来源：passthru.sys反汇编和源代码

一，导入的模块
二，模块要使用的函数
三，函数原型
四，文件中函数列表

有源代码，反汇编比源代码更简洁，特别是总揽方面，有优势。
有兴趣的话，可以把汇编和代码对应。我已经把函数内调用函数都罗列了。

////////////////////////////////////////////////

一，导入三个模块：
import Module:ntoskrnl.exe
              HAL.dll
              NDIS.SYS

//////////////////////////////////////////////

二，每个模块导出函数：
我们有函数名，就可以bp 模块！函数  下断了。
有的函数是被宏调用的，具体可以查看ndis.h中宏的定义。

ntoskrnl.exe:
KeBugCheckEx
KeTickCount
IoGetDeviceProperty
RtlCopyUnicodeString
RtlAppendUnicodeToString
IoCreateDevice
_vsnprint f
MmMapLockedPagesSpecifyCache
IoDeleteDevice
memcpy
IofCompleteRequest
memset
RtlInitUnicodeString
DbgPring
RtlAssert
RtlUnwind

HAL.dll:
KfReleaseSpinLock
KfAcquireSpinLock

接下来是重点了，ndis专用函数
NDIS.SYS:

NdisIMNotifyPnPEvent
NdisGetReceivedPacket
NdisDprAllocatePacket
NdisDprFreePacket
NdisDeregisterProtocol
NdisIMCancelInitializeDeviceInstance
NdisReEnumerateProtocolBindings
NdisFreeMemory
NdisOpenProtocolConfiguration
NdisReadConfiguration
NdisAllocateMemoryWithTag
NdisInitializeEvent
NdisAllocatePacketPoolEx
NdisPacketPoolUsage
NdisIMDeInitializeDeviceInstance
NdisCloseAdapter
NdisSetEvent
NdisMSetAttributesEx
NdisIMGetDeviceContext
NdisFreePacket
NdisIMCopySendCompletePerPacketInfo
NdisIMCopySendPerPacketInfo
NdisAllocatePacket
NdisIMGetCurrentPacketStack
NdisRequest
NdisMIndicateStatusComplete
NdisMIndicateStatus
NdisReturnPackets
NdisGetPoolFromPacket
NdisWaitEvent
NdisResetEvent
NdisCancelSendPackets
NdisFreePacketPool
NdisTerminateWrapper
NdisIMAssociateMiniport
NdisIMDeregisterLayeredMiniport
NdisRegisterProtocol
NdisMRegisterUnloadHandler
NdisIMRegisterLayeredMiniport
NdisInitializeWrapper
NdisMRegisterDevice
NdisMSleep
NdisMDeregisterDevice
NdisCloseConfiguration
NdisIMInitializeDeviceInstanceEx
NdisOpenAdapter

/////////////////////////////////////
三，函数原型：呵呵

NDIS_STATUS  NdisIMNotifyPnPEvent(    IN  NDIS_HANDLE  MiniportHandle,    IN  PNET_PNP_EVENT  NetPnPEvent    );

PNDIS_PACKET   NdisGetReceivedPacket(    IN PNDIS_HANDLE  NdisBindingHandle,    IN PNDIS_HANDLE  MacContext    );

VOID  NdisDprAllocatePacket(    OUT PNDIS_STATUS  Status,    OUT PNDIS_PACKET  *Packet,    IN NDIS_HANDLE  PoolHandle    );

VOID  NdisDprFreePacket(    IN PNDIS_PACKET  Packet    );

NDIS_STATUS   NdisIMCancelInitializeDeviceInstance(    IN NDIS_HANDLE  DriverHandle,    IN PNDIS_STRING  DeviceInstance    );

VOID  NdisReEnumerateProtocolBindings(    IN NDIS_HANDLE  NdisProtocolHandle    );

VOID  NdisFreeMemory(    IN PVOID  VirtualAddress,    IN UINT  Length,    IN UINT  MemoryFlags    );

VOID  NdisOpenProtocolConfiguration(    OUT PNDIS_STATUS  Status,    OUT PNDIS_HANDLE  ConfigurationHandle,    IN PNDIS_STRING  ProtocolSection    );

VOID  NdisReadConfiguration(    OUT PNDIS_STATUS  Status,    OUT PNDIS_CONFIGURATION_PARAMETER  *ParameterValue,    IN NDIS_HANDLE  ConfigurationHandle,    IN PNDIS_STRING  Keyword,    IN NDIS_PARAMETER_TYPE  ParameterType    );

NDIS_STATUS  NdisAllocateMemoryWithTag(    OUT PVOID  *VirtualAddress,    IN UINT  Length,    IN ULONG  Tag    );

VOID  NdisInitializeEvent(    IN PNDIS_EVENT  Event    );

VOID  NdisAllocatePacketPoolEx(    OUT PNDIS_STATUS  Status,    OUT PNDIS_HANDLE  PoolHandle,    IN UINT  NumberOfDescriptors,    IN UINT  NumberOfOverflowDescriptors,    IN UINT  ProtocolReservedLength    );

UINT  NdisPacketPoolUsage(    IN NDIS_HANDLE  PoolHandle    );

NDIS_STATUS  NdisIMDeInitializeDeviceInstance(    IN NDIS_HANDLE  NdisMiniportHandle    );

VOID  NdisCloseAdapter(    OUT PNDIS_STATUS  Status,    IN NDIS_HANDLE  NdisBindingHandle    );

VOID  NdisSetEvent(    IN PNDIS_EVENT  Event    );

VOID   NdisMSetAttributesEx(    IN NDIS_HANDLE MiniportAdapterHandle,    IN NDIS_HANDLE MiniportAdapterContext,    IN UINT  CheckForHangTimeInSeconds  OPTIONAL,    IN ULONG  AttributeFlags,    IN NDIS_INTERFACE_TYPE AdapterType    );

NDIS_HANDLE  NdisIMGetDeviceContext(    IN NDIS_HANDLE  MiniportAdapterHandle    );

VOID  NdisFreePacket(    IN PNDIS_PACKET  Packet    );

VOID  NdisIMCopySendCompletePerPacketInfo(    IN PNDIS_PACKET  DstPacket,    IN PNDIS_PACKET  SrcPacket    );

VOID  NdisIMCopySendPerPacketInfo(    IN PNDIS_PACKET  DstPacket,    IN PNDIS_PACKET  SrcPacket    );

VOID  NdisAllocatePacket(    OUT PNDIS_STATUS  Status,    OUT PNDIS_PACKET  *Packet,    IN NDIS_HANDLE  PoolHandle    );

PNDIS_PACKET_STACK  NdisIMGetCurrentPacketStack(    IN PNDIS_PACKET  Packet    OUT BOOLEAN  *StacksRemaining    );

VOID  NdisRequest(    OUT PNDIS_STATUS  Status,    IN NDIS_HANDLE  NdisBindingHandle,    IN PNDIS_REQUEST  NdisRequest    );

VOID   NdisMIndicateStatusComplete(    IN NDIS_HANDLE  MiniportAdapterHandle    );

VOID   NdisMIndicateStatus(    IN NDIS_HANDLE  MiniportAdapterHandle,    IN NDIS_STATUS  GeneralStatus,    IN PVOID  StatusBuffer,    IN UINT  StatusBufferSize    );

VOID  NdisReturnPackets(    IN PNDIS_PACKET  *PacketsToReturn,    IN UINT  NumberOfPackets    );

NDIS_Handle  NdisGetPoolFromPacket(    IN PNDIS_PACKET  Packet    );

BOOLEAN  NdisWaitEvent(    IN PNDIS_EVENT  Event,    IN UINT  MsToWait    );

VOID  NdisResetEvent(    IN PNDIS_EVENT  Event    );

VOID  NdisCancelSendPackets(    IN NDIS_HANDLE  NdisBindingHandle    IN PVOID  CancelId    );

VOID  NdisFreePacketPool(    IN NDIS_HANDLE  PoolHandle    );

VOID  NdisTerminateWrapper(    IN NDIS_HANDLE  NdisWrapperHandle,    IN PVOID  SystemSpecific    );

VOID  NdisIMAssociateMiniport(    IN NDIS_HANDLE  DriverHandle,    IN NDIS_HANDLE  ProtocolHandle    );

VOID   NdisIMDeregisterLayeredMiniport(    IN NDIS_HANDLE  DriverHandle    );

VOID  NdisRegisterProtocol(    OUT PNDIS_STATUS  Status,    OUT PNDIS_HANDLE  NdisProtocolHandle,    IN PNDIS_PROTOCOL_CHARACTERISTICS  ProtocolCharacteristics,    IN UINT  CharacteristicsLength    );

VOID  NdisMRegisterUnloadHandler(    IN NDIS_HANDLE  NdisWrapperHandle,    IN PDRIVER_UNLOAD  UnloadHandler    );

NDIS_STATUS  NdisIMRegisterLayeredMiniport(    IN NDIS_HANDLE  NdisWrapperHandle,    IN PNDIS_MINIPORT_CHARACTERISTICS  MiniportCharacteristics,    IN UINT  CharacteristicsLength,    OUT PNDIS_HANDLE  DriverHandle    );

NDIS_STATUS  NdisMRegisterDevice(    IN NDIS_HANDLE  NdisWrapperHandle,    IN PNDIS_STRING  DeviceName,    IN PNDIS_STRING  SymbolicName,    IN PDRIVER_DISPATCH  MajorFunctions[],    OUT PDEVICE_OBJECT  *pDeviceObject,    OUT NDIS_HANDLE  *NdisDeviceHandle    );

VOID  NdisMSleep(    IN ULONG  MicrosecondsToSleep    );

NDIS_STATUS  NdisMDeregisterDevice(    IN NDIS_HANDLE  NdisDeviceHandle    );

VOID  NdisCloseConfiguration(    IN NDIS_HANDLE  ConfigurationHandle    );

NDIS_STATUS  NdisIMInitializeDeviceInstanceEx(    IN NDIS_HANDLE  DriverHandle,    IN PNDIS_STRING  DriverInstance,    IN NDIS_HANDLE  DeviceContext  OPTIONAL    );

VOID  NdisOpenAdapter(    OUT PNDIS_STATUS  Status,    OUT PNDIS_STATUS  OpenErrorStatus,    OUT PNDIS_HANDLE  NdisBindingHandle,    OUT PUINT  SelectedMediumIndex,    IN PNDIS_MEDIUM  MediumArray,    IN UINT  MediumArraySize,    IN NDIS_HANDLE  NdisProtocolHandle,    IN NDIS_HANDLE  ProtocolBindingContext,    IN PNDIS_STRING  AdapterName,    IN UINT  OpenOptions,    IN PSTRING  AddressingInformation  OPTIONAL,    );

///////////////////////////////////////

四，文件中函数列表
常用的就不在函数内罗列了
NdisZeroMemory
NdisMoveMemory
NdisFreeMemory
NdisMSleep
NdisInitUnicodeString
NdisAcquireSpinLock
NdisReleaseSpinLock
NdisFreeSpinLock
 

1，passthru.c:
   DriverEntry
     其中大概用了下面这些：
     NdisAllocateSpinLock
     NdisMInitializeWrapper
     NdisIMRegisterLayeredMiniport
     NdisRegisterProtocol
     NdisIMAssociateMiniport
    

   PtRegisterDevice

     NdisMRegisterDevice
    
   PtDispatch
     IoGetCurrentIrpStackLocation
     IoCompleteRequest
    
   PtDeregisterDevice

    
   PtUnload
     PtUnloadProtocol
     NdisIMDeregisterLayeredMiniport

    
2，miniport.c
   MPInitialize
     NdisMSetAttributesEx
     PtRegisterDevice
     NdisSetEvent

   MPSend
     NdisIMGetCurrentPacketStack
     NdisSend
     NdisAllocatePacket
     NdisFreePacket
  
   MPSendPackets
     NdisMSendComplete
     NdisIMGetCurrentPacketStack
     NdisSend
     NdisAllocatePacket
     NdisGetPacketFlags
     NdisIMCopySendPerPacketInfo
    
   MPQueryInformation
     NdisRequest
     PtRequestComplete
    
   MPQueryPNPCapabilities
    
   MPSetInformation
     MPProcessSetPowerOid
    
   MPProcessSetPowerOid
     NdisMIndicateStatus
     NdisMIndicateStatusComplete
    
   MPReturnPacket
     NdisGetPoolFromPacket
     NdisReturnPackets
     NdisFreePacket
    
   MPTransferData
     IsIMDeviceStateOn
     NdisTransferData
     PtDeregisterDevice
     NdisResetEvent
     PtDereferenceAdapt
    
   MPCancelSendPackets
     NdisCancelSendPackets
    
   MPDevicePnPEvent
    
   MPAdapterShutdown
  
   MPFreeAllPacketPools
     NdisFreePacketPool
    
3，protocol.c
   PtBindAdapter
     NdisOpenProtocolConfiguration
     NdisReadConfiguration
     NdisAllocateMemoryWithTag
     NdisInitializeEvent
     NdisAllocatePacketPoolEx
     NdisOpenAdapter
     NdisWaitEvent
     PtReferenceAdapt
     NdisInitializeEvent
     NdisIMInitializeDeviceInstanceEx
     PtDereferenceAdapt
     NdisCloseConfiguration
     NdisCloseAdapter
    
   PtOpenAdapterComplete
     NdisSetEvent
    
   PtUnbindAdapter
     PtRequestComplete
     NdisIMCancelInitializeDeviceInstance
     NdisWaitEvent
     NdisIMDeInitializeDeviceInstance
     NdisResetEvent
     NdisCloseAdapter
     NdisWaitEvent
     MPFreeAllPacketPools     
  
   PtUnloadProtocol
     NdisDeregisterProtocol
     IoDeleteDevice
    
   PtCloseAdapterComplete
     NdisSetEvent
    
   PtResetComplete
    
   PtRequestComplete
     NdisMQueryInformationComplete
     NdisMSetInformationComplete
    
   PtStatus
     NdisMIndicateStatus
    
   PtStatusComplete
     NdisMIndicateStatusComplete
    
   PtSendComplete
     NdisGetPoolFromPacket
     NdisMSendComplete
     NdisDprFreePacket
    
   PtTransferDataComplete
     NdisMTransferDataComplete
    
   PtReceive
     NdisGetReceivedPacket
     NdisDprAllocatePacket
     NdisMIndicateReceivePacket
     NdisDprFreePacket
     NdisMEthIndicateReceive
     NdisMTrIndicateReceive
     NdisMFddiIndicateReceive
    
    
   PtReceiveComplete
     KeGetCurrentProcessorNumber
     NdisMTrIndicateReceiveComplete
     NdisMFddiIndicateReceiveComplete
    
    
   PtReceivePacket
     NdisIMGetCurrentPacketStack
     NdisMIndicateReceivePacket
     NdisDprFreePacket
    
   PtPNPHandler
     PtPnPNetEventSetPower
     PtPnPNetEventReconfigure
     NdisIMNotifyPnPEvent
    
   PtPnPNetEventReconfigure
     NdisReEnumerateProtocolBindings
     NdisIMNotifyPnPEvent
    
   PtPnPNetEventSetPower
     NdisIMNotifyPnPEvent
     PtRequestComplete
     NdisPacketPoolUsage
     NdisRequest
     PtRequestComplete
    
    
   PtReferenceAdapt
     MPFreeAllPacketPools

程序：bz6

以前的驱动程序简直毫无驱动的样子，现在用个稍微健全的例子：

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
 NTSTATUS status;
 
#if DBG
       _asm int 3
#endif

 driver->DriverUnload = DriverUnload;
 
 status = CreateDevice(driver);
 
 Dump(driver);
 
 return status;
}

CreateDevice(driver)是自定义函数，用来真正建立一个驱动设备。返回一个status，猜猜看，我们能不能在eax中读取返回值。

反汇编先：
kd> uf bz6!driverentry
bz6!DriverEntry [d:\mydriver\bz6\bz6.c @ 110]:
  110 f8428680 8bff            mov     edi,edi
  110 f8428682 55              push    ebp
  110 f8428683 8bec            mov     ebp,esp
  110 f8428685 51              push    ecx
  114 f8428686 cc              int     3
  121 f8428687 8b4508          mov     eax,dword ptr [ebp+8]
  121 f842868a c74034d08442f8  mov     dword ptr [eax+34h],offset bz6!DriverUnload (f84284d0)
  123 f8428691 8b4d08          mov     ecx,dword ptr [ebp+8]
  123 f8428694 51              push    ecx
  123 f8428695 e876fdffff      call    bz6!CreateDevice (f8428410)
  123 f842869a 8945fc          mov     dword ptr [ebp-4],eax
  125 f842869d 8b5508          mov     edx,dword ptr [ebp+8]
  125 f84286a0 52              push    edx
  125 f84286a1 e8aafeffff      call    bz6!Dump (f8428550)
  127 f84286a6 8b45fc          mov     eax,dword ptr [ebp-4]
  128 f84286a9 8be5            mov     esp,ebp
  128 f84286ab 5d              pop     ebp
  128 f84286ac c20800          ret     8

我们在源程序或Disassembly窗口在调用处F9下断，按g运行：

kd> g
Breakpoint 0 hit
bz6!DriverEntry+0x15:
f8428695 e876fdffff      call    bz6!CreateDevice (f8428410)
kd> d eax
81e64f38  04 00 a8 00 00 00 00 00-02 00 00 00 00 80 42 f8  ..............B.
81e64f48  00 0c 00 00 b8 f3 d5 81-e0 4f e6 81 16 00 16 00

没错，返回值是04。

Dump(driver)是显示driver和device的一个函数，里面有个循环。
我们看看非玩具状态（呵呵，以前的函数毫无实用价值）下反汇编以后是什么样子。

void Dump(IN PDRIVER_OBJECT pDriverObject)
{
 ULONG i=1;
 PDEVICE_OBJECT pDevice = pDriverObject->DeviceObject;
 KdPrint(("----------------------------------------------\n"));
 KdPrint(("Begin Dump...\n"));
 KdPrint(("Driver Address:0X%08X\n",pDriverObject));
 KdPrint(("Driver name:%wZ\n",&pDriverObject->DriverName));
 KdPrint(("Driver HardwareDatabase:%wZ\n",pDriverObject->HardwareDatabase));
 KdPrint(("Driver first device:0X%08X\n",pDriverObject->DeviceObject));
 
 
 
 for (;pDevice!=NULL;pDevice = pDevice->NextDevice)
 {
  KdPrint(("The %d device\n",i++));
  KdPrint(("Device AttachedDevice:0X%08X\n",pDevice->AttachedDevice));
  KdPrint(("Device NextDevice:0X%08X\n",pDevice->NextDevice));
  KdPrint(("Device StackSize:%d\n",pDevice->StackSize));
  KdPrint(("Device's DriverObject:0X%08X\n",pDevice->DriverObject));
 }
 
 KdPrint(("Dump over!\n"));
 KdPrint(("----------------------------------------------\n"));
}

////////////////////////////////////
反汇编：
kd> uf bz6!dump
bz6!Dump [d:\mydriver\bz6\bz6.c @ 82]:
   82 f8428550 8bff            mov     edi,edi
   82 f8428552 55              push    ebp
   82 f8428553 8bec            mov     ebp,esp
   82 f8428555 83ec0c          sub     esp,0Ch
   83 f8428558 c745f801000000  mov     dword ptr [ebp-8],1
   84 f842855f 8b4508          mov     eax,dword ptr [ebp+8]
   84 f8428562 8b4804          mov     ecx,dword ptr [eax+4]
   84 f8428565 894dfc          mov     dword ptr [ebp-4],ecx
   85 f8428568 68608842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428860)
   85 f842856d e842010000      call    bz6!DbgPrint (f84286b4)
   85 f8428572 83c404          add     esp,4
   86 f8428575 68508842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428850)
   86 f842857a e835010000      call    bz6!DbgPrint (f84286b4)
   86 f842857f 83c404          add     esp,4
   87 f8428582 8b5508          mov     edx,dword ptr [ebp+8]
   87 f8428585 52              push    edx
   87 f8428586 68308842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428830)
   87 f842858b e824010000      call    bz6!DbgPrint (f84286b4)
   87 f8428590 83c408          add     esp,8
   88 f8428593 8b4508          mov     eax,dword ptr [ebp+8]
   88 f8428596 83c01c          add     eax,1Ch
   88 f8428599 50              push    eax
   88 f842859a 68108842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428810)
   88 f842859f e810010000      call    bz6!DbgPrint (f84286b4)
   88 f84285a4 83c408          add     esp,8
   89 f84285a7 8b4d08          mov     ecx,dword ptr [ebp+8]
   89 f84285aa 8b5124          mov     edx,dword ptr [ecx+24h]
   89 f84285ad 52              push    edx
   89 f84285ae 68f08742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f84287f0)
   89 f84285b3 e8fc000000      call    bz6!DbgPrint (f84286b4)
   89 f84285b8 83c408          add     esp,8
   90 f84285bb 8b4508          mov     eax,dword ptr [ebp+8]
   90 f84285be 8b4804          mov     ecx,dword ptr [eax+4]
   90 f84285c1 51              push    ecx
   90 f84285c2 68d08742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f84287d0)
   90 f84285c7 e8e8000000      call    bz6!DbgPrint (f84286b4)
   90 f84285cc 83c408          add     esp,8
   90 f84285cf eb09            jmp     bz6!Dump+0x8a (f84285da)

bz6!Dump+0x81 [d:\mydriver\bz6\bz6.c @ 94]:
   94 f84285d1 8b55fc          mov     edx,dword ptr [ebp-4]
   94 f84285d4 8b420c          mov     eax,dword ptr [edx+0Ch]
   94 f84285d7 8945fc          mov     dword ptr [ebp-4],eax

bz6!Dump+0x8a [d:\mydriver\bz6\bz6.c @ 94]:
   94 f84285da 837dfc00        cmp     dword ptr [ebp-4],0
   94 f84285de 7476            je      bz6!Dump+0x106 (f8428656)

bz6!Dump+0x90 [d:\mydriver\bz6\bz6.c @ 96]:
   96 f84285e0 8b4df8          mov     ecx,dword ptr [ebp-8]
   96 f84285e3 894df4          mov     dword ptr [ebp-0Ch],ecx
   96 f84285e6 8b55f4          mov     edx,dword ptr [ebp-0Ch]
   96 f84285e9 52              push    edx
   96 f84285ea 68c08742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f84287c0)
   96 f84285ef e8c0000000      call    bz6!DbgPrint (f84286b4)
   96 f84285f4 83c408          add     esp,8
   96 f84285f7 8b45f8          mov     eax,dword ptr [ebp-8]
   96 f84285fa 83c001          add     eax,1
   96 f84285fd 8945f8          mov     dword ptr [ebp-8],eax
   97 f8428600 8b4dfc          mov     ecx,dword ptr [ebp-4]
   97 f8428603 8b5110          mov     edx,dword ptr [ecx+10h]
   97 f8428606 52              push    edx
   97 f8428607 68a08742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f84287a0)
   97 f842860c e8a3000000      call    bz6!DbgPrint (f84286b4)
   97 f8428611 83c408          add     esp,8
   98 f8428614 8b45fc          mov     eax,dword ptr [ebp-4]
   98 f8428617 8b480c          mov     ecx,dword ptr [eax+0Ch]
   98 f842861a 51              push    ecx
   98 f842861b 68808742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428780)
   98 f8428620 e88f000000      call    bz6!DbgPrint (f84286b4)
   98 f8428625 83c408          add     esp,8
   99 f8428628 8b55fc          mov     edx,dword ptr [ebp-4]
   99 f842862b 0fbe4230        movsx   eax,byte ptr [edx+30h]
   99 f842862f 50              push    eax
   99 f8428630 68608742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428760)
   99 f8428635 e87a000000      call    bz6!DbgPrint (f84286b4)
   99 f842863a 83c408          add     esp,8
  100 f842863d 8b4dfc          mov     ecx,dword ptr [ebp-4]
  100 f8428640 8b5108          mov     edx,dword ptr [ecx+8]
  100 f8428643 52              push    edx
  100 f8428644 68408742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428740)
  100 f8428649 e866000000      call    bz6!DbgPrint (f84286b4)
  100 f842864e 83c408          add     esp,8
  101 f8428651 e97bffffff      jmp     bz6!Dump+0x81 (f84285d1)

bz6!Dump+0x106 [d:\mydriver\bz6\bz6.c @ 103]:
  103 f8428656 68308742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428730)
  103 f842865b e854000000      call    bz6!DbgPrint (f84286b4)
  103 f8428660 83c404          add     esp,4
  104 f8428663 68608842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428860)
  104 f8428668 e847000000      call    bz6!DbgPrint (f84286b4)
  104 f842866d 83c404          add     esp,4
  105 f8428670 8be5            mov     esp,ebp
  105 f8428672 5d              pop     ebp
  105 f8428673 c20400          ret     4

/////////////
我们简单数下源程序中的KdPrint，再比较call，6个call以后开始循环：
   94 f84285da 837dfc00        cmp     dword ptr [ebp-4],0
   94 f84285de 7476            je      bz6!Dump+0x106 (f8428656)
   ........
  
  
 //////
 开始手工看数据啦~~~
  
   我们可以dt _driver_object来看数据结构
  
   kd> dt _driver_object
ntdll!_DRIVER_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x004 DeviceObject     : Ptr32 _DEVICE_OBJECT
   +0x008 Flags            : Uint4B
   +0x00c DriverStart      : Ptr32 Void
   +0x010 DriverSize       : Uint4B
   +0x014 DriverSection    : Ptr32 Void
   +0x018 DriverExtension  : Ptr32 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING
   +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING
   +0x028 FastIoDispatch   : Ptr32 _FAST_IO_DISPATCH
   +0x02c DriverInit       : Ptr32     long
   +0x030 DriverStartIo    : Ptr32     void
   +0x034 DriverUnload     : Ptr32     void
   +0x038 MajorFunction    : [28] Ptr32     long

显然是driver_object+10会得到DriverSize，那我们手工查看一下。

从反汇编窗口其实已经在代码后有提示了。
我们dd ebp+8可以获得driver_object的地址，在这个地址上+10（dd driver_object地址+10就可以了，当然也可以直接dd 算好的地址）：
kd> dd 81e64f38+10
81e64f48  00000c00 81d5f3b8 81e64fe0 00160016

我们还可以进循环，看device_object的具体情况，先看下结构：

kd> dt _device_object
ntdll!_DEVICE_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Uint2B
   +0x004 ReferenceCount   : Int4B
   +0x008 DriverObject     : Ptr32 _DRIVER_OBJECT
   +0x00c NextDevice       : Ptr32 _DEVICE_OBJECT
   +0x010 AttachedDevice   : Ptr32 _DEVICE_OBJECT
   +0x014 CurrentIrp       : Ptr32 _IRP
   +0x018 Timer            : Ptr32 _IO_TIMER
   +0x01c Flags            : Uint4B
   +0x020 Characteristics  : Uint4B
   +0x024 Vpb              : Ptr32 _VPB
   +0x028 DeviceExtension  : Ptr32 Void
   +0x02c DeviceType       : Uint4B
   +0x030 StackSize        : Char
   +0x034 Queue            : __unnamed
   +0x05c AlignmentRequirement : Uint4B
   +0x060 DeviceQueue      : _KDEVICE_QUEUE
   +0x074 Dpc              : _KDPC
   +0x094 ActiveThreadCount : Uint4B
   +0x098 SecurityDescriptor : Ptr32 Void
   +0x09c DeviceLock       : _KEVENT
   +0x0ac SectorSize       : Uint2B
   +0x0ae Spare1           : Uint2B
   +0x0b0 DeviceObjectExtension : Ptr32 _DEVOBJ_EXTENSION
   +0x0b4 Reserved         : Ptr32 Void

在循环中下断，进去看数据：
kd> dd 81d23b28
81d23b28  00cc0003 00000000 81e64f38 00000000

对照看看：
+0x000 Type             : Int2B   00cc0003中的03
+0x002 Size             : Uint2B  00cc0003中的cc

一般来说，如果内存中涉及堆栈，那么堆中放数据，栈中放数据指针......反正就这么慢慢看吧。

需要掌握：
if else在程序反汇编中的状态，用16进制编辑器修改程序

cmp  比较
jbe  小于等于
jmp  无条件转移
shl  数值左移：左移一位（shl     ecx,1）等于乘2，左移2位等于乘4
add  加

需要了解：
jg,jl,jgl 大于，小于，大于等于
PUSH 入栈同时esp-4
POP  出栈同时esp+4
用16进制编辑器修改程序

命令(16进制代码)
JA/JNBE (77)　
JAE/JNB (73) 
JB/JNAE (72) 
JBE/JNA (76) 
JG/JNLE (7F) 
JGE/JNL (7D)   
JL/JNGE (7C) 
JLE/JNG (7E)   

无需了解
call与ret对esp的影响
右移shr

正确的来说左移和右移操作是操作数乘于（或除于）2的平方（（SHL）n * 2 ^ 2、（SHR）n / 2 ^ 2)。
即操作数每向左或右移动一次都乘于或除于2一次。

文件校验和

/////////////

ULONG MyAdd1(ULONG u1,ULONG u2)
{
 ULONG u3;
 if (u1>u2)
  u3=u1*2;
 else
  u3=u2*4;
  
  return u3+100; 
 
 }
 
 使用：
MyAdd1(5,8)
////////////

kd> uf bz5!myadd1
bz5!MyAdd1 [d:\mydriver\bz5\bz5.c @ 7]:
    7 f8513490 8bff            mov     edi,edi
    7 f8513492 55              push    ebp
    7 f8513493 8bec            mov     ebp,esp
    7 f8513495 51              push    ecx
    //这里开始
    9 f8513496 8b4508          mov     eax,dword ptr [ebp+8]       ;5
    9 f8513499 3b450c          cmp     eax,dword ptr [ebp+0Ch]     ;将5与8比较
    9 f851349c 760a            jbe     bz5!MyAdd1+0x18 (f85134a8)  ;小于等于就跳转到f85134a8运行

bz5!MyAdd1+0xe [d:\mydriver\bz5\bz5.c @ 10]:
   10 f851349e 8b4d08          mov     ecx,dword ptr [ebp+8]
   10 f85134a1 d1e1            shl     ecx,1
   10 f85134a3 894dfc          mov     dword ptr [ebp-4],ecx
   11 f85134a6 eb09            jmp     bz5!MyAdd1+0x21 (f85134b1)

bz5!MyAdd1+0x18 [d:\mydriver\bz5\bz5.c @ 12]:
   12 f85134a8 8b550c          mov     edx,dword ptr [ebp+0Ch]    ;8
   12 f85134ab c1e202          shl     edx,2                      ;8*4
   12 f85134ae 8955fc          mov     dword ptr [ebp-4],edx      ;32

bz5!MyAdd1+0x21 [d:\mydriver\bz5\bz5.c @ 14]:
   14 f85134b1 8b45fc          mov     eax,dword ptr [ebp-4]      ;32
   14 f85134b4 83c064          add     eax,64h                    ;32+100  准备返回
   //赋值给eax作为返回值结束
   16 f85134b7 8be5            mov     esp,ebp
   16 f85134b9 5d              pop     ebp
   16 f85134ba c20800          ret     8

最后运行结果：
kd> g
x3 Result:132
!
当我把
  if (u1>u2)
改为
  if (u1<u2) 
   
反汇编以后：
    9 f8567499 3b450c          cmp     eax,dword ptr [ebp+0Ch]
    9 f856749c 730a            jae     bz5!MyAdd1+0x18 (f85674a8)
   
运行结果:
kd> g
x3 Result:110
!

内核反编译学习笔记4(下)附windbg常用命令

那么我们能否把原来的730a改为7f0a这样的手段，修改驱动的判断呢？

当然可以，我们可以用ultraedit等编辑器，打开bz5.sys，搜索"3b450c"，下面的73改为自己需要的：
命令(16进制代码)
JA/JNBE (77)　
JAE/JNB (73) 
JB/JNAE (72) 
JBE/JNA (76) 
JG/JNLE (7F) 
JGE/JNL (7D)   
JL/JNGE (7C) 
JLE/JNG (7E) 

比如7F，保存，然后注册运行。没错，你会发现不能运行。

////////////////////////
解决方法：重新计算校验和并保存。
用loadPe就可以了，里面有校验和，旁边有个问号，重新计算以后别忘了保存，再确定，然后，阿弥陀佛。

1.基本调试控制
运行程序(Run): 快捷键:F5 命令:g
单步步入(Step In)： 快捷键:F8 命令:p
单步步过(Step Over): 快捷键:F10
运行到光标所在行： 快捷键:F7
执行到返回：gu
执行到指定地址：g [Address]
重新运行调试程序: 快捷键:Ctrl+Shift+F5(这个对驱动一般用不到)

2.断点
断点之于调试当然是非常重要的
常用命令：
bp [Address]or[Symbol] 在指定地址下断
可以使用地址或符号，如
    bp 80561259(Windbg默认使用16进制)
    bp MyDriver!GetKernelPath
    bp MyDriver!GetKernelPath+0x12
bp [Address] /p eprocess 仅当当前进程为eprocess时才中断
这个很常用，比如你bp nt!NtTerminateProcess,但是只想在某一进程触发此断点时才断下来，那就加上这个参数吧，因为内核中的代码是各个进程共用的，所以此命令很实用
bp [Address] /t ethread 仅当当前线程为ethread时才中断，用法跟/p参数类似
bu [Address]or[Symbol] 下一个未解析的断点(就是说这个断点需要延迟解析)
这个也很常用，比如我们的驱动名为MyDriver.sys,那么在驱动加载之前下断bu MyDriver!DriverEntry，
然后加载这个驱动时就可以断在驱动入口，并且这个是不需要调试符号支持的
bl 列出所有断点,L=List
bc[id] 清除断点，c=Clear,id是bl查看时的断点编号
bd[id] 禁用断点，d=Disable,id即断点编号
be[id] 启用断点，e=Enable,id为断点编号

3.查看和修改数据
调试中不可避免的要查看和修改数据
查看内存：
db/dw/dd/dq [Address]       字节/字/双字/四字方式查看数据
da/du [Address]           ASCII字符串/Unicode字符串方式查看指定地址
其它常用的如查看结构
dt nt!_EPROCESS
dt nt!_EPROCESS 89330da0 (把0x89330da0作为对象指针)
修改内存：
eb/ew/ed/eq/ef/ep Address [Values]
字节/字/双字/四字/浮点数/指针/
ea/eu/eza/ezu Address [Values]
ASCII字符串/Unicode字符串/以NULL结尾的ASCII字符串/以NULL结尾的Unicode字符串
搜索内存：
s -[b/w/d/q/a/u] Range Target
搜索字节/字/双字/四字/ASCII字符串/Unicode字符串

4.寄存器
在用Windbg调试时可以Alt+4直接调出寄存器窗口，然后拖放到合适的位置就可以。
要修改呢就直接双击相应的项就可以了。
把命令的方式也说一下，比较简单：
r 显示所有寄存器的值
r eax 显示eax的值
r eax=1 修改eax的值为1

5.辅助命令
!process 显示当前进程信息
!process 0 0 显示当前所有进程(会有僵尸进程)
!process 1f4 显示pid为1f4的进程信息，后面也可以跟eprocess的值
!thread 显示当前线程信息
!thread
!process 1f4 显示tid为768的线程信息，后面也可以跟ethread的值
栈相关:
k 显示调用栈
kb 显示ebp和前3个参数
kp 以函数调用形式显示栈

本节任务：通过具有不同数量参数的函数调用，看其中区别
所用程序bz3
需要掌握：
windbg命令：
uf 反汇编
dd 查看内容

调用的时候：
mov     给参数赋值
push   eax 供函数使用的参数
被调用函数内部
push    ebp         保存ebp，用来保存调用前运行的代码地址
mov     ebp,esp     将esp赋值给ebp，现在有新的ebp指针了,指向栈顶

pop     ebp         恢复ebp，取得地址，准备跳到那地址的代码，继续运行程序

需要了解
JMP    无条件跳转，去运行跳转后地址的代码
ret     8           返回，注意,调用前每push一个参数，esp就-4，两个参数就-8，ret的时候，需要+8返回

无需了解：
call=push+JMP
ret = pop+JMP      将在后面继续说明

//先贴代码，仔细看其实很简单

VOID MyP0()
{
 DbgPrint("no arg...\r\n");
}

VOID MyP1(ULONG u1)
{
 DbgPrint("One arg:%d\n!",u1);
}

VOID MyP2(ULONG u1,ULONG u2)
{
   ULONG u3;
   u3 = u1+u2;
   DbgPrint("two arg:%d\n!",u3);

}
 

VOID DriverUnload(PDRIVER_OBJECT driver)
{
 
 DbgPrint("unload…\r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
 ULONG x1 = 5;
 ULONG x2 = 8;
 
 
 
#if DBG
       _asm int 3
#endif
 
 MyP0();
 MyP1(x1);
 MyP2(x1,x2);
 

 
 driver->DriverUnload = DriverUnload;
 return STATUS_SUCCESS;
}

//////代码结束

以下分别为Entry主函数和3个自定义函数的反汇编。
汇编完了先放那，具体解析在下面。

kd> uf bz3!driverentry
bz3!DriverEntry [d:\mydriver\bz3\bz3.c @ 31]:
   31 f8451520 8bff            mov     edi,edi
   31 f8451522 55              push    ebp
   31 f8451523 8bec            mov     ebp,esp
   31 f8451525 83ec08          sub     esp,8
   32 f8451528 c745f805000000  mov     dword ptr [ebp-8],5
   33 f845152f c745fc08000000  mov     dword ptr [ebp-4],8
   38 f8451536 cc              int     3
   41 f8451537 e854ffffff      call    bz3!MyP0 (f8451490)
   42 f845153c 8b45f8          mov     eax,dword ptr [ebp-8]
   42 f845153f 50              push    eax
   42 f8451540 e86bffffff      call    bz3!MyP1 (f84514b0)
   43 f8451545 8b4dfc          mov     ecx,dword ptr [ebp-4]
   43 f8451548 51              push    ecx
   43 f8451549 8b55f8          mov     edx,dword ptr [ebp-8]
   43 f845154c 52              push    edx
   43 f845154d e87effffff      call    bz3!MyP2 (f84514d0)
   47 f8451552 8b4508          mov     eax,dword ptr [ebp+8]
   47 f8451555 c74034001545f8  mov     dword ptr [eax+34h],offset bz3!DriverUnload (f8451500)
   48 f845155c 33c0            xor     eax,eax
   49 f845155e 8be5            mov     esp,ebp
   49 f8451560 5d              pop     ebp
   49 f8451561 c20800          ret     8
  

内核反编译学习笔记2（下）

三个自定义：
kd> uf bz3!myp0
bz3!MyP0 [d:\mydriver\bz3\bz3.c @ 5]:
    5 f8451490 8bff            mov     edi,edi
    5 f8451492 55              push    ebp
    5 f8451493 8bec            mov     ebp,esp
    6 f8451495 68701545f8      push    offset bz3! ?? ::FNODOBFM::`string' (f8451570)
    6 f845149a e8cb000000      call    bz3!DbgPrint (f845156a)
    6 f845149f 83c404          add     esp,4
    7 f84514a2 5d              pop     ebp
    7 f84514a3 c3              ret
kd> uf bz3!myp1
bz3!MyP1 [d:\mydriver\bz3\bz3.c @ 10]:
   10 f84514b0 8bff            mov     edi,edi
   10 f84514b2 55              push    ebp
   10 f84514b3 8bec            mov     ebp,esp
   11 f84514b5 8b4508          mov     eax,dword ptr [ebp+8]
   11 f84514b8 50              push    eax
   11 f84514b9 68801545f8      push    offset bz3! ?? ::FNODOBFM::`string' (f8451580)
   11 f84514be e8a7000000      call    bz3!DbgPrint (f845156a)
   11 f84514c3 83c408          add     esp,8
   12 f84514c6 5d              pop     ebp
   12 f84514c7 c20400          ret     4
kd> uf bz3!myp2
bz3!MyP2 [d:\mydriver\bz3\bz3.c @ 15]:
   15 f84514d0 8bff            mov     edi,edi
   15 f84514d2 55              push    ebp
   15 f84514d3 8bec            mov     ebp,esp
   15 f84514d5 51              push    ecx
   17 f84514d6 8b4508          mov     eax,dword ptr [ebp+8]
   17 f84514d9 03450c          add     eax,dword ptr [ebp+0Ch]
   17 f84514dc 8945fc          mov     dword ptr [ebp-4],eax
   18 f84514df 8b4dfc          mov     ecx,dword ptr [ebp-4]
   18 f84514e2 51              push    ecx
   18 f84514e3 68901545f8      push    offset bz3! ?? ::FNODOBFM::`string' (f8451590)
   18 f84514e8 e87d000000      call    bz3!DbgPrint (f845156a)
   18 f84514ed 83c408          add     esp,8
   20 f84514f0 8be5            mov     esp,ebp
   20 f84514f2 5d              pop     ebp
   20 f84514f3 c20800          ret     8
  
  
   正式开始我们的任务
   ////////////
   以下为Entry中调用函数的反汇编代码
  
         call    bz3!MyP0 (f8451490)     ;无参数
        
         mov     eax,dword ptr [ebp-8]   ;1个参数
         push    eax
         call    bz3!MyP1 (f84514b0)    
        
         mov     ecx,dword ptr [ebp-4]   ;2个参数
         push    ecx
         mov     edx,dword ptr [ebp-8]
         push    edx
         call    bz3!MyP2 (f84514d0)   

   显然我们可以得出结论：
   在调用函数的时候，无参数，直接call，
   有参数，有几个要push几个，把eax等寄存器内的数据入栈:push exx
   eax,edx等寄存器内的数据哪里来的呢？通过mov，从存放地点移动过来赋值。
  
  
  //接下来我们进入函数内部，要动态追踪下面代码。以后每次看见这样代码，明白道理，就直接忽略：
  push    ebp         保存ebp
  mov     ebp,esp     保存esp

  pop     ebp         获得ebp
  ret     8           返回，注意，后面为什么是8
 
  我们先看一下Entry调用MyP0处的地址：
   38 f8451536 cc              int     3
   41 f8451537 e854ffffff      call    bz3!MyP0 (f8451490)
   42 f845153c 8b45f8          mov     eax,dword ptr [ebp-8]
  
   显然调用MyP0后，要运行f845153c的代码。然后我们到函数内部看
     push    ebp         中ebp的内容，是不是f845153c
    
  进入windbg:
//////////////////////////
  kd> t
bz3!DriverEntry+0x17:
f8451537 e854ffffff      call    bz3!MyP0 (f8451490)
kd> t
bz3!MyP0:
f8451490 8bff            mov     edi,edi
kd> p
bz3!MyP0+0x5:
f8451495 68701545f8      push    offset bz3! ?? ::FNODOBFM::`string' (f8451570)
kd> dd ebp
f8282c6c  f8282c7c f845153c 00000005 00000008
//////////////////
呵呵，没错，f845153c,5,8,都是要用的。
下面两个地址也应该出现在下面两个函数的ebp中,不然程序返回后不知道继续运行哪里的代码。
 f8451545 f8451552
 
 顺便看下类似下面命令是什么意思
 mov     eax,dword ptr [ebp+8]
 
我们要知道 ebp+8，要先看下ebp:
 
kd> dd ebp
f8282c64：  f8282c7c f8451552 00000005 00000008

可以看到，ebp+4就是f8451552，返回后继续运行的地址，ebp+8当然是5了,ebp+12(哦，要16进制:ebp+c)是8。
那我们直接看下dd ebp+8：
kd> dd ebp+8
f8282c6c:   00000005 00000008 00000005 00000008
kd> dd ebp+c
f8282c70：  00000008 00000005 00000008 f8282d4c

应该没疑问了。
 
//////////////
以后看汇编代码的时候，可以忽略：
  push    ebp         保存返回地址
  mov     ebp,esp     设置新的ebp指针，指向栈顶
中间是具体实现
  pop     ebp         获得返回地址
  ret     8           返回

只看这些代码中间的代码就可以了，以后直接贴这些代码中间的实现。

• Download source code - 9.42 KB

Contents

1. Introduction
2. Creating a simple File System Filter Driver
3. How to install a driver
4. Running a sample
5. Improvements
6. Conclusion
7. Useful references

Introduction

This tutorial will show you how to develop a simple file system filter driver. The demo driver will print the names of opening files to the debug output.

The article requires basic Windows driver development and C/C++ knowledge. However, it may also be interesting to people without Windows driver development experience.

What is a file system filter driver?

A file system filter driver is called on every file system I/O operation (create, read, write, rename, and etc.), and thus it can modify the file system behavior. File system filter drivers are almost similar to legacy drivers, but they require some special steps to do. Such drivers are used by anti-viruses, security, backup, and snapshot software.

Creating a simple File System Filter Driver

Before starting

To build a driver, you need WDK or the IFS Kit. You can get them from Microsoft’s website. Also, you have to set an environment variable %WINDDK% to the path where you have installed the WDK/IFS Kit.

Be careful: Even a small error in the driver may cause a BSOD or system instability.

Main.c

Driver entry

This is the entry point of any driver. The first thing that we do is to store DriverObject to a global variable (we will need it later).

Collapse Copy Code

////////////////////////////////////////////////////////
// Global data

PDRIVER_OBJECT   g_fsFilterDriverObject = NULL;
////////////////////////////////////////////////////////
// DriverEntry - Entry point of the driver

NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT  DriverObject,
__in    PUNICODE_STRING RegistryPath
)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG    i      = 0;
//ASSERT(FALSE); // This will break to debugger

//
    // Store our driver object.
    //

g_fsFilterDriverObject = DriverObject;
...
}

Set IRP dispatch table

The next step is to populate the IRP dispatch table with function pointers to IRP handlers. In our filter driver, there is a generic pass-through IRP handler (which sends the request further). And, we will need a handler for IRP_MJ_CREATE to retrieve the names of the opening files. The implementation of the IRP handlers will be described later.

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////
// DriverEntry - Entry point of the driver

NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT  DriverObject,
__in    PUNICODE_STRING RegistryPath
)
{
...
//
    //  Initialize the driver object dispatch table.
    //

for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; ++i)
{
DriverObject->MajorFunction[i] = FsFilterDispatchPassThrough;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] = FsFilterDispatchCreate;
...
}

Set Fast-IO dispatch table

A file system filter driver must have the fast-IO dispatch table. If you’ve forgot to set up the fast-IO dispatch table, it will lead to system crash. Fast-IO is an alternative way to initiate I/O operations (and it’s faster than IRP). Fast-IO operations are always synchronous. If the Fast-IO handler returns FALSE, it means the Fast-IO way is impossible and an IRP will be created.

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////
// Global data

FAST_IO_DISPATCH g_fastIoDispatch =
{
sizeof(FAST_IO_DISPATCH),
FsFilterFastIoCheckIfPossible,
...
};
//////////////////////////////////////////////////////////////////////////
// DriverEntry - Entry point of the driver

NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT  DriverObject,
__in    PUNICODE_STRING RegistryPath
)
{
...
//
    // Set fast-io dispatch table.
    //

DriverObject->FastIoDispatch = &g_fastIoDispatch;
...
}

Register a notification for file system changes

We should track the file system being activated/deactivated to perform attaching/detaching of our file system filter driver. How to start tracking file system changes is shown below.

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////
// DriverEntry - Entry point of the driver

NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT  DriverObject,
__in    PUNICODE_STRING RegistryPath
)
{
...
//
    //  Registered callback routine for file system changes.
    //

status = IoRegisterFsRegistrationChange(DriverObject,
FsFilterNotificationCallback);
if (!NT_SUCCESS(status))
{
return status;
}
...
}

Set driver unload routine

The last part of the driver initialization sets an unload routine. Setting the driver unload routine makes the driver unloadable, and you can load/unload it multiple times without system restart. However, this driver is made unloadable only for debugging purpose, because file system filters can’t be unloaded safely. Never do this in production code.

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////
// DriverEntry - Entry point of the driver

NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT  DriverObject,
__in    PUNICODE_STRING RegistryPath
)
{
...
//
    // Set driver unload routine (debug purpose only).
    //

DriverObject->DriverUnload = FsFilterUnload;
return STATUS_SUCCESS;
}

Driver unload implementation

Driver unload routine is responsible for cleaning up and deallocation of resources. First of all, unregister the notification for file system changes.

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////
// Unload routine

VOID FsFilterUnload(
__in PDRIVER_OBJECT DriverObject
)
{
...
//
    //  Unregistered callback routine for file system changes.
    //

IoUnregisterFsRegistrationChange(DriverObject, FsFilterNotificationCallback);
...
}

Then loop through the devices we created, detach and delete them. Wait for 5 seconds to let all outstanding IRPs to be completed. As it was mentioned before, this is a debug only solution. It works in the majority of cases, but there is no guarantee for all.

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////
// Unload routine

VOID FsFilterUnload(
__in PDRIVER_OBJECT DriverObject
)
{
...
for (;;)
{
IoEnumerateDeviceObjectList(
DriverObject,
devList,
sizeof(devList),
&numDevices);
if (0 == numDevices)
{
break;
}
numDevices = min(numDevices, RTL_NUMBER_OF(devList));
for (i = 0; i < numDevices; ++i)
{
FsFilterDetachFromDevice(devList[i]);
ObDereferenceObject(devList[i]);
}
KeDelayExecutionThread(KernelMode, FALSE, &interval);
}
}

IrpDispatch.c

Dispatch pass-through

This IRP handler does nothing except passing requests further to the next driver. We have the next driver object stored in our device extension.

Collapse Copy Code

/////////////////////////////////////////////////////////////////
// PassThrough IRP Handler

NTSTATUS FsFilterDispatchPassThrough(
__in PDEVICE_OBJECT DeviceObject,
__in PIRP           Irp
)
{
PFSFILTER_DEVICE_EXTENSION pDevExt =
(PFSFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(pDevExt->AttachedToDeviceObject, Irp);
}

Dispatch create

This IRP handler is invoked on every create file operation. We will grab a filename from PFILE_OBJECT and print it to the debug output. Then, we call the pass-through handler described above. Pay attention to the fact that a valid file name exists in PFILE_OBJECT only while the create file operation is being performed! Also there are relative opens, and opens by ID. Retrieving file names in those cases is beyond the scope of this article.

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////////
// IRP_MJ_CREATE IRP Handler

NTSTATUS FsFilterDispatchCreate(
__in PDEVICE_OBJECT DeviceObject,
__in PIRP           Irp
)
{
PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;
DbgPrint("%wZ\n", &pFileObject->FileName);
return FsFilterDispatchPassThrough(DeviceObject, Irp);
}

FastIo.c

To test the Fast-IO dispatch table validity for the next driver, we will use the following helper macro (not all of the Fast-IO routines must be implemented by the underlying file system, so we have to be sure about that):

Collapse Copy Code

//  Macro to test if FAST_IO_DISPATCH handling routine is valid
#define VALID_FAST_IO_DISPATCH_HANDLER(_FastIoDispatchPtr, _FieldName) \
(((_FastIoDispatchPtr) != NULL) && \
(((_FastIoDispatchPtr)->SizeOfFastIoDispatch) >= \
(FIELD_OFFSET(FAST_IO_DISPATCH, _FieldName) + sizeof(void *))) && \
((_FastIoDispatchPtr)->_FieldName != NULL))

Fast-IO pass-through

Passing through Fast-IO requests requires writing a lot of code (in contrast to passing through IRP requests) because each Fast-IO function has its own set of parameters. A typical pass-through function is shown below:

Collapse Copy Code

BOOLEAN FsFilterFastIoQueryBasicInfo(
__in PFILE_OBJECT       FileObject,
__in BOOLEAN            Wait,
__out PFILE_BASIC_INFORMATION Buffer,
__out PIO_STATUS_BLOCK  IoStatus,
__in PDEVICE_OBJECT     DeviceObject
)
{
//
    //  Pass through logic for this type of Fast I/O
    //

PDEVICE_OBJECT    nextDeviceObject =
((PFSFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedToDeviceObject;
PFAST_IO_DISPATCH fastIoDispatch   = nextDeviceObject->DriverObject->FastIoDispatch;
if (VALID_FAST_IO_DISPATCH_HANDLER(fastIoDispatch, FastIoQueryBasicInfo))
{
return (fastIoDispatch->FastIoQueryBasicInfo)(
FileObject,
Wait,
Buffer,
IoStatus,
nextDeviceObject);
}
return FALSE;
}

Fast-IO detach device

This is a special Fast-IO request which we have to handle ourselves and not call the next driver. We have to detach our filter device from the file system device stack and delete our device. That can be done easily by the following code:

Collapse Copy Code

VOID FsFilterFastIoDetachDevice(
__in PDEVICE_OBJECT     SourceDevice,
__in PDEVICE_OBJECT     TargetDevice
)
{
//
    //  Detach from the file system's volume device object.
    //

IoDetachDevice(TargetDevice);
IoDeleteDevice(SourceDevice);
}

Notification.c

A typical file system consists of a control device and volume devices. A volume device is attached to the storage device stack. The control device is registered as a file system.

We have a callback which is invoked for all active file systems and whenever a file system has either registered or unregistered itself as an active one. This is a good place to attach/detach our filter device. When a file system activates itself, we attach to its control device (only if we are not already attached), enumerate its volume devices, and attach to them too. On file system deactivation, we examine the file system control device stack, find our device, and detach it. Detaching from the file system volume devices is performed in the FsFilterFastIoDetachDevice routine described earlier.

Collapse Copy Code

////////////////////////////////////////////////////////////////////////////
// This routine is invoked whenever a file system has either registered or
// unregistered itself as an active file system.

VOID FsFilterNotificationCallback(
__in PDEVICE_OBJECT DeviceObject,
__in BOOLEAN        FsActive
)
{
//
    //  Handle attaching/detaching from the given file system.
    //

if (FsActive)
{
FsFilterAttachToFileSystemDevice(DeviceObject);
}
else
{
FsFilterDetachFromFileSystemDevice(DeviceObject);
}
}

AttachDetach.c

This file contains helper routines for attaching, detaching, and checking whether our filter is already attached.

Attaching

To perform attaching, we create a new device object with the device extension (call IoCreateDevice) and the propagate device object flags from the device object we are trying to attach to (DO_BUFFERED_IO, DO_DIRECT_IO, FILE_DEVICE_SECURE_OPEN). Then, we call IoAttachDeviceToDeviceStackSafe in a loop with a delay in the case of failure. It is possible for this attachment request to fail because the device object has not finished initialization. This situation can occur if we try to mount the filter that was loaded as the volume only. When attaching is finished, we save the “attached to” device object to the device extension and clear the DO_DEVICE_INITIALIZING flag. The device extension is shown below:

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////
// Structures

typedef struct _FSFILTER_DEVICE_EXTENSION
{
PDEVICE_OBJECT AttachedToDeviceObject;
} FSFILTER_DEVICE_EXTENSION, *PFSFILTER_DEVICE_EXTENSION;

Detaching

Detaching is quite simple. Get the “attached to” device object from the device extension and call IoDetachDevice and IoDeleteDevice.

Collapse Copy Code

void FsFilterDetachFromDevice(
__in PDEVICE_OBJECT DeviceObject
)
{
PFSFILTER_DEVICE_EXTENSION pDevExt =
(PFSFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
IoDetachDevice(pDevExt->AttachedToDeviceObject);
IoDeleteDevice(DeviceObject);
}

Checking whether our device is attached

To check whether we are attached to a device, we have to iterate through the device stack (using IoGetAttachedDeviceReference and IoGetLowerDeviceObject) and search for our device there. We distinguish our devices by comparing the device driver object with our driver object (g_fsFilterDriverObject).

Collapse Copy Code

//////////////////////////////////////////////////////////////////////////
// Misc

BOOLEAN FsFilterIsMyDeviceObject(
__in PDEVICE_OBJECT DeviceObject
)
{
return DeviceObject->DriverObject == g_fsFilterDriverObject;
}

Sources and makefile

Sources and makefile files are used by the build utility to build the driver. It contains project settings and source file names.

Sources file contents:

Collapse Copy Code

TARGETNAME  = FsFilter
TARGETPATH  = obj
TARGETTYPE  = DRIVER
DRIVERTYPE  = FS
SOURCES     = \
Main.c \
IrpDispatch.c \
AttachDetach.c \
Notification.c \
FastIo.c

The makefile is standard:

Collapse Copy Code

!include $(NTMAKEENV)\makefile.def

The MSVC makefile project build command line is:

Collapse Copy Code

call $(WINDDK)\bin\setenv.bat $(WINDDK) chk wxp
cd /d $(ProjectDir)
build.exe –I

How to install a driver

SC.EXE overview

We will use sc.exe (sc – service control) to manage our driver. It is a command-line utility that can be used to query or modify the database of installed services. It is shipped with Windows XP and higher, or you can find it in the Windows SDK/DDK.

Install

To install the driver, call:

Collapse Copy Code

sc create FsFilter type= filesys binPath= c:\FSFilter.sys

A new service entry will be created with the name FsFilter; the service type will be file system, and the binary path, c:\FsFilter.sys.

Start

To start the driver, call:

Collapse Copy Code

sc start FsFilter

This starts a service named FsFilter.

Stop

To stop the driver, call:

Collapse Copy Code

sc stop FsFilter

This stop the service named FsFilter.

Uninstall

And to uninstall, call:

Collapse Copy Code

sc delete FsFilter

This instructs the service manager to delete the service entry with the name FsFilter.

Resulting script

All those commands are put into a single batch file to make driver testing easier. Here is the listing of the Install.cmd command file:

Collapse Copy Code

sc create FsFilter type= filesys binPath= c:\FsFilter.sys
sc start FsFilter
pause
sc stop FsFilter
sc delete FsFilter
pause

Running a sample

This is the most interesting part. To demonstrate the file system filter work, we will use Sysinternals DebugView for Windows to monitor the debug output, and OSR Device Tree to see the devices and drivers.

So, build the driver. Then, copy the build output file FsFilter.sys and the install the script Install.cmd to the root of the disk C.

Run Install.cmd. It will install and start the driver and then wait for user input.

Now start the DebugView utility.

We can see what files are being opened! Our filter works. Now, run the device tree utility and locate our driver there.

We can see numerous devices created by our driver. Now let’s open the NTFS driver and look at the device tree:

We are attached. Let’s take a look at the other file systems.

And finally, press any key to move our install script forward. It will stop and uninstall the driver.

Refresh the device tree list by pressing F5:

Our filter is gone. The system is running as before.

Improvements

The sample driver lacks a commonly required functionality of attaching to the newly arrived volumes. It is done so to make the driver as easy to understand as possible. You can write a IRP_MJ_FILE_SYSTEM_CONTROL handler of your own to track the newly arrived volumes.

Conclusion

This tutorial showed how to create a simple file system filter driver, and how to install, start, stop, and uninstall it from a command line. Also, some file system filter driver aspects were discussed. We saw the file system device stack with the attached filters, and learned how to monitor the debug output from the driver. You may use the provided sources as a skeleton for your own file system filter driver or modify its behavior.

Useful references

1. File System Filter Drivers
2. Content for File System or File System Filter Developers
3. Windows NT File System Internals (OSR Classic Reprints) (Paperback)
4. sfilter DDK sample

Read more Driver Development tips at the Apriorit Case Studies section.

我们知道，在NT/2K/XP中，操作系统利用虚拟内存管理技术来维护地址空间映像，每个进程分配一个4GB的虚拟地址空间。运行在用户态的应用程序，不能直接访问物理内存地址；而运行在核心态的驱动程序，能将虚拟地址空间映射为物理地址空间，从而访问物理内存地址。

如果要在应用程序中以物理地址方式访问内存，自然而然的办法，是编写一个专用的驱动程序（如大家熟悉的WinIO），里面设置一定的IOCTL码，应用程序通过调用DeviceIoCtrol()来实现这样的功能。

那么，有没有一种方法，省去编写专用驱动程序这一步，很方便地就能访问物理内存呢？答案是肯定的。实际上，微软早就给我们准备好了一套办法，只是他们秘而不宣罢了。系统内建一个叫做PhysicalMemory的内核对象，可以通过系统核心文件NTDLL.DLL中的有关API进行操纵，从而实现物理内存的直接访问。微软声称这些API是用于驱动程序开发的，在VC/.NET中未提供原型说明和库文件，然而事实证明在应用程序中调用它们是没有问题的。我们感兴趣的API主要包括：

typedef LONG    NTSTATUS;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef enum _SECTION_INHERIT
{
ViewShare = 1,
ViewUnmap = 2
} SECTION_INHERIT, *PSECTION_INHERIT;
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
// Interesting functions in NTDLL
typedef NTSTATUS (WINAPI *ZwOpenSectionProc)
(
PHANDLE SectionHandle,
DWORD DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
);
typedef NTSTATUS (WINAPI *ZwMapViewOfSectionProc)
(
HANDLE SectionHandle,
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
ULONG CommitSize,
PLARGE_INTEGER SectionOffset,
PULONG ViewSize,
SECTION_INHERIT InheritDisposition,
ULONG AllocationType,
ULONG Protect
);
typedef NTSTATUS (WINAPI *ZwUnmapViewOfSectionProc)
(
HANDLE ProcessHandle,
PVOID BaseAddress
);
typedef VOID (WINAPI *RtlInitUnicodeStringProc)
(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
// Global variables
static HMODULE hModule = NULL;
static HANDLE hPhysicalMemory = NULL;
static ZwOpenSectionProc ZwOpenSection;
static ZwMapViewOfSectionProc ZwMapViewOfSection;
static ZwUnmapViewOfSectionProc ZwUnmapViewOfSection;
static RtlInitUnicodeStringProc RtlInitUnicodeString;
// initialize
BOOL InitPhysicalMemory()
{
if (!(hModule = LoadLibrary("ntdll.dll")))
{
return FALSE;
}
// 以下从NTDLL获取我们需要的几个函数指针
if (!(ZwOpenSection = (ZwOpenSectionProc)GetProcAddress(hModule, "ZwOpenSection")))
{
return FALSE;
}
if (!(ZwMapViewOfSection = (ZwMapViewOfSectionProc)GetProcAddress(hModule, "ZwMapViewOfSection")))
{
return FALSE;
}
if (!(ZwUnmapViewOfSection = (ZwUnmapViewOfSectionProc)GetProcAddress(hModule, "ZwUnmapViewOfSection")))
{
return FALSE;
}
if (!(RtlInitUnicodeString = (RtlInitUnicodeStringProc)GetProcAddress(hModule, "RtlInitUnicodeString")))
{
return FALSE;
}
// 以下打开内核对象
WCHAR PhysicalMemoryName[] = L"\\Device\\PhysicalMemory";
UNICODE_STRING PhysicalMemoryString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString(&PhysicalMemoryString, PhysicalMemoryName);
InitializeObjectAttributes(&attributes, &PhysicalMemoryString, 0, NULL, NULL);
NTSTATUS status = ZwOpenSection(&hPhysicalMemory, SECTION_MAP_READ, &attributes );
return (status >= 0);
}
// terminate -- free handles
void ExitPhysicalMemory()
{
if (hPhysicalMemory != NULL)
{
CloseHandle(hPhysicalMemory);
}
if (hModule != NULL)
{
FreeLibrary(hModule);
}
}
BOOL ReadPhysicalMemory(PVOID buffer, DWORD address, DWORD length)
{
DWORD outlen;            // 输出长度，根据内存分页大小可能大于要求的长度
PVOID vaddress;          // 映射的虚地址
NTSTATUS status;         // NTDLL函数返回的状态
LARGE_INTEGER base;      // 物理内存地址
vaddress = 0;
outlen = length;
base.QuadPart = (ULONGLONG)(address);
// 映射物理内存地址到当前进程的虚地址空间
status = ZwMapViewOfSection(hPhysicalMemory,
(HANDLE) -1,
(PVOID *)&vaddress,
0,
length,
&base,
&outlen,
ViewShare,
0,
PAGE_READONLY);
if (status < 0)
{
return FALSE;
}
// 当前进程的虚地址空间中，复制数据到输出缓冲区
memmove(buffer, vaddress, length);
// 完成访问，取消地址映射
status = ZwUnmapViewOfSection((HANDLE)-1, (PVOID)vaddress);
return (status >= 0);
}
// 一个测试函数，从物理地址0xfe000开始，读取4096个字节
// 对于Award BIOS，可以从这段数据找到序列号等信息
BOOL test()
{
UCHAR buf[4096];
if (!InitPhysicalMemory())
{
return FALSE;
}
if (!ReadPhysicalMemory(buf, 0xfe000, 4096))
{
// ... 成功读取了指定数据
ExitPhysicalMemory();
return FALSE;
}
ExitPhysicalMemory();
return TRUE;
}

Q 在NT/2000/XP中，如何读取CMOS数据？

Q 在NT/2000/XP中，如何控制speaker发声？

Q 在NT/2000/XP中，如何直接访问物理端口？

A 看似小小问题，难倒多少好汉！

NT/2000/XP从安全性、可靠性、稳定性上考虑，应用程序和操作系统是分开的，操作系统代码运行在核心态，有权访问系统数据和硬件，能执行特权指令；应用程序运行在用户态，能够使用的接口和访问系统数据的权限都受到严格限制。当用户程序调用系统服务时，处理器捕获该调用，然后把调用的线程切换到核心态。当系统服务完成后，操作系统将线程描述表切换回用户态，调用者继续运行。

想在用户态应用程序中实现I/O读写，直接存取硬件，可以通过编写驱动程序，实现CreateFile、CloseHandle、 DeviceIOControl、ReadFile、WriteFile等功能。从Windows 2000开始，引入WDM核心态驱动程序的概念。

下面是本人写的一个非常简单的驱动程序，可实现字节型端口I/O。

#include <ntddk.h>
#include "MyPort.h"
// 设备类型定义
// 0-32767被Microsoft占用，用户自定义可用32768-65535
#define FILE_DEVICE_MYPORT    0x0000f000
// I/O控制码定义
// 0-2047被Microsoft占用，用户自定义可用2048-4095 
#define MYPORT_IOCTL_BASE 0xf00
#define IOCTL_MYPORT_READ_BYTE   CTL_CODE(FILE_DEVICE_MYPORT, MYPORT_IOCTL_BASE, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_MYPORT_WRITE_BYTE  CTL_CODE(FILE_DEVICE_MYPORT, MYPORT_IOCTL_BASE+1, METHOD_BUFFERED, FILE_ANY_ACCESS)
// IOPM是65536个端口的位屏蔽矩阵，包含8192字节(8192 x 8 = 65536)
// 0 bit: 允许应用程序访问对应端口
// 1 bit: 禁止应用程序访问对应端口
#define IOPM_SIZE    8192
typedef UCHAR IOPM[IOPM_SIZE];
IOPM *pIOPM = NULL;
// 设备名(要求以UNICODE表示)
const WCHAR NameBuffer[] = L"\\Device\\MyPort";
const WCHAR DOSNameBuffer[] = L"\\DosDevices\\MyPort";
// 这是两个在ntoskrnl.exe中的未见文档的服务例程
// 没有现成的已经说明它们原型的头文件，我们自己声明
void Ke386SetIoAccessMap(int, IOPM *);
void Ke386IoSetAccessProcess(PEPROCESS, int);
// 函数原型预先说明
NTSTATUS MyPortDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
void MyPortUnload(IN PDRIVER_OBJECT DriverObject);
// 驱动程序入口，由系统自动调用，就像WIN32应用程序的WinMain
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
PDEVICE_OBJECT deviceObject;
NTSTATUS status;
UNICODE_STRING uniNameString, uniDOSString;
// 为IOPM分配内存
pIOPM = MmAllocateNonCachedMemory(sizeof(IOPM));
if (pIOPM == 0)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
// IOPM全部初始化为0(允许访问所有端口)
RtlZeroMemory(pIOPM, sizeof(IOPM));
// 将IOPM加载到当前进程
Ke386IoSetAccessProcess(PsGetCurrentProcess(), 1);
Ke386SetIoAccessMap(1, pIOPM);
// 指定驱动名字
RtlInitUnicodeString(&uniNameString, NameBuffer);
RtlInitUnicodeString(&uniDOSString, DOSNameBuffer);
// 创建设备
status = IoCreateDevice(DriverObject, 0,
&uniNameString,
FILE_DEVICE_MYPORT,
0, FALSE, &deviceObject);
if (!NT_SUCCESS(status))
{
return status;
}
// 创建WIN32应用程序需要的符号连接
status = IoCreateSymbolicLink (&uniDOSString, &uniNameString);
if (!NT_SUCCESS(status))
{
return status;
}
// 指定驱动程序有关操作的模块入口(函数指针)
// 涉及以下两个模块：MyPortDispatch和MyPortUnload
DriverObject->MajorFunction[IRP_MJ_CREATE]         =
DriverObject->MajorFunction[IRP_MJ_CLOSE]          =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyPortDispatch;
DriverObject->DriverUnload = MyPortUnload;
return STATUS_SUCCESS;
}
// IRP处理模块
NTSTATUS MyPortDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
PIO_STACK_LOCATION IrpStack;
ULONG              dwInputBufferLength;
ULONG              dwOutputBufferLength;
ULONG              dwIoControlCode;
PULONG             pvIOBuffer;
NTSTATUS           ntStatus;
// 填充几个默认值
Irp->IoStatus.Status = STATUS_SUCCESS;    // 返回状态
Irp->IoStatus.Information = 0;            // 输出长度
IrpStack = IoGetCurrentIrpStackLocation(Irp);
// Get the pointer to the input/output buffer and it's length
// 输入输出共用的缓冲区
// 因为我们在IOCTL中指定了METHOD_BUFFERED，
pvIOBuffer = Irp->AssociatedIrp.SystemBuffer;
switch (IrpStack->MajorFunction)
{
case IRP_MJ_CREATE:        // 与WIN32应用程序中的CreateFile对应
break;
case IRP_MJ_CLOSE:        // 与WIN32应用程序中的CloseHandle对应
break;
case IRP_MJ_DEVICE_CONTROL:        // 与WIN32应用程序中的DeviceIoControl对应
dwIoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
switch (dwIoControlCode)
{
// 我们约定，缓冲区共两个DWORD，第一个DWORD为端口，第二个DWORD为数据
// 一般做法是专门定义一个结构，此处简单化处理了
case IOCTL_MYPORT_READ_BYTE:        // 从端口读字节
pvIOBuffer[1] = _inp(pvIOBuffer[0]);
Irp->IoStatus.Information = 8;  // 输出长度为8
break;
case IOCTL_MYPORT_WRITE_BYTE:       // 写字节到端口
_outp(pvIOBuffer[0], pvIOBuffer[1]);
break;
default:        // 不支持的IOCTL
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
}
}
ntStatus = Irp->IoStatus.Status;
IoCompleteRequest (Irp, IO_NO_INCREMENT);
return ntStatus;
}
// 删除驱动
void MyPortUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING uniDOSString;
if(pIOPM)
{
// 释放IOPM占用的空间
MmFreeNonCachedMemory(pIOPM, sizeof(IOPM));
}
RtlInitUnicodeString(&uniDOSString, DOSNameBuffer);
// 删除符号连接和设备
IoDeleteSymbolicLink (&uniDOSString);
IoDeleteDevice(DriverObject->DeviceObject);
}

下面给出实现设备驱动程序的动态加载的源码。动态加载的好处是，你不用做任何添加新硬件的操作，也不用编辑注册表，更不用重新启动计算机。

// 安装驱动并启动服务
// lpszDriverPath:  驱动程序路径
// lpszServiceName: 服务名 
BOOL StartDriver(LPCTSTR lpszDriverPath, LPCTSTR lpszServiceName)
{
SC_HANDLE hSCManager;        // 服务控制管理器句柄
SC_HANDLE hService;          // 服务句柄
DWORD dwLastError;           // 错误码
BOOL bResult = FALSE;        // 返回值
// 打开服务控制管理器
hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hSCManager)
{
// 创建服务
hService = CreateService(hSCManager,
lpszServiceName,
lpszServiceName,
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
lpszDriverPath,
NULL,
NULL,
NULL,
NULL,
NULL);
if (hService == NULL)
{
if (::GetLastError() == ERROR_SERVICE_EXISTS)
{
hService = ::OpenService(hSCManager, lpszServiceName, SERVICE_ALL_ACCESS);
}
}
if (hService)
{
// 启动服务
bResult = StartService(hService, 0, NULL);
// 关闭服务句柄
CloseServiceHandle(hService);
}
// 关闭服务控制管理器句柄
CloseServiceHandle(hSCManager);
}
return bResult;
}
// 停止服务并卸下驱动
// lpszServiceName: 服务名 
BOOL StopDriver(LPCTSTR lpszServiceName)
{
SC_HANDLE hSCManager;        // 服务控制管理器句柄
SC_HANDLE hService;          // 服务句柄
BOOL bResult;                // 返回值
SERVICE_STATUS ServiceStatus;
bResult = FALSE;
// 打开服务控制管理器
hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hSCManager)
{
// 打开服务
hService = OpenService(hSCManager, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
// 停止服务
bResult = ControlService(hService, SERVICE_CONTROL_STOP, &ServiceStatus);
// 删除服务
bResult = bResult && DeleteService(hService);
// 关闭服务句柄
CloseServiceHandle(hService);
}
// 关闭服务控制管理器句柄
CloseServiceHandle(hSCManager);
}
return bResult;
}

应用程序实现端口I/O的接口如下：

// 全局的设备句柄
HANDLE hMyPort;
// 打开设备
// lpszDevicePath: 设备的路径
HANDLE OpenDevice(LPCTSTR lpszDevicePath)
{
HANDLE hDevice;
// 打开设备
hDevice = ::CreateFile(lpszDevicePath,    // 设备路径
GENERIC_READ | GENERIC_WRITE,        // 读写方式
FILE_SHARE_READ | FILE_SHARE_WRITE,  // 共享方式
NULL,                    // 默认的安全描述符
OPEN_EXISTING,           // 创建方式
0,                       // 不需设置文件属性
NULL);                   // 不需参照模板文件
return hDevice;
}
// 打开端口驱动
BOOL OpenMyPort()
{
BOOL bResult;
// 设备名为"MyPort"，驱动程序位于Windows的"system32\drivers"目录中
bResult = StartDriver("system32\\drivers\\MyPort.sys", "MyPort");
// 设备路径为"\\.\MyPort"
if (bResult)
{
hMyPort = OpenDevice("\\\\.\\MyPort");
}
return (bResult && (hMyPort != INVALID_HANDLE_VALUE));
}
// 关闭端口驱动
BOOL CloseMyPort()
{
return (CloseHandle(hMyPort) && StopDriver("MyPort"));
}
// 从指定端口读一个字节
// port: 端口
BYTE ReadPortByte(WORD port)
{
DWORD buf[2];            // 输入输出缓冲区            
DWORD dwOutBytes;        // IOCTL输出数据长度
buf[0] = port;           // 第一个DWORD是端口
//  buf[1] = 0;              // 第二个DWORD是数据
// 用IOCTL_MYPORT_READ_BYTE读端口
::DeviceIoControl(hMyPort,   // 设备句柄
IOCTL_MYPORT_READ_BYTE,  // 取设备属性信息
buf, sizeof(buf),        // 输入数据缓冲区
buf, sizeof(buf),        // 输出数据缓冲区
&dwOutBytes,             // 输出数据长度
(LPOVERLAPPED)NULL);     // 用同步I/O    
return (BYTE)buf[1];
}
// 将一个字节写到指定端口
// port: 端口
// data: 字节数据
void WritePortByte(WORD port, BYTE data)
{
DWORD buf[2];            // 输入输出缓冲区            
DWORD dwOutBytes;        // IOCTL输出数据长度
buf[0] = port;           // 第一个DWORD是端口
buf[1] = data;           // 第二个DWORD是数据
// 用IOCTL_MYPORT_WRITE_BYTE写端口
::DeviceIoControl(hMyPort,   // 设备句柄
IOCTL_MYPORT_WRITE_BYTE, // 取设备属性信息
buf, sizeof(buf),        // 输入数据缓冲区
buf, sizeof(buf),        // 输出数据缓冲区
&dwOutBytes,             // 输出数据长度
(LPOVERLAPPED)NULL);     // 用同步I/O
}

有了ReadPortByte和WritePortByte这两个函数，我们就能很容易地操纵CMOS和speaker了(关于CMOS值的含义以及定时器寄存器定义，请参考相应的硬件资料)：

// 0x70是CMOS索引端口(只写)
// 0x71是CMOS数据端口
BYTE ReadCmos(BYTE index)
{
BYTE data;
::WritePortByte(0x70, index);
data = ::ReadPortByte(0x71);
return data;
}
// 0x61是speaker控制端口
// 0x43是8253/8254定时器控制端口
// 0x42是8253/8254定时器通道2的端口
void Sound(DWORD freq)
{
BYTE data;
if ((freq >= 20) && (freq <= 20000))
{
freq = 1193181 / freq;
data = ::ReadPortByte(0x61);
if ((data & 3) == 0)
{
::WritePortByte(0x61, data | 3);
::WritePortByte(0x43, 0xb6);
}
::WritePortByte(0x42, (BYTE)(freq % 256));
::WritePortByte(0x42, (BYTE)(freq / 256));
}
}
void NoSound(void)
{
BYTE data;
data = ::ReadPortByte(0x61);
::WritePortByte(0x61, data & 0xfc);
}

// 以下读出CMOS 128个字节
for (int i = 0; i < 128; i++)
{
BYTE data = ::ReadCmos(i);
... ...
}
// 以下用C调演奏“多-来-米”
// 1 = 262 Hz
::Sound(262);
::Sleep(200);
::NoSound();
// 2 = 288 Hz
::Sound(288);
::Sleep(200);
::NoSound();
// 3 = 320 Hz
::Sound(320);
::Sleep(200);
::NoSound();

Q 就是个简单的端口I/O，这么麻烦才能实现，搞得俺头脑稀昏，有没有简洁明了的办法啊？

A 上面的例子，之所以从编写驱动程序，到安装驱动，到启动服务，到打开设备，到访问设备，一直到读写端口，这样一路下来，是为了揭示在NT/2000/XP中硬件访问技术的本质。假如将所有过程封装起来，只提供OpenMyPort, CloseMyPort, ReadPortByte, WritePortByte甚至更高层的ReadCmos、WriteCmos、Sound、NoSound给你调用，是不是会感觉清爽许多？

实际上，我们平常做的基于一定硬件的二次开发，一般会先安装驱动程序(DRV)和用户接口的运行库(DLL)，然后在此基础上开发出我们的应用程序(APP)。DRV、DLL、APP三者分别运行在核心态、核心态/用户态联络带、用户态。比如买了一块图象采集卡，要先安装核心驱动，它的“Development Tool Kit”，提供类似于PCV_Initialize, PCV_Capture等的API，就是扮演核心态和用户态联络员的角色。我们根本不需要CreateFile、CloseHandle、 DeviceIOControl、ReadFile、WriteFile等较低层次的直接调用。

Yariv Kaplan写过一个WinIO的例子，能实现对物理端口和内存的访问，提供了DRV、DLL、APP三方面的源码，有兴趣的话可以深入研究一下。

[相关资源]