
Customizing the Blue Screen of Death

It has turned blue. Is it unwell?


A BSOD is the kernel's response to an exceptional situation it cannot recover from. If you see one, something is definitely wrong.

The kernel environment imposes many restrictions on the programmer's freedom: watch the IRQL, synchronize access to shared variables, don't linger in the ISR, validate any data that comes from userland, and so on. Break even one of these rules and you get a stern reprimand in canned phrases, rendered in the standard VGA video mode with a thin palette.

There is logic in this. In user mode, an application with an unhandled exception and a completely broken execution path simply terminates, without even cleaning up after itself (the kernel kindly does that for it). It does not drag its user-mode neighbours down with it, and it does not damage their integrity, let alone the integrity of the whole system. Well, it may take down a couple of processes it was talking to through interprocess communication, but no more.
In kernel mode everything is different. First, kernel-mode neighbours are no longer neighbours in the same apartment block but in the same room. There are no solid walls between them to protect some residents from the drunken antics of others. At the same time, the relationships between kernel modules are thin and fragile. The kernel and its components are a giant clockwork with a huge number of parts, and that is the catch: one damaged screw stops the whole mechanism. Of course, there are modules whose failure logically should not affect the operation of the OS, and it would be possible to isolate a faulty module; in some places this is done, as you know. But the logic is that a kernel component actively interacts with other components and with the kernel itself, so a failure in one component can lead to a chain of failures in others, ultimately destroying all kernel structures or, even worse, corrupting user data. On top of that, debugging such hidden bugs is extremely difficult.

Now suppose you are a novice-level user. What is your likely reaction at the sight of a blue screen?

Now suppose you are a system administrator. What is your reaction to the bruise? Before you start reading the error code and all the rest of it, that is.

Say you are a kernel developer and have had to see this sophisticated debugging output a great many times. What goes through your mind when you see it yet again? Apart from the interjections.


So on the one hand we have a system that can no longer function normally, and on the other our priceless, non-regenerating nerve cells. What to do? Hooking KeBugCheck is not an option; we all know how that ends. Windows 8, with its soulful DirectX-rendered BSOD, is still some time away. So for now...

Russinovich himself


I think everyone knows the name. Russinovich is cool, though sly. Among the heap of useful Sysinternals utilities there is an interesting one: NotMyFault. It can artificially trigger various kernel-mode errors, which of course produce a BSOD. It also has a curious extra feature: it can change the background colour and the text colour of the screen of death. The utility is so cool that it even ships with source! However, as I said, Russinovich is sly...

For a while I could not work out what was going on. The header file ioctlcmd.h contains this line:

#define IOCTL_BSOD_COLOR (ULONG)CTL_CODE(FILE_DEVICE_MYFAULT, 0x10, METHOD_BUFFERED, FILE_ANY_ACCESS)

And that is the only trace of the code responsible for changing the colour of the screen of death. The driver source file myfault.c is a cookbook of kernel perversions with the main dish missing! And yet the compiled driver evidently does contain the necessary code, because the feature works a treat. Fine, I thought.

A short digression. Before you think about splicing something into the kernel, do not be too lazy to look at MSDN, because the kernel offers plenty of callbacks. The blue screen is no exception: there is a callback that is invoked right after the blue screen is displayed. It is registered with the following function:

BOOLEAN KeRegisterBugCheckReasonCallback(
    __out PKBUGCHECK_REASON_CALLBACK_RECORD CallbackRecord,
    __in  PKBUGCHECK_REASON_CALLBACK_ROUTINE CallbackRoutine,
    __in  KBUGCHECK_CALLBACK_REASON Reason,
    __in  PUCHAR Component
);


The Reason argument states why the callback is being registered: to add data to the crash dump, to be told when the dump has already been written, or, by passing KbCallbackReserved1, to be called "just because". KbCallbackReserved1 is undocumented; callbacks registered with it are invoked before all the other callbacks when a critical error occurs.

Besides this callback there is another, similar one, registered with the following function:

BOOLEAN KeRegisterBugCheckCallback(
    __out   PKBUGCHECK_CALLBACK_RECORD CallbackRecord,
    __in    PKBUGCHECK_CALLBACK_ROUTINE CallbackRoutine,
    __in_opt PVOID Buffer,
    __in    ULONG Length,
    __in    PUCHAR Component
);


It notifies the registered module of a critical error after all the worst has already happened, when the only thing left to do is reboot the computer.

Back to business. When I saw the automatically assigned name CallbackRoutine in the disassembled listing, I had no idea where else to look for the magic code. And there it is!... Wait, what is this? "mov, out, mov, out." I don't know about you, but I felt cheated. I had been expecting miracles and fairy tales. Instead, Mark takes the VGA ports and uses them to change the palette. The palette! That is, he turns blue into green, for example, so that the background becomes green:

mov edx, 3C8h        ; DAC write-index port: selects the palette entry to program
mov al, 4            ; entry 4, which is blue in the default VGA palette
out dx, al
mov eax, 00003F00h   ; new colour as 0x00BBGGRR with 6 bits per component: green
lea ecx, [edx+1]     ; edx = 3C9h, the DAC data port for the colour components
mov edx, ecx
out dx, al           ; write the red component   (0x00)
mov eax, 00003F00h
shr eax, 8
out dx, al           ; write the green component (0x3F)
mov eax, 00003F00h
shr eax, 10h
out dx, al           ; write the blue component  (0x00)
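To make the palette trick concrete, here is an added example of my own (not Mark's driver code and not from the original article) that models the same DAC write sequence in user-mode C. Port writes are recorded into a trace instead of executed, since `out dx, al` needs ring 0 (in a Windows driver it would be WRITE_PORT_UCHAR). The port numbers 0x3C8/0x3C9 and the 6-bits-per-channel DAC format are standard VGA and are assumed here rather than taken from the article; the example also goes one step further than the disassembly by converting an ordinary 8-bit RGB colour into the 18-bit DAC form and decoding what the DAC ends up holding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard VGA DAC ports (assumed from the VGA register map, not from the
 * article's driver): write the palette index to 0x3C8, then three 6-bit
 * components (red, green, blue) to 0x3C9. */
#define VGA_DAC_WRITE_INDEX 0x3C8
#define VGA_DAC_DATA        0x3C9

/* Port writes are recorded rather than executed: `out dx, al` needs ring 0
 * (WRITE_PORT_UCHAR in a Windows driver). The trace shows exactly what the
 * BSOD recolouring does to the hardware. */
typedef struct { uint16_t port; uint8_t value; } port_write_t;

static port_write_t g_trace[16];
static size_t g_trace_len;

static void outb_traced(uint16_t port, uint8_t value)
{
    if (g_trace_len < sizeof g_trace / sizeof g_trace[0])
        g_trace[g_trace_len++] = (port_write_t){ port, value };
}

/* Pack 8-bit-per-channel RGB into the 0x00BBGGRR form with 6 bits per
 * channel that the disassembly loads into eax (0x00003F00 for pure green). */
static uint32_t rgb_to_dac18(uint8_t r, uint8_t g, uint8_t b)
{
    return ((uint32_t)(b >> 2) << 16) | ((uint32_t)(g >> 2) << 8) | (uint32_t)(r >> 2);
}

/* Program one DAC entry: index, then R, G, B, exactly like the disassembly. */
static void dac_set_entry(uint8_t index, uint32_t dac18)
{
    outb_traced(VGA_DAC_WRITE_INDEX, index);
    outb_traced(VGA_DAC_DATA, (uint8_t)(dac18 & 0x3F));         /* red   */
    outb_traced(VGA_DAC_DATA, (uint8_t)((dac18 >> 8) & 0x3F));  /* green */
    outb_traced(VGA_DAC_DATA, (uint8_t)((dac18 >> 16) & 0x3F)); /* blue  */
}

/* Recolour one palette entry from a fresh trace and return how many port
 * writes it took. Entry 4 is the BSOD background in the default palette
 * (the one InbvResetDisplay installs); entry 15 is the text colour. */
static size_t trace_palette_write(uint8_t index, uint8_t r, uint8_t g, uint8_t b)
{
    g_trace_len = 0;
    dac_set_entry(index, rgb_to_dac18(r, g, b));
    return g_trace_len;
}

static port_write_t trace_entry(size_t i)
{
    return i < g_trace_len ? g_trace[i] : (port_write_t){ 0, 0 };
}

/* Reassemble what the DAC now holds for the entry just written, scaled back
 * to 8 bits per channel as 0xRRGGBB. The two low bits of each channel are
 * lost on the way in, so 255 comes back as 252. */
static uint32_t trace_decoded_rgb(void)
{
    if (g_trace_len < 4) return 0;
    uint32_t r = (uint32_t)g_trace[1].value << 2;
    uint32_t g = (uint32_t)g_trace[2].value << 2;
    uint32_t b = (uint32_t)g_trace[3].value << 2;
    return (r << 16) | (g << 8) | b;
}

int main(void)
{
    size_t n = trace_palette_write(4, 0, 255, 0);   /* blue background -> green */
    for (size_t i = 0; i < n; i++)
        printf("out 0x%03X, 0x%02X\n", trace_entry(i).port, trace_entry(i).value);
    printf("palette entry 4 now displays #%06X\n", (unsigned)trace_decoded_rgb());
    return 0;
}
```

Note that nothing on the screen is redrawn: only the meaning of palette index 4 changes, which is why every pixel that used to be blue, and only those, turns green. Anything that resets the palette afterwards (InbvResetDisplay, for instance) silently undoes the change.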



Well, in principle that will do too. But I want more.

Enjoy the little things


The animated OS boot screen gives a good idea of what can be squeezed out of the VGA video mode. You can even guess that the code for drawing graphics already exists somewhere in the kernel. I won't keep you in suspense: we are interested in the Inbv* family of functions. Note that some of them are even exported by the kernel. Reversing KiDisplayBlueScreen shows how these functions are used:

if (InbvIsBootDriverInstalled())
{
    InbvAcquireDisplayOwnership();          // from now on we are in charge of the display
    InbvResetDisplay();                     // clear the screen and re-initialize the palette
    InbvSolidColorFill(0, 0, 639, 479, 4);  // paint the whole 640x480 screen blue (palette index 4)
    InbvSetTextColor(15);                   // text in white (palette index 15)
    InbvInstallDisplayStringFilter(NULL);   // drop any filter callback for displayed strings
    InbvEnableDisplayString(TRUE);          // allow strings to be written
    InbvSetScrollRegion(0, 0, 639, 475);    // narrow the text area slightly
    ...
    InbvDisplayString("Hello world!");      // output text
    ...
}



These functions can safely be used in your driver's code. Just remember that once you switch the display into this mode, there is no easy way back.

But the most remarkable one is InbvBitBlt:

VOID NTAPI InbvBitBlt(IN PUCHAR Buffer, IN ULONG X, IN ULONG Y)

Guessed it? Yes, it draws a BMP image directly (read: a 256-colour BMP file with the file header stripped off)! The only problem is that it is not exported. Fortunately, it is just a wrapper around a similar function, VidBitBlt; the wrapper only serializes the drawing, which is of little interest to us. And VidBitBlt is exported by the bootvid.dll module, which, as you might guess from the name, entertains the user with the boot animation. So off you go! Entirely legitimately, walk the list of loaded modules, parse bootvid's export table and obtain a pointer to this magic function. After that you are limited only by your imagination.
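What does "a 256-colour BMP with the file header stripped off" actually look like in memory? The following is an added example of mine, not code from the article or from Windows, that builds such a blob from a plain pixel array and reads pixels back out of it. The layout it assumes is the standard BMP one minus the 14-byte BITMAPFILEHEADER: a 40-byte BITMAPINFOHEADER, 256 RGBQUAD palette entries stored as B,G,R,0, then 8-bpp pixel rows stored bottom-up with each row padded to 4 bytes. That a given bootvid.dll accepts exactly this depth and palette size is an assumption to verify against the kernel you target; the 5x2 sample image and its palette are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed "headerless BMP" layout: BITMAPINFOHEADER (40 bytes), 256 RGBQUAD
 * palette entries (B,G,R,reserved), then 8-bpp rows stored bottom-up with
 * each row padded to a multiple of 4 bytes. */
#define BMP_INFOHEADER_SIZE 40u
#define BMP_PALETTE_ENTRIES 256u
#define BMP_PALETTE_BYTES   (BMP_PALETTE_ENTRIES * 4u)

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Each 8-bpp row is padded so the next one starts on a 4-byte boundary. */
static uint32_t bmp8_stride(uint32_t width) { return (width + 3u) & ~3u; }

static size_t bmp8_blob_size(uint32_t width, uint32_t height)
{
    return BMP_INFOHEADER_SIZE + BMP_PALETTE_BYTES + (size_t)bmp8_stride(width) * height;
}

/* Build the blob in `out`. `pixels` holds width*height palette indices in
 * natural top-down order; `palette` holds 256 R,G,B triples (768 bytes).
 * Returns the number of bytes written, or 0 if `cap` is too small. */
static size_t bmp8_build(uint8_t *out, size_t cap, const uint8_t *pixels,
                         uint32_t width, uint32_t height, const uint8_t *palette)
{
    size_t total = bmp8_blob_size(width, height);
    uint32_t stride = bmp8_stride(width);
    if (width == 0 || height == 0 || cap < total) return 0;
    memset(out, 0, total);
    put_le32(out + 0, BMP_INFOHEADER_SIZE);   /* biSize */
    put_le32(out + 4, width);                 /* biWidth */
    put_le32(out + 8, height);                /* biHeight > 0 means bottom-up rows */
    put_le16(out + 12, 1);                    /* biPlanes */
    put_le16(out + 14, 8);                    /* biBitCount: one palette index per pixel */
    put_le32(out + 16, 0);                    /* biCompression = BI_RGB */
    put_le32(out + 20, stride * height);      /* biSizeImage */
    put_le32(out + 32, BMP_PALETTE_ENTRIES);  /* biClrUsed */
    uint8_t *pal = out + BMP_INFOHEADER_SIZE;
    for (uint32_t i = 0; i < BMP_PALETTE_ENTRIES; i++) {   /* RGBQUAD is B,G,R,reserved */
        pal[4 * i + 0] = palette[3 * i + 2];
        pal[4 * i + 1] = palette[3 * i + 1];
        pal[4 * i + 2] = palette[3 * i + 0];
    }
    uint8_t *bits = pal + BMP_PALETTE_BYTES;
    for (uint32_t y = 0; y < height; y++)     /* the last source row is stored first */
        memcpy(bits + (size_t)(height - 1 - y) * stride, pixels + (size_t)y * width, width);
    return total;
}

/* Read a pixel back by walking the header and undoing the bottom-up storage.
 * Returns the palette index, or -1 if the coordinates or blob are out of range. */
static int bmp8_pixel_at(const uint8_t *blob, size_t blob_len, uint32_t x, uint32_t y)
{
    if (blob_len < BMP_INFOHEADER_SIZE + BMP_PALETTE_BYTES) return -1;
    uint32_t width = get_le32(blob + 4), height = get_le32(blob + 8);
    if (x >= width || y >= height) return -1;
    size_t off = BMP_INFOHEADER_SIZE + BMP_PALETTE_BYTES
               + (size_t)(height - 1 - y) * bmp8_stride(width) + x;
    return off < blob_len ? blob[off] : -1;
}

/* Constructed 5x2 sample: palette entry 4 is VGA blue, entry 15 is white,
 * pixel values 1..10 so the row order is visible in the blob. */
static uint8_t g_sample[2048];
static size_t g_sample_len;

static size_t sample_blob_size(void)
{
    if (g_sample_len == 0) {
        static uint8_t palette[BMP_PALETTE_ENTRIES * 3];
        static const uint8_t pixels[2 * 5] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
        palette[4 * 3 + 2] = 170;                                   /* R=0, G=0, B=170 */
        palette[15 * 3 + 0] = palette[15 * 3 + 1] = palette[15 * 3 + 2] = 255;
        g_sample_len = bmp8_build(g_sample, sizeof g_sample, pixels, 5, 2, palette);
    }
    return g_sample_len;
}

static const uint8_t *sample_blob(void) { sample_blob_size(); return g_sample; }

int main(void)
{
    printf("blob: %zu bytes, stride %u, pixel(0,0)=%d, pixel(4,1)=%d\n",
           sample_blob_size(), (unsigned)bmp8_stride(5),
           bmp8_pixel_at(sample_blob(), sample_blob_size(), 0, 0),
           bmp8_pixel_at(sample_blob(), sample_blob_size(), 4, 1));
    return 0;
}
```

Two things bite in practice and are handled above: the rows are stored bottom-up (the last row of your image comes first in memory), and a width that is not a multiple of four needs padding bytes, so a buffer sized as width*height is too small for the blob.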
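The other half of the recipe is "parse the export table and get a pointer" to VidBitBlt. This added example (my own code, not from the article, from Windows, or from Sysinternals) is that export walk over a mapped PE image, with every header read bounds-checked, because a parser that trusts header offsets it did not write is a classic way to turn a cosmetic hack into a kernel crash. Finding bootvid.dll's base address in the loaded-module list is left out; in a driver it would come from something like AuxKlibQueryModuleInformation, and the usable pointer is then base + RVA. The minimal PE32+ image the example walks is constructed test data standing in for bootvid.dll, not the real module.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounds-checked little-endian readers: the headers are data we did not
 * write, so every offset is validated against the image size before use. */
static int rd16(const uint8_t *img, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2) return 0;
    *out = (uint16_t)(img[off] | ((uint16_t)img[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *img, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)img[off] | ((uint32_t)img[off + 1] << 8)
         | ((uint32_t)img[off + 2] << 16) | ((uint32_t)img[off + 3] << 24);
    return 1;
}
/* Is there a NUL-terminated string entirely inside the image at `off`? */
static int str_in_image(const uint8_t *img, size_t len, size_t off)
{
    return off < len && memchr(img + off, 0, len - off) != NULL;
}

/* Resolve an exported name to its RVA in a *mapped* PE image (RVA == offset
 * from the base, as for a module taken from the loaded-module list).
 * Returns 0 when the name is absent, the headers are malformed, or the entry
 * is a forwarder (an RVA pointing back into the export directory). */
static uint32_t pe_find_export_rva(const uint8_t *img, size_t len, const char *name)
{
    uint32_t e_lfanew, sig, exp_rva, exp_size, nfunc, nnames, a_funcs, a_names, a_ords;
    uint16_t magic;
    if (len < 2 || img[0] != 'M' || img[1] != 'Z') return 0;
    if (!rd32(img, len, 0x3C, &e_lfanew)) return 0;
    if (!rd32(img, len, e_lfanew, &sig) || sig != 0x00004550u) return 0;  /* "PE\0\0" */
    /* Optional header follows the 4-byte signature and 20-byte file header;
     * its data directory sits at +96 (PE32) or +112 (PE32+). */
    size_t opt = (size_t)e_lfanew + 24;
    if (!rd16(img, len, opt, &magic)) return 0;
    size_t dir = opt + (magic == 0x20B ? 112 : magic == 0x10B ? 96 : 0);
    if (dir == opt) return 0;
    if (!rd32(img, len, dir, &exp_rva) || !rd32(img, len, dir + 4, &exp_size) || !exp_rva) return 0;
    size_t e = exp_rva;                       /* IMAGE_EXPORT_DIRECTORY */
    if (!rd32(img, len, e + 20, &nfunc) || !rd32(img, len, e + 24, &nnames) ||
        !rd32(img, len, e + 28, &a_funcs) || !rd32(img, len, e + 32, &a_names) ||
        !rd32(img, len, e + 36, &a_ords)) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva, func_rva;
        uint16_t ord;
        if (!rd32(img, len, (size_t)a_names + 4 * (size_t)i, &name_rva) ||
            !str_in_image(img, len, name_rva)) return 0;
        if (strcmp((const char *)img + name_rva, name) != 0) continue;
        /* Names are not indexed like functions: go through the ordinal table. */
        if (!rd16(img, len, (size_t)a_ords + 2 * (size_t)i, &ord) || ord >= nfunc) return 0;
        if (!rd32(img, len, (size_t)a_funcs + 4 * (size_t)ord, &func_rva)) return 0;
        if (func_rva >= exp_rva && (size_t)func_rva < (size_t)exp_rva + exp_size) return 0;
        return func_rva;
    }
    return 0;
}

/* Constructed minimal PE32+ image standing in for bootvid.dll: two names,
 * sorted as the linker emits them, with the ordinal table mapping them to
 * function slots in a different order. Test data, not the real module. */
static uint8_t g_img[0x300];
static void w16(size_t off, uint16_t v) { g_img[off] = (uint8_t)v; g_img[off + 1] = (uint8_t)(v >> 8); }
static void w32(size_t off, uint32_t v) { w16(off, (uint16_t)v); w16(off + 2, (uint16_t)(v >> 16)); }

static size_t fake_image_size(void) { return sizeof g_img; }

static const uint8_t *fake_bootvid_image(void)
{
    memset(g_img, 0, sizeof g_img);
    g_img[0] = 'M'; g_img[1] = 'Z';
    w32(0x3C, 0x80);                           /* e_lfanew */
    w32(0x80, 0x00004550u);                    /* "PE\0\0" */
    w16(0x84, 0x8664);                         /* Machine: x64 */
    w16(0x94, 240);                            /* SizeOfOptionalHeader for PE32+ */
    w16(0x98, 0x20B);                          /* OptionalHeader.Magic: PE32+ */
    w32(0x98 + 112, 0x200);                    /* DataDirectory[EXPORT].VirtualAddress */
    w32(0x98 + 116, 0x100);                    /* DataDirectory[EXPORT].Size */
    w32(0x20C, 0x270);                         /* Name -> "bootvid.dll" */
    w32(0x210, 1);                             /* Base */
    w32(0x214, 2); w32(0x218, 2);              /* NumberOfFunctions, NumberOfNames */
    w32(0x21C, 0x240);                         /* AddressOfFunctions */
    w32(0x220, 0x250);                         /* AddressOfNames */
    w32(0x224, 0x260);                         /* AddressOfNameOrdinals */
    w32(0x240, 0x1000); w32(0x244, 0x1080);    /* function RVAs: slot 0, slot 1 */
    w32(0x250, 0x280); w32(0x254, 0x290);      /* name RVAs, sorted */
    w16(0x260, 1); w16(0x262, 0);              /* VidBitBlt -> slot 1, VidSolidColorFill -> slot 0 */
    memcpy(g_img + 0x270, "bootvid.dll", 12);
    memcpy(g_img + 0x280, "VidBitBlt", 10);
    memcpy(g_img + 0x290, "VidSolidColorFill", 18);
    return g_img;
}

int main(void)
{
    const uint8_t *base = fake_bootvid_image();
    uint32_t rva = pe_find_export_rva(base, fake_image_size(), "VidBitBlt");
    /* In a driver the usable pointer would be (PUCHAR)ModuleBase + rva. */
    printf("VidBitBlt at base+0x%X\n", (unsigned)rva);
    return 0;
}
```

The forwarder check matters even for a kernel module: an export whose address lands inside the export directory is a string naming another module, not code, and jumping to it is an instant bug check of your own making.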

You could show off such a home-made thing to colleagues, or bet a hot dog on it, for example. Above all, don't forget the difference between a human and a machine.

Stay positive!

Source: https://habr.com/ru/post/141544/

