..-----------------------------------------..
..    inside BSOD                          ..
..                                         ..
..           ( )     ..
.._________________________________________..


             BSOD (Blue Screen Of Death). 
   -     win95,       
   . - -         
      :)              
     ,            reset. 
       ...

            . 
                
   ,      -   , ,  
    . !

       API      , 
             
     (  BSOD).       
       ,     . 
   ..  " "   (status  codes),  SEH  (Structured   Exception
   Handling)  ...        - :)   ..
   "bug checks".

       -     .   
             ,   ,
     -     .     
   STATUS_SUCCESS  ..

      -  ,    .
        ,..    
   .    ,    "A Crash Course on the  Depths of
   Win32 Structured Exception Handling"    "Win32  Exception
   handling for assembler programmers"  .

       -     .      , 
          ,    
   BSOD   .   ,   
   ,   DDK :

/* DDK prototypes of the two documented entry points. The disassembly below
   shows both of them pushing their arguments to one shared internal routine
   (sub_420A66); KeBugCheck passes zeros for the four parameters it lacks. */
VOID KeBugCheck( IN ULONG  BugCheckCode );

VOID KeBugCheckEx(IN ULONG  BugCheckCode,IN ULONG_PTR BugCheckParameter1,\
     IN ULONG_PTR  BugCheckParameter2, IN ULONG_PTR  BugCheckParameter3, \
     IN ULONG_PTR  BugCheckParameter4 );

             
   .     ntoskrnl.exe,
     .

   ,    ,        XP Pro
   5.1.2600 SP1. Microsoft      
    api    . , KeBugCheckEx  XP  KeBugCheckEx
    w2k server -    ,      
     .

   ,   BSOD.       :
   		- PE Tools (http://www.uinc.ru)
   		- IDA Pro (  -  ,    )
   		- SoftICE       DriverStudio,     (
   		    http://reversing.kulichki.ru)

    ida  ntoskrnl,   PE Tools   
     api,        .

   
   KeBugCheck     KeBugCheckEx  ,     
      .

   ; KeBugCheck(BugCheckCode): thin wrapper. eax is zeroed once and pushed five
   ; times, so the shared routine receives four zero parameters plus the same
   ; constant-0 sixth argument that KeBugCheckEx pushes explicitly.
   KeBugCheck:
				xor     eax, eax				; eax = 0, reused for every missing argument
				push    eax						; sixth argument = 0 (first push = last cdecl arg)
				push    eax						; BugCheckParameter4 = 0 (slot order as in KeBugCheckEx)
				push    eax						; BugCheckParameter3 = 0
				push    eax						; BugCheckParameter2 = 0
				push    eax						; BugCheckParameter1 = 0
				push    [esp+14h+arg_0]		; BugCheckCode; 14h compensates for the five pushes above
				call    sub_420A66				; sub_420A66(BugCheckCode, 0, 0, 0, 0, 0); excerpt ends here


   ; KeBugCheckEx(Code, P1, P2, P3, P4): builds a frame and forwards all five
   ; arguments, plus a constant 0 as a sixth, to the same routine KeBugCheck uses.
   KeBugCheckEx:
				push    ebp
				mov     ebp, esp
				push    0						; sixth argument, always 0 from this entry point
				push    [ebp+arg_10]			; BugCheckParameter4
				push    [ebp+arg_C]			; BugCheckParameter3
				push    [ebp+arg_8]			; BugCheckParameter2
				push    [ebp+arg_4]			; BugCheckParameter1
				push    [ebp+arg_0]			; BugCheckCode
				call    sub_420A66				; sub_420A66(Code, P1, P2, P3, P4, 0); common bug-check body
				pop     ebp						; no stack cleanup visible after the call -- presumably callee-cleanup; excerpt ends here

      BSOD      :
   		1)    (BugCheckCode)
   		2)           
   		      (            
   		   KeBugCheckEx)
   		3)    BSOD     

   ,     ,   .   DDK   0E4h
         (    bugcodes.h).   ,  
     -               -
             .  ,   
                
     (0E5h).    :

				; Dispatch on the bug-check code held in ebx. 0E5h is special-cased and
				; the annotations read it as the "user code" marker; NOTE(review): bugcodes.h
				; gives 0E5h its own name (POWER_FAILURE_SIMULATE) -- confirm that reading.
				; Instructions are elided ([...]) between cmp and jnz, so the flags the jnz
				; consumes are assumed to be those of the cmp -- verify in the full listing.
				mov     ebx, [ebp+arg_0]		;BUG code
				[...]
				cmp     ebx, 0E5h
				[...]
				jnz     short loc_420AA8		;if system code
				call    sub_420778				;if  NOT  system  code  --
											;process user code
				push    3						; FIRMWARE_REENTRY value; 3 = HalRebootRoutine in the DDK headers -- verify
				call    ds:HalReturnToFirmware	; HalReturnToFirmware(3); presumably never returns to the BSOD path

        bug code,    cr0-cr4,
   dr0-dr3, dr6, dr7, gdt, idt, tr, ldt   fs:20h + 1ch.

       .    
       ?                  7fh
   (UNEXPECTED_KERNEL_MODE_TRAP).       
               7fh .
      - ,      
    .  :

	0Ah (IRQL_NOT_LESS_OR_EQUAL)
	1Eh (KMODE_EXCEPTION_NOT_HANDLED)
	23h (FAT_FILE_SYSTEM)
	24h (NTFS_FILE_SYSTEM)
	7Fh (UNEXPECTED_KERNEL_MODE_TRAP)

     ,  7fh  , .. :

				; Switch on codes below 7fh lowered to a running subtraction: eax is
				; decremented step by step (code-1Eh, code-23h, code-24h) with a jz after
				; each step. ecx is expected to hold 1Eh here (per the annotation); the
				; load is outside this excerpt.
				mov     eax, ebx				;BUG code < 7fh
				sub     eax, ecx				;eax = BUG code - 1eh
				jz      short loc_420B34		;if BUG code == 1eh
				sub     eax, 5					;eax = BUG code - 23h
				jz      loc_420C07				;if BUG code == 23h
				dec     eax						;eax = BUG code - 24h
				jz      loc_420BA6				;if BUG code == 24h
				[...]

      ,  7fh     
   (), .. :

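				; Codes above 7fh are matched with plain compares instead of the
				; subtraction chain used for the low codes. The first mnemonic in the
				; original transcription was missing its 'c' ("mp"); it is cmp.
				cmp     ebx, 8Eh				;BUG code > 7fh
				jz      loc_420B34				;if BUG code == 8eh (same handler as the 1eh case)
				cmp     ebx, 0A5h
				jz      short loc_420C07		;if BUG code == 0a5h (same handler as the 23h case)
				cmp     ebx, eax				;eax == 0c5h, loaded before this excerpt (not shown)
				jz      short loc_420C07		;if BUG code == 0c5h
				[...]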

             ( 
           ,        
       ).          -       
       0C00002D1h, 
       .  -  , 
    ? :)

       -       
         KeBugCheckEx( 
   ).        ,    
   :

; Five consecutive .data dwords holding the bug-check code and its four
; parameters, in the same order as KeBugCheckEx's arguments. They are read back
; later, e.g. by the DbgPrint call made when a kernel debugger is enabled; a
; crash-dump reader would presumably use the same five values.
.data:00475C60	KiBugCheckData  dd ?			;BUG code
				dword_475C64    dd ?			;[ebp+arg_4]  BugCheckParameter1
				dword_475C68    dd ?			;[ebp+arg_8]  BugCheckParameter2
				dword_475C6C    dd ?			;[ebp+arg_C]  BugCheckParameter3
				dword_475C70    dd ?			;[ebp+arg_10] BugCheckParameter4

      .     :

	0Ah (IRQL_NOT_LESS_OR_EQUAL)
	4Ch (FATAL_UNHANDLED_HARD_ERROR)
	50h (PAGE_FAULT_IN_NONPAGED_AREA)
	0BEh (ATTEMPTED_WRITE_TO_READONLY_MEMORY)
	0D8h (DRIVER_USED_EXCESSIVE_PTES)

      ,    . 

          -      
   BSOD.             (  
   ).    ,          ,   
       Kd.   ,      
   SoftICE         ,     
   ,    .      :

				; Report the saved code and parameters to the kernel debugger, if one is
				; enabled; without a debugger the whole print is skipped.
				cmp     KdDebuggerEnabled, 0	; operand size not shown in the excerpt
				jz      short loc_420ED3		;If no debuggers enabled
				push    dword_475C70			; BugCheckParameter4 (saved copy)
				push    dword_475C6C			; BugCheckParameter3
				push    dword_475C68			; BugCheckParameter2
				push    dword_475C64			; BugCheckParameter1
				push    KiBugCheckData			; BugCheckCode
				push    offset aFatalSystemErr 	;"\n*** Fatal System " ...
				call    DbgPrint				; DbgPrint(fmt, code, p1, p2, p3, p4); cdecl, pushed right-to-left

            KfRaiseIrql.         
                
   Inbv* (InbvSetTextColor, InbvEnableDisplayString, InbvDisplayString, ...),
       ntoskrnl.exe.

      - , ,   
     (,  )   .

      , BSOD...  ,     .
             =)     
     ida  (  ).         
           :)


   .      MoskovSKAya, Ska-P,  SKA Chartbusters,
   SKA  attack        "SKA  Punk"  (Mad  Sound  Collection)  
    ,      
   .
