Finding MajorFunction in Ntfs.sys

This post walks through the entry code of the NTFS file-system driver in a live kernel debugging session (lkd). The disassembly below shows two things: Ntfs!GsDriverEntry first initialises the /GS stack cookie (replacing the default 0BB40h value with one derived from KeTickCount, and storing its complement in __security_cookie_complement) and then falls through into Ntfs!DriverEntry. DriverEntry calls IoCreateDevice and then fills in the DRIVER_OBJECT it received in esi: [esi+28h] is FastIoDispatch and the stores from [esi+38h] upward are the MajorFunction[] array, one IRP_MJ_* dispatch entry every four bytes, so this is where to look to find (or verify) the NtfsFsd* handlers that the I/O manager will call.

lkd> u ntfs!GsDriverEntry l 100
Ntfs!GsDriverEntry:
ba598184 8bff            mov     edi,edi
ba598186 55              push    ebp
ba598187 8bec            mov     ebp,esp
ba598189 a1d82553ba      mov     eax,dword ptr [Ntfs!__security_cookie (ba5325d8)]
ba59818e 85c0            test    eax,eax
ba598190 b940bb0000      mov     ecx,0BB40h
ba598195 7404            je      Ntfs!GsDriverEntry+0x17 (ba59819b)
ba598197 3bc1            cmp     eax,ecx
ba598199 7520            jne     Ntfs!GsDriverEntry+0x3a (ba5981bb)
ba59819b 8b1500ae52ba    mov     edx,dword ptr [Ntfs!_imp__KeTickCount (ba52ae00)]
ba5981a1 b8d82553ba      mov     eax,offset Ntfs!__security_cookie (ba5325d8)
ba5981a6 c1e808          shr     eax,8
ba5981a9 3302            xor     eax,dword ptr [edx]
ba5981ab 25ffff0000      and     eax,0FFFFh
ba5981b0 a3d82553ba      mov     dword ptr [Ntfs!__security_cookie (ba5325d8)],eax
ba5981b5 0f84aa120000    je      Ntfs!GsDriverEntry+0x33 (ba599465)
ba5981bb f7d0            not     eax
ba5981bd a3d42553ba      mov     dword ptr [Ntfs!__security_cookie_complement (ba5325d4)],eax
ba5981c2 5d              pop     ebp
ba5981c3 90              nop
ba5981c4 90              nop
ba5981c5 90              nop
ba5981c6 90              nop
ba5981c7 90              nop
Ntfs!DriverEntry:
ba5981c8 8bff            mov     edi,edi
ba5981ca 55              push    ebp
ba5981cb 8bec            mov     ebp,esp
ba5981cd 81ecc8000000    sub     esp,0C8h
ba5981d3 a1d82553ba      mov     eax,dword ptr [Ntfs!__security_cookie (ba5325d8)]
ba5981d8 53              push    ebx
ba5981d9 56              push    esi
...
ba598270 ff154cac52ba    call    dword ptr [Ntfs!_imp__IoCreateDevice (ba52ac4c)]
ba598276 3bc3            cmp     eax,ebx
ba598278 0f8cfb050000    jl      Ntfs!DriverEntry+0x854 (ba598879)
ba59827e c7467ca3ca58ba mov     dword ptr [esi+7Ch],offset Ntfs!NtfsFsdLockControl (ba58caa3)
ba598285 c74668bdaf53ba mov     dword ptr [esi+68h],offset Ntfs!NtfsFsdDirectoryControl (ba53afbd)
ba59828c c74650186651ba mov     dword ptr [esi+50h],offset Ntfs!NtfsFsdSetInformation (ba516618)
ba598293 c74638018c53ba mov     dword ptr [esi+38h],offset Ntfs!NtfsFsdCreate (ba538c01)
ba59829a c74640ea8053ba mov     dword ptr [esi+40h],offset Ntfs!NtfsFsdClose (ba5380ea)
ba5982a1 c746443b5f51ba mov     dword ptr [esi+44h],offset Ntfs!NtfsFsdRead (ba515f3b)
ba5982a8 c74648574b51ba mov     dword ptr [esi+48h],offset Ntfs!NtfsFsdWrite (ba514b57)
ba5982af c7465cc82e55ba mov     dword ptr [esi+5Ch],offset Ntfs!NtfsFsdFlushBuffers (ba552ec8)
ba5982b6 c7466c58d753ba mov     dword ptr [esi+6Ch],offset Ntfs!NtfsFsdFileSystemControl (ba53d758)
ba5982bd c78680000000b88a53ba mov dword ptr [esi+80h],offset Ntfs!NtfsFsdCleanup (ba538ab8)
ba5982c7 c74678af7552ba mov     dword ptr [esi+78h],offset Ntfs!NtfsFsdShutdown (ba5275af)
ba5982ce c786a4000000f05755ba mov dword ptr [esi+0A4h],offset Ntfs!NtfsFsdPnp (ba5557f0)
ba5982d8 c74628a02753ba mov     dword ptr [esi+28h],offset Ntfs!NtfsFastIoDispatch (ba5327a0)
ba5982df b8b99253ba      mov     eax,offset Ntfs!NtfsFsdDispatchWait (ba5392b9)
ba5982e4 89464c          mov     dword ptr [esi+4Ch],eax
ba5982e7 8986a0000000    mov     dword ptr [esi+0A0h],eax
ba5982ed 89869c000000    mov     dword ptr [esi+9Ch],eax
ba5982f3 894658          mov     dword ptr [esi+58h],eax
ba5982f6 894654          mov     dword ptr [esi+54h],eax
ba5982f9 b8049453ba      mov     eax,offset Ntfs!NtfsFsdDispatch (ba539404)
ba5982fe 894664          mov     dword ptr [esi+64h],eax
ba598301 894660          mov     dword ptr [esi+60h],eax
ba598304 89868c000000    mov     dword ptr [esi+8Ch],eax
ba59830a 898688000000    mov     dword ptr [esi+88h],eax
ba598310 894670          mov     dword ptr [esi+70h],eax
ba598313 a14cad52ba     mov     eax,dword ptr [Ntfs!_imp__FsRtlMdlReadCompleteDev (ba52ad4c)]
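The stores above are writes into the x86 DRIVER_OBJECT that DriverEntry received in esi. On 32-bit Windows, FastIoDispatch sits at offset 0x28 and the MajorFunction[] array starts at 0x38 with one 4-byte slot per IRP_MJ_* code, so [esi+38h] is IRP_MJ_CREATE, [esi+7Ch] is IRP_MJ_LOCK_CONTROL, [esi+0A4h] is IRP_MJ_PNP, and the five slots filled from eax after NtfsFsdDispatchWait was loaded are IRP_MJ_QUERY_INFORMATION, SET_QUOTA, QUERY_QUOTA, SET_EA and QUERY_EA. The C program below is an added example, not code from the post: it models the 32-bit DRIVER_OBJECT layout so the offsets come from offsetof() rather than being hard-coded, and decodes lines copied from the listing into field name and handler. The structure layout and IRP_MJ_* names are the public ones from wdm.h; the parsing of WinDbg's `u` output is this example's own and assumes the exact column format shown above.

```c
/* Added example (not from the original post): decode the DRIVER_OBJECT stores in the
 * Ntfs!DriverEntry listing into DRIVER_OBJECT fields and IRP_MJ_* indices. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1B

/* 32-bit (x86) DRIVER_OBJECT from wdm.h, modelled with fixed-width fields so that offsetof()
 * gives the displacements the listing uses ([esi+28h], [esi+38h], ...) even on a 64-bit host. */
typedef struct {
    uint16_t Type, Size;                               /* 0x00 */
    uint32_t DeviceObject;                             /* 0x04 */
    uint32_t Flags;                                    /* 0x08 */
    uint32_t DriverStart, DriverSize;                  /* 0x0C, 0x10: the driver's image range */
    uint32_t DriverSection, DriverExtension;           /* 0x14, 0x18 */
    struct { uint16_t Length, MaximumLength; uint32_t Buffer; } DriverName; /* 0x1C */
    uint32_t HardwareDatabase;                         /* 0x24 */
    uint32_t FastIoDispatch;                           /* 0x28: [esi+28h] = NtfsFastIoDispatch */
    uint32_t DriverInit, DriverStartIo, DriverUnload;  /* 0x2C, 0x30, 0x34 */
    uint32_t MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; /* 0x38: one slot per IRP_MJ_* code */
} DRIVER_OBJECT32;

static const char *const irp_mj_names[IRP_MJ_MAXIMUM_FUNCTION + 1] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ", "IRP_MJ_WRITE",
    "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION", "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA",
    "IRP_MJ_FLUSH_BUFFERS", "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CONTROL",
    "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN", "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP",
    "IRP_MJ_CREATE_MAILSLOT", "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA",
    "IRP_MJ_PNP",
};

/* Byte offset of MajorFunction[mj] in the 32-bit DRIVER_OBJECT: 0x38 + 4*mj. */
unsigned major_function_offset(int mj)
{
    return (unsigned)offsetof(DRIVER_OBJECT32, MajorFunction) + 4u * (unsigned)mj;
}

/* Pull XX out of the "[esi+XXh]" operand of a WinDbg line; 0 if there is no such operand. */
static int parse_esi_displacement(const char *line, unsigned *disp)
{
    const char *p = strstr(line, "[esi+");
    char *end;
    if (!p) return 0;
    *disp = (unsigned)strtoul(p + 5, &end, 16);
    return end != p + 5 && *end == 'h';
}

/* IRP_MJ_* index of the slot a line writes; -1 for the FastIoDispatch pointer;
 * -2 when the line does not store into a dispatch slot at all. */
int store_major(const char *line)
{
    unsigned disp, base = (unsigned)offsetof(DRIVER_OBJECT32, MajorFunction);
    if (!parse_esi_displacement(line, &disp)) return -2;
    if (disp == offsetof(DRIVER_OBJECT32, FastIoDispatch)) return -1;
    if (disp < base || (disp - base) % 4 != 0) return -2;
    unsigned mj = (disp - base) / 4;
    return mj <= IRP_MJ_MAXIMUM_FUNCTION ? (int)mj : -2;
}

/* Handler named on the line: the symbol after "offset Ntfs!", or "eax" when the routine was
 * loaded into eax first (the NtfsFsdDispatchWait / NtfsFsdDispatch groups in the listing). */
const char *store_handler(const char *line)
{
    static char sym[64];
    const char *p = strstr(line, "offset Ntfs!");
    if (!p) return strstr(line, "],eax") ? "eax" : "?";
    p += strlen("offset Ntfs!");
    size_t n = strcspn(p, " (");
    if (n >= sizeof sym) n = sizeof sym - 1;
    memcpy(sym, p, n);
    sym[n] = '\0';
    return sym;
}

int main(void)
{
    /* Lines copied verbatim from the Ntfs!DriverEntry listing in the post. */
    static const char *const listing[] = {
        "ba59827e c7467ca3ca58ba mov     dword ptr [esi+7Ch],offset Ntfs!NtfsFsdLockControl (ba58caa3)",
        "ba598293 c74638018c53ba mov     dword ptr [esi+38h],offset Ntfs!NtfsFsdCreate (ba538c01)",
        "ba5982ce c786a4000000f05755ba mov dword ptr [esi+0A4h],offset Ntfs!NtfsFsdPnp (ba5557f0)",
        "ba5982d8 c74628a02753ba mov     dword ptr [esi+28h],offset Ntfs!NtfsFastIoDispatch (ba5327a0)",
        "ba5982df b8b99253ba      mov     eax,offset Ntfs!NtfsFsdDispatchWait (ba5392b9)",
        "ba5982e4 89464c          mov     dword ptr [esi+4Ch],eax",
    };
    char in_eax[64] = "?";
    for (size_t i = 0; i < sizeof listing / sizeof *listing; i++) {
        int mj = store_major(listing[i]);
        const char *h = store_handler(listing[i]);
        if (mj == -2) {      /* not a dispatch store; remember what a "mov eax,offset ..." loaded */
            if (strstr(listing[i], " eax,offset ")) strcpy(in_eax, h);
            continue;
        }
        if (strcmp(h, "eax") == 0) h = in_eax;
        if (mj == -1) printf("[esi+%02Xh] FastIoDispatch <- %s\n",
                             (unsigned)offsetof(DRIVER_OBJECT32, FastIoDispatch), h);
        else printf("[esi+%02Xh] MajorFunction[0x%02X] %-30s <- %s\n",
                    major_function_offset(mj), mj, irp_mj_names[mj], h);
    }
    return 0;
}
```

The same table is what an IRP-hook check inspects: once `lm m ntfs` has given the image range (the DriverStart/DriverSize fields of the same DRIVER_OBJECT), every MajorFunction[] entry and the FastIoDispatch pointer of the Ntfs driver object should point inside it, as every handler stored by DriverEntry above does; an entry pointing anywhere else was rewritten after DriverEntry ran.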