且行且记录
Mapping AFD DeviceIoControl control codes to their handler functions

2013-03-21 13:47:40 | Category: Debugging notes

List the afd module:

kd> lm m afd
start    end        module name
f7fac000 f7fcdd00   afd        (deferred)            

Look up the driver object:
kd> !drvobj afd
Driver object (82144da0) is for:
 \Driver\AFD
Driver Extension List: (id , addr)

Device Object list:
821424d8 

Dump the driver object:
kd> dt _DRIVER_OBJECT 82144da0
ntdll!_DRIVER_OBJECT
   +0x000 Type             : 4
   +0x002 Size             : 168
   +0x004 DeviceObject     : 0x821424d8 _DEVICE_OBJECT
   +0x008 Flags            : 0x12
   +0x00c DriverStart      : 0xf7fac000
   +0x010 DriverSize       : 0x21d00
   +0x014 DriverSection    : 0x8224a110
   +0x018 DriverExtension  : 0x82144e48 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING "\Driver\AFD"
   +0x024 HardwareDatabase : 0x80690e10 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
   +0x028 FastIoDispatch   : 0xf7fae030 _FAST_IO_DISPATCH
   +0x02c DriverInit       : 0xf7fc9f40     long  afd!GsDriverEntry+0
   +0x030 DriverStartIo    : (null)
   +0x034 DriverUnload     : 0xf7fb34a0     void  afd!AfdUnload+0
   +0x038 MajorFunction    : [28] 0xf7fb7d50     long  afd!AfdDispatch+0

The dispatch routine we want is entry 0xe of MajorFunction (IRP_MJ_DEVICE_CONTROL):

kd> dds 82144da0+38+0e*4

...

82144e10  f7fb7290 afd!AfdDispatchDeviceControl

...


That function disassembles as follows:

afd!AfdDispatchDeviceControl:
f7fb7290 8bff            mov     edi,edi
f7fb7292 55              push    ebp
f7fb7293 8bec            mov     ebp,esp
f7fb7295 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
f7fb7298 8b5160          mov     edx,dword ptr [ecx+60h]
f7fb729b 56              push    esi
f7fb729c 57              push    edi
f7fb729d 8b7a0c          mov     edi,dword ptr [edx+0Ch]
f7fb72a0 8bc7            mov     eax,edi
f7fb72a2 c1e802          shr     eax,2
f7fb72a5 25ff030000      and     eax,3FFh
f7fb72aa 83f846          cmp     eax,46h <--- number of table entries
f7fb72ad 0f8340690000    jae     afd!AfdDispatchDeviceControl+0x3d (f7fbdbf3)

afd!AfdDispatchDeviceControl+0x1f:
f7fb72b3 8bf0            mov     esi,eax
f7fb72b5 c1e602          shl     esi,2
f7fb72b8 39bea0e0faf7    cmp     dword ptr afd!AfdIoctlTable (f7fae0a0)[esi],edi <--- control code table at f7fae0a0
f7fb72be 0f852f690000    jne     afd!AfdDispatchDeviceControl+0x3d (f7fbdbf3)

afd!AfdDispatchDeviceControl+0x2c:
f7fb72c4 884201          mov     byte ptr [edx+1],al
f7fb72c7 8bb6b8e1faf7    mov     esi,dword ptr afd!AfdIrpCallDispatch (f7fae1b8)[esi] <--- handler table at f7fae1b8
f7fb72cd 85f6            test    esi,esi
f7fb72cf 0f841e690000    je      afd!AfdDispatchDeviceControl+0x3d (f7fbdbf3)

afd!AfdDispatchDeviceControl+0x39:
f7fb72d5 ffd6            call    esi

afd!AfdDispatchDeviceControl+0x53:
f7fb72d7 5f              pop     edi
f7fb72d8 5e              pop     esi
f7fb72d9 5d              pop     ebp
f7fb72da c20800          ret     8

afd!AfdDispatchDeviceControl+0x3d:
f7fbdbf3 be100000c0      mov     esi,0C0000010h
f7fbdbf8 897118          mov     dword ptr [ecx+18h],esi
f7fbdbfb 8a1511e0faf7    mov     dl,byte ptr [afd!AfdPriorityBoost (f7fae011)]
f7fbdc01 ff15acd5faf7    call    dword ptr [afd!_imp_IofCompleteRequest (f7fad5ac)]
f7fbdc07 8bc6            mov     eax,esi
f7fbdc09 e9c996ffff      jmp     afd!AfdDispatchDeviceControl+0x53 (f7fb72d7)

Dumping the two tables gives:

kd> dds f7fae0a0 l46
f7fae0a0  00012003
f7fae0a4  00012007
f7fae0a8  0001200b
f7fae0ac  0001200c
f7fae0b0  00012010
f7fae0b4  00012017
f7fae0b8  0001201b
f7fae0bc  0001201f
f7fae0c0  00012023
f7fae0c4  00012024
f7fae0c8  0001202b
f7fae0cc  0001202f
f7fae0d0  00012033
f7fae0d4  00012037
f7fae0d8  0001203b
f7fae0dc  0001203f
f7fae0e0  00012043
f7fae0e4  00012047
f7fae0e8  0001204b
f7fae0ec  0001204f
f7fae0f0  00012053
f7fae0f4  00012057
f7fae0f8  0001205b
f7fae0fc  0001205f
f7fae100  00012063
f7fae104  00012067
f7fae108  0001206b
f7fae10c  0001206f
f7fae110  00012073
f7fae114  00012077
f7fae118  0001207b
f7fae11c  0001207f
f7fae120  00012083
f7fae124  00012087
f7fae128  0001208b
f7fae12c  0001208c
f7fae130  00012090
f7fae134  00012094
f7fae138  00012098
f7fae13c  0001209f
f7fae140  000120a0
f7fae144  000120a7
f7fae148  000120ab
f7fae14c  000120ac
f7fae150  000120b3
f7fae154  000120b4
f7fae158  000120bb
f7fae15c  00000000
f7fae160  000120c3
f7fae164  000120c7
f7fae168  000120cb
f7fae16c  000120cf
f7fae170  000120d3
f7fae174  000120d7
f7fae178  000120db
f7fae17c  000120de
f7fae180  000120e3
f7fae184  000120e7
f7fae188  000120eb
f7fae18c  000120ef
f7fae190  000120f3
f7fae194  000120f7
f7fae198  000120fb
f7fae19c  000120ff
f7fae1a0  00012103
f7fae1a4  00012107
f7fae1a8  00012108
f7fae1ac  0001210c
f7fae1b0  00012113
f7fae1b4  00012117


kd> dds f7fae1b8 l46
f7fae1b8  f7fb044d afd!AfdBind
f7fae1bc  f7fafc55 afd!AfdConnect
f7fae1c0  f7facbff afd!AfdDispatchImmediateIrp
f7fae1c4  f7fc25ec afd!AfdWaitForListen
f7fae1c8  f7fc1062 afd!AfdAccept
f7fae1cc  f7fb9513 afd!AfdReceive
f7fae1d0  f7fbb2a9 afd!AfdReceiveDatagram
f7fae1d4  f7fbb969 afd!AfdSend
f7fae1d8  f7fc5e48 afd!AfdSendDatagram
f7fae1dc  f7fb7a24 afd!AfdPoll
f7fae1e0  f7facbff afd!AfdDispatchImmediateIrp
f7fae1e4  f7fb02cb afd!AfdGetAddress
f7fae1e8  f7facbff afd!AfdDispatchImmediateIrp
f7fae1ec  f7facbff afd!AfdDispatchImmediateIrp
f7fae1f0  f7facbff afd!AfdDispatchImmediateIrp
f7fae1f4  f7facbff afd!AfdDispatchImmediateIrp
f7fae1f8  f7facbff afd!AfdDispatchImmediateIrp
f7fae1fc  f7facbff afd!AfdDispatchImmediateIrp
f7fae200  f7facbff afd!AfdDispatchImmediateIrp
f7fae204  f7facbff afd!AfdDispatchImmediateIrp
f7fae208  f7facbff afd!AfdDispatchImmediateIrp
f7fae20c  f7facbff afd!AfdDispatchImmediateIrp
f7fae210  f7facbff afd!AfdDispatchImmediateIrp
f7fae214  f7facbff afd!AfdDispatchImmediateIrp
f7fae218  f7facbff afd!AfdDispatchImmediateIrp
f7fae21c  f7facbff afd!AfdDispatchImmediateIrp
f7fae220  f7facbff afd!AfdDispatchImmediateIrp
f7fae224  f7facbff afd!AfdDispatchImmediateIrp
f7fae228  f7facbff afd!AfdDispatchImmediateIrp
f7fae22c  f7facbff afd!AfdDispatchImmediateIrp
f7fae230  f7facbff afd!AfdDispatchImmediateIrp
f7fae234  f7fb5798 afd!AfdTransmitFile
f7fae238  f7fbac79 afd!AfdSuperAccept
f7fae23c  f7facbff afd!AfdDispatchImmediateIrp
f7fae240  f7facbff afd!AfdDispatchImmediateIrp
f7fae244  f7fc0b89 afd!AfdDeferAccept
f7fae248  f7fc25ec afd!AfdWaitForListen
f7fae24c  f7fc3572 afd!AfdSetQos
f7fae250  f7fb392f afd!AfdGetQos
f7fae254  f7fb3dfb afd!AfdNoOperation
f7fae258  f7fc41a6 afd!AfdValidateGroup
f7fae25c  f7facbff afd!AfdDispatchImmediateIrp
f7fae260  f7facbff afd!AfdDispatchImmediateIrp
f7fae264  f7facf6d afd!AfdRoutingInterfaceChange
f7fae268  f7facbff afd!AfdDispatchImmediateIrp
f7fae26c  f7fba90f afd!AfdAddressListChange
f7fae270  f7fb2c9d afd!AfdJoinLeaf
f7fae274  00000000
f7fae278  f7fb5cb4 afd!AfdTransmitPackets
f7fae27c  f7fb28e6 afd!AfdSuperConnect
f7fae280  f7fad0d9 afd!AfdSuperDisconnect
f7fae284  f7fbb2a9 afd!AfdReceiveDatagram
f7fae288  f7facbff afd!AfdDispatchImmediateIrp
f7fae28c  f7facbff afd!AfdDispatchImmediateIrp
f7fae290  f7facbff afd!AfdDispatchImmediateIrp
f7fae294  f7fc7e24 afd!AfdSanConnectHandler
f7fae298  f7facbff afd!AfdDispatchImmediateIrp
f7fae29c  f7facbff afd!AfdDispatchImmediateIrp
f7fae2a0  f7facbff afd!AfdDispatchImmediateIrp
f7fae2a4  f7facbff afd!AfdDispatchImmediateIrp
f7fae2a8  f7facbff afd!AfdDispatchImmediateIrp
f7fae2ac  f7fc9694 afd!AfdSanAcquireContext
f7fae2b0  f7facbff afd!AfdDispatchImmediateIrp
f7fae2b4  f7facbff afd!AfdDispatchImmediateIrp
f7fae2b8  f7facbff afd!AfdDispatchImmediateIrp
f7fae2bc  f7facbff afd!AfdDispatchImmediateIrp
f7fae2c0  f7fb6b22 afd!AfdSanAddrListChange
f7fae2c4  f7fba209 afd!AfdSocketCloseNotify
f7fae2c8  f7facbff afd!AfdDispatchImmediateIrp
f7fae2cc  f7fb3ec6 afd!AfdQueryFirewallSocketAddress

Pick out the entries whose control code ends in 3, 7, B or F. The low two bits of an I/O control code encode the transfer method, and a value of 3 there is METHOD_NEITHER, the mode in which the driver receives raw user-mode pointers and has to validate them itself.

Paired up into control code / handler form with Excel:

00012003 afd!AfdBind
00012007 afd!AfdConnect
0001200b afd!AfdDispatchImmediateIrp
00012017 afd!AfdReceive
0001201b afd!AfdReceiveDatagram
0001201f afd!AfdSend
00012023 afd!AfdSendDatagram
0001202b afd!AfdDispatchImmediateIrp
0001202f afd!AfdGetAddress
00012033 afd!AfdDispatchImmediateIrp
00012037 afd!AfdDispatchImmediateIrp
0001203b afd!AfdDispatchImmediateIrp
0001203f afd!AfdDispatchImmediateIrp
00012043 afd!AfdDispatchImmediateIrp
00012047 afd!AfdDispatchImmediateIrp
0001204b afd!AfdDispatchImmediateIrp
0001204f afd!AfdDispatchImmediateIrp
00012053 afd!AfdDispatchImmediateIrp
00012057 afd!AfdDispatchImmediateIrp
0001205b afd!AfdDispatchImmediateIrp
0001205f afd!AfdDispatchImmediateIrp
00012063 afd!AfdDispatchImmediateIrp
00012067 afd!AfdDispatchImmediateIrp
0001206b afd!AfdDispatchImmediateIrp
0001206f afd!AfdDispatchImmediateIrp
00012073 afd!AfdDispatchImmediateIrp
00012077 afd!AfdDispatchImmediateIrp
0001207b afd!AfdDispatchImmediateIrp
0001207f afd!AfdTransmitFile
00012083 afd!AfdSuperAccept
00012087 afd!AfdDispatchImmediateIrp
0001208b afd!AfdDispatchImmediateIrp
0001209f afd!AfdNoOperation
000120a7 afd!AfdDispatchImmediateIrp
000120ab afd!AfdDispatchImmediateIrp
000120b3 afd!AfdDispatchImmediateIrp
000120bb afd!AfdJoinLeaf
000120c3 afd!AfdTransmitPackets
000120c7 afd!AfdSuperConnect
000120cb afd!AfdSuperDisconnect
000120cf afd!AfdReceiveDatagram
000120d3 afd!AfdDispatchImmediateIrp
000120d7 afd!AfdDispatchImmediateIrp
000120db afd!AfdDispatchImmediateIrp
000120e3 afd!AfdDispatchImmediateIrp
000120e7 afd!AfdDispatchImmediateIrp
000120eb afd!AfdDispatchImmediateIrp
000120ef afd!AfdDispatchImmediateIrp
000120f3 afd!AfdDispatchImmediateIrp
000120f7 afd!AfdSanAcquireContext
000120fb afd!AfdDispatchImmediateIrp
000120ff afd!AfdDispatchImmediateIrp
00012103 afd!AfdDispatchImmediateIrp
00012107 afd!AfdDispatchImmediateIrp
00012113 afd!AfdDispatchImmediateIrp
00012117 afd!AfdQueryFirewallSocketAddress

After removing duplicates, only the following functions need to be looked at:

afd!AfdBind
afd!AfdConnect
afd!AfdDispatchImmediateIrp
afd!AfdReceive
afd!AfdReceiveDatagram
afd!AfdSend
afd!AfdSendDatagram
afd!AfdGetAddress
afd!AfdTransmitFile
afd!AfdSuperAccept
afd!AfdNoOperation
afd!AfdJoinLeaf
afd!AfdTransmitPackets
afd!AfdSuperConnect
afd!AfdSuperDisconnect
afd!AfdSanAcquireContext
afd!AfdQueryFirewallSocketAddress
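The lookup performed by afd!AfdDispatchDeviceControl and the table pairing/filtering done above in Excel, as an added Python example (not code from the post or from afd.sys); it embeds only the first twelve entries of each table, copied from the dds dumps above, so the bound check uses the excerpt length where the driver compares against 0x46.

```python
# Added example (not code from the original post): a Python model of the
# afd!AfdDispatchDeviceControl lookup disassembled above, plus the table
# pairing the post did in Excel. Values are copied from the page's dds dumps;
# only indices 0..11 are embedded, so the bound check uses len() where the
# real driver compares the index against 0x46.
STATUS_INVALID_DEVICE_REQUEST = 0xC0000010
METHOD_NAMES = ("METHOD_BUFFERED", "METHOD_IN_DIRECT",
                "METHOD_OUT_DIRECT", "METHOD_NEITHER")

# afd!AfdIoctlTable (dds f7fae0a0) and afd!AfdIrpCallDispatch (dds f7fae1b8):
# entry i of the first table is served by entry i of the second.
AFD_IOCTL_TABLE = [0x00012003, 0x00012007, 0x0001200B, 0x0001200C,
                   0x00012010, 0x00012017, 0x0001201B, 0x0001201F,
                   0x00012023, 0x00012024, 0x0001202B, 0x0001202F]
AFD_IRP_CALL_DISPATCH = [
    "afd!AfdBind", "afd!AfdConnect", "afd!AfdDispatchImmediateIrp",
    "afd!AfdWaitForListen", "afd!AfdAccept", "afd!AfdReceive",
    "afd!AfdReceiveDatagram", "afd!AfdSend", "afd!AfdSendDatagram",
    "afd!AfdPoll", "afd!AfdDispatchImmediateIrp", "afd!AfdGetAddress"]


def decode_ioctl(code):
    """Split a CTL_CODE value into its DeviceType, Access, Function, Method."""
    return {"device_type": (code >> 16) & 0xFFFF,
            "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF,
            "method": METHOD_NAMES[code & 0x3]}


def afd_dispatch(ioctl):
    """Mirror the disassembly. Returns (status, handler): status is None when a
    handler was selected, else STATUS_INVALID_DEVICE_REQUEST as the driver sets."""
    index = (ioctl >> 2) & 0x3FF                 # shr eax,2 / and eax,3FFh
    if index >= len(AFD_IOCTL_TABLE):            # cmp eax,46h / jae fail
        return STATUS_INVALID_DEVICE_REQUEST, None
    if AFD_IOCTL_TABLE[index] != ioctl:          # cmp AfdIoctlTable[esi],edi / jne
        return STATUS_INVALID_DEVICE_REQUEST, None   # method/access bits must match
    handler = AFD_IRP_CALL_DISPATCH[index]       # mov esi,AfdIrpCallDispatch[esi]
    if not handler:                              # test esi,esi / je fail (null slots)
        return STATUS_INVALID_DEVICE_REQUEST, None
    return None, handler                         # call esi


def method_neither_handlers():
    """Pair both tables, keep codes ending in 3/7/B/F, drop duplicate handlers."""
    seen = []
    for code, handler in zip(AFD_IOCTL_TABLE, AFD_IRP_CALL_DISPATCH):
        if code & 0x3 == 3 and handler and handler not in seen:
            seen.append(handler)
    return seen
```

The exact-match check against AfdIoctlTable is what stops a caller from reaching a handler with a different transfer method or access mask than the one the driver registered (0x12000 is rejected even though it indexes the same slot as 0x12003).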
