbg/kd. You can do all of this in the UI with a mouse, but that takes too long ;). I like to keep my hands on the keyboard and not move around. More importantly, by learning Read More...
Today I am going to write about !object. One of the tools you can get from sysinternals is WinObj.exe. This allows you to traverse the internal object hierarchy in Windows. It's a neat tool, but it uses internal undocumented APIs which means that when Read More...
Today I got a callstack via email (from the NTDEV list), but no dump file. I needed to determine if the bugcheck was due to a KMDF or a USB core bug. Since I had no dump file, I had to work purely on what the message contained. The callstack did have Read More...
Today's commands are related to power, they are: !poreqlist, !poaction, !podev (covered in the last topic). !poreqlist will list all outstanding PIRPs on the machine that are a result of any driver calling PoRequestPowerIrp(). Remember how in the last topic, Read More...
Over the next few days I'll talk about different debugger commands which I use to make driver development easier, especially when debugging my driver. Today I'll talk about how to find your driver, the devices you created and any device object that any Read More...
Debugging when your driver fails to load can be exasperating, especially if it is due to a missing import. Windows 2000 would put up a dialog box telling the user which import was missing, but the user can't do anything about it (unless she is the driver Read More...
One of the very cool features of windbg/kd is that you can load any PE file as a dump file. That means that you can load an exe, dll, or sys file as a dump file in the debugger. Your driver won't run ;), but you can look at a lot of things in it. All you Read More...
Peter Wieland has started a blog. Peter sits around the corner from me and works on UMDF (which exists under the WDF banner alongside KMDF). He has written 4 (so far) excellent entries on DMA, part 1 is here. DMA is one of the aspects of writing a driver Read More...
This came up on NTDEV today and has come up in the past (both in the community and internally on the KMDF team). MmIsAddressValid appears to be a great function given its name. You pass in a kernel virtual address (VA from now on) and it returns TRUE Read More...
Folks like to write wrappers. One very popular wrapper is for a KSPIN_LOCK. An example wrapper would be typedef struct _MY_LOCK { KSPIN_LOCK Lock; KIRQL LockIrql; } MY_LOCK, *PMY_LOCK; VOID FORCEINLINE AcquireMyLock(PMY_LOCK Lock) { KeAcquireSpinLock(&Lock->Lock, Read More...
When I was working on the Bluetooth core, I got this mistake the first time I tried to compare 2 Bluetooth addresses (a Bluetooth address is 48 bits wide and at the time we were not using a ULONGLONG to represent the address, so we were doing structure Read More...
If you look at the docs for many Rtl string functions, you will see that they are callable only at IRQL == PASSIVE_LEVEL. This applies to not only Rtl functions but also to CRT functions. Why is that? Well, there are a few reasons: The Rtl functions are Read More...
http://www.microsoft.com/whdc/winhec/ I will definitely be there. I will be at the KMDF and UMDF talks (I don't think I am presenting this year) as well as all the WDF (KMDF, UMDF, prefast, SDV) related labs and just hanging out in general. In previous Read More...
While this is not necessarily specific to a driver, the effects can be, so read on. A string constant (e.g. "Foo") all by itself is harmless, but if you use the string constant when initializing a variable, it depends on how you declare the variable and Read More...
A NULL terminated string can be misinterpreted if the Length field contains the NULL part of the string. Let's look at the definition of DECLARE_CONST_UNICODE_STRING again before I go into how it can be misinterpreted. #define DECLARE_CONST_UNICODE_STRING(_var, Read More...
 