
When the WinDbg !drvobj extension command fails...

As the title says: what do you do when the "!drvobj" command fails? I ran into this while debugging the DDK sample driver wdffeatured. The symptoms are as follows:

kd> lml
start    end        module name
8201e000 82082000   hal        (private pdb symbols)  D:\symbols\win10Rs2x86\halmacpi.pdb\4E9BD9D216E244095545EAFA3EF6563F1\halmacpi.pdb
82082000 82703000   nt         (private pdb symbols)  D:\symbols\win10Rs2x86\ntkrpamp.pdb\70298DDA981447F18AE18C7DF819303A1\ntkrpamp.pdb
85e60000 85f53000   mcupdate_GenuineIntel   (pdb symbols) D:\symbols\win10Rs2x86\mcupdate_GenuineIntel.pdb\FB614FE599FDFA11D5E1125EEC6DF07A1\mcupdate_GenuineIntel.pdb  
a8220000 a822a000   wdffeatured   (private pdb symbols)  c:\winddk\windows-driver-samples-master\general\toaster\toastdrv\kmdf\func\featured\debug\wdffeatured.pdb
           

Don't suspect a symbol mismatch: lml clearly reports that matching symbols are loaded. Yet the "!drvobj" output is disappointing:

kd> !drvobj wdffeatured
Driver object (a8220000) is for:
a8220000: is not a driver object
           

Note the address the extension tried, a8220000: it is exactly the module start address that lml reported for wdffeatured, so the argument was evaluated as a symbol expression (the module name) rather than looked up as a driver name, and the extension's sanity check then rejected the image base as not being a driver object. The page does not try the full object-manager name (\Driver\wdffeatured, which the successful output later shows), so that is worth a try before taking the long way round. At first I thought WinDbg had poor support for 32-bit WDF drivers, so I asked a colleague to help verify my guess; obviously I guessed wrong! What then? Try an indirect route: !wdfdriverinfo can display the driver's WDFDRIVER handle value:

kd> !wdfkd.wdfdriverinfo  wdffeatured
----------------------------------
Default driver image name: wdffeatured
WDF library image name: Wdf01000
 FxDriverGlobals  0xa5bef778
 WdfBindInfo      0xa822404c
   Version        v1.15 build(0000)
----------------------------------
WDFDRIVER: 0x4f59f678  ;<--------- handle value

    !WDFDEVICE 0x5a412d88 (FDO)
        Pnp/Power State: WdfDevStatePnpStarted, WdfDevStatePowerDx, WdfDevStatePwrPolWaitingUnarmed
        context:  dt 0xa5bed400 FDO_DATA (size is 0x28 bytes)
        EvtCleanupCallback a8225380 wdffeatured!ToasterEvtDeviceContextCleanup
           

Use !wdfhandle on the handle value to obtain the framework object address:

kd> !wdfhandle 0x4f59f678 ;<---- handle value obtained from !wdfdriverinfo in the previous step

Dumping WDFHANDLE 0x4f59f678
=============================
Handle type is WDFDRIVER
Refcount: 1
Contexts:
    <no associated contexts or attribute callbacks>

!wdfobject 0xb0a60980 
kd> !wdfobject 0xb0a60980 ;<----- FxDriver object address

The type for object 0xb0a60980 is FxDriver
State: FxObjectStateCreated (0x1)
!wdfhandle 0x4f59f678

dt FxDriver 0xb0a60980

Contexts:
    <no associated contexts or attribute callbacks>
           

FxDriver stores the DRIVER_OBJECT pointer, so the target is now close:

kd> dt FxDriver 0xb0a60980
Wdf01000!FxDriver
   +0x044 m_DriverObject   : MxDriverObject ; these two members look exactly like the DriverEntry parameters!
   +0x048 m_RegistryPath   : _UNICODE_STRING "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdffeatured"
  
           

FxDriver+0x44 holds an MxDriverObject, a framework wrapper class that is embedded inline and whose only member is the DRIVER_OBJECT pointer. So the address 0xb0a60980+0x44 is not the DRIVER_OBJECT itself; one memory read at that address yields the pointer:

kd> dd 0xb0a60980+0x44 L4
b0a609c4  8e54baf8 00780076 ae984c38 b5bc8801
kd> dt MxDriverObject 8e54baf8 
Wdf01000!MxDriverObject
   +0x000 m_DriverObject   : 0x00a80004 _DRIVER_OBJECT
           

The first dword at +0x44, 8e54baf8, is the DRIVER_OBJECT address (and it looks plausible). The `dt MxDriverObject 8e54baf8` step above applies the wrapper type to the driver object itself, so the 0x00a80004 it prints is not a pointer: it is the first dword of the DRIVER_OBJECT, Type = 0x0004 (IO_TYPE_DRIVER) and Size = 0x00a8 (sizeof(DRIVER_OBJECT) on 32-bit Windows), which is itself good evidence that 8e54baf8 is a driver object. Running dt with MxDriverObject at 0xb0a60980+0x44 instead would show m_DriverObject : 0x8e54baf8 directly. Now try !drvobj again with that address; the effort was not wasted, and the goal is reached by a roundabout route:

kd> !drvobj 8e54baf8 7
Driver object (8e54baf8) is for:
 \Driver\wdffeatured
Driver Extension List: (id , addr)
(862ecd8a a4a06068)  
Device Object list:
b0a90390  

DriverEntry:   a82224e0	wdffeatured!FxDriverEntry
DriverStartIo: 00000000	
DriverUnload:  a82225cc	wdffeatured!FxStubDriverUnload
AddDevice:     862b09de	Wdf01000!FxDriver::AddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      862918a0	Wdf01000!FxDevice::DispatchWithLock
[01] IRP_MJ_CREATE_NAMED_PIPE           862918a0	Wdf01000!FxDevice::DispatchWithLock
[02] IRP_MJ_CLOSE                       862918a0	Wdf01000!FxDevice::DispatchWithLock
[03] IRP_MJ_READ                        862918a0	Wdf01000!FxDevice::DispatchWithLock
[04] IRP_MJ_WRITE                       862918a0	Wdf01000!FxDevice::DispatchWithLock
[05] IRP_MJ_QUERY_INFORMATION           862918a0	Wdf01000!FxDevice::DispatchWithLock
[06] IRP_MJ_SET_INFORMATION             862918a0	Wdf01000!FxDevice::DispatchWithLock
[07] IRP_MJ_QUERY_EA                    862918a0	Wdf01000!FxDevice::DispatchWithLock
[08] IRP_MJ_SET_EA                      862918a0	Wdf01000!FxDevice::DispatchWithLock
[09] IRP_MJ_FLUSH_BUFFERS               862918a0	Wdf01000!FxDevice::DispatchWithLock
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    862918a0	Wdf01000!FxDevice::DispatchWithLock
[0b] IRP_MJ_SET_VOLUME_INFORMATION      862918a0	Wdf01000!FxDevice::DispatchWithLock
[0c] IRP_MJ_DIRECTORY_CONTROL           862918a0	Wdf01000!FxDevice::DispatchWithLock
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         862918a0	Wdf01000!FxDevice::DispatchWithLock
[0e] IRP_MJ_DEVICE_CONTROL              862918a0	Wdf01000!FxDevice::DispatchWithLock
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     862918a0	Wdf01000!FxDevice::DispatchWithLock
[10] IRP_MJ_SHUTDOWN                    862918a0	Wdf01000!FxDevice::DispatchWithLock
[11] IRP_MJ_LOCK_CONTROL                862918a0	Wdf01000!FxDevice::DispatchWithLock
[12] IRP_MJ_CLEANUP                     862918a0	Wdf01000!FxDevice::DispatchWithLock
[13] IRP_MJ_CREATE_MAILSLOT             862918a0	Wdf01000!FxDevice::DispatchWithLock
[14] IRP_MJ_QUERY_SECURITY              862918a0	Wdf01000!FxDevice::DispatchWithLock
[15] IRP_MJ_SET_SECURITY                862918a0	Wdf01000!FxDevice::DispatchWithLock
[16] IRP_MJ_POWER                       862918a0	Wdf01000!FxDevice::DispatchWithLock
[17] IRP_MJ_SYSTEM_CONTROL              862918a0	Wdf01000!FxDevice::DispatchWithLock
[18] IRP_MJ_DEVICE_CHANGE               862918a0	Wdf01000!FxDevice::DispatchWithLock
[19] IRP_MJ_QUERY_QUOTA                 862918a0	Wdf01000!FxDevice::DispatchWithLock
[1a] IRP_MJ_SET_QUOTA                   862918a0	Wdf01000!FxDevice::DispatchWithLock
[1b] IRP_MJ_PNP                         862918a0	Wdf01000!FxDevice::DispatchWithLock
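The two things that drove this detour, the "is not a driver object" rejection of the module base and the single pointer inside the MxDriverObject wrapper at FxDriver+0x44, are easy to get wrong from memory, so here is a small mock of both. This is an added example, not code from the original post or from the Windows kernel or Wdf01000; the struct layouts reproduce only the fields the page shows, the 0xa8 size is the value observed in the page's 32-bit dump, and which check !drvobj really applies is not shown on the page (the mock uses the Type/Size header fields, the obvious one). The "MZ" bytes at the image base are the PE DOS header that every mapped driver image starts with.

```c
/*
 * Added example (not from the original post): a mock of the header check that
 * makes !drvobj say "is not a driver object", plus the one-dereference rule for
 * the MxDriverObject wrapper at FxDriver+0x44. Layouts are mocks of the fields
 * the page shows, not the real ntddk.h / Wdf01000 definitions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_TYPE_DRIVER 4               /* DRIVER_OBJECT.Type for a driver object     */
#define X86_DRIVER_OBJECT_SIZE 0xa8    /* Size field seen in the page's 32-bit dump  */

/* Mock of the start of nt!_DRIVER_OBJECT: Type and Size come first. Together they
 * form the dword 0x00a80004 that "dt MxDriverObject 8e54baf8" printed on the page. */
typedef struct {
    int16_t Type;
    int16_t Size;
    uint8_t rest[X86_DRIVER_OBJECT_SIZE - 4];   /* remaining fields, unused here */
} mock_driver_object;

/* Mock of Wdf01000!MxDriverObject: a single pointer, embedded inline in FxDriver. */
typedef struct {
    mock_driver_object *m_DriverObject;
} mock_mx_driver_object;

/* Split the first dword of a candidate object into its Type and Size halves. */
uint16_t header_type(uint32_t first_dword) { return (uint16_t)(first_dword & 0xffffu); }
uint16_t header_size(uint32_t first_dword) { return (uint16_t)(first_dword >> 16); }

/* Sanity check: a driver object carries IO_TYPE_DRIVER and the platform's
 * DRIVER_OBJECT size. A PE image base fails because it starts with "MZ". */
bool looks_like_driver_object(const void *candidate, uint16_t expected_size) {
    uint32_t first;
    memcpy(&first, candidate, sizeof first);
    return header_type(first) == IO_TYPE_DRIVER && header_size(first) == expected_size;
}

/* Reading the pointer out of the wrapper: one load, no second dereference. */
mock_driver_object *driver_object_from_wrapper(const mock_mx_driver_object *w) {
    return w->m_DriverObject;
}

/* --- constructed inputs standing in for the addresses on the page --- */
static mock_driver_object g_dobj;                                  /* stands in for 8e54baf8       */
static mock_mx_driver_object g_wrapper;                            /* stands in for b0a60980+0x44  */
static const uint8_t g_image_base[64] = { 'M', 'Z', 0x90, 0x00 };  /* stands in for a8220000       */

static void build_mocks(void) {
    memset(&g_dobj, 0, sizeof g_dobj);
    g_dobj.Type = IO_TYPE_DRIVER;
    g_dobj.Size = X86_DRIVER_OBJECT_SIZE;
    g_wrapper.m_DriverObject = &g_dobj;
}

/* The real driver object passes the check: what "!drvobj 8e54baf8 7" relied on. */
bool real_object_passes(void) {
    build_mocks();
    return looks_like_driver_object(&g_dobj, X86_DRIVER_OBJECT_SIZE);
}

/* The module base fails it: what "!drvobj wdffeatured" hit once the name
 * evaluated to the image base instead of a driver object. */
bool image_base_passes(void) {
    return looks_like_driver_object(g_image_base, X86_DRIVER_OBJECT_SIZE);
}

/* One dereference of the inline wrapper yields the driver object. */
bool wrapper_yields_driver_object(void) {
    build_mocks();
    return driver_object_from_wrapper(&g_wrapper) == &g_dobj;
}

/* What "dt MxDriverObject <driver object>" really shows: the DRIVER_OBJECT's own
 * first dword (Size << 16 | Type) reinterpreted as the wrapper's pointer field. */
uint32_t misapplied_wrapper_read(void) {
    uint32_t first;
    build_mocks();
    memcpy(&first, &g_dobj, sizeof first);
    return first;
}

int main(void) {
    printf("real object passes check:   %d\n", real_object_passes());
    printf("image base passes check:    %d\n", image_base_passes());
    printf("wrapper -> driver object:   %d\n", wrapper_yields_driver_object());
    printf("dt MxDriverObject on dobj:  0x%08x (Type=%u Size=0x%x)\n",
           misapplied_wrapper_read(),
           header_type(misapplied_wrapper_read()),
           header_size(misapplied_wrapper_read()));
    return 0;
}
```

The mock runs on any little-endian host; the offsets 0x44/0x48 from the page's dt output are not modelled because they are specific to the 32-bit Wdf01000 build being debugged, and on 64-bit the wrapper and the DRIVER_OBJECT size both change.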

           

Preview of the next post:

It has been a while since I updated the WDF framework analysis series. I have not abandoned it; the WDFIOQUEUE in WDF drivers is simply too complex. Take a look at the !drvobj output for wdffeatured above and note the DISPATCH routines: every one of them wears the same uniform, Wdf01000!FxDevice::DispatchWithLock. This is a key link in analyzing IoQueue in the WDF framework. Stay tuned for the next installment.
