Friday, June 17, 2011

[Windows]dbg

cheating sheet ntsd: user mode debugger
kd: kernel mode debugger
windbg: GUI wrapp for ntsd and kd

最基本命令
.hh: 查看help
k: show call stack
r: show register
Q: quit dbg
bp: set breakpoint
  • bp foo!main
  • bp `source.c:31`
  • ba: set data breakpoint

p: step
pc: step to next call


kb: Dump the stack with Params
kn: Dump the stack with Frame #
kd: Dump stack dissassembly
~#s: Change to thread (Example: ~3s)
dd # - Dump the data (Example: dd 01f056548)
bl: list breakpoints
bd: disable breakpoint
bc: remove breakpoint
lm: system modules
x foo!*: 查看所有module foo的symbol
.sympath: 查看当前sympath
!sympath+“\\your_computer\path\to\your\pdb”: 添加路径到sympath中
!sym noisy/quiet: Generate verbose output from symbol loader
.srcpath: 查看当前srcpath
!srcpath+"\\your_computer\path\to\your\pdb": 添加路径到srcpath中



Kernel Mode Extension
!symfix: 碰到说nt symbols are incorrect please fix的时候运行
!reload: 重新读入symbols 包括kernel symbols, private symbols, user symbols.
!reload foo.sys: 重新读入foo.sys这个driver的symbols
!process: 查看所有进程
!process 0 0 myprocess.exe: 查看叫myprocess.exe的进程
!thread: 查看所有线程
!driveinfo: 驱动信息
!irp: IRP
!irpfind


读取symbol
!symfix
!reload
Connected to Windows 7 7601 x64 target at (Tue Jun 21 13:22:28.221 2011 (UTC - 7:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
............................
Loading User Symbols
................................................................
.........................
Loading unloaded module list
..........
显示driver object (比如kbdclass)
!drvobj kbdclass
Driver object (fffffa8007370870) is for:
 \Driver\kbdclass
Driver Extension List: (id , addr)
显示driver object (比如kbdclass)的dispatch routines
!drvobj kbdclass 7
Driver object (fffffa8007370870) is for:
 \Driver\kbdclass
Driver Extension List: (id , addr)

Device Object list:
fffffa8007a31ce0  fffffa800743d6c0  

DriverEntry:   fffff8800440becc kbdclass!GsDriverEntry
DriverStartIo: 00000000 
DriverUnload:  00000000 
AddDevice:     fffff880044083b4 kbdclass!KeyboardAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      fffff88004401dd4 kbdclass!KeyboardClassCreate
[01] IRP_MJ_CREATE_NAMED_PIPE           fffff800034b58ac nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       fffff8800440217c kbdclass!KeyboardClassClose
[03] IRP_MJ_READ                        fffff88004402804 kbdclass!KeyboardClassRead
[04] IRP_MJ_WRITE                       fffff800034b58ac nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           fffff800034b58ac nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             fffff800034b58ac nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    fffff800034b58ac nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      fffff800034b58ac nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               fffff88004401ce0 kbdclass!KeyboardClassFlush
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    fffff800034b58ac nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      fffff800034b58ac nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           fffff800034b58ac nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         fffff800034b58ac nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              fffff88004408a40 kbdclass!KeyboardClassDeviceControl
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     fffff880044082b4 kbdclass!KeyboardClassPassThrough
[10] IRP_MJ_SHUTDOWN                    fffff800034b58ac nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                fffff800034b58ac nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     fffff88004401afc kbdclass!KeyboardClassCleanup
[13] IRP_MJ_CREATE_MAILSLOT             fffff800034b58ac nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              fffff800034b58ac nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                fffff800034b58ac nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       fffff88004409fd4 kbdclass!KeyboardClassPower
[17] IRP_MJ_SYSTEM_CONTROL              fffff8800440a364 kbdclass!KeyboardClassSystemControl
[18] IRP_MJ_DEVICE_CHANGE               fffff800034b58ac nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 fffff800034b58ac nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   fffff800034b58ac nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         fffff88004403368 kbdclass!KeyboardPnP

列出当前所有irp
!irpfind

Scanning large pool allocation table for Tag: Irp? (fffffa8005481000 : fffffa8005781000)

  Irp    [ Thread ] irpStack: (Mj,Mn)   DevObj  [Driver]         MDL Process
fffffa8007375930 [00000000] Irp is complete (CurrentLocation 4 > StackCount 3)
fffffa8004f19520 [00000000] Irp is complete (CurrentLocation 2 > StackCount 1) 0x0000000000000000
fffffa8007dcfe10 [fffffa80081438f0] irpStack: ( e,2d)  fffffa8006e6eb10 [ \Driver\AFD]
fffffa8007ecdbc0 [fffffa80088a9b60] irpStack: ( e, 0)  fffffa8006aa4da0 [ \Driver\Beep]
...

特别查看某个irp (比如地址是fffffa8007dcfe10的这个)
!irp fffffa8007dcfe10
Irp is active with 4 stacks 4 is current (= 0xfffffa8007dcffb8)
 No Mdl: System buffer=fffffa8008dc7d80: Thread fffffa80081438f0:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

   Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

   Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

   Args: 00000000 00000000 00000000 00000000
>[  e,2d]   5  1 fffffa8006e6eb10 fffffa80086bfa30 00000000-00000000    pending
        \Driver\AFD
   Args: fffffa80081844b0 fffffa80081844b0 fffff88003f03150 fffffa8007ecf810
最后一行显示出这个irp的major function是e 也就是IRP_MJ_DEVICE_CONTROL

查看namespace里\Driver里的内容:
!object \Driver
Object: fffff8a00008b7f0  Type: (fffffa8004e83a90) Directory
    ObjectHeader: fffff8a00008b7c0 (new version)
    HandleCount: 0  PointerCount: 107
    Directory Object: fffff8a000004dc0  Name: Driver

    Hash Address          Type          Name
    ---- -------          ----          ----
     00  fffffa8006fbae70 Driver        nvlddmkm
         fffffa80069eae70 Driver        fvevol
         fffffa8005d2e890 Driver        iaStorV
...

查看_DRIVER_OBJECT的结构
dt nt!_DRIVER_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x010 Flags            : Uint4B
   +0x018 DriverStart      : Ptr64 Void
   +0x020 DriverSize       : Uint4B
   +0x028 DriverSection    : Ptr64 Void
   +0x030 DriverExtension  : Ptr64 _DRIVER_EXTENSION
   +0x038 DriverName       : _UNICODE_STRING
   +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING
   +0x050 FastIoDispatch   : Ptr64 _FAST_IO_DISPATCH
   +0x058 DriverInit       : Ptr64     long 
   +0x060 DriverStartIo    : Ptr64     void 
   +0x068 DriverUnload     : Ptr64     void 
   +0x070 MajorFunction    : [28] Ptr64     long 

Tuesday, June 14, 2011

[Windows]cmd命令笔记

删除一个文件夹foo所有内容
rd foo /s

查看当前所有进程(类似ps)
tasklist

杀死一个进程(类似kill)
taskkill

查找文件中出现的字符串
findstr

5秒内关机并重启
shutdown -r -t 5

Monday, June 13, 2011

[Winodws]内核驱动笔记

占坑
背景知识

用户模式(User Mode):
内核模式(Kernel Mode):
Win32 API:

C++注意事项

微软官方的文档C++ for Kernel Mode Drivers: Pros and Cons
求摘要?看这里Advanced C++ features and Kernel-mode programming don't mix


cmd或者在(Start->Run)运行msinfo32,然后选"software environment"->"system drivers"可以看到当前系统里所有安装了的驱动

编译

source文件相当于Linux/Unix下的Makefile. 如何写一个source文件? 参见http://randomlearningnotes.wordpress.com/2009/04/20/using-wdkddk-build-environment-for-drivers-and-non-drivers/

build 命令相当于Linux/Unix下的make

build /c 把所有obj文件全部删除再编译

build的output很少, 详细信息可以参见编译时生成的.log,.wrn和.err文件

disable所有编译优化: 在source 文件中加设置环境变量
MSC_OPTIMIZATION=/Od /Oi

debugview是一个可以用来查看kernel debug输出信息的工具. 可以connect到local machine来查看本机的, 也可以连接到remote机器上. 后者的方法是先在remote的机器上运行debugview /c, 接着使用debugview在local机器上

常用API

信号量
KeWaitForSingleObject 阻塞当前线程直至信号变量(比如一个event object)被置成signaled
KeSetEvent 把一个event object设为signaled
KeResetEvent 把一个event object重置成not-signaled

文件操作:
ZwReadFile: Read data from the file.
ZwWriteFile: Write data to the file.
ZwQueryInformationFile: Read metadata for the file or file handle.
ZwSetInformationFile: Write metadata for the file or file handle.