[求助]windows驱动发IRP进行文件操作的疑惑-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]windows驱动发IRP进行文件操作的疑惑 0.00雪花

发表于: 2013-8-8 11:28 1297

[旧帖] [求助]windows驱动发IRP进行文件操作的疑惑 0.00雪花

宝宝的xql

2013-8-8 11:28

1297

在开源的ROll Your own中，有进行发IRP进行读，写文件操作的函数，举例读操作的

static VOID KfcRead(PFILE_OBJECT FileObject,
                  PLARGE_INTEGER Offset,
                  ULONG Length,
                  PMDL Mdl,
                  PIO_STATUS_BLOCK IoStatusBlock)
{
PIRP irp;
KEVENT event;
PIO_STACK_LOCATION ioStackLocation;
PDEVICE_OBJECT fsdDevice = IoGetRelatedDeviceObject(FileObject);//获得与文件对象相关联的设备对象
//
// Set up the event we'll use.
//
KeInitializeEvent(&event, SynchronizationEvent, FALSE);
//
// Allocate and build the IRP we'll be sending to the FSD.
//
irp = IoAllocateIrp(fsdDevice->StackSize, FALSE);
if (!irp)
{
      //
      // Allocation failed, presumably due to memory allocation failure.
      //
      IoStatusBlock->Status = STATUS_INSUFFICIENT_RESOURCES;
      IoStatusBlock->Information = 0;
}
irp->MdlAddress = Mdl;
irp->UserEvent = &event;
irp->UserIosb = IoStatusBlock;
irp->Tail.Overlay.Thread = PsGetCurrentThread();
irp->Tail.Overlay.OriginalFileObject= FileObject;
irp->RequestorMode = KernelMode;
//
// Indicate that this is a READ operation.
//
irp->Flags = IRP_READ_OPERATION;
//
// Set up the next I/O stack location.  These are the parameters
// that will be passed to the underlying driver.
//
ioStackLocation = IoGetNextIrpStackLocation(irp);
ioStackLocation->MajorFunction = IRP_MJ_READ;
ioStackLocation->MinorFunction = 0;
ioStackLocation->DeviceObject = fsdDevice;
ioStackLocation->FileObject = FileObject;
//
// We use a completion routine to keep the I/O Manager from doing
// "cleanup" on our IRP - like freeing our MDL.
//
IoSetCompletionRoutine(irp, KfcIoCompletion, 0, TRUE, TRUE, TRUE);

ioStackLocation->Parameters.Read.Length = Length;
ioStackLocation->Parameters.Read.ByteOffset = *Offset;
//
// Send it on.  Ignore the return code.
//
(void) IoCallDriver(fsdDevice, irp);
//
// Wait for the I/O to complete.
//
KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0);
//
// Done.  Return results are in the io status block.
//
return;
}
问题：以上函数static VOID KfcRead（）这个函数发出去IRP后，读取到的文件的内容存在哪里的？

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・0

免费・0

支持

最新回复 (1)
SdKfz 雪币： 1 活跃值： (1174) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 81 粉丝 2 关注私信	SdKfz 2 楼 MSDN IRP_MJ_READ: Output Parameters Depending on whether the underlying device driver sets up the target device object's Flags with DO_BUFFERED_IO or with DO_DIRECT_IO, data is transferred into one of the following: The buffer at Irp->AssociatedIrp.SystemBuffer if the driver uses buffered I/O. The buffer described by the MDL at Irp->MdlAddress if the underlying device driver uses direct I/O (DMA or PIO). 2013-8-8 11:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (1)

SdKfz

雪币： 1

活跃值： (1174)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

SdKfz: 2 楼

MSDN IRP_MJ_READ:

Output Parameters

Depending on whether the underlying device driver sets up the target device object's Flags with DO_BUFFERED_IO or with DO_DIRECT_IO, data is transferred into one of the following:

The buffer at Irp->AssociatedIrp.SystemBuffer if the driver uses buffered I/O.

The buffer described by the MDL at Irp->MdlAddress if the underlying device driver uses direct I/O (DMA or PIO).

2013-8-8 11:43

宝宝的xql

发帖

134

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区