Dear Satish,
S> 1) Above I have Disassembled in NT4.0 with SP6 and Win2000 with SP1. ( It
S> is different )
These are my words:
“IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
for NT 4 at least on sp4,5,6. W2k also has following code for
IoAttachDeviceByPointer”
Please point here where I specify that these functions are the same
for NT4.0 and Win2000.
S> 2) Why only small amount code is there in IoAttachDeviceByPointer in Win
S> 2000 why not in NT ?. They have moved to IoAttachDeviceToDeviceStack coz
S> IoAttachDeviceByPointer is Absolute function
Thank you for very useful info!
S> 3) Do u feel no use from the return value of IoAttachDeviceToDeviceStack ?
S> ( Tony mason has mentioned the use ). For still about use Dis-assemble using
S> Debugger in NT 4.0.
Yes I feel so, because I wrote:
“far from real problem in the case.”
Final thing: This shows you never understood (and probably read) my
original message.
Best regards,
Andrey mailto:xxxxx@sandy.ru
S> Hi,
S> Check the following :
S> ****************************************************************************
S> **************
S> Dis-assembled by IDA Disassembler ( Win2000 SP1 ):
S> public IoAttachDeviceByPointer
S> IoAttachDeviceByPointer proc near
S> arg_0 = dword ptr 4
S> arg_4 = dword ptr 8
S> push [esp+arg_4]
S> push [esp+4+arg_0]
S> call IoAttachDeviceToDeviceStack
S> neg eax
S> sbb eax, eax
S> and eax, 3FFFFFF2h
S> add eax, 0C000000Eh
S> retn 8
S> IoAttachDeviceByPointer endp
S> public IoAttachDeviceToDeviceStack
S> IoAttachDeviceToDeviceStack proc near ; CODE XREF: IoAttachDeviceByPointer+8p
S> ; IoAttachDevice+75p
S> arg_0 = dword ptr 8
S> arg_4 = dword ptr 0Ch
S> push esi
S> mov esi, [esp+arg_0]
S> push edi
S> mov edi, [esi+0B0h]
S> cli
S> cmp byte_471B6C, 0
S> jz short loc_41F037
S> push [esp+4+arg_4]
S> push esi
S> call sub_425ACA
S> loc_41F037: ; CODE XREF: IoAttachDeviceToDeviceStack+14j
S> push [esp+4+arg_4]
S> call IoGetAttachedDevice
S> test byte ptr [eax+1Ch], 80h
S> jnz short loc_41F097
S> mov ecx, [eax+0B0h]
S> test byte ptr [ecx+10h], 0Fh
S> jnz short loc_41F097
S> mov cl, [eax+30h]
S> inc word ptr [eax+0AEh]
S> inc cl
S> mov [eax+10h], esi
S> mov [esi+30h], cl
S> mov ecx, [eax+5Ch]
S> mov [esi+5Ch], ecx
S> mov cx, [eax+0ACh]
S> mov [esi+0ACh], cx
S> mov ecx, [eax+0B0h]
S> test byte ptr [ecx+10h], 10h
S> jz short loc_41F08E
S> mov esi, [esi+0B0h]
S> or dword ptr [esi+10h], 10h
S> loc_41F08E: ; CODE XREF: IoAttachDeviceToDeviceStack+6Bj
S> mov [edi+18h], eax
S> loc_41F091: ; CODE XREF: IoAttachDeviceToDeviceStack+82j
S> sti
S> pop edi
S> pop esi
S> retn 8
S> ****************************************************************************
S> **************
S> Dis-assembled by SoftICE Debugger ( NT 4.0 SP6 ):
S> IoAttachDeviceByPointer :
S> PUSH ESI
S> CLI
S> PUSH DWORD PTR [ESP+0C]
S> CALL ntoskrnl!IoGetAttachDevice
S> TEST BYTE PTR [EAX+1C],80
S> JNZ 801116A6
S> MOV ECX, [EAX+000000B0]
S> TEST BYTE PTR [ECX+08],03
S> JNZ 801116A6
S> XOR ESI,ESI
S> MOV EDX,[ESP+08]
S> MOV [EAX+10],EDX
S> MOV CL,[EAX+30]
S> INC CL
S> MOV [EDX+30],CL
S> MOV ECX,[EAX+5C]
S> MOV [EDX+5C],ECX
S> MOV AX,[EAX+000000AC]
S> MOV [EDX+000000AC],AX
S> JMP 801116AB
S> 801116A6: MOV ESI,C000000E
S> 801116AB: STI
S> MOV EAX,ESI
S> POP ESI
S> RET 0008
S> IoAttachDeviceToDeviceStack :
S> CLI
S> PUSH DWORD PTR [ESP+08]
S> CALL ntoskrnl!IoGetAttachDevice
S> TEST BYTE PTR [EAX+1C],80
S> JNZ 801116F3
S> MOV ECX, [EAX+000000B0]
S> TEST BYTE PTR [ECX+08],03
S> JNZ 801116F3
S> MOV EDX,[ESP+04]
S> MOV [EAX+10],EDX
S> MOV CL,[EAX+30]
S> INC CL
S> MOV [EDX+30],CL
S> MOV ECX,[EAX+5C]
S> MOV [EDX+5C],ECX
S> MOV AX,[EAX+000000AC]
S> MOV [EDX+000000AC],AX
S> JMP 801116F5
S> 801116F3: XOR EAX,EAX
S> 801116F5: STI
S> RET 0008
S> 1) Above I have Disassembled in NT4.0 with SP6 and Win2000 with SP1. ( It
S> is different )
S> 2) Why only small amount code is there in IoAttachDeviceByPointer in Win
S> 2000 why not in NT ?. They have moved to IoAttachDeviceToDeviceStack coz
S> IoAttachDeviceByPointer is Absolute function
S> 3) Do u feel no use from the return value of IoAttachDeviceToDeviceStack ?
S> ( Tony mason has mentioned the use ). For still about use Dis-assemble using
S> Debugger in NT 4.0.
S> Final thing : This shows U never Dis-assembled in NT 4.0
S> Regards,
S> Satish K.S
S> ****************************************************************************
S> ******
S> -----Original Message-----
S> From: Andrey Kolishak [mailto:xxxxx@sandy.ru]
S> Sent: Friday, April 06, 2001 9:38 AM
S> To: File Systems Developers
S> Subject: [ntfsd] Re: DiskPerf.sys
S> Hello Tony,
TM>> Do not use IoAttachDeviceByPointer. Use IoAttachDeviceToDeviceStack.
TM>> IoAttachDeviceToDeviceStack is much cleaner because it returns to you the
TM>> device to which you should be passing the IRPs. Otherwise, it is far too
TM>> easy to send it to the WRONG device (like the one at the BOTTOM of the
TM>> device stack).
S> far from real problem in the case.
S> IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
S> for NT 4 at least on sp4,5,6. W2k also has following code for
S> IoAttachDeviceByPointer.
S> xxxxx@8 proc near
S> arg_0 = dword ptr 4
S> arg_4 = dword ptr 8
S> push [esp+arg_4]
S> push [esp+4+arg_0]
S> call _IoAttachDeviceToDeviceStack@8
S> neg eax
S> sbb eax, eax
S> and eax, 3FFFFFF2h
S> add eax, 0C000000Eh
S> retn 8
S> xxxxx@8 endp
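Added example, not part of any poster's message: a C emulation of the four instructions that follow the call in the Win2000 SP1 IoAttachDeviceByPointer listing quoted above (neg / sbb / and / add), showing that they map a NULL return from IoAttachDeviceToDeviceStack to 0xC000000E and any non-NULL return to 0. The function names, the sample values and the STATUS_* macro names are assumptions of this example; a 32-bit x86 register is modelled as uint32_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names assumed for this example; the values are the ones in the listing. */
#define STATUS_SUCCESS        0x00000000u
#define STATUS_NO_SUCH_DEVICE 0xC000000Eu

/* Emulates the tail of the Win2000 SP1 wrapper. On entry eax holds the
 * device pointer returned by IoAttachDeviceToDeviceStack. */
static uint32_t wrapper_tail(uint32_t eax)
{
    uint32_t cf = (eax != 0);   /* neg eax: CF is set iff operand was non-zero */
    eax = 0u - eax;             /* neg eax: two's-complement negate            */
    eax = eax - eax - cf;       /* sbb eax, eax: 0 - CF -> 0 or 0xFFFFFFFF     */
    eax &= 0x3FFFFFF2u;         /* and eax, 3FFFFFF2h                          */
    eax += 0xC000000Eu;         /* add eax, 0C000000Eh (wraps modulo 2^32)     */
    return eax;
}

/* The same logic written as ordinary C. */
static uint32_t wrapper_tail_c(uint32_t attached_to)
{
    return attached_to ? STATUS_SUCCESS : STATUS_NO_SUCH_DEVICE;
}

/* Returns 1 if the emulated instructions and the C form agree. */
static int forms_agree(void)
{
    /* Constructed sample values: NULL, 1, a kernel-range address, all ones. */
    static const uint32_t samples[] = { 0u, 1u, 0x80111690u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (wrapper_tail(samples[i]) != wrapper_tail_c(samples[i]))
            return 0;
    return 1;
}

int main(void)
{
    printf("NULL     -> 0x%08X\n", (unsigned)wrapper_tail(0u));
    printf("non-NULL -> 0x%08X\n", (unsigned)wrapper_tail(0x80111690u));
    printf("forms agree: %d\n", forms_agree());
    return 0;
}
```

The NT 4.0 SP6 IoAttachDeviceByPointer listing reaches the same two results with explicit branches: XOR ESI,ESI on the success path and MOV ESI,C000000E on the failure path.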