IoGetCurrentIrpStackLocation in the debugger

April 23, 2012

Today I had occasion to debug a problem with some IRP handling code in my driver. In the particular debugger session I found myself in, I wanted to examine some of the Irp parameters, found in the current stack location. Unfortunately I had only a pointer to the Irp in this code, and therefore needed to figure out how to find the stack location pointer using the debugger. Fun!

The function that does this in code is IoGetCurrentIrpStackLocation, which I decided to disassemble. The first part of the function basically just checks the StackCount and CurrentLocation members of the Irp to make sure that everything is ok. (This fires an assert if it doesn’t check out.) Then, near the bottom of the function, we find:


drv!IoGetCurrentIrpStackLocation+0x42 :
23318 9dc43ea2 8b4d08 mov ecx,dword ptr [ebp+8]
23318 9dc43ea5 8b4160 mov eax,dword ptr [ecx+60h]
23319 9dc43ea8 8be5 mov esp,ebp
23319 9dc43eaa 5d pop ebp
23319 9dc43eab c20400 ret 4

So first this moves the Irp pointer into ecx, then reads the pointer stored at offset 60h within that structure (which happens to be outside the range of the documented structure) and puts it into eax for return to the caller. So I tried that in my debugger and compared the result with the output of the !irp command.


kd> !irp 9f104f68
Irp is active with 1 stacks 1 is current (= 0x9f104fd8)
No Mdl: System buffer=9f08cbf0: Thread 88e05558: Irp stack trace.
cmd flg cl Device File Completion-Context
>[ e, 0] 5 1 88dcbd18 88e05ab8 00000000-00000000 pending
\FileSystem\FSLX
Args: 0000040c 00000000 94000004 00000000

kd> dd 9f104f68+60 L1
9f104fc8 9f104fd8

kd> db 9f104fd8
9f104fd8 0e 00 05 01 0c 04 00 00-00 00 00 00 04 00 00 94 ................
9f104fe8 00 00 00 00 18 bd dc 88-b8 5a e0 88 00 00 00 00 .........Z......
9f104ff8 00 00 00 00 15 15 15 15-?? ?? ?? ?? ?? ?? ?? ?? ........????????

At this point I realized that the structure I needed to look at really doesn’t provide anything that’s not already provided in the !irp output. The Args output of that command corresponds to the members of the IO_STACK_LOCATION.Parameters union. In this case, I am looking at a device control Irp, so these parameters are OutputBufferLength (40c), InputBufferLength (0), IoControlCode (94000004), and Type3InputBuffer (0).

So I guess the bottom line of this post is that !irp is cool and does just what you need it to; I just had to poke around a little bit before I realized it.
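The byte dump above can be decoded field by field and checked against the !irp line. The following is an added example, not code from the original post: it assumes the 32-bit IO_STACK_LOCATION layout (0x24 bytes), the names StackLoc32, irp_sp_dump and the ioctl_* helpers are hypothetical, and it goes one step further than the post by splitting the IoControlCode into its CTL_CODE fields.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed from the post's "db 9f104fd8" output: the first 0x24 bytes,
   which is sizeof(IO_STACK_LOCATION) on a 32-bit target. */
static const uint8_t irp_sp_dump[0x24] = {
    0x0e,0x00,0x05,0x01, 0x0c,0x04,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x04,0x00,0x00,0x94, 0x00,0x00,0x00,0x00, 0x18,0xbd,0xdc,0x88,
    0xb8,0x5a,0xe0,0x88, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
};

/* Hypothetical helper type: x86 IO_STACK_LOCATION viewed as a device-control
   request. Pointers are kept as 32-bit values read from the target. */
typedef struct {
    uint8_t  MajorFunction, MinorFunction, Flags, Control;
    uint32_t OutputBufferLength, InputBufferLength, IoControlCode, Type3InputBuffer;
    uint32_t DeviceObject, FileObject, CompletionRoutine, Context;
} StackLoc32;

static uint32_t le32(const uint8_t *p) {   /* little-endian DWORD read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

StackLoc32 parse_stack_location(const uint8_t *b) {
    StackLoc32 s;
    s.MajorFunction = b[0];  s.MinorFunction = b[1];
    s.Flags = b[2];          s.Control = b[3];
    s.OutputBufferLength = le32(b + 4);   /* Parameters.DeviceIoControl, Args[0] */
    s.InputBufferLength  = le32(b + 8);   /* Args[1] */
    s.IoControlCode      = le32(b + 12);  /* Args[2] */
    s.Type3InputBuffer   = le32(b + 16);  /* Args[3] */
    s.DeviceObject       = le32(b + 20);
    s.FileObject         = le32(b + 24);
    s.CompletionRoutine  = le32(b + 28);
    s.Context            = le32(b + 32);
    return s;
}

/* CTL_CODE packing: DeviceType<<16 | Access<<14 | Function<<2 | Method */
uint32_t ioctl_device_type(uint32_t c) { return c >> 16; }
uint32_t ioctl_access(uint32_t c)      { return (c >> 14) & 0x3; }
uint32_t ioctl_function(uint32_t c)    { return (c >> 2) & 0xfff; }
uint32_t ioctl_method(uint32_t c)      { return c & 0x3; }

int main(void) {
    StackLoc32 s = parse_stack_location(irp_sp_dump);
    printf(">[%x,%x] %x %x %08x %08x\n", (unsigned)s.MajorFunction, (unsigned)s.MinorFunction,
           (unsigned)s.Flags, (unsigned)s.Control, (unsigned)s.DeviceObject, (unsigned)s.FileObject);
    printf("Args: %08x %08x %08x %08x\n", (unsigned)s.OutputBufferLength,
           (unsigned)s.InputBufferLength, (unsigned)s.IoControlCode, (unsigned)s.Type3InputBuffer);
    return 0;
}
```

The four bytes that follow in the dump (15 15 15 15) sit past the end of the 0x24-byte structure and are not part of the stack location.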

Undocumented Query Directory Flags

January 10, 2011

Last week I ran into a strange Windows file system behavior that I couldn’t find any information on anywhere. Since it’s always extremely frustrating to try to figure things out when there’s no information available, I thought I would share what I found. The bug we were experiencing had to do with a directory query operation over the network (e.g., when you run ‘dir \\localhost\c$\Windows’ from a command window). If the directory doesn’t have many files in it this works just fine, but if it is a large directory, as in the example above, then the IRPs that are issued to the file system are a bit strange. Our filter driver wasn’t handling these quite correctly, and the result was that if you queried the directory using the local name you’d get ~200 files, and if you used the UNC name you’d only get ~150 files.

After digging into this with a coworker, we found an unexpected style of IRP. When performing the directory query over the network, the SRV kernel component issues an IRP_MN_QUERY_DIRECTORY with an IrpSp->Parameters.QueryDirectory.FileName and IrpSp->Parameters.QueryDirectory.FileIndex combination that seems to essentially reset the point at which the enumeration continues. The sequence we were seeing goes something like this:

Resistance to Civil Government by Henry David Thoreau

December 24, 2010

I have been reading the aforementioned book recently and have been struck profoundly by some of the writings. I wish to briefly mention a few of them here.

The first passage that strongly resonated with me was a description of a time when Thoreau was put in jail for non-payment of taxes: “I could not but smile to see how industriously they locked the door on my meditations, which followed them out again without let or hindrance, and THEY were really all that was dangerous. As they could not reach me, they had resolved to punish my body; just as boys, if they cannot come at some person against whom they have a spite, will abuse his dog. I saw that the State was half-witted, that it was timid as a lone woman with her silver spoons, and that it did not know its friends from its foes, and I lost all my remaining respect for it, and pitied it.” I love this! It is so true that the State can force a body to do what they desire it to, but they cannot force a man’s mind to do anything. This is an idea that is also eloquently expressed in Ayn Rand’s Atlas Shrugged.

The second passage that I want to share today is in a similar context. Thoreau has been ordered by the law to pay a tax/toll to a church which he never attended. He writes a letter to the town clerk saying “I, Henry Thoreau, do not wish to be regarded as a member of any incorporated society which I have not joined.” He then goes on to write “If I had known how to name them, I should then have signed off in detail from all the societies which I never signed on to; but I did not know where to find a complete list.” We are said to be members of various societies every day that we did not consciously agree to, not the least of which is the State. I was never asked to participate in the social contract that makes our society; rather, it is presumed and forced upon each of us without our explicit consent.

Thoreau is one of the fathers of non-violent resistance to government. His example inspired men like Martin Luther King, Jr. to rise up in their own non-violent ways to defy the State’s power to control their lives. The more I read of Thoreau’s writings, the more inspirational he becomes to me.

Categories: Personal

Directory Notification

November 15, 2010

I have had a number of situations over the last five years where I have had to write code that detects changes made in a directory. Some has been for testing my own directory notification code at the file-system level, and others have been for real implementation reasons up in usermode code.

The documentation can be a lot to wade through as there are a number of different ways that such notification can be accomplished. I won’t go into the reasons for using each (check MSDN documentation for some information on that), but I wanted to post some simple samples of using each for anyone who might be interested.

There are five different methods, using Win32 APIs, that are used in this sample. They don’t do anything special except print out basic information about the changes that are detected.

My new Apple iPad

June 16, 2010

Well I had no intention of doing so, but yesterday I went out and bought an Apple iPad. I’m happy to say that I love it so far, and am even writing this blog entry from the WordPress application. My favorite part about it is that I can sync my Google calendar with the native calendar, which is new since I last played with my iPhone. (Upgraded to a Google Droid a while back.) I’m also loving the Appigo ToDo application, which is even better on the iPad than it was on the phone. I even like the Kindle reader, though I will have to try reading for a long period of time before I can see if it will really replace the actual Kindle. Anyway, I’m back in the Apple iCult for now.

Categories: Personal

DonorsChoose.org: A Great Cause

June 9, 2010

DonorsChoose.org is a charitable giving organization that I have been contributing to for a few years now, and I just wanted to take a minute and say how great I think it is. It’s one of the few charities that offers donors the opportunity to choose exactly what their contributions are spent on. The “projects” are all proposals from public school teachers. You can search and identify particular projects based on your own criteria: poverty of the classrooms, subject matter, age groups, etc. are all searchable items, and the descriptions of the projects let you know exactly where it goes.

Education is such an important thing for children to get, and especially in high poverty areas they just don’t have the same chance. I believe strongly that this is the kind of cause that individuals should be able to solve and the government should stay out of, and this is one of the areas where I “put my money where my mouth is.”

I hope you’ll take a look at the site and see if it’s the kind of thing you would be interested in supporting as well.

Categories: Personal

Republican Liberty Caucus Convention 2010

May 15, 2010

Well I guess it’s been two years since we organized the Republican Liberty Caucus here in Utah. After the Republican primaries in 2008 I lost interest in the Republican party for a while (since they didn’t really have a Presidential candidate that I could support). But here we are again. Political season is getting into full swing and we are having another RLC convention.

This year I think there are a few Senate candidates that I can support (Mike Lee and Tim Bridgewater both seem palatable, though I prefer Lee.) I think that situation will help people stay more interested in the RLC-Utah, and the organization will hopefully see some gains in support. Who knows… now that I’m done with school I may decide to be more involved myself, possibly even volunteer for an RLC position.

Categories: Politics