I was experimenting on Windows and ran into the following problem: in kernel mode I execute this code

mov esp, 0XXXXXXXXh
ret

And on the mov instruction the system crashes with an UNEXPECTED_KERNEL_MODE_TRAP error with parameter 0x8, which means Double Fault. MSDN says this is most often either a kernel stack overflow or a hardware error. The second is clearly ruled out.

I cannot understand why the error occurs right at this point. I would understand it if it happened on push, pop, etc. I hope someone can tell me what the reason is and what to do. Thanks.

  • What do you think ret does? - Pavel Mayorov
  • It jumps to the address that lies on top of the stack. (To be honest, that's what I want.) But execution does not reach the ret instruction - Alexey Sarovsky
  • And how do you determine that it does not reach it? :) - Pavel Mayorov
  • @PavelMayorov I have an int3 before the mov, and accordingly I single-step in WinDbg. - Alexey Sarovsky
  • Aha, so a debugger that executes one instruction and stops puts an int3 after it. And at the moment that int3 is hit, the trouble happens with the stack - Mike

1 answer

Each debugger step is an int 1. And int instructions need a stack.

  • Now I will try. - Alexey Sarovsky
  • Yes, indeed, I foolishly did not take this into account. Thanks, now I know - Alexey Sarovsky
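To make the answer concrete, here is a small Python model, added here and not code from the question or answer, of what the CPU does with the stack when the single-step trap fires. All addresses are constructed: the new stack page is mapped but the page just below it is not, so `ret` alone succeeds, while the trap delivered right after `mov esp` cannot push its frame, the #PF delivery cannot push either, and the result is a double fault.

```python
# Toy model of how an x86 CPU uses the stack while delivering a trap (constructed example, made-up addresses).
KSTACK = 0x80000000      # page holding the original kernel stack
NEW_ESP = 0x90001000     # new stack: this page is mapped, the page just below it is not
RET_TARGET = 0xFFFFFFF0  # value stored at [NEW_ESP], which ret will pop as its return address

class DoubleFault(Exception): pass

class CPU:
    def __init__(self, single_step):
        self.tf = single_step                 # TF=1: the debugger gets int 1 after every instruction
        self.esp, self.eip = KSTACK + 0xF00, 0x1000
        self.mem, self.log = {NEW_ESP: RET_TARGET}, []
    def touch(self, addr):                    # raises #PF for any address outside a mapped page
        if (addr & ~0xFFF) not in (KSTACK, NEW_ESP):
            raise MemoryError(f"#PF at {addr:#010x}")
    def push(self, value):
        self.touch(self.esp - 4)              # a push writes below the current esp
        self.esp -= 4
        self.mem[self.esp] = value
    def pop(self):
        self.touch(self.esp)
        self.esp += 4
        return self.mem.get(self.esp - 4, 0)
    def deliver(self, vector):
        # Every trap or exception pushes EFLAGS, CS and EIP on whatever esp points at right now.
        for vec in (vector, 0xE):             # if that push faults, the CPU next tries to deliver #PF
            try:
                for v in (0x202, 0x08, self.eip):
                    self.push(v)
                self.log.append(f"entered handler {vec:#x}, esp={self.esp:#010x}")
                return
            except MemoryError as e:
                self.log.append(f"{e} while delivering vector {vec:#x}")
        raise DoubleFault("#PF raised while delivering #PF (bugcheck 0x7F, parameter 8)")
    def run(self, program):
        try:
            for instr in program:
                if instr.startswith("mov esp,"):
                    self.esp = int(instr.split(",")[1], 16)
                elif instr == "ret":
                    self.eip = self.pop()
                self.log.append(f"{instr} done, esp={self.esp:#010x}")
                if self.tf:
                    self.deliver(0x1)         # single-step trap fires right after the instruction
            return f"OK: ret jumped to {self.eip:#010x}"
        except DoubleFault as e:
            return f"DOUBLE_FAULT after '{instr}': {e}"

def outcome(single_step):
    return CPU(single_step).run(["mov esp, 0x90001000", "ret"])
```

Calling `outcome(False)` runs the two instructions without a debugger and reaches `ret`; `outcome(True)` single-steps them and dies right after the `mov`, and `CPU(True).log` shows the two failed pushes that precede the double fault.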