1: kd> dv
DeviceObject = 0x895a5038 Device for "\FileSystem\Npfs"
Irp = 0x8979be28
FileObject = 0x8981a0d0
DeferredIoCompletion = 0x01 ''
RequestorMode = 0n1 ''
SynchronousIo = 0x00 ''
TransferType = OtherTransfer (0n2)
第一部分:IopQueueThreadIrp( Irp );
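/*
 * IopQueueThreadIrp( Irp )
 *
 * Link Irp onto the owning thread's IRP list (Irp->Tail.Overlay.Thread->IrpList),
 * inserting at the head.  The insertion is bracketed by a raise to APC_LEVEL
 * and a restore of the previous IRQL, so it runs with normal kernel APCs held
 * off; presumably that is what serializes this list against the thread's own
 * IRP-list walkers (e.g. cancellation on thread exit) -- confirm against the
 * other users of Thread->IrpList.
 *
 * Irp must be a valid IRP whose Tail.Overlay.Thread is already set (it is
 * dereferenced unconditionally here).
 *
 * Wrapped in do { ... } while (0) so the macro behaves as a single statement:
 * the brace-only form left a stray ';' after expansion, which breaks an
 * unbraced 'if (...) IopQueueThreadIrp( Irp ); else ...'.  The argument is
 * parenthesized so an expression can be passed safely.
 */
#define IopQueueThreadIrp( Irp )                                            \
    do {                                                                    \
        KIRQL irql;                                                         \
        KeRaiseIrql( (KIRQL)APC_LEVEL, &irql );                             \
        InsertHeadList( &(Irp)->Tail.Overlay.Thread->IrpList,               \
                        &(Irp)->ThreadListEntry );                          \
        KeLowerIrql( irql );                                                \
    } while (0)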
1: kd> dt eTHREAD 8981f740
+0x218 IrpList : _LIST_ENTRY [ 0x8981f958 - 0x8981f958 ]
1: kd> dx -id 0,0,89838358 -r1 (*((ntdll!_LIST_ENTRY *)0x8981f958))
(*((ntdll!_LIST_ENTRY *)0x8981f958)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8981f958 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8981f958 [Type: _LIST_ENTRY *]
变为:
1: kd> dx -id 0,0,89838358 -r1 (*((ntdll!_LIST_ENTRY *)0x8981f958))
(*((ntdll!_LIST_ENTRY *)0x8981f958)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8979be38 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8979be38 [Type: _LIST_ENTRY *]
1: kd> dx -r1 -nv (*((ntkrnlmp!_IRP *)0x8979be28))
(*((ntkrnlmp!_IRP *)0x8979be28)) [Type: _IRP]
[+0x000] Type : 6 [Type: short]
[+0x002] Size : 0x94 [Type: unsigned short]
[+0x004] MdlAddress : 0x0 [Type: _MDL *]
[+0x008] Flags : 0x800 [Type: unsigned long]
[+0x00c] AssociatedIrp [Type: __unnamed]
[+0x010] ThreadListEntry [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x8979be38))
(*((ntkrnlmp!_LIST_ENTRY *)0x8979be38)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8979be38 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8979be38 [Type: _LIST_ENTRY *]
变为:
1: kd> dx -r1 -nv (*((ntkrnlmp!_IRP *)0x8979be28))
(*((ntkrnlmp!_IRP *)0x8979be28)) [Type: _IRP]
[+0x000] Type : 6 [Type: short]
[+0x002] Size : 0x94 [Type: unsigned short]
[+0x004] MdlAddress : 0x0 [Type: _MDL *]
[+0x008] Flags : 0x800 [Type: unsigned long]
[+0x00c] AssociatedIrp [Type: __unnamed]
[+0x010] ThreadListEntry [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x8979be38))
(*((ntkrnlmp!_LIST_ENTRY *)0x8979be38)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8981f958 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8981f958 [Type: _LIST_ENTRY *]
第二部分:IopUpdateOtherOperationCount
VOID
IopUpdateOtherOperationCount(
    VOID
    )

/*++

Routine Description:

    Bumps the "other" (non-read, non-write) I/O operation statistics, both
    the system-wide tally and the one charged to the current process.
    Nothing happens unless the global IoCountOperations switch is TRUE.

Arguments:

    None.

Return Value:

    None.

--*/

{
    //
    // Counting is optional; leave immediately when it is switched off.
    //
    if (IoCountOperations != TRUE) {
        return;
    }

    //
    // System-wide tally.  This is a plain read-modify-write, unlike the
    // per-process field below which goes through an interlocked helper;
    // two callers racing here could lose an update.  It is only a
    // statistic, so presumably that is tolerated -- confirm.
    //
    IoOtherOperationCount += 1;

    //
    // Per-process tally, charged to the process owning the calling thread.
    //
    ExInterlockedAddLargeStatistic(
        &THREAD_TO_PROCESS( PsGetCurrentThread() )->OtherOperationCount,
        1
        );
}
1: kd> x nt!IoCountOperations
80b0e288 nt!IoCountOperations = 1
1: kd> x nt!IoOtherOperationCount
80b1eea8 nt!IoOtherOperationCount = 0x286d
1: kd> dt ePROCESS 0x89838358
ntdll!EPROCESS
+0x198 ReadOperationCount : _LARGE_INTEGER 0x97
+0x1a0 WriteOperationCount : _LARGE_INTEGER 0x27
+0x1a8 OtherOperationCount : _LARGE_INTEGER 0x4af
变为:
1: kd> dt ePROCESS 0x89838358
+0x198 ReadOperationCount : _LARGE_INTEGER 0x97
+0x1a0 WriteOperationCount : _LARGE_INTEGER 0x27
+0x1a8 OtherOperationCount : _LARGE_INTEGER 0x4b0
1: kd> x nt!IoOtherOperationCount
80b1eea8 nt!IoOtherOperationCount = 0x286e
第三部分:IopfCallDriver函数分析,重要
1: kd> t
nt!IopSynchronousServiceTail+0x152:
80c70be6 8bd6 mov edx,esi
1: kd> t
nt!IopSynchronousServiceTail+0x154:
80c70be8 e80d5bdbff call nt!IofCallDriver (80a266fa)
1: kd> kc 9
#
00 nt!IofCallDriver
01 nt!IopSynchronousServiceTail
02 nt!IopXxxControlFile
03 nt!NtFsControlFile
04 nt!_KiSystemService
05 SharedUserData!SystemCallStub
06 ntdll!ZwFsControlFile
07 kernel32!TransactNamedPipe
08 RPCRT4!NMP_SyncSendRecv
NTSTATUS
FORCEINLINE
IopfCallDriver(
    IN PDEVICE_OBJECT DeviceObject,
    IN OUT PIRP Irp
    )

/*++

Routine Description:

    Hands Irp to the driver that owns DeviceObject by invoking the dispatch
    routine selected by the next stack location's MajorFunction.  Before the
    call the IRP is advanced one stack location, and that location is stamped
    with DeviceObject so it can be found again at completion time.

Arguments:

    DeviceObject - the device the request is being sent to.

    Irp - the request.  Must have Type == IO_TYPE_IRP (asserted) and at least
          one unused stack location remaining.

Return Value:

    Whatever the driver's dispatch routine returns.

    Bugchecks with NO_MORE_IRP_STACK_LOCATIONS when the IRP has no stack
    location left to advance into.

--*/

{
    PIO_STACK_LOCATION nextSp;
    PDRIVER_OBJECT     driver;

    ASSERT( Irp->Type == IO_TYPE_IRP );

    //
    // Consume one stack location.  The decrement happens before the check,
    // so an IRP whose CurrentLocation was already 1 (or less) is fatal.
    //
    Irp->CurrentLocation -= 1;
    if (Irp->CurrentLocation <= 0) {
        KeBugCheckEx( NO_MORE_IRP_STACK_LOCATIONS, (ULONG_PTR) Irp, 0, 0, 0 );
    }

    //
    // Order matters: the next location is looked up first, then recorded as
    // the current one.
    //
    nextSp = IoGetNextIrpStackLocation( Irp );
    Irp->Tail.Overlay.CurrentStackLocation = nextSp;

    //
    // Stamp the target device into the stack location for use at completion.
    //
    nextSp->DeviceObject = DeviceObject;

    //
    // NOTE(review): nothing in this listing takes a reference on the driver
    // object before dispatching, although the original carried a "prevent
    // the driver from unloading" comment with no matching code; this excerpt
    // may be abridged -- confirm against the full source.
    //
    driver = DeviceObject->DriverObject;
    return driver->MajorFunction[nextSp->MajorFunction]( DeviceObject, Irp );
}
1: kd> t
nt!IofCallDriver+0x5d:
80a26757 57 push edi
1: kd> t
nt!IofCallDriver+0x5e:
80a26758 ff548138 call dword ptr [ecx+eax*4+38h]
1: kd> r
eax=0000000d ebx=00000000 ecx=8953dd20 edx=8979be28 esi=8979be28 edi=895a5038
eip=80a26758 esp=ba18ec28 ebp=ba18ec3c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
1: kd> dt IO_STACK_LOCATION 8979be98
GDI32!IO_STACK_LOCATION
+0x000 MajorFunction : 0xd ''
+0x001 MinorFunction : 0 ''
+0x002 Flags : 0x5 ''
+0x003 Control : 0 ''
+0x004 Parameters : __unnamed
+0x014 DeviceObject : 0x895a5038 _DEVICE_OBJECT
+0x018 FileObject : 0x8981a0d0 _FILE_OBJECT
+0x01c CompletionRoutine : (null)
+0x020 Context : (null)
1: kd> dx -id 0,0,89838358 -r1 ((GDI32!_DEVICE_OBJECT *)0x895a5038)
((GDI32!_DEVICE_OBJECT *)0x895a5038) : 0x895a5038 : Device for "\FileSystem\Npfs" [Type: _DEVICE_OBJECT *]
[<Raw View>] [Type: _DEVICE_OBJECT]
Flags : 0x240
UpperDevices : None
LowerDevices
Driver : 0x8953dd20 : Driver "\FileSystem\Npfs" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,89838358 -r1 -nv (*((GDI32!_DEVICE_OBJECT *)0x895a5038))
(*((GDI32!_DEVICE_OBJECT *)0x895a5038)) : Device for "\FileSystem\Npfs" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x140 [Type: unsigned short]
[+0x004] ReferenceCount : 113 [Type: long]
[+0x008] DriverObject : 0x8953dd20 : Driver "\FileSystem\Npfs" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x0 [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x0 [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x240 [Type: unsigned long]
[+0x020] Characteristics : 0x0 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x895a50f0 [Type: void *]
[+0x02c] DeviceType : 0x11 [Type: unsigned long]
[+0x030] StackSize : 1 [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0xe1294580 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x0 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x895a5178 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
1: kd> dx -id 0,0,89838358 -r1 ((GDI32!_DRIVER_OBJECT *)0x8953dd20)
((GDI32!_DRIVER_OBJECT *)0x8953dd20) : 0x8953dd20 : Driver "\FileSystem\Npfs" [Type: _DRIVER_OBJECT *]
[<Raw View>] [Type: _DRIVER_OBJECT]
HardwareDatabase : 0x80e3c260 : "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" [Type: _UNICODE_STRING *]
DeviceObject : 0x895a5038 : Device for "\FileSystem\Npfs" [Type: _DEVICE_OBJECT *]
Flags : 0x12
Devices
1: kd> dx -id 0,0,89838358 -r1 -nv (*((GDI32!_DRIVER_OBJECT *)0x8953dd20))
(*((GDI32!_DRIVER_OBJECT *)0x8953dd20)) : Driver "\FileSystem\Npfs" [Type: _DRIVER_OBJECT]
[+0x000] Type : 4 [Type: short]
[+0x002] Size : 168 [Type: short]
[+0x004] DeviceObject : 0x895a5038 : Device for "\FileSystem\Npfs" [Type: _DEVICE_OBJECT *]
[+0x008] Flags : 0x12 [Type: unsigned long]
[+0x00c] DriverStart : 0xbaae8000 [Type: void *]
[+0x010] DriverSize : 0x11000 [Type: unsigned long]
[+0x014] DriverSection : 0x8984cc50 [Type: void *]
[+0x018] DriverExtension : 0x8953ddc8 [Type: _DRIVER_EXTENSION *]
[+0x01c] DriverName [Type: _UNICODE_STRING]
[+0x024] HardwareDatabase : 0x80e3c260 : "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" [Type: _UNICODE_STRING *]
[+0x028] FastIoDispatch : 0xbaaeb008 [Type: _FAST_IO_DISPATCH *]
[+0x02c] DriverInit : 0xbaaf6737 [Type: long (*)(_DRIVER_OBJECT *,_UNICODE_STRING *)]
[+0x030] DriverStartIo : 0x0 [Type: void (*)(_DEVICE_OBJECT *,_IRP *)]
[+0x034] DriverUnload : 0xbaaf2262 [Type: void (*)(_DRIVER_OBJECT *)]
[+0x038] MajorFunction [Type: long (* [28])(_DEVICE_OBJECT *,_IRP *)]
1: kd> dx -id 0,0,89838358 -r1 (*((GDI32!long (*(*)[28])(_DEVICE_OBJECT *,_IRP *))0x8953dd58))
(*((GDI32!long (*(*)[28])(_DEVICE_OBJECT *,_IRP *))0x8953dd58)) [Type: long (* [28])(_DEVICE_OBJECT *,_IRP *)]
[0] : 0xbaaecba6 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[1] : 0xbaaed2f4 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[2] : 0xbaaec772 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[3] : 0xbaaf2892 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[4] : 0xbaaf522a [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[5] : 0xbaaef9e8 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[6] : 0xbaaefb62 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[7] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[8] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[9] : 0xbaaefff6 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[10] : 0xbaaf4bca [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[11] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[12] : 0xbaaeec1c [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[13] : 0xbaaf2148 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)] //eax=0000000d
[14] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[15] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[16] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[17] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[18] : 0xbaaec4e8 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[19] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[20] : 0xbaaf35f8 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[21] : 0xbaaf3772 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[22] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[23] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[24] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[25] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[26] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
[27] : 0x80a2b404 [Type: long (*)(_DEVICE_OBJECT *,_IRP *)]
1: kd> t
nt!IofCallDriver+0x5e:
80a26758 ff548138 call dword ptr [ecx+eax*4+38h]
1: kd> r
eax=0000000d ebx=00000000 ecx=8953dd20
ecx=8953dd20
[+0x038] MajorFunction
1: kd> u baaf2148
Npfs!NpFsdFileSystemControl [d:\srv03rtm\base\fs\npfs\fsctrl.c @ 83]:
baaf2148 55 push ebp
baaf2149 8bec mov ebp,esp
baaf214b 51 push ecx
baaf214c 56 push esi
baaf214d 8b3504a0aeba mov esi,dword ptr [Npfs!_imp__KeGetCurrentIrql (baaea004)]
baaf2153 57 push edi
baaf2154 ffd6 call esi
baaf2156 3c01 cmp al,1