The driver entry function DriverEntry
2022-02-24
DriverEntry is the entry function of a Windows kernel driver. Its prototype is:
NTSTATUS DriverEntry(__in PDRIVER_OBJECT drvobj, __in PUNICODE_STRING RegistryPath);
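It takes two parameters: a pointer to the driver's object structure, and the registry path string of the driver's service.
The most basic task in DriverEntry is to initialize the callback function pointers in PDRIVER_OBJECT drvobj.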
typedef struct _DRIVER_OBJECT {
    CSHORT Type;
    CSHORT Size;

    //
    // The following links all of the devices created by a single driver
    // together on a list, and the Flags word provides an extensible flag
    // location for driver objects.
    //
    PDEVICE_OBJECT DeviceObject;
    ULONG Flags;

    //
    // The following section describes where the driver is loaded. The count
    // field is used to count the number of times the driver has had its
    // registered reinitialization routine invoked.
    //
    PVOID DriverStart;
    ULONG DriverSize;
    PVOID DriverSection;
    PDRIVER_EXTENSION DriverExtension;

    //
    // The driver name field is used by the error log thread
    // determine the name of the driver that an I/O request is/was bound.
    //
    UNICODE_STRING DriverName;

    //
    // The following section is for registry support. This is a pointer
    // to the path to the hardware information in the registry
    //
    PUNICODE_STRING HardwareDatabase;

    //
    // The following section contains the optional pointer to an array of
    // alternate entry points to a driver for "fast I/O" support. Fast I/O
    // is performed by invoking the driver routine directly with separate
    // parameters, rather than using the standard IRP call mechanism. Note
    // that these functions may only be used for synchronous I/O, and when
    // the file is cached.
    //
    PFAST_IO_DISPATCH FastIoDispatch;

    //
    // The following section describes the entry points to this particular
    // driver. Note that the major function dispatch table must be the last
    // field in the object so that it remains extensible.
    //
    PDRIVER_INITIALIZE DriverInit;
    PDRIVER_STARTIO DriverStartIo;
    PDRIVER_UNLOAD DriverUnload;
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT;
typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;
Taking the USBIP driver as an example, we break in DriverEntry and look at the members of this structure.
kd> dt _DRIVER_OBJECT 0xffffbc88`3db017d0
usbip_vhci!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n336
+0x008 DeviceObject : (null)
+0x010 Flags : 2
+0x018 DriverStart : 0xfffff807`b5c30000 Void
+0x020 DriverSize : 0x1f000
+0x028 DriverSection : 0xffffbc88`3d0afb40 Void
+0x030 DriverExtension : 0xffffbc88`3db01920 _DRIVER_EXTENSION
+0x038 DriverName : _UNICODE_STRING "\Driver\usbip_vhci"
+0x048 HardwareDatabase : 0xfffff803`655c2eb8 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x050 FastIoDispatch : (null)
+0x058 DriverInit : 0xfffff807`b5c38050 long usbip_vhci!FxDriverEntry+0
+0x060 DriverStartIo : (null)
+0x068 DriverUnload : (null)
+0x070 MajorFunction : [28] 0xfffff803`64ebf6b4 long nt!KeInsertQueue+0
2: kd> dt _DRIVER_EXTENSION 0xffffbc88`3db01920
usbip_vhci!_DRIVER_EXTENSION
+0x000 DriverObject : 0xffffbc88`3db017d0 _DRIVER_OBJECT
+0x008 AddDevice : (null)
+0x010 Count : 0
+0x018 ServiceKeyName : _UNICODE_STRING "usbip_vhci"
The registry information passed in PUNICODE_STRING RegistryPath looks like this:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbip_vhci
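
As an added example (not part of the original post), the script below reads the `dt _DRIVER_OBJECT` dump shown above and reports, for each entry point, whether it is unset or whether it points inside the driver's own image range, DriverStart to DriverStart + DriverSize. The sample text is constructed from the lines of that dump; the function names are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the dt _DRIVER_OBJECT dump above.
DUMP = r"""
+0x008 DeviceObject : (null)
+0x018 DriverStart : 0xfffff807`b5c30000 Void
+0x020 DriverSize : 0x1f000
+0x050 FastIoDispatch : (null)
+0x058 DriverInit : 0xfffff807`b5c38050 long usbip_vhci!FxDriverEntry+0
+0x060 DriverStartIo : (null)
+0x068 DriverUnload : (null)
+0x070 MajorFunction : [28] 0xfffff803`64ebf6b4 long nt!KeInsertQueue+0
"""

# "+0xNNN Name : value" lines as printed by the debugger's dt command.
FIELD = re.compile(r"^\+0x[0-9a-f]+[ \t]+(\w+)[ \t]+:[ \t]+(.*)$", re.M)
# Addresses are printed with a backtick between the high and low 32 bits.
ADDR = re.compile(r"0x[0-9a-f`]+", re.I)
ENTRY_POINTS = ("DriverInit", "DriverStartIo", "DriverUnload", "MajorFunction")


def parse_fields(dump):
    """Map field name -> integer value, or None when the field is (null)."""
    fields = {}
    for name, value in FIELD.findall(dump):
        match = ADDR.search(value)
        fields[name] = int(match.group().replace("`", ""), 16) if match else None
    return fields


def classify_entry_points(dump):
    """Label each entry point 'unset', 'in-image' or 'outside-image'."""
    f = parse_fields(dump)
    start = f["DriverStart"]
    end = start + f["DriverSize"]
    result = {}
    for name in ENTRY_POINTS:
        ptr = f.get(name)
        if ptr is None:
            result[name] = "unset"
        else:
            result[name] = "in-image" if start <= ptr < end else "outside-image"
    return result


if __name__ == "__main__":
    for name, state in classify_entry_points(DUMP).items():
        print(f"{name:14} {state}")
```

The `outside-image` result for MajorFunction is expected here: the dump was taken on entry to DriverEntry, before the driver has assigned its own dispatch routines, so the table still holds the kernel's default handler. Run against a dump taken after initialization, the same check shows which callbacks the driver actually registered.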