Post #2 (user level: LV2, RANK:10)
I found the definition in wdm.h, but looking at it with the u command in windbg still doesn't work.
typedef
BOOLEAN
FAST_IO_DEVICE_CONTROL (
    __in struct _FILE_OBJECT *FileObject,
    __in BOOLEAN Wait,
    __in_opt PVOID InputBuffer,
    __in ULONG InputBufferLength,
    __out_opt PVOID OutputBuffer,
    __in ULONG OutputBufferLength,
    __in ULONG IoControlCode,
    __out PIO_STATUS_BLOCK IoStatus,
    __in struct _DEVICE_OBJECT *DeviceObject
    );
typedef FAST_IO_DEVICE_CONTROL *PFAST_IO_DEVICE_CONTROL;
It is a member of the _FAST_IO_DISPATCH structure, and I can display that structure with the dt command, but how do I view the assembly of the function that one member (a pointer) of the structure points to? I don't know which command finds the memory address of this structure; once I have the pointer value, a u on it should probably do. dd _FAST_IO_DISPATCH doesn't work, it says Couldn't resolve error at '_fast_io_dispatch'
Post #3 (user level: LV5, RANK:70)
lkd> !drvobj ntfs
Driver object (89dcee20) is for:
\FileSystem\Ntfs
Driver Extension List: (id , addr)
Device Object list:
89cce770 89b2b020 898f5770 89e11590
89dc8f18
lkd> !drvobj 89dcee20 2
Driver object (89dcee20) is for:
\FileSystem\Ntfs
DriverEntry: b9ecc184 Ntfs!GsDriverEntry
DriverStartIo: 00000000
DriverUnload: 00000000
AddDevice: 00000000
Dispatch routines:
[00] IRP_MJ_CREATE b9e6cc01 Ntfs!NtfsFsdCreate
[01] IRP_MJ_CREATE_NAMED_PIPE 804f5544 nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE b9e6c0ea Ntfs!NtfsFsdClose
[03] IRP_MJ_READ b9e49f3b Ntfs!NtfsFsdRead
[04] IRP_MJ_WRITE b9e48b57 Ntfs!NtfsFsdWrite
[05] IRP_MJ_QUERY_INFORMATION b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[06] IRP_MJ_SET_INFORMATION b9e4a618 Ntfs!NtfsFsdSetInformation
[07] IRP_MJ_QUERY_EA b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[08] IRP_MJ_SET_EA b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[09] IRP_MJ_FLUSH_BUFFERS b9e86ec8 Ntfs!NtfsFsdFlushBuffers
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION b9e6d404 Ntfs!NtfsFsdDispatch
[0b] IRP_MJ_SET_VOLUME_INFORMATION b9e6d404 Ntfs!NtfsFsdDispatch
[0c] IRP_MJ_DIRECTORY_CONTROL b9e6efbd Ntfs!NtfsFsdDirectoryControl
[0d] IRP_MJ_FILE_SYSTEM_CONTROL b9e71758 Ntfs!NtfsFsdFileSystemControl
[0e] IRP_MJ_DEVICE_CONTROL b9e6d404 Ntfs!NtfsFsdDispatch
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL 804f5544 nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN b9e5b5af Ntfs!NtfsFsdShutdown
[11] IRP_MJ_LOCK_CONTROL b9ec0aa3 Ntfs!NtfsFsdLockControl
[12] IRP_MJ_CLEANUP b9e6cab8 Ntfs!NtfsFsdCleanup
[13] IRP_MJ_CREATE_MAILSLOT 804f5544 nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY b9e6d404 Ntfs!NtfsFsdDispatch
[15] IRP_MJ_SET_SECURITY b9e6d404 Ntfs!NtfsFsdDispatch
[16] IRP_MJ_POWER 804f5544 nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL 804f5544 nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE 804f5544 nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[1a] IRP_MJ_SET_QUOTA b9e6d2b9 Ntfs!NtfsFsdDispatchWait
[1b] IRP_MJ_PNP b9e897f0 Ntfs!NtfsFsdPnp
Fast I/O routines:
FastIoCheckIfPossible b9e80eda Ntfs!NtfsFastIoCheckIfPossible
FastIoRead b9e67b57 Ntfs!NtfsCopyReadA
FastIoWrite b9e86448 Ntfs!NtfsCopyWriteA
FastIoQueryBasicInfo b9e6d48e Ntfs!NtfsFastQueryBasicInfo
FastIoQueryStandardInfo b9e6bf7e Ntfs!NtfsFastQueryStdInfo
FastIoLock b9e870f2 Ntfs!NtfsFastLock
FastIoUnlockSingle b9e871f8 Ntfs!NtfsFastUnlockSingle
FastIoUnlockAll b9ec06ae Ntfs!NtfsFastUnlockAll
FastIoUnlockAllByKey b9ec07f3 Ntfs!NtfsFastUnlockAllByKey
AcquireFileForNtCreateSection b9e6783a Ntfs!NtfsAcquireForCreateSection
ReleaseFileForNtCreateSection b9e67881 Ntfs!NtfsReleaseForCreateSection
FastIoQueryNetworkOpenInfo b9eaee1d Ntfs!NtfsFastQueryNetworkOpenInfo
AcquireForModWrite b9e73a10 Ntfs!NtfsAcquireFileForModWrite
MdlRead b9eaef31 Ntfs!NtfsMdlReadA
MdlReadComplete 804e9b14 nt!FsRtlMdlReadCompleteDev
PrepareMdlWrite b9eaf2ab Ntfs!NtfsPrepareMdlWriteA
MdlWriteComplete 8056bbec nt!FsRtlMdlWriteCompleteDev
FastIoQueryOpen b9e6bdb8 Ntfs!NtfsNetworkOpenCreate
AcquireForCcFlush b9e676e2 Ntfs!NtfsAcquireFileForCcFlush
ReleaseForCcFlush b9e67708 Ntfs!NtfsReleaseFileForCcFlush
Post #4 (user level: LV5, RANK:70)
lkd> dt _DRIVER_OBJECT 89dcee20
nt!_DRIVER_OBJECT
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : 0x89cce770 _DEVICE_OBJECT
+0x008 Flags : 0x92
+0x00c DriverStart : 0xb9e47000
+0x010 DriverSize : 0x8c400
+0x014 DriverSection : 0x89e64a78
+0x018 DriverExtension : 0x89dceec8 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\FileSystem\Ntfs"
+0x024 HardwareDatabase : 0x8067c260 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : 0xb9e667a0 _FAST_IO_DISPATCH
+0x02c DriverInit : 0xb9ecc184 long Ntfs!GsDriverEntry+0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0xb9e6cc01 long Ntfs!NtfsFsdCreate+0
lkd> dt _FAST_IO_DISPATCH b9e667a0
nt!_FAST_IO_DISPATCH
+0x000 SizeOfFastIoDispatch : 0x70
+0x004 FastIoCheckIfPossible : 0xb9e80eda unsigned char Ntfs!NtfsFastIoCheckIfPossible+0
+0x008 FastIoRead : 0xb9e67b57 unsigned char Ntfs!NtfsCopyReadA+0
+0x00c FastIoWrite : 0xb9e86448 unsigned char Ntfs!NtfsCopyWriteA+0
+0x010 FastIoQueryBasicInfo : 0xb9e6d48e unsigned char Ntfs!NtfsFastQueryBasicInfo+0
+0x014 FastIoQueryStandardInfo : 0xb9e6bf7e unsigned char Ntfs!NtfsFastQueryStdInfo+0
+0x018 FastIoLock : 0xb9e870f2 unsigned char Ntfs!NtfsFastLock+0
+0x01c FastIoUnlockSingle : 0xb9e871f8 unsigned char Ntfs!NtfsFastUnlockSingle+0
+0x020 FastIoUnlockAll : 0xb9ec06ae unsigned char Ntfs!NtfsFastUnlockAll+0
+0x024 FastIoUnlockAllByKey : 0xb9ec07f3 unsigned char Ntfs!NtfsFastUnlockAllByKey+0
+0x028 FastIoDeviceControl : (null)
+0x02c AcquireFileForNtCreateSection : 0xb9e6783a void Ntfs!NtfsAcquireForCreateSection+0
+0x030 ReleaseFileForNtCreateSection : 0xb9e67881 void Ntfs!NtfsReleaseForCreateSection+0
+0x034 FastIoDetachDevice : (null)
+0x038 FastIoQueryNetworkOpenInfo : 0xb9eaee1d unsigned char Ntfs!NtfsFastQueryNetworkOpenInfo+0
+0x03c AcquireForModWrite : 0xb9e73a10 long Ntfs!NtfsAcquireFileForModWrite+0
+0x040 MdlRead : 0xb9eaef31 unsigned char Ntfs!NtfsMdlReadA+0
+0x044 MdlReadComplete : 0x804e9b14 unsigned char nt!FsRtlMdlReadCompleteDev+0
+0x048 PrepareMdlWrite : 0xb9eaf2ab unsigned char Ntfs!NtfsPrepareMdlWriteA+0
+0x04c MdlWriteComplete : 0x8056bbec unsigned char nt!FsRtlMdlWriteCompleteDev+0
+0x050 FastIoReadCompressed : (null)
+0x054 FastIoWriteCompressed : (null)
+0x058 MdlReadCompleteCompressed : (null)
+0x05c MdlWriteCompleteCompressed : (null)
+0x060 FastIoQueryOpen : 0xb9e6bdb8 unsigned char Ntfs!NtfsNetworkOpenCreate+0
+0x064 ReleaseForModWrite : (null)
+0x068 AcquireForCcFlush : 0xb9e676e2 long Ntfs!NtfsAcquireFileForCcFlush+0
+0x06c ReleaseForCcFlush : 0xb9e67708 long Ntfs!NtfsReleaseFileForCcFlush+0
Post #5 (user level: LV2, RANK:10)
Thanks, ImHolly, I tried every command you gave, but I get +0x028 FastIoDeviceControl : (null)
From your commands I now know how to find the address, but this entry is null, so how do I look at its disassembly?
I see that in the filemon program, after it hooks this function, it prints some output and then calls it directly; can I view the implementation of the function it calls?
Post #6 (user level: LV5, RANK:70)
FASTIOPRESENT( hookExt, FastIoDeviceControl )
This is what checks whether the FastIo routine exists.
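As an added example (not code from this thread, from filemon, or from the Windows headers), here is a host-side model of the check that post #6 refers to: before a filter driver calls an entry in a lower driver's FAST_IO_DISPATCH table it must verify that the table pointer is non-NULL, that the driver's declared SizeOfFastIoDispatch actually covers the field, and that the entry itself is non-NULL; otherwise it falls back to the IRP dispatch routine (here IRP_MJ_DEVICE_CONTROL). The pattern follows the VALID_FAST_IO_DISPATCH_HANDLER macro in Microsoft's sfilter sample. The struct below is a trimmed stand-in for nt!_FAST_IO_DISPATCH so the code compiles without the WDK, and the two tables are constructed: one mirrors the dt output above (FastIoRead set, FastIoDeviceControl null), the other models a driver built against an older header whose table ends before FastIoDeviceControl.

```c
/* Added example: presence check for a fast-I/O entry, modelled on the
 * VALID_FAST_IO_DISPATCH_HANDLER pattern. Not the thread's or filemon's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int BOOLEAN;

/* Stand-in entry type. The real FAST_IO_DEVICE_CONTROL takes the FILE_OBJECT,
 * buffers, IoControlCode, IO_STATUS_BLOCK and DEVICE_OBJECT (see wdm.h above). */
typedef BOOLEAN (*FAST_IO_FN)(void);

/* Trimmed model of nt!_FAST_IO_DISPATCH (assumption: field order follows the
 * real structure up to FastIoDeviceControl; later members are omitted). */
typedef struct _FAST_IO_DISPATCH {
    uint32_t   SizeOfFastIoDispatch;   /* set by the owning driver */
    FAST_IO_FN FastIoCheckIfPossible;
    FAST_IO_FN FastIoRead;
    FAST_IO_FN FastIoWrite;
    FAST_IO_FN FastIoQueryBasicInfo;
    FAST_IO_FN FastIoQueryStandardInfo;
    FAST_IO_FN FastIoLock;
    FAST_IO_FN FastIoUnlockSingle;
    FAST_IO_FN FastIoUnlockAll;
    FAST_IO_FN FastIoUnlockAllByKey;
    FAST_IO_FN FastIoDeviceControl;
} FAST_IO_DISPATCH;

/* Generic presence check: non-NULL table, declared size covers the slot
 * (never read past a short table), and the slot itself is non-NULL. */
static int fast_io_entry_present(const FAST_IO_DISPATCH *table, size_t field_offset)
{
    if (table == NULL)
        return 0;
    if (table->SizeOfFastIoDispatch < field_offset + sizeof(FAST_IO_FN))
        return 0;
    const FAST_IO_FN *slot = (const FAST_IO_FN *)((const char *)table + field_offset);
    return *slot != NULL;
}

/* Hypothetical macro name; plays the role of FASTIOPRESENT in post #6. */
#define FASTIO_PRESENT(table, field) \
    fast_io_entry_present((table), offsetof(FAST_IO_DISPATCH, field))

static BOOLEAN fake_read(void) { return 1; }

/* Constructed table mirroring the thread's dt output: full size,
 * FastIoRead populated, FastIoDeviceControl (null). */
static FAST_IO_DISPATCH ntfs_like_table(void)
{
    FAST_IO_DISPATCH t;
    memset(&t, 0, sizeof t);
    t.SizeOfFastIoDispatch = (uint32_t)sizeof t;
    t.FastIoRead = fake_read;
    t.FastIoDeviceControl = NULL;
    return t;
}

/* Constructed table from a driver whose header predates FastIoDeviceControl:
 * the declared size stops before that slot, so whatever bytes sit there
 * (here deliberately non-NULL) are stale memory and must not be called. */
static FAST_IO_DISPATCH short_table(void)
{
    FAST_IO_DISPATCH t;
    memset(&t, 0, sizeof t);
    t.SizeOfFastIoDispatch = (uint32_t)offsetof(FAST_IO_DISPATCH, FastIoDeviceControl);
    t.FastIoRead = fake_read;
    t.FastIoDeviceControl = fake_read;   /* garbage past the real end of the table */
    return t;
}

/* 1: the fast path may be used; 0: fall back to the IRP_MJ_* dispatch routine. */
int device_control_fast_path_available(const FAST_IO_DISPATCH *table)
{
    return FASTIO_PRESENT(table, FastIoDeviceControl);
}

int read_fast_path_available(const FAST_IO_DISPATCH *table)
{
    return FASTIO_PRESENT(table, FastIoRead);
}

int main(void)
{
    FAST_IO_DISPATCH a = ntfs_like_table(), b = short_table();
    printf("ntfs-like table: read=%d devctl=%d\n",
           read_fast_path_available(&a), device_control_fast_path_available(&a));
    printf("short table:     read=%d devctl=%d\n",
           read_fast_path_available(&b), device_control_fast_path_available(&b));
    printf("null table:      devctl=%d\n", device_control_fast_path_available(NULL));
    return 0;
}
```

For the NTFS-like table the read fast path is available and the device-control one is not, which is exactly why there is no function to disassemble at +0x028: the filter must route that request through the IRP_MJ_DEVICE_CONTROL handler (Ntfs!NtfsFsdDispatch in the !drvobj listing above). The size check is what keeps a filter from dereferencing a stale slot in a short table.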