实验环境: VMware + Windows XP SP3 (x86, 32 位; 下文地址、系统调用号均只对此版本有效)
在 R3 的 DeviceIoControl 调用处, 以及 R0 自己驱动的 IRP_MJ_DEVICE_CONTROL 派遣例程(本例为 LsNtDrv!DisPatchDeviceControl)处, 各下一个 WinDbg 断点
从 R3 断点处用 t 命令单步直到 sysenter, 可以看到 R3 侧的处理流程
R3
填好 DeviceIoControl 参数后, 调用链如下:
=> kernel32!DeviceIoControl
=> ntdll!ZwDeviceIoControlFile ///< mov eax,42h: 系统调用号(SSDT 索引), 下文用 KeServiceDescriptorTable 验证; 该值随 Windows 版本变化, 不要硬编码
=> ntdll!KiFastSystemCall ///< 经 SharedUserData!SystemCallStub (7ffe0300) 间接调用; mov edx,esp 保存用户栈指针
=> sysenter ///< 进入R0
当断在 R0 自己驱动的 DeviceIoControl 派遣例程时, 用 k/kv 查看调用栈(即文末的栈回溯), 可以看到 sysenter 进入 R0 后的处理流程
R3 返回地址 => ntdll!KiFastSystemCallRet ///< 注意: 这是陷阱帧中记录的用户态返回地址(栈帧 06, esp=0012fa30), 并不在 R0 执行
R0 => nt!KiFastCallEntry ///< 栈回溯中第一个内核态帧, sysenter 后的内核入口
=> nt!NtDeviceIoControlFile
=> nt!IopXxxControlFile
=> nt!IopSynchronousServiceTail
=> nt!IopfCallDriver
=> LsNtDrv!DisPatchDeviceControl ///< 进入自己的驱动
kd> dd KeServiceDescriptorTable
80553fa0 80502b8c 00000000 0000011c 80503000
80553fb0 00000000 00000000 00000000 00000000
80553fc0 00000000 00000000 00000000 00000000
80553fd0 00000000 00000000 00000000 00000000
80553fe0 00002710 bf80c0b6 00000000 00000000
80553ff0 f7ac2a80 f7249b60 8619c0f0 806e2f40
80554000 00000000 00000000 2a8d70b4 00000000
80554010 e70c1c74 01cecc93 00000000 00000000
kd> dd (80502b8c + 4 * 42h)
80502c94 8056f442 8060a0ce 805b484e 805e4062
80502ca4 8060db50 8061bac6 8060db34 8061bd30
80502cb4 805aa126 805e420e 8060d068 8056cee8
80502cc4 805ace38 8061bf9a 805a2ab8 805acdda
80502cd4 805ac94a 805a9400 8056f476 805c871a
80502ce4 805bf4d8 8058f588 8051e9a2 805efd1c
80502cf4 8059b492 805cea5c 806193dc 805bf2be
80502d04 805cc484 805bf4c4 8059b69e 8057a588
kd> u 8056f442
nt!NtDeviceIoControlFile:
8056f442 8bff mov edi,edi
8056f444 55 push ebp
8056f445 8bec mov ebp,esp
kd> t
kernel32!DeviceIoControl:
001b:7c801629 6a14 push 14h
kd> t
kernel32!DeviceIoControl+0x2:
001b:7c80162b 68400b817c push offset kernel32!`string'+0x44 (7c810b40)
kd> t
kernel32!DeviceIoControl+0x7:
001b:7c801630 e8a10e0000 call kernel32!_SEH_prolog (7c8024d6)
kd> t
kernel32!_SEH_prolog:
001b:7c8024d6 68c09a837c push offset kernel32!_except_handler3 (7c839ac0)
kd> t
kernel32!_SEH_prolog+0x5:
001b:7c8024db 64a100000000 mov eax,dword ptr fs:[00000000h]
kd> t
kernel32!_SEH_prolog+0xb:
001b:7c8024e1 50 push eax
kd> t
kernel32!_SEH_prolog+0xc:
001b:7c8024e2 8b442410 mov eax,dword ptr [esp+10h]
kd> t
kernel32!_SEH_prolog+0x10:
001b:7c8024e6 896c2410 mov dword ptr [esp+10h],ebp
kd> t
kernel32!_SEH_prolog+0x14:
001b:7c8024ea 8d6c2410 lea ebp,[esp+10h]
kd> t
kernel32!_SEH_prolog+0x18:
001b:7c8024ee 2be0 sub esp,eax
kd> t
kernel32!_SEH_prolog+0x1a:
001b:7c8024f0 53 push ebx
kd> t
kernel32!_SEH_prolog+0x1b:
001b:7c8024f1 56 push esi
kd> t
kernel32!_SEH_prolog+0x1c:
001b:7c8024f2 57 push edi
kd> t
kernel32!_SEH_prolog+0x1d:
001b:7c8024f3 8b45f8 mov eax,dword ptr [ebp-8]
kd> t
kernel32!_SEH_prolog+0x20:
001b:7c8024f6 8965e8 mov dword ptr [ebp-18h],esp
kd> t
kernel32!_SEH_prolog+0x23:
001b:7c8024f9 50 push eax
kd> t
kernel32!_SEH_prolog+0x24:
001b:7c8024fa 8b45fc mov eax,dword ptr [ebp-4]
kd> t
kernel32!_SEH_prolog+0x27:
001b:7c8024fd c745fcffffffff mov dword ptr [ebp-4],0FFFFFFFFh
kd> t
kernel32!_SEH_prolog+0x2e:
001b:7c802504 8945f8 mov dword ptr [ebp-8],eax
kd> t
kernel32!_SEH_prolog+0x31:
001b:7c802507 8d45f0 lea eax,[ebp-10h]
kd> t
kernel32!_SEH_prolog+0x34:
001b:7c80250a 64a300000000 mov dword ptr fs:[00000000h],eax
kd> t
kernel32!_SEH_prolog+0x3a:
001b:7c802510 c3 ret
kd> t
kernel32!DeviceIoControl+0xc:
001b:7c801635 8b4d0c mov ecx,dword ptr [ebp+0Ch]
kd> t
kernel32!DeviceIoControl+0xf:
001b:7c801638 8bc1 mov eax,ecx
kd> t
kernel32!DeviceIoControl+0x11:
001b:7c80163a 250000ffff and eax,0FFFF0000h
kd> t
kernel32!DeviceIoControl+0x16:
001b:7c80163f 3d00000900 cmp eax,90000h
kd> t
kernel32!DeviceIoControl+0x1b:
001b:7c801644 0f95c0 setne al
kd> t
kernel32!DeviceIoControl+0x1e:
001b:7c801647 8b7524 mov esi,dword ptr [ebp+24h]
kd> t
kernel32!DeviceIoControl+0x21:
001b:7c80164a 33db xor ebx,ebx
kd> t
kernel32!DeviceIoControl+0x23:
001b:7c80164c ff751c push dword ptr [ebp+1Ch]
kd> t
kernel32!DeviceIoControl+0x26:
001b:7c80164f ff7518 push dword ptr [ebp+18h]
kd> t
kernel32!DeviceIoControl+0x29:
001b:7c801652 ff7514 push dword ptr [ebp+14h]
kd> t
kernel32!DeviceIoControl+0x2c:
001b:7c801655 ff7510 push dword ptr [ebp+10h]
kd> t
kernel32!DeviceIoControl+0x2f:
001b:7c801658 51 push ecx
kd> t
kernel32!DeviceIoControl+0x30:
001b:7c801659 3bf3 cmp esi,ebx
kd> t
kernel32!DeviceIoControl+0x32:
001b:7c80165b 753e jne kernel32!DeviceIoControl+0x38 (7c80169b)
kd> t
kernel32!DeviceIoControl+0xc1:
001b:7c80165d 3ac3 cmp al,bl
kd> t
kernel32!DeviceIoControl+0xc3:
001b:7c80165f 8d45dc lea eax,[ebp-24h]
kd> t
kernel32!DeviceIoControl+0xc6:
001b:7c801662 50 push eax
kd> t
kernel32!DeviceIoControl+0xc7:
001b:7c801663 53 push ebx
kd> t
kernel32!DeviceIoControl+0xc8:
001b:7c801664 53 push ebx
kd> t
kernel32!DeviceIoControl+0xc9:
001b:7c801665 53 push ebx
kd> t
kernel32!DeviceIoControl+0xca:
001b:7c801666 ff7508 push dword ptr [ebp+8]
kd> t
kernel32!DeviceIoControl+0xcd:
001b:7c801669 0f84d8000000 je kernel32!DeviceIoControl+0xd7 (7c801747)
kd> t
kernel32!DeviceIoControl+0xcf:
001b:7c80166f ff153810807c call dword ptr [kernel32!_imp__NtDeviceIoControlFile (7c801038)]
kd> t
ntdll!ZwDeviceIoControlFile:
001b:7c92d260 b842000000 mov eax,42h
kd> t
ntdll!NtDeviceIoControlFile+0x5:
001b:7c92d265 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
kd> t
ntdll!NtDeviceIoControlFile+0xa:
001b:7c92d26a ff12 call dword ptr [edx]
kd> t
ntdll!KiFastSystemCall:
001b:7c92e4f0 8bd4 mov edx,esp
kd> t
ntdll!KiFastSystemCall+0x2:
001b:7c92e4f2 0f34 sysenter ///< R3 侧到此结束, 下一条执行的是内核态的 nt!KiFastCallEntry(见下方栈回溯帧 05)
00 ee3d3c34 804ef119 8602d460 86061008 806d32d0 LsNtDrv!DisPatchDeviceControl+0x83 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\lsworkdir\demo\srcbhowebpageautofill\prj\lsntdrv\lsntdrv.c @ 98]
01 ee3d3c44 80575d5e 86061078 860ae718 86061008 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
02 ee3d3c58 80576bff 8602d460 86061008 860ae718 nt!IopSynchronousServiceTail+0x70 (FPO: [Non-Fpo])
03 ee3d3d00 8056f46c 000000fc 00000000 00000000 nt!IopXxxControlFile+0x5e7 (FPO: [Non-Fpo])
04 ee3d3d34 8053e638 000000fc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])
05 ee3d3d34 7c92e4f4 000000fc 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ ee3d3d64)
06 0012fa30 7c92d26c 7c801675 000000fc 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
07 0012fa34 7c801675 000000fc 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc (FPO: [10,0,0])