How is the DeviceIoControl function used?
Posted: 2006-7-10 16:24

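While tracing a piece of software I ran into a call to the DeviceIoControl function. I don't know what hardware information this function retrieves. What does it do? What does each of the call parameters mean? How can this information be obtained?

I would be grateful for any guidance from the experts here. Thanks in advance.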

Latest replies (7)
2
Google
2006-7-10 16:38
0
3
DeviceIoControl

The DeviceIoControl function sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation.

BOOL DeviceIoControl(
  HANDLE hDevice,
  DWORD dwIoControlCode,
  LPVOID lpInBuffer,
  DWORD nInBufferSize,
  LPVOID lpOutBuffer,
  DWORD nOutBufferSize,
  LPDWORD lpBytesReturned,
  LPOVERLAPPED lpOverlapped
);

Parameters
hDevice
[in] Handle to the device on which the operation is to be performed. The device is typically a volume, directory, file, or stream. To retrieve a device handle, use the CreateFile function. For more information, see Remarks.
dwIoControlCode
[in] Control code for the operation. This value identifies the specific operation to be performed and the type of device on which to perform it.
For a list of the control codes, see Remarks. The documentation for each control code provides usage details for the lpInBuffer, nInBufferSize, lpOutBuffer, and nOutBufferSize parameters.

lpInBuffer
[in] Pointer to the input buffer that contains the data required to perform the operation. The format of this data depends on the value of the dwIoControlCode parameter.
This parameter can be NULL if dwIoControlCode specifies an operation that does not require input data.

nInBufferSize
[in] Size of the input buffer, in bytes.
lpOutBuffer
[out] Pointer to the output buffer that is to receive the data returned by the operation. The format of this data depends on the value of the dwIoControlCode parameter.
This parameter can be NULL if dwIoControlCode specifies an operation that does not return data.

nOutBufferSize
[in] Size of the output buffer, in bytes.
lpBytesReturned
[out] Pointer to a variable that receives the size of the data stored in the output buffer, in bytes.
If the output buffer is too small to receive any data, the call fails, GetLastError returns ERROR_INSUFFICIENT_BUFFER, and lpBytesReturned is zero.

If the output buffer is too small to hold all of the data but can hold some entries, some drivers will return as much data as fits. In this case, the call fails, GetLastError returns ERROR_MORE_DATA, and lpBytesReturned indicates the amount of data received. Your application should call DeviceIoControl again with the same operation, specifying a new starting point.

If lpOverlapped is NULL, lpBytesReturned cannot be NULL. Even when an operation returns no output data and lpOutBuffer is NULL, DeviceIoControl makes use of lpBytesReturned. After such an operation, the value of lpBytesReturned is meaningless.

If lpOverlapped is not NULL, lpBytesReturned can be NULL. If this parameter is not NULL and the operation returns data, lpBytesReturned is meaningless until the overlapped operation has completed. To retrieve the number of bytes returned, call GetOverlappedResult. If hDevice is associated with an I/O completion port, you can retrieve the number of bytes returned by calling GetQueuedCompletionStatus.

lpOverlapped
[in] Pointer to an OVERLAPPED structure.
If hDevice was opened without specifying FILE_FLAG_OVERLAPPED, lpOverlapped is ignored.

If hDevice was opened with the FILE_FLAG_OVERLAPPED flag, the operation is performed as an overlapped (asynchronous) operation. In this case, lpOverlapped must point to a valid OVERLAPPED structure that contains a handle to an event object. Otherwise, the function fails in unpredictable ways.

For overlapped operations, DeviceIoControl returns immediately, and the event object is signaled when the operation has been completed. Otherwise, the function does not return until the operation has been completed or an error occurs.
2006-7-11 10:41
0
4
Originally posted by foxabu
DeviceIoControl

The DeviceIoControl function sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation.


........

It's in English and I can't understand it. Could someone give an answer in Chinese? And explain it in detail?
2006-7-15 11:03
0
5
Please help!
2006-7-18 15:07
0
6
The problem above still isn't solved. Could the experts please help? Thank you.
Below is the code where the program I am tracing calls the DeviceIoControl function:
004569F6      |.  E>call 00491610                       ;  DataExpl.00491610
004569FB      |.  8>mov eax,dword ptr ds:[esi+8]
004569FE      |.  3>xor ebx,ebx
00456A00      |.  5>push ebx                            ; /pOverlapped => NULL
00456A01      |.  8>lea ecx,dword ptr ss:[esp+20]       ; |
00456A05      |.  5>push ecx                            ; |pBytesReturned
00456A06      |.  6>push 18                             ; |OutBufferSize = 18 (24.)
00456A08      |.  8>lea edx,dword ptr ss:[esp+50]       ; |
00456A0C      |.  5>push edx                            ; |OutBuffer
00456A0D      |.  5>push ebx                            ; |InBufferSize => 0
00456A0E      |.  5>push ebx                            ; |InBuffer => NULL
00456A0F      |.  6>push 70000                          ; |IoControlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY
00456A14      |.  5>push eax                            ; |hDevice
00456A15      |.  C>mov byte ptr ss:[esp+84],5          ; |
00456A1D      |.  F>call dword ptr ds:[5972FC]          ; \DeviceIoControl
00456A23      |.  8>test eax,eax
00456A25      |.  0>je 00456BC1                         ;  DataExpl.00456BC1
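00456A2B      |.  8>mov ebx,dword ptr ss:[esp+54]       ; ss:[esp+54] holds hard disk parameter 1 needed to compute the registration code
00456A2F      |.  8>mov ebp,dword ptr ss:[esp+50]       ; ss:[esp+50] holds hard disk parameter 2 needed to compute the registration code
00456A33      |.  8>mov ecx,dword ptr ss:[esp+58]       ; ss:[esp+58] holds hard disk parameter 3 needed to compute the registration code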

Below is the stack when the program reaches 4a651d:
ESP ==>  02E4FBA8     000000F0  |hDevice = 000000F0 (window)
ESP+4    02E4FBAC     00070000  |IoControlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY
ESP+8    02E4FBB0     00000000  |InBuffer = NULL
ESP+C    02E4FBB4     00000000  |InBufferSize = 0
ESP+10   02E4FBB8     02E4FC0C  |OutBuffer = 02E4FC0C
ESP+14   02E4FBBC     00000018  |OutBufferSize = 18 (24.)
ESP+18   02E4FBC0     02E4FBE4  |pBytesReturned = 02E4FBE4
ESP+1C   02E4FBC4     00000000  \pOverlapped = NULL

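Could the experts please take a look? The main questions I don't know how to solve are:
In C++, how do I call the DeviceIoControl function to obtain the hard disk parameters (the required hard disk parameters 1, 2 and 3 above)? A concrete implementation would be best.
How do I obtain the values of the three parameters hDevice, OutBuffer and pBytesReturned?
Is OutBuffer the starting address of the output buffer?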
2006-7-18 15:16
0
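The call traced in the post above, decoded as an added C example that is not part of the original thread: it splits control code 0x70000 into its CTL_CODE fields, parses the 0x18-byte DISK_GEOMETRY that OutBuffer receives, and maps the post-call reads at [esp+50], [esp+54] and [esp+58] to offsets 0x0C, 0x10 and 0x14 (TracksPerCylinder, SectorsPerTrack, BytesPerSector). The function names and the sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields packed into an I/O control code by the CTL_CODE macro. */
typedef struct { unsigned device_type, access, function, method; } ioctl_fields;
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;          /* 7 = FILE_DEVICE_DISK */
    f.access      = (code >> 14) & 0x3;  /* 0 = FILE_ANY_ACCESS  */
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;          /* 0 = METHOD_BUFFERED  */
    return f;
}

/* DISK_GEOMETRY as written to OutBuffer: 0x18 bytes, little-endian. */
typedef struct {
    int64_t  cylinders;            /* offset 0x00 */
    uint32_t media_type;           /* offset 0x08 */
    uint32_t tracks_per_cylinder;  /* offset 0x0C */
    uint32_t sectors_per_track;    /* offset 0x10 */
    uint32_t bytes_per_sector;     /* offset 0x14 */
} disk_geometry;
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Returns 0 on success, -1 when fewer than 0x18 bytes were returned. */
int parse_disk_geometry(const uint8_t *out, uint32_t returned, disk_geometry *g) {
    if (returned < 0x18) return -1;
    g->cylinders = (int64_t)(le32(out) | (uint64_t)le32(out + 4) << 32);
    g->media_type          = le32(out + 0x08);
    g->tracks_per_cylinder = le32(out + 0x0C);
    g->sectors_per_track   = le32(out + 0x10);
    g->bytes_per_sector    = le32(out + 0x14);
    return 0;
}

/* OutBuffer = [esp+50] after three pushes; after the stdcall return it is esp+0x44. */
int outbuffer_offset(unsigned esp_disp) { return (int)esp_disp - 0x44; }
/* Constructed sample reply: 1024 cylinders, media type 12 (FixedMedia), 255/63/512. */
const uint8_t SAMPLE[24] = { 0x00,0x04,0,0, 0,0,0,0, 12,0,0,0,
                             255,0,0,0, 63,0,0,0, 0x00,0x02,0,0 };

int main(void) {
    disk_geometry g;
    ioctl_fields f = decode_ioctl(0x70000);
    if (parse_disk_geometry(SAMPLE, sizeof SAMPLE, &g)) return 1;
    printf("type=%u func=%u [esp+50]=+0x%X tracks/cyl=%u\n", f.device_type,
           f.function, (unsigned)outbuffer_offset(0x50), g.tracks_per_cylinder);
    return 0;
}
```

On Windows, hDevice is the handle returned by CreateFile (as the documentation quoted earlier in the thread states), while OutBuffer and pBytesReturned are the addresses of a caller-allocated DISK_GEOMETRY and a caller-declared DWORD.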
7
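The help for the APIs is all in MSDN. If you can't read English you're in trouble, because all the API documentation is in English. How can you program if you can't read it? Better to learn English first.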
2006-7-18 19:08
0
8
Partial list of device control options (see the DeviceIoControl function)

Operation
    Parameter          Set to ...

Dismount a volume
    dwIoControlCode    FSCTL_DISMOUNT_VOLUME
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        ByVal 0
    nOutBufferSize     0

Get the compression attribute of a volume
    dwIoControlCode    FSCTL_GET_COMPRESSION
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        An Integer variable that receives a constant with the COMPRESSION_VALUE_??? prefix
    nOutBufferSize     2

Lock a volume
    dwIoControlCode    FSCTL_LOCK_VOLUME
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        ByVal 0
    nOutBufferSize     0

Set the compression attribute of a volume
    dwIoControlCode    FSCTL_SET_COMPRESSION
    lpInBuffer         An Integer variable holding a constant with the COMPRESSION_VALUE_??? prefix
    nInBufferSize      2
    lpOutBuffer        ByVal 0
    nOutBufferSize     0
    lpBytesReturned    A Long variable that receives the result of the operation

Unlock a volume
    dwIoControlCode    FSCTL_UNLOCK_VOLUME
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        ByVal 0
    nOutBufferSize     0

Verify that the media in a removable-media device is present and readable
    dwIoControlCode    IOCTL_DISK_CHECK_VERIFY
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        ByVal 0
    nOutBufferSize     0
    Return value       TRUE if the device can be accessed and the media is present

Eject the media from a SCSI device
    dwIoControlCode    IOCTL_DISK_EJECT_MEDIA
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        ByVal 0
    nOutBufferSize     0

Format tracks on the device
    dwIoControlCode    IOCTL_DISK_FORMAT_TRACKS
    lpInBuffer         A FORMAT_PARAMETERS structure containing information about the tracks to format
    nInBufferSize      Length of the FORMAT_PARAMETERS structure
    lpOutBuffer        ByVal 0
    nOutBufferSize     0

Determine the properties of a device
    dwIoControlCode    IOCTL_DISK_GET_DRIVE_GEOMETRY
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        A DISK_GEOMETRY structure that receives information about the disk drive
    nOutBufferSize     Length of the DISK_GEOMETRY structure

Determine the partition layout of a drive
    dwIoControlCode    IOCTL_DISK_GET_DRIVE_LAYOUT
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        A DRIVE_LAYOUT_INFORMATION structure followed by one or more PARTITION_INFORMATION structures, receiving information about the drive layout
    nOutBufferSize     Size of the allocated buffer

Determine the media types supported by a drive
    dwIoControlCode    IOCTL_DISK_GET_MEDIA_TYPES
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        An array of DISK_GEOMETRY structures that receives information about the media the drive supports
    nOutBufferSize     Length of the output buffer

Get information about a partition
    dwIoControlCode    IOCTL_DISK_GET_PARTITION_INFO
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        A PARTITION_INFORMATION structure that receives information about the partition
    nOutBufferSize     Size of the allocated buffer

Load media into the device
    dwIoControlCode    IOCTL_DISK_LOAD_MEDIA
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        ByVal 0
    nOutBufferSize     0

Allow or prevent media removal
    dwIoControlCode    IOCTL_DISK_MEDIA_REMOVAL
    lpInBuffer         A PREVENT_MEDIA_REMOVAL structure whose contents determine whether media removal is allowed or prevented
    nInBufferSize      Length of the PREVENT_MEDIA_REMOVAL structure
    lpOutBuffer        ByVal 0
    nOutBufferSize     0

Determine the performance of a drive
    dwIoControlCode    IOCTL_DISK_PERFORMANCE
    lpInBuffer         ByVal 0
    nInBufferSize      0
    lpOutBuffer        A DISK_PERFORMANCE structure that receives information about drive performance
    nOutBufferSize     Size of the allocated buffer

Control the appearance of modem status data in the data stream
    dwIoControlCode    IOCTL_SERIAL_LSRMST_INSERT
    lpInBuffer         A Byte variable. If nonzero, the escape character is used. If zero, internal status is not shown
    nInBufferSize      1
    lpOutBuffer        ByVal 0
    nOutBufferSize     0
2006-10-9 18:17
0