5、 我们可以偷笑了!
以上内容均为理论知识,下面我们来实践下。
es1371mp.sys 问题
在 90 年代末期,由 CreativeLabs 创建的驱动 es137lmp.sys 被广泛应用于声卡驱动
“Ensoniq PCI 1371”中。甚至在今日,这一驱动依然被应用于诸多传真声卡的 VMware 产
品之中。实际上,驱动是自动通过 Microsoft Windows Update 进行安装的。这在近十年之
中,我们一直讨论着WDM驱动,但遗撼的是,Creative不再为硬件或者驱动提供任何补丁。
开始吧!
绑定到 PortCls.sys:
module: es1371mp.sys
1. PAGE:00014CE8 start proc near
2. PAGE:00014CE8
3. PAGE:00014CE8 arg_0 = dword ptr 4
4. PAGE:00014CE8 arg_4 = dword ptr 8
5. PAGE:00014CE8
6. PAGE:00014CE8 push ebx
7. PAGE:00014CE9 xor ebx, ebx
8. [...]
9. PAGE:00014D2C mov esi, [esp+8+arg_0]
10.PAGE:00014D30 push offset sub_14CCC ; AddDevice
11.PAGE:00014D35 push [esp+0Ch+arg_4]
12.PAGE:00014D39 push esi
13.PAGE:00014D3A call PcInitializeAdapterDriver
14.PAGE:00014D3F cmp eax, ebx
15.PAGE:00014D41 mov dword ptr [esi+34h], offset sub_14780
16.PAGE:00014D48 jl short loc_14D7A
17.PAGE:00014D4A mov dword ptr [esi+38h], offset sub_1803C
;overrides IRP_MJ_CREATE
18.PAGE:00014D51 mov dword ptr [esi+40h], offset sub_1803C
;overrides IRP_MJ_CLOSE
19.PAGE:00014D58 mov dword ptr [esi+0A4h], offset sub_17FC0
;overrides IRP_MJ_PNP
20.PAGE:00014D62 mov dword ptr [esi+90h], offset sub_17FE4; ...
21.PAGE:00014D6C mov dword ptr [esi+70h], offset sub_18072
;overrides IRP_MJ_DEVICE_CONTROL
22.PAGE:00014D73 mov dword ptr [esi+74h], offset sub_180AE;...
该驱动重写了多个默认KSA IRP handler,后面会讲到原因。
下面看下新的DispatchCreate:
module: es1371mp.sys
1. PAGE:0001803C sub_1803C proc near ; DATA XREF: start+62o
2. PAGE:0001803C ; start+69o
3. PAGE:0001803C
4. PAGE:0001803C arg_0 = dword ptr 4
5. PAGE:0001803C Irp = dword ptr 8
6. PAGE:0001803C
7. PAGE:0001803C mov eax, [esp+arg_0]
8. PAGE:00018040 mov ecx, [eax+28h]
9. PAGE:00018043 push esi
10.PAGE:00018044 xor esi, esi
11.PAGE:00018046 cmp byte ptr [ecx+111h], 0 ;
Discriminate device by checking certain flag within the DeviceExtension
12.PAGE:0001804D jz short loc_18060
13.PAGE:0001804F mov ecx, [esp+4+Irp] ; Irp
14.PAGE:00018053 and [ecx+18h], esi
15.PAGE:00018056 xor dl, dl ; PriorityBoost
16.PAGE:00018058 call ds:IofCompleteRequest
17.PAGE:0001805E jmp short loc_1806C
18.PAGE:00018060 ;
--------------------------------------------------------------------------
19.PAGE:00018060
20.PAGE:00018060 loc_18060: ; CODE XREF:
sub_1803C+11j
21.PAGE:00018060 push [esp+4+Irp]
22.PAGE:00018064 push eax
23.PAGE:00018065
24.PAGE:00018065 loc_18065:
25.PAGE:00018065 call PcDispatchIrp
26.PAGE:0001806A mov esi, eax
27.PAGE:0001806C
28.PAGE:0001806C loc_1806C: ; CODE XREF:
sub_1803C+22j
29.PAGE:0001806C mov eax, esi
30.PAGE:0001806E pop esi
31.PAGE:0001806F retn 8
32.PAGE:0001806F sub1803C endp
由上可知,例程通过检测DeviceExtension上的flag来区分GamePort PDO和KSA设备。
因此如果接收到 IRP_MJ_CREATE 的设备是 KSA 设备,那么函数将通过调用
PortCls!PcDispathchIrp来分发它,该函数在一定情况 下,会先初始化FsContext。否则,
完成 IRP 请求。
下面再看下EsDispatchPnp:
module: es1371mp.sys
PAGE:00017FC0 sub_17FC0 proc near ; DATA XREF: start+70o
PAGE:00017FC0
PAGE:00017FC0 arg_0 = dword ptr 4
PAGE:00017FC0 Irp = dword ptr 8
PAGE:00017FC0
PAGE:00017FC0 mov eax, [esp+arg_0]
PAGE:00017FC4 mov ecx, [eax+28h]
PAGE:00017FC7 cmp byte ptr [ecx+111h], 0 ; Discriminates
Device by checking certain offset within the DeviceExtension
PAGE:00017FCE push [esp+Irp] ; Irp
PAGE:00017FD2 push eax ; int
PAGE:00017FD3 jz short loc_17FDC
PAGE:00017FD5 call sub_188F2
PAGE:00017FDA jmp short locret_17FE1
PAGE:00017FDC ;
---------------------------------------------------------------------------
PAGE:00017FDC
PAGE:00017FDC loc_17FDC: ; CODE XREF: sub_17FC0+13j
PAGE:00017FDC call sub_18314
PAGE:00017FE1
PAGE:00017FE1 locret_17FE1: ; CODE XREF: sub_17FC0+1Aj
PAGE:00017FE1 retn 8
PAGE:00017FE1 sub_17FC0 endp | 
