x64.moe

Finding IRP dispatch routine

October 12, 2019

Environment

  • Windows 10
  • In VM
  • Attached Windbg

How to finding

First, show deviceobject structures

kd> !drvobj DeviceObj 7
Driver object (ffffa3828a49b060) is for:
 \Driver\DeviceObj

Driver Extension List: (id , addr)

Device Object list:
ffffa3828c2869f0

DriverEntry:   fffff80043a55064 DeviceObj
DriverStartIo: 00000000
DriverUnload:  fffff800439d1950 DeviceObj
AddDevice:     00000000

Dispatch routines:
[00] IRP_MJ_CREATE                      fffff800439d4ff0        DeviceObj+0x4ff0
[01] IRP_MJ_CREATE_NAMED_PIPE           fffff800439d4ff0        DeviceObj+0x4ff0
[02] IRP_MJ_CLOSE                       fffff800439d4ff0        DeviceObj+0x4ff0
[03] IRP_MJ_READ                        fffff800439d4ff0        DeviceObj+0x4ff0
[04] IRP_MJ_WRITE                       fffff800439d4ff0        DeviceObj+0x4ff0
[05] IRP_MJ_QUERY_INFORMATION           fffff800439d4ff0        DeviceObj+0x4ff0
[06] IRP_MJ_SET_INFORMATION             fffff800439d4ff0        DeviceObj+0x4ff0
[07] IRP_MJ_QUERY_EA                    fffff800439d4ff0        DeviceObj+0x4ff0
[08] IRP_MJ_SET_EA                      fffff800439d4ff0        DeviceObj+0x4ff0
[09] IRP_MJ_FLUSH_BUFFERS               fffff800439d4ff0        DeviceObj+0x4ff0
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    fffff800439d4ff0        DeviceObj+0x4ff0
[0b] IRP_MJ_SET_VOLUME_INFORMATION      fffff800439d4ff0        DeviceObj+0x4ff0
[0c] IRP_MJ_DIRECTORY_CONTROL           fffff800439d4ff0        DeviceObj+0x4ff0
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         fffff800439d4ff0        DeviceObj+0x4ff0
[0e] IRP_MJ_DEVICE_CONTROL              fffff800439d5020        DeviceObj+0x5020
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     fffff800439d4ff0        DeviceObj+0x4ff0
[10] IRP_MJ_SHUTDOWN                    fffff800439d4ff0        DeviceObj+0x4ff0
[11] IRP_MJ_LOCK_CONTROL                fffff800439d4ff0        DeviceObj+0x4ff0
[12] IRP_MJ_CLEANUP                     fffff800439d4ff0        DeviceObj+0x4ff0
[13] IRP_MJ_CREATE_MAILSLOT             fffff800439d4ff0        DeviceObj+0x4ff0
[14] IRP_MJ_QUERY_SECURITY              fffff800439d4ff0        DeviceObj+0x4ff0
[15] IRP_MJ_SET_SECURITY                fffff800439d4ff0        DeviceObj+0x4ff0
[16] IRP_MJ_POWER                       fffff800439d4ff0        DeviceObj+0x4ff0
[17] IRP_MJ_SYSTEM_CONTROL              fffff800439d4ff0        DeviceObj+0x4ff0
[18] IRP_MJ_DEVICE_CHANGE               fffff800439d4ff0        DeviceObj+0x4ff0
[19] IRP_MJ_QUERY_QUOTA                 fffff800439d4ff0        DeviceObj+0x4ff0
[1a] IRP_MJ_SET_QUOTA                   fffff800439d4ff0        DeviceObj+0x4ff0
[1b] IRP_MJ_PNP                         fffff800463238f0        nt!IopInvalidDeviceRequest


Device Object stacks:

!devstack ffffa3828c2869f0 :
  !DevObj           !DrvObj            !DevExt           ObjectName
> ffffa3828c2869f0  \Driver\DeviceObj   00000000  DeviceObj

IRPMJDEVICECONTROL is IRPDispatchRoutine. IRPMJDEVICECONTROL is IOSTACK_LOCATION IOCTL dispatch routine defined in the follow structre.

NTSTATES Dispatch DeviceControl {
  __in struct _DEVICE_OBJECT *DeviceObject,
  __in struct _IRP *Irp
}

_IRP is structure of IRP(I/O request packet) structures pointer.

kd> dt -v -r 3 _IRP
nt!_IRP
struct _IRP, 23 elements, 0xd0 bytes
   +0x000 Type             : ??
   +0x002 Size             : ??
   +0x004 AllocationProcessorNumber : ??
   +0x006 Reserved         : ??
   +0x008 MdlAddress       : ???? 
   +0x010 Flags            : ??
   +0x018 AssociatedIrp    : union <anonymous-tag>, 3 elements, 0x8 bytes
      +0x000 MasterIrp        : ???? 
      +0x000 IrpCount         : ??
      +0x000 SystemBuffer     : ???? 
   +0x020 ThreadListEntry  : struct _LIST_ENTRY, 2 elements, 0x10 bytes
      +0x000 Flink            : ???? 
      +0x008 Blink            : ???? 
   +0x030 IoStatus         : struct _IO_STATUS_BLOCK, 3 elements, 0x10 bytes
      +0x000 Status           : ??
      +0x000 Pointer          : ???? 
      +0x008 Information      : ??
   +0x040 RequestorMode    : ??
   +0x041 PendingReturned  : ??
   +0x042 StackCount       : ??
   +0x043 CurrentLocation  : ??
   +0x044 Cancel           : ??
   +0x045 CancelIrql       : ??
   +0x046 ApcEnvironment   : ??
   +0x047 AllocationFlags  : ??
   +0x048 UserIosb         : ???? 
   +0x050 UserEvent        : ???? 
   +0x058 Overlay          : union <anonymous-tag>, 2 elements, 0x10 bytes
      +0x000 AsynchronousParameters : struct <anonymous-tag>, 3 elements, 0x10 bytes
         +0x000 UserApcRoutine   : ???? 
         +0x000 IssuingProcess   : ???? 
         +0x008 UserApcContext   : ???? 
      +0x000 AllocationSize   : union _LARGE_INTEGER, 4 elements, 0x8 bytes
         +0x000 LowPart          : ??
         +0x004 HighPart         : ??
         +0x000 u                : struct <anonymous-tag>, 2 elements, 0x8 bytes
         +0x000 QuadPart         : ??
   +0x068 CancelRoutine    : ???? 
   +0x070 UserBuffer       : ???? 
   +0x078 Tail             : union <anonymous-tag>, 3 elements, 0x58 bytes
      +0x000 Overlay          : struct <anonymous-tag>, 9 elements, 0x58 bytes
         +0x000 DeviceQueueEntry : struct _KDEVICE_QUEUE_ENTRY, 3 elements, 0x18 bytes
         +0x000 DriverContext    : [4] ???? 
         +0x020 Thread           : ???? 
         +0x028 AuxiliaryBuffer  : ???? 
         +0x030 ListEntry        : struct _LIST_ENTRY, 2 elements, 0x10 bytes
         +0x040 CurrentStackLocation : ???? 
         +0x040 PacketType       : ??
         +0x048 OriginalFileObject : ???? 
         +0x050 IrpExtension     : ???? 
      +0x000 Apc              : struct _KAPC, 17 elements, 0x58 bytes
         +0x000 Type             : ??
         +0x001 SpareByte0       : ??
         +0x002 Size             : ??
         +0x003 SpareByte1       : ??
         +0x004 SpareLong0       : ??
         +0x008 Thread           : ???? 
         +0x010 ApcListEntry     : struct _LIST_ENTRY, 2 elements, 0x10 bytes
         +0x020 KernelRoutine    : ???? 
         +0x028 RundownRoutine   : ???? 
         +0x030 NormalRoutine    : ???? 
         +0x020 Reserved         : [3] ???? 
         +0x038 NormalContext    : ???? 
         +0x040 SystemArgument1  : ???? 
         +0x048 SystemArgument2  : ???? 
         +0x050 ApcStateIndex    : ??
         +0x051 ApcMode          : ??
         +0x052 Inserted         : ??
      +0x000 CompletionKey    : ???? 
Memory read error 000000000000007b

offset 0xb8 (=0x078+0x40), this location stored CurrentStackLocation. CurrentStackLocation’s type is IOSTACK_LOCATION

kd> dt -v -r 3 _IO_STACK_LOCATION
nt!_IO_STACK_LOCATION
struct _IO_STACK_LOCATION, 9 elements, 0x48 bytes
   +0x000 MajorFunction    : ??
   +0x001 MinorFunction    : ??
   +0x002 Flags            : ??
   +0x003 Control          : ??
   +0x008 Parameters       : union <anonymous-tag>, 39 elements, 0x20 bytes
      +0x000 Create           : struct <anonymous-tag>, 5 elements, 0x20 bytes
         +0x000 SecurityContext  : ???? 
         +0x008 Options          : ??
         +0x010 FileAttributes   : ??
         +0x012 ShareAccess      : ??
         +0x018 EaLength         : ??
      +0x000 CreatePipe       : struct <anonymous-tag>, 5 elements, 0x20 bytes
         +0x000 SecurityContext  : ???? 
         +0x008 Options          : ??
         +0x010 Reserved         : ??
         +0x012 ShareAccess      : ??
         +0x018 Parameters       : ???? 
      +0x000 CreateMailslot   : struct <anonymous-tag>, 5 elements, 0x20 bytes
         +0x000 SecurityContext  : ???? 
         +0x008 Options          : ??
         +0x010 Reserved         : ??
         +0x012 ShareAccess      : ??
         +0x018 Parameters       : ???? 
      +0x000 Read             : struct <anonymous-tag>, 4 elements, 0x18 bytes
         +0x000 Length           : ??
         +0x008 Key              : ??
         +0x00c Flags            : ??
         +0x010 ByteOffset       : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 Write            : struct <anonymous-tag>, 4 elements, 0x18 bytes
         +0x000 Length           : ??
         +0x008 Key              : ??
         +0x00c Flags            : ??
         +0x010 ByteOffset       : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 QueryDirectory   : struct <anonymous-tag>, 4 elements, 0x20 bytes
         +0x000 Length           : ??
         +0x008 FileName         : ???? 
         +0x010 FileInformationClass : Enum _FILE_INFORMATION_CLASS,  76 total enums
??
         +0x018 FileIndex        : ??
      +0x000 NotifyDirectory  : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 Length           : ??
         +0x008 CompletionFilter : ??
      +0x000 NotifyDirectoryEx : struct <anonymous-tag>, 3 elements, 0x18 bytes
         +0x000 Length           : ??
         +0x008 CompletionFilter : ??
         +0x010 DirectoryNotifyInformationClass : Enum _DIRECTORY_NOTIFY_INFORMATION_CLASS,  2 total enums
??
      +0x000 QueryFile        : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 Length           : ??
         +0x008 FileInformationClass : Enum _FILE_INFORMATION_CLASS,  76 total enums
??
      +0x000 SetFile          : struct <anonymous-tag>, 7 elements, 0x20 bytes
         +0x000 Length           : ??
         +0x008 FileInformationClass : Enum _FILE_INFORMATION_CLASS,  76 total enums
??
         +0x010 FileObject       : ???? 
         +0x018 ReplaceIfExists  : ??
         +0x019 AdvanceOnly      : ??
         +0x018 ClusterCount     : ??
         +0x018 DeleteHandle     : ???? 
      +0x000 QueryEa          : struct <anonymous-tag>, 4 elements, 0x20 bytes
         +0x000 Length           : ??
         +0x008 EaList           : ???? 
         +0x010 EaListLength     : ??
         +0x018 EaIndex          : ??
      +0x000 SetEa            : struct <anonymous-tag>, 1 elements, 0x4 bytes
         +0x000 Length           : ??
      +0x000 QueryVolume      : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 Length           : ??
         +0x008 FsInformationClass : Enum _FSINFOCLASS,  15 total enums
??
      +0x000 SetVolume        : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 Length           : ??
         +0x008 FsInformationClass : Enum _FSINFOCLASS,  15 total enums
??
      +0x000 FileSystemControl : struct <anonymous-tag>, 4 elements, 0x20 bytes
         +0x000 OutputBufferLength : ??
         +0x008 InputBufferLength : ??
         +0x010 FsControlCode    : ??
         +0x018 Type3InputBuffer : ???? 
      +0x000 LockControl      : struct <anonymous-tag>, 3 elements, 0x18 bytes
         +0x000 Length           : ???? 
         +0x008 Key              : ??
         +0x010 ByteOffset       : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 DeviceIoControl  : struct <anonymous-tag>, 4 elements, 0x20 bytes
         +0x000 OutputBufferLength : ??
         +0x008 InputBufferLength : ??
         +0x010 IoControlCode    : ??
         +0x018 Type3InputBuffer : ???? 
      +0x000 QuerySecurity    : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 SecurityInformation : ??
         +0x008 Length           : ??
      +0x000 SetSecurity      : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 SecurityInformation : ??
         +0x008 SecurityDescriptor : ???? 
      +0x000 MountVolume      : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 Vpb              : ???? 
         +0x008 DeviceObject     : ???? 
      +0x000 VerifyVolume     : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 Vpb              : ???? 
         +0x008 DeviceObject     : ???? 
      +0x000 Scsi             : struct <anonymous-tag>, 1 elements, 0x8 bytes
         +0x000 Srb              : ???? 
      +0x000 QueryQuota       : struct <anonymous-tag>, 4 elements, 0x20 bytes
         +0x000 Length           : ??
         +0x008 StartSid         : ???? 
         +0x010 SidList          : ???? 
         +0x018 SidListLength    : ??
      +0x000 SetQuota         : struct <anonymous-tag>, 1 elements, 0x4 bytes
         +0x000 Length           : ??
      +0x000 QueryDeviceRelations : struct <anonymous-tag>, 1 elements, 0x4 bytes
         +0x000 Type             : Enum _DEVICE_RELATION_TYPE,  7 total enums
??
      +0x000 QueryInterface   : struct <anonymous-tag>, 5 elements, 0x20 bytes
         +0x000 InterfaceType    : ???? 
         +0x008 Size             : ??
         +0x00a Version          : ??
         +0x010 Interface        : ???? 
         +0x018 InterfaceSpecificData : ???? 
      +0x000 DeviceCapabilities : struct <anonymous-tag>, 1 elements, 0x8 bytes
         +0x000 Capabilities     : ???? 
      +0x000 FilterResourceRequirements : struct <anonymous-tag>, 1 elements, 0x8 bytes
         +0x000 IoResourceRequirementList : ???? 
      +0x000 ReadWriteConfig  : struct <anonymous-tag>, 4 elements, 0x20 bytes
         +0x000 WhichSpace       : ??
         +0x008 Buffer           : ???? 
         +0x010 Offset           : ??
         +0x018 Length           : ??
      +0x000 SetLock          : struct <anonymous-tag>, 1 elements, 0x1 bytes
         +0x000 Lock             : ??
      +0x000 QueryId          : struct <anonymous-tag>, 1 elements, 0x4 bytes
         +0x000 IdType           : Enum BUS_QUERY_ID_TYPE,  6 total enums
??
      +0x000 QueryDeviceText  : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 DeviceTextType   : Enum DEVICE_TEXT_TYPE,  2 total enums
??
         +0x008 LocaleId         : ??
      +0x000 UsageNotification : struct <anonymous-tag>, 3 elements, 0x10 bytes
         +0x000 InPath           : ??
         +0x001 Reserved         : [3]  "--- memory read error at address 0x00000000`0000000c ---"
         +0x008 Type             : Enum _DEVICE_USAGE_NOTIFICATION_TYPE,  7 total enums
??
      +0x000 WaitWake         : struct <anonymous-tag>, 1 elements, 0x4 bytes
         +0x000 PowerState       : Enum _SYSTEM_POWER_STATE,  8 total enums
??
      +0x000 PowerSequence    : struct <anonymous-tag>, 1 elements, 0x8 bytes
         +0x000 PowerSequence    : ???? 
      +0x000 Power            : struct <anonymous-tag>, 5 elements, 0x20 bytes
         +0x000 SystemContext    : ??
         +0x000 SystemPowerStateContext : struct _SYSTEM_POWER_STATE_CONTEXT, 10 elements, 0x4 bytes
         +0x008 Type             : Enum _POWER_STATE_TYPE,  2 total enums
??
         +0x010 State            : union _POWER_STATE, 2 elements, 0x4 bytes
         +0x018 ShutdownType     : Enum POWER_ACTION,  9 total enums
??
      +0x000 StartDevice      : struct <anonymous-tag>, 2 elements, 0x10 bytes
         +0x000 AllocatedResources : ???? 
         +0x008 AllocatedResourcesTranslated : ???? 
      +0x000 WMI              : struct <anonymous-tag>, 4 elements, 0x20 bytes
         +0x000 ProviderId       : ??
         +0x008 DataPath         : ???? 
         +0x010 BufferSize       : ??
         +0x018 Buffer           : ???? 
      +0x000 Others           : struct <anonymous-tag>, 4 elements, 0x20 bytes
         +0x000 Argument1        : ???? 
         +0x008 Argument2        : ???? 
         +0x010 Argument3        : ???? 
         +0x018 Argument4        : ???? 
   +0x028 DeviceObject     : ???? 
   +0x030 FileObject       : ???? 
   +0x038 CompletionRoutine : ???? 
   +0x040 Context          : ???? 
Memory read error 0000000000000043

IOSTACK_LOCATION is stored IoControlCode, inputBuffer, inputBufferSize, outputBuffer and outputBufferSize.

If you are finding IOCTL dispatch routine, please refer to this article :)


FAMASoon

Written by FAMASoon. Twitter/GitHub