[求助]ntddk.h中定义的函数，怎么看实现-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (5)
cyndyli 雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 64 粉丝 0 关注私信	cyndyli 2 楼在wdm.h 中找到了定义，但是在windbg 中用u命令查看，还是不行。 FAST_IO_DEVICE_CONTROL ( __in struct _FILE_OBJECT FileObject, __in BOOLEAN Wait, __in_opt PVOID InputBuffer, __in ULONG InputBufferLength, __out_opt PVOID OutputBuffer, __in ULONG OutputBufferLength, __in ULONG IoControlCode, __out PIO_STATUS_BLOCK IoStatus, __in struct _DEVICE_OBJECT DeviceObject ); typedef FAST_IO_DEVICE_CONTROL *PFAST_IO_DEVICE_CONTROL; 它是_FAST_IO_DISPATCH 数据结构中的一个成员，可以用dt 命令查看此数据结构，但是怎么查看数据结构的一个成员（指针）所指的函数的汇编码。不知道用什么命令找到这个数据结构的内存地址，然后找到指针值，再u估计就可以了。用dd _FAST_IO_DISPATCH这个不行，说Couldn't resolve error at '_fast_io_dispatch' 2009-11-25 10:59 0
ImHolly 雪币： 412 活跃值： (30) 能力值： ( LV5，RANK：70 ) 在线值：发帖 6 回帖 293 粉丝 1 关注私信	ImHolly 1 3 楼 lkd> !drvobj ntfs Driver object (89dcee20) is for: \FileSystem\Ntfs Driver Extension List: (id , addr) Device Object list: 89cce770 89b2b020 898f5770 89e11590 89dc8f18 lkd> !drvobj 89dcee20 2 Driver object (89dcee20) is for: \FileSystem\Ntfs DriverEntry: b9ecc184 Ntfs!GsDriverEntry DriverStartIo: 00000000 DriverUnload: 00000000 AddDevice: 00000000 Dispatch routines: [00] IRP_MJ_CREATE b9e6cc01 Ntfs!NtfsFsdCreate [01] IRP_MJ_CREATE_NAMED_PIPE 804f5544 nt!IopInvalidDeviceRequest [02] IRP_MJ_CLOSE b9e6c0ea Ntfs!NtfsFsdClose [03] IRP_MJ_READ b9e49f3b Ntfs!NtfsFsdRead [04] IRP_MJ_WRITE b9e48b57 Ntfs!NtfsFsdWrite [05] IRP_MJ_QUERY_INFORMATION b9e6d2b9 Ntfs!NtfsFsdDispatchWait [06] IRP_MJ_SET_INFORMATION b9e4a618 Ntfs!NtfsFsdSetInformation [07] IRP_MJ_QUERY_EA b9e6d2b9 Ntfs!NtfsFsdDispatchWait [08] IRP_MJ_SET_EA b9e6d2b9 Ntfs!NtfsFsdDispatchWait [09] IRP_MJ_FLUSH_BUFFERS b9e86ec8 Ntfs!NtfsFsdFlushBuffers [0a] IRP_MJ_QUERY_VOLUME_INFORMATION b9e6d404 Ntfs!NtfsFsdDispatch [0b] IRP_MJ_SET_VOLUME_INFORMATION b9e6d404 Ntfs!NtfsFsdDispatch [0c] IRP_MJ_DIRECTORY_CONTROL b9e6efbd Ntfs!NtfsFsdDirectoryControl [0d] IRP_MJ_FILE_SYSTEM_CONTROL b9e71758 Ntfs!NtfsFsdFileSystemControl [0e] IRP_MJ_DEVICE_CONTROL b9e6d404 Ntfs!NtfsFsdDispatch [0f] IRP_MJ_INTERNAL_DEVICE_CONTROL 804f5544 nt!IopInvalidDeviceRequest [10] IRP_MJ_SHUTDOWN b9e5b5af Ntfs!NtfsFsdShutdown [11] IRP_MJ_LOCK_CONTROL b9ec0aa3 Ntfs!NtfsFsdLockControl [12] IRP_MJ_CLEANUP b9e6cab8 Ntfs!NtfsFsdCleanup [13] IRP_MJ_CREATE_MAILSLOT 804f5544 nt!IopInvalidDeviceRequest [14] IRP_MJ_QUERY_SECURITY b9e6d404 Ntfs!NtfsFsdDispatch [15] IRP_MJ_SET_SECURITY b9e6d404 Ntfs!NtfsFsdDispatch [16] IRP_MJ_POWER 804f5544 nt!IopInvalidDeviceRequest [17] IRP_MJ_SYSTEM_CONTROL 804f5544 nt!IopInvalidDeviceRequest [18] IRP_MJ_DEVICE_CHANGE 804f5544 nt!IopInvalidDeviceRequest [19] IRP_MJ_QUERY_QUOTA b9e6d2b9 Ntfs!NtfsFsdDispatchWait [1a] IRP_MJ_SET_QUOTA b9e6d2b9 Ntfs!NtfsFsdDispatchWait [1b] IRP_MJ_PNP b9e897f0 Ntfs!NtfsFsdPnp Fast I/O routines: FastIoCheckIfPossible b9e80eda Ntfs!NtfsFastIoCheckIfPossible FastIoRead b9e67b57 Ntfs!NtfsCopyReadA FastIoWrite b9e86448 Ntfs!NtfsCopyWriteA FastIoQueryBasicInfo b9e6d48e Ntfs!NtfsFastQueryBasicInfo FastIoQueryStandardInfo b9e6bf7e Ntfs!NtfsFastQueryStdInfo FastIoLock b9e870f2 Ntfs!NtfsFastLock FastIoUnlockSingle b9e871f8 Ntfs!NtfsFastUnlockSingle FastIoUnlockAll b9ec06ae Ntfs!NtfsFastUnlockAll FastIoUnlockAllByKey b9ec07f3 Ntfs!NtfsFastUnlockAllByKey AcquireFileForNtCreateSection b9e6783a Ntfs!NtfsAcquireForCreateSection ReleaseFileForNtCreateSection b9e67881 Ntfs!NtfsReleaseForCreateSection FastIoQueryNetworkOpenInfo b9eaee1d Ntfs!NtfsFastQueryNetworkOpenInfo AcquireForModWrite b9e73a10 Ntfs!NtfsAcquireFileForModWrite MdlRead b9eaef31 Ntfs!NtfsMdlReadA MdlReadComplete 804e9b14 nt!FsRtlMdlReadCompleteDev PrepareMdlWrite b9eaf2ab Ntfs!NtfsPrepareMdlWriteA MdlWriteComplete 8056bbec nt!FsRtlMdlWriteCompleteDev FastIoQueryOpen b9e6bdb8 Ntfs!NtfsNetworkOpenCreate AcquireForCcFlush b9e676e2 Ntfs!NtfsAcquireFileForCcFlush ReleaseForCcFlush b9e67708 Ntfs!NtfsReleaseFileForCcFlush 2009-11-25 16:53 0
ImHolly 雪币： 412 活跃值： (30) 能力值： ( LV5，RANK：70 ) 在线值：发帖 6 回帖 293 粉丝 1 关注私信	ImHolly 1 4 楼 lkd> dt _DRIVER_OBJECT 89dcee20 nt!_DRIVER_OBJECT +0x000 Type : 4 +0x002 Size : 168 +0x004 DeviceObject : 0x89cce770 _DEVICE_OBJECT +0x008 Flags : 0x92 +0x00c DriverStart : 0xb9e47000 +0x010 DriverSize : 0x8c400 +0x014 DriverSection : 0x89e64a78 +0x018 DriverExtension : 0x89dceec8 _DRIVER_EXTENSION +0x01c DriverName : _UNICODE_STRING "\FileSystem\Ntfs" +0x024 HardwareDatabase : 0x8067c260 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" +0x028 FastIoDispatch : 0xb9e667a0 _FAST_IO_DISPATCH +0x02c DriverInit : 0xb9ecc184 long Ntfs!GsDriverEntry+0 +0x030 DriverStartIo : (null) +0x034 DriverUnload : (null) +0x038 MajorFunction : [28] 0xb9e6cc01 long Ntfs!NtfsFsdCreate+0 lkd> dt _FAST_IO_DISPATCH b9e667a0 nt!_FAST_IO_DISPATCH +0x000 SizeOfFastIoDispatch : 0x70 +0x004 FastIoCheckIfPossible : 0xb9e80eda unsigned char Ntfs!NtfsFastIoCheckIfPossible+0 +0x008 FastIoRead : 0xb9e67b57 unsigned char Ntfs!NtfsCopyReadA+0 +0x00c FastIoWrite : 0xb9e86448 unsigned char Ntfs!NtfsCopyWriteA+0 +0x010 FastIoQueryBasicInfo : 0xb9e6d48e unsigned char Ntfs!NtfsFastQueryBasicInfo+0 +0x014 FastIoQueryStandardInfo : 0xb9e6bf7e unsigned char Ntfs!NtfsFastQueryStdInfo+0 +0x018 FastIoLock : 0xb9e870f2 unsigned char Ntfs!NtfsFastLock+0 +0x01c FastIoUnlockSingle : 0xb9e871f8 unsigned char Ntfs!NtfsFastUnlockSingle+0 +0x020 FastIoUnlockAll : 0xb9ec06ae unsigned char Ntfs!NtfsFastUnlockAll+0 +0x024 FastIoUnlockAllByKey : 0xb9ec07f3 unsigned char Ntfs!NtfsFastUnlockAllByKey+0 +0x028 FastIoDeviceControl : (null) +0x02c AcquireFileForNtCreateSection : 0xb9e6783a void Ntfs!NtfsAcquireForCreateSection+0 +0x030 ReleaseFileForNtCreateSection : 0xb9e67881 void Ntfs!NtfsReleaseForCreateSection+0 +0x034 FastIoDetachDevice : (null) +0x038 FastIoQueryNetworkOpenInfo : 0xb9eaee1d unsigned char Ntfs!NtfsFastQueryNetworkOpenInfo+0 +0x03c AcquireForModWrite : 0xb9e73a10 long Ntfs!NtfsAcquireFileForModWrite+0 +0x040 MdlRead : 0xb9eaef31 unsigned char Ntfs!NtfsMdlReadA+0 +0x044 MdlReadComplete : 0x804e9b14 unsigned char nt!FsRtlMdlReadCompleteDev+0 +0x048 PrepareMdlWrite : 0xb9eaf2ab unsigned char Ntfs!NtfsPrepareMdlWriteA+0 +0x04c MdlWriteComplete : 0x8056bbec unsigned char nt!FsRtlMdlWriteCompleteDev+0 +0x050 FastIoReadCompressed : (null) +0x054 FastIoWriteCompressed : (null) +0x058 MdlReadCompleteCompressed : (null) +0x05c MdlWriteCompleteCompressed : (null) +0x060 FastIoQueryOpen : 0xb9e6bdb8 unsigned char Ntfs!NtfsNetworkOpenCreate+0 +0x064 ReleaseForModWrite : (null) +0x068 AcquireForCcFlush : 0xb9e676e2 long Ntfs!NtfsAcquireFileForCcFlush+0 +0x06c ReleaseForCcFlush : 0xb9e67708 long Ntfs!NtfsReleaseFileForCcFlush+0 2009-11-25 16:54 0
cyndyli 雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 64 粉丝 0 关注私信	cyndyli 5 楼谢谢，ImHolly，我把你给的命令都实践了下，但是+0x028 FastIoDeviceControl : (null) 从你给的命令，我知道怎么查地址了，但是这个是空，这个要怎么看他的反汇编代码？我看filemon程序中hook这个函数后，有些输出后，直接调用的，那它调用的函数，实现过程我能查看到么 2009-11-25 19:39 0
ImHolly 雪币： 412 活跃值： (30) 能力值： ( LV5，RANK：70 ) 在线值：发帖 6 回帖 293 粉丝 1 关注私信	ImHolly 1 6 楼 FASTIOPRESENT( hookExt, FastIoDeviceControl ) 这个是判断FastIo是否存在的 2009-11-25 22:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

cyndyli

雪币： 212

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

9

回帖

64

粉丝

0

关注

私信

cyndyli: 2 楼

在wdm.h 中找到了定义，但是在windbg 中用u命令查看，还是不行。
FAST_IO_DEVICE_CONTROL (
__in struct _FILE_OBJECT *FileObject,
__in BOOLEAN Wait,
__in_opt PVOID InputBuffer,
__in ULONG InputBufferLength,
__out_opt PVOID OutputBuffer,
__in ULONG OutputBufferLength,
__in ULONG IoControlCode,
__out PIO_STATUS_BLOCK IoStatus,
__in struct _DEVICE_OBJECT *DeviceObject
);

typedef FAST_IO_DEVICE_CONTROL *PFAST_IO_DEVICE_CONTROL;

它是_FAST_IO_DISPATCH 数据结构中的一个成员，可以用dt 命令查看此数据结构，但是怎么查看数据结构的一个成员（指针）所指的函数的汇编码。不知道用什么命令找到这个数据结构的内存地址，然后找到指针值，再u估计就可以了。用dd _FAST_IO_DISPATCH这个不行，说Couldn't resolve error at '_fast_io_dispatch'

2009-11-25 10:59

0

ImHolly

雪币： 412

活跃值： (30)

能力值：

( LV5，RANK：70 )

在线值：

发帖

6

回帖

293

粉丝

1

关注

私信

ImHolly 1: 3 楼

lkd> !drvobj ntfs
Driver object (89dcee20) is for:
\FileSystem\Ntfs
Driver Extension List: (id , addr)

Device Object list:
89cce770  89b2b020  898f5770  89e11590
89dc8f18

lkd> !drvobj 89dcee20 2
Driver object (89dcee20) is for:
\FileSystem\Ntfs
DriverEntry: b9ecc184 Ntfs!GsDriverEntry
DriverStartIo: 00000000
DriverUnload:  00000000
AddDevice:    00000000

Dispatch routines:
[00] IRP_MJ_CREATE                   b9e6cc01 Ntfs!NtfsFsdCreate
[01] IRP_MJ_CREATE_NAMED_PIPE          804f5544 nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                      b9e6c0ea Ntfs!NtfsFsdClose
[03] IRP_MJ_READ                      b9e49f3b Ntfs!NtfsFsdRead
[04] IRP_MJ_WRITE                      b9e48b57 Ntfs!NtfsFsdWrite
[05] IRP_MJ_QUERY_INFORMATION          b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[06] IRP_MJ_SET_INFORMATION          b9e4a618 Ntfs!NtfsFsdSetInformation
[07] IRP_MJ_QUERY_EA                   b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[08] IRP_MJ_SET_EA                   b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[09] IRP_MJ_FLUSH_BUFFERS             b9e86ec8 Ntfs!NtfsFsdFlushBuffers
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION b9e6d404 Ntfs!NtfsFsdDispatch
[0b] IRP_MJ_SET_VOLUME_INFORMATION    b9e6d404 Ntfs!NtfsFsdDispatch
[0c] IRP_MJ_DIRECTORY_CONTROL          b9e6efbd Ntfs!NtfsFsdDirectoryControl
[0d] IRP_MJ_FILE_SYSTEM_CONTROL       b9e71758 Ntfs!NtfsFsdFileSystemControl
[0e] IRP_MJ_DEVICE_CONTROL             b9e6d404 Ntfs!NtfsFsdDispatch
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL    804f5544 nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN                   b9e5b5af Ntfs!NtfsFsdShutdown
[11] IRP_MJ_LOCK_CONTROL             b9ec0aa3 Ntfs!NtfsFsdLockControl
[12] IRP_MJ_CLEANUP                   b9e6cab8 Ntfs!NtfsFsdCleanup
[13] IRP_MJ_CREATE_MAILSLOT          804f5544 nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY             b9e6d404 Ntfs!NtfsFsdDispatch
[15] IRP_MJ_SET_SECURITY             b9e6d404 Ntfs!NtfsFsdDispatch
[16] IRP_MJ_POWER                      804f5544 nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL             804f5544 nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE             804f5544 nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[1a] IRP_MJ_SET_QUOTA                b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[1b] IRP_MJ_PNP                      b9e897f0 Ntfs!NtfsFsdPnp

Fast I/O routines:
FastIoCheckIfPossible                b9e80eda Ntfs!NtfsFastIoCheckIfPossible
FastIoRead                            b9e67b57 Ntfs!NtfsCopyReadA
FastIoWrite                            b9e86448 Ntfs!NtfsCopyWriteA
FastIoQueryBasicInfo                   b9e6d48e Ntfs!NtfsFastQueryBasicInfo
FastIoQueryStandardInfo                b9e6bf7e Ntfs!NtfsFastQueryStdInfo
FastIoLock                            b9e870f2 Ntfs!NtfsFastLock
FastIoUnlockSingle                   b9e871f8 Ntfs!NtfsFastUnlockSingle
FastIoUnlockAll                      b9ec06ae Ntfs!NtfsFastUnlockAll
FastIoUnlockAllByKey                   b9ec07f3 Ntfs!NtfsFastUnlockAllByKey
AcquireFileForNtCreateSection          b9e6783a Ntfs!NtfsAcquireForCreateSection
ReleaseFileForNtCreateSection          b9e67881 Ntfs!NtfsReleaseForCreateSection
FastIoQueryNetworkOpenInfo             b9eaee1d Ntfs!NtfsFastQueryNetworkOpenInfo
AcquireForModWrite                   b9e73a10 Ntfs!NtfsAcquireFileForModWrite
MdlRead                               b9eaef31 Ntfs!NtfsMdlReadA
MdlReadComplete                      804e9b14 nt!FsRtlMdlReadCompleteDev
PrepareMdlWrite                      b9eaf2ab Ntfs!NtfsPrepareMdlWriteA
MdlWriteComplete                      8056bbec nt!FsRtlMdlWriteCompleteDev
FastIoQueryOpen                      b9e6bdb8 Ntfs!NtfsNetworkOpenCreate
AcquireForCcFlush                      b9e676e2 Ntfs!NtfsAcquireFileForCcFlush
ReleaseForCcFlush                      b9e67708 Ntfs!NtfsReleaseFileForCcFlush

2009-11-25 16:53

0

ImHolly

雪币： 412

活跃值： (30)

能力值：

( LV5，RANK：70 )

在线值：

发帖

6

回帖

293

粉丝

1

关注

私信

ImHolly 1: 4 楼

lkd> dt _DRIVER_OBJECT 89dcee20
nt!_DRIVER_OBJECT
+0x000 Type          : 4
+0x002 Size          : 168
+0x004 DeviceObject    : 0x89cce770 _DEVICE_OBJECT
+0x008 Flags          : 0x92
+0x00c DriverStart    : 0xb9e47000
+0x010 DriverSize    : 0x8c400
+0x014 DriverSection : 0x89e64a78
+0x018 DriverExtension  : 0x89dceec8 _DRIVER_EXTENSION
+0x01c DriverName    : _UNICODE_STRING "\FileSystem\Ntfs"
+0x024 HardwareDatabase : 0x8067c260 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : 0xb9e667a0 _FAST_IO_DISPATCH
+0x02c DriverInit    : 0xb9ecc184    long  Ntfs!GsDriverEntry+0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload    : (null)
+0x038 MajorFunction : [28] 0xb9e6cc01    long  Ntfs!NtfsFsdCreate+0
lkd> dt _FAST_IO_DISPATCH b9e667a0
nt!_FAST_IO_DISPATCH
+0x000 SizeOfFastIoDispatch : 0x70
+0x004 FastIoCheckIfPossible : 0xb9e80eda    unsigned char  Ntfs!NtfsFastIoCheckIfPossible+0
+0x008 FastIoRead    : 0xb9e67b57    unsigned char  Ntfs!NtfsCopyReadA+0
+0x00c FastIoWrite    : 0xb9e86448    unsigned char  Ntfs!NtfsCopyWriteA+0
+0x010 FastIoQueryBasicInfo : 0xb9e6d48e    unsigned char  Ntfs!NtfsFastQueryBasicInfo+0
+0x014 FastIoQueryStandardInfo : 0xb9e6bf7e    unsigned char  Ntfs!NtfsFastQueryStdInfo+0
+0x018 FastIoLock    : 0xb9e870f2    unsigned char  Ntfs!NtfsFastLock+0
+0x01c FastIoUnlockSingle : 0xb9e871f8    unsigned char  Ntfs!NtfsFastUnlockSingle+0
+0x020 FastIoUnlockAll  : 0xb9ec06ae    unsigned char  Ntfs!NtfsFastUnlockAll+0
+0x024 FastIoUnlockAllByKey : 0xb9ec07f3    unsigned char  Ntfs!NtfsFastUnlockAllByKey+0
+0x028 FastIoDeviceControl : (null)
+0x02c AcquireFileForNtCreateSection : 0xb9e6783a    void  Ntfs!NtfsAcquireForCreateSection+0
+0x030 ReleaseFileForNtCreateSection : 0xb9e67881    void  Ntfs!NtfsReleaseForCreateSection+0
+0x034 FastIoDetachDevice : (null)
+0x038 FastIoQueryNetworkOpenInfo : 0xb9eaee1d    unsigned char  Ntfs!NtfsFastQueryNetworkOpenInfo+0
+0x03c AcquireForModWrite : 0xb9e73a10    long  Ntfs!NtfsAcquireFileForModWrite+0
+0x040 MdlRead       : 0xb9eaef31    unsigned char  Ntfs!NtfsMdlReadA+0
+0x044 MdlReadComplete  : 0x804e9b14    unsigned char  nt!FsRtlMdlReadCompleteDev+0
+0x048 PrepareMdlWrite  : 0xb9eaf2ab    unsigned char  Ntfs!NtfsPrepareMdlWriteA+0
+0x04c MdlWriteComplete : 0x8056bbec    unsigned char  nt!FsRtlMdlWriteCompleteDev+0
+0x050 FastIoReadCompressed : (null)
+0x054 FastIoWriteCompressed : (null)
+0x058 MdlReadCompleteCompressed : (null)
+0x05c MdlWriteCompleteCompressed : (null)
+0x060 FastIoQueryOpen  : 0xb9e6bdb8    unsigned char  Ntfs!NtfsNetworkOpenCreate+0
+0x064 ReleaseForModWrite : (null)
+0x068 AcquireForCcFlush : 0xb9e676e2    long  Ntfs!NtfsAcquireFileForCcFlush+0
+0x06c ReleaseForCcFlush : 0xb9e67708    long  Ntfs!NtfsReleaseFileForCcFlush+0

2009-11-25 16:54

0

cyndyli

雪币： 212

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

9

回帖

64

粉丝

0

关注

私信

cyndyli: 5 楼

谢谢，ImHolly，我把你给的命令都实践了下，但是+0x028 FastIoDeviceControl : (null)
从你给的命令，我知道怎么查地址了，但是这个是空，这个要怎么看他的反汇编代码？

我看filemon程序中hook这个函数后，有些输出后，直接调用的，那它调用的函数，实现过程我能查看到么

2009-11-25 19:39

0