More debugging-geekness

January 20th, 2010

So yesterday I was troubleshooting some window creation issues, and had to fool around in the kernel side of window creation, down in win32k.sys. Specifically I was looking at window class registration, which happens when you call RegisterClassEx from your Windows app. Down in the kernel, some magic happens with creating Atoms as part of the window class registration. I traced through a bunch of win32k.sys routines to figure out where in memory they were storing this, and then I wanted to dump the table. After dumping about 4 of the entries manually, I got bored and wrote this little gem:

r $t0=poi(poi(win32k!UserAtomTableHandle)+c)
.for ( r $t1=0; @$t1 < @$t0; r $t1 = @$t1 + 1 ) { du poi(poi(win32k!UserAtomTableHandle)+10+( @$t1 * 4))+c }

Basically, this uses the symbol win32k!UserAtomTableHandle to find the length of the table, and then uses a for loop to go through, calculating the offset of each item, and then dumping its string value. On my Windows 7 system it produced something like this:

8c2a3d1c "Native"
878b0c9c "ObjectLink"
87e1e18c "AeroWizardInternalFrameButtonCli"
87e1e1cc "cked"
878cb314 "Static"
878cb104 "DDEMLUnicodeClient"
9620faec "DataObject"
8c2affa4 "ACTIVATESHELLWINDOW"
8c2afe34 "FlashWState"
9620fa84 "SysCH"
8c2b2ce4 "PBrush"
8c3b8f24 "MSUIM.Msg.RpcSendReceive"
878bb7b4 "SysIC"
878cb1ec "DDEMLEvent"
878bb784 "SHELLHOOK"
8c2b2e0c "Custom Link Source"
9159dc84 "AltTab_KeyHookWnd"
91529084 "Search Box"
878bb6f4 "SysDT"
8c2b2dd4 "Link Source"
9620fb8c "FileName"
87e35b0c "GDI+ Accessibility"
878bb664 "SysWNDO"
878bb854 "DDEMLAnsiServer"
87e0c0bc "SysLink"
9620fb24 "NetworkName"
8c2cde3c "USER32"
8c2b2d14 "OleDraw"
9620fb5c "FileNameW"
8c2b2bec "MoreOlePrivateData"
8c282434 "Edit"
9620fbbc "Binary"
878cb374 "OleClipboardPersistOnFlush"
8c2a3d4c "OwnerLink"
878cb2e4 "ListBox"
8c2b2e54 "Embed Source"
878bb634 "SysIMEL"
878cb224 "ComboLBox"
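
An added example, not part of the original post: the same walk done offline in Python over a constructed 32-bit memory image, using the post's offsets (count at +c, pointer array at +10 with a stride of 4, name at +c in each entry). It goes one step further than the one-liner by skipping empty slots and following a next-entry link at entry+0, which is an assumption not stated in the post; the image, its addresses and the helper names are made up for illustration.

```python
import struct

PTR = 4           # 32-bit target: matches the "* 4" stride in the post
OFF_COUNT = 0x0C  # table+c  : number of slots (post)
OFF_SLOTS = 0x10  # table+10 : array of entry pointers (post)
OFF_NAME = 0x0C   # entry+c  : UTF-16 name, what "du" prints (post)
OFF_NEXT = 0x00   # ASSUMPTION, not from the post: entry+0 links the next entry

def read(img, addr, size):
    """img is {base_address: bytes}; refuse reads outside mapped regions."""
    for base, data in img.items():
        if base <= addr and addr + size <= base + len(data):
            return data[addr - base:addr - base + size]
    raise ValueError(f"unmapped read at {addr:#x}")

def ptr(img, addr):
    return struct.unpack("<I", read(img, addr, PTR))[0]

def wstr(img, addr, limit=255):
    chars = []  # 2-byte code units up to the NUL terminator or the limit
    while len(chars) < limit and (ch := read(img, addr + 2 * len(chars), 2)) != b"\0\0":
        chars.append(ch)
    return b"".join(chars).decode("utf-16-le", "replace")

def walk_atoms(img, handle_addr, max_slots=4096):
    table = ptr(img, handle_addr)            # poi(win32k!UserAtomTableHandle)
    count = ptr(img, table + OFF_COUNT)
    if count > max_slots:
        raise ValueError("implausible slot count, wrong offsets for this build?")
    found, seen = [], set()
    for i in range(count):
        entry = ptr(img, table + OFF_SLOTS + i * PTR)
        while entry and entry not in seen:   # skip empty slots, stop on cycles
            seen.add(entry)
            found.append((entry + OFF_NAME, wstr(img, entry + OFF_NAME)))
            entry = ptr(img, entry + OFF_NEXT)
    return found

def make_entry(name, nxt=0):
    # constructed entry: link, 8 bytes left uninterpreted, NUL-terminated name
    return struct.pack("<I", nxt) + bytes(8) + name.encode("utf-16-le") + b"\0\0"

SAMPLE = {  # constructed image: 3 slots, one empty, one holding a 2-entry chain
    0x1000: struct.pack("<I", 0x2000),       # stands in for the handle variable
    0x2000: bytes(OFF_COUNT) + struct.pack("<4I", 3, 0x3000, 0, 0x4000),
    0x3000: make_entry("Static", nxt=0x5000),
    0x4000: make_entry("Edit"),
    0x5000: make_entry("ListBox"),
}
```

`walk_atoms(SAMPLE, 0x1000)` returns (address, name) pairs in the same shape as the `du` output above. On a 64-bit target the pointer size and every offset would differ, so the constants would have to be re-derived from that build.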

Neato Debugging Trick

December 9th, 2009

I had to debug an annoying little problem today that I thought might be worth writing about. I was interested in walking through some code that was failing, but the same code was getting called in a recursive loop, so there were literally hundreds of successful runs that I was not interested in prior to the single failure I did care about.

Now a normal usermode developer might just add some special code at the point of failure to detect the failure and recall the failing function. Nice and easy. But that's really not any fun, and when you're doing kernel debugging, writing some new code and getting it running on the machine is not quite as simple (it's not hard, just more time consuming).

Enter this neato debugging trick...

bp address "j (dwo(status)!=0) 'r @rip=fffff880`02b5bd1f'; 'gc'"

Basically this executes a conditional test (the "j" command) each time the breakpoint is hit. If the DWORD value represented by the variable named 'status' is non-zero, then I know I've hit the failure condition. In that case, I just adjust the instruction pointer back up to before the failing function call, leaving me right where I am ready to trace into the function and see the failure. Otherwise, the breakpoint essentially just hits 'Go' to continue on to the next hit.

The syntax here is a bit rough, and would have to be modified if your program isn't always at the same code location (since I hard-coded the rip register). It could be replaced with an offset from the current location to be a bit more elegant. But since I was working on a driver, it was always in memory and at the same place, so I was lazy. (A habit that always pays off immediately.)

Sean Hannity is Math Challenged

August 23rd, 2009

So I was just driving back home from getting some lunch and the Hannity show happened to be on the radio. He was talking to a "liberal" about the health care reform issues. The caller was pointing out that the U.S. ranks #38 in the world in life expectancy. (According to the CIA World Factbook 2009, the U.S. actually ranks #50 in the world for life expectancy at birth.) The caller was trying to make the point that maybe our health care system isn't that great.

Hannity's response was that the numbers were skewed by the fact that the U.S. has so many soldiers dying around the world to protect the freedom of all those other countries (and ourselves). So it got me thinking about the numbers on the way home, and when I got back I decided to do a little math.

According to the CIA Factbook the 2009 population of the U.S. is 307,212,123. The life expectancy at birth is 78.11. So if you take away 10,000 of that population and replace them with 10,000 people who die at age 19, guess what the average life expectancy becomes... that's right. 78.11. Exactly the same.

The reality is that we would have to have around 325,000 of our soldiers die at age 19 in order to move our placement at 50th into 51st (behind Albania). So what can we learn from this lesson... Hannity is FULL OF S**T.

Note that this exercise doesn't say anything about the health care reform. Hannity's lack of math skills doesn't imply that we need a public option, single payer, etc. I think that there are small, much less costly ways to improve our health care system, and we should explore those LONG before we create another Medicare to bankrupt us.

Stanley Cup Finals Game 7

June 12th, 2009

Tonight I had the experience of a lifetime. I was able to attend the final game of the 2009 Stanley Cup playoffs, and (more importantly) I was able to see MY team - the Pittsburgh Penguins - win the Cup.

I decided Wednesday night that I would try to get a ticket, and I was actually able to find one online through the Red Wings ticket exchange. It wasn't cheap, but I figured that this kind of opportunity doesn't come along all that often. I bought the ticket, a plane ticket, booked a hotel and a rental car, and less than 24 hours later, I was off.

I got to Detroit late Thursday night, checked into a hotel near the airport, and then Friday morning I headed into downtown Detroit. I had lunch at the Hockeytown Cafe, and then walked down to Joe Louis arena. There was a party at the riverwalk next to the stadium. I hung out there for hours, listened to some bands, and watched some planes doing some racing and aerobatics over the river.

The game was MOST EXCELLENT. It was by no means a given that the Pens would win. There were some tense moments, particularly in the third period. As the buzzer sounded signaling the end of the game, there was a half-second of disbelief, and then the moment hit me!

I snapped as many pictures as I could, met some very nice Red Wings fans, and some very nice Penguins fans as well. The negative stories that I had heard about Detroit prior to coming turned out to be not true at all. Everyone I ran into during my stay was friendly, in spite of me wearing the wrong colors.

What an awesome trip! Go Penguins!

Audit the Federal Reserve Bank

April 25th, 2009

I would imagine that anyone who reads my blog is probably already aware of some of the controversy surrounding the Federal Reserve Bank. But just in case, I wanted to make a quick post and encourage everyone to look into H.R. 1207 “Audit the Federal Reserve Bank”. Give your representative a call today and encourage them to support this resolution or thank them for their support. (Almost 100 representatives have already co-sponsored this resolution.)

The Federal Bank is basically in charge of massive portions of our financial system. They control the money supply, borrow money from other countries, lend money to financial institutions, etc. And the truly scary part about this is that NOBODY OVERSEES WHAT THEY DO. They report whatever numbers they feel like, and in recent years have stopped publishing data about the money supply. Even the Congress does not hold them accountable or exercise any oversight on their actions.

The problem is that the Constitution gives CONGRESS many of these financial powers: “to borrow money on the credit of the United States . . . to coin money, regulate the value thereof.” These are powers that, even when exercised, should NOT be turned over to a third party with complete autonomy. Congress has the responsibility to make sure that these powers are used correctly and responsibly, and WE should hold THEM accountable to do so.
