NtDll errors: How does the kernel know the difference between read and write?

jj2007 · May 29, 2012, 12:38:20 AM

Tedd & qWord,
Thanks a lot.
qWord had the right idea:

mov ecx, [edx.EXCEPTION_RECORD.ExceptionInformation]
0 for read, 1 for write access.

zooba · May 29, 2012, 08:58:58 AM

Quote from: MichaelW on May 28, 2012, 09:01:54 PM
The IsBad***Ptr functions have been around since Windows 95.

Funny, all the MSDN pages for them say "Minimum Client: Windows XP"? Maybe something got messed up in the docs when they updated the functions to be deprecated... (I never tried to use them before WinXP, so I'll accept they may have been there, but not that the kernel uses them to determine read/write AVs

)

Quote from: jj2007 on May 29, 2012, 12:38:20 AM
Code Select Expand
mov ecx, [edx.EXCEPTION_RECORD.ExceptionInformation]
0 for read, 1 for write access.

EXCEPTION_RECORD is filled in by the interrupt handler in the kernel, not the processor itself. If this answers the question, great

, but don't misunderstand which part of the system is responsible for sorting it out.

Cheers,
Zooba :t

Antariy · May 29, 2012, 11:23:45 AM

Ah. Solution already have been posted

jj2007 · May 29, 2012, 03:29:21 PM

Quote from: zooba on May 29, 2012, 08:58:58 AMEXCEPTION_RECORD is filled in by the interrupt handler in the kernel, not the processor itself.

I had not assumed that Intel & AMD hardwire "EXCEPTION_RECORD", but thanks anyway ;)

The MASM Forum

News:

NtDll errors: How does the kernel know the difference between read and write?

jj2007

zooba

Antariy

jj2007