整理了一下...对驱动逆向很有用的,

楼主^#

更多发布于：2008-01-06 19:10

#define IoGetCurrentIrpStackLocation( Irp ) ( (Irp)->Tail.Overlay.CurrentStackLocation )

#define IoGetNextIrpStackLocation( Irp ) (\
   (Irp)->Tail.Overlay.CurrentStackLocation - 1 )

#define IoSkipCurrentIrpStackLocation( Irp ) \
   (Irp)->CurrentLocation++; \
   (Irp)->Tail.Overlay.CurrentStackLocation++;

NTSTATUS
DriverEntry (
   IN PDRIVER_OBJECT DriverObject,
   IN PUNICODE_STRING RegistryPath
   );
NTSTATUS __stdcall _MJ_POWER(IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp)
VOID
_DriverUnload (
   IN PDRIVER_OBJECT DriverObject
);

NTSTATUS
_MJ_Close (
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
);

【DeviceObject+0x28 是 DeviceExtension】
【DriverExtension + 4 是 AddDevice】
【DriverObject+0x18 是 DriverExtension】

typedef struct _DRIVER_OBJECT {
0x00 CSHORT Type;
   CSHORT Size;
0x04 PDEVICE_OBJECT DeviceObject;
0x08 ULONG Flags;

0x0c PVOID DriverStart;
0x10 ULONG DriverSize;
0x14 PVOID DriverSection;
0x18 PDRIVER_EXTENSION DriverExtension;

0x1c UNICODE_STRING DriverName;

0x24 PUNICODE_STRING HardwareDatabase;

0x28 PFAST_IO_DISPATCH FastIoDispatch;

0x2c PDRIVER_INITIALIZE DriverInit;
0x30 PDRIVER_STARTIO DriverStartIo;
0x34 PDRIVER_UNLOAD DriverUnload;
   //PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
0x38 #define IRP_MJ_CREATE 0x00
0x3c #define IRP_MJ_CREATE_NAMED_PIPE 0x01
0x40 #define IRP_MJ_CLOSE 0x02
0x44 #define IRP_MJ_READ 0x03
0x48 #define IRP_MJ_WRITE 0x04
0x4c #define IRP_MJ_QUERY_INFORMATION 0x05
0x50 #define IRP_MJ_SET_INFORMATION 0x06
0x54 #define IRP_MJ_QUERY_EA 0x07
0x58 #define IRP_MJ_SET_EA 0x08
0x5c #define IRP_MJ_FLUSH_BUFFERS 0x09
0x60 #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a
0x64 #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b
0x68 #define IRP_MJ_DIRECTORY_CONTROL 0x0c
0x6c #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
0x70 #define IRP_MJ_DEVICE_CONTROL 0x0e
0x74 #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
0x78 #define IRP_MJ_SHUTDOWN 0x10
0x7c #define IRP_MJ_LOCK_CONTROL 0x11
0x80 #define IRP_MJ_CLEANUP 0x12
0x84 #define IRP_MJ_CREATE_MAILSLOT 0x13
0x88 #define IRP_MJ_QUERY_SECURITY 0x14
0x8c #define IRP_MJ_SET_SECURITY 0x15
0x90 #define IRP_MJ_POWER 0x16
0x94 #define IRP_MJ_SYSTEM_CONTROL 0x17
0x98 #define IRP_MJ_DEVICE_CHANGE 0x18
0x9c #define IRP_MJ_QUERY_QUOTA 0x19
0xa0 #define IRP_MJ_SET_QUOTA 0x1a
0xa4 #define IRP_MJ_PNP 0x1b
0xa8 #define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete....
   #define IRP_MJ_MAXIMUM_FUNCTION 0x1b
} DRIVER_OBJECT;

typedef struct _DEVICE_OBJECT {
   CSHORT Type;
   USHORT Size;
   LONG ReferenceCount;
   struct _DRIVER_OBJECT *DriverObject;
   struct _DEVICE_OBJECT *NextDevice;
   struct _DEVICE_OBJECT *AttachedDevice;
   struct _IRP *CurrentIrp;
   PIO_TIMER Timer;
   ULONG Flags; // See above: DO_...
   ULONG Characteristics; // See ntioapi: FILE_...
   PVPB Vpb;
   PVOID DeviceExtension;
   DEVICE_TYPE DeviceType;
   CCHAR StackSize;
   union {
   LIST_ENTRY ListEntry;
   WAIT_CONTEXT_BLOCK Wcb;
   } Queue;
   ULONG AlignmentRequirement;
   KDEVICE_QUEUE DeviceQueue;
   KDPC Dpc;

   //
   // The following field is for exclusive use by the filesystem to keep
   // track of the number of Fsp threads currently using the device
   //

   ULONG ActiveThreadCount;
   PSECURITY_DESCRIPTOR SecurityDescriptor;
   KEVENT DeviceLock;

   USHORT SectorSize;
   USHORT Spare1;

   struct _DEVOBJ_EXTENSION *DeviceObjectExtension;
   PVOID Reserved;
} DEVICE_OBJECT;
typedef struct _DEVICE_OBJECT *PDEVICE_OBJECT; // ntndis

typedef struct _IRP {
   CSHORT Type;
   USHORT Size;
0x04 PMDL MdlAddress;
0x08 ULONG Flags;

0x0c union {
   struct _IRP *MasterIrp;
   LONG IrpCount;
   PVOID SystemBuffer;
   } AssociatedIrp;

0x10 LIST_ENTRY ThreadListEntry;

   //IO_STATUS_BLOCK IoStatus;
0x18 typedef struct _IO_STATUS_BLOCK {
   union {
   NTSTATUS Status;
   PVOID Pointer;
   };

0x1c ULONG_PTR Information;
   } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
0x20 KPROCESSOR_MODE RequestorMode;

0x21 BOOLEAN PendingReturned;

0x22 CHAR StackCount;
0x23 CHAR CurrentLocation;

0x24 BOOLEAN Cancel;

   KIRQL CancelIrql;
   CCHAR ApcEnvironment;

   UCHAR AllocationFlags;

   PIO_STATUS_BLOCK UserIosb;
   PKEVENT UserEvent;
   union {
   struct {
   PIO_APC_ROUTINE UserApcRoutine;
   PVOID UserApcContext;
   } AsynchronousParameters;
   LARGE_INTEGER AllocationSize;
   } Overlay;
   PDRIVER_CANCEL CancelRoutine;
   PVOID UserBuffer;
   union {
   struct {
   union {
   KDEVICE_QUEUE_ENTRY DeviceQueueEntry;

   struct {

   PVOID DriverContext[4];

   } ;
   } ;
   PETHREAD Thread;
   PCHAR AuxiliaryBuffer;
   struct {

   LIST_ENTRY ListEntry;
   union {
0x60 struct _IO_STACK_LOCATION *CurrentStackLocation;

   ULONG PacketType;
   };
   };
   PFILE_OBJECT OriginalFileObject;
   } Overlay;
   KAPC Apc;
   PVOID CompletionKey;

   } Tail;

} IRP, *PIRP;

typedef struct _IO_STACK_LOCATION {
   UCHAR MajorFunction;
   UCHAR MinorFunction;
   UCHAR Flags;
   UCHAR Control;

   //
   // The following user parameters are based on the service that is being
   // invoked. Drivers and file systems can determine which set to use based
   // on the above major and minor function codes.
   //

   union {

   //
   // System service parameters for: NtCreateFile
   //

   struct {
   PIO_SECURITY_CONTEXT SecurityContext;
   ULONG Options;
   USHORT POINTER_ALIGNMENT FileAttributes;
   USHORT ShareAccess;
   ULONG POINTER_ALIGNMENT EaLength;
   } Create;

   //
   // System service parameters for: NtReadFile
   //

   struct {
   ULONG Length;
   ULONG POINTER_ALIGNMENT Key;
   LARGE_INTEGER ByteOffset;
   } Read;

   //
   // System service parameters for: NtWriteFile
   //

   struct {
   ULONG Length;
   ULONG POINTER_ALIGNMENT Key;
   LARGE_INTEGER ByteOffset;
   } Write;

   //
   // System service parameters for: NtQueryInformationFile
   //

   struct {
   ULONG Length;
   FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
   } QueryFile;

   //
   // System service parameters for: NtSetInformationFile
   //

   struct {
   ULONG Length;
   FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
   PFILE_OBJECT FileObject;
   union {
   struct {
   BOOLEAN ReplaceIfExists;
   BOOLEAN AdvanceOnly;
   };
   ULONG ClusterCount;
   HANDLE DeleteHandle;
   };
   } SetFile;

   //
   // System service parameters for: NtQueryVolumeInformationFile
   //

   struct {
   ULONG Length;
   FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;
   } QueryVolume;

   //
   // System service parameters for: NtFlushBuffersFile
   //
   // No extra user-supplied parameters.
   //

   //
   // System service parameters for: NtDeviceIoControlFile
   //
   // Note that the user's output buffer is stored in the UserBuffer field
   // and the user's input buffer is stored in the SystemBuffer field.
   //

   struct {
   ULONG OutputBufferLength;
   ULONG POINTER_ALIGNMENT InputBufferLength;
   ULONG POINTER_ALIGNMENT IoControlCode;
   PVOID Type3InputBuffer;
   } DeviceIoControl;

// end_wdm
   //
   // System service parameters for: NtQuerySecurityObject
   //

   struct {
   SECURITY_INFORMATION SecurityInformation;
   ULONG POINTER_ALIGNMENT Length;
   } QuerySecurity;

   //
   // System service parameters for: NtSetSecurityObject
   //

   struct {
   SECURITY_INFORMATION SecurityInformation;
   PSECURITY_DESCRIPTOR SecurityDescriptor;
   } SetSecurity;

// begin_wdm
   //
   // Non-system service parameters.
   //
   // Parameters for MountVolume
   //

   struct {
   PVPB Vpb;
   PDEVICE_OBJECT DeviceObject;
   } MountVolume;

   //
   // Parameters for VerifyVolume
   //

   struct {
   PVPB Vpb;
   PDEVICE_OBJECT DeviceObject;
   } VerifyVolume;

   //
   // Parameters for Scsi with internal device contorl.
   //

   struct {
   struct _SCSI_REQUEST_BLOCK *Srb;
   } Scsi;

   //
   // Parameters for IRP_MN_QUERY_DEVICE_RELATIONS
   //

   struct {
   DEVICE_RELATION_TYPE Type;
   } QueryDeviceRelations;

   //
   // Parameters for IRP_MN_QUERY_INTERFACE
   //

   struct {
   CONST GUID *InterfaceType;
   USHORT Size;
   USHORT Version;
   PINTERFACE Interface;
   PVOID InterfaceSpecificData;
   } QueryInterface;

// end_ntifs

   //
   // Parameters for IRP_MN_QUERY_CAPABILITIES
   //

   struct {
   PDEVICE_CAPABILITIES Capabilities;
   } DeviceCapabilities;

   //
   // Parameters for IRP_MN_FILTER_RESOURCE_REQUIREMENTS
   //

   struct {
   PIO_RESOURCE_REQUIREMENTS_LIST IoResourceRequirementList;
   } FilterResourceRequirements;

   //
   // Parameters for IRP_MN_READ_CONFIG and IRP_MN_WRITE_CONFIG
   //

   struct {
   ULONG WhichSpace;
   PVOID Buffer;
   ULONG Offset;
   ULONG POINTER_ALIGNMENT Length;
   } ReadWriteConfig;

   //
   // Parameters for IRP_MN_SET_LOCK
   //

   struct {
   BOOLEAN Lock;
   } SetLock;

   //
   // Parameters for IRP_MN_QUERY_ID
   //

   struct {
   BUS_QUERY_ID_TYPE IdType;
   } QueryId;

   //
   // Parameters for IRP_MN_QUERY_DEVICE_TEXT
   //

   struct {
   DEVICE_TEXT_TYPE DeviceTextType;
   LCID POINTER_ALIGNMENT LocaleId;
   } QueryDeviceText;

   //
   // Parameters for IRP_MN_DEVICE_USAGE_NOTIFICATION
   //

   struct {
   BOOLEAN InPath;
   BOOLEAN Reserved[3];
   DEVICE_USAGE_NOTIFICATION_TYPE POINTER_ALIGNMENT Type;
   } UsageNotification;

   //
   // Parameters for IRP_MN_WAIT_WAKE
   //

   struct {
   SYSTEM_POWER_STATE PowerState;
   } WaitWake;

   //
   // Parameter for IRP_MN_POWER_SEQUENCE
   //

   struct {
   PPOWER_SEQUENCE PowerSequence;
   } PowerSequence;

   //
   // Parameters for IRP_MN_SET_POWER and IRP_MN_QUERY_POWER
   //

   struct {
   ULONG SystemContext;
   POWER_STATE_TYPE POINTER_ALIGNMENT Type;
   POWER_STATE POINTER_ALIGNMENT State;
   POWER_ACTION POINTER_ALIGNMENT ShutdownType;
   } Power;

   //
   // Parameters for StartDevice
   //

   struct {
   PCM_RESOURCE_LIST AllocatedResources;
   PCM_RESOURCE_LIST AllocatedResourcesTranslated;
   } StartDevice;

// begin_ntifs
   //
   // Parameters for Cleanup
   //
   // No extra parameters supplied
   //

   //
   // WMI Irps
   //

   struct {
   ULONG_PTR ProviderId;
   PVOID DataPath;
   ULONG BufferSize;
   PVOID Buffer;
   } WMI;

   //
   // Others - driver-specific
   //

   struct {
   PVOID Argument1;
   PVOID Argument2;
   PVOID Argument3;
   PVOID Argument4;
   } Others;

   } Parameters;

   //
   // Save a pointer to this device driver's device object for this request
   // so it can be passed to the completion routine if needed.
   //

   PDEVICE_OBJECT DeviceObject;

   //
   // The following location contains a pointer to the file object for this
   //

   PFILE_OBJECT FileObject;

   //
   // The following routine is invoked depending on the flags in the above
   // flags field.
   //

   PIO_COMPLETION_ROUTINE CompletionRoutine;

   //
   // The following is used to store the address of the context parameter
   // that should be passed to the CompletionRoutine.
   //

   PVOID Context;

} IO_STACK_LOCATION, *PIO_STACK_LOCATION;

typedef struct _LIST_ENTRY {
   struct _LIST_ENTRY *Flink;
   struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
#define FILE_DEVICE_BEEP 0x00000001
#define FILE_DEVICE_CD_ROM 0x00000002
#define FILE_DEVICE_CD_ROM_FILE_SYSTEM 0x00000003
#define FILE_DEVICE_CONTROLLER 0x00000004
#define FILE_DEVICE_DATALINK 0x00000005
#define FILE_DEVICE_DFS 0x00000006
#define FILE_DEVICE_DISK 0x00000007
#define FILE_DEVICE_DISK_FILE_SYSTEM 0x00000008
#define FILE_DEVICE_FILE_SYSTEM 0x00000009
#define FILE_DEVICE_INPORT_PORT 0x0000000a
#define FILE_DEVICE_KEYBOARD 0x0000000b
#define FILE_DEVICE_MAILSLOT 0x0000000c
#define FILE_DEVICE_MIDI_IN 0x0000000d
#define FILE_DEVICE_MIDI_OUT 0x0000000e
#define FILE_DEVICE_MOUSE 0x0000000f
#define FILE_DEVICE_MULTI_UNC_PROVIDER 0x00000010
#define FILE_DEVICE_NAMED_PIPE 0x00000011
#define FILE_DEVICE_NETWORK 0x00000012
#define FILE_DEVICE_NETWORK_BROWSER 0x00000013
#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014
#define FILE_DEVICE_NULL 0x00000015
#define FILE_DEVICE_PARALLEL_PORT 0x00000016
#define FILE_DEVICE_PHYSICAL_NETCARD 0x00000017
#define FILE_DEVICE_PRINTER 0x00000018
#define FILE_DEVICE_SCANNER 0x00000019
#define FILE_DEVICE_SERIAL_MOUSE_PORT 0x0000001a
#define FILE_DEVICE_SERIAL_PORT 0x0000001b
#define FILE_DEVICE_SCREEN 0x0000001c
#define FILE_DEVICE_SOUND 0x0000001d
#define FILE_DEVICE_STREAMS 0x0000001e
#define FILE_DEVICE_TAPE 0x0000001f
#define FILE_DEVICE_TAPE_FILE_SYSTEM 0x00000020
#define FILE_DEVICE_TRANSPORT 0x00000021
#define FILE_DEVICE_UNKNOWN 0x00000022
#define FILE_DEVICE_VIDEO 0x00000023
#define FILE_DEVICE_VIRTUAL_DISK 0x00000024
#define FILE_DEVICE_WAVE_IN 0x00000025
#define FILE_DEVICE_WAVE_OUT 0x00000026
#define FILE_DEVICE_8042_PORT 0x00000027
#define FILE_DEVICE_NETWORK_REDIRECTOR 0x00000028
#define FILE_DEVICE_BATTERY 0x00000029
#define FILE_DEVICE_BUS_EXTENDER 0x0000002a
#define FILE_DEVICE_MODEM 0x0000002b
#define FILE_DEVICE_VDM 0x0000002c
#define FILE_DEVICE_MASS_STORAGE 0x0000002d
#define FILE_DEVICE_SMB 0x0000002e
#define FILE_DEVICE_KS 0x0000002f
#define FILE_DEVICE_CHANGER 0x00000030
#define FILE_DEVICE_SMARTCARD 0x00000031
#define FILE_DEVICE_ACPI 0x00000032
#define FILE_DEVICE_DVD 0x00000033
#define FILE_DEVICE_FULLSCREEN_VIDEO 0x00000034
#define FILE_DEVICE_DFS_FILE_SYSTEM 0x00000035
#define FILE_DEVICE_DFS_VOLUME 0x00000036
#define FILE_DEVICE_SERENUM 0x00000037
#define FILE_DEVICE_TERMSRV 0x00000038
#define FILE_DEVICE_KSEC 0x00000039

喜欢2

最新喜欢：

Greed

mz_suy...

ai3000 驱动牛犊注册日期2007-01-08 最后登录2011-01-18 粉丝2 关注1 积分10分威望140点贡献值1点好评度75点原创分1分专家分0分加关注写私信	沙发^# 发布于：2008-01-06 20:28 真不错！我早看到就不需要费半天事了。
	回复(0) 喜欢(0)

poize 驱动牛犊注册日期2005-08-17 最后登录2013-09-13 粉丝0 关注0 积分2分威望32点贡献值0点好评度29点原创分0分专家分0分加关注写私信	板凳^# 发布于：2008-01-24 20:57 很好，很和谐
	回复(0) 喜欢(0)

logicfeeling 驱动牛犊注册日期2005-08-14 最后登录2012-02-29 粉丝0 关注0 积分-5分威望119点贡献值0点好评度33点原创分0分专家分0分加关注写私信	地板^# 发布于：2008-02-03 12:15 弄成Hexrays的插件，自动把东西加到反编译结果里面去就更好了：）
	回复(0) 喜欢(0)

LOIEN

驱动牛犊

注册日期2007-12-20
最后登录2009-10-18
粉丝0
关注0
积分13分
威望61点
贡献值0点
好评度2点
原创分0分
专家分0分

加关注写私信

地下室^#

发布于：2008-06-16 03:08

太及时了

驱网无线，快乐无限

回复喜欢

zzq191

驱动中牛

注册日期2001-08-09
最后登录2018-05-29
粉丝17
关注0
积分1041分
威望716点
贡献值0点
好评度318点
原创分0分
专家分0分

加关注写私信

5楼^#

发布于：2008-06-20 10:37

这些ＤＤＫ里不是有吗

QQ:416331891，承接windows下应用和驱动的开发,雅虎通:zzq191, Email:zzq191@21cn.com

回复喜欢

sawayaka 驱动牛犊注册日期2008-06-20 最后登录2008-06-27 粉丝0 关注0 积分7分威望7点贡献值0点好评度0点原创分0分专家分0分加关注写私信	6楼^# 发布于：2008-06-21 10:22 记号！
	回复(0) 喜欢(0)

pandaforum 驱动小牛注册日期2007-02-13 最后登录2011-09-06 粉丝0 关注0 积分728分威望282点贡献值1点好评度66点原创分0分专家分0分加关注写私信	7楼^# 发布于：2008-08-06 19:33 多谢非常有用对于反汇编
	回复(0) 喜欢(0)

hugo650 驱动牛犊注册日期2007-10-21 最后登录2009-11-07 粉丝0 关注0 积分5分威望28点贡献值0点好评度4点原创分0分专家分0分加关注写私信	8楼^# 发布于：2008-08-16 11:17 好帖，收藏！！！！
	回复(0) 喜欢(0)

beginl08 驱动牛犊注册日期2008-10-24 最后登录2009-01-06 粉丝0 关注0 积分4分威望24点贡献值0点好评度0点原创分0分专家分0分加关注写私信	9楼^# 发布于：2008-10-24 11:45 太强大了，收藏之
	回复(0) 喜欢(0)

solidyjd 驱动牛犊注册日期2008-11-23 最后登录2010-01-08 粉丝0 关注0 积分6分威望35点贡献值0点好评度0点原创分0分专家分0分加关注写私信	10楼^# 发布于：2008-11-23 19:53 非常感谢你的付出非常
	回复(0) 喜欢(0)

newkey

驱动小牛

注册日期2002-10-03
最后登录2013-10-13
粉丝1
关注0
积分45分
威望392点
贡献值1点
好评度90点
原创分0分
专家分0分

加关注写私信

11楼^#

发布于：2008-12-17 17:30

在Windbg中dt 就行了

www.xDrv.com

回复喜欢

smellydog 驱动牛犊注册日期2007-07-08 最后登录2014-06-06 粉丝0 关注0 积分11分威望79点贡献值0点好评度13点原创分0分专家分0分加关注写私信	12楼^# 发布于：2009-04-17 11:00 虽然是一年前的帖子，不过归纳的不错
	回复(0) 喜欢(0)

asdfjmjgx 驱动牛犊注册日期2016-11-17 最后登录2017-08-11 粉丝0 关注0 积分4分威望30点贡献值0点好评度0点原创分0分专家分0分加关注写私信	13楼^# 发布于：2017-08-10 22:30 收为什么这么长时间没人回帖了
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册