flat assembler
Message board for the users of flat assembler.

Index > Windows > IoCreateDevice

bcdsys 04 Aug 2008, 15:00
I have a driver that uses IoCreateDevice to make an I/O device. The driver's full source code is:
Code:
;example of driver that creates device "\\.\\DEVICE" and deletes it
format PE DLL native 4.0 at 0x10000

;Driver object table (DRIVER_OBJECT, x86 offsets)
;0x00=Type rw 1
;0x02=Size rw 1
;0x04=DeviceObject rd 1
;0x08=Flags rd 1
;0x0C=DriverStart rd 1
;0x10=DriverSize rd 1
;0x14=DriverSection rd 1
;0x18=DriverExtension rd 1
;0x1C=DriverName rb 8 (UNICODE_STRING)
;0x24=HardwareDatabase rd 1
;0x28=FastIoDispatch rd 1
;0x2C=DriverInit rd 1
;0x30=DriverStartIo rd 1
;0x34=DriverUnload rd 1
;0x38=MajorFunction rd 01Ch (one entry per IRP_MJ_* code)

section '.code' code readable executable notpageable

entry $ ;entry point of driver
cld
mov eax, [esp+4] ;get pointer to driver object
mov dword [eax+52], DriverUnload ;pointer to address of unload routine
mov [pDriverObject], eax ;save pointer to driver object
;create the I/O device
push pDeviceObject
push 0
push 0
push 0x22
push DeviceName
push 0
push eax
call [IoCreateDevice]
;print the return value
push eax
push FormatDispInt
call [DbgPrint]
add esp, 8
;delete the I/O device
push [pDeviceObject]
call [IoDeleteDevice]
;print the return value
push eax
push FormatDispInt
call [DbgPrint]
add esp, 8
;exit
xor eax, eax
ret 8

DriverUnload:
ret 4

section '.data' data readable writeable notpageable

pDriverObject dd 0 ;pointer to driver object
pDeviceObject dd 0 ;pointer to device object
FormatDispInt db '%d', 0
align 2
DeviceName du '\Device\DEVICE1', 0, 0

section '.idata' import readable

dd rva ntoskrnl_table, 0, 0, rva ntoskrnl_name, rva ntoskrnl_table
dd 0, 0, 0, 0, 0

ntoskrnl_table:
DbgPrint dd rva _DbgPrint
IoCreateDevice dd rva _IoCreateDevice
IoDeleteDevice dd rva _IoDeleteDevice
dd 0

ntoskrnl_name db 'NTOSKRNL.EXE', 0

_DbgPrint db 0, 0, 'DbgPrint', 0
_IoCreateDevice db 0, 0, 'IoCreateDevice', 0
_IoDeleteDevice db 0, 0, 'IoDeleteDevice', 0


section '.reloc' fixups discardable

The driver BSODs with *** STOP: 0x0000007E (0xC0000005,0x80902840,0xF902C704,0xF902C704)
This means that there was a memory access violation. By putting an int3 before and after IoCreateDevice I saw the breakpoint cause a BSOD before IoCreateDevice, but when the int3 was put after it, the access violation occurred and the breakpoint was not hit, so the crash must be in IoCreateDevice. Why is IoCreateDevice crashing? I need it because I want to communicate between the driver and user mode, and I need an I/O device to do that.
The OS the driver runs on is Windows Server 2003.
asmcoder 04 Aug 2008, 16:13
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
illuz1oN 04 Aug 2008, 16:47
okasvi 05 Aug 2008, 09:03
Instead of
Code:
buff db '\',0,'D',0,'e',0,'v',0,'i',0,'c',0,'e',0,'\',0,'q',0,0,0     


you could use
Code:
buff du '\Device\q',0     
ManOfSteel 05 Aug 2008, 10:14
Yes, as okasvi said, it's much more readable.
Also, is there any reason for using ecx with IoCreateDevice?
asmcoder 05 Aug 2008, 10:24
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
ManOfSteel 05 Aug 2008, 10:40
But why trash ecx when you can directly push zero?
Unless of course you're optimizing for size, in which case using ecx will give you (1-byte) smaller code. Ok.
asmcoder 05 Aug 2008, 10:51
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
bcdsys 09 Aug 2008, 14:53
Good, I have now fixed the driver with asmcoder's code; the driver no longer BSODs. I have a service control program for the driver, which loads/unloads the driver correctly, but CreateFile fails. Why does CreateFile fail?
Driver source:
Code:
format PE native

;Driver object table (DRIVER_OBJECT, x86 offsets)
;0x00=Type rw 1
;0x02=Size rw 1
;0x04=DeviceObject rd 1
;0x08=Flags rd 1
;0x0C=DriverStart rd 1
;0x10=DriverSize rd 1
;0x14=DriverSection rd 1
;0x18=DriverExtension rd 1
;0x1C=DriverName rb 8 (UNICODE_STRING)
;0x24=HardwareDatabase rd 1
;0x28=FastIoDispatch rd 1
;0x2C=DriverInit rd 1
;0x30=DriverStartIo rd 1
;0x34=DriverUnload rd 1
;0x38=MajorFunction rd 01Ch (one entry per IRP_MJ_* code, index below)
;IRP_MJ_CREATE = 0x00
;IRP_MJ_CREATE_NAMED_PIPE = 0x01
;IRP_MJ_CLOSE = 0x02
;IRP_MJ_READ = 0x03
;IRP_MJ_WRITE = 0x04
;IRP_MJ_QUERY_INFORMATION = 0x05
;IRP_MJ_SET_INFORMATION = 0x06
;IRP_MJ_QUERY_EA = 0x07
;IRP_MJ_SET_EA = 0x08
;IRP_MJ_FLUSH_BUFFERS = 0x09
;IRP_MJ_QUERY_VOLUME_INFORMATION = 0x0a
;IRP_MJ_SET_VOLUME_INFORMATION = 0x0b
;IRP_MJ_DIRECTORY_CONTROL = 0x0c
;IRP_MJ_FILE_SYSTEM_CONTROL = 0x0d
;IRP_MJ_DEVICE_CONTROL = 0x0e
;IRP_MJ_INTERNAL_DEVICE_CONTROL = 0x0f
;IRP_MJ_SHUTDOWN = 0x10
;IRP_MJ_LOCK_CONTROL = 0x11
;IRP_MJ_CLEANUP = 0x12
;IRP_MJ_CREATE_MAILSLOT = 0x13
;IRP_MJ_QUERY_SECURITY = 0x14
;IRP_MJ_SET_SECURITY = 0x15
;IRP_MJ_POWER = 0x16
;IRP_MJ_SYSTEM_CONTROL = 0x17
;IRP_MJ_DEVICE_CHANGE = 0x18
;IRP_MJ_QUERY_QUOTA = 0x19
;IRP_MJ_SET_QUOTA = 0x1a

section '' code readable writeable executable notpageable

entry $
mov eax, [esp+4]
mov dword [eax+0x34], DriverUnload
mov dword [eax+0x38], create
mov dword [eax+0x40], close
mov dword [eax+0x70], io

push hello
call [DbgPrint]
add esp, 4

lea eax, [esp+4]
lea edx, [eax+4]
;create the device
push edx ;address of pointer to device object
push 0
push 0
push 0x22
push device ;name of device
push 0
push dword [eax] ;driver object
call [IoCreateDevice]
push eax
push msg_putint
call [DbgPrint]
add esp, 8

;create a symbolic link to the device
push device
push symlink
call [IoCreateSymbolicLink]
push eax
push msg_putint
call [DbgPrint]
add esp, 8

;exit the entry routine
xor eax, eax
ret 8

DriverUnload:
push symlink
call [IoDeleteSymbolicLink]
mov eax, [esp+4] ;pointer to driver object
push dword [eax+4] ;pointer to device object
call [IoDeleteDevice]
push goodbye
call [DbgPrint]
add esp, 4
ret 4

create:
push msg_create
call [DbgPrint]
add esp, 4 ;restore stack
xor eax, eax
ret 8

close:
push msg_close
call [DbgPrint]
add esp, 4
xor eax, eax
ret 8

io:
mov eax, [esp+8]
mov eax, [eax+0x60]
push dword [eax+0xC]
push msg_control
call [DbgPrint]
add esp, 8
push 0
push dword [esp+12] ;pointer to the IRP ([esp+8] before the push above)
call [IoCompleteRequest]
xor eax, eax
ret 8

hello db 'Hello world!', 0
goodbye db 'Goodbye world!', 0
msg_create db 'create', 0
msg_close db 'close', 0
msg_control db 'I/O request %u', 0
msg_putint db '%x', 0

align 2
device:
dw 26
dw 28
dd @f
@@ du '\Device\Device1', 0

symlink:
dw 26
dw 28
dd @f
@@ du '\DosDevices\Device1', 0

section '' import readable

dd rva ntoskrnl_table, 0, 0, rva ntoskrnl_name, rva ntoskrnl_table
dd 0, 0, 0, 0, 0

ntoskrnl_table:
IoCreateDevice dd rva _IoCreateDevice
IoDeleteDevice dd rva _IoDeleteDevice
IoCreateSymbolicLink dd rva _IoCreateSymbolicLink
IoDeleteSymbolicLink dd rva _IoDeleteSymbolicLink
IoCompleteRequest dd rva _IoCompleteRequest
DbgPrint dd rva _DbgPrint
dd 0

ntoskrnl_name db 'ntoskrnl.exe', 0
_IoCreateDevice db 0, 0, 'IoCreateDevice', 0
_IoDeleteDevice db 0, 0, 'IoDeleteDevice', 0
_IoCreateSymbolicLink db 0, 0, 'IoCreateSymbolicLink', 0
_IoDeleteSymbolicLink db 0, 0, 'IoDeleteSymbolicLink', 0
_IoCompleteRequest db 0, 0, 'IoCompleteRequest', 0
_DbgPrint db 0, 0, 'DbgPrint', 0

section '' fixups discardable

Control program code:
Code:
;service control manager for DeviceIoControl3.sys
format PE console

section '' code readable writeable executable
entry $

push 0xF003F
push 0
push 0
call [OpenSCManager]
test eax, eax
jnz @f
push msg_error_OpenSCManager
call [puts]
add esp, 4
jmp exit
@@:
mov ebx, eax ;save handle in eax
push 0
push DriverPath
push 255
push driver
call [GetFullPathName] ;get full path of driver
push 0
push 0
push 0
push 0
push 0
push DriverPath
push 0
push 3
push 1
push 0xF01FF
push s2
push s1
push ebx
call [CreateService] ;load driver
test eax, eax
jnz @f
push msg_error_CreateService
call [puts]
add esp, 4
jmp closeSCM
@@:
mov esi, eax ;save handle to service
push 0
push 0
push esi
call [StartService]
test eax, eax
jnz @f
push msg_error_StartService
call [puts]
add esp, 4
jmp exit_service
@@:
;send the I/O request to the driver
push 0 ;no template file
push 0
push 3
push 0
push 0
push 0 ;GENERIC_READ
push device
call [CreateFile]
cmp eax, -1
jne @f
call [GetLastError]
push msg_error_CreateFile
call [puts]
add esp, 4
jmp exit_service
@@:
mov edi, eax ;save file handle
push edi
call [CloseHandle]
exit_service:
sub esp, 28
mov eax, esp
push eax
push 1
push esi
call [ControlService]
add esp, 28
test eax, eax
jnz @f
push msg_error_ControlService
call [puts]
add esp, 4
@@:
push esi
call [DeleteService]
test eax, eax
jnz @f
push msg_error_DeleteService
call [puts]
add esp, 4
@@:
closeSCM:
push ebx
call [CloseServiceHandle]
exit:
ret ;exits

driver db 'DeviceIoControl3.sys', 0
DriverPath rb 256
device db '\\.\Device1', 0 ;name of device
s1 db 'DeviceIoControl3', 0
s2 db 'DeviceIoControl Samples', 0
msg_error_OpenSCManager db 'OpenSCManager Error', 0
msg_error_CreateService db 'CreateService Error', 0
msg_error_StartService db 'StartService Error', 0
msg_error_ControlService db 'ControlService Error', 0
msg_error_DeleteService db 'DeleteService Error', 0
msg_error_CreateFile db 'CreateFile Error', 0


section '' import readable

dd rva kernel32_table, 0, 0, rva kernel32_name, rva kernel32_table
dd rva advapi32_table, 0, 0, rva advapi32_name, rva advapi32_table
dd rva msvcrt_table, 0, 0, rva msvcrt_name, rva msvcrt_table
dd 0, 0, 0, 0, 0

kernel32_table:
ExitProcess dd rva _ExitProcess
GetFullPathName dd rva _GetFullPathName
GetLastError dd rva _GetLastError
CreateFile dd rva _CreateFile
DeviceIoControl dd rva _DeviceIoControl
CloseHandle dd rva _CloseHandle
dd 0

advapi32_table:
OpenSCManager dd rva _OpenSCManager
CreateService dd rva _CreateService
StartService dd rva _StartService
DeleteService dd rva _DeleteService
ControlService dd rva _ControlService
CloseServiceHandle dd rva _CloseServiceHandle
dd 0

msvcrt_table:
puts dd rva _puts
dd 0

kernel32_name db 'KERNEL32.DLL', 0
advapi32_name db 'ADVAPI32.DLL', 0
msvcrt_name db 'MSVCRT.DLL', 0

_GetFullPathName db 0, 0, 'GetFullPathNameA', 0
_ExitProcess db 0, 0, 'ExitProcess', 0
_GetLastError db 0, 0, 'GetLastError', 0
_CreateFile db 0, 0, 'CreateFileA', 0
_DeviceIoControl db 0, 0, 'DeviceIoControl', 0
_CloseHandle db 0, 0, 'CloseHandle', 0
_OpenSCManager db 0, 0, 'OpenSCManagerA', 0
_CreateService db 0, 0, 'CreateServiceA', 0
_StartService db 0, 0, 'StartServiceA', 0
_DeleteService db 0, 0, 'DeleteService', 0
_ControlService db 0, 0, 'ControlService', 0
_CloseServiceHandle db 0, 0, 'CloseServiceHandle', 0
_puts db 0, 0, 'puts', 0

section '' fixups discardable


Why is CreateFile failing? Is the bug in the SCP, the driver, or both?
ManOfSteel 10 Aug 2008, 05:56
Code:
;send the I/O request to the driver 
push 0 ;no template file 
push 0 
push 3 
push 0 
push 0 
push 0 ;GENERIC_READ 
push device 
call [CreateFile]

Is it GENERIC_READ that you want? In that case, it should be 80000000h instead of 0.
asmcoder 10 Aug 2008, 11:28
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
bcdsys 11 Aug 2008, 01:23
I got the driver/SCP fully working. Here is the driver code:
Code:
;driver that logs DeviceIoControl requests to \Device\DeviceX to debug output

format PE native

section '' code readable writeable executable notpageable

entry $ ;DriverEntry(DriverObject, RegistryPath), stdcall
mov eax, [esp+4] ;pointer to driver object
mov dword [eax+0x34], DriverUnload ;DriverObject.DriverUnload
mov dword [eax+0x38], create ;MajorFunction[IRP_MJ_CREATE]
mov dword [eax+0x40], close ;MajorFunction[IRP_MJ_CLOSE]
mov dword [eax+0x70], io ;MajorFunction[IRP_MJ_DEVICE_CONTROL] (0x38 + 0x0E*4)

push hello
call [DbgPrint]
add esp, 4

lea eax, [esp+4] ;address of the DriverObject argument
lea edx, [eax+4] ;address of the RegistryPath argument, reused as the out-parameter below
;create the device
push edx ;address of pointer to device object (written by IoCreateDevice)
push 0 ;Exclusive = FALSE
push 0 ;DeviceCharacteristics
push 0x22 ;DeviceType = FILE_DEVICE_UNKNOWN
push device ;UNICODE_STRING holding the device name
push 0 ;DeviceExtensionSize
push dword [eax] ;driver object
call [IoCreateDevice]
;exit the entry routine with IoCreateDevice's status: 0 = STATUS_SUCCESS,
;anything else makes the I/O manager unload the driver instead of leaving
;a driver without a device loaded
ret 8

DriverUnload:
mov eax, [esp+4] ;pointer to driver object
push dword [eax+4] ;DriverObject.DeviceObject
call [IoDeleteDevice]
push bye
call [DbgPrint]
add esp, 4
ret 4

;dispatch routines: stdcall (DeviceObject, Irp), so the IRP is at [esp+8]
create:
push msg_create
call [DbgPrint]
add esp, 4 ;restore stack (DbgPrint is cdecl)
jmp complete_ok

close:
push msg_close
call [DbgPrint]
add esp, 4
jmp complete_ok

io:
mov eax, [esp+8] ;IRP
mov eax, [eax+0x60] ;IRP.Tail.Overlay.CurrentStackLocation
push dword [eax+0xC] ;IO_STACK_LOCATION.Parameters.DeviceIoControl.IoControlCode
push msg_control
call [DbgPrint]
add esp, 8
;fall through to complete the request

;complete the IRP at [esp+8] with STATUS_SUCCESS and no output data.
;Every dispatch routine must complete (or mark pending and later complete)
;the IRP it receives; returning without doing so leaks the IRP and the
;status and byte count in IoStatus are never delivered to the caller.
complete_ok:
mov eax, [esp+8] ;IRP
mov dword [eax+0x18], 0 ;IRP.IoStatus.Status = STATUS_SUCCESS
mov dword [eax+0x1C], 0 ;IRP.IoStatus.Information = 0 bytes returned
push 0 ;PriorityBoost = IO_NO_INCREMENT
push eax ;IRP
call [IoCompleteRequest]
xor eax, eax ;return the same status that was stored in IoStatus.Status
ret 8

hello db 'Hello world!', 0
bye db 'Goodbye world!', 0
msg_create db 'create', 0
msg_close db 'close', 0
msg_control db 'I/O request %p', 0

align 4
;UNICODE_STRING: Length (bytes, terminator not counted), MaximumLength (bytes
;including the terminator), Buffer. Both lengths are computed from the string
;so they cannot disagree with it: a hard-coded length longer than the string
;makes the kernel read whatever follows the terminator as part of the name.
device:
dw device_name_end - device_name - 2
dw device_name_end - device_name
dd device_name
device_name du '\Device\DeviceX', 0
device_name_end:

section '' import readable

dd rva ntoskrnl_table, 0, 0, rva ntoskrnl_name, rva ntoskrnl_table
dd 0, 0, 0, 0, 0

ntoskrnl_table:
IoCreateDevice dd rva _IoCreateDevice
IoDeleteDevice dd rva _IoDeleteDevice
IoCompleteRequest dd rva _IoCompleteRequest
DbgPrint dd rva _DbgPrint
dd 0

ntoskrnl_name db 'ntoskrnl.exe', 0
_IoCreateDevice db 0, 0, 'IoCreateDevice', 0
_IoDeleteDevice db 0, 0, 'IoDeleteDevice', 0
_IoCompleteRequest db 0, 0, 'IoCompleteRequest', 0
_DbgPrint db 0, 0, 'DbgPrint', 0

section '' fixups discardable


SCP code:
Code:
;service control program (SCP) for DeviceIoControl3.sys: loads the driver,
;opens its device through the native API, sends one I/O control code,
;then stops and deletes the service
format PE console

section '' code readable writeable executable
entry $

push 0xF003F ;SC_MANAGER_ALL_ACCESS
push 0 ;local machine
push 0 ;default database
call [OpenSCManager]
test eax, eax
jnz @f
call [GetLastError] ;eax is 0 on failure, the reason is in GetLastError
push eax
push msg_error_OpenSCManager
call [printf]
add esp, 8
jmp exit
@@:
mov ebx, eax ;save SCM handle in ebx
push 0
push DriverPath
push 255
push driver
call [GetFullPathName] ;get full path of driver
push 0
push 0
push 0
push 0
push 0
push DriverPath
push 0
push 3
push 1
push 0xF01FF
push s2
push s1
push ebx
call [CreateService] ;load driver
test eax, eax
jnz @f
call [GetLastError]
push eax
push msg_error_CreateService
call [printf]
add esp, 8
jmp closeSCM
@@:
mov esi, eax ;save handle to service
push 0
push 0
push esi
call [StartService]
test eax, eax
jnz @f
call [GetLastError]
push eax
push msg_error_StartService
call [printf]
add esp, 8
jmp exit_service
@@:
;open the device through the native API: NtCreateFile(&Handle, DesiredAccess,
;&ObjectAttributes, &IoStatusBlock, AllocationSize, FileAttributes, ShareAccess,
;CreateDisposition, CreateOptions, EaBuffer, EaLength)
;OBJECT_ATTRIBUTES (24 bytes) built on the stack
push 0 ;SecurityQualityOfService
push 0 ;SecurityDescriptor
push 0 ;Attributes
push device ;ObjectName (UNICODE_STRING)
push 0 ;RootDirectory
push 24 ;Length
mov ecx, esp ;save pointer to OBJECT_ATTRIBUTES
sub esp, 12 ;IO_STATUS_BLOCK (8 bytes) followed by the HANDLE (4 bytes)
mov eax, esp ;pointer to IO_STATUS_BLOCK
push 0 ;EaLength
push 0 ;EaBuffer
push 0 ;CreateOptions
push 1 ;CreateDisposition = FILE_OPEN (the device must already exist)
push 0 ;ShareAccess
push 0 ;FileAttributes
push 0 ;AllocationSize
push eax ;IoStatusBlock
push ecx ;ObjectAttributes
push 3 ;DesiredAccess = FILE_READ_DATA or FILE_WRITE_DATA
lea eax, [eax+8]
push eax ;FileHandle (receives the handle)
call [NtCreateFile]
mov edi, [esp+8] ;save file handle
add esp, 36 ;restore stack
test eax, eax
jz @f
push eax
push msg_error_NtCreateFile
call [printf]
add esp, 8
jmp exit_service
@@:
push msg_request_io_code
call [printf] ;cdecl: the argument slot stays on the stack...
mov eax, esp ;...and is reused as the dword that scanf fills in
push eax
push get_io_code
call [scanf]
add esp, 8 ;drop scanf's two arguments
pop ecx ;get the I/O code from the reused slot
sub esp, 4
mov eax, esp
push 0
push eax
push 0
push 0
push 0
push 0
push ecx ;device I/O request code
push edi ;device handle
call [DeviceIoControl]
test eax, eax
jnz @f
call [GetLastError]
push eax
push msg_error_DeviceIoControl
call [printf]
add esp, 8
@@:
add esp, 4 ;clean up stack
push edi
call [CloseHandle] ;close the device
test eax, eax
jnz @f
call [GetLastError]
push eax
push msg_error_CloseHandle
call [printf]
add esp, 8
jmp exit_service
@@:
exit_service:
sub esp, 28
mov eax, esp
push eax
push 1
push esi
call [ControlService] ;stop the service
add esp, 28
test eax, eax
jnz @f
call [GetLastError]
push eax
push msg_error_ControlService
call [printf]
add esp, 8
@@:
push esi
call [DeleteService]
test eax, eax
jnz @f
call [GetLastError]
push eax
push msg_error_DeleteService
call [printf]
add esp, 8
@@:
closeSCM:
push ebx
call [CloseServiceHandle]
test eax, eax
jnz @f
call [GetLastError]
push eax
push msg_error_CloseServiceHandle
call [printf]
add esp, 8
@@:
exit:
push 0 ;exit code
call [ExitProcess]

driver db 'DeviceIoControl3.sys', 0
DriverPath rb 256
align 4
;UNICODE_STRING of the device name; both lengths are computed from the string
;so they always match it, which is what the driver side must do as well
device:
dw device_name_end - device_name - 2
dw device_name_end - device_name
dd device_name
device_name du '\Device\DeviceX', 0
device_name_end:
s1 db 'DeviceIoControl3', 0
s2 db 'DeviceIoControl Samples', 0
msg_error_OpenSCManager db 'OpenSCManager Error: %x', 13, 10, 0
msg_error_CreateService db 'CreateService Error: %x', 13, 10, 0
msg_error_StartService db 'StartService Error: %x', 13, 10, 0
msg_error_ControlService db 'ControlService Error: %x', 13, 10, 0
msg_error_DeleteService db 'DeleteService Error: %x', 13, 10, 0
msg_error_CloseServiceHandle db 'CloseServiceHandle Error: %x', 13, 10, 0
msg_error_NtCreateFile db 'NtCreateFile Error: %x', 13, 10, 0 ;NTSTATUS
msg_error_CloseHandle db 'CloseHandle Error: %x', 13, 10, 0
msg_error_DeviceIoControl db 'DeviceIoControl Error: %x', 13, 10, 0
msg_request_io_code db 'Specify the I/O request to send (hex): ', 0
get_io_code db '%x', 0 ;reads the control code as hexadecimal into a dword

section '' import readable

dd rva ntdll_table, 0, 0, rva ntdll_name, rva ntdll_table
dd rva kernel32_table, 0, 0, rva kernel32_name, rva kernel32_table
dd rva advapi32_table, 0, 0, rva advapi32_name, rva advapi32_table
dd rva msvcrt_table, 0, 0, rva msvcrt_name, rva msvcrt_table
dd 0, 0, 0, 0, 0

ntdll_table:
NtCreateFile dd rva _NtCreateFile
dd 0

kernel32_table:
ExitProcess dd rva _ExitProcess
GetFullPathName dd rva _GetFullPathName
GetLastError dd rva _GetLastError
DeviceIoControl dd rva _DeviceIoControl
CloseHandle dd rva _CloseHandle
dd 0

advapi32_table:
OpenSCManager dd rva _OpenSCManager
CreateService dd rva _CreateService
StartService dd rva _StartService
DeleteService dd rva _DeleteService
ControlService dd rva _ControlService
CloseServiceHandle dd rva _CloseServiceHandle
dd 0

msvcrt_table:
printf dd rva _printf
scanf dd rva _scanf
dd 0

ntdll_name db 'NTDLL.DLL', 0
kernel32_name db 'KERNEL32.DLL', 0
advapi32_name db 'ADVAPI32.DLL', 0
msvcrt_name db 'MSVCRT.DLL', 0

_NtCreateFile db 0, 0, 'NtCreateFile', 0
_GetFullPathName db 0, 0, 'GetFullPathNameA', 0
_ExitProcess db 0, 0, 'ExitProcess', 0
_GetLastError db 0, 0, 'GetLastError', 0
_DeviceIoControl db 0, 0, 'DeviceIoControl', 0
_CloseHandle db 0, 0, 'CloseHandle', 0
_OpenSCManager db 0, 0, 'OpenSCManagerA', 0
_CreateService db 0, 0, 'CreateServiceA', 0
_StartService db 0, 0, 'StartServiceA', 0
_DeleteService db 0, 0, 'DeleteService', 0
_ControlService db 0, 0, 'ControlService', 0
_CloseServiceHandle db 0, 0, 'CloseServiceHandle', 0
_printf db 0, 0, 'printf', 0
_scanf db 0, 0, 'scanf', 0

section '' fixups discardable


The driver works; in DebugView I see the messages and the I/O request codes sent. Thanks asmcoder for your help. I did not copy your code exactly, I based mine on it since I wanted to learn and code, not copy.
I like the native API. It works better than Win32 and is cleaner. No problems with symlinks (but I tested it before and it works with symlinks) and DosDevices; just access \Device\DeviceX. The only limitation was that the device open failed with 0xC0000034 in the SCP if I changed the device name to < 4 chars in both the driver and the program. Is this a Win2k3 limit, or is it a bug in the program?
If there is a bug in the code, please post; it took me lots of work to code this.
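Added example (C, not code from this thread or from fasm): a user-mode model of the x86 UNICODE_STRING that IoCreateDevice and NtCreateFile take, tying together two things this thread ran into. The first post pushed the bare `du` buffer where a pointer to the structure was expected, so the callee read the first characters as Length, MaximumLength and Buffer and dereferenced a bogus pointer. The final code hard-codes `dw 26` / `dw 28` for a 15-character name, which only works because the driver and the client truncate identically, and stops working with a shorter name once the kernel reads past the terminator and the two images differ. The struct, the helper names, the fake Buffer address and the two `TAIL_*` byte patterns (stand-ins for whatever happens to follow the string in each binary) are this example's own assumptions.

```c
/* Added example, not from the thread: x86 UNICODE_STRING modelled in
 * user-mode C (32-bit Buffer kept as an integer so it runs anywhere). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint16_t Length;        /* bytes in use, terminator NOT counted */
    uint16_t MaximumLength; /* bytes available in Buffer, terminator included */
    uint32_t Buffer;        /* 32-bit pointer to the UTF-16 characters */
} US32;

/* Little-endian UTF-16 image of an ASCII name, as fasm's `du` emits it,
 * terminator included. Returns the byte count without the terminator. */
static size_t wide_image(const char *ascii, uint8_t *out, size_t cap)
{
    size_t n = 0;
    for (; ascii[n] != '\0' && 2 * n + 3 < cap; n++) {
        out[2 * n] = (uint8_t)ascii[n];
        out[2 * n + 1] = 0;
    }
    out[2 * n] = 0;
    out[2 * n + 1] = 0;
    return 2 * n;
}

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* RtlInitUnicodeString semantics: both byte counts derived from the string,
 * which is what fasm's `dw end - start - 2` / `dw end - start` computes. */
static US32 init_from_ascii(const char *ascii, uint32_t buffer_addr)
{
    uint8_t img[128];
    US32 us;
    us.Length = (uint16_t)wide_image(ascii, img, sizeof img);
    us.MaximumLength = (uint16_t)(us.Length + 2);
    us.Buffer = buffer_addr;
    return us;
}

/* Bug 1 (first post): `push DeviceName` with the bare `du` buffer. The callee
 * reads the first eight bytes of the characters as the structure header. */
static US32 misread_raw_buffer(const char *ascii)
{
    uint8_t img[128];
    US32 us;
    wide_image(ascii, img, sizeof img);
    us.Length = le16(img);            /* first character  */
    us.MaximumLength = le16(img + 2); /* second character */
    us.Buffer = le32(img + 4);        /* third and fourth characters, used as a pointer */
    return us;
}

/* The check a driver should be able to pass: header agrees with its buffer. */
static int us_is_consistent(const US32 *us, const char *ascii)
{
    uint8_t img[128];
    size_t bytes = wide_image(ascii, img, sizeof img);
    return us->Length % 2 == 0 && us->Length <= us->MaximumLength && us->Length == bytes;
}

/* Constructed stand-ins for the bytes that happen to follow the `du` string
 * in the driver image and in the client image respectively. */
static const uint8_t TAIL_DRIVER[4] = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t TAIL_CLIENT[4] = { 'D', 0x00, 'e', 0x00 };

/* Bug 2 (11 Aug post): the object manager compares exactly `length` bytes from
 * Buffer. A hard-coded length shorter than the name silently truncates it on
 * both sides (they still agree, so it "works"); one longer than the name pulls
 * in the bytes after the terminator, which differ between the two images, and
 * the open fails with STATUS_OBJECT_NAME_NOT_FOUND. Returns 1 if they match. */
static int names_match(const char *ascii, uint16_t hardcoded_length)
{
    uint8_t drv[64], cli[64];
    size_t bytes = wide_image(ascii, drv, sizeof drv) + 2; /* include terminator */
    if (bytes + sizeof TAIL_DRIVER > sizeof drv || hardcoded_length > bytes + sizeof TAIL_DRIVER)
        return 0; /* outside what this model represents */
    memcpy(cli, drv, bytes);
    memcpy(drv + bytes, TAIL_DRIVER, sizeof TAIL_DRIVER);
    memcpy(cli + bytes, TAIL_CLIENT, sizeof TAIL_CLIENT);
    return memcmp(drv, cli, hardcoded_length) == 0;
}

int main(void)
{
    US32 ok = init_from_ascii("\\Device\\DeviceX", 0x10000);
    US32 bad = misread_raw_buffer("\\Device\\DEVICE1");
    printf("correct header: Length=%u MaximumLength=%u consistent=%d\n",
           ok.Length, ok.MaximumLength, us_is_consistent(&ok, "\\Device\\DeviceX"));
    printf("raw buffer misread: Length=0x%X MaximumLength=0x%X Buffer=0x%08X\n",
           bad.Length, bad.MaximumLength, bad.Buffer);
    printf("dw 26 with \\Device\\DeviceX: %s\n", names_match("\\Device\\DeviceX", 26) ? "match" : "mismatch");
    printf("dw 26 with \\Device\\abc:     %s\n", names_match("\\Device\\abc", 26) ? "match" : "mismatch");
    return 0;
}
```

The Buffer value the misread produces for '\Device\DEVICE1' is 0x00760065, the characters 'e' and 'v' read as a pointer, which is the kind of address behind a 0xC0000005 in the STOP 0x7E the first post reports; the fasm side of `init_from_ascii` is the `dw end - start - 2` / `dw end - start` pair.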
asmcoder 11 Aug 2008, 07:02
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
bcdsys 17 Aug 2008, 00:42
One more thing.
Where are the input/output buffers for the I/O request handler stored? Where can I find the pointer to the buffers? I looked everywhere and could not find the answer.
asmcoder 17 Aug 2008, 12:30
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
bcdsys 20 Aug 2008, 22:06
I found a link to http://unitedcrew.org/viewtopic.php?p=70875 (same forum, different page), which has the structure offsets I needed (IRP + IO_STACK_LOCATION). I built a working speaker driver based on it.
Feryno 21 Aug 2008, 12:59
The header is usually created by the ring 3 application.
The app may create it on its stack or in its data section or in any writeable section (or even a read-only section if it is never written, e.g. created at the time of compiling the app).
A pointer to the header is passed to the driver as a parameter from the ring 3 app.
The question is just how the driver gets it.
The answer is simple: in IRP.Tail.Overlay.CurrentStackLocation. It is just a value at an offset in the IRP containing the pointer to the header.

Good to know that you made it work.
There was somewhere a kmd.inc file for win32 drivers but I don't know where.
It is not necessary to count the offsets if you have KMD.INC.
Doing drivers is really big fun (and also a really big pain sometimes).
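Added example (C, not code from this thread): the x86 IRP and IO_STACK_LOCATION fields that bcdsys's `io` routine reads by offset and that Feryno's post points to, laid out in plain user-mode C so the offsets can be checked without a kernel. It also answers bcdsys's question of where the DeviceIoControl buffers are: that depends on the transfer method packed into the low two bits of the control code, and for METHOD_NEITHER the pointers are the caller's own and must be treated as untrusted. Struct and helper names are this example's own (not ntddk.h); the request is constructed in a flat array standing in for kernel memory, with 32-bit "addresses" as offsets into it, and the buffer addresses 0x1000 to 0x4000 are arbitrary.

```c
/* Added example, not from the thread: x86 IRP / IO_STACK_LOCATION layout and
 * buffer location per IOCTL transfer method, modelled in user-mode C. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {                      /* x86 IRP, 0x70 bytes; pointers are 32-bit ints here */
    int16_t  Type; uint16_t Size;
    uint32_t MdlAddress;              /* 0x04 MDL for the output buffer (METHOD_*_DIRECT) */
    uint32_t Flags;                   /* 0x08 */
    uint32_t SystemBuffer;            /* 0x0C AssociatedIrp.SystemBuffer: kernel copy (BUFFERED, DIRECT input) */
    uint32_t ThreadListEntry[2];      /* 0x10 */
    int32_t  IoStatus_Status;         /* 0x18 set by the driver before IoCompleteRequest */
    uint32_t IoStatus_Information;    /* 0x1C bytes returned to the caller */
    uint8_t  RequestorMode, PendingReturned, StackCount, CurrentLocation; /* 0x20 */
    uint8_t  Cancel, CancelIrql, ApcEnvironment, AllocationFlags;         /* 0x24 */
    uint32_t UserIosb, UserEvent;     /* 0x28, 0x2C */
    uint32_t Overlay[2];              /* 0x30 */
    uint32_t CancelRoutine;           /* 0x38 */
    uint32_t UserBuffer;              /* 0x3C raw user pointer: output buffer for METHOD_NEITHER */
    uint32_t DriverContext[4];        /* 0x40 Tail.Overlay */
    uint32_t Thread, AuxiliaryBuffer; /* 0x50, 0x54 */
    uint32_t ListEntry[2];            /* 0x58 */
    uint32_t CurrentStackLocation;    /* 0x60 Tail.Overlay.CurrentStackLocation */
    uint32_t OriginalFileObject;      /* 0x64 */
    uint32_t Reserved[2];             /* 0x68 */
} IRP32;

typedef struct {                      /* x86 IO_STACK_LOCATION, 0x24 bytes */
    uint8_t  MajorFunction, MinorFunction, Flags, Control;
    uint32_t OutputBufferLength;      /* 0x04 Parameters.DeviceIoControl */
    uint32_t InputBufferLength;       /* 0x08 */
    uint32_t IoControlCode;           /* 0x0C the value the thread's asm pushes for DbgPrint */
    uint32_t Type3InputBuffer;        /* 0x10 raw user pointer: input buffer for METHOD_NEITHER */
    uint32_t DeviceObject, FileObject, CompletionRoutine, Context; /* 0x14.. */
} IOSL32;

/* Verify the hand-counted offsets before trusting them. */
static int layout_ok(void)
{
    return sizeof(IRP32) == 0x70 && offsetof(IRP32, SystemBuffer) == 0x0C
        && offsetof(IRP32, IoStatus_Status) == 0x18 && offsetof(IRP32, UserBuffer) == 0x3C
        && offsetof(IRP32, CurrentStackLocation) == 0x60
        && sizeof(IOSL32) == 0x24 && offsetof(IOSL32, IoControlCode) == 0x0C
        && offsetof(IOSL32, Type3InputBuffer) == 0x10;
}

/* CTL_CODE packing: DeviceType<<16 | Access<<14 | Function<<2 | Method */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
static uint32_t ctl_code(uint32_t dev, uint32_t fn, uint32_t method, uint32_t access)
{ return (dev << 16) | (access << 14) | (fn << 2) | method; }
static uint32_t ioctl_method(uint32_t code)   { return code & 3; }
static uint32_t ioctl_function(uint32_t code) { return (code >> 2) & 0xFFF; }
static uint32_t ioctl_device(uint32_t code)   { return code >> 16; }

static uint8_t g_mem[0x1000];                  /* stands in for kernel memory; "addresses" are offsets */
enum { IRP_ADDR = 0x100, STACK_ADDR = 0x200 }; /* constructed placement of the sample request */
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, g_mem + a, 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(g_mem + a, &v, 4); }

/* Build one IRP_MJ_DEVICE_CONTROL request as the I/O manager would. Returns the IRP address. */
static uint32_t build_sample_request(uint32_t code)
{
    IRP32 irp = {0}; IOSL32 sp = {0};
    irp.Type = 6; irp.Size = sizeof irp;      /* IO_TYPE_IRP */
    irp.SystemBuffer = 0x1000; irp.MdlAddress = 0x2000; irp.UserBuffer = 0x4000;
    irp.CurrentStackLocation = STACK_ADDR;
    sp.MajorFunction = 0x0E;                  /* IRP_MJ_DEVICE_CONTROL */
    sp.IoControlCode = code; sp.InputBufferLength = 16; sp.OutputBufferLength = 32;
    sp.Type3InputBuffer = 0x3000;
    memcpy(g_mem + IRP_ADDR, &irp, sizeof irp);
    memcpy(g_mem + STACK_ADDR, &sp, sizeof sp);
    return IRP_ADDR;
}

/* The thread's `io` routine, literally: mov eax,[irp] / mov eax,[eax+0x60] / push [eax+0xC] */
static uint32_t ioctl_code_like_asm(uint32_t irp) { return rd32(rd32(irp + 0x60) + 0x0C); }

/* Where this request's input and output data are, by transfer method. BUFFERED: one
 * kernel copy used for both directions. *_DIRECT: SystemBuffer for input, an MDL (to be
 * mapped with MmGetSystemAddressForMdlSafe) for output. NEITHER: the caller's own
 * pointers, which must be probed and touched only under exception protection because
 * user mode controls them. Returns the method. */
static uint32_t locate_buffers(uint32_t irp, uint32_t *in, uint32_t *out)
{
    uint32_t sp = rd32(irp + 0x60), method = ioctl_method(rd32(sp + 0x0C));
    switch (method) {
    case METHOD_BUFFERED:   *in = rd32(irp + 0x0C); *out = rd32(irp + 0x0C); break;
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT: *in = rd32(irp + 0x0C); *out = rd32(irp + 0x04); break;
    default:                *in = rd32(sp + 0x10);  *out = rd32(irp + 0x3C); break;
    }
    return method;
}
static uint32_t buffer_for(uint32_t code, int output)  /* 0 = input address, 1 = output address */
{ uint32_t in, out; locate_buffers(build_sample_request(code), &in, &out); return output ? out : in; }

/* What must happen before IoCompleteRequest: status at +0x18, bytes produced at +0x1C. */
static int32_t complete_request(uint32_t irp, int32_t status, uint32_t info)
{ wr32(irp + 0x18, (uint32_t)status); wr32(irp + 0x1C, info); return status; }

int main(void)
{
    uint32_t code = ctl_code(0x22, 0x800, METHOD_NEITHER, 0); /* FILE_DEVICE_UNKNOWN, FILE_ANY_ACCESS */
    uint32_t irp = build_sample_request(code), in, out, m = locate_buffers(irp, &in, &out);
    printf("layout %s; IOCTL 0x%X: device 0x%X function 0x%X method %u, input@0x%X output@0x%X\n",
           layout_ok() ? "ok" : "WRONG", ioctl_code_like_asm(irp), ioctl_device(code),
           ioctl_function(code), m, in, out);
    complete_request(irp, 0, 0);
    return 0;
}
```

The `0x60` and `0xC` in `ioctl_code_like_asm` are the same constants as in the thread's `io` routine; `locate_buffers` is the lookup bcdsys was asking for, and the METHOD_NEITHER branch is the one where a driver that trusts `Type3InputBuffer` or `UserBuffer` without probing hands user mode an arbitrary kernel read or write.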
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.