stackoom
  简体   繁体   中英

I don't understand Windows IRQL

 原文  2014-11-16 04:34:43       windows/ kernel/ driver

Question

http://msdn.microsoft.com/en-us/library/windows/hardware/ff553079(v=vs.85).aspx

MSDN says KeRaiseIrql(newIrql, &oldIrql) must be called with newIrql which is >= currentIrql .

"If the new IRQL is less than the current IRQL, a bug check occurs."

But in below code KeRaiseIrql() works well with newIrql which is < currentIrql . (Also, both loading and unloading this driver worked well.)

Is there anyone to explain this?

Test Environment: WinXp(32bit, Vmware Player), Win7(32bit, Vmware Player) 

#include <ntddk.h>

VOID DriverUnload
(
    IN PDRIVER_OBJECT DriverObject
)
{
    DbgPrint("BYE!\n");
}

NTSTATUS DriverEntry
(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
)
{
    KIRQL oldIrql;

    DriverObject->DriverUnload = DriverUnload;

    DbgPrint("Hello!\n");

    KeRaiseIrql(3, &oldIrql);

    DbgPrint("%d\n", KeGetCurrentIrql()); // 3

    KeRaiseIrqlToDpcLevel();

    DbgPrint("%d\n", KeGetCurrentIrql()); // 2

    KeRaiseIrql(1, &oldIrql);

    DbgPrint("%d\n", KeGetCurrentIrql()); // 1

    KeRaiseIrql(0, &oldIrql);

    DbgPrint("%d\n", KeGetCurrentIrql()); // 0

    DbgPrint("Yo!\n");

    return STATUS_SUCCESS;
}

1 answers

solution1
 1  2014-11-16 10:37:24

As someone above suggested it depends on the given OS implementation. If you have issues like this, the best is to use debugger.

Eg in win xp sp2 release i386 I have: 

    hal!KfRaiseIrql:
    806e43b8 0fb6d1          movzx   edx,cl
    806e43bb 0fb68a98436e80  movzx   ecx,byte ptr hal!HalpIRQLtoTPR (806e4398)[edx]
    806e43c2 a18000feff      mov     eax,dword ptr ds:[FFFE0080h]
    806e43c7 890d8000feff    mov     dword ptr ds:[0FFFE0080h],ecx
    806e43cd c1e804          shr     eax,4
    806e43d0 0fb68018f26e80  movzx   eax,byte ptr hal!HalpVectorToIRQL (806ef218)[eax]
    806e43d7 c3              ret

As you can see there's no previous irql checking. If you'd look into wrk sources you would find versions of KfRaiseIrql where it is checked, also keep in mind there is checked and free windows version. Most probabbly in checked version you would have bugcheck.

If you want to see bsod on your code, use Driver Verifier :) afair it is checking if raising/lowering irql are used correctly.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question I don't quite understand how a MySql connection looks like How are software interrupts triggered in windows when the IRQL drops? pdftk update_info command raising a warning which I don't understand I don't understand stack overflow error with repeated DispatchMessageW in the call stack I don't know how to input through windows command prompt tkinter Attribute error - Object has no attribute. I don't understand why it can't find the attribute of this object QtQuickControls, don't work on Windows I don't understand why all forked children do not start at exactly the same time using Parallel::ForkManager in Perl Still don't understand pointers to an array of numbers in C Creating Class Stopwatch Python. Don't Understand Why it Works?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM