As the title says: what do you do when the "!drvobj" command fails? I hit this while debugging the DDK sample driver wdffeatured; the symptoms were as follows:
    kd> lml
    start    end        module name
    8201e000 82082000   hal                     (private pdb symbols)   D:\symbols\win10Rs2x86\halmacpi.pdb\4E9BD9D216E244095545EAFA3EF6563F1\halmacpi.pdb
    82082000 82703000   nt                      (private pdb symbols)   D:\symbols\win10Rs2x86\ntkrpamp.pdb\70298DDA981447F18AE18C7DF819303A1\ntkrpamp.pdb
    85e60000 85f53000   mcupdate_GenuineIntel   (pdb symbols)           D:\symbols\win10Rs2x86\mcupdate_GenuineIntel.pdb\FB614FE599FDFA11D5E1125EEC6DF07A1\mcupdate_GenuineIntel.pdb
    a8220000 a822a000   wdffeatured             (private pdb symbols)   c:\winddk\windows-driver-samples-master\general\toaster\toastdrv\kmdf\func\featured\debug\wdffeatured.pdb
Don't suspect a symbol mismatch: lml states plainly that matching symbols are loaded. Unfortunately, the output of "!drvobj" was not what I hoped for (note that the address it used, a8220000, is the module's image base from lml, not a driver object):

    kd> !drvobj wdffeatured
    Driver object (a8220000) is for:
    a8220000: is not a driver object
At first I assumed WinDbg simply had poor support for 32-bit WDF drivers, and asked a colleague to help verify that guess; clearly, I guessed wrong. So what now? Try an indirect route: !wdfdriverinfo can display the driver's WDFDRIVER handle value:
    kd> !wdfkd.wdfdriverinfo wdffeatured
    ----------------------------------
    Default driver image name: wdffeatured
    WDF library image name:    Wdf01000
    FxDriverGlobals 0xa5bef778
    WdfBindInfo     0xa822404c
    Version         v1.15 build(0000)
    ----------------------------------
    WDFDRIVER: 0x4f59f678                     ;<--------- the handle value
    !WDFDEVICE 0x5a412d88 (FDO)
        Pnp/Power State: WdfDevStatePnpStarted, WdfDevStatePowerDx, WdfDevStatePwrPolWaitingUnarmed
        context: dt 0xa5bed400 FDO_DATA (size is 0x28 bytes)
        EvtCleanupCallback a8225380 wdffeatured!ToasterEvtDeviceContextCleanup
From the handle value, use !wdfhandle to obtain the framework object address:
    kd> !wdfhandle 0x4f59f678                 ;<---- the handle value obtained from !wdfdriverinfo in the previous step
    Dumping WDFHANDLE 0x4f59f678
    =============================
    Handle type is WDFDRIVER
    Refcount: 1
    Contexts:
      <no associated contexts or attribute callbacks>
    !wdfobject 0xb0a60980

    kd> !wdfobject 0xb0a60980                 ;<----- the FxDriver object address
    The type for object 0xb0a60980 is FxDriver
    State: FxObjectStateCreated (0x1)
    !wdfhandle 0x4f59f678
    dt FxDriver 0xb0a60980
    Contexts:
      <no associated contexts or attribute callbacks>
FxDriver stores a pointer to the Driver_Object, so it feels like we are very close to the goal:
    kd> dt FxDriver 0xb0a60980
    Wdf01000!FxDriver
       +0x044 m_DriverObject   : MxDriverObject            ; however you look at them, these two members are DriverEntry's parameters!
       +0x048 m_RegistryPath   : _UNICODE_STRING "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdffeatured"
FxDriver+0x44 holds the Driver_Object pointer. The address 0xb0a60980+0x44 itself is not the real Driver_Object, so one more memory read is needed to fetch the address:
    kd> dd 0xb0a60980+0x44 L4
    b0a609c4  8e54baf8 00780076 ae984c38 b5bc8801

    kd> dt MxDriverObject 8e54baf8
    Wdf01000!MxDriverObject
       +0x000 m_DriverObject   : 0x00a80004 _DRIVER_OBJECT
Finally we have the Driver_Object address, 0x8e54baf8 (and this address at least looks plausible). Try the !drvobj command again: the effort was not wasted, and the goal is reached by the roundabout route:
    kd> !drvobj 8e54baf8 7
    Driver object (8e54baf8) is for:
     \Driver\wdffeatured

    Driver Extension List: (id , addr)
    (862ecd8a a4a06068)
    Device Object list:
    b0a90390

    DriverEntry:   a82224e0  wdffeatured!FxDriverEntry
    DriverStartIo: 00000000
    DriverUnload:  a82225cc  wdffeatured!FxStubDriverUnload
    AddDevice:     862b09de  Wdf01000!FxDriver::AddDevice

    Dispatch routines:
    [00] IRP_MJ_CREATE                      862918a0  Wdf01000!FxDevice::DispatchWithLock
    [01] IRP_MJ_CREATE_NAMED_PIPE           862918a0  Wdf01000!FxDevice::DispatchWithLock
    [02] IRP_MJ_CLOSE                       862918a0  Wdf01000!FxDevice::DispatchWithLock
    [03] IRP_MJ_READ                        862918a0  Wdf01000!FxDevice::DispatchWithLock
    [04] IRP_MJ_WRITE                       862918a0  Wdf01000!FxDevice::DispatchWithLock
    [05] IRP_MJ_QUERY_INFORMATION           862918a0  Wdf01000!FxDevice::DispatchWithLock
    [06] IRP_MJ_SET_INFORMATION             862918a0  Wdf01000!FxDevice::DispatchWithLock
    [07] IRP_MJ_QUERY_EA                    862918a0  Wdf01000!FxDevice::DispatchWithLock
    [08] IRP_MJ_SET_EA                      862918a0  Wdf01000!FxDevice::DispatchWithLock
    [09] IRP_MJ_FLUSH_BUFFERS               862918a0  Wdf01000!FxDevice::DispatchWithLock
    [0a] IRP_MJ_QUERY_VOLUME_INFORMATION    862918a0  Wdf01000!FxDevice::DispatchWithLock
    [0b] IRP_MJ_SET_VOLUME_INFORMATION      862918a0  Wdf01000!FxDevice::DispatchWithLock
    [0c] IRP_MJ_DIRECTORY_CONTROL           862918a0  Wdf01000!FxDevice::DispatchWithLock
    [0d] IRP_MJ_FILE_SYSTEM_CONTROL         862918a0  Wdf01000!FxDevice::DispatchWithLock
    [0e] IRP_MJ_DEVICE_CONTROL              862918a0  Wdf01000!FxDevice::DispatchWithLock
    [0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     862918a0  Wdf01000!FxDevice::DispatchWithLock
    [10] IRP_MJ_SHUTDOWN                    862918a0  Wdf01000!FxDevice::DispatchWithLock
    [11] IRP_MJ_LOCK_CONTROL                862918a0  Wdf01000!FxDevice::DispatchWithLock
    [12] IRP_MJ_CLEANUP                     862918a0  Wdf01000!FxDevice::DispatchWithLock
    [13] IRP_MJ_CREATE_MAILSLOT             862918a0  Wdf01000!FxDevice::DispatchWithLock
    [14] IRP_MJ_QUERY_SECURITY              862918a0  Wdf01000!FxDevice::DispatchWithLock
    [15] IRP_MJ_SET_SECURITY                862918a0  Wdf01000!FxDevice::DispatchWithLock
    [16] IRP_MJ_POWER                       862918a0  Wdf01000!FxDevice::DispatchWithLock
    [17] IRP_MJ_SYSTEM_CONTROL              862918a0  Wdf01000!FxDevice::DispatchWithLock
    [18] IRP_MJ_DEVICE_CHANGE               862918a0  Wdf01000!FxDevice::DispatchWithLock
    [19] IRP_MJ_QUERY_QUOTA                 862918a0  Wdf01000!FxDevice::DispatchWithLock
    [1a] IRP_MJ_SET_QUOTA                   862918a0  Wdf01000!FxDevice::DispatchWithLock
    [1b] IRP_MJ_PNP                         862918a0  Wdf01000!FxDevice::DispatchWithLock
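As an added example (my own code, not from this post or the WDK), here is a small Python helper that automates the detour above: it pulls the WDFDRIVER handle out of !wdfdriverinfo output, the FxDriver address out of !wdfhandle output, reads m_DriverObject at FxDriver+0x44 from dd output, checks that the target starts with the Type/Size header of a 32-bit _DRIVER_OBJECT (the 0x00a80004 seen above), and emits the !drvobj command to run next. The sample outputs are constructed from the values quoted in this post; the 0x44 offset and the 0xa8 size are the x86 layout shown here and are assumed, not general, so they would differ on x64 or another Wdf01000 version.

```python
import re

# Constructed samples, abridged from the debugger output quoted in the post.
WDFDRIVERINFO_OUT = "kd> !wdfkd.wdfdriverinfo wdffeatured\nWDFDRIVER: 0x4f59f678\n!WDFDEVICE 0x5a412d88 (FDO)\n"
WDFHANDLE_OUT = "kd> !wdfhandle 0x4f59f678\nHandle type is WDFDRIVER\nRefcount: 1\n!wdfobject 0xb0a60980\n"
# First dd line is from the post; the second is constructed so that the dword at
# 8e54baf8 is the 0x00a80004 (Size 0xa8, Type 4) that `dt MxDriverObject` displayed.
DD_OUT = "b0a609c4 8e54baf8 00780076 ae984c38 b5bc8801\n8e54baf8 00a80004 b0a90390 00000000 a82224e0\n"
FXDRIVER_M_DRIVEROBJECT = 0x44   # offset printed by `dt FxDriver` (assumed: x86, Wdf01000 v1.15)
IO_TYPE_DRIVER, DRIVER_OBJECT_SIZE_X86 = 0x4, 0xa8   # header of a 32-bit _DRIVER_OBJECT

def _hex_after(pattern, text, what):
    # Pull the hex value that follows `pattern` at the start of a line of debugger output.
    m = re.search(pattern + r"\s*(0x[0-9a-f]+)", text, re.M | re.I)
    if not m:
        raise ValueError(f"debugger output has no {what}")
    return int(m.group(1), 16)

def parse_wdfdriver_handle(text):
    return _hex_after(r"^WDFDRIVER:", text, "WDFDRIVER handle")

def parse_fxdriver_address(text):
    if not re.search(r"^Handle type is WDFDRIVER$", text, re.M):
        raise ValueError("handle is not a WDFDRIVER")
    return _hex_after(r"^!wdfobject", text, "!wdfobject address")

def read_dword(dd_text, address):
    """Return the 32-bit value `dd` printed at `address` (column 0 of each line is its base)."""
    for line in dd_text.splitlines():
        base, *words = line.split()
        for i, w in enumerate(words):
            if int(base, 16) + 4 * i == address:
                return int(w, 16)
    raise KeyError(f"{address:#x} not present in dd output")

def resolve_driver_object(dd_text, fxdriver):
    """FxDriver -> m_DriverObject (an MxDriverObject holding the PDRIVER_OBJECT) -> checked pointer."""
    drvobj = read_dword(dd_text, fxdriver + FXDRIVER_M_DRIVEROBJECT)
    header = read_dword(dd_text, drvobj)   # _DRIVER_OBJECT starts with USHORT Type, USHORT Size
    if (header & 0xFFFF) != IO_TYPE_DRIVER or (header >> 16) != DRIVER_OBJECT_SIZE_X86:
        raise ValueError(f"{drvobj:#x} does not look like a _DRIVER_OBJECT")
    return drvobj

def drvobj_command(driverinfo_out, handle_out, dd_out):
    """Chain the three steps; !wdfhandle must have been run on the handle !wdfdriverinfo reported."""
    handle = parse_wdfdriver_handle(driverinfo_out)
    if f"!wdfhandle {handle:#x}" not in handle_out:
        raise ValueError("!wdfhandle output is for a different handle")
    drvobj = resolve_driver_object(dd_out, parse_fxdriver_address(handle_out))
    return f"!drvobj {drvobj:x} 7"
```

Feed it the text copied from the three commands and it returns "!drvobj 8e54baf8 7" for the session above; a pointer whose first dword is not Type 4 / Size 0xa8 is rejected instead of being passed to !drvobj.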
Preview of the next post:
It has been a long time since this WDF framework analysis was updated. I have not abandoned it; it is just that the WDFIOQUEUE in WDF drivers is genuinely complicated. Take note of the DISPATCH routines in the !drvobj output for wdffeatured above: they all wear the same uniform, Wdf01000!FxDevice::DispatchWithLock. That is an important link in analysing the IoQueue in the WDF framework, and it will be the subject of the next installment.