Thunks, filling the gap

Those of you who have ever debugged an application may have been frustrated by the lack of some source code; even if you installed the shared source (aka PRIVATE) code, when your application performed a system call  almost inevitably splashed into assembly code -which is not too bad after all, de gustibus non disputandum est. This happened because the coredll code didn’t include the thunks files: with WEC7 you finally have those files (%_WINCEROOT%\private\winceos\COREOS\core\thunks) so debugging is a bit more pleasant at least… But what are those thunks? When you call a system API (most of them are exported by coredll) you’re actually calling a thin wrapper while the actual implementation resides in a server process (the device manager for example). The thunks are those wrapper: for example, if you call CreateFile the code in coredll will be:

extern "C"
 LPCWSTR                 lpFileName,
 DWORD                   dwDesiredAccess,
 DWORD                   dwShareMode,
 DWORD                   dwCreationDisposition,
 DWORD                   dwFlagsAndAttributes,
 HANDLE                  hTemplateFile
 HANDLE h = CreateFileW_Trap(lpFileName,dwDesiredAccess,dwShareMode,lpsa,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);
return h;


CreateFileW_Trap is, as the name suggests, a trap: it’s defined as a macro (more than one actually, take a look to %_WINCEROOT%\public\COMMON\oak\inc\mwinbase.h) which at the end results in an invalid address (like 0xFFFF55EE): when you jump to the address an exception is triggered and the kernel handler will take care of it . The invalid address has a specific format so that the kernel not only will distinguish it from an ‘actual’ invalid address but it will decode it to detect which function you’re calling and which server process to forward the request to. This design ‘naturally’ allows the transition from user to kernel mode.

All I said is related to user code: the kernel calls the systems API directly instead.

Although it’s a bit dated I suggest reading a post by Sue Loh (who can tell if she’s still in MSFT?) on the ce_base blog: this blog was one of my favourite ones but, unfortunately,  it’s been a lot of time since someone wrote something on it…

This entry was posted in Windows Embedded Compact and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s