订阅
机器狗穿透还原的磁盘级文件读写完整驱动代码
Ewebeditor编辑器各版本
IRP结构
作者:admin 日期:2009-11-09
IRP 是 I/O request packet 的缩写,即 I/O 请求包。驱动与驱动之间通过 IRP 进行通信。而使用驱动的应用层调用的 CreatFile,ReadFile,WriteFile,DeviceIoControl 等函数,说到底也是使用 IRP 和驱动进行通信。
可以这么看这个IRP,这首先是一个定义好的数据结构,里面含有一个叫IO_STACK_LOCATION 结构组成的数组,每个元素是一个IO_STACK_LOCATION 结构,这个结构组成的数组的数量是有你irp包所在的驱动的层数决定的,如果此是所处的驱动程序的层数是2,也就是说下边还有一个驱动程序,数组就有两个IO_STACK_LOCATION 结构,可以用函数PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation( pIrp );得到此时所处驱动的IO_STACK_LOCATION 结构
此为一个IRP的整体结构,其中的Tail部分分为三部分组成,如下图:
其中的Tail.Overlay.currentStackLocation就是一个用 IoGetCurrentIrpStackLocation( pIrp )得到的所处驱动的IO_STACK_LOCATION 结构。
IRP中每个部分都有自己的作用,主要是用于用户层的请求以包驱动的方式带给下边的驱动程序,而一些请求就记录在IRP包中,这样通过函数驱动程序就知道要做什么,怎么做,完成之后怎么传递。由于能力有限目前还是只了解其中几个部分。
以下是一个具体的IRP结构,前边数字代表地址,我自己认为的,供大家参考,地址相同就说明这个是属于的关系,可以算作是结构体里的一部分。
IRP 结构定义如下
struct _IRP (sizeof=112)
00 int16 Type
02 uint16 Size
04 struct _MDL *MdlAddress
08 uint32 Flags
0c union __unnamed14 AssociatedIrp
0c struct _IRP *MasterIrp
0c int32 IrpCount
0c void *SystemBuffer
10 struct _LIST_ENTRY ThreadListEntry
10 struct _LIST_ENTRY *Flink
14 struct _LIST_ENTRY *Blink
18 struct _IO_STATUS_BLOCK IoStatus
18 int32 Status
18 void *Pointer
1c uint32 Information
20 char RequestorMode
21 byte PendingReturned
22 char StackCount
23 char CurrentLocation
24 byte Cancel
25 byte CancelIrql
26 char ApcEnvironment
27 byte AllocationFlags
28 struct _IO_STATUS_BLOCK *UserIosb
2c struct _KEVENT *UserEvent
30 union __unnamed15 Overlay
30 struct __unnamed16 AsynchronousParameters
30 function *UserApcRoutine
34 void *UserApcContext
30 union _LARGE_INTEGER AllocationSize
30 uint32 LowPart
34 int32 HighPart
30 struct __unnamed3 u
30 uint32 LowPart
34 int32 HighPart
30 int64 QuadPart
38 function *CancelRoutine
3c void *UserBuffer
40 union __unnamed17 Tail
40 struct __unnamed18 Overlay
40 struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry
40 struct _LIST_ENTRY DeviceListEntry
40 struct _LIST_ENTRY *Flink
44 struct _LIST_ENTRY *Blink
48 uint32 SortKey
4c byte Inserted
40 void *DriverContext[4]
50 struct _ETHREAD *Thread
54 char *AuxiliaryBuffer
58 struct _LIST_ENTRY ListEntry
58 struct _LIST_ENTRY *Flink
5c struct _LIST_ENTRY *Blink
60 struct _IO_STACK_LOCATION *CurrentStackLocation
60 uint32 PacketType
64 struct _FILE_OBJECT *OriginalFileObject
40 struct _KAPC Apc
40 int16 Type
42 int16 Size
44 uint32 Spare0
48 struct _KTHREAD *Thread
4c struct _LIST_ENTRY ApcListEntry
4c struct _LIST_ENTRY *Flink
50 struct _LIST_ENTRY *Blink
54 function *KernelRoutine
58 function *RundownRoutine
5c function *NormalRoutine
60 void *NormalContext
64 void *SystemArgument1
68 void *SystemArgument2
6c char ApcStateIndex
6d char ApcMode
6e byte Inserted
40 void *CompletionKey
IO_STACK_LOCATION 结构定义如下
struct _IO_STACK_LOCATION (sizeof=36)
00 byte MajorFunction
01 byte MinorFunction
02 byte Flags
03 byte Control
04 union __unnamed19 Parameters
04 struct __unnamed20 Create
04 struct _IO_SECURITY_CONTEXT *SecurityContext
08 uint32 Options
0c uint16 FileAttributes
0e uint16 ShareAccess
10 uint32 EaLength
04 struct __unnamed21 CreatePipe
04 struct _IO_SECURITY_CONTEXT *SecurityContext
08 uint32 Options
0c uint16 Reserved
0e uint16 ShareAccess
10 struct _NAMED_PIPE_Create_PARAMETERS *Parameters
04 struct __unnamed22 CreateMailslot
04 struct _IO_SECURITY_CONTEXT *SecurityContext
08 uint32 Options
0c uint16 Reserved
0e uint16 ShareAccess
10 struct _MAILSLOT_Create_PARAMETERS *Parameters
04 struct __unnamed23 Read
04 uint32 Length
08 uint32 Key
0c union _LARGE_INTEGER ByteOffset
0c uint32 LowPart
10 int32 HighPart
0c struct __unnamed3 u
0c uint32 LowPart
10 int32 HighPart
0c int64 QuadPart
04 struct __unnamed23 Write
04 uint32 Length
08 uint32 Key
0c union _LARGE_INTEGER ByteOffset
0c uint32 LowPart
10 int32 HighPart
0c struct __unnamed3 u
0c uint32 LowPart
10 int32 HighPart
0c int64 QuadPart
04 struct __unnamed24 QueryDirectory
04 uint32 Length
08 struct _STRING *FileName
0c int32 FileInformationClass
10 uint32 FileIndex
04 struct __unnamed25 NotifyDirectory
04 uint32 Length
08 uint32 CompletionFilter
04 struct __unnamed26 QueryFile
04 uint32 Length
08 int32 FileInformationClass
04 struct __unnamed27 SetFile
04 uint32 Length
08 int32 FileInformationClass
0c struct _FILE_OBJECT *FileObject
10 byte ReplaceIfExists
11 byte AdvanceOnly
10 uint32 ClusterCount
10 void *DeleteHandle
04 struct __unnamed28 QueryEa
04 uint32 Length
08 void *EaList
0c uint32 EaListLength
10 uint32 EaIndex
04 struct __unnamed29 SetEa
04 uint32 Length
04 struct __unnamed30 QueryVolume
04 uint32 Length
08 int32 FsInformationClass
04 struct __unnamed30 SetVolume
04 uint32 Length
08 int32 FsInformationClass
04 struct __unnamed31 FileSystemControl
04 uint32 OutputBufferLength
08 uint32 InputBufferLength
0c uint32 FsControlCode
10 void *Type3InputBuffer
04 struct __unnamed32 LockControl
04 union _LARGE_INTEGER *Length
08 uint32 Key
0c union _LARGE_INTEGER ByteOffset
0c uint32 LowPart
10 int32 HighPart
0c struct __unnamed3 u
0c uint32 LowPart
10 int32 HighPart
0c int64 QuadPart
04 struct __unnamed33 DeviceIoControl
04 uint32 OutputBufferLength
08 uint32 InputBufferLength
0c uint32 IoControlCode
10 void *Type3InputBuffer
04 struct __unnamed34 QuerySecurity
04 uint32 SecurityInformation
08 uint32 Length
04 struct __unnamed35 SetSecurity
04 uint32 SecurityInformation
08 void *SecurityDescriptor
04 struct __unnamed36 MountVolume
04 struct _VPB *Vpb
08 struct _DEVICE_OBJECT *DeviceObject
04 struct __unnamed36 VerifyVolume
04 struct _VPB *Vpb
08 struct _DEVICE_OBJECT *DeviceObject
04 struct __unnamed37 Scsi
04 *Srb
04 struct __unnamed38 QueryQuota
04 uint32 Length
08 void *StartSid
0c struct _FILE_GET_QUOTA_INFORMATION *SidList
10 uint32 SidListLength
04 struct __unnamed29 SetQuota
04 uint32 Length
04 struct __unnamed39 QueryDeviceRelations
04 int32 Type
04 struct __unnamed40 QueryInterface
04 struct _GUID *InterfaceType
08 uint16 Size
0a uint16 Version
0c struct _INTERFACE *Interface
10 void *InterfaceSpecificData
04 struct __unnamed41 DeviceCapabilities
04 struct _DEVICE_CAPABILITIES *Capabilities
04 struct __unnamed42 FilterResourceRequirements
04 struct _IO_RESOURCE_REQUIREMENTS_LIST *IoResourceRequirementList
04 struct __unnamed51 ReadWriteConfig
04 uint32 WhichSpace
08 void *Buffer
0c uint32 Offset
10 uint32 Length
04 struct __unnamed52 SetLock
04 byte Lock
04 struct __unnamed53 QueryId
04 int32 IdType
04 struct __unnamed54 QueryDeviceText
04 int32 DeviceTextType
08 uint32 LocaleId
04 struct __unnamed55 UsageNotification
04 byte InPath
05 byte Reserved[3]
08 int32 Type
04 struct __unnamed56 WaitWake
04 int32 PowerState
04 struct __unnamed57 PowerSequence
04 struct _POWER_SEQUENCE *PowerSequence
04 struct __unnamed58 Power
04 uint32 SystemContext
08 int32 Type
0c union _POWER_STATE State
0c int32 SystemState
0c int32 DeviceState
10 int32 ShutdownType
04 struct __unnamed59 StartDevice
04 struct _CM_RESOURCE_LIST *AllocatedResources
08 struct _CM_RESOURCE_LIST *AllocatedR
可以这么看这个IRP,这首先是一个定义好的数据结构,里面含有一个叫IO_STACK_LOCATION 结构组成的数组,每个元素是一个IO_STACK_LOCATION 结构,这个结构组成的数组的数量是有你irp包所在的驱动的层数决定的,如果此是所处的驱动程序的层数是2,也就是说下边还有一个驱动程序,数组就有两个IO_STACK_LOCATION 结构,可以用函数PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation( pIrp );得到此时所处驱动的IO_STACK_LOCATION 结构
此为一个IRP的整体结构,其中的Tail部分分为三部分组成,如下图:
其中的Tail.Overlay.currentStackLocation就是一个用 IoGetCurrentIrpStackLocation( pIrp )得到的所处驱动的IO_STACK_LOCATION 结构。
IRP中每个部分都有自己的作用,主要是用于用户层的请求以包驱动的方式带给下边的驱动程序,而一些请求就记录在IRP包中,这样通过函数驱动程序就知道要做什么,怎么做,完成之后怎么传递。由于能力有限目前还是只了解其中几个部分。
以下是一个具体的IRP结构,前边数字代表地址,我自己认为的,供大家参考,地址相同就说明这个是属于的关系,可以算作是结构体里的一部分。
IRP 结构定义如下
struct _IRP (sizeof=112)
00 int16 Type
02 uint16 Size
04 struct _MDL *MdlAddress
08 uint32 Flags
0c union __unnamed14 AssociatedIrp
0c struct _IRP *MasterIrp
0c int32 IrpCount
0c void *SystemBuffer
10 struct _LIST_ENTRY ThreadListEntry
10 struct _LIST_ENTRY *Flink
14 struct _LIST_ENTRY *Blink
18 struct _IO_STATUS_BLOCK IoStatus
18 int32 Status
18 void *Pointer
1c uint32 Information
20 char RequestorMode
21 byte PendingReturned
22 char StackCount
23 char CurrentLocation
24 byte Cancel
25 byte CancelIrql
26 char ApcEnvironment
27 byte AllocationFlags
28 struct _IO_STATUS_BLOCK *UserIosb
2c struct _KEVENT *UserEvent
30 union __unnamed15 Overlay
30 struct __unnamed16 AsynchronousParameters
30 function *UserApcRoutine
34 void *UserApcContext
30 union _LARGE_INTEGER AllocationSize
30 uint32 LowPart
34 int32 HighPart
30 struct __unnamed3 u
30 uint32 LowPart
34 int32 HighPart
30 int64 QuadPart
38 function *CancelRoutine
3c void *UserBuffer
40 union __unnamed17 Tail
40 struct __unnamed18 Overlay
40 struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry
40 struct _LIST_ENTRY DeviceListEntry
40 struct _LIST_ENTRY *Flink
44 struct _LIST_ENTRY *Blink
48 uint32 SortKey
4c byte Inserted
40 void *DriverContext[4]
50 struct _ETHREAD *Thread
54 char *AuxiliaryBuffer
58 struct _LIST_ENTRY ListEntry
58 struct _LIST_ENTRY *Flink
5c struct _LIST_ENTRY *Blink
60 struct _IO_STACK_LOCATION *CurrentStackLocation
60 uint32 PacketType
64 struct _FILE_OBJECT *OriginalFileObject
40 struct _KAPC Apc
40 int16 Type
42 int16 Size
44 uint32 Spare0
48 struct _KTHREAD *Thread
4c struct _LIST_ENTRY ApcListEntry
4c struct _LIST_ENTRY *Flink
50 struct _LIST_ENTRY *Blink
54 function *KernelRoutine
58 function *RundownRoutine
5c function *NormalRoutine
60 void *NormalContext
64 void *SystemArgument1
68 void *SystemArgument2
6c char ApcStateIndex
6d char ApcMode
6e byte Inserted
40 void *CompletionKey
IO_STACK_LOCATION 结构定义如下
struct _IO_STACK_LOCATION (sizeof=36)
00 byte MajorFunction
01 byte MinorFunction
02 byte Flags
03 byte Control
04 union __unnamed19 Parameters
04 struct __unnamed20 Create
04 struct _IO_SECURITY_CONTEXT *SecurityContext
08 uint32 Options
0c uint16 FileAttributes
0e uint16 ShareAccess
10 uint32 EaLength
04 struct __unnamed21 CreatePipe
04 struct _IO_SECURITY_CONTEXT *SecurityContext
08 uint32 Options
0c uint16 Reserved
0e uint16 ShareAccess
10 struct _NAMED_PIPE_Create_PARAMETERS *Parameters
04 struct __unnamed22 CreateMailslot
04 struct _IO_SECURITY_CONTEXT *SecurityContext
08 uint32 Options
0c uint16 Reserved
0e uint16 ShareAccess
10 struct _MAILSLOT_Create_PARAMETERS *Parameters
04 struct __unnamed23 Read
04 uint32 Length
08 uint32 Key
0c union _LARGE_INTEGER ByteOffset
0c uint32 LowPart
10 int32 HighPart
0c struct __unnamed3 u
0c uint32 LowPart
10 int32 HighPart
0c int64 QuadPart
04 struct __unnamed23 Write
04 uint32 Length
08 uint32 Key
0c union _LARGE_INTEGER ByteOffset
0c uint32 LowPart
10 int32 HighPart
0c struct __unnamed3 u
0c uint32 LowPart
10 int32 HighPart
0c int64 QuadPart
04 struct __unnamed24 QueryDirectory
04 uint32 Length
08 struct _STRING *FileName
0c int32 FileInformationClass
10 uint32 FileIndex
04 struct __unnamed25 NotifyDirectory
04 uint32 Length
08 uint32 CompletionFilter
04 struct __unnamed26 QueryFile
04 uint32 Length
08 int32 FileInformationClass
04 struct __unnamed27 SetFile
04 uint32 Length
08 int32 FileInformationClass
0c struct _FILE_OBJECT *FileObject
10 byte ReplaceIfExists
11 byte AdvanceOnly
10 uint32 ClusterCount
10 void *DeleteHandle
04 struct __unnamed28 QueryEa
04 uint32 Length
08 void *EaList
0c uint32 EaListLength
10 uint32 EaIndex
04 struct __unnamed29 SetEa
04 uint32 Length
04 struct __unnamed30 QueryVolume
04 uint32 Length
08 int32 FsInformationClass
04 struct __unnamed30 SetVolume
04 uint32 Length
08 int32 FsInformationClass
04 struct __unnamed31 FileSystemControl
04 uint32 OutputBufferLength
08 uint32 InputBufferLength
0c uint32 FsControlCode
10 void *Type3InputBuffer
04 struct __unnamed32 LockControl
04 union _LARGE_INTEGER *Length
08 uint32 Key
0c union _LARGE_INTEGER ByteOffset
0c uint32 LowPart
10 int32 HighPart
0c struct __unnamed3 u
0c uint32 LowPart
10 int32 HighPart
0c int64 QuadPart
04 struct __unnamed33 DeviceIoControl
04 uint32 OutputBufferLength
08 uint32 InputBufferLength
0c uint32 IoControlCode
10 void *Type3InputBuffer
04 struct __unnamed34 QuerySecurity
04 uint32 SecurityInformation
08 uint32 Length
04 struct __unnamed35 SetSecurity
04 uint32 SecurityInformation
08 void *SecurityDescriptor
04 struct __unnamed36 MountVolume
04 struct _VPB *Vpb
08 struct _DEVICE_OBJECT *DeviceObject
04 struct __unnamed36 VerifyVolume
04 struct _VPB *Vpb
08 struct _DEVICE_OBJECT *DeviceObject
04 struct __unnamed37 Scsi
04 *Srb
04 struct __unnamed38 QueryQuota
04 uint32 Length
08 void *StartSid
0c struct _FILE_GET_QUOTA_INFORMATION *SidList
10 uint32 SidListLength
04 struct __unnamed29 SetQuota
04 uint32 Length
04 struct __unnamed39 QueryDeviceRelations
04 int32 Type
04 struct __unnamed40 QueryInterface
04 struct _GUID *InterfaceType
08 uint16 Size
0a uint16 Version
0c struct _INTERFACE *Interface
10 void *InterfaceSpecificData
04 struct __unnamed41 DeviceCapabilities
04 struct _DEVICE_CAPABILITIES *Capabilities
04 struct __unnamed42 FilterResourceRequirements
04 struct _IO_RESOURCE_REQUIREMENTS_LIST *IoResourceRequirementList
04 struct __unnamed51 ReadWriteConfig
04 uint32 WhichSpace
08 void *Buffer
0c uint32 Offset
10 uint32 Length
04 struct __unnamed52 SetLock
04 byte Lock
04 struct __unnamed53 QueryId
04 int32 IdType
04 struct __unnamed54 QueryDeviceText
04 int32 DeviceTextType
08 uint32 LocaleId
04 struct __unnamed55 UsageNotification
04 byte InPath
05 byte Reserved[3]
08 int32 Type
04 struct __unnamed56 WaitWake
04 int32 PowerState
04 struct __unnamed57 PowerSequence
04 struct _POWER_SEQUENCE *PowerSequence
04 struct __unnamed58 Power
04 uint32 SystemContext
08 int32 Type
0c union _POWER_STATE State
0c int32 SystemState
0c int32 DeviceState
10 int32 ShutdownType
04 struct __unnamed59 StartDevice
04 struct _CM_RESOURCE_LIST *AllocatedResources
08 struct _CM_RESOURCE_LIST *AllocatedR
文章来自: 
Tags: 评论: 0 | 查看次数: 7014
