Udostępnij za pośrednictwem


“Blue Screens” in Designer Colors with One Click

My last blog post described how to use local kernel debugging to change the colors of the Windows crash screen, also known as the “blue screen of death”. No doubt many of you thought that showing off a green screen of death or red screen of death to your friends and family would be fun, but the steps involved too complicated.

Alex Ionescu, one of my coauthors on Windows Internals, 5th Edition (he’s also coauthoring the 6th edition with me and Dave Solomon, which covers Windows 7 and Windows Server 2008 R2 – scheduled for release this summer), suggested that we make it easy for people to enjoy blue screens of any color. We did so by modifying Notmyfault, a buggy driver demonstration tool that I wrote for the book and my crash dump analysis presentations. Simply make your color section in the new BSOD color picker dialog, press the “Do Bug” button, and enjoy your creation:

image

Here’s the “blue screen” that results from the above color choice:

image

It’s as easy as that - there’s no need to tweak large-page settings or perform any other system configuration changes like those described in my last blog post.

How does it work? We extended Notmyfault’s kernel-mode driver (named Myfault.sys, as seen on the crash screen, to highlight the fact that user-mode code cannot directly cause a system crash) to register a “bugcheck callback”. When the system crashes it invokes driver-registered callbacks so that they can add data to the crash dump that can help troubleshooters get information about device or driver state at the time of a crash. The Myfault.sys callback executes just after the blue screen paints and changes the colors to the ones passed to it by Notmyfault by changing the default VGA palette entries used by the Boot Video driver.

Now with no awkward and error-prone fiddling in a kernel debugger, you can impress your friends and family with a blue screen painted in your favorite colors (though they might be even more impressed if you change the colors by fiddling in the kernel debugger)!

To download the latest copy of Notmyfault (both 32-bit and 64-bit versions) click here.

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Can you have a crash screen with animated ascii art?  Thanks.

  • Anonymous
    January 01, 2003
    Correct, it isn't persistant. The coloring is done by writing to the VGA device, not the registry, etc.  The callback to do that is only resident when NotMyFault has caused the BSOD.

  • Anonymous
    January 11, 2011
    That's awful cool. It seems that you can do anything in Window without any constraint...

  • Anonymous
    January 11, 2011
    Thanks for the gr8 post ! Assuming callback data buffers reside in Small Mem Dump  and not KM (not sure ), why the buffers or dump file doesn't contain  the driver's KeRegisterBugCheckCallback routines data ?

  • Anonymous
    January 12, 2011
    Very nice stuff! I'm assuming that like the manual method this isn't a persistent change?

  • Anonymous
    January 12, 2011
    very cool stuff from the modest person. You can add colorized bugcheck callback method to your drivers. It's a poc, very nice poc.

  • Anonymous
    January 16, 2011
    "Can you have a crash screen with animated ascii art?" That would be very cool :-D I think nothing is impossible, so it can be done! But some geeks have to work on it ehehehe By the way, cool tool :-)

  • Anonymous
    January 20, 2011
    I would like to get your utility kicked off by the screen saver timer. That would be a nice prank for somebody who likes to show a screen shot of a BSOD as a screen saver. Imagine the surprise to get a real BSOD in red instead of the fake one. :-)

  • Anonymous
    January 27, 2011
    Very cool. Although it's enlightened me with some great potential windows vulnerabilities. ;)