
windbg: replacing a driver with the .kdfiles command

How Do I Replace A System File? Try .KDFILES

While the Windows DDK includes numerous buildable driver samples, including a number of "in the box" drivers, any attempt to copy a driver built from the DDK onto an existing version of the driver will be thwarted by "system file protection".

Windows maintains an extra copy of critical system files including signed drivers, in the %systemroot%\system32\dllcache subdirectory. If you attempt to delete or modify any of the protected files, system file protection will copy the original version from the dllcache to the driver location.  If you attempt to delete or modify the version of the protected file in the dllcache, it will copy the original into the dllcache.

Note that system file protection isn't perfect - you can copy notepad.exe over ntoskrnl.exe and system file protection will not "fix" your system.  That is because it merely checks that the binary is signed.  This doesn't mean it is the correct binary!

The Windows Debugger provides a mechanism for replacing files on a debugee by using the ".kdfiles" directive.  This is well documented in the debugger documentation, although it doesn't exactly highlight the fact that this feature can be used to bypass system file protection in the process.

If you haven't discovered ".kdfiles" yet, read up on it -- You'll be very glad you did!  This debugger command is one of the best features ever implemented.  It allows you to have the debugger automagically replace an executable image on the target system (the one that you're debugging) with an executable image from your host system (the one from which you're running the debugger).  That means that with this command, there's no longer any need to manually copy your newly built version of fred.sys (or whatever your driver is) to \windows\system32\drivers\ while you debug.

Plus, as previously mentioned, a bonus feature of .kdfiles is that it will allow you to replace a system file, which is very useful for replacing the supplied version of disk.sys with the checked version built from the sources in the DDK, for example, when you're trying to figure out what's going on in the storage stack.

Closing note: the author only mentions the command; for how to actually apply it, see the "Mapping Driver Files" and ".kdfiles" sections of the windbg documentation. The most important part is the warning given in the "Mapping Driver Files" section:

Warning: The old driver's path and file name must be an exact case-insensitive match for the path and file name that is stored in the Service Control Manager (SCM) database. This path frequently begins with \SystemRoot\system32\drivers. However, several variations are possible (for example, a path that begins with \??\c:\windows\system32\drivers). The name in the SCM database is identical to the name that was passed to MmLoadSystemImage.

kd> .kdfiles C:\Users\Han\Desktop\studio\map\drvmap.ini
KD file associations loaded from 'C:\Users\Han\Desktop\studio\map\drvmap.ini'
kd> g
*******************************************************************************
*
* This is the string you add to your checkin description
* Driver Verifier: Enabled for BBFdoLwr.sys: Entered the Driver Entry
KD: Accessing 'C:\Users\Han\Desktop\studio\bus\objchk_wxp_x86\i386\BusEnum.sys' (\SystemRoot\System32\DRIVERS\busenum.sys)
  File size 39K..............
MmLoadSystemImage: Pulled \SystemRoot\System32\DRIVERS\busenum.sys from kd      
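The warning above is the usual reason a mapping silently never fires: the debugger compares the OldDriver string of each "map OldDriver NewDriver" entry against the exact (case-insensitive) path the SCM hands to MmLoadSystemImage, with no path normalisation. The script below is an added example, not code from the original post or from the windbg documentation. It parses a map file in that documented format, checks every OldDriver against a table of SCM ImagePath values, and then scans kd output for the "MmLoadSystemImage: Pulled ... from kd" confirmation line, so you can see which entries matched and which were served. The map file contents, the ImagePath table and the kd log are constructed samples (the busenum line mirrors the session above); the host build paths are hypothetical.

```python
"""Check a .kdfiles map file against SCM driver paths and kd output.

Added example; not part of the original post. All sample data is constructed.
"""
import re

# Constructed sample .kdfiles map file in the documented
# "map OldDriver NewDriver" form. Host-side paths are hypothetical.
SAMPLE_MAP = r"""
map \SystemRoot\System32\DRIVERS\busenum.sys C:\Users\Han\Desktop\studio\bus\objchk_wxp_x86\i386\BusEnum.sys
map \SystemRoot\System32\drivers\disk.sys C:\build\disk\objchk_wxp_x86\i386\disk.sys
map \??\c:\windows\system32\drivers\fred.sys C:\build\fred\objchk_wxp_x86\i386\fred.sys
"""

# Constructed sample of the ImagePath each driver service holds in the SCM
# database (hypothetical values; on a real target read them from the
# Services registry key). Note the relative form used for "fred".
SAMPLE_SCM_IMAGEPATHS = {
    "busenum": r"\SystemRoot\System32\DRIVERS\busenum.sys",
    "disk": r"\SystemRoot\System32\drivers\disk.sys",
    "fred": r"system32\DRIVERS\fred.sys",
}

# Constructed kd output; the busenum lines mirror the session shown above.
SAMPLE_KD_LOG = r"""
KD: Accessing 'C:\Users\Han\Desktop\studio\bus\objchk_wxp_x86\i386\BusEnum.sys' (\SystemRoot\System32\DRIVERS\busenum.sys)
  File size 39K..............
MmLoadSystemImage: Pulled \SystemRoot\System32\DRIVERS\busenum.sys from kd
"""

# One map entry per line; the two paths contain no spaces in this format.
MAP_LINE = re.compile(r"^\s*map\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)
# The line kd prints once a mapped image was actually served from the host.
PULLED_LINE = re.compile(r"MmLoadSystemImage: Pulled (\S+) from kd")


def parse_map_file(text):
    """Return (old_driver, new_driver) pairs; lines that are not map entries are skipped."""
    entries = []
    for line in text.splitlines():
        match = MAP_LINE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def check_against_scm(entries, scm_imagepaths):
    """Map each OldDriver to the service whose ImagePath equals it.

    Only case is ignored, mirroring the documented rule: no prefix
    rewriting, no resolution of \\SystemRoot or \\??\\ forms.
    """
    by_path = {path.lower(): svc for svc, path in scm_imagepaths.items()}
    return {old: by_path.get(old.lower()) for old, _ in entries}


def pulled_from_log(log_text):
    """Set of target paths kd reports as actually pulled from the host."""
    return {m.group(1).lower() for m in PULLED_LINE.finditer(log_text)}


def report(map_text, scm_imagepaths, log_text):
    """Per map entry: the SCM service it matches (or None) and whether kd served it."""
    entries = parse_map_file(map_text)
    matches = check_against_scm(entries, scm_imagepaths)
    pulled = pulled_from_log(log_text)
    return [
        {
            "old": old,
            "new": new,
            "scm_service": matches[old],
            "pulled": old.lower() in pulled,
        }
        for old, new in entries
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_MAP, SAMPLE_SCM_IMAGEPATHS, SAMPLE_KD_LOG):
        status = "served" if row["pulled"] else "not served yet"
        svc = row["scm_service"] or "NO SCM MATCH (check the stored ImagePath)"
        print(f"{row['old']}\n    -> {svc}; {status}")
```

In the sample, busenum matches and was served, disk matches but has not been loaded yet in the captured log, and the fred entry never matches because the SCM stores a relative system32\DRIVERS\fred.sys path rather than the \??\c:\windows\... form written in the map file, so that mapping would never replace anything.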