Kayaker
January 20th, 2011, 01:16
Hi
This started as a simple 1 line reply, but then I wanted to see where it led, so bear with me.
One way might be breaking on IRP_MJ_DEVICE_CONTROL for disk.sys. The assumption is that it will eventually be called.
(In this case IRP_MJ_DEVICE_CONTROL is external and located in CLASSPNP)
Code:
kd> !drvobj disk 2
Driver object (82343940) is for:
\Driver\Disk
Driver Extension List: (id , addr)
(f85973be 82354900)
Device Object list:
823c8c68 82370ab8
Dispatch routines:
...
[0e] IRP_MJ_DEVICE_CONTROL f859144d CLASSPNP!ClassDeviceControlDispatch
Code:
kd> u f859144d
CLASSPNP!ClassDeviceControlDispatch:
f859144d 8bff mov edi,edi
f859144f 55 push ebp
f8591450 8bec mov ebp,esp
f8591452 53 push ebx
f8591453 56 push esi
f8591454 8b7508 mov esi,dword ptr [ebp+8]
f8591457 8b5e28 mov ebx,dword ptr [esi+28h]
f859145a 57 push edi
f859145b 8b7d0c mov edi,dword ptr [ebp+0Ch]
f859145e 68b8110000 push 11B8h
f8591463 68861459f8 push offset CLASSPNP!ClassFindModePage+0x6a (f8591486)
f8591468 57 push edi
f8591469 56 push esi
f859146a e891efffff call CLASSPNP!ClassAcquireRemoveLockEx (f8590400)
f859146f 85c0 test eax,eax
f8591471 57 push edi
f8591472 56 push esi
f8591473 0f85f32a0000 jne CLASSPNP!ClassDeviceControlDispatch+0x28 (f8593f6c)
f8591479 8b4360 mov eax,dword ptr [ebx+60h]
f859147c ff5018 call dword ptr [eax+18h]
f859147f 5f pop edi
f8591480 5e pop esi
f8591481 5b pop ebx
f8591482 5d pop ebp
f8591483 c20800 ret 8
Switching over to IDA to make it clearer:
(match with a byte search of 'push 11B8h' to find this in classpnp.sys)
Code:
:0001144D ; int __stdcall sub_1144D(PDEVICE_OBJECT DeviceObject, PVOID Tag)
:0001144D
:0001144D DeviceObject = dword ptr 8
:0001144D Tag = dword ptr 0Ch
:0001144D
:0001144D mov edi, edi
:0001144F push ebp
:00011450 mov ebp, esp
:00011452 push ebx
:00011453 push esi
:00011454 mov esi, [ebp+DeviceObject]
:00011457 mov ebx, [esi+DEVICE_OBJECT.DeviceExtension]
:0001145A push edi
:0001145B mov edi, [ebp+Tag]
:0001145E push 11B8h ; Line
:00011463 push offset aDXpsprtmDriversStorageClasspnpCl_5 ; "d:\\xpsprtm\\drivers\\storage\\classpnp\\cla"...
:00011468 push edi ; Tag
:00011469 push esi ; DeviceObject
:0001146A call ClassAcquireRemoveLockEx
:0001146F test eax, eax
:00011471 push edi
:00011472 push esi
:00011473 jnz loc_13F6C
:00011479 mov eax, [ebx+60h]
:0001147C call dword ptr [eax+18h]
Get DeviceObject:
Code:
kd> dt nt!_DRIVER_OBJECT 82343940
...
+0x004 DeviceObject : 0x823c8c68 _DEVICE_OBJECT
Get DeviceExtension:
Code:
kd> dt nt!_DEVICE_OBJECT 823c8c68
...
+0x028 DeviceExtension : 0x823c8d20
Display [DeviceExtension + 60h] ([ebx+60h]):
Code:
kd> dd 823c8d20+60
823c8d80 82354968
Display what's in [eax+18h]:
Code:
kd> dd 82354968+18
82354980 f8580636
And that merry chase leads back to a proc in disk.sys, where you could probably set a breakpoint, and pray:
Code:
kd> u f8580636
disk!DiskDeviceControl:
f8580636 8bff mov edi,edi
f8580638 55 push ebp
...
Kayaker
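Added example, not part of Kayaker's post: the pointer chase above (DRIVER_OBJECT.DeviceObject -> DEVICE_OBJECT.DeviceExtension -> [ext+60h] -> [that+18h]) can be scripted in WinDbg so it does not have to be repeated by hand on every boot, when all the addresses change. The script below is my own; it takes the \Driver\Disk DRIVER_OBJECT address (from `!drvobj disk 2`) as its argument, uses the two typed fields via nt symbols and the two raw offsets exactly as the disassembly shows them, checks that the result really is `disk!DiskDeviceControl`, and plants a logging breakpoint there. The file name, the argument convention and the +60h/+18h layout (taken from the XP 32-bit CLASSPNP build in the post) are assumptions; other CLASSPNP builds may lay the extension out differently, which is what the sanity check is for.

```windbg
$$ find_disk_ioctl.wds  (hypothetical file name)
$$ Run from kd as:   $$>a<find_disk_ioctl.wds 82343940
$$ Argument 1 = \Driver\Disk DRIVER_OBJECT address shown by "!drvobj disk 2".
$$ Requires nt and disk symbols. Offsets +60h/+18h are the two loads seen in
$$ CLASSPNP!ClassDeviceControlDispatch on this XP 32-bit build (assumption).

r $t0 = ${$arg1}

$$ DRIVER_OBJECT.DeviceObject (+4): first FDO owned by disk.sys
r $t1 = @@c++(((nt!_DRIVER_OBJECT *)@$t0)->DeviceObject)

$$ DEVICE_OBJECT.DeviceExtension (+28h): the CLASSPNP functional device extension (ebx)
r $t2 = @@c++(((nt!_DEVICE_OBJECT *)@$t1)->DeviceExtension)

$$ mov eax,[ebx+60h] ; call [eax+18h]   (default radix in kd is hex)
r $t3 = poi(@$t2 + 60)
r $t4 = poi(@$t3 + 18)

.printf "DriverObject=%p DeviceObject=%p DeviceExtension=%p\n", @$t0, @$t1, @$t2
.printf "[ext+60h]=%p  -> [+18h]=%p  ", @$t3, @$t4
ln @$t4

$$ Sanity check before trusting the result on a different CLASSPNP build
.if (@$t4 == disk!DiskDeviceControl)
{
    .echo Resolved to disk!DiskDeviceControl, setting logging breakpoint
    $$ On entry: [esp]=return address, [esp+4]=DeviceObject, [esp+8]=Irp.
    $$ Dump the IRP (its current stack location carries the IOCTL code and
    $$ buffers), show 3 frames of caller context, then resume. Drop "gc" to
    $$ stop at each hit instead of just logging it.
    bp @$t4 "r $t5 = poi(@esp+8); !irp @$t5; kb 3; gc"
    bl
}
.else
{
    .echo Target is not disk!DiskDeviceControl; re-check the +60h/+18h offsets
}
```

Usage: `$$>a<find_disk_ioctl.wds 82343940` (substitute the driver object address from your own session). If the check fails, `u` the address in `$t4` and `dt` the extension by hand as in the post; the offsets are the only part of the chain that is not described by public symbols.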