|
阅读:1585回复:9
IRP 汇编下有一些问题想要求教
push ebp
mov ebp, esp sub esp, 10h mov eax, [ebp+arg_fdo] mov ecx, [eax+28h] ; ecx = fdo->DeviceExtension mov [ebp+var_dx], ecx ; dx = DeviceExtension mov edx, [ebp+arg_irp] mov dword ptr [edx+1Ch], 0 mov [ebp+var_C], 0 mov eax, [ebp+arg_irp] mov ecx, [eax+60h] 在下现在所面临的问题是: 由于刚刚接触irp,所以对irp内部的变量不是非常熟悉。 特别是,不知道某些变量的size,比如:LIST_ENTRY,PIO_STATUS_BLOCK 等等...... 各位前辈可否告知irp的总体大小吗? 另一方面,可否告知哪里可以了解到irp里面的各个变量的size 和作用。 比如上面的一段汇编 irp+0x1C 和 irp+0x60 各指向irp的哪一个成员变量? 谢谢! ps: 我看了DDK里面的irp的构成,可是看的一头雾水,555555 |
|
|
沙发#
发布于:2003-10-22 08:04
别告诉我你不会看。
+0x000 Type : Int2B +0x002 Size : Uint2B +0x004 MdlAddress : Ptr32 +0x008 Flags : Uint4B +0x00c AssociatedIrp : +0x000 MasterIrp : Ptr32 +0x000 IrpCount : Int4B +0x000 SystemBuffer : Ptr32 +0x010 ThreadListEntry : +0x000 Flink : Ptr32 +0x004 Blink : Ptr32 +0x018 IoStatus : +0x000 Status : Int4B +0x000 Pointer : Ptr32 +0x004 Information : Uint4B +0x020 RequestorMode : Char +0x021 PendingReturned : UChar +0x022 StackCount : Char +0x023 CurrentLocation : Char +0x024 Cancel : UChar +0x025 CancelIrql : UChar +0x026 ApcEnvironment : Char +0x027 AllocationFlags : UChar +0x028 UserIosb : Ptr32 +0x02c UserEvent : Ptr32 +0x030 Overlay : +0x000 AsynchronousParameters : +0x000 UserApcRoutine : Ptr32 +0x004 UserApcContext : Ptr32 +0x000 AllocationSize : +0x000 LowPart : Uint4B +0x004 HighPart : Int4B +0x000 u : +0x000 LowPart : Uint4B +0x004 HighPart : Int4B +0x000 QuadPart : Int8B +0x038 CancelRoutine : Ptr32 +0x03c UserBuffer : Ptr32 +0x040 Tail : +0x000 Overlay : +0x000 DeviceQueueEntry : +0x000 DeviceListEntry : +0x000 Flink : Ptr32 +0x004 Blink : Ptr32 +0x008 SortKey : Uint4B +0x00c Inserted : UChar +0x000 DriverContext : Ptr32 +0x010 Thread : Ptr32 +0x014 AuxiliaryBuffer : Ptr32 +0x018 ListEntry : +0x000 Flink : Ptr32 +0x004 Blink : Ptr32 +0x020 CurrentStackLocation : Ptr32 +0x020 PacketType : Uint4B +0x024 OriginalFileObject : Ptr32 +0x000 Apc : +0x000 Type : Int2B +0x002 Size : Int2B +0x004 Spare0 : Uint4B +0x008 Thread : Ptr32 +0x00c ApcListEntry : +0x000 Flink : Ptr32 +0x004 Blink : Ptr32 +0x014 KernelRoutine : Ptr32 +0x018 RundownRoutine : Ptr32 +0x01c NormalRoutine : Ptr32 +0x020 NormalContext : Ptr32 +0x024 SystemArgument1 : Ptr32 +0x028 SystemArgument2 : Ptr32 +0x02c ApcStateIndex : Char +0x02d ApcMode : Char +0x02e Inserted : UChar +0x000 CompletionKey : Ptr32 |
|
|
板凳#
发布于:2003-10-21 08:48
收到!不客气,呵呵!
|
|
|
地板#
发布于:2003-10-21 08:00
谢谢,楼上的帮助!!
给分哈 ;) ps : irp+60H 等效于 IoGetCurrentIrpStackLocation(Irp) |
|
|
地下室#
发布于:2003-10-20 08:54
还没给分吗?我回答对了给分哦!请看附件图。
|
|
|
|
5楼#
发布于:2003-10-20 00:53
[quote]不要着急三,做这个工作肯定要把里面的每一个定义找全
|
|
论坛版主
|
6楼#
发布于:2003-10-18 20:27
不要着急三,做这个工作肯定要把里面的每一个定义找全
|
|
|
7楼#
发布于:2003-10-18 12:27
那自己还得修练内功,先从8086/8088开始吧!
|
|
|
8楼#
发布于:2003-10-18 10:29
对对,就是上面一大群东西,看得我一头雾水。
那我该如何分析别人的汇编语言啊,请问? 里面都是 IRP+0x60H 之类的,而IRP的各个变量的大小又不知道, 请问前辈是怎么知道某个偏移量指向哪一个IRP的成员变量? 谢谢....... ;) |
|
|
9楼#
发布于:2003-10-17 22:59
IRP对用户来说,大部分是不透明的
mov dword ptr [edx+1Ch], 0 ;应该是pIrp->IoStatus.Information = 0;吧 下面是WDM.H的IRP // // I/O Request Packet (IRP) definition // typedef struct _IRP { CSHORT Type; USHORT Size; // // Define the common fields used to control the IRP. // // // Define a pointer to the Memory Descriptor List (MDL) for this I/O // request. This field is only used if the I/O is \"direct I/O\". // PMDL MdlAddress; // // Flags word - used to remember various flags. // ULONG Flags; // // The following union is used for one of three purposes: // // 1. This IRP is an associated IRP. The field is a pointer to a master // IRP. // // 2. This is the master IRP. The field is the count of the number of // IRPs which must complete (associated IRPs) before the master can // complete. // // 3. This operation is being buffered and the field is the address of // the system space buffer. // union { struct _IRP *MasterIrp; LONG IrpCount; PVOID SystemBuffer; } AssociatedIrp; // // Thread list entry - allows queueing the IRP to the thread pending I/O // request packet list. // LIST_ENTRY ThreadListEntry; // // I/O status - final status of operation. // IO_STATUS_BLOCK IoStatus; // // Requestor mode - mode of the original requestor of this operation. // KPROCESSOR_MODE RequestorMode; // // Pending returned - TRUE if pending was initially returned as the // status for this packet. // BOOLEAN PendingReturned; // // Stack state information. // CHAR StackCount; CHAR CurrentLocation; // // Cancel - packet has been canceled. // BOOLEAN Cancel; // // Cancel Irql - Irql at which the cancel spinlock was acquired. // KIRQL CancelIrql; // // ApcEnvironment - Used to save the APC environment at the time that the // packet was initialized. // CCHAR ApcEnvironment; // // Allocation control flags. // UCHAR AllocationFlags; // // User parameters. // PIO_STATUS_BLOCK UserIosb; PKEVENT UserEvent; union { struct { PIO_APC_ROUTINE UserApcRoutine; PVOID UserApcContext; } AsynchronousParameters; LARGE_INTEGER AllocationSize; } Overlay; // // CancelRoutine - Used to contain the address of a cancel routine supplied // by a device driver when the IRP is in a cancelable state. // PDRIVER_CANCEL CancelRoutine; // // Note that the UserBuffer parameter is outside of the stack so that I/O // completion can copy data back into the user\'s address space without // having to know exactly which service was being invoked. The length // of the copy is stored in the second half of the I/O status block. If // the UserBuffer field is NULL, then no copy is performed. // PVOID UserBuffer; // // Kernel structures // // The following section contains kernel structures which the IRP needs // in order to place various work information in kernel controller system // queues. Because the size and alignment cannot be controlled, they are // placed here at the end so they just hang off and do not affect the // alignment of other fields in the IRP. // union { struct { union { // // DeviceQueueEntry - The device queue entry field is used to // queue the IRP to the device driver device queue. // KDEVICE_QUEUE_ENTRY DeviceQueueEntry; struct { // // The following are available to the driver to use in // whatever manner is desired, while the driver owns the // packet. // PVOID DriverContext[4]; } ; } ; // // Thread - pointer to caller\'s Thread Control Block. // PETHREAD Thread; // // Auxiliary buffer - pointer to any auxiliary buffer that is // required to pass information to a driver that is not contained // in a normal buffer. // PCHAR AuxiliaryBuffer; // // The following unnamed structure must be exactly identical // to the unnamed structure used in the minipacket header used // for completion queue entries. // struct { // // List entry - used to queue the packet to completion queue, among // others. // LIST_ENTRY ListEntry; union { // // Current stack location - contains a pointer to the current // IO_STACK_LOCATION structure in the IRP stack. This field // should never be directly accessed by drivers. They should // use the standard functions. // struct _IO_STACK_LOCATION *CurrentStackLocation; // // Minipacket type. // ULONG PacketType; }; }; // // Original file object - pointer to the original file object // that was used to open the file. This field is owned by the // I/O system and should not be used by any other drivers. // PFILE_OBJECT OriginalFileObject; } Overlay; // // APC - This APC control block is used for the special kernel APC as // well as for the caller\'s APC, if one was specified in the original // argument list. If so, then the APC is reused for the normal APC for // whatever mode the caller was in and the \"special\" routine that is // invoked before the APC gets control simply deallocates the IRP. // KAPC Apc; // // CompletionKey - This is the key that is used to distinguish // individual I/O operations initiated on a single file handle. // PVOID CompletionKey; } Tail; } IRP, *PIRP; |
|
