
Windbg - break on driver execution


Uridium
January 19th, 2011, 22:04
Hello,
I've set up an IDA/WinDbg/VMware (XP SP3) kernel-mode debug session, and the target OS has already been running for a while. How can I break at (say) 'disk.sys' when it's already running? It doesn't matter where in the code it breaks, but it should be possible to mark it as a code section and analyze it afterwards.

I tried "sxe ld:<driver module name>" and "bu disk.sys!DriverEntry", but I guess they never trigger since the driver is already running.

Any ideas?

http://www.abload.de/img/idaardm.png

Kayaker
January 20th, 2011, 01:16
Hi

This started as a simple one-line reply, but then I wanted to see where it led, so bear with me.

One way might be breaking on IRP_MJ_DEVICE_CONTROL for disk.sys. The assumption is that it will eventually be called.

(In this case IRP_MJ_DEVICE_CONTROL is external and located in CLASSPNP.)

Code:

kd> !drvobj disk 2

Driver object (82343940) is for:
\Driver\Disk
Driver Extension List: (id , addr)
(f85973be 82354900)
Device Object list:
823c8c68 82370ab8

Dispatch routines:
...
[0e] IRP_MJ_DEVICE_CONTROL f859144d CLASSPNP!ClassDeviceControlDispatch


Code:

kd> u f859144d
CLASSPNP!ClassDeviceControlDispatch:
f859144d 8bff mov edi,edi
f859144f 55 push ebp
f8591450 8bec mov ebp,esp
f8591452 53 push ebx
f8591453 56 push esi
f8591454 8b7508 mov esi,dword ptr [ebp+8]
f8591457 8b5e28 mov ebx,dword ptr [esi+28h]
f859145a 57 push edi
f859145b 8b7d0c mov edi,dword ptr [ebp+0Ch]
f859145e 68b8110000 push 11B8h
f8591463 68861459f8 push offset CLASSPNP!ClassFindModePage+0x6a (f8591486)
f8591468 57 push edi
f8591469 56 push esi
f859146a e891efffff call CLASSPNP!ClassAcquireRemoveLockEx (f8590400)
f859146f 85c0 test eax,eax
f8591471 57 push edi
f8591472 56 push esi
f8591473 0f85f32a0000 jne CLASSPNP!ClassDeviceControlDispatch+0x28 (f8593f6c)
f8591479 8b4360 mov eax,dword ptr [ebx+60h]
f859147c ff5018 call dword ptr [eax+18h]
f859147f 5f pop edi
f8591480 5e pop esi
f8591481 5b pop ebx
f8591482 5d pop ebp
f8591483 c20800 ret 8


Switching over to IDA to make it clearer:
(match with a byte search of 'push 11B8h' to find this in classpnp.sys)

Code:

:0001144D ; int __stdcall sub_1144D(PDEVICE_OBJECT DeviceObject, PVOID Tag)
:0001144D
:0001144D DeviceObject = dword ptr 8
:0001144D Tag = dword ptr 0Ch
:0001144D
:0001144D mov edi, edi
:0001144F push ebp
:00011450 mov ebp, esp
:00011452 push ebx
:00011453 push esi
:00011454 mov esi, [ebp+DeviceObject]
:00011457 mov ebx, [esi+DEVICE_OBJECT.DeviceExtension]
:0001145A push edi
:0001145B mov edi, [ebp+Tag]
:0001145E push 11B8h ; Line
:00011463 push offset aDXpsprtmDriversStorageClasspnpCl_5 ; "d:\\xpsprtm\\drivers\\storage\\classpnp\\cla"...
:00011468 push edi ; Tag
:00011469 push esi ; DeviceObject
:0001146A call ClassAcquireRemoveLockEx
:0001146F test eax, eax
:00011471 push edi
:00011472 push esi
:00011473 jnz loc_13F6C
:00011479 mov eax, [ebx+60h]
:0001147C call dword ptr [eax+18h]


Get DeviceObject:

Code:

kd> dt nt!_DRIVER_OBJECT 82343940
...
+0x004 DeviceObject : 0x823c8c68 _DEVICE_OBJECT


Get DeviceExtension:

Code:

kd> dt nt!_DEVICE_OBJECT 823c8c68
...
+0x028 DeviceExtension : 0x823c8d20


Display [DeviceExtension + 60h] ([ebx+60h])

Code:

kd> dd 823c8d20+60
823c8d80 82354968


Display what's in [eax+18h]:

Code:

kd> dd 82354968+18
82354980 f8580636


And that merry chase leads back to a proc in disk.sys, where you could probably set a breakpoint, and pray:

Code:

kd> u f8580636
disk!DiskDeviceControl:
f8580636 8bff mov edi,edi
f8580638 55 push ebp
...


Kayaker

blabberer
January 20th, 2011, 13:24
If the target is running and you don't want to reboot and don't want to pray, but want to break somewhere in disk.sys:

Issue Ctrl+Break in WinDbg and, when it breaks,

set a bp here:

kd> bl
0 e f8582234 0001 (0001) disk!ClassDeviceControl

Issue a g, let the target run, and in the target

start->run->diskmgmt.msc->enter

should break here:

Code:

Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> .reload /user ;k
Loading User Symbols
...........................
ChildEBP RetAddr
f4affbdc f85913ed disk!ClassDeviceControl
f4affbf8 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f4affc08 f87da902 nt!IopfCallDriver+0x31
f4affc34 804e37f7 PartMgr!PmDeviceControl+0x8a
f4affc44 80567f81 nt!IopfCallDriver+0x31
f4affc58 8057aa9f nt!IopSynchronousServiceTail+0x70
f4affd00 8058efd7 nt!IopXxxControlFile+0x611
f4affd34 804de7ec nt!NtDeviceIoControlFile+0x2a
f4affd34 7c90e4f4 nt!KiFastCallEntry+0xf8
00aefcc8 7c90d26c ntdll!KiFastSystemCallRet
00aefccc 7c801675 ntdll!NtDeviceIoControlFile+0xc
00aefd2c 01012225 kernel32!DeviceIoControl+0xdd
00aefd74 01013788 dmadmin!PmpGetLegacyDeviceName+0x57
00aeffa0 0100b8ae dmadmin!PmpFillDeviceInformation+0xfd
00aeffb4 7c80b713 dmadmin!BuildDriveWorker+0x12
00aeffec 00000000 kernel32!BaseThreadStart+0x37
kd> bl
0 e f8582234 0001 (0001) disk!ClassDeviceControl


Else this same breakpoint address can be used right from NtInitPhase onwards if you reboot:

Code:


Will breakin on first symbol load at next boot. use ctrl+alt+k
Will NOT breakin at next use ctrl+alt+k
Will request initial breakpoint at next boot. use ctrl+alt+k
kd> .reboot
Shutdown occurred at (Thu Jan 20 23:29:41.281 2011 (UTC + 5:30))...unloading all symbol tables.
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Thu Jan 20 23:29:57.156 2011 (UTC + 5:30)), ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* *
* You are seeing this message because you pressed either *
* CTRL+C (if you run kd.exe) or, *
* CTRL+BREAK (if you run WinDBG), *
* on your debugger machine's keyboard. *
* *
* THIS IS NOT A BUG OR A SYSTEM CRASH *
* *
* If you did not intend to break into the debugger, press the "g" key, then *
* press the "Enter" key now. This message might immediately reappear. If it *
* does, press "g" and "Enter" again. *
* *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
NULL value in PsActiveProcess List
kd> k
ChildEBP RetAddr
80550d5c 806b9f57 nt!RtlpBreakWithStatusInstruction
80550ee8 806af12c nt!ExpInitializeExecutive+0x350
80550f3c 806aedeb nt!KiInitializeKernel+0x35e
00000000 00000000 nt!KiSystemStartup+0x2bf
kd> .reload /f
Connected to Windows XP 2600 x86 compatible target at (Thu Jan 20 23:31:05.765 2011 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols
.......*** ERROR: Module load completed but symbols could not be loaded for isapnp.sys
.*** ERROR: Module load completed but symbols could not be loaded for intelide.sys
................
Loading User Symbols

kd> bp disk!ClassDeviceControl
kd> g
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> .reload /f /user
Loading User Symbols

kd> k
ChildEBP RetAddr
f89a3c0c f85913ed disk!ClassDeviceControl
f89a3c28 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f89a3c38 f87da902 nt!IopfCallDriver+0x31
f89a3c64 804e37f7 PartMgr!PmDeviceControl+0x8a
f89a3c74 f849e0b6 nt!IopfCallDriver+0x31
f89a3ca4 f849e183 atapi!DeviceQueryACPISettings+0xf0
f89a3cd0 f84a38be atapi!DeviceQueryFirmwareBootSettings+0x23
f89a3d00 f849828c atapi!DeviceQueryInitData+0x56
f89a3d28 f84a4327 atapi!DeviceStartDevice+0x94
f89a3d3c 804e37f7 atapi!IdePortDispatchPnp+0x25
f89a3d4c f85211d1 nt!IopfCallDriver+0x31
f89a3d74 804e426b ACPI!ACPIFilterIrpStartDeviceWorker+0x67
f89a3dac 8057aeff nt!ExpWorkerThread+0x100
f89a3ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
kd> g
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k
ChildEBP RetAddr
f89a3c0c f85913ed disk!ClassDeviceControl
f89a3c28 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f89a3c38 f87da902 nt!IopfCallDriver+0x31
f89a3c64 804e37f7 PartMgr!PmDeviceControl+0x8a
f89a3c74 f849e0b6 nt!IopfCallDriver+0x31
f89a3ca4 f849e183 atapi!DeviceQueryACPISettings+0xf0
f89a3cd0 f84a38be atapi!DeviceQueryFirmwareBootSettings+0x23
f89a3d00 f849828c atapi!DeviceQueryInitData+0x56
f89a3d28 f84a4327 atapi!DeviceStartDevice+0x94
f89a3d3c 804e37f7 atapi!IdePortDispatchPnp+0x25
f89a3d4c f85211d1 nt!IopfCallDriver+0x31
f89a3d74 804e426b ACPI!ACPIFilterIrpStartDeviceWorker+0x67
f89a3dac 8057aeff nt!ExpWorkerThread+0x100
f89a3ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
kd> g
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k;g
ChildEBP RetAddr
f89671cc f85913ed disk!ClassDeviceControl
f89671e8 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f89671f8 f8586a2f nt!IopfCallDriver+0x31
f896724c f8596e8b disk!DiskStartFdo+0x77
f8967274 f8596e0e CLASSPNP!ClassPnpStartDevice+0x209
f896729c 804e37f7 CLASSPNP!ClassDispatchPnp+0x162
f89672ac f87db432 nt!IopfCallDriver+0x31
f89672e0 804e37f7 PartMgr!PmPnp+0x2c4
f89672f0 8059be17 nt!IopfCallDriver+0x31
f896731c 805b4ed7 nt!IopSynchronousCall+0xb7
f8967360 80509638 nt!IopStartDevice+0x4d
f896737c 805b4d73 nt!PipProcessStartPhase1+0x4e
f89675d4 8050b69c nt!PipProcessDevNodeTree+0x1db
f8967618 8050fcb0 nt!PipDeviceActionWorker+0xa3
f8967630 806aa078 nt!PipRequestDeviceAction+0x107
f8967694 806a06df nt!IopInitializeBootDrivers+0x37a
f896783c 806a1a6c nt!IoInitSystem+0x712
f8967dac 8057aeff nt!Phase1Initialization+0x9b5
f8967ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k;g
ChildEBP RetAddr
f8967244 f85913ed disk!ClassDeviceControl
f8967260 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8967270 f87db819 nt!IopfCallDriver+0x31
f89672a8 f87db4a9 PartMgr!PmRegisterDevice+0x59
f89672e0 804e37f7 PartMgr!PmPnp+0x33b
f89672f0 8059be17 nt!IopfCallDriver+0x31
f896731c 805b4ed7 nt!IopSynchronousCall+0xb7
f8967360 80509638 nt!IopStartDevice+0x4d
f896737c 805b4d73 nt!PipProcessStartPhase1+0x4e
f89675d4 8050b69c nt!PipProcessDevNodeTree+0x1db
f8967618 8050fcb0 nt!PipDeviceActionWorker+0xa3
f8967630 806aa078 nt!PipRequestDeviceAction+0x107
f8967694 806a06df nt!IopInitializeBootDrivers+0x37a
f896783c 806a1a6c nt!IoInitSystem+0x712
f8967dac 8057aeff nt!Phase1Initialization+0x9b5
f8967ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k;g
ChildEBP RetAddr
f8967078 f85913ed disk!ClassDeviceControl
f8967094 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f89670a4 f84d6d9a nt!IopfCallDriver+0x31
f896716c f84dbcaa ftdisk!FtpQueryPartitionInformation+0x5a
f89671f0 f84dc118 ftdisk!FtpPartitionArrivedHelper+0x32
f8967200 f84d2552 ftdisk!FtpPartitionArrived+0x26
f8967218 804e37f7 ftdisk!FtDiskInternalDeviceControl+0x84
f8967228 f87d8ea7 nt!IopfCallDriver+0x31
f896725c f87daf6a PartMgr!PmGivePartition+0x93
f89672a4 f87db376 PartMgr!PmQueryDeviceRelations+0x1e0
f89672e0 804e37f7 PartMgr!PmPnp+0x208
f89672f0 8059be17 nt!IopfCallDriver+0x31
f896731c 8050662c nt!IopSynchronousCall+0xb7
f8967364 805a978e nt!IopQueryDeviceRelations+0x45
f896737c 805a979b nt!PipEnumerateDevice+0x23
f89675d4 8050b69c nt!PipProcessDevNodeTree+0x21b
f8967618 8050fcb0 nt!PipDeviceActionWorker+0xa3
f8967630 806aa078 nt!PipRequestDeviceAction+0x107
f8967694 806a06df nt!IopInitializeBootDrivers+0x37a
f896783c 806a1a6c nt!IoInitSystem+0x712
f8967dac 8057aeff nt!Phase1Initialization+0x9b5
f8967ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k;g
ChildEBP RetAddr
f8966fd4 f85913ed disk!ClassDeviceControl
f8966ff0 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8967000 f87da902 nt!IopfCallDriver+0x31
f896702c 804e37f7 PartMgr!PmDeviceControl+0x8a
f896703c f84d6d9a nt!IopfCallDriver+0x31
f8967104 f84d342e ftdisk!FtpQueryPartitionInformation+0x5a
f8967188 f84dbe65 ftdisk!FT_LOGICAL_DISK_INFORMATION::Initialize+0x3c
f89671f0 f84dc118 ftdisk!FtpPartitionArrivedHelper+0x1ed
f8967200 f84d2552 ftdisk!FtpPartitionArrived+0x26
f8967218 804e37f7 ftdisk!FtDiskInternalDeviceControl+0x84
f8967228 f87d8ea7 nt!IopfCallDriver+0x31
f896725c f87daf6a PartMgr!PmGivePartition+0x93
f89672a4 f87db376 PartMgr!PmQueryDeviceRelations+0x1e0
f89672e0 804e37f7 PartMgr!PmPnp+0x208
f89672f0 8059be17 nt!IopfCallDriver+0x31
f896731c 8050662c nt!IopSynchronousCall+0xb7
f8967364 805a978e nt!IopQueryDeviceRelations+0x45
f896737c 805a979b nt!PipEnumerateDevice+0x23
f89675d4 8050b69c nt!PipProcessDevNodeTree+0x21b
f8967618 8050fcb0 nt!PipDeviceActionWorker+0xa3
f8967630 806aa078 nt!PipRequestDeviceAction+0x107
f8967694 806a06df nt!IopInitializeBootDrivers+0x37a
f896783c 806a1a6c nt!IoInitSystem+0x712
f8967dac 8057aeff nt!Phase1Initialization+0x9b5
f8967ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd>
ChildEBP RetAddr
f8966de4 f85913ed disk!ClassDeviceControl
f8966e00 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8966e10 f84d6d9a nt!IopfCallDriver+0x31
f8966ed8 f84d7a31 ftdisk!FtpQueryPartitionInformation+0x5a
f896704c f84dac2b ftdisk!FtpCreateOldNameLinks+0x5d
f8967164 f84dc0d7 ftdisk!FtpCreateNewDevice+0x43d
f89671f0 f84dc118 ftdisk!FtpPartitionArrivedHelper+0x45f
f8967200 f84d2552 ftdisk!FtpPartitionArrived+0x26
f8967218 804e37f7 ftdisk!FtDiskInternalDeviceControl+0x84
f8967228 f87d8ea7 nt!IopfCallDriver+0x31
f896725c f87daf6a PartMgr!PmGivePartition+0x93
f89672a4 f87db376 PartMgr!PmQueryDeviceRelations+0x1e0
f89672e0 804e37f7 PartMgr!PmPnp+0x208
f89672f0 8059be17 nt!IopfCallDriver+0x31
f896731c 8050662c nt!IopSynchronousCall+0xb7
f8967364 805a978e nt!IopQueryDeviceRelations+0x45
f896737c 805a979b nt!PipEnumerateDevice+0x23
f89675d4 8050b69c nt!PipProcessDevNodeTree+0x21b
f8967618 8050fcb0 nt!PipDeviceActionWorker+0xa3
f8967630 806aa078 nt!PipRequestDeviceAction+0x107
f8967694 806a06df nt!IopInitializeBootDrivers+0x37a
f896783c 806a1a6c nt!IoInitSystem+0x712
f8967dac 8057aeff nt!Phase1Initialization+0x9b5
f8967ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd>
ChildEBP RetAddr
f8967404 f85913ed disk!ClassDeviceControl
f8967420 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8967430 f87da902 nt!IopfCallDriver+0x31
f896745c 804e37f7 PartMgr!PmDeviceControl+0x8a
f896746c 806ae5e9 nt!IopfCallDriver+0x31
f8967644 806acd51 nt!IopCreateArcNames+0x3b7
f8967694 806a06df nt!IopInitializeBootDrivers+0x4b4
f896783c 806a1a6c nt!IoInitSystem+0x712
f8967dac 8057aeff nt!Phase1Initialization+0x9b5
f8967ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd>
ChildEBP RetAddr
f89879b0 f85913ed disk!ClassDeviceControl
f89879cc 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f89879dc f84de656 nt!IopfCallDriver+0x31
f8987a10 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f8987a20 f85782a6 nt!IopfCallDriver+0x31
f8987a34 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f8987a44 805bd1e0 nt!IopfCallDriver+0x31
f8987a68 f8405632 nt!FsRtlBalanceReads+0x4d
f8987cb8 f8404310 Ntfs!NtfsMountVolume+0x15a7
f8987ccc f83c48ed Ntfs!NtfsCommonFileSystemControl+0x39
f8987d74 804e426b Ntfs!NtfsFspDispatch+0x1ff
f8987dac 8057aeff nt!ExpWorkerThread+0x100
f8987ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd>
ChildEBP RetAddr
f8987830 f85913ed disk!ClassDeviceControl
f898784c 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f898785c f87da902 nt!IopfCallDriver+0x31
f8987888 804e37f7 PartMgr!PmDeviceControl+0x8a
f8987898 f85929ca nt!IopfCallDriver+0x31
f898791c f8581400 CLASSPNP!ClassDeviceControl+0x87e
f89879b0 f85913ed disk!DiskDeviceControl+0xdcc
f89879cc 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f89879dc f84de656 nt!IopfCallDriver+0x31
f8987a10 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f8987a20 f85782a6 nt!IopfCallDriver+0x31
f8987a34 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f8987a44 805bd1e0 nt!IopfCallDriver+0x31
f8987a68 f8405632 nt!FsRtlBalanceReads+0x4d
f8987cb8 f8404310 Ntfs!NtfsMountVolume+0x15a7
f8987ccc f83c48ed Ntfs!NtfsCommonFileSystemControl+0x39
f8987d74 804e426b Ntfs!NtfsFspDispatch+0x1ff
f8987dac 8057aeff nt!ExpWorkerThread+0x100
f8987ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k;g
ChildEBP RetAddr
f8967470 f85913ed disk!ClassDeviceControl
f896748c 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f896749c f87da902 nt!IopfCallDriver+0x31
f89674c8 804e37f7 PartMgr!PmDeviceControl+0x8a
f89674d8 805be459 nt!IopfCallDriver+0x31
f8967588 805c0313 nt!IopComputeHarddiskDerangements+0xf0
f8967694 806a07c1 nt!IoAssignDriveLetters+0x331
f896783c 806a1a6c nt!IoInitSystem+0x887
f8967dac 8057aeff nt!Phase1Initialization+0x9b5
f8967ddc 804f88ea nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k;g
ChildEBP RetAddr
f834165c f85913ed disk!ClassDeviceControl
f8341678 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8341688 f84de656 nt!IopfCallDriver+0x31
f83416bc 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f83416cc f85782a6 nt!IopfCallDriver+0x31
f83416e0 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f83416f0 f840056a nt!IopfCallDriver+0x31
f8341758 f83ff7e0 Ntfs!NtfsCommonDeviceControl+0xef
f83417bc f83e34d5 Ntfs!NtfsFsdDispatchSwitch+0xe4
f83418e0 804e37f7 Ntfs!NtfsFsdDispatchWait+0x1c
f83418f0 f8461459 nt!IopfCallDriver+0x31
f83418f8 804e37f7 sr!SrPassThrough+0x31
f8341908 80567f81 nt!IopfCallDriver+0x31
f834191c 8057aa9f nt!IopSynchronousServiceTail+0x70
f83419c4 8058efd7 nt!IopXxxControlFile+0x611
f83419f8 804de7ec nt!NtDeviceIoControlFile+0x2a
f83419f8 804dcbf5 nt!KiFastCallEntry+0xf8
f8341a98 805bb2dd nt!ZwDeviceIoControlFile+0x11
f8341c04 805bb637 nt!IopGetDumpStack+0x13d
f8341c24 805bc61d nt!IoGetDumpStack+0x20
f8341c48 805bc33b nt!IoInitializeCrashDump+0x70
f8341d4c 804de7ec nt!NtCreatePagingFile+0x6d0
f8341d4c 7c90e4f4 nt!KiFastCallEntry+0xf8
0015fdc0 7c90d11c ntdll!KiFastSystemCallRet
0015fdc4 48583548 ntdll!ZwCreatePagingFile+0xc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0015fde8 48583da9 0x48583548
0015fe20 48584213 0x48583da9
0015fe58 48588ceb 0x48584213
0015fecc 48588f27 0x48588ceb
0015ff18 48589bfc 0x48588f27
0015ffa8 4858ad97 0x48589bfc
0015fff4 00000000 0x4858ad97
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> .reload /user
Loading User Symbols
..
kd> k
ChildEBP RetAddr
f83414dc f85913ed disk!ClassDeviceControl
f83414f8 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8341508 f87da902 nt!IopfCallDriver+0x31
f8341534 804e37f7 PartMgr!PmDeviceControl+0x8a
f8341544 f85929ca nt!IopfCallDriver+0x31
f83415c8 f8581400 CLASSPNP!ClassDeviceControl+0x87e
f834165c f85913ed disk!DiskDeviceControl+0xdcc
f8341678 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8341688 f84de656 nt!IopfCallDriver+0x31
f83416bc 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f83416cc f85782a6 nt!IopfCallDriver+0x31
f83416e0 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f83416f0 f840056a nt!IopfCallDriver+0x31
f8341758 f83ff7e0 Ntfs!NtfsCommonDeviceControl+0xef
f83417bc f83e34d5 Ntfs!NtfsFsdDispatchSwitch+0xe4
f83418e0 804e37f7 Ntfs!NtfsFsdDispatchWait+0x1c
f83418f0 f8461459 nt!IopfCallDriver+0x31
f83418f8 804e37f7 sr!SrPassThrough+0x31
f8341908 80567f81 nt!IopfCallDriver+0x31
f834191c 8057aa9f nt!IopSynchronousServiceTail+0x70
f83419c4 8058efd7 nt!IopXxxControlFile+0x611
f83419f8 804de7ec nt!NtDeviceIoControlFile+0x2a
f83419f8 804dcbf5 nt!KiFastCallEntry+0xf8
f8341a98 805bb2dd nt!ZwDeviceIoControlFile+0x11
f8341c04 805bb637 nt!IopGetDumpStack+0x13d
f8341c24 805bc61d nt!IoGetDumpStack+0x20
f8341c48 805bc33b nt!IoInitializeCrashDump+0x70
f8341d4c 804de7ec nt!NtCreatePagingFile+0x6d0
f8341d4c 7c90e4f4 nt!KiFastCallEntry+0xf8
0015fdc0 7c90d11c ntdll!KiFastSystemCallRet
0015fdc4 48583548 ntdll!ZwCreatePagingFile+0xc
0015fde8 48583da9 smss!SmpCreatePagingFile+0x1d
0015fe20 48584213 smss!SmpCreatePagingFileOnFixedDrive+0x1ed
0015fe58 48588ceb smss!SmpCreatePagingFiles+0x185
0015fecc 48588f27 smss!SmpLoadDataFromRegistry+0x38e
0015ff18 48589bfc smss!SmpInit+0x1bd
0015ffa8 4858ad97 smss!main+0x68
0015fff4 00000000 smss!NtProcessStartup+0x1d2
kd> k;g
ChildEBP RetAddr
f83414dc f85913ed disk!ClassDeviceControl
f83414f8 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8341508 f87da902 nt!IopfCallDriver+0x31
f8341534 804e37f7 PartMgr!PmDeviceControl+0x8a
f8341544 f85929ca nt!IopfCallDriver+0x31
f83415c8 f8581400 CLASSPNP!ClassDeviceControl+0x87e
f834165c f85913ed disk!DiskDeviceControl+0xdcc
f8341678 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8341688 f84de656 nt!IopfCallDriver+0x31
f83416bc 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f83416cc f85782a6 nt!IopfCallDriver+0x31
f83416e0 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f83416f0 f840056a nt!IopfCallDriver+0x31
f8341758 f83ff7e0 Ntfs!NtfsCommonDeviceControl+0xef
f83417bc f83e34d5 Ntfs!NtfsFsdDispatchSwitch+0xe4
f83418e0 804e37f7 Ntfs!NtfsFsdDispatchWait+0x1c
f83418f0 f8461459 nt!IopfCallDriver+0x31
f83418f8 804e37f7 sr!SrPassThrough+0x31
f8341908 80567f81 nt!IopfCallDriver+0x31
f834191c 8057aa9f nt!IopSynchronousServiceTail+0x70
f83419c4 8058efd7 nt!IopXxxControlFile+0x611
f83419f8 804de7ec nt!NtDeviceIoControlFile+0x2a
f83419f8 804dcbf5 nt!KiFastCallEntry+0xf8
f8341a98 805bb2dd nt!ZwDeviceIoControlFile+0x11
f8341c04 805bb637 nt!IopGetDumpStack+0x13d
f8341c24 805bc61d nt!IoGetDumpStack+0x20
f8341c48 805bc33b nt!IoInitializeCrashDump+0x70
f8341d4c 804de7ec nt!NtCreatePagingFile+0x6d0
f8341d4c 7c90e4f4 nt!KiFastCallEntry+0xf8
0015fdc0 7c90d11c ntdll!KiFastSystemCallRet
0015fdc4 48583548 ntdll!ZwCreatePagingFile+0xc
0015fde8 48583da9 smss!SmpCreatePagingFile+0x1d
0015fe20 48584213 smss!SmpCreatePagingFileOnFixedDrive+0x1ed
0015fe58 48588ceb smss!SmpCreatePagingFiles+0x185
0015fecc 48588f27 smss!SmpLoadDataFromRegistry+0x38e
0015ff18 48589bfc smss!SmpInit+0x1bd
0015ffa8 4858ad97 smss!main+0x68
0015fff4 00000000 smss!NtProcessStartup+0x1d2
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k
ChildEBP RetAddr
f8341814 f85913ed disk!ClassDeviceControl
f8341830 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8341840 f84de656 nt!IopfCallDriver+0x31
f8341874 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f8341884 f85782a6 nt!IopfCallDriver+0x31
f8341898 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f83418a8 f840056a nt!IopfCallDriver+0x31
f8341910 f83ff7e0 Ntfs!NtfsCommonDeviceControl+0xef
f8341974 f83e34d5 Ntfs!NtfsFsdDispatchSwitch+0xe4
f8341a98 804e37f7 Ntfs!NtfsFsdDispatchWait+0x1c
f8341aa8 f8461459 nt!IopfCallDriver+0x31
f8341ab0 804e37f7 sr!SrPassThrough+0x31
f8341ac0 805bb419 nt!IopfCallDriver+0x31
f8341c04 805bb637 nt!IopGetDumpStack+0x2b9
f8341c24 805bc61d nt!IoGetDumpStack+0x20
f8341c48 805bc33b nt!IoInitializeCrashDump+0x70
f8341d4c 804de7ec nt!NtCreatePagingFile+0x6d0
f8341d4c 7c90e4f4 nt!KiFastCallEntry+0xf8
0015fdc0 7c90d11c ntdll!KiFastSystemCallRet
0015fdc4 48583548 ntdll!ZwCreatePagingFile+0xc
0015fde8 48583da9 smss!SmpCreatePagingFile+0x1d
0015fe20 48584213 smss!SmpCreatePagingFileOnFixedDrive+0x1ed
0015fe58 48588ceb smss!SmpCreatePagingFiles+0x185
0015fecc 48588f27 smss!SmpLoadDataFromRegistry+0x38e
0015ff18 48589bfc smss!SmpInit+0x1bd
0015ffa8 4858ad97 smss!main+0x68
0015fff4 00000000 smss!NtProcessStartup+0x1d2
kd> k;g
ChildEBP RetAddr
f8341814 f85913ed disk!ClassDeviceControl
f8341830 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8341840 f84de656 nt!IopfCallDriver+0x31
f8341874 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f8341884 f85782a6 nt!IopfCallDriver+0x31
f8341898 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f83418a8 f840056a nt!IopfCallDriver+0x31
f8341910 f83ff7e0 Ntfs!NtfsCommonDeviceControl+0xef
f8341974 f83e34d5 Ntfs!NtfsFsdDispatchSwitch+0xe4
f8341a98 804e37f7 Ntfs!NtfsFsdDispatchWait+0x1c
f8341aa8 f8461459 nt!IopfCallDriver+0x31
f8341ab0 804e37f7 sr!SrPassThrough+0x31
f8341ac0 805bb419 nt!IopfCallDriver+0x31
f8341c04 805bb637 nt!IopGetDumpStack+0x2b9
f8341c24 805bc61d nt!IoGetDumpStack+0x20
f8341c48 805bc33b nt!IoInitializeCrashDump+0x70
f8341d4c 804de7ec nt!NtCreatePagingFile+0x6d0
f8341d4c 7c90e4f4 nt!KiFastCallEntry+0xf8
0015fdc0 7c90d11c ntdll!KiFastSystemCallRet
0015fdc4 48583548 ntdll!ZwCreatePagingFile+0xc
0015fde8 48583da9 smss!SmpCreatePagingFile+0x1d
0015fe20 48584213 smss!SmpCreatePagingFileOnFixedDrive+0x1ed
0015fe58 48588ceb smss!SmpCreatePagingFiles+0x185
0015fecc 48588f27 smss!SmpLoadDataFromRegistry+0x38e
0015ff18 48589bfc smss!SmpInit+0x1bd
0015ffa8 4858ad97 smss!main+0x68
0015fff4 00000000 smss!NtProcessStartup+0x1d2
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k;g
ChildEBP RetAddr
f8341694 f85913ed disk!ClassDeviceControl
f83416b0 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f83416c0 f87da902 nt!IopfCallDriver+0x31
f83416ec 804e37f7 PartMgr!PmDeviceControl+0x8a
f83416fc f85929ca nt!IopfCallDriver+0x31
f8341780 f8581400 CLASSPNP!ClassDeviceControl+0x87e
f8341814 f85913ed disk!DiskDeviceControl+0xdcc
f8341830 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f8341840 f84de656 nt!IopfCallDriver+0x31
f8341874 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f8341884 f85782a6 nt!IopfCallDriver+0x31
f8341898 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f83418a8 f840056a nt!IopfCallDriver+0x31
f8341910 f83ff7e0 Ntfs!NtfsCommonDeviceControl+0xef
f8341974 f83e34d5 Ntfs!NtfsFsdDispatchSwitch+0xe4
f8341a98 804e37f7 Ntfs!NtfsFsdDispatchWait+0x1c
f8341aa8 f8461459 nt!IopfCallDriver+0x31
f8341ab0 804e37f7 sr!SrPassThrough+0x31
f8341ac0 805bb419 nt!IopfCallDriver+0x31
f8341c04 805bb637 nt!IopGetDumpStack+0x2b9
f8341c24 805bc61d nt!IoGetDumpStack+0x20
f8341c48 805bc33b nt!IoInitializeCrashDump+0x70
f8341d4c 804de7ec nt!NtCreatePagingFile+0x6d0
f8341d4c 7c90e4f4 nt!KiFastCallEntry+0xf8
0015fdc0 7c90d11c ntdll!KiFastSystemCallRet
0015fdc4 48583548 ntdll!ZwCreatePagingFile+0xc
0015fde8 48583da9 smss!SmpCreatePagingFile+0x1d
0015fe20 48584213 smss!SmpCreatePagingFileOnFixedDrive+0x1ed
0015fe58 48588ceb smss!SmpCreatePagingFiles+0x185
0015fecc 48588f27 smss!SmpLoadDataFromRegistry+0x38e
0015ff18 48589bfc smss!SmpInit+0x1bd
0015ffa8 4858ad97 smss!main+0x68
0015fff4 00000000 smss!NtProcessStartup+0x1d2
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> k
ChildEBP RetAddr
f512fbdc f85913ed disk!ClassDeviceControl
f512fbf8 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f512fc08 f87da902 nt!IopfCallDriver+0x31
f512fc34 804e37f7 PartMgr!PmDeviceControl+0x8a
f512fc44 80567f81 nt!IopfCallDriver+0x31
f512fc58 8057aa9f nt!IopSynchronousServiceTail+0x70
f512fd00 8058efd7 nt!IopXxxControlFile+0x611
f512fd34 804de7ec nt!NtDeviceIoControlFile+0x2a
f512fd34 7c90e4f4 nt!KiFastCallEntry+0xf8
00b5f940 7c90d26c ntdll!KiFastSystemCallRet
00b5f944 7c801675 ntdll!NtDeviceIoControlFile+0xc
WARNING: Frame IP not in any known module. Following frames may be wrong.
00b5f9a4 776ec3af 0x7c801675
00b5fac0 7c910098 0x776ec3af
00b5facc 7c910021 ntdll!RtlpFreeToHeapLookaside+0x22
00b5fb98 77926964 ntdll!RtlFreeHeap+0x1e9
00b5fba8 00b5fbc8 0x77926964
00b5fbac 7792b0c1 0xb5fbc8
00b5fbc8 00b5fc00 0x7792b0c1
00b5fc00 00b5fcfc 0xb5fc00
00b5fc04 00000000 0xb5fcfc
kd> .reload /user ;k;g
Loading User Symbols
................................................................
.......
ChildEBP RetAddr
f512fbdc f85913ed disk!ClassDeviceControl
f512fbf8 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f512fc08 f87da902 nt!IopfCallDriver+0x31
f512fc34 804e37f7 PartMgr!PmDeviceControl+0x8a
f512fc44 80567f81 nt!IopfCallDriver+0x31
f512fc58 8057aa9f nt!IopSynchronousServiceTail+0x70
f512fd00 8058efd7 nt!IopXxxControlFile+0x611
f512fd34 804de7ec nt!NtDeviceIoControlFile+0x2a
f512fd34 7c90e4f4 nt!KiFastCallEntry+0xf8
00b5f940 7c90d26c ntdll!KiFastSystemCallRet
00b5f944 7c801675 ntdll!NtDeviceIoControlFile+0xc
00b5f9a4 776ec3af kernel32!DeviceIoControl+0xdd
00b5f9dc 776ee98c shsvcs!_GetDeviceNumberInfoFromHandle+0x32
00b5fa40 776ee9de shsvcs!_GetDeviceNumberInfo+0x7d
00b5fa58 776eeacd shsvcs!CDisk::_Init+0x20
00b5fa64 776ef0fc shsvcs!CDisk::GetDeviceNumber+0xd
00b5faa0 776ef1dd shsvcs!CVolume::_GetDeviceIDDisk+0xa0
00b5fc74 776f128e shsvcs!CVolume::_InitHWDeviceInst+0x2f
00b5fca8 776f166e shsvcs!CVolume::_InitHelper+0x14a
00b5fcc0 776f985c shsvcs!CVolume::Init+0x5b
00b5fcd8 776f9f31 shsvcs!CNamedElemList::_Add+0x22
00b5ff08 776f3d97 shsvcs!CNamedElemList::ReEnum+0xe0
00b5ff38 776f5491 shsvcs!CHWEventDetectorImpl::_RegisterForNotif+0x21
00b5ff4c 776ebf4e shsvcs!CHWEventDetectorImpl::InitFinal+0x5c
00b5ff6c 010011cc shsvcs!CGenericServiceManager::_ServiceMain+0xcc
00b5ffa0 77df352b svchost!ServiceStarter+0x9e
00b5ffb4 7c80b713 ADVAPI32!ScSvcctrlThreadA+0x12
00b5ffec 00000000 kernel32!BaseThreadStart+0x37
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> .reload /user ;k;g
Loading User Symbols
................................................................
.......
ChildEBP RetAddr
f512fbb0 f85913ed disk!ClassDeviceControl
f512fbcc 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f512fbdc f84de656 nt!IopfCallDriver+0x31
f512fc10 804e37f7 ftdisk!FtDiskDeviceControl+0x6a4
f512fc20 f85782a6 nt!IopfCallDriver+0x31
f512fc34 804e37f7 VolSnap!VolSnapDeviceControl+0x152
f512fc44 80567f81 nt!IopfCallDriver+0x31
f512fc58 8057aa9f nt!IopSynchronousServiceTail+0x70
f512fd00 8058efd7 nt!IopXxxControlFile+0x611
f512fd34 804de7ec nt!NtDeviceIoControlFile+0x2a
f512fd34 7c90e4f4 nt!KiFastCallEntry+0xf8
00b5fbc8 7c90d26c ntdll!KiFastSystemCallRet
00b5fbcc 7c801675 ntdll!NtDeviceIoControlFile+0xc
00b5fc2c 776ec3af kernel32!DeviceIoControl+0xdd
00b5fc64 776f1254 shsvcs!_GetDeviceNumberInfoFromHandle+0x32
00b5fca8 776f166e shsvcs!CVolume::_InitHelper+0x110
00b5fcc0 776f985c shsvcs!CVolume::Init+0x5b
00b5fcd8 776f9f31 shsvcs!CNamedElemList::_Add+0x22
00b5ff08 776f3d97 shsvcs!CNamedElemList::ReEnum+0xe0
00b5ff38 776f5491 shsvcs!CHWEventDetectorImpl::_RegisterForNotif+0x21
00b5ff4c 776ebf4e shsvcs!CHWEventDetectorImpl::InitFinal+0x5c
00b5ff6c 010011cc shsvcs!CGenericServiceManager::_ServiceMain+0xcc
00b5ffa0 77df352b svchost!ServiceStarter+0x9e
00b5ffb4 7c80b713 ADVAPI32!ScSvcctrlThreadA+0x12
00b5ffec 00000000 kernel32!BaseThreadStart+0x37
Breakpoint 0 hit
disk!ClassDeviceControl:
f8582234 ff25cc2358f8 jmp dword ptr [disk!_imp__ClassDeviceControl (f85823cc)]
kd> .reload /user ;k
Loading User Symbols
...........................
ChildEBP RetAddr
f4affbdc f85913ed disk!ClassDeviceControl
f4affbf8 804e37f7 CLASSPNP!ClassDeviceControlDispatch+0x48
f4affc08 f87da902 nt!IopfCallDriver+0x31
f4affc34 804e37f7 PartMgr!PmDeviceControl+0x8a
f4affc44 80567f81 nt!IopfCallDriver+0x31
f4affc58 8057aa9f nt!IopSynchronousServiceTail+0x70
f4affd00 8058efd7 nt!IopXxxControlFile+0x611
f4affd34 804de7ec nt!NtDeviceIoControlFile+0x2a
f4affd34 7c90e4f4 nt!KiFastCallEntry+0xf8
00aefcc8 7c90d26c ntdll!KiFastSystemCallRet
00aefccc 7c801675 ntdll!NtDeviceIoControlFile+0xc
00aefd2c 01012225 kernel32!DeviceIoControl+0xdd
00aefd74 01013788 dmadmin!PmpGetLegacyDeviceName+0x57
00aeffa0 0100b8ae dmadmin!PmpFillDeviceInformation+0xfd
00aeffb4 7c80b713 dmadmin!BuildDriveWorker+0x12
00aeffec 00000000 kernel32!BaseThreadStart+0x37

This last stack is after the target is running.

Uridium
January 20th, 2011, 19:04
Thanks for all the impressions. I see you always try to break in by setting breakpoints on functions/symbols. I was hoping for some more "driver specific" approach, or something like in Olly where you just set a breakpoint on the whole code section. Maybe one can do something similar with 'bm'... not sure though.

My specific target (actually not disk.sys) is a .sys driver that doesn't spit out any symbols or imports (x mytarget!*), so I cannot currently set any breakpoints on it. There are indeed many of them if I manually load the driver in IDA, but they don't show up if I'm connected by a remote kernel session.

I also don't have any user32.dll or kernel32.dll modules. Here (http://www.hexblog.com/?p=92) they talk about setting up a process server first. Is this really necessary? I can remember that in Softice one had to add these DLLs separately as well, in an import list.

Kayaker
January 20th, 2011, 22:26
You might be able to set a more general breakpoint, but !drvobj doesn't "need" symbols. As long as you know the name of the driver you can find addresses of any of the IRP_* Dispatch routines and essentially set a bp on the start of any of those code sections. IRP_MJ_DEVICE_CONTROL just happens to be a likely one if the driver has a usermode component which communicates with it.

It's the same idea as using the DRIVER command in Softice and getting a list of the IRP_* routines, to find an address to break on when there is some communication with the driver. I know of no more "generic" approach.

Even if you could set a whole code section bp like the old Softice BPR command, or with something like the Ollybone plugin, you'd *still* end up breaking at the start of one of the Dispatch routines since that would be the first instruction executed.

It seems to me that setting a bp on IRP_MJ_DEVICE_CONTROL and tracing your way through things, or somehow setting some kind of bp which triggers whenever a code section is entered, would come to the same thing.

As for breaking on DriverEntry, you can actually step into it by setting a breakpoint within nt!IopLoadDriver (search this forum for details).
A Windbg trick I read on OpenRCE but haven't tried is 'bu drivername+entrypoint_rva'.
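
As an added example (not code from this thread or from either poster), here is a small Python helper that automates the two approaches described above: it parses the dispatch table printed by `!drvobj <driver> 2` into `bp` commands keyed by address, which works even when the driver exports no symbols, and it computes the `bu drivername+entrypoint_rva` breakpoint by reading AddressOfEntryPoint from the driver file's PE header. The `!drvobj` sample text, the `mytarget` driver name and its addresses, and the minimal PE header are all constructed inputs for illustration.

```python
"""Build WinDbg breakpoint commands for a driver that is already loaded.

Added example, not from the thread.  Two helpers:
  1. dispatch_breakpoints(): parse '!drvobj <driver> 2' output and emit a
     'bp' on each IRP_MJ_* dispatch routine (by address, so no symbols needed).
  2. entry_breakpoint(): read AddressOfEntryPoint from the driver's PE header
     and emit 'bu <module>+<rva>' for DriverEntry.
"""
import re
import struct

# One dispatch line in '!drvobj <driver> 2' output looks like:
#   [0e] IRP_MJ_DEVICE_CONTROL f859144d CLASSPNP!ClassDeviceControlDispatch
_DISPATCH_RE = re.compile(
    r"^\s*\[([0-9a-fA-F]{2})\]\s+(IRP_MJ_\w+)\s+([0-9a-fA-F]{8,16})\s+(\S+)"
)


def parse_dispatch_table(drvobj_output):
    """Return [(index, irp_name, address, symbol)] for every dispatch line."""
    routines = []
    for line in drvobj_output.splitlines():
        m = _DISPATCH_RE.match(line)
        if m:
            idx, irp, addr, sym = m.groups()
            routines.append((int(idx, 16), irp, int(addr, 16), sym))
    return routines


def dispatch_breakpoints(drvobj_output, only=None):
    """One 'bp' per distinct dispatch address (several IRP_MJ_* entries often
    share one routine).  'only' restricts output to the named IRP majors.
    The bp command echoes which dispatch fired and dumps the stack (k) so
    you can see who sent the IRP, as in the stacks earlier in the thread."""
    cmds, seen = [], set()
    for _idx, irp, addr, _sym in parse_dispatch_table(drvobj_output):
        if only and irp not in only:
            continue
        if addr in seen:
            continue
        seen.add(addr)
        cmds.append('bp 0x%08x ".echo %s; k"' % (addr, irp))
    return cmds


def entry_point_rva(pe_bytes):
    """AddressOfEntryPoint (DriverEntry's RVA) from a PE32/PE32+ image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", pe_bytes, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (rva,) = struct.unpack_from("<I", pe_bytes, opt + 16)  # AddressOfEntryPoint
    return rva


def entry_breakpoint(module, pe_bytes):
    """'bu <module>+<rva>': deferred, so it also arms before a (re)load."""
    return "bu %s+0x%x" % (module, entry_point_rva(pe_bytes))


# Constructed sample: a hypothetical unsymbolized driver 'mytarget' whose
# create/close IRPs share one routine.  Addresses are made up.
SAMPLE_DRVOBJ = """\
Dispatch routines:
[00] IRP_MJ_CREATE                      f8a00340 mytarget+0x340
[02] IRP_MJ_CLOSE                       f8a00340 mytarget+0x340
[0e] IRP_MJ_DEVICE_CONTROL              f8a00520 mytarget+0x520
"""


def fake_pe(entry_rva):
    """Minimal PE32 header (constructed test input, not a real driver)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x1000, 0x200, 0, entry_rva)
    return dos + b"PE\0\0" + file_hdr + opt_hdr


if __name__ == "__main__":
    for cmd in dispatch_breakpoints(SAMPLE_DRVOBJ):
        print(cmd)
    print(entry_breakpoint("mytarget", fake_pe(0x1234)))
```

To use it on a real target, paste the `!drvobj` output into `dispatch_breakpoints()` and feed the driver file's bytes to `entry_breakpoint()`; the printed commands go straight into the kd prompt. Breaking by address rather than symbol is the point here: it matches the unsymbolized case described above, and once the bp hits you can still map the address back to the IDA database.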

Uridium
January 20th, 2011, 23:45
The problem was IDA never let me set such breakpoints, or at least I didn't know how. My lack of basic knowledge about IDA is the main problem, I think. At least I understand now what they tried to explain in the blog above about transferring usermode segments into the kernel debugger. They prepare and feed the IDA database to provide this information in the kernel debug process.

My driver was just a data block without any debug information when the debugger was connected. But when I load it up in IDA first, analyze it and use the resulting database together with the debugger, it fills the kernel debugger with the collected information, and the driver has all names, xrefs, functions, imports and such available once the cursor is in the code segment. That helps a lot. Since the driver is just a small piece of code, I should be able to play with the code/breakpoints now. I like the idea of getting it by IRPs. I will put it on my learning schedule.

Thanks!

Kayaker
January 21st, 2011, 00:01
I've never used that setup, usually just VMWare/VirtualKD/Windbg remote for Win 7, good ol' Softice/VMWare local for XP.

That looks like it might be useful, thanks for the heads up