Archive for July 22nd, 2010

Reading Notebook: 19-July-10

Thursday, July 22nd, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Viewing the loaded driver list (pp. 546 - 547) - if we don’t see company information in lmv command output we can examine raw driver data like in this pattern: http://www.dumpanalysis.org/blog/index.php/2007/08/16/crash-dump-analysis-patterns-part-22/

DriverEntry (p. 548) - consider this as similar to main (console) or WinMain (Win32). For example, if you are writing a Windows service you have to register certain functions with SCM.

Dispatch routines (p. 548) - if you know C++ consider them as class functions for a device object where DeviceObject is a this parameter (C++ class function implementation in C where an implicit this becomes the first function argument):

NTSTATUS (*PDRIVER_DISPATCH) (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

and a driver object can be seen as a container for a virtual function table (vtable) for a device object (purely from implementation perspective): devObj->DriverObject->MajorFunction[IRP_MJ_XXX]

Relationship between device and driver objects (pp. 553 - 554) - long time ago when I was preparing a presentation about Windows drivers for escalation engineers I created some UML diagrams you can see in the following blog post: http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/ 

AttachedDevice vs. AttachedTo (p.554)

File object structure and extension (pp. 556 - 557) - Here are driver, device and file object structures from x64 W2K8:

0: kd> dt _DRIVER_OBJECT
ntdll!_DRIVER_OBJECT
+0x000 Type             : Int2B
+0x002 Size             : Int2B
+0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
+0x010 Flags            : Uint4B
+0x018 DriverStart      : Ptr64 Void
+0x020 DriverSize       : Uint4B
+0x028 DriverSection    : Ptr64 Void
+0x030 DriverExtension  : Ptr64 _DRIVER_EXTENSION
+0x038 DriverName       : _UNICODE_STRING
+0x048 HardwareDatabase : Ptr64 _UNICODE_STRING
+0x050 FastIoDispatch   : Ptr64 _FAST_IO_DISPATCH
+0x058 DriverInit       : Ptr64     long
+0x060 DriverStartIo    : Ptr64     void
+0x068 DriverUnload     : Ptr64     void
+0x070 MajorFunction    : [28] Ptr64     long

0: kd> dt _DEVICE_OBJECT
ntdll!_DEVICE_OBJECT
+0x000 Type             : Int2B
+0x002 Size             : Uint2B
+0x004 ReferenceCount   : Int4B
+0x008 DriverObject     : Ptr64 _DRIVER_OBJECT
+0x010 NextDevice       : Ptr64 _DEVICE_OBJECT
+0x018 AttachedDevice   : Ptr64 _DEVICE_OBJECT
+0x020 CurrentIrp       : Ptr64 _IRP
+0x028 Timer            : Ptr64 _IO_TIMER
+0x030 Flags            : Uint4B
+0x034 Characteristics  : Uint4B
+0x038 Vpb              : Ptr64 _VPB
+0x040 DeviceExtension  : Ptr64 Void
+0x048 DeviceType       : Uint4B
+0x04c StackSize        : Char
+0x050 Queue            : <unnamed-tag>
+0x098 AlignmentRequirement : Uint4B
+0x0a0 DeviceQueue      : _KDEVICE_QUEUE
+0x0c8 Dpc              : _KDPC
+0x108 ActiveThreadCount : Uint4B
+0x110 SecurityDescriptor : Ptr64 Void
+0x118 DeviceLock       : _KEVENT
+0x130 SectorSize       : Uint2B
+0x132 Spare1           : Uint2B
+0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION
+0x140 Reserved         : Ptr64 Void

0: kd> dt _FILE_OBJECT
ntdll!_FILE_OBJECT
+0x000 Type             : Int2B
+0x002 Size             : Int2B
+0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
+0x010 Vpb              : Ptr64 _VPB
+0x018 FsContext        : Ptr64 Void
+0x020 FsContext2       : Ptr64 Void
+0x028 SectionObjectPointer : Ptr64 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap  : Ptr64 Void
+0x038 FinalStatus      : Int4B
+0x040 RelatedFileObject : Ptr64 _FILE_OBJECT
+0x048 LockOperation    : UChar
+0x049 DeletePending    : UChar
+0x04a ReadAccess       : UChar
+0x04b WriteAccess      : UChar
+0x04c DeleteAccess     : UChar
+0x04d SharedRead       : UChar
+0x04e SharedWrite      : UChar
+0x04f SharedDelete     : UChar
+0x050 Flags            : Uint4B
+0x058 FileName         : _UNICODE_STRING
+0x068 CurrentByteOffset : _LARGE_INTEGER
+0x070 Waiters          : Uint4B
+0x074 Busy             : Uint4B
+0x078 LastLock         : Ptr64 Void
+0x080 Lock             : _KEVENT
+0x098 Event            : _KEVENT
+0x0b0 CompletionContext : Ptr64 _IO_COMPLETION_CONTEXT
+0x0b8 IrpListLock      : Uint8B
+0x0c0 IrpList          : _LIST_ENTRY
+0x0d0 FileObjectExtension : Ptr64 Void

WDPF book is available on Kindle platform

Thursday, July 22nd, 2010

I’m pleased to announce that my book Windows Debugging: Practical Foundations is available on Amazon Kindle platform. It has been reformatted and edited to make it fit into the smallest Kindle device and pictures were specifically tailored to improve their viewing experience. The price has dropped to $9.99 (excluding possible VAT and international delivery if any). Please let me know if you have any problems with the content and I make any changes as soon as possible.

Windows Debugging: Practical Foundations (Kindle Edition)

Buy Kindle from Amazon

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Icons for Memory Dump Analysis Patterns (Part 60)

Thursday, July 22nd, 2010

Today we introduce an icon for High Contention (processors) pattern:

B/W

Color

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -