驱动小牛
驱动反汇编常用结构体 Offset
// DEVICE_OBJECT, 32-bit x86 layout as given in the post. The numbers in the
// comments are byte offsets from the start of the object; they differ on x64
// and can move between builds, so confirm them on the target with WinDbg
// (`dt nt!_DEVICE_OBJECT`) before relying on them in a disassembly.
typedef struct _DEVICE_OBJECT {
    CSHORT Type;                                // 0x00
    USHORT Size;                                // 0x02
    LONG ReferenceCount;                        // 0x04
    struct _DRIVER_OBJECT *DriverObject;        // 0x08
    struct _DEVICE_OBJECT *NextDevice;          // 0x0c
    struct _DEVICE_OBJECT *AttachedDevice;      // 0x10
    struct _IRP *CurrentIrp;                    // 0x14
    PIO_TIMER Timer;                            // 0x18
    ULONG Flags;                                // 0x1c  See above: DO_...
    ULONG Characteristics;                      // 0x20  See ntioapi: FILE_...
    PVPB Vpb;                                   // 0x24
    PVOID DeviceExtension;                      // 0x28  frequently used (post's note)
    DEVICE_TYPE DeviceType;                     // 0x2c
    CCHAR StackSize;                            // 0x30
    union {
        LIST_ENTRY ListEntry;
        WAIT_CONTEXT_BLOCK Wcb;
    } Queue;                                    // post says 0x31. NOTE(review): StackSize is a
                                                // single byte followed by padding; the union holds
                                                // pointers, so it is pointer-aligned at 0x34 on x86
                                                // — confirm with `dt nt!_DEVICE_OBJECT`
    ULONG AlignmentRequirement;                 // no offset given in the post
    KDEVICE_QUEUE DeviceQueue;
    KDPC Dpc;
    // The post's listing stops here: the remaining members and the closing
    // "} DEVICE_OBJECT, *PDEVICE_OBJECT;" are not present in the source.
驱动小牛
沙发#
发布于:2008-03-26 15:32
// UNICODE_STRING: counted string of 16-bit characters. Length and
// MaximumLength are BYTE counts (the MIDL attributes below divide by 2 to get
// element counts). A consumer that receives one of these from a less trusted
// caller should check Length <= MaximumLength before touching Buffer.
typedef struct _UNICODE_STRING {
    USHORT Length;              // 0x00  bytes in use
    USHORT MaximumLength;       // 0x02  byte capacity of Buffer
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2)] USHORT *Buffer;
#else // MIDL_PASS
    PWSTR Buffer;               // 0x04
#endif // MIDL_PASS
} UNICODE_STRING;
// So UNICODE_STRING occupies 8 bytes (post's note; that is the 32-bit x86
// size: 2 + 2 + a 4-byte pointer — it is 16 bytes on x64).
驱动小牛
板凳#
发布于:2008-03-26 15:48
// LIST_ENTRY: the link pair embedded in every node of an NT doubly-linked list.
// RESTRICTED_POINTER is a macro from the WDK headers (not defined on this page).
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;  // forward link
    struct _LIST_ENTRY *Blink;  // backward link
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
// Two pointers: LIST_ENTRY is 8 bytes long (post's note; 32-bit x86 — 16 on x64).
驱动小牛
地板#
发布于:2008-03-26 15:50
// IO_STATUS_BLOCK, 32-bit x86 layout as given in the post (byte offsets in comments).
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID Pointer;
    };                          // 0x00  anonymous union: Status and Pointer overlap
    ULONG_PTR Information;      // 0x04
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
驱动小牛
地下室#
发布于:2008-03-26 15:54
// IRP, 32-bit x86 layout as given in the post (byte offsets in comments; x64
// differs — confirm on the target with WinDbg `dt nt!_IRP`).
// NOTE(review): when RequestorMode is UserMode, pointer fields such as
// UserBuffer refer to caller memory that this structure does not validate; a
// handler must probe/capture them before use.
typedef struct _IRP {
    CSHORT Type;                                // 0x00
    USHORT Size;                                // 0x02
    PMDL MdlAddress;                            // 0x04
    ULONG Flags;                                // 0x08
    union {
        struct _IRP *MasterIrp;
        LONG IrpCount;
        PVOID SystemBuffer;
    } AssociatedIrp;                            // 0x0c
    LIST_ENTRY ThreadListEntry;                 // 0x10
    IO_STATUS_BLOCK IoStatus;                   // 0x18 (Status); 0x1c is IoStatus.Information
    KPROCESSOR_MODE RequestorMode;              // 0x20
    BOOLEAN PendingReturned;                    // 0x21
    CHAR StackCount;                            // 0x22
    CHAR CurrentLocation;                       // 0x23
    BOOLEAN Cancel;                             // 0x24
    KIRQL CancelIrql;                           // 0x25
    CCHAR ApcEnvironment;                       // 0x26
    UCHAR AllocationFlags;                      // 0x27
    PIO_STATUS_BLOCK UserIosb;                  // 0x28
    PKEVENT UserEvent;                          // 0x2c
    union {
        struct {
            PIO_APC_ROUTINE UserApcRoutine;
            PVOID UserApcContext;
        } AsynchronousParameters;
        LARGE_INTEGER AllocationSize;
    } Overlay;                                  // 0x30
    PDRIVER_CANCEL CancelRoutine;               // 0x38
    PVOID UserBuffer;                           // 0x3c
    union {
        struct {                                // 0x40
            union {                             // 0x40
                KDEVICE_QUEUE_ENTRY DeviceQueueEntry;   // 0x40
                struct {
                    PVOID DriverContext[4];     // 0x40
                };
            };
            PETHREAD Thread;                    // 0x50
            PCHAR AuxiliaryBuffer;              // 0x54
            struct {                            // 0x58
                LIST_ENTRY ListEntry;           // 0x58
                union {                         // 0x60  commonly used: CurrentStackLocation (post's note)
                    struct _IO_STACK_LOCATION *CurrentStackLocation;    // 0x60
                    ULONG PacketType;           // 0x60
                };
            };
            PFILE_OBJECT OriginalFileObject;    // 0x64
        } Overlay;                              // struct
        KAPC Apc;                               // 0x40
        PVOID CompletionKey;                    // 0x40
    } Tail;                                     // 0x40
} IRP, *PIRP;
5楼#
发布于:2008-03-27 21:26
打开Windbg, !dt 一下就什么都清楚了。
驱动小牛
6楼#
发布于:2008-04-03 15:44
// IO_STACK_LOCATION, 32-bit x86 layout as given in the post (byte offsets in
// comments for the members the post annotated; the last member at 0x20 plus a
// 4-byte pointer gives 0x24 bytes per location on x86).
typedef struct _IO_STACK_LOCATION {
    UCHAR MajorFunction;        // 0x00
    UCHAR MinorFunction;        // 0x01
    UCHAR Flags;                // 0x02
    UCHAR Control;              // 0x03

    //
    // The following user parameters are based on the service that is being
    // invoked. Drivers and file systems can determine which set to use based
    // on the above major and minor function codes.
    //
    union {
        // System service parameters for: NtCreateFile
        struct {
            PIO_SECURITY_CONTEXT SecurityContext;
            ULONG Options;
            USHORT POINTER_ALIGNMENT FileAttributes;
            USHORT ShareAccess;
            ULONG POINTER_ALIGNMENT EaLength;
        } Create;

        // System service parameters for: NtReadFile
        struct {
            ULONG Length;
            ULONG POINTER_ALIGNMENT Key;
            LARGE_INTEGER ByteOffset;
        } Read;

        // System service parameters for: NtWriteFile
        struct {
            ULONG Length;
            ULONG POINTER_ALIGNMENT Key;
            LARGE_INTEGER ByteOffset;
        } Write;

        // System service parameters for: NtQueryInformationFile
        struct {
            ULONG Length;
            FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
        } QueryFile;

        // System service parameters for: NtSetInformationFile
        struct {
            ULONG Length;
            FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
            PFILE_OBJECT FileObject;
            union {
                struct {
                    BOOLEAN ReplaceIfExists;
                    BOOLEAN AdvanceOnly;
                };
                ULONG ClusterCount;
                HANDLE DeleteHandle;
            };
        } SetFile;

        // System service parameters for: NtQueryVolumeInformationFile
        struct {
            ULONG Length;
            FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;
        } QueryVolume;

        // System service parameters for: NtFlushBuffersFile
        // No extra user-supplied parameters.

        // System service parameters for: NtDeviceIoControlFile
        // Note that the user's output buffer is stored in the UserBuffer field
        // and the user's input buffer is stored in the SystemBuffer field.
        // NOTE(review): for METHOD_NEITHER requests Type3InputBuffer is the
        // caller's raw pointer — the I/O manager does not copy or validate it,
        // so a handler must probe it (and UserBuffer) against the request's
        // RequestorMode before use.
        struct {
            ULONG OutputBufferLength;
            ULONG POINTER_ALIGNMENT InputBufferLength;
            ULONG POINTER_ALIGNMENT IoControlCode;
            PVOID Type3InputBuffer;
        } DeviceIoControl;
        // end_wdm

        // System service parameters for: NtQuerySecurityObject
        struct {
            SECURITY_INFORMATION SecurityInformation;
            ULONG POINTER_ALIGNMENT Length;
        } QuerySecurity;

        // System service parameters for: NtSetSecurityObject
        struct {
            SECURITY_INFORMATION SecurityInformation;
            PSECURITY_DESCRIPTOR SecurityDescriptor;
        } SetSecurity;
        // begin_wdm

        //
        // Non-system service parameters.
        //

        // Parameters for MountVolume
        struct {
            PVPB Vpb;
            PDEVICE_OBJECT DeviceObject;
        } MountVolume;

        // Parameters for VerifyVolume
        struct {
            PVPB Vpb;
            PDEVICE_OBJECT DeviceObject;
        } VerifyVolume;

        // Parameters for Scsi with internal device control.
        struct {
            struct _SCSI_REQUEST_BLOCK *Srb;
        } Scsi;

        // Parameters for IRP_MN_QUERY_DEVICE_RELATIONS
        struct {
            DEVICE_RELATION_TYPE Type;
        } QueryDeviceRelations;

        // Parameters for IRP_MN_QUERY_INTERFACE
        struct {
            CONST GUID *InterfaceType;
            USHORT Size;
            USHORT Version;
            PINTERFACE Interface;
            PVOID InterfaceSpecificData;
        } QueryInterface;
        // end_ntifs

        // Parameters for IRP_MN_QUERY_CAPABILITIES
        struct {
            PDEVICE_CAPABILITIES Capabilities;
        } DeviceCapabilities;

        // Parameters for IRP_MN_FILTER_RESOURCE_REQUIREMENTS
        struct {
            PIO_RESOURCE_REQUIREMENTS_LIST IoResourceRequirementList;
        } FilterResourceRequirements;

        // Parameters for IRP_MN_READ_CONFIG and IRP_MN_WRITE_CONFIG
        struct {
            ULONG WhichSpace;
            PVOID Buffer;
            ULONG Offset;
            ULONG POINTER_ALIGNMENT Length;
        } ReadWriteConfig;

        // Parameters for IRP_MN_SET_LOCK
        struct {
            BOOLEAN Lock;
        } SetLock;

        // Parameters for IRP_MN_QUERY_ID
        struct {
            BUS_QUERY_ID_TYPE IdType;
        } QueryId;

        // Parameters for IRP_MN_QUERY_DEVICE_TEXT
        struct {
            DEVICE_TEXT_TYPE DeviceTextType;
            LCID POINTER_ALIGNMENT LocaleId;
        } QueryDeviceText;

        // Parameters for IRP_MN_DEVICE_USAGE_NOTIFICATION
        struct {
            BOOLEAN InPath;
            BOOLEAN Reserved[3];
            DEVICE_USAGE_NOTIFICATION_TYPE POINTER_ALIGNMENT Type;
        } UsageNotification;

        // Parameters for IRP_MN_WAIT_WAKE
        struct {
            SYSTEM_POWER_STATE PowerState;
        } WaitWake;

        // Parameter for IRP_MN_POWER_SEQUENCE
        struct {
            PPOWER_SEQUENCE PowerSequence;
        } PowerSequence;

        // Parameters for IRP_MN_SET_POWER and IRP_MN_QUERY_POWER
        // (the post marked the two offsets below with "\\", which is not a C
        // comment; they are offsets within the stack location)
        struct {
            ULONG SystemContext;                        // 0x04
            POWER_STATE_TYPE POINTER_ALIGNMENT Type;    // 0x08
            POWER_STATE POINTER_ALIGNMENT State;
            POWER_ACTION POINTER_ALIGNMENT ShutdownType;
        } Power;

        // Parameters for StartDevice
        struct {
            PCM_RESOURCE_LIST AllocatedResources;
            PCM_RESOURCE_LIST AllocatedResourcesTranslated;
        } StartDevice;
        // begin_ntifs

        // Parameters for Cleanup
        // No extra parameters supplied

        // WMI Irps
        struct {
            ULONG_PTR ProviderId;
            PVOID DataPath;
            ULONG BufferSize;
            PVOID Buffer;
        } WMI;

        // Others - driver-specific
        struct {
            PVOID Argument1;
            PVOID Argument2;
            PVOID Argument3;
            PVOID Argument4;
        } Others;
    } Parameters;                               // 0x04

    // Save a pointer to this device driver's device object for this request
    // so it can be passed to the completion routine if needed.
    PDEVICE_OBJECT DeviceObject;                // 0x14

    // The following location contains a pointer to the file object for this
    // request.
    PFILE_OBJECT FileObject;                    // 0x18

    // The following routine is invoked depending on the flags in the above
    // flags field.
    PIO_COMPLETION_ROUTINE CompletionRoutine;   // 0x1c

    // The following is used to store the address of the context parameter
    // that should be passed to the CompletionRoutine.
    PVOID Context;                              // 0x20
} IO_STACK_LOCATION, *PIO_STACK_LOCATION;
驱动小牛
7楼#
发布于:2008-04-08 15:17
typedef struct _LIST_ENTRY {
struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink; }LIST_ENTRY,*PLIST_ENTRY; // // Doubly-linked list manipulation routines. Implemented as macros // but logically these are procedures. // // // VOID // InitializeListHead( // PLIST_ENTRY ListHead // ); // #define InitializeListHead(ListHead) (\ (ListHead)->Flink = (ListHead)->Blink = (ListHead)) // // BOOLEAN // IsListEmpty( // PLIST_ENTRY ListHead // ); // #define IsListEmpty(ListHead) \ ((ListHead)->Flink == (ListHead)) // // PLIST_ENTRY // RemoveHeadList( // PLIST_ENTRY ListHead // ); // #define RemoveHeadList(ListHead) \ (ListHead)->Flink;\ {RemoveEntryList((ListHead)->Flink)} // // PLIST_ENTRY // RemoveTailList( // PLIST_ENTRY ListHead // ); // #define RemoveTailList(ListHead) \ (ListHead)->Blink;\ {RemoveEntryList((ListHead)->Blink)} // // VOID // RemoveEntryList( // PLIST_ENTRY Entry // ); // #define RemoveEntryList(Entry) {\ PLIST_ENTRY _EX_Blink;\ PLIST_ENTRY _EX_Flink;\ _EX_Flink = (Entry)->Flink;\ _EX_Blink = (Entry)->Blink;\ _EX_Blink->Flink = _EX_Flink;\ _EX_Flink->Blink = _EX_Blink;\ } // // VOID // InsertTailList( // PLIST_ENTRY ListHead, // PLIST_ENTRY Entry // ); // #define InsertTailList(ListHead,Entry) {\ PLIST_ENTRY _EX_Blink;\ PLIST_ENTRY _EX_ListHead;\ _EX_ListHead = (ListHead);\ _EX_Blink = _EX_ListHead->Blink;\ (Entry)->Flink = _EX_ListHead;\ (Entry)->Blink = _EX_Blink;\ _EX_Blink->Flink = (Entry);\ _EX_ListHead->Blink = (Entry);\ } // // VOID // InsertHeadList( // PLIST_ENTRY ListHead, // PLIST_ENTRY Entry // ); // #define InsertHeadList(ListHead,Entry) {\ PLIST_ENTRY _EX_Flink;\ PLIST_ENTRY _EX_ListHead;\ _EX_ListHead = (ListHead);\ _EX_Flink = _EX_ListHead->Flink;\ (Entry)->Flink = _EX_Flink;\ (Entry)->Blink = _EX_ListHead;\ _EX_Flink->Blink = (Entry);\ _EX_ListHead->Flink = (Entry);\ } |
驱动小牛
8楼#
发布于:2008-04-13 09:21
// DRIVER_OBJECT, 32-bit x86 layout as given in the post (byte offsets in
// comments; x64 differs — confirm with WinDbg `dt nt!_DRIVER_OBJECT`).
typedef struct _DRIVER_OBJECT {
    CSHORT Type;                                // 0x00
    CSHORT Size;                                // 0x02
    PDEVICE_OBJECT DeviceObject;                // 0x04
    ULONG Flags;                                // 0x08
    PVOID DriverStart;                          // 0x0c
    ULONG DriverSize;                           // 0x10
    PVOID DriverSection;                        // 0x14
    PDRIVER_EXTENSION DriverExtension;          // 0x18
    UNICODE_STRING DriverName;                  // 0x1c  (8 bytes on x86, see UNICODE_STRING above)
    PUNICODE_STRING HardwareDatabase;           // 0x24
    PFAST_IO_DISPATCH FastIoDispatch;           // 0x28
    PDRIVER_INITIALIZE DriverInit;              // 0x2c
    PDRIVER_STARTIO DriverStartIo;              // 0x30
    PDRIVER_UNLOAD DriverUnload;                // 0x34
    // Dispatch table indexed by IRP major function code; entry i is at
    // 0x38 + 4*i on x86. Unexpected writes to this table are a classic
    // thing to look for when reviewing a driver's behaviour.
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];    // 0x38
} DRIVER_OBJECT;
驱动小牛
9楼#
发布于:2008-05-08 17:04
// DEVICE_CAPABILITIES, 32-bit x86 layout as given in the post (byte offsets
// in comments).
typedef struct _DEVICE_CAPABILITIES {
    USHORT Size;                                // 0x00
    USHORT Version;                             // 0x02  the version documented here is version 1
    // Bit flags: the post notes these occupy 0x04 up to 0x08 (one ULONG).
    ULONG DeviceD1:1;
    ULONG DeviceD2:1;
    ULONG LockSupported:1;
    ULONG EjectSupported:1;                     // Ejectable in S0
    ULONG Removable:1;
    ULONG DockDevice:1;
    ULONG UniqueID:1;
    ULONG SilentInstall:1;
    ULONG RawDeviceOK:1;
    ULONG SurpriseRemovalOK:1;
    ULONG WakeFromD0:1;
    ULONG WakeFromD1:1;
    ULONG WakeFromD2:1;
    ULONG WakeFromD3:1;
    ULONG HardwareDisabled:1;
    ULONG NonDynamic:1;
    ULONG WarmEjectSupported:1;
    ULONG NoDisplayInUI:1;
    ULONG Reserved:14;
    ULONG Address;                              // 0x08
    ULONG UINumber;                             // 0x0c
    // Post's arrow ("0x10 --->") marks that the array runs from 0x10 up to
    // SystemWake at 0x2c, i.e. PowerSystemMaximum entries of 4 bytes each
    // (0x1c bytes, so 7 entries — inferred from the offsets given).
    DEVICE_POWER_STATE DeviceState[PowerSystemMaximum];     // 0x10
    SYSTEM_POWER_STATE SystemWake;              // 0x2c
    DEVICE_POWER_STATE DeviceWake;              // 0x30
    ULONG D1Latency;                            // 0x34
    ULONG D2Latency;                            // 0x38
    ULONG D3Latency;                            // 0x3c
} DEVICE_CAPABILITIES, *PDEVICE_CAPABILITIES;
10楼#
发布于:2008-06-04 11:33
怎么有人跟我干一样的事……我是偷偷地干，你还发到网上了。说实话，这样是不是很笨……
驱动小牛
11楼#
发布于:2008-06-04 16:06
有更好的办法吗？我觉得这样虽然繁琐，但也别无他法，静态反汇编有了这些方便许多。