Topic: NtDll errors: How does the kernel know the difference between read and write?

jj2007

  • Member
  • *****
  • Posts: 7765
  • Assembler is fun ;-)
    • MasmBasic
Tedd & qWord,
Thanks a lot.
qWord had the right idea:
Code:
mov ecx, [edx.EXCEPTION_RECORD.ExceptionInformation]	; 0 for read, 1 for write access.

zooba

  • Guest
The IsBad***Ptr functions have been around since Windows 95.

Funny, all the MSDN pages for them say "Minimum Client: Windows XP"? Maybe something got messed up in the docs when they updated the functions to be deprecated... (I never tried to use them before WinXP, so I'll accept they may have been there, but not that the kernel uses them to determine read/write AVs  :biggrin: )

Code:
mov ecx, [edx.EXCEPTION_RECORD.ExceptionInformation]	; 0 for read, 1 for write access.

EXCEPTION_RECORD is filled in by the interrupt handler in the kernel, not the processor itself. If this answers the question, great  :biggrin: , but don't misunderstand which part of the system is responsible for sorting it out.

Cheers,
Zooba  :t

Antariy

  • Member
  • ****
  • Posts: 541
Ah. The solution has already been posted :biggrin:

jj2007

EXCEPTION_RECORD is filled in by the interrupt handler in the kernel, not the processor itself.

I had not assumed that Intel & AMD hardwire "EXCEPTION_RECORD", but thanks anyway  ;)
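
Added example, not part of any post in this thread: a simplified C model of the split zooba describes, where the CPU reports a page-fault error code plus faulting address and kernel code turns them into the record a handler later reads. The `demo_*` names, the cut-down record struct and the translation step itself are assumptions for illustration; the bit values are the x86 #PF error-code bits, and 0/1/8 are the documented ExceptionInformation[0] meanings for an access violation.

```c
#include <stdint.h>
#include <string.h>

/* x86 page-fault (#PF) error-code bits pushed by the CPU */
#define PF_PRESENT 0x01u  /* 0 = page not present, 1 = protection violation */
#define PF_WRITE   0x02u  /* 0 = read access, 1 = write access */
#define PF_USER    0x04u  /* fault was raised while in user mode */
#define PF_INSTR   0x10u  /* fault was an instruction fetch (NX/DEP) */

#define STATUS_ACCESS_VIOLATION 0xC0000005u

/* Constructed stand-in for the EXCEPTION_RECORD fields used here */
typedef struct {
    uint32_t  ExceptionCode;
    uint32_t  NumberParameters;
    uintptr_t ExceptionInformation[15];
} demo_exception_record;

/* Hypothetical kernel-side step: translate what the hardware reported
   (error code, faulting address from CR2) into the software record. */
void demo_fill_record(demo_exception_record *rec, uint32_t pf_error, uintptr_t cr2)
{
    memset(rec, 0, sizeof *rec);
    rec->ExceptionCode = STATUS_ACCESS_VIOLATION;
    rec->NumberParameters = 2;
    if (pf_error & PF_INSTR)
        rec->ExceptionInformation[0] = 8;                        /* execute (DEP) */
    else
        rec->ExceptionInformation[0] = (pf_error & PF_WRITE) ? 1 : 0;
    rec->ExceptionInformation[1] = cr2;                          /* faulting address */
}

/* Handler-side check: the same field the mov in the thread loads into ecx */
const char *demo_access_kind(const demo_exception_record *rec)
{
    if (rec->ExceptionCode != STATUS_ACCESS_VIOLATION || rec->NumberParameters < 2)
        return "not an access violation";   /* fields are only defined for AVs */
    switch (rec->ExceptionInformation[0]) {
    case 0:  return "read";
    case 1:  return "write";
    case 8:  return "execute";
    default: return "unknown";
    }
}
```

A handler should check ExceptionCode before trusting ExceptionInformation[0], since the array's meaning depends on the exception type.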