IoCompleteRequest深入學習之一

 lkd> u IoCompleteRequest
; nt!IoCompleteRequest -- the exported stdcall entry point.
; C prototype: VOID IoCompleteRequest(PIRP Irp, CCHAR PriorityBoost)
; It only moves the two stack arguments into fastcall registers
; (ecx = Irp, dl = PriorityBoost) and calls through the pIofCompleteRequest
; function pointer; the real work is in nt!IopfCompleteRequest (dumped below).
nt!IoCompleteRequest:
804f04e2 8bff            mov     edi,edi                  ; hot-patch padding (2-byte nop), not a real move
804f04e4 55              push    ebp
804f04e5 8bec            mov     ebp,esp
804f04e7 8a550c          mov     dl,byte ptr [ebp+0Ch]    ; PriorityBoost (second stack arg) -> dl
804f04ea 8b4d08          mov     ecx,dword ptr [ebp+8]    ; Irp (first stack arg) -> ecx
804f04ed ff1504c85480    call    dword ptr [nt!pIofCompleteRequest (8054c804)]  ; indirect call through a data pointer (its value is dumped with dd below) -- worth verifying in integrity checks
804f04f3 5d              pop     ebp
804f04f4 c20800          ret     8                        ; stdcall: callee pops the two dword arguments

逆向為 C 代碼：
/*
 * IoCompleteRequest -- thin stdcall wrapper.
 * It does nothing itself: the call is forwarded through the function
 * pointer pIofCompleteRequest (fastcall: ecx = Irp, dl = PriorityBoost),
 * which in the dump above points at nt!IopfCompleteRequest.
 */
VOID IoCompleteRequest(IN PIRP Irp, IN CCHAR PriorityBoost)
{
    (*pIofCompleteRequest)(Irp, PriorityBoost);
}


可以看出 pIofCompleteRequest 是一個函數指針。我們看看這個函數指針的值，它是 804f15d2。

lkd> dd 8054c804
8054c804 804f15d2 804f0d12 804ef3dc 00000000
8054c814 00000000 00000000 00000000 00000000

因此我們繼續看看 804f15d2 處的彙編碼：
lkd> uf 804f15d2
; nt!IopfCompleteRequest -- fastcall target of the pIofCompleteRequest pointer.
; In:     ecx = Irp, dl = PriorityBoost (see the IoCompleteRequest stub above)
; Locals: [ebp-1]   = saved SL_PENDING_RETURNED bit; later reused for the saved IRQL
;         [ebp-8]   = PriorityBoost
;         [ebp-0Ch] = saved AuxiliaryBuffer (reparse special case), 0 otherwise
;         [ebp-10h] = Irp->Tail.Overlay.OriginalFileObject
; ebx is zeroed once at entry and used as the constant 0 (NULL / FALSE) below.
; Structure: validate the IRP (bug check on failure), walk the remaining
; IO_STACK_LOCATIONs invoking completion routines, then do the tail work
; (associated IRP, reparse handling, paging/close I/O, MDL unlock, APC queueing).
; The Irp->field annotations are the original author's reading of the offsets;
; the flag/status names are the documented constants whose values match the
; immediates -- confirm against ntddk.h / ntstatus.h / bugcodes.h.
nt!IopfCompleteRequest:
804f15d2 8bff            mov     edi,edi                  ; hot-patch padding
804f15d4 55              push    ebp
804f15d5 8bec            mov     ebp,esp
804f15d7 83ec10          sub     esp,10h                  ; 16 bytes of locals (see header)
804f15da 53              push    ebx
804f15db 56              push    esi
804f15dc 8bf1            mov     esi,ecx                  ;IN PIRP Irp (esi = Irp for the whole function)
804f15de 8a4e23          mov     cl,byte ptr [esi+23h]       ;cl = Irp->CurrentLocation
804f15e1 8955f8          mov     dword ptr [ebp-8],edx      ;PriorityBoost
804f15e4 8a5622          mov     dl,byte ptr [esi+22h]       ; dl = Irp->StackCount
804f15e7 33db            xor     ebx,ebx                  ; ebx = 0 from here on
804f15e9 fec2             inc     dl                      ; dl = StackCount + 1
804f15eb 3aca            cmp     cl,dl                    ; CurrentLocation vs StackCount + 1 (signed compare, CCHAR)
804f15ed 57              push    edi
804f15ee 895df4          mov     dword ptr [ebp-0Ch],ebx  ; saved AuxiliaryBuffer = NULL
804f15f1 0f8f91020000    jg      nt!IopfCompleteRequest+0x2b6 (804f1888)
; CurrentLocation already past the last location: this is what bug check 0x44
; (MULTIPLE_IRP_COMPLETE_REQUESTS) reports -- the IRP was completed before.

nt!IopfCompleteRequest+0x25:
804f15f7 66833e06        cmp     word ptr [esi],6      ;Irp->Type must be IO_TYPE_IRP (6)
804f15fb 0f8587020000    jne     nt!IopfCompleteRequest+0x2b6 (804f1888)  ; not an IRP -> bug check

//the completion-routine loop starts here
nt!IopfCompleteRequest+0x2f:
804f1601 8b7e60          mov     edi,dword ptr [esi+60h];
;edi = Irp->Tail.Overlay.CurrentStackLocation (the location whose completion routine is examined)

804f1604 fec1            inc     cl ;Irp->CurrentLocation++
804f1606 3aca            cmp     cl,dl                    ; CurrentLocation vs StackCount + 1
804f1608 8d4724          lea     eax,[edi+24h]
; eax points to the next IO_STACK_LOCATION (stride 24h bytes); lea preserves the flags

804f160b 884e23          mov     byte ptr [esi+23h],cl ;Irp->CurrentLocation
804f160e 894660          mov     dword ptr [esi+60h],eax
;Irp->Tail.Overlay.CurrentStackLocation++

804f1611 0f8fab000000    jg      nt!IopfCompleteRequest+0xf0 (804f16c2)  ; no location left to process -> post-loop work

nt!IopfCompleteRequest+0x45:
804f1617 83c703          add     edi,3
;edi = &CurrentStackLocation->Control (all [edi+x] offsets below are relative to Control)

nt!IopfCompleteRequest+0x48:                                ; loop body; the back-jump at +0xea lands here
804f161a 8a17            mov     dl,byte ptr [edi]
; dl = Irp->Tail.Overlay.CurrentStackLocation.Control

804f161c 80e201          and     dl,1                     ; keep only SL_PENDING_RETURNED
804f161f 395e18          cmp     dword ptr [esi+18h],ebx ;Irp->IoStatus.Status vs 0 (signed; consumed by the jl below)
804f1622 8855ff          mov     byte ptr [ebp-1],dl      ; save the pending bit for the "routine not invoked" path
804f1625 885621          mov     byte ptr [esi+21h],dl ;Irp->PendingReturned
804f1628 8a17            mov     dl,byte ptr [edi]
;dl = Irp->Tail.Overlay.CurrentStackLocation. Control

804f162a 7c07            jl      nt!IopfCompleteRequest+0x61 (804f1633)  ; Status < 0: NT error status

nt!IopfCompleteRequest+0x5a:                                ; success status
804f162c f6c240          test    dl,40h                   ; SL_INVOKE_ON_SUCCESS
804f162f 7510            jne     nt!IopfCompleteRequest+0x6f (804f1641)

nt!IopfCompleteRequest+0x5f:
804f1631 eb04            jmp     nt!IopfCompleteRequest+0x65 (804f1637)

nt!IopfCompleteRequest+0x61:                                ; error status
804f1633 84d2            test    dl,dl
;dl = Irp->Tail.Overlay.CurrentStackLocation. Control; the sign bit (80h) is SL_INVOKE_ON_ERROR

804f1635 780a            js      nt!IopfCompleteRequest+0x6f (804f1641)

nt!IopfCompleteRequest+0x65:
804f1637 385e24          cmp     byte ptr [esi+24h],bl ;Irp->Cancel
804f163a 7444            je      nt!IopfCompleteRequest+0xae (804f1680)  ; not cancelled -> routine is not invoked

nt!IopfCompleteRequest+0x6a:
804f163c f6c220          test    dl,20h                   ; SL_INVOKE_ON_CANCEL
;dl = Irp->Tail.Overlay.CurrentStackLocation. Control
804f163f 743f            je      nt!IopfCompleteRequest+0xae (804f1680)

nt!IopfCompleteRequest+0x6f:                                ; invoke the completion routine
; Clear the stack location first. With edi = &Control this covers, consistent with the
; documented IO_STACK_LOCATION layout, MinorFunction (edi-2), Flags (edi-1), Control (edi),
; the four Parameters dwords (edi+1 .. edi+0Dh) and FileObject (edi+15h); DeviceObject,
; CompletionRoutine and Context (edi+11h, edi+19h, edi+1Dh) are left intact.
804f1641 885ffe          mov     byte ptr [edi-2],bl ;edi was advanced by 3 above, hence the negative offsets here
804f1644 885fff          mov     byte ptr [edi-1],bl
804f1647 881f            mov     byte ptr [edi],bl
804f1649 895f01          mov     dword ptr [edi+1],ebx
804f164c 895f05          mov     dword ptr [edi+5],ebx
804f164f 895f09          mov     dword ptr [edi+9],ebx
804f1652 895f0d          mov     dword ptr [edi+0Dh],ebx
804f1655 895f15          mov     dword ptr [edi+15h],ebx

804f1658 8a4622          mov     al,byte ptr [esi+22h] ;Irp->StackCount
804f165b fec0            inc     al
804f165d 384623          cmp     byte ptr [esi+23h],al ;Irp->CurrentLocation == StackCount + 1 ?
804f1660 7504            jne     nt!IopfCompleteRequest+0x94 (804f1666)

nt!IopfCompleteRequest+0x90:
804f1662 33c0            xor     eax,eax                  ; no next location: DeviceObject argument = NULL
804f1664 eb06            jmp     nt!IopfCompleteRequest+0x9a (804f166c)

nt!IopfCompleteRequest+0x94:
804f1666 8b4660          mov     eax,dword ptr [esi+60h];
;eax= Irp->Tail.Overlay.CurrentStackLocation.
804f1669 8b4014          mov     eax,dword ptr [eax+14h]
;eax = Irp->Tail.Overlay.CurrentStackLocation.DeviceObject

nt!IopfCompleteRequest+0x9a:
; stdcall CompletionRoutine(DeviceObject, Irp, Context) -- arguments pushed right to left
804f166c ff771d          push    dword ptr [edi+1Dh]
; Irp->Tail.Overlay.CurrentStackLocation.Context
804f166f 56              push    esi
804f1670 50              push    eax
804f1671 ff5719          call    dword ptr [edi+19h]
; Irp->Tail.Overlay.CurrentStackLocation.CompletionRoutine (driver-supplied pointer, called indirectly)

804f1674 3d160000c0      cmp     eax,0C0000016h           ; STATUS_MORE_PROCESSING_REQUIRED
804f1679 752a            jne     nt!IopfCompleteRequest+0xd3 (804f16a5)
; the routine kept the IRP: return immediately without touching it again

nt!IopfCompleteRequest+0xa9:      ;exit -- common epilogue for every path
804f167b 5f              pop     edi
804f167c 5e              pop     esi
804f167d 5b              pop     ebx
804f167e c9              leave
804f167f c3              ret                              ; fastcall: nothing to pop from the stack

nt!IopfCompleteRequest+0xae:                                ; completion routine not invoked
804f1680 385dff          cmp     byte ptr [ebp-1],bl      ; saved SL_PENDING_RETURNED bit
804f1683 7409            je      nt!IopfCompleteRequest+0xbc (804f168e)

nt!IopfCompleteRequest+0xb3:
804f1685 3a4e22          cmp     cl,byte ptr [esi+22h];Irp->CurrentLocation vs Irp->StackCount
804f1688 7f04            jg      nt!IopfCompleteRequest+0xbc (804f168e)  ; beyond the last location: nothing to propagate to

nt!IopfCompleteRequest+0xb8:
804f168a 80480301        or      byte ptr [eax+3],1       ; eax = new CurrentStackLocation: set its SL_PENDING_RETURNED (propagates pending up the stack)

nt!IopfCompleteRequest+0xbc:    //zero the stack location (same fields as at +0x6f)
804f168e 885ffe          mov     byte ptr [edi-2],bl
804f1691 885fff          mov     byte ptr [edi-1],bl
804f1694 881f            mov     byte ptr [edi],bl
804f1696 895f01          mov     dword ptr [edi+1],ebx
804f1699 895f05          mov     dword ptr [edi+5],ebx
804f169c 895f09          mov     dword ptr [edi+9],ebx
804f169f 895f0d          mov     dword ptr [edi+0Dh],ebx
804f16a2 895f15          mov     dword ptr [edi+15h],ebx

nt!IopfCompleteRequest+0xd3:                                ; loop increment
804f16a5 83466024        add     dword ptr [esi+60h],24h //loop step: Irp->Tail.Overlay.CurrentStackLocation++
804f16a9 8b4660          mov     eax,dword ptr [esi+60h]  ; eax = new CurrentStackLocation (used at +0xb8 on the next pass)
804f16ac 83c724          add     edi,24h                  ; edi stays at &Control of the location being processed
804f16af fe4623          inc     byte ptr [esi+23h] ;Irp->CurrentLocation
804f16b2 8a5622          mov     dl,byte ptr [esi+22h];Irp->StackCount
804f16b5 8a4e23          mov     cl,byte ptr [esi+23h]
804f16b8 fec2            inc     dl
804f16ba 3aca            cmp     cl,dl
804f16bc 0f8e58ffffff    jle     nt!IopfCompleteRequest+0x48 (804f161a) //back-jump: while (CurrentLocation <= StackCount + 1); skips the add edi,3
//the code above is the completion-routine loop.

nt!IopfCompleteRequest+0xf0:                                ; every stack location has been processed
804f16c2 f6460808        test    byte ptr [esi+8],8 ;Irp->Flags & IRP_ASSOCIATED_IRP
804f16c6 7428            je      nt!IopfCompleteRequest+0x11e (804f16f0)

nt!IopfCompleteRequest+0xf6:                                ; associated IRP: release it, then finish the master if this was the last one
804f16c8 8b7e0c          mov     edi,dword ptr [esi+0Ch]
; Irp->AssociatedIrp.MasterIrp
804f16cb 6a0a            push    0Ah
804f16cd 8d570c          lea     edx,[edi+0Ch]            ; edx = &MasterIrp->AssociatedIrp (presumably IrpCount in the master; same union slot)
804f16d0 59              pop     ecx                      ; ecx = 0Ah; looks like a queued spin-lock number (LockQueueIoDatabaseLock) -- confirm
804f16d1 e814310000      call    nt!IopInterlockedDecrementUlong (804f47ea)
804f16d6 56              push    esi
804f16d7 8bd8            mov     ebx,eax                  ; ebx = decrement result (ebx is no longer 0 on this path)
804f16d9 e85c2d0000      call    nt!IopFreeIrpAndMdls (804f443a)   ; this IRP is gone after this call; only edi (master) is used below
804f16de 83fb01          cmp     ebx,1
804f16e1 7598            jne     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x111:                               ; result == 1: presumably the last associated IRP -> complete the master
804f16e3 8a55f8          mov     dl,byte ptr [ebp-8]      ; PriorityBoost
804f16e6 8bcf            mov     ecx,edi                  ; MasterIrp
804f16e8 ff1504c85480    call    dword ptr [nt!pIofCompleteRequest (8054c804)]  ; recursive completion of the master IRP
804f16ee eb8b            jmp     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x11e:
804f16f0 817e1804010000 cmp     dword ptr [esi+18h],104h ;Irp->IoStatus.Status == STATUS_REPARSE ?
804f16f7 7521            jne     nt!IopfCompleteRequest+0x148 (804f171a)

nt!IopfCompleteRequest+0x127:
804f16f9 8b461c          mov     eax,dword ptr [esi+1Ch]  ; Irp->IoStatus.Information (the reparse tag)
804f16fc 83f801          cmp     eax,1
804f16ff 7619            jbe     nt!IopfCompleteRequest+0x148 (804f171a)  ; unsigned: Information <= 1 is not a reparse tag

nt!IopfCompleteRequest+0x12f:
804f1701 3d030000a0      cmp     eax,0A0000003h           ; IO_REPARSE_TAG_MOUNT_POINT
804f1706 750b            jne     nt!IopfCompleteRequest+0x141 (804f1713)

nt!IopfCompleteRequest+0x136:                               ; mount point: keep the buffer instead of freeing it at +0x148
804f1708 8b4654          mov     eax,dword ptr [esi+54h];
;Irp->Tail.Overlay.AuxiliaryBuffer
804f170b 8945f4          mov     dword ptr [ebp-0Ch],eax  ; saved; passed to the APC at +0x229/+0x269 or restored at +0x213
804f170e 895e54          mov     dword ptr [esi+54h],ebx  ; Irp->Tail.Overlay.AuxiliaryBuffer = NULL
804f1711 eb07            jmp     nt!IopfCompleteRequest+0x148 (804f171a)

nt!IopfCompleteRequest+0x141:
804f1713 c74618790200c0 mov     dword ptr [esi+18h],0C0000279h ;Irp->IoStatus.Status = STATUS_IO_REPARSE_TAG_NOT_HANDLED: any other tag is rejected here

nt!IopfCompleteRequest+0x148:
804f171a 8b4654          mov     eax,dword ptr [esi+54h]
;Irp->Tail.Overlay.AuxiliaryBuffer
804f171d 3bc3            cmp     eax,ebx
804f171f 740a            je      nt!IopfCompleteRequest+0x159 (804f172b)  ; NULL: nothing to free

nt!IopfCompleteRequest+0x14f:
804f1721 53              push    ebx ; Tag = 0
804f1722 50              push    eax ;eax = Irp->Tail.Overlay.AuxiliaryBuffer
804f1723 e8be360500      call    nt!ExFreePoolWithTag (80544de6)
804f1728 895e54          mov     dword ptr [esi+54h],ebx  ; clear the freed pointer in the IRP

nt!IopfCompleteRequest+0x159:
804f172b 8b4608          mov     eax,dword ptr [esi+8] ;Irp->Flags
804f172e 66a90204        test    ax,402h                  ; IRP_PAGING_IO | IRP_CLOSE_OPERATION
804f1732 747b            je      nt!IopfCompleteRequest+0x1dd (804f17af)  ; ordinary IRP -> MDL unlock and APC path

nt!IopfCompleteRequest+0x162:                               ; paging / close I/O: signalled in the kernel, no user-mode APC
804f1734 66a94004        test    ax,440h                  ; IRP_SYNCHRONOUS_PAGING_IO | IRP_CLOSE_OPERATION
804f1738 53              push    ebx //first push, i.e. the LAST stdcall argument: KeSetEvent Wait = FALSE, or KeInitializeApc NormalContext = NULL at +0x1b2
804f1739 7449            je      nt!IopfCompleteRequest+0x1b2 (804f1784)

nt!IopfCompleteRequest+0x169:                               ; synchronous: write the IOSB and set the event directly
804f173b 8b4e18          mov     ecx,dword ptr [esi+18h] ;Irp->IoStatus.Status
804f173e 83e042          and     eax,42h                  ; IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO
804f1741 8bf8            mov     edi,eax                  ; edi != 0 -> the IRP itself is freed after signalling
804f1743 8b4628          mov     eax,dword ptr [esi+28h] ;eax = Irp->UserIosb
804f1746 8908            mov     dword ptr [eax],ecx      ; UserIosb->Status (no probe here -- presumably kernel-owned for these IRPs; confirm)
804f1748 8b4e1c          mov     ecx,dword ptr [esi+1Ch]
;ecx = Irp->IoStatus.Information

804f174b 894804          mov     dword ptr [eax+4],ecx    ; UserIosb->Information
804f174e 0fbe45f8        movsx   eax,byte ptr [ebp-8]     ; PriorityBoost, sign-extended CCHAR -> int
804f1752 50              push    eax   //KeSetEvent Increment
804f1753 ff762c          push    dword ptr [esi+2Ch] ;Irp->UserEvent, KeSetEvent Event
804f1756 e8db870000      call    nt!KeSetEvent (804f9f36)
804f175b 3bfb            cmp     edi,ebx
804f175d 0f8418ffffff    je      nt!IopfCompleteRequest+0xa9 (804f167b) ;exit -- no paging flag set, the IRP is not freed here

nt!IopfCompleteRequest+0x191:
804f1763 3b35801d5580    cmp     esi,dword ptr [nt!IopReserveIrpAllocator (80551d80)]  ; is this the reserve IRP?
804f1769 750e            jne     nt!IopfCompleteRequest+0x1a7 (804f1779)

nt!IopfCompleteRequest+0x199:
804f176b ff75f8          push    dword ptr [ebp-8] //PriorityBoost (argument to IopFreeReserveIrp)
804f176e 56              push    esi
804f176f e886310000      call    nt!IopFreeReserveIrp (804f48fa)   ; hand the reserve IRP back rather than freeing it
804f1774 e902ffffff      jmp     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x1a7:
804f1779 56              push    esi
804f177a e84bdcffff      call    nt!IoFreeIrp (804ef3ca)
804f177f e9f7feffff      jmp     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x1b2:                               ; paging I/O that is not synchronous: finish in the issuing thread via a kernel APC
; stdcall KeInitializeApc(Apc, Thread, Environment, KernelRoutine, RundownRoutine,
;                         NormalRoutine, ProcessorMode, NormalContext); NormalContext was pushed at +0x162
804f1784 0fbe4626        movsx   eax,byte ptr [esi+26h] ;Irp->ApcEnvironment
804f1788 53              push    ebx                      ; ProcessorMode = KernelMode (0)
804f1789 53              push    ebx                      ; NormalRoutine = NULL
804f178a 53              push    ebx                      ; RundownRoutine = NULL
804f178b 6882424f80      push    offset nt!IopCompletePageWrite (804f4282)  ; KernelRoutine
804f1790 50              push    eax                      ; Environment
804f1791 ff7650          push    dword ptr [esi+50h] ;Irp->Tail.Overlay.Thread
804f1794 8d7e40          lea     edi,[esi+40h] ; Irp->Tail.Apc
804f1797 57              push    edi
804f1798 e835a20000      call    nt!KeInitializeApc (804fb9d2)
; stdcall KeInsertQueueApc(Apc, SystemArgument1, SystemArgument2, Increment)
804f179d 0fbe45f8        movsx   eax,byte ptr [ebp-8]     ; Increment = PriorityBoost
804f17a1 50              push    eax
804f17a2 53              push    ebx                      ; SystemArgument2 = 0
804f17a3 53              push    ebx                      ; SystemArgument1 = 0

nt!IopfCompleteRequest+0x1d2:                               ; shared tail; +0x229 jumps here with its own three arguments pushed
804f17a4 57              push    edi                      ; Apc
804f17a5 e88aa20000      call    nt!KeInsertQueueApc (804fba34)
804f17aa e9ccfeffff      jmp     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x1dd:                               ; ordinary (non-paging, non-close) IRP
804f17af 8b7e04          mov     edi,dword ptr [esi+4] ;Irp->MdlAddress
804f17b2 eb08            jmp     nt!IopfCompleteRequest+0x1ea (804f17bc)

nt!IopfCompleteRequest+0x1e2:                               ; unlock every MDL in the chain
804f17b4 57              push    edi      ;edi = current mdl (starts at Irp->MdlAddress)
804f17b5 e888590100      call    nt!MmUnlockPages (80507142)
804f17ba 8b3f            mov     edi,dword ptr [edi] ;mdl = mdl->Next;

nt!IopfCompleteRequest+0x1ea:
804f17bc 3bfb            cmp     edi,ebx ;edi = mdl, ebx = 0
804f17be 75f4            jne     nt!IopfCompleteRequest+0x1e2 (804f17b4)

nt!IopfCompleteRequest+0x1ee: //deferred-completion check
804f17c0 f6460908        test    byte ptr [esi+9],8 ;bit 800h of Irp->Flags (tested via its second byte): IRP_DEFER_IO_COMPLETION
804f17c4 742a            je      nt!IopfCompleteRequest+0x21e (804f17f0)

nt!IopfCompleteRequest+0x1f4:
804f17c6 385e21          cmp     byte ptr [esi+21h],bl ;Irp->PendingReturned
804f17c9 7525            jne     nt!IopfCompleteRequest+0x21e (804f17f0)  ; pending was returned -> the APC is still needed

nt!IopfCompleteRequest+0x1f9:                               ; deferred and not pending: the issuer finishes the completion itself
804f17cb 817e1804010000 cmp     dword ptr [esi+18h],104h;Irp->IoStatus.Status == STATUS_REPARSE ?
804f17d2 0f85a3feffff    jne     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x206:
804f17d8 817e1c030000a0 cmp     dword ptr [esi+1Ch],0A0000003h  ; Information == IO_REPARSE_TAG_MOUNT_POINT ?
804f17df 0f8596feffff    jne     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x213:
804f17e5 8b45f4          mov     eax,dword ptr [ebp-0Ch]  ; AuxiliaryBuffer saved at +0x136
804f17e8 894654          mov     dword ptr [esi+54h],eax  ; put it back so the deferred completer can use it
804f17eb e98bfeffff      jmp     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x21e:
804f17f0 385e24          cmp     byte ptr [esi+24h],bl ;Irp->Cancel
804f17f3 8b7e64          mov     edi,dword ptr [esi+64h]
;Irp->Tail.Overlay.OriginalFileObject
804f17f6 897df0          mov     dword ptr [ebp-10h],edi  ; the movs preserve the flags from the cmp above
804f17f9 752e            jne     nt!IopfCompleteRequest+0x257 (804f1829)  ; cancelled -> take the IRQL-protected path that re-checks Thread

nt!IopfCompleteRequest+0x229:                               ; not cancelled: queue the completion APC to the issuing thread
; KeInitializeApc(Apc, Thread, Environment, IopCompleteRequest /*kernel*/, IopAbortRequest /*rundown*/,
;                 NULL, KernelMode, NULL)
804f17fb 0fbe4626        movsx   eax,byte ptr [esi+26h]   ; Irp->ApcEnvironment
804f17ff 53              push    ebx
804f1800 53              push    ebx
804f1801 53              push    ebx
804f1802 6852635780      push    offset nt!IopAbortRequest (80576352)
804f1807 68aa4a4f80      push    offset nt!IopCompleteRequest (804f4aaa)
804f180c 50              push    eax
804f180d ff7650          push    dword ptr [esi+50h]      ; Irp->Tail.Overlay.Thread (not NULL-checked on this path)
804f1810 8d7e40          lea     edi,[esi+40h]            ; Irp->Tail.Apc
804f1813 57              push    edi
804f1814 e8b9a10000      call    nt!KeInitializeApc (804fb9d2)
; KeInsertQueueApc(Apc, OriginalFileObject, saved AuxiliaryBuffer, PriorityBoost)
804f1819 0fbe45f8        movsx   eax,byte ptr [ebp-8]
804f181d 50              push    eax
804f181e ff75f4          push    dword ptr [ebp-0Ch]
804f1821 ff75f0          push    dword ptr [ebp-10h]
804f1824 e97bffffff      jmp     nt!IopfCompleteRequest+0x1d2 (804f17a4)  ; shared push edi / KeInsertQueueApc tail

nt!IopfCompleteRequest+0x257:                               ; cancelled IRP: examine Thread at DPC level
804f1829 ff1514874d80    call    dword ptr [nt!_imp__KeRaiseIrqlToDpcLevel (804d8714)]
804f182f 8ac8            mov     cl,al                    ; old IRQL
804f1831 8b4650          mov     eax,dword ptr [esi+50h]  ; Irp->Tail.Overlay.Thread
804f1834 3bc3            cmp     eax,ebx
804f1836 884dff          mov     byte ptr [ebp-1],cl      ; save the old IRQL (the [ebp-1] slot is reused here)
804f1839 743b            je      nt!IopfCompleteRequest+0x2a4 (804f1876)  ; no thread -> drop the IRP instead of queueing

nt!IopfCompleteRequest+0x269:                               ; same APC setup as +0x229, with eax = Thread already loaded
804f183b 0fbe4e26        movsx   ecx,byte ptr [esi+26h]   ; Irp->ApcEnvironment
804f183f 53              push    ebx
804f1840 53              push    ebx
804f1841 53              push    ebx
804f1842 6852635780      push    offset nt!IopAbortRequest (80576352)
804f1847 68aa4a4f80      push    offset nt!IopCompleteRequest (804f4aaa)
804f184c 51              push    ecx
804f184d 50              push    eax
804f184e 8d7e40          lea     edi,[esi+40h]            ; Irp->Tail.Apc
804f1851 57              push    edi
804f1852 e87ba10000      call    nt!KeInitializeApc (804fb9d2)
804f1857 0fbe45f8        movsx   eax,byte ptr [ebp-8]     ; PriorityBoost
804f185b 50              push    eax
804f185c ff75f4          push    dword ptr [ebp-0Ch]      ; saved AuxiliaryBuffer
804f185f ff75f0          push    dword ptr [ebp-10h]      ; OriginalFileObject
804f1862 57              push    edi
804f1863 e8cca10000      call    nt!KeInsertQueueApc (804fba34)
804f1868 8a4dff          mov     cl,byte ptr [ebp-1]      ; fastcall KfLowerIrql(OldIrql)
804f186b ff151c874d80    call    dword ptr [nt!_imp_KfLowerIrql (804d871c)]
804f1871 e905feffff      jmp     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x2a4:
804f1876 ff151c874d80    call    dword ptr [nt!_imp_KfLowerIrql (804d871c)]  ; cl still holds the old IRQL from +0x257
804f187c 57              push    edi                      ; OriginalFileObject
804f187d 56              push    esi                      ; Irp
804f187e e80b2b0000      call    nt!IopDropIrp (804f438e)
804f1883 e9f3fdffff      jmp     nt!IopfCompleteRequest+0xa9 (804f167b) ;exit

nt!IopfCompleteRequest+0x2b6:                               ; invalid or already-completed IRP
; stdcall KeBugCheckEx(BugCheckCode, P1, P2, P3, P4) -- pushed right to left
804f1888 53              push    ebx                      ; P4 = 0
804f1889 53              push    ebx                      ; P3 = 0
804f188a 68630d0000      push    0D63h                    ; P2 = 0D63h (likely the kernel source line; not verifiable here)
804f188f 56              push    esi                      ; P1 = Irp
804f1890 6a44            push    44h                      ; BugCheckCode 0x44 = MULTIPLE_IRP_COMPLETE_REQUESTS
804f1892 e88d830000      call    nt!KeBugCheckEx (804f9c24)
804f1897 cc              int     3                        ; never reached: KeBugCheckEx does not return
