CODEWITHSUNDEEP
windowskerneldriver
wut
wut

Reputation: 39

I don't understand Windows IRQL

http://msdn.microsoft.com/en-us/library/windows/hardware/ff553079(v=vs.85).aspx

MSDN says KeRaiseIrql(newIrql, &oldIrql) must be called with newIrql which is >= currentIrql.

"If the new IRQL is less than the current IRQL, a bug check occurs."

But in below code KeRaiseIrql() works well with newIrql which is < currentIrql. (Also, both loading and unloading this driver worked well.)

Is there anyone to explain this?

Test Environment: WinXp(32bit, Vmware Player), Win7(32bit, Vmware Player)

#include <ntddk.h>

VOID DriverUnload
(
    IN PDRIVER_OBJECT DriverObject
)
{
    DbgPrint("BYE!\n");
}

NTSTATUS DriverEntry
(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
)
{
    KIRQL oldIrql;

    DriverObject->DriverUnload = DriverUnload;

    DbgPrint("Hello!\n");

    KeRaiseIrql(3, &oldIrql);

    DbgPrint("%d\n", KeGetCurrentIrql()); // 3

    KeRaiseIrqlToDpcLevel();

    DbgPrint("%d\n", KeGetCurrentIrql()); // 2

    KeRaiseIrql(1, &oldIrql);

    DbgPrint("%d\n", KeGetCurrentIrql()); // 1

    KeRaiseIrql(0, &oldIrql);

    DbgPrint("%d\n", KeGetCurrentIrql()); // 0

    DbgPrint("Yo!\n");

    return STATUS_SUCCESS;
}

Upvotes: 1

Views: 1506

Answers (1)

ladan
ladan

Reputation: 423

As someone above suggested it depends on the given OS implementation. If you have issues like this, the best is to use debugger.

E.g. in win xp sp2 release i386 I have:

    hal!KfRaiseIrql:
    806e43b8 0fb6d1          movzx   edx,cl
    806e43bb 0fb68a98436e80  movzx   ecx,byte ptr hal!HalpIRQLtoTPR (806e4398)[edx]
    806e43c2 a18000feff      mov     eax,dword ptr ds:[FFFE0080h]
    806e43c7 890d8000feff    mov     dword ptr ds:[0FFFE0080h],ecx
    806e43cd c1e804          shr     eax,4
    806e43d0 0fb68018f26e80  movzx   eax,byte ptr hal!HalpVectorToIRQL (806ef218)[eax]
    806e43d7 c3              ret

As you can see there's no previous irql checking. If you'd look into wrk sources you would find versions of KfRaiseIrql where it is checked, also keep in mind there is checked and free windows version. Most probabbly in checked version you would have bugcheck.

If you want to see bsod on your code, use Driver Verifier :) afair it is checking if raising/lowering irql are used correctly.

Upvotes: 1

Related Questions