Re: interrupt routine and application pages

Tech-Archive recommends: Fix windows errors by optimizing your registry

Ok, this may be able to be done. You will need to know the range of the
stack and create a MDL for the stack area, then proble and lock the pages.
From thst you can get a non-paged system address, and use it to reference
the stack. Now you still have the stack pointer problem, since the stack
pointer in the ISR is the kernel stack pointer not the user stack pointer.
If you can find the stack pointer you need to rationalize it to be relative
to the system address you get.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply



"RJ" <RJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8B1BBE2A-74D4-40B7-99A5-989243D1CFD2@xxxxxxxxxxxxxxxx
Hi Don,
Thanks for the quick reply. I do have the right stack pointer and
PsGetCurrentProcessId() returns the PID for the process that was running
when
the interrupt happened.

I need to access the stack only if the PID is of the process I am
interested
in.
So I know the PID of the interested application. This is to generate the
Callstack of the application at the interrupt.
Thanks,
RJ

"Don Burn" wrote:

You cannot do this. The application code is pageable and an interrupt
service routine runs at Device IRQL which cannot access pageable code.
Also, you are running in arbitrary thread context, i.e you do not know
what
the thread or the process will be, so what are you going to do with the
stack (assuming you had a way to find the stack pointer?). You cannot
walk
the stack since you do not know the calling conventions being used by
the
application, you cannot read a variable since you don't know what the
application is.

Tell us what you are really trying to accomplish, and maybe there is an
approach.

--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply



"RJ" <RJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C60CC328-2272-45D7-9611-DC859F738C1F@xxxxxxxxxxxxxxxx
Hello,
I have a requirement to examine currently running application stack on
an
interrupt routine. Is it safe to read application memory on an
interrupt
routine? What is IRQL at which page swapping happens? What is the
mechanism
that can be used to make sure that memory area is safe to read?

I would like to use "MmProbeAndLockPages", but it can be used only <=
APC_LEVEL

Any hints appreciated.
Thanks,
RJ







.

Relevant Pages

  • Re: Question about interrupt in MINIX3
    ... a new stack for use during the interrupt service. ... stack is determined by an entry in the Task State Segment. ... register values are saved on the frame, the stack pointer ...
    (comp.os.minix)
  • Re: interrupt routine and application pages
    ... Look - the stack is changing dynamically, so that, if we are speaking ... Don Burn (MVP, Windows DDK) ... pages before the interrupt starts? ... Now you still have the stack pointer problem, ...
    (microsoft.public.development.device.drivers)
  • Re: interrupt routine and application pages
    ... You need to lock the pages in memory before the interrupt. ... know the application stack pointer? ... Now you still have the stack pointer problem, ...
    (microsoft.public.development.device.drivers)
  • Re: StdCall vs. CDecl
    ... I don't understand why "leaving arguments on the stack" is benign. ... If the caller expects the callee to "clean up the stack" (that is, restore the stack pointer to the value it had before the caller pushed a call frame onto the stack), then I would expect the caller to be thoroughly messed up after the call returns and the caller tries to get to its own data on the stack. ... That's for calling a cdecl function as stdcall. ...
    (microsoft.public.dotnet.framework.interop)
  • Re: [9fans] pointer to the last TOS
    ... the stack pointer is there. ... a positive offset from ... pointer to the virtual frame pointer to find the return address. ...
    (comp.os.plan9)