Re: need help in conditional breakpoint iofcalldriver

you would need some convoluted byte parsing to compare the strings in
your case, as iirc
this is a NON NULL TERMINATED _UNICODE_STRING *, and both $scmp and $sicmp
would return a 1 or -1 because they assume the string to be NULL TERMINATED
and would parse past the end of your driver name

there is no $snicmp, so you cannot stop comparing only up to a certain length

i am not in front of windbg so can't check right now

your second post's output is right

_UNICODE_STRING is defined as

typedef struct _UNICODE_STRING {
    USHORT Length;          /* bytes in use, not counting any terminator */
    USHORT MaximumLength;   /* bytes allocated for Buffer */
    PWSTR  Buffer;          /* wide chars, not guaranteed NULL terminated */
} UNICODE_STRING, *PUNICODE_STRING;

so 24 and 24 are len and maxlen; if you add 4 to your expression you
will get an address
like 0xexxxxx (@pagedpool)

which would contain a non null terminated wide char string

On 11/1/12, xxxxx@gmail.com
wrote:
> well missed out something in the post
>
> kd> dd poi(poi(ecx + 0x08)+0x01c) l1
> 00240024 ???
>
> is not showing me the value of drivername. Not able to figure out what I am
> missing
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

I tried the following (on a different drivername)
I get the correct name
kd> du poi((poi(ecx + 0x08)+0x01c)+4)
e213a4b0 "\Driver\FILEMON701"

It worked thanks.

I tried to put a conditional breakpoint using the following but the VM hangs.
Windbg neither breaks nor throws any error

bp nt!iofcalldriver "as /mu ${/v:drvname} poi((poi(ecx + 0x08)+0x01c)+4); .if ( $spat("${drvname}","*FILEMON*") != 0 ) { .echo 'iofcondbphit' } .else { gc }"

instead of comparing the whole driver string I am trying to match the pattern. I think $spat should work in this case. Please let me know where I am wrong.

tried another command
bp nt!iofcalldriver "as /mu ${/v:drvname} poi((poi(ecx + 0x08)+0x01c)+4); .echo 'drvname';gc"

windbg prints a driver name in a loop but the vm hangs

kd> bp nt!iofcalldriver "as /mu ${/v:drvname} poi((poi(ecx + 0x08)+0x01c)+4); .echo 'drvname';gc"
kd> g
'Driverusbuhci'
'Driverusbuhci'
'Driverusbuhci'
'Driverusbuhci'
'Driverusbuhci'


why is it so? is it because iofcalldriver is called a lot of times?

well like i posted the string is a non null terminated unicode_string
so $scmp and $sicmp are both useless for comparison

kd> bp nt!IofCallDriver "du @@c++(( (nt!_Device_OBJECT *)@@masm(@ecx))->DriverObject->DriverName.Buffer);gc"
kd> bl
0 e 804e37c5 0001 (0001) nt!IofCallDriver "du @@c++(( (nt!_Device_OBJECT *)@@masm(@ecx))->DriverObject->DriverName.Buffer);gc"

kd> g
e161e288 "\Driver\VolSnap"
e15b7dc8 "\Driver\Ftdisk"
e1622de8 "\Driver\diskperf"
e161eb48 "\Driver\PartMgr"
e15bcc98 "\Driver\Disk"
e15bdc98 "\Driver\ACPI"
e161e8f0 "\Driver\atapi"
e161e288 "\Driver\VolSnap"
e15b7dc8 "\Driver\Ftdisk"
e1622de8 "\Driver\diskperf"
e161eb48 "\Driver\PartMgr"
e15bcc98 "\Driver\Disk"
e15bdc98 "\Driver\ACPI"
e161e8f0 "\Driver\atapi"
e16231d8 "\FileSystem\Ntfs"
e16233c8 "\FileSystem\sr"
e16231d8 "\FileSystem\Ntfs"
e16231d8 "\FileSystem\Ntfs"
e161e288 "\Driver\VolSnap"
e15b7dc8 "\Driver\Ftdisk"
e1622de8 "\Driver\diskperf"
e161eb48 "\Driver\PartMgr"
e15bcc98 "\Driver\Disk"
e15bdc98 "\Driver\ACPI"
Couldn't resolve error at 'nt!_Device_OBJECT *)@@masm(@ecx))->DriverObject->DriverName.Buffer);gc'
nt!IofCallDriver:
804e37c5 ff2580345580 jmp dword ptr [nt!pIofCallDriver (80553480)]

$spat seemed to be broken or behaved erratically if i remember right
(mostly it would be my problem, not sure, but you have to experiment
with it)

kd> du @@c++(( (nt!_Device_OBJECT *)@@masm(@ecx))->DriverObject->DriverName.Buffer)
e15bdc98 "\Driver\ACPI"

kd> as /mu foo @@c++(( (nt!_Device_OBJECT *)@@masm(@ecx))->DriverObject->DriverName.Buffer)

kd> foo
^ Syntax error in '\Driver\ACPI'

kd> ? "foo"
Syntax error at '"\Driver\ACPI"'

kd> al
Alias Value
foo \Driver\ACPI

kd> ? $scmp ( "foo" , "\Driver")
Evaluate expression: 1 = 00000001
kd> ? $scmp ( "foo" , "\Driver\B")
Evaluate expression: -1 = ffffffff
kd> ? $scmp ( "foo" , "\Driver\C")
Evaluate expression: -1 = ffffffff
kd> ? $scmp ( "foo" , "\Driver\F")
Evaluate expression: -1 = ffffffff
kd> ? $scmp ( "foo" , "\Driver\A")
Evaluate expression: 1 = 00000001
kd> ? $scmp ( "foo" , "\Driver\Ac")
Evaluate expression: -1 = ffffffff
kd> ? $scmp ( "foo" , "\Driver\AC")
Evaluate expression: 1 = 00000001
kd> ? $sicmp ( "foo" , "\Driver\AC")
Evaluate expression: 112 = 00000070
kd> ? $sicmp ( "foo" , "\Driver\Ac")
Evaluate expression: 112 = 00000070
kd> ? $sicmp ( "foo" , "\Driver\Acn")
Evaluate expression: 2 = 00000002
kd> ? $sicmp ( "foo" , "\Driver\AcP")
Evaluate expression: 105 = 00000069
kd> ? $sicmp ( "foo" , "\Driver\ACP")
Evaluate expression: 105 = 00000069
kd> ? $sicmp ( "foo" , "\Driver\ACPI")
Evaluate expression: 0 = 00000000
kd> ? $spat ( "\Driver\ACPI","foo")
Evaluate expression: 1 = 00000001
kd> ? $spat ( "\Driver\A","foo")
Evaluate expression: 0 = 00000000
kd> ? $spat ( "\Driver\Ac","foo")
Evaluate expression: 0 = 00000000
kd> ? $spat ( “\Driver",“foo”)
Syntax error at '( “\Driver",”\Driver\ACPI”)’
kd> ? $spat ( "\Driver","foo")
Evaluate expression: 0 = 00000000

and putting this in a bp condition is another big headache, for
escaping quotes and backslashes is a royal pita

recently i made a thread and scott noone made some nice points in it
regarding string operators; pl check that thread, iirc the title is "does
$scmp take expressions"


thanks it worked for me

np
btw if it worked and what i posted helped,
posting a final version of your command may help
future searchers like you :)


Sorry I meant the following worked for me.
bp nt!IofCallDriver "du @@c++(( (nt!_Device_OBJECT *)@@masm(@ecx))->DriverObject->DriverName.Buffer);gc"

Still trying to figure out the other conditional breakpoint but getting some errors

As per your previous reply
Evaluate expression: 2 = 00000002
kd> ? $sicmp ( "foo" , "\Driver\AcP")
Evaluate expression: 105 = 00000069
kd> ? $sicmp ( "foo" , "\Driver\ACP")
Evaluate expression: 105 = 00000069

$sicmp should work
I framed the following command
bp nt!iofcalldriver "as /mu ${/v:drvname} @@c++(( (nt!_Device_OBJECT *)@@masm(@ecx))->DriverObject->DriverName.Buffer);.if($sicmp ( ${drvname} , "\Driver\FILEMON701")! = -1){.echo 'drvname'} .else {gc}"

getting some syntax error on this. Trying to figure this out. I am a bit new to windbg commands so making mistakes. Thanks for your help.

ah i thought you nailed it

well if i get a few minutes i will try breaking

but some points: "as } , "
so 701" this would either be a malformed quote error or would pair with {gc}"

so you may need to escape them too

r\F

this escape probably won't work and windbg
might keep on complaining syntax whatever @#$@$#@%$%$

better condense them into a script file and run the script on every break

the url of the thread i posted earlier for your reference

http://www.osronline.com/showthread.cfm?link=233096


ok i got a few minutes to play and it seems $sicmp has an interesting
property of returning the next char that is different, as hex, and
on certain bytes that follow as the next char
it seems to return 0

so i made a script and it seems i can break on my required driver object
but for this to work it seems you need to use

$$< or $< and can't use $$>a< (i like the last because there is no
clutter of commands echoed back that were executed in each break, but
somehow it doesn't work with that, no idea why)

here is a working version

kd> bl

kd> al
No aliases
kd> bp nt!IofCallDriver "$$< iofcd.txt"
kd> bl
0 e 804e37c5 0001 (0001) nt!IofCallDriver "$$< iofcd.txt"

kd> al
No aliases
kd> g
kd> as /msu fraw @@c++( (nt!_unicode_string *) @@masm( ( poi ( @ecx+8)+1c) ))
kd> .if ( $sicmp( "fraw","\Driver\MouClass") == 0 ) {du poi((poi(@ecx+8) + 0x1c)+0x4)} .else {gc}
kd> as /msu fraw @@c++( (nt!_unicode_string *) @@masm( ( poi ( @ecx+8)+1c) ))
kd> .if ( $sicmp( "fraw","\Driver\MouClass") == 0 ) {du poi((poi(@ecx+8) + 0x1c)+0x4)} .else {gc}
kd> as /msu fraw @@c++( (nt!_unicode_string *) @@masm( ( poi ( @ecx+8)+1c) ))
kd> .if ( $sicmp( "fraw","\Driver\MouClass") == 0 ) {du poi((poi(@ecx+8) + 0x1c)+0x4)} .else {gc}
kd> as /msu fraw @@c++( (nt!_unicode_string *) @@masm( ( poi ( @ecx+8)+1c) ))
kd> .if ( $sicmp( "fraw","\Driver\MouClass") == 0 ) {du poi((poi(@ecx+8) + 0x1c)+0x4)} .else {gc}

======================= cut =========================

kd> as /msu fraw @@c++( (nt!_unicode_string *) @@masm( ( poi ( @ecx+8)+1c) ))
kd> .if ( $sicmp( "fraw","\Driver\MouClass") == 0 ) {du poi((poi(@ecx+8) + 0x1c)+0x4)} .else {gc}
e1714bc8 "\Driver\Mouclassȅ.潉济ȁఐ卆浩."
nt!IofCallDriver:
804e37c5 ff2580345580 jmp dword ptr [nt!pIofCallDriver (80553480)]

kd> dt nt!_DEVICE_OBJECT DriverObject->DriverName @ecx
+0x008 DriverObject :
+0x01c DriverName : _UNICODE_STRING "\Driver\Mouclass"

kd> r ecx
ecx=811353f0
kd> ? poi(@ecx+8)
Evaluate expression: -2129476872 = 8112c2f8
kd> ? (poi(@ecx+8)+1c)
Evaluate expression: -2129476844 = 8112c314
kd> ? poi(poi(@ecx+8)+1c)
Evaluate expression: 2097184 = 00200020
kd> du poi(poi(@ecx+8)+1c+4)
e1714bc8 "\Driver\Mouclassȅ.潉济ȁఐ卆浩."
kd> !ustr (poi(@ecx+8)+1c)
String(32,32) at 8112c314: \Driver\Mouclass

kd> db poi(poi(@ecx+8)+1c+4)
e1714bc8 5c 00 44 00 72 00 69 00-76 00 65 00 72 00 5c 00 .D.r.i.v.e.r..
e1714bd8 4d 00 6f 00 75 00 63 00-6c 00 61 00 73 00 73 00 M.o.u.c.l.a.s.s.
e1714be8 05 02 01 00 49 6f 4e 6d-01 02 10 0c 46 53 69 6d …IoNm…FSim
e1714bf8 01 00 00 00 60 12 0b 00-01 00 04 80 00 00 00 00 …`…
e1714c08 00 00 00 00 00 00 00 00-14 00 00 00 02 00 5c 00 ….
e1714c18 04 00 00 00 00 00 14 00-00 00 00 20 01 01 00 00 … …
e1714c28 00 00 00 01 00 00 00 00-00 00 14 00 00 00 00 10 …
e1714c38 01 01 00 00 00 00 00 05-12 00 00 00 00 00 18 00 …

it seems to work on different inputs as well so you probably have your answer

kd> as /msu fraw @@c++( (nt!_unicode_string *) @@masm( ( poi ( @ecx+8)+1c) ))
kd> .if ( $sicmp( "fraw", "\Driver\KbdClass" ) == 0 ) {du poi((poi(@ecx+8) + 0x1c)+0x4)} .else {gc}
e1718548 "\Driver\Kbdclassȅ.潉济ȁః扏济NdisWan"
nt!IofCallDriver:
804e37c5 ff2580345580 jmp dword ptr [nt!pIofCallDriver (80553480)]

as /msu fraw @@c++( (nt!_unicode_string *) @@masm( ( poi ( @ecx+8)+1c) ))
.if ( $sicmp( "fraw", "\Driver\VolSnap" ) == 0 ) {du poi((poi(@ecx+8) + 0x1c)+0x4)} .else {gc}

kd> !ustr (poi(@ecx+8)+1c)
String(30,30) at 812633bc: \Driver\VolSnap
kd> kb
ChildEBP RetAddr Args to Child
fc8e70e0 fc32a1c3 fc8e74d8 ff95e008 fc8e72d0 nt!IofCallDriver
fc8e70f0 fc329d26 fc8e74d8 8123bcd8 bc61a000 Ntfs!NtfsSingleAsync+0x6d
fc8e72d0 fc32afbc fc8e74d8 ff95e008 81297058 Ntfs!NtfsNonCachedIo+0x2f8
fc8e74c8 fc32ac18 fc8e74d8 ff95e008 0110070a Ntfs!NtfsCommonWrite+0x1821
fc8e763c 804e37f7 81208030 ff95e008 8123ae10 Ntfs!NtfsFsdWrite+0xf3
fc8e764c fc3cd3ca 81253f68 81209ab0 fc8e7680 nt!IopfCallDriver+0x31
fc8e765c 804e37f7 81209ab0 ff95e008 0061c000 sr!SrWrite+0xaa
fc8e766c 804ef195 fc8e76a8 fc8e789c 00000000 nt!IopfCallDriver+0x31
fc8e7680 804eed5c 81253f0a fc8e76a8 fc8e773c nt!IoSynchronousPageWrite+0xaf
fc8e775c 804eeb13 e164b870 e164b884 e164b884 nt!MiFlushSectionInternal+0x38b
fc8e7798 804ef420 00000000 e164b870 0000061c nt!MmFlushSection+0x1e0
fc8e7820 fc34b007 00005000 fc8e78c0 00005000 nt!CcFlushCache+0x386
fc8e78e8 fc34b089 e15bc008 e186dd30 e111a000 Ntfs!LfsFlushLfcb+0x227
fc8e790c fc34c51f e15bc008 e186dd30 81208320 Ntfs!LfsFlushLbcb+0x81
fc8e7964 fc34bcf8 e15bc008 000000e0 00000001 Ntfs!LfsWriteLfsRestart+0x16a
fc8e79b0 fc34c278 e15bda60 00000068 fc8e7a18 Ntfs!LfsWriteRestartArea+0x158
fc8e7be0 fc34c174 fc8e7c14 81208110 00000000 Ntfs!NtfsCheckpointVolume+0xe0a
fc8e7d74 804e426b 00000000 00000000 8128eda8 Ntfs!NtfsCheckpointAllVolumes+0xd2
fc8e7dac 8057aeff 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
fc8e7ddc 804f88ea 804e4196 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

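As an added illustration (not from the thread, and not WinDbg's own code), here is a small C model of two points made above: the first reply's warning that a _UNICODE_STRING is not NULL terminated, so a terminator-seeking compare such as $scmp/$sicmp reads past the end of the name, and the working script's poi(@ecx+8)+1c walk together with the "$sicmp returns the next differing char as hex" observation. It runs over a constructed memory image that mimics the x86 layout shown by dt (DriverObject at +0x08, DriverName at +0x1c, Buffer at +0x4) and an unterminated pool buffer with trailing bytes modelled on the db dump; the base address, the image contents and every function name (poi, driver_name_addr, ustr_iequals, naive_wchar_len, naive_icmp) are assumptions of the example.

```c
#include <assert.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "target memory": an image at a made-up base address holding a
   _DEVICE_OBJECT, its _DRIVER_OBJECT and the pool buffer DriverName points at.
   Offsets follow the x86 layout behind the thread's bp expressions:
     _DEVICE_OBJECT+0x08 -> DriverObject, _DRIVER_OBJECT+0x1c -> DriverName,
     _UNICODE_STRING = { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } */
#define BASE    0x81000000u     /* assumed base address of the image */
#define DEVOBJ  (BASE + 0x000)  /* what @ecx holds on entry to IofCallDriver */
#define DRVOBJ  (BASE + 0x100)
#define NAMEBUF (BASE + 0x200)

static uint8_t image[0x240];    /* zero-filled, so the image ends in 0x0000 WCHARs */
static int image_ready;

static void wr16(uint32_t addr, uint16_t v) { image[addr - BASE] = (uint8_t)v; image[addr - BASE + 1] = (uint8_t)(v >> 8); }
static void wr32(uint32_t addr, uint32_t v) { wr16(addr, (uint16_t)v); wr16(addr + 2, (uint16_t)(v >> 16)); }

static void ensure_image(void)
{
    if (image_ready) return;
    const char *name = "\\Driver\\Mouclass";       /* 16 WCHARs, no terminator */
    uint16_t len = (uint16_t)(strlen(name) * 2);   /* 0x20 bytes */
    wr32(DEVOBJ + 0x08, DRVOBJ);                   /* DeviceObject->DriverObject */
    wr16(DRVOBJ + 0x1c, len);                      /* DriverName.Length */
    wr16(DRVOBJ + 0x1e, len);                      /* DriverName.MaximumLength */
    wr32(DRVOBJ + 0x20, NAMEBUF);                  /* DriverName.Buffer */
    for (size_t i = 0; name[i]; i++)
        wr16(NAMEBUF + 2 * i, (uint16_t)(unsigned char)name[i]);
    /* Bytes the pool allocator left after the name, modelled on the thread's db
       dump (constructed): the first 0x0000 WCHAR is 8 WCHARs past the real end. */
    static const uint8_t tail[] = { 0x05, 0x02, 0x01, 0x00, 0x49, 0x6f, 0x4e, 0x6d,
                                    0x01, 0x02, 0x10, 0x0c, 0x46, 0x53, 0x69, 0x6d };
    memcpy(&image[NAMEBUF - BASE + len], tail, sizeof tail);
    image_ready = 1;
}

/* Bounds-checked little-endian reads: the debugger's wo() and poi(). */
static uint16_t rd16(uint32_t addr)
{
    ensure_image();
    assert(addr >= BASE && addr + 2 <= BASE + sizeof image);
    return (uint16_t)(image[addr - BASE] | (image[addr - BASE + 1] << 8));
}

uint32_t poi(uint32_t addr) { return rd16(addr) | ((uint32_t)rd16(addr + 2) << 16); }

/* poi(@ecx+8)+1c: address of DriverObject->DriverName for a device object. */
uint32_t driver_name_addr(uint32_t device_object) { return poi(device_object + 0x08) + 0x1c; }

/* Length-bounded, case-insensitive compare: reads exactly Length bytes, no more. */
int ustr_iequals(uint32_t ustr, const char *expected)
{
    size_t nchars = rd16(ustr + 0x0) / 2;
    uint32_t buffer = poi(ustr + 0x4);
    if (nchars != strlen(expected)) return 0;
    for (size_t i = 0; i < nchars; i++) {
        uint16_t wc = rd16(buffer + 2 * i);
        if (wc > 0x7f || tolower(wc) != tolower((unsigned char)expected[i])) return 0;
    }
    return 1;
}

/* WCHARs a terminator-seeking reader (du, $scmp, $sicmp) consumes before 0x0000. */
size_t naive_wchar_len(uint32_t buffer)
{
    size_t n = 0;
    while (rd16(buffer + 2 * n) != 0) n++;
    return n;
}

/* Terminator-based compare in the style of $sicmp: 0 on a match, else the
   case-folded difference at the first mismatch (the "next differing char as hex"). */
int naive_icmp(uint32_t buffer, const char *expected)
{
    for (size_t i = 0;; i++) {
        uint16_t wc = rd16(buffer + 2 * i);
        int a = wc < 0x80 ? tolower(wc) : (int)wc;
        int b = tolower((unsigned char)expected[i]);
        if (a != b) return a - b;
        if (wc == 0) return 0;
    }
}

int main(void)
{
    uint32_t ustr = driver_name_addr(DEVOBJ), buffer = poi(ustr + 0x4);
    printf("bounded compare: %d, terminator scan sees %zu WCHARs (name has 16)\n",
           ustr_iequals(ustr, "\\Driver\\MouClass"), naive_wchar_len(buffer));
    printf("naive compare with the exact name: %#x\n", naive_icmp(buffer, "\\Driver\\Mouclass"));
    return 0;
}
```

ustr_iequals is the comparison a per-break script like iofcd.txt actually needs: it stops at Length, so "\Driver\Mouclass" matches regardless of what sits after it in pool. naive_icmp, fed the same buffer, returns 0x205 for the exact name (the first pool byte pair after the name) and 'c' (0x63) for the shorter "\Driver\Mou", the same shape of result as the $sicmp experiments earlier in the thread, and naive_wchar_len reports 24 characters for a 16-character name, which is the garbage du prints after "\Driver\Mouclass".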

Why not base the conditional on the driver object address? You can translate
a driver object name to an address with !object.

This requires an additional manual step, but probably much easier. Though,
in either case, I’m dubious that a conditional breakpoint on IofCallDriver
won’t cripple the system to the point of being unusable (I use a target side
assist for this kind of thing).

-scott
OSR


Though, in either case, I’m dubious that a conditional breakpoint on
IofCallDriver won’t cripple the system to the point of being unusable

yes that is absolutely right. Breaking on IofCallDriver is like
breaking on the MessageLoop in usermode: it is on the hot path and will break
millions if not trillions/gazillion times, and should not be used
unless you have a very very pressing reason and are willing to wait
for a long time

choose something a bit forward or a bit backward in the flow


thanks guys it was helpful to me.