[已解决]编程弹出硬件遇到的奇怪问题ZwDeviceIoControlFile(..FSCTL_LOCK_VOLUME..)锁定卷-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
liwenl 雪币： 53 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 66 粉丝 0 关注私信	liwenl 2 楼应用层相应的函数： BOOL LockVolume(HANDLE hVolume) { DWORD dwBytesReturned; DWORD dwSleepAmount; int nTryCount; dwSleepAmount = LOCK_TIMEOUT / LOCK_RETRIES; // Do this in a loop until a timeout period has expired for (nTryCount = 0; nTryCount < LOCK_RETRIES; nTryCount++) { if (DeviceIoControl(hVolume, FSCTL_LOCK_VOLUME, NULL, 0, NULL, 0, &dwBytesReturned, NULL)) return TRUE; Sleep(dwSleepAmount); } return FALSE; } LockVolume改写成驱动代码后出问题的地方： ZwDeviceIoControlFile BOOLEAN LockVolume(HANDLE hVolume) { NTSTATUS status; IO_STATUS_BLOCK IoStatusBlock; DWORD dwSleepAmount=LOCK_TIMEOUT / LOCK_RETRIES; int nTryCount; LARGE_INTEGER Sleeptime=RtlConvertLongToLargeInteger(-101000dwSleepAmount); // Do this in a loop until a timeout period has expired for (nTryCount = 0; nTryCount < LOCK_RETRIES; nTryCount++) { status = ZwDeviceIoControlFile(hVolume, //status=C00000BB STATUS_NOT_SUPPORTED NULL, NULL, NULL, &IoStatusBlock, FSCTL_LOCK_VOLUME, NULL, 0, NULL, 0 ); DbgPrint("LockVolume status:%x\n", status); if (NT_SUCCESS(status)) return TRUE; //Sleep(dwSleepAmount); KeDelayExecutionThread(KernelMode,FALSE,&Sleeptime); } return FALSE; } 2015-5-3 21:50 0
liwenl 雪币： 53 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 66 粉丝 0 关注私信	liwenl 3 楼问题已经解决了：看一下kernel32!DeviceIoControl的调用关系 0:000> uf /c kernel32!DeviceIoControl kernel32!DeviceIoControl (7c801629) kernel32!DeviceIoControl+0x7 (7c801630): call to kernel32!ReleaseMutex+0x1f (7c8024d6) kernel32!DeviceIoControl+0x46 (7c80166f): call to ntdll!NtDeviceIoControlFile (7c92d27e) kernel32!DeviceIoControl+0x6a (7c801693): call to kernel32!ReleaseMutex+0x5a (7c802511) kernel32!DeviceIoControl+0x93 (7c8016bc): call to ntdll!NtDeviceIoControlFile (7c92d27e) kernel32!DeviceIoControl+0xcb (7c8016f4): call to kernel32!GetTickCount+0xcf (7c809419) kernel32!DeviceIoControl+0xe5 (7c80170e): call to ntdll!NtFsControlFile (7c92d39e) kernel32!DeviceIoControl+0x10c (7c801735): call to ntdll!ZwWaitForSingleObject (7c92df4e) kernel32!DeviceIoControl+0x11e (7c801747): call to ntdll!NtFsControlFile (7c92d39e) 从调用关系里可以看到主要有两个函数 ntdll!NtDeviceIoControlFile ntdll!NtFsControlFile 把驱动代码ZwDeviceIoControlFile换成NtFsControlFile之后就解决了，==，自己动手丰衣足食。放一个在驱动中安全删除硬件的代码附件： usbremove-driver.rar 是根据这个应用层代码改的：原文如何在 Windows NT / Windows 2000/Windows XP 中的弹出可移动媒体 https://support.microsoft.com/zh-cn/kb/165721/zh-cn 上传的附件： 1111.png （0.94kb，4次下载） usbremove-driver.rar （62.67kb，33次下载） 2015-5-4 10:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)
liwenl 雪币： 53 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 66 粉丝 0 关注私信	liwenl 2 楼应用层相应的函数： BOOL LockVolume(HANDLE hVolume) { DWORD dwBytesReturned; DWORD dwSleepAmount; int nTryCount; dwSleepAmount = LOCK_TIMEOUT / LOCK_RETRIES; // Do this in a loop until a timeout period has expired for (nTryCount = 0; nTryCount < LOCK_RETRIES; nTryCount++) { if (DeviceIoControl(hVolume, FSCTL_LOCK_VOLUME, NULL, 0, NULL, 0, &dwBytesReturned, NULL)) return TRUE; Sleep(dwSleepAmount); } return FALSE; } LockVolume改写成驱动代码后出问题的地方： ZwDeviceIoControlFile BOOLEAN LockVolume(HANDLE hVolume) { NTSTATUS status; IO_STATUS_BLOCK IoStatusBlock; DWORD dwSleepAmount=LOCK_TIMEOUT / LOCK_RETRIES; int nTryCount; LARGE_INTEGER Sleeptime=RtlConvertLongToLargeInteger(-101000dwSleepAmount); // Do this in a loop until a timeout period has expired for (nTryCount = 0; nTryCount < LOCK_RETRIES; nTryCount++) { status = ZwDeviceIoControlFile(hVolume, //status=C00000BB STATUS_NOT_SUPPORTED NULL, NULL, NULL, &IoStatusBlock, FSCTL_LOCK_VOLUME, NULL, 0, NULL, 0 ); DbgPrint("LockVolume status:%x\n", status); if (NT_SUCCESS(status)) return TRUE; //Sleep(dwSleepAmount); KeDelayExecutionThread(KernelMode,FALSE,&Sleeptime); } return FALSE; } 2015-5-3 21:50 0
liwenl 雪币： 53 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 66 粉丝 0 关注私信	liwenl 3 楼问题已经解决了：看一下kernel32!DeviceIoControl的调用关系 0:000> uf /c kernel32!DeviceIoControl kernel32!DeviceIoControl (7c801629) kernel32!DeviceIoControl+0x7 (7c801630): call to kernel32!ReleaseMutex+0x1f (7c8024d6) kernel32!DeviceIoControl+0x46 (7c80166f): call to ntdll!NtDeviceIoControlFile (7c92d27e) kernel32!DeviceIoControl+0x6a (7c801693): call to kernel32!ReleaseMutex+0x5a (7c802511) kernel32!DeviceIoControl+0x93 (7c8016bc): call to ntdll!NtDeviceIoControlFile (7c92d27e) kernel32!DeviceIoControl+0xcb (7c8016f4): call to kernel32!GetTickCount+0xcf (7c809419) kernel32!DeviceIoControl+0xe5 (7c80170e): call to ntdll!NtFsControlFile (7c92d39e) kernel32!DeviceIoControl+0x10c (7c801735): call to ntdll!ZwWaitForSingleObject (7c92df4e) kernel32!DeviceIoControl+0x11e (7c801747): call to ntdll!NtFsControlFile (7c92d39e) 从调用关系里可以看到主要有两个函数 ntdll!NtDeviceIoControlFile ntdll!NtFsControlFile 把驱动代码ZwDeviceIoControlFile换成NtFsControlFile之后就解决了，==，自己动手丰衣足食。放一个在驱动中安全删除硬件的代码附件： usbremove-driver.rar 是根据这个应用层代码改的：原文如何在 Windows NT / Windows 2000/Windows XP 中的弹出可移动媒体 https://support.microsoft.com/zh-cn/kb/165721/zh-cn 上传的附件： 1111.png （0.94kb，4次下载） usbremove-driver.rar （62.67kb，33次下载） 2015-5-4 10:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复