Straight to the code. The earlier part of DriverEntry, which checks the two variables InitSafeBootMode and KdDebuggerEnabled, is not pasted here, and there may also be some string handling (I did not quite understand it). Below is part of DriverEntry:
.text:00010632 test eax, eax
.text:00010634 jnz short loc_10667
.text:00010636 lea edi, [ebp+var_20] ;DeviceObject
.text:00010639 mov esi, [ebp+DriverObject]
.text:0001063C call sub_10DB0 ;**
.text:00010641 test eax, eax
.text:00010643 jnz short loc_10667
.text:00010645 mov ecx, [esi+18h]
.text:00010648 mov dword ptr [ecx+4], offset sub_10450
.text:0001064F push eax ; Context
.text:00010650 push offset DriverReinitializationRoutine ; DriverReinitializationRoutine
.text:00010655 push esi ; DriverObject
.text:00010656 call ds:IoRegisterDriverReinitialization
var_20 (DeviceObject, the device object) and DriverObject (the driver object) are the two values used inside sub_10db0.
.text:00010DB0 sub esp, 8
.text:00010DB3 push offset word_15274 ; SourceString
.text:00010DB8 lea eax, [esp+0Ch+DestinationString]
.text:00010DBC push eax ; DestinationString
.text:00010DBD call ds:RtlInitUnicodeString
.text:00010DC3 push edi ; DeviceObject
.text:00010DC4 push 0 ; Exclusive
.text:00010DC6 push 100h ; DeviceCharacteristics
.text:00010DCB push 22h ; DeviceType
.text:00010DCD lea ecx, [esp+18h+DestinationString]
.text:00010DD1 push ecx ; DeviceName
.text:00010DD2 push 0 ; DeviceExtensionSize
.text:00010DD4 push esi ; DriverObject
.text:00010DD5 call ds:IoCreateDevice
.text:00010DDB test eax, eax
.text:00010DDD jnz loc_10E63
.text:00010DE3 mov ecx, offset sub_10CE0
.text:00010DE8 mov [esi+38h], ecx
.text:00010DEB mov [esi+3Ch], ecx
.text:00010DEE mov [esi+40h], ecx
.text:00010DF1 mov [esi+44h], ecx
.text:00010DF4 mov [esi+48h], ecx
.text:00010DF7 mov [esi+4Ch], ecx
.text:00010DFA mov [esi+50h], ecx
.text:00010DFD mov [esi+54h], ecx
.text:00010E00 mov [esi+58h], ecx
.text:00010E03 mov [esi+5Ch], ecx
.text:00010E06 mov [esi+60h], ecx
.text:00010E09 mov [esi+64h], ecx
.text:00010E0C mov [esi+68h], ecx
.text:00010E0F mov [esi+6Ch], ecx
.text:00010E12 mov [esi+70h], ecx
.text:00010E15 mov [esi+74h], ecx
.text:00010E18 mov [esi+78h], ecx
.text:00010E1B mov [esi+7Ch], ecx
.text:00010E1E mov [esi+80h], ecx
.text:00010E24 mov [esi+84h], ecx
.text:00010E2A mov [esi+88h], ecx
.text:00010E30 mov [esi+8Ch], ecx
.text:00010E36 mov [esi+90h], ecx
.text:00010E3C mov [esi+94h], ecx
.text:00010E42 mov [esi+98h], ecx
.text:00010E48 mov [esi+9Ch], ecx
.text:00010E4E mov [esi+0A0h], ecx
.text:00010E54 mov [esi+0A4h], ecx
.text:00010E5A mov ecx, [edi]
.text:00010E5C and dword ptr [ecx+1Ch], 0FFFFFF7Fh
Equivalent to:
/*
(**from windows ddk**)
NTSTATUS
IoCreateDevice(
IN PDRIVER_OBJECT DriverObject,
IN ULONG DeviceExtensionSize,
IN PUNICODE_STRING DeviceName OPTIONAL,
IN DEVICE_TYPE DeviceType,
IN ULONG DeviceCharacteristics,
IN BOOLEAN Exclusive,
OUT PDEVICE_OBJECT *DeviceObject // output parameter
);
*/
RtlInitUnicodeString(&DestinationString, word_15274); // device name built from word_15274
status = IoCreateDevice(DriverObject, 0, &DestinationString, FILE_DEVICE_UNKNOWN /* 0x22 */,
                        FILE_DEVICE_SECURE_OPEN /* 0x100 */, FALSE, &DeviceObject);
if (STATUS_SUCCESS != status) // jnz loc_10E63 is taken when eax != 0, i.e. on failure
{
    goto loc_10E63;
}
// [esi+38h] .. [esi+0A4h] is the whole MajorFunction[] array of DRIVER_OBJECT (28 entries)
for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
{
    DriverObject->MajorFunction[i] = sub_10CE0; // one dispatch routine for every IRP_MJ code
}
DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING; // and dword ptr [ecx+1Ch], 0FFFFFF7Fh
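As an added analyst helper (not code from the original post), the following Python decodes the run of `mov [esi+XXh], ecx` stores above into IRP_MJ_* names, lists the dispatch codes a listing leaves unassigned, and names the DEVICE_OBJECT flag cleared by the `and [ecx+1Ch], 0FFFFFF7Fh`. It assumes the 32-bit DRIVER_OBJECT layout (MajorFunction[] at offset 0x38), which the page does not state explicitly; the embedded sample listing is a constructed subset of the lines quoted above.

```python
import re

# Assumed 32-bit DRIVER_OBJECT layout: MajorFunction[] at 0x38, one 4-byte slot per IRP_MJ code (0x38..0xA4).
MAJOR_FUNCTION_OFFSET = 0x38
IRP_MJ_NAMES = [
    "CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE", "QUERY_INFORMATION",
    "SET_INFORMATION", "QUERY_EA", "SET_EA", "FLUSH_BUFFERS", "QUERY_VOLUME_INFORMATION",
    "SET_VOLUME_INFORMATION", "DIRECTORY_CONTROL", "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL",
    "INTERNAL_DEVICE_CONTROL", "SHUTDOWN", "LOCK_CONTROL", "CLEANUP", "CREATE_MAILSLOT",
    "QUERY_SECURITY", "SET_SECURITY", "POWER", "SYSTEM_CONTROL", "DEVICE_CHANGE",
    "QUERY_QUOTA", "SET_QUOTA", "PNP",
]
# DEVICE_OBJECT.Flags bits (Flags sits at offset 0x1C on 32-bit); only the ones needed here.
DEVICE_FLAG_NAMES = {0x4: "DO_BUFFERED_IO", 0x10: "DO_DIRECT_IO", 0x80: "DO_DEVICE_INITIALIZING"}

_LOAD = re.compile(r"mov\s+ecx,\s*offset\s+(\w+)")             # mov ecx, offset sub_10CE0
_STORE = re.compile(r"mov\s+\[esi\+([0-9A-Fa-f]+)h\],\s*ecx")  # mov [esi+38h], ecx

def map_major_functions(listing):
    """Return {IRP_MJ_<name>: handler} for every MajorFunction slot the listing writes."""
    handler, table = None, {}
    for line in listing.splitlines():
        m = _LOAD.search(line)
        if m:
            handler = m.group(1)  # ecx now holds this routine's address
            continue
        m = _STORE.search(line)
        if m and handler is not None:
            slot = int(m.group(1), 16) - MAJOR_FUNCTION_OFFSET
            if slot % 4 == 0 and 0 <= slot // 4 < len(IRP_MJ_NAMES):
                table["IRP_MJ_" + IRP_MJ_NAMES[slot // 4]] = handler
    return table

def unhandled_major_functions(table):
    """IRP_MJ codes the listing never assigns (those keep the I/O manager's default)."""
    return ["IRP_MJ_" + n for n in IRP_MJ_NAMES if "IRP_MJ_" + n not in table]

def cleared_device_flags(and_mask):
    """Names of the Flags bits cleared by 'and [DeviceObject+1Ch], and_mask'."""
    cleared = ~and_mask & 0xFFFFFFFF
    return [name for bit, name in sorted(DEVICE_FLAG_NAMES.items()) if cleared & bit]

# Constructed sample: a subset of the sub_10DB0 lines quoted above.
SAMPLE = """
.text:00010DE3 mov ecx, offset sub_10CE0
.text:00010DE8 mov [esi+38h], ecx
.text:00010E12 mov [esi+70h], ecx
.text:00010E54 mov [esi+0A4h], ecx
"""
```

Running it over the full listing above maps all 28 slots to sub_10CE0, which is what makes this driver's single catch-all dispatch routine the one place to inspect next.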
After sub_10db0 returns we are back in DriverEntry; continuing:
DriverObject->DriverExtension->AddDevice = sub_10450; // [esi+18h] is DriverExtension, [ecx+4] is AddDevice; from the name this is where devices get created
IoRegisterDriverReinitialization(DriverObject, DriverReinitializationRoutine, NULL /* Context: eax is 0 here, since the jnz above was not taken */);
/* (**from ddk**)
The IoRegisterDriverReinitialization routine is called by a driver during its initialization or reinitialization to register its Reinitialize routine to be called again before the driver's and, possibly the system's, initialization is complete. */
That is, the reinitialization routine (Reinitialization Routine) registered during driver initialization or reinitialization is run before the driver's own, and possibly the system's, initialization has completed (key point).
DriverReInitializationRoutine:
.text:0001040C mov edx, [ebp+DeviceObject]
.text:0001040F push edx ; DeviceObject
.text:00010410 call ds:IoAllocateWorkItem
.text:00010416 test eax, eax
.text:00010418 jz short loc_10434
.text:0001041A push eax ; Context
.text:0001041B push 1 ; QueueType
.text:0001041D push offset WorkerRoutine ; WorkerRoutine
.text:00010422 push eax ; IoWorkItem
.text:00010423 call ds:IoQueueWorkItem
Equivalent to:
PIO_WORKITEM WorkItem = IoAllocateWorkItem(DeviceObject);
if (WorkItem != NULL) // jz short loc_10434: nothing is queued if the allocation fails
{
    IoQueueWorkItem(WorkItem, WorkerRoutine, DelayedWorkQueue /* 1 */, WorkItem /* Context */);
}
WorkerRoutine calls other functions that do quite a bit of work; in the end it seems to record some file information, using an RTL_GENERIC_TABLE for storage.
/*(from ddk)
File systems call RtlInitializeGenericTable to initialize a generic table to store file system-specific data, such as name-lookup information for currently open files. The sort order, structure, and contents of the elements are caller-defined.
*/
That is, a file system calls RtlInitializeGenericTable to initialize a table that holds file-system-specific data (my translation of "file system-specific data" is not precise), such as name-lookup information for currently open files. The sort order, structure and contents of the elements in this table are defined by the caller.