How to test drivers?

If I have some WDM drivers and I dont have the source code!!

Can I use API:Setupxxx to communiate with some hardwares?
like Read/Write to the hardware's buffers.

thx

你必须知道相应的IOCTL码，或设备是否支持ReadFile/WriteFile。

if your wdm driver use guid,before you use setupxxx api,you must kown its guid, there is a way to get it:
1.you'd have the ida(the deasssemble tool)
   use ida to open your wdm driver(xxx.sys),serch the text IoRegisterDeviceInterface :
lea     eax, [ebp+var_C]
.text:00010550                 push    eax
.text:00010551                 push    esi
.text:00010552                 push    offset unk_16B98
.text:00010557                 push    dword ptr [ebx+8]
.text:0001055A                 call    ds:IoRegisterDeviceInterface
.text:00010560                 test    eax, eax
.text:00010562                 jl      short loc_10591

 you can see the instruction :push offset unk_16B98
unk_16B98 is the address of guid;double click unk_16B98,you can get the guid:

 unk_16B98       db 0E4h ; ?            ; DATA XREF: sub_10444+10Eo
.rdata:00016B99                 db  3Dh ; =
.rdata:00016B9A                 db 0D7h ; ?
.rdata:00016B9B                 db 0D8h ; ?
.rdata:00016B9C                 db 0E1h ; ?
.rdata:00016B9D                 db 0B1h ; ?
.rdata:00016B9E                 db 0E6h ; ?
.rdata:00016B9F                 db  47h ; G
.rdata:00016BA0                 db 0B2h ; ?
.rdata:00016BA1                 db  22h ; "
.rdata:00016BA2                 db  50h ; P
.rdata:00016BA3                 db  53h ; S
.rdata:00016BA4                 db  6Ah ; j
.rdata:00016BA5                 db  99h ; ?
.rdata:00016BA6                 db  40h ; @
.rdata:00016BA7                 db  9Dh ; ?
 you can get the 16 bytes guid:E43DD7D8E1B1E647B22250536A99409
 
to get IoControlCode:

in the DriverEntry(press crtl+E):you can get the read/write/DeviceIoControl/Pnp/AddDevice dispatch:

 mov     eax, [esp+arg_0]; driverobject
mov     ecx, offset loc_12D30;read/write dispatch
mov     ecx, [eax+18h]
.text:0001031F                 mov     dword ptr [eax+38h], offset loc_12D16;create dispatch
.text:00010326                 mov     dword ptr [eax+40h], offset loc_12D16;close dispatch
.text:0001032D                 mov     dword ptr [eax+34h], offset nullsub_1;unload dispatch
.text:00010334                 mov     dword ptr [ecx+4], offset sub_10444; adddevice dispatch
.text:0001033B                 mov     dword ptr [eax+70h], offset loc_11D72;DeviceIoControl dispatch
.text:00010342                 mov     dword ptr [eax+74h], offset sub_1270E;internaldevicedispatch/scsi dispatch
.text:00010349                 mov     dword ptr [eax+30h], offset sub_12502; startio dispatch
.text:00010350                 mov     dword ptr [eax+90h], offset loc_11980;  power dispatch
.text:0001035A                 mov     dword ptr [eax+94h], offset loc_105C4; systemcontrol dispatch
.text:00010364                 mov     dword ptr [eax+0A4h], offset loc_10608;pnp dispatch

double click loc_11D72, you can go to the deviceIocontrol dispatch.
in this dispatch :
 you can get the alike instruction:
     mov eax,[ebp+arg_4]; to get the IRP
     mov edi,[eax+60]; get irpstacklocation(the api:IoGetCurrentIrpStackLocation )
     mov eax,[edi+0Ch];get the iodevicecode
     cmp     eax, 95002540h; 95002540h is a iodevicecode;
youcan get the other devicecode;

but is diffcult to get the stuct that is sent from the app by DeviceIoControl(you need to analyse it).

if there isn't read/write dispatch in the DriverEntry, your testing program doesn't call readfile/writefile