I'm trying to view the data structure of _DEVICE_OBJECT > DeviceExtension ... As seen below.
But how would I now go about getting the structure of DeviceExtension?
(I tried to do "dt nt!_DEVICE_OBJECT -b" but it doesn't get the structure of DeviceExtension)
Comments
The type of the DeviceExtension is up to each individual driver. The DEVICE_OBJECT holds an opaque pointer to it as a convenience, but there's no standard for what it contains. That's why it is shown as a void*.
If this is your driver, then you know the type of the device extension, and you can use "dt yourdriver!MY_DEVICE_CONTEXT" to view it.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
How would I get the structure if it wasn't my driver? For example: "dt somedriver!X" then what should x be if I had no insight into how the driver was written?
As seen here:

Well, you don't. The data structure definition isn't even necessarily public.
Peter
Peter Viscarola
OSR
@OSRDrivers
What if you knew the type of the device (+0x048 DeviceType : Uint4B), would it then be possible to somehow reverse the structure of DeviceExtension?
For example: #define FILE_DEVICE_DISK 0x00000007 (https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/specifying-device-types)
Absolutely not. You have to have the symbols for the driver. There is no other way.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
But then I'm right back to my second question: How can I get the DeviceExtension of a driver that isn't mine in windbg (look at the second screenshot I posted).
Is there something unclear about "you don't" and "there is no other way"?
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
You can not. The content and format of a DeviceExtension is up to the developer who writes the driver. It’s not standard. It’s not documented. It’s not available. It’s private.
Have a nice day.
Peter
Peter Viscarola
OSR
@OSRDrivers
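The answers above, as an added user-mode C model that is not code from the thread or from any real driver: IoCreateDevice is given only a DeviceExtensionSize, so the device object records a pointer and nothing about the layout, and two drivers with the same DeviceType can place entirely different fields behind it. MOCK_DEVICE_OBJECT, mock_create_device, DRIVER_A_EXT and DRIVER_B_EXT are hypothetical names and the field values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILE_DEVICE_DISK 0x00000007u

/* Simplified stand-in for DEVICE_OBJECT: only the two fields discussed in the thread. */
typedef struct MOCK_DEVICE_OBJECT {
    uint32_t DeviceType;
    void    *DeviceExtension;   /* opaque to everyone except the owning driver */
} MOCK_DEVICE_OBJECT;

/* Hypothetical private layouts chosen by two unrelated disk drivers (same size). */
typedef struct DRIVER_A_EXT { uint32_t SectorSize; uint32_t Flags; uint64_t TotalSectors; } DRIVER_A_EXT;
typedef struct DRIVER_B_EXT { uint64_t QueueDepth; uint32_t PortNumber; uint32_t Retries; } DRIVER_B_EXT;

/* Models the creator's view: it receives a byte count, never a type. */
MOCK_DEVICE_OBJECT *mock_create_device(uint32_t type, size_t ext_size)
{
    MOCK_DEVICE_OBJECT *dev = calloc(1, sizeof(*dev) + ext_size);
    if (dev == NULL) return NULL;
    dev->DeviceType = type;
    dev->DeviceExtension = ext_size ? (void *)(dev + 1) : NULL;
    return dev;
}

/* Driver A fills its extension; the same bytes are then read through driver B's layout. */
uint64_t misread_as_driver_b(void)
{
    MOCK_DEVICE_OBJECT *dev = mock_create_device(FILE_DEVICE_DISK, sizeof(DRIVER_A_EXT));
    DRIVER_A_EXT a = { 512, 1, 1000 };   /* constructed sample values */
    DRIVER_B_EXT b;
    uint64_t queue_depth;

    if (dev == NULL) return 0;
    memcpy(dev->DeviceExtension, &a, sizeof(a));
    memcpy(&b, dev->DeviceExtension, sizeof(b));
    queue_depth = b.QueueDepth;          /* SectorSize and Flags fused into one field */
    free(dev);
    return queue_depth;
}

int main(void)
{
    printf("same DeviceType, same size (%zu bytes), A read as B.QueueDepth = 0x%llx\n",
           sizeof(DRIVER_A_EXT), (unsigned long long)misread_as_driver_b());
    return 0;
}
```

Nothing in the mock device object distinguishes the two layouts, which is why only the driver's own symbols give `dt` a type to apply.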