Reading Notebook: 19-July-10
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Viewing the loaded driver list (pp. 546 - 547) - if we don’t see company information in lmv command output we can examine raw driver data like in this pattern: http://www.dumpanalysis.org/blog/index.php/2007/08/16/crash-dump-analysis-patterns-part-22/
DriverEntry (p. 548) - consider this as similar to main (console) or WinMain (Win32). For example, if you are writing a Windows service you have to register certain functions with SCM.
Dispatch routines (p. 548) - if you know C++ consider them as class functions for a device object where DeviceObject is a this parameter (C++ class function implementation in C where an implicit this becomes the first function argument):
NTSTATUS (*PDRIVER_DISPATCH) (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
and a driver object can be seen as a container for a virtual function table (vtable) for a device object (purely from implementation perspective): devObj->DriverObject->MajorFunction[IRP_MJ_XXX]
Relationship between device and driver objects (pp. 553 - 554) - long time ago when I was preparing a presentation about Windows drivers for escalation engineers I created some UML diagrams you can see in the following blog post: http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/
AttachedDevice vs. AttachedTo (p.554)
File object structure and extension (pp. 556 - 557) - Here are driver, device and file object structures from x64 W2K8:
0: kd> dt _DRIVER_OBJECT
ntdll!_DRIVER_OBJECT
+0x000 Type : Int2B
+0x002 Size : Int2B
+0x008 DeviceObject : Ptr64 _DEVICE_OBJECT
+0x010 Flags : Uint4B
+0x018 DriverStart : Ptr64 Void
+0x020 DriverSize : Uint4B
+0x028 DriverSection : Ptr64 Void
+0x030 DriverExtension : Ptr64 _DRIVER_EXTENSION
+0x038 DriverName : _UNICODE_STRING
+0x048 HardwareDatabase : Ptr64 _UNICODE_STRING
+0x050 FastIoDispatch : Ptr64 _FAST_IO_DISPATCH
+0x058 DriverInit : Ptr64 long
+0x060 DriverStartIo : Ptr64 void
+0x068 DriverUnload : Ptr64 void
+0x070 MajorFunction : [28] Ptr64 long
0: kd> dt _DEVICE_OBJECT
ntdll!_DEVICE_OBJECT
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 ReferenceCount : Int4B
+0x008 DriverObject : Ptr64 _DRIVER_OBJECT
+0x010 NextDevice : Ptr64 _DEVICE_OBJECT
+0x018 AttachedDevice : Ptr64 _DEVICE_OBJECT
+0x020 CurrentIrp : Ptr64 _IRP
+0x028 Timer : Ptr64 _IO_TIMER
+0x030 Flags : Uint4B
+0x034 Characteristics : Uint4B
+0x038 Vpb : Ptr64 _VPB
+0x040 DeviceExtension : Ptr64 Void
+0x048 DeviceType : Uint4B
+0x04c StackSize : Char
+0x050 Queue : <unnamed-tag>
+0x098 AlignmentRequirement : Uint4B
+0x0a0 DeviceQueue : _KDEVICE_QUEUE
+0x0c8 Dpc : _KDPC
+0x108 ActiveThreadCount : Uint4B
+0x110 SecurityDescriptor : Ptr64 Void
+0x118 DeviceLock : _KEVENT
+0x130 SectorSize : Uint2B
+0x132 Spare1 : Uint2B
+0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION
+0x140 Reserved : Ptr64 Void
0: kd> dt _FILE_OBJECT
ntdll!_FILE_OBJECT
+0x000 Type : Int2B
+0x002 Size : Int2B
+0x008 DeviceObject : Ptr64 _DEVICE_OBJECT
+0x010 Vpb : Ptr64 _VPB
+0x018 FsContext : Ptr64 Void
+0x020 FsContext2 : Ptr64 Void
+0x028 SectionObjectPointer : Ptr64 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : Ptr64 Void
+0x038 FinalStatus : Int4B
+0x040 RelatedFileObject : Ptr64 _FILE_OBJECT
+0x048 LockOperation : UChar
+0x049 DeletePending : UChar
+0x04a ReadAccess : UChar
+0x04b WriteAccess : UChar
+0x04c DeleteAccess : UChar
+0x04d SharedRead : UChar
+0x04e SharedWrite : UChar
+0x04f SharedDelete : UChar
+0x050 Flags : Uint4B
+0x058 FileName : _UNICODE_STRING
+0x068 CurrentByteOffset : _LARGE_INTEGER
+0x070 Waiters : Uint4B
+0x074 Busy : Uint4B
+0x078 LastLock : Ptr64 Void
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : Ptr64 _IO_COMPLETION_CONTEXT
+0x0b8 IrpListLock : Uint8B
+0x0c0 IrpList : _LIST_ENTRY
+0x0d0 FileObjectExtension : Ptr64 Void