DiskPerf.sys

 
Is it possibale to change the Diskperf.sys source in order for it to be loaded
properly
without rebooting on NT4?
 


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

No! You must attach before any file systems attach to the disks.

-----Original Message-----
From: Danny [mailto:xxxxx@neptune.co.il]
Sent: Monday, March 12, 2001 8:31 AM
To: File Systems Developers
Subject: [ntfsd] DiskPerf.sys

The Microsoft Exchange Server received an Internet message that could
not be processed. To view the original message content, open the
attached message. <<message.txt>>
>


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com</message.txt>

Thanks !
Do you know way ?
can’t I use IoAttachDeviceByPointer(surce,terget) ?
Thanks Again,
Daniel.

Jamey Kirby wrote:

No! You must attach before any file systems attach to the disks.

Daniel wrote:
Is it possible to change the Diskperf.sys source in order for it to be
loaded
properly without rebooting on NT4?
 
 


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> ?

Is it possibale to change the Diskperf.sys source in order for it to be loaded
properly
without rebooting on NT4?
?

It seems that one can append disk filter to the chain on the
fly. Dismount the volume first (use ioctl), then open the Disk
properly (FILE_READ_DATA flag). This would not work with
volumes that could not be dismounted (containing swap file,
other opened files - images currently running).???y˫???+.n?+???~?Z?˛??^r*D???kN???r??zǧu??jy???^j??? 0?j?b??(??(

 
Lets say I rewrite the source of diskperf and force my device to be layered right after the phyisical device
(by using IoAttachDeviceByPointer() ),is that possible, why do I have to dismount ?
excuse me if I am asking silly Questions , I relay need to know ,this is something I never tried - to be pushed in the middle of the
chain right above the phyisical device , is it possible with out dismounting , I know I will have open file all the time on the
partition I would like to attach to?
Thanks Again,
Daniel.
 

Daniel wrote:

> š
> Is it possibale to change the Diskperf.sys source in order for it to be loaded
> properly
> without rebooting on NT4?
> š
Alexei Chentsov wrote:
   It seems that one can append disk filter to the chain on the
fly. Dismount the volume first (use ioctl), then open the Disk
properly (FILE_READ_DATA flag). This would not work with
volumes that could not be dismounted (containing swap file,
other opened files - images currently running).b‹š­ç.®·§¶\¬¹»®&ÞvÚ’µûjÇZž|§z›nç(ŠTèº{.nÇ+‰·¬zwZnV§‘隊[h•æ¯z{_±ÝöãaåŠËl¢ÊÜom==


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hello Danny,

The IoAttach* functions attaches you to the highest device in the
device stack. Meaning if you are not attaching as the first driver
you’ll be second or even higher in the chain. There is no way (hacks
appart) to attach into the middle of a device stack for that simple
reason that each driver is responsible for maintaining information
about who is the next-lower device in the stack.

If you want to look into the hack the way it goes is you use the
DeviceObject you wish to layer above to find the associated DriverObject.In this
driver object you patch the DriverEntries to point to your code and you then chain
to the old entries when you’re done treating an IRP.
I would never consider making people pay for a driver that utillized
such ugly hacks - but for testing it’s great fun :wink:

Best regards,
Anders Fogh

Tuesday, March 13, 2001, 5:24:13 AM, you wrote:

D>  
D> Lets say I rewrite the source of diskperf and force my device to be layered right after the phyisical device
D> (by using IoAttachDeviceByPointer() ),is that possible, why do I have to dismount ?
D> excuse me if I am asking silly Questions , I relay need to know ,this is something I never tried - to be pushed in the middle of the
D> chain right above the phyisical device , is it possible with out dismounting , I know I will have open file all the time on the
D> partition I would like to attach to?
D> Thanks Again,
D> Daniel.
D>  

D> Daniel wrote:

> > š
> > Is it possibale to change the Diskperf.sys source in order for it to be loaded
> > properly
> > without rebooting on NT4?
> > š
> Alexei Chentsov wrote:
>    It seems that one can append disk filter to the chain on the
> fly. Dismount the volume first (use ioctl), then open the Disk
> properly (FILE_READ_DATA flag). This would not work with
> volumes that could not be dismounted (containing swap file,
> other opened files - images currently running).b‹š­ç.®·§¶\¬¹»®&ÞvÚ’µûjÇZž|§z›nç(ŠTèº{.nÇ+‰·¬zwZnV§‘隊[h•æ¯z{_±ÝöãaåŠËl¢ÊÜom==

D> —
D> You are currently subscribed to ntfsd as: xxxxx@flaffer.com
D> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


Best regards,
Anders mailto:xxxxx@flaffer.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Do not use IoAttachDeviceByPointer. Use IoAttachDeviceToDeviceStack.
IoAttachDeviceToDeviceStack is much cleaner because it returns to you the
device to which you should be passing the IRPs. Otherwise, it is far too
easy to send it to the WRONG device (like the one at the BOTTOM of the
device stack).

You cannot insert yourself into an existing chain. The problem is that
driver ‘X’ has a pointer to the device object for driver ‘Y’. Thus, even
if you layer on top, driver ‘X’ will do
“IoCallDriver(DeviceObjectForDriverY, Irp);” - and it is going to be passed
to driver ‘y’.

File System filters are unique in that the I/O Manager calls
“IoGetRelatedDeviceObject” each time it prepares to send the IRP down the
stack, so that if you layer a file system filter driver on dynamically, the
I/O request gets passed along to the top filter on the stack (which is why
many people believe that you can add - and remove - a file system filter
driver to/from the stack safely.)

I say “believe” because as recently as a few hours ago I was discussing this
issue with someone with respect to how Dfs processes this - it does NOT call
IoGetRelatedDeviceObject and thus it will skip a file system filter driver
that attaches AFTER Dfs loads and finds the redirectors.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Danny [mailto:xxxxx@neptune.co.il]
Sent: Tuesday, March 13, 2001 8:24 AM
To: File Systems Developers
Subject: [ntfsd] Re: DiskPerf.sys

?
Lets say I rewrite the source of diskperf and force my device to be layered
right after the phyisical device
(by using IoAttachDeviceByPointer() ),is that possible, why do I have to
dismount ?
excuse me if I am asking silly Questions , I relay need to know ,this is
something I never tried - to be pushed in the middle of the
chain right above the phyisical device , is it possible with out dismounting
, I know I will have open file all the time on the
partition I would like to attach to?
Thanks Again,
Daniel.
?

Daniel wrote:

> ?
> Is it possibale to change the Diskperf.sys source in order for it to be
loaded
> properly
> without rebooting on NT4?
> ?
Alexei Chentsov wrote:
?? It seems that one can append disk filter to the chain on the
fly. Dismount the volume first (use ioctl), then open the Disk
properly (FILE_READ_DATA flag). This would not work with
volumes that could not be dismounted (containing swap file,
other opened files - images currently
running).b???.???????&?v?'??j?Z?|?z?n??(?T??{.n?+???zwZnV??隊[h???z{_?
???a???l???om==


You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Daniel. I’m sorry.

Apparently I mismatched the message I have replied to.
The only thing I meant the mounted filesystem on the volume
is not the problem.

Filters chain is the stack. You could push, not insert in the middle.

About the connection to the file system filters chain
and disk filter chain one can see relnote.htm in latest
Win2k DDK.

Alex

Daniel wrote:

Lets say I rewrite the source of diskperf and force my device to be layered right after the phyisical device
(by using IoAttachDeviceByPointer() ),is that possible, why do I have to dismount ?
excuse me if I am asking silly Questions , I relay need to know ,this is something I never tried - to be pushed in the middle of the
chain right above the phyisical device , is it possible with out dismounting , I know I will have open file all the time on the
partition I would like to attach to?


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hello Tony,

TM> Do not use IoAttachDeviceByPointer. Use IoAttachDeviceToDeviceStack.
TM> IoAttachDeviceToDeviceStack is much cleaner because it returns to you the
TM> device to which you should be passing the IRPs. Otherwise, it is far too
TM> easy to send it to the WRONG device (like the one at the BOTTOM of the
TM> device stack).

far from real problem in the case.
IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
for NT 4 atleast on sp4,5,6. W2k also has following code for
IoAttachDeviceByPointer.

xxxxx@8 proc near

arg_0 = dword ptr 4
arg_4 = dword ptr 8

push [esp+arg_4]
push [esp+4+arg_0]
call _IoAttachDeviceToDeviceStack@8
neg eax
sbb eax, eax
and eax, 3FFFFFF2h
add eax, 0C000000Eh
retn 8
xxxxx@8 endp

TM> -----Original Message-----
TM> From: Danny [mailto:xxxxx@neptune.co.il]
TM> Sent: Tuesday, March 13, 2001 8:24 AM
TM> To: File Systems Developers
TM> Subject: [ntfsd] Re: DiskPerf.sys

TM>  
TM> Lets say I rewrite the source of diskperf and force my device to be layered
TM> right after the phyisical device
TM> (by using IoAttachDeviceByPointer() ),is that possible, why do I have to
TM> dismount ?
TM> excuse me if I am asking silly Questions , I relay need to know ,this is
TM> something I never tried - to be pushed in the middle of the
TM> chain right above the phyisical device , is it possible with out dismounting
TM> , I know I will have open file all the time on the
TM> partition I would like to attach to?
TM> Thanks Again,
TM> Daniel.
TM>  

TM> Daniel wrote:

> > š
> > Is it possibale to change the Diskperf.sys source in order for it to be
TM> loaded
> > properly
> > without rebooting on NT4?
> > š
> Alexei Chentsov wrote:
>    It seems that one can append disk filter to the chain on the
> fly. Dismount the volume first (use ioctl), then open the Disk
> properly (FILE_READ_DATA flag). This would not work with
> volumes that could not be dismounted (containing swap file,
> other opened files - images currently

Best regards,
Andrey mailto:xxxxx@sandy.ru


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> Hello Tony,

TM> Do not use IoAttachDeviceByPointer. Use IoAttachDeviceToDeviceStack.
TM> IoAttachDeviceToDeviceStack is much cleaner because it returns to you
the
TM> device to which you should be passing the IRPs. Otherwise, it is far
too
TM> easy to send it to the WRONG device (like the one at the BOTTOM of the
TM> device stack).

far from real problem in the case.
IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
for NT 4 atleast on sp4,5,6. W2k also has following code for
IoAttachDeviceByPointer.

Did u tried in MP system ?

Regards,
Satish K.S


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

There is at least one difference - in the IoAttachDeviceByPointer case the
information about WHAT you should call is lost; instead you get back an
essentially useless status code (it is interesting to see how they construct
that status code, mind you, but that’s all.)

For example, if you have an attached device (DeviceObject->AttachedDevice
points to something)

And you call IoAttachDevicebyPointer(DeviceObject) or
IoAttachDeviceByPointer(DeviceObject->AttachedDevice) the effect is the
same.

SO, suppose that on one CPU you are calling IoAttachDeviceByPointer but
between the time you retrieved your pointer to the device and the time you
attach, someone ELSE attached to the device. You now think that IRPs should
be sent to DeviceObject when in fact they should be sent to
DeviceObject->AttachedDevice. YOU have just broken the stack.

Is this a bug you will see frequently? No. But it IS a bug that you could
eventually see. We actually used to work around this: first you attach,
then you walk the list looking for the device object preceeding your device
object in the AttachedDevice chain, just to make sure we never broke the
layering.

I’ve reviewed my original statement, and I still believe it is correct - you
should NOT use IoAttachDeviceByPointer. I would note that it is also listed
as an obsolete function. And, as I understand it, this means that drivers
using it may not build properly in future releases of the Windows XP DDK.

Regards,

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Andrey Kolishak [mailto:xxxxx@sandy.ru]
Sent: Friday, April 06, 2001 9:38 AM
To: File Systems Developers
Subject: [ntfsd] Re: DiskPerf.sys

Hello Tony,

TM> Do not use IoAttachDeviceByPointer. Use IoAttachDeviceToDeviceStack.
TM> IoAttachDeviceToDeviceStack is much cleaner because it returns to you
the
TM> device to which you should be passing the IRPs. Otherwise, it is far
too
TM> easy to send it to the WRONG device (like the one at the BOTTOM of the
TM> device stack).

far from real problem in the case.
IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
for NT 4 atleast on sp4,5,6. W2k also has following code for
IoAttachDeviceByPointer.

xxxxx@8 proc near

arg_0 = dword ptr 4
arg_4 = dword ptr 8

push [esp+arg_4]
push [esp+4+arg_0]
call _IoAttachDeviceToDeviceStack@8
neg eax
sbb eax, eax
and eax, 3FFFFFF2h
add eax, 0C000000Eh
retn 8
xxxxx@8 endp

TM> -----Original Message-----
TM> From: Danny [mailto:xxxxx@neptune.co.il]
TM> Sent: Tuesday, March 13, 2001 8:24 AM
TM> To: File Systems Developers
TM> Subject: [ntfsd] Re: DiskPerf.sys

TM> ?
TM> Lets say I rewrite the source of diskperf and force my device to be
layered
TM> right after the phyisical device
TM> (by using IoAttachDeviceByPointer() ),is that possible, why do I have to
TM> dismount ?
TM> excuse me if I am asking silly Questions , I relay need to know ,this is
TM> something I never tried - to be pushed in the middle of the
TM> chain right above the phyisical device , is it possible with out
dismounting
TM> , I know I will have open file all the time on the
TM> partition I would like to attach to?
TM> Thanks Again,
TM> Daniel.
TM> ?

TM> Daniel wrote:

> > ?
> > Is it possibale to change the Diskperf.sys source in order for it to be
TM> loaded
> > properly
> > without rebooting on NT4?
> > ?
> Alexei Chentsov wrote:
> ?? It seems that one can append disk filter to the chain on the
> fly. Dismount the volume first (use ioctl), then open the Disk
> properly (FILE_READ_DATA flag). This would not work with
> volumes that could not be dismounted (containing swap file,
> other opened files - images currently

Best regards,
Andrey mailto:xxxxx@sandy.ru


You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hi,

Check the following :

****************************************************************************
**************
Dis-assembled by IDA Disassembler ( Win2000 SP1 ):

public IoAttachDeviceByPointer
IoAttachDeviceByPointer proc near

arg_0 = dword ptr 4
arg_4 = dword ptr 8

push [esp+arg_4]
push [esp+4+arg_0]
call IoAttachDeviceToDeviceStack
neg eax
sbb eax, eax
and eax, 3FFFFFF2h
add eax, 0C000000Eh
retn 8
IoAttachDeviceByPointer endp

public IoAttachDeviceToDeviceStack
IoAttachDeviceToDeviceStack proc near ; CODE XREF:
IoAttachDeviceByPointer+8p
; IoAttachDevice+75p

arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch

push esi
mov esi, [esp+arg_0]
push edi
mov edi, [esi+0B0h]
cli
cmp byte_471B6C, 0
jz short loc_41F037
push [esp+4+arg_4]
push esi
call sub_425ACA

loc_41F037: ; CODE XREF:
IoAttachDeviceToDeviceStack+14j
push [esp+4+arg_4]
call IoGetAttachedDevice
test byte ptr [eax+1Ch], 80h
jnz short loc_41F097
mov ecx, [eax+0B0h]
test byte ptr [ecx+10h], 0Fh
jnz short loc_41F097
mov cl, [eax+30h]
inc word ptr [eax+0AEh]
inc cl
mov [eax+10h], esi
mov [esi+30h], cl
mov ecx, [eax+5Ch]
mov [esi+5Ch], ecx
mov cx, [eax+0ACh]
mov [esi+0ACh], cx
mov ecx, [eax+0B0h]
test byte ptr [ecx+10h], 10h
jz short loc_41F08E
mov esi, [esi+0B0h]
or dword ptr [esi+10h], 10h

loc_41F08E: ; CODE XREF:
IoAttachDeviceToDeviceStack+6Bj
mov [edi+18h], eax

loc_41F091: ; CODE XREF:
IoAttachDeviceToDeviceStack+82j
sti
pop edi
pop esi
retn 8

****************************************************************************
**************
Dis-assembled by SoftICE Debugger ( NT 4.0 SP6 ):

IoAttachDeviceByPointer :

PUSH ESI
CLI
PUSH DWORD PTR [ESP+0C]
CALL ntoskrnl!IoGetAttachDevice
TEST BYTE PTR [EAX+1C],80
JNZ 801116A6
MOV ECX, [EAX+000000B0]
TEST BYTE PTR [ECX+08],03
JNZ 801116A6
XOR ESI,ESI
MOV EDX,[ESP+08]
MOV [EAX+10],EDX
MOV CL,[EAX+30]
INC CL
MOV [EDX+30],CL
MOV ECX,[EAX+5C]
MOV [EDX+5C],ECX
MOV AX,[EAX+000000AC]
MOV [EDX+000000AC],AX
JMP 801116AB
801116A6: MOV ESI,C000000E
801116AB: STI
MOV EAX,ESI
POP ESI
RET 0008

IoAttachDeviceToDeviceStack :

CLI
PUSH DWORD PTR [ESP+08]
CALL ntoskrnl!IoGetAttachDevice
TEST BYTE PTR [EAX+1C],80
JNZ 801116F3
MOV ECX, [EAX+000000B0]
TEST BYTE PTR [ECX+08],03
JNZ 801116F3
MOV EDX,[ESP+04]
MOV [EAX+10],EDX
MOV CL,[EAX+30]
INC CL
MOV [EDX+30],CL
MOV ECX,[EAX+5C]
MOV [EDX+5C],ECX
MOV AX,[EAX+000000AC]
MOV [EDX+000000AC],AX
JMP 801116F5
801116F3: XOR EAX,EAX
801116F5: STI
RET 0008

  1. Above I have Disassembled in NT4.0 with SP6 and Win2000 with SP1. ( It
    is different )
  2. Why only small amount code is their in IoAttachDeviceByPointer in Win
    2000 why not in NT ?. They have moved to IoAttachDeviceToDeviceStack coz
    IoAttachDeviceByPointer is Absolute function
  3. Do u feel no use from the return value of IoAttachDeviceToDeviceStack ?
    ( Tony mason has mentioned the use ). For still about use Dis-assemble using
    Debugger in NT 4.0.

Final thing : This shows U never Dis-assembled in NT 4.0 :wink:

Regards,
Satish K.S

****************************************************************************
******
-----Original Message-----
From: Andrey Kolishak [mailto:xxxxx@sandy.ru]
Sent: Friday, April 06, 2001 9:38 AM
To: File Systems Developers
Subject: [ntfsd] Re: DiskPerf.sys

Hello Tony,

TM> Do not use IoAttachDeviceByPointer. Use IoAttachDeviceToDeviceStack.
TM> IoAttachDeviceToDeviceStack is much cleaner because it returns to you
the
TM> device to which you should be passing the IRPs. Otherwise, it is far
too
TM> easy to send it to the WRONG device (like the one at the BOTTOM of the
TM> device stack).

far from real problem in the case.
IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
for NT 4 atleast on sp4,5,6. W2k also has following code for
IoAttachDeviceByPointer.

xxxxx@8 proc near

arg_0 = dword ptr 4
arg_4 = dword ptr 8

push [esp+arg_4]
push [esp+4+arg_0]
call _IoAttachDeviceToDeviceStack@8
neg eax
sbb eax, eax
and eax, 3FFFFFF2h
add eax, 0C000000Eh
retn 8
xxxxx@8 endp

TM> -----Original Message-----
TM> From: Danny [mailto:xxxxx@neptune.co.il]
TM> Sent: Tuesday, March 13, 2001 8:24 AM
TM> To: File Systems Developers
TM> Subject: [ntfsd] Re: DiskPerf.sys

TM>
TM> Lets say I rewrite the source of diskperf and force my device to be
layered
TM> right after the phyisical device
TM> (by using IoAttachDeviceByPointer() ),is that possible, why do I have to
TM> dismount ?
TM> excuse me if I am asking silly Questions , I relay need to know ,this is
TM> something I never tried - to be pushed in the middle of the
TM> chain right above the phyisical device , is it possible with out
dismounting
TM> , I know I will have open file all the time on the
TM> partition I would like to attach to?
TM> Thanks Again,
TM> Daniel.
TM>


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

dear Satish,

S> 1) Above I have Disassembled in NT4.0 with SP6 and Win2000 with SP1. ( It
S> is different )
This are my words:
“IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
for NT 4 atleast on sp4,5,6. W2k also has following code for
IoAttachDeviceByPointer”
Please point here where I specify that these functions are the same
for NT4.0 and Win2000.

S> 2) Why only small amount code is their in IoAttachDeviceByPointer in Win
S> 2000 why not in NT ?. They have moved to IoAttachDeviceToDeviceStack coz
S> IoAttachDeviceByPointer is Absolute function
Thank you for very useful info!

S> 3) Do u feel no use from the return value of IoAttachDeviceToDeviceStack ?
S> ( Tony mason has mentioned the use ). For still about use Dis-assemble using
S> Debugger in NT 4.0.
Yes I feel so, because I wrote:
“far from real problem in the case.”

Final thing: This shows you never understoond (and probably read) my
original message :wink:

Best regards,
Andrey mailto:xxxxx@sandy.ru

S> Hi,

S> Check the following :

S> ****************************************************************************
S> **************
S> Dis-assembled by IDA Disassembler ( Win2000 SP1 ):

S> public IoAttachDeviceByPointer
S> IoAttachDeviceByPointer proc near

S> arg_0 = dword ptr 4
S> arg_4 = dword ptr 8

S> push [esp+arg_4]
S> push [esp+4+arg_0]
S> call IoAttachDeviceToDeviceStack
S> neg eax
S> sbb eax, eax
S> and eax, 3FFFFFF2h
S> add eax, 0C000000Eh
S> retn 8
S> IoAttachDeviceByPointer endp

S> public IoAttachDeviceToDeviceStack
S> IoAttachDeviceToDeviceStack proc near ; CODE XREF:
S> IoAttachDeviceByPointer+8p
S> ; IoAttachDevice+75p

S> arg_0 = dword ptr 8
S> arg_4 = dword ptr 0Ch

S> push esi
S> mov esi, [esp+arg_0]
S> push edi
S> mov edi, [esi+0B0h]
S> cli
S> cmp byte_471B6C, 0
S> jz short loc_41F037
S> push [esp+4+arg_4]
S> push esi
S> call sub_425ACA

S> loc_41F037: ; CODE XREF:
S> IoAttachDeviceToDeviceStack+14j
S> push [esp+4+arg_4]
S> call IoGetAttachedDevice
S> test byte ptr [eax+1Ch], 80h
S> jnz short loc_41F097
S> mov ecx, [eax+0B0h]
S> test byte ptr [ecx+10h], 0Fh
S> jnz short loc_41F097
S> mov cl, [eax+30h]
S> inc word ptr [eax+0AEh]
S> inc cl
S> mov [eax+10h], esi
S> mov [esi+30h], cl
S> mov ecx, [eax+5Ch]
S> mov [esi+5Ch], ecx
S> mov cx, [eax+0ACh]
S> mov [esi+0ACh], cx
S> mov ecx, [eax+0B0h]
S> test byte ptr [ecx+10h], 10h
S> jz short loc_41F08E
S> mov esi, [esi+0B0h]
S> or dword ptr [esi+10h], 10h

S> loc_41F08E: ; CODE XREF:
S> IoAttachDeviceToDeviceStack+6Bj
S> mov [edi+18h], eax

S> loc_41F091: ; CODE XREF:
S> IoAttachDeviceToDeviceStack+82j
S> sti
S> pop edi
S> pop esi
S> retn 8

S> ****************************************************************************
S> **************
S> Dis-assembled by SoftICE Debugger ( NT 4.0 SP6 ):

S> IoAttachDeviceByPointer :

S> PUSH ESI
S> CLI
S> PUSH DWORD PTR [ESP+0C]
S> CALL ntoskrnl!IoGetAttachDevice
S> TEST BYTE PTR [EAX+1C],80
S> JNZ 801116A6
S> MOV ECX, [EAX+000000B0]
S> TEST BYTE PTR [ECX+08],03
S> JNZ 801116A6
S> XOR ESI,ESI
S> MOV EDX,[ESP+08]
S> MOV [EAX+10],EDX
S> MOV CL,[EAX+30]
S> INC CL
S> MOV [EDX+30],CL
S> MOV ECX,[EAX+5C]
S> MOV [EDX+5C],ECX
S> MOV AX,[EAX+000000AC]
S> MOV [EDX+000000AC],AX
S> JMP 801116AB
S> 801116A6: MOV ESI,C000000E
S> 801116AB: STI
S> MOV EAX,ESI
S> POP ESI
S> RET 0008

S> IoAttachDeviceToDeviceStack :

S> CLI
S> PUSH DWORD PTR [ESP+08]
S> CALL ntoskrnl!IoGetAttachDevice
S> TEST BYTE PTR [EAX+1C],80
S> JNZ 801116F3
S> MOV ECX, [EAX+000000B0]
S> TEST BYTE PTR [ECX+08],03
S> JNZ 801116F3
S> MOV EDX,[ESP+04]
S> MOV [EAX+10],EDX
S> MOV CL,[EAX+30]
S> INC CL
S> MOV [EDX+30],CL
S> MOV ECX,[EAX+5C]
S> MOV [EDX+5C],ECX
S> MOV AX,[EAX+000000AC]
S> MOV [EDX+000000AC],AX
S> JMP 801116F5
S> 801116F3: XOR EAX,EAX
S> 801116F5: STI
S> RET 0008

S> 1) Above I have Disassembled in NT4.0 with SP6 and Win2000 with SP1. ( It
S> is different )
S> 2) Why only small amount code is their in IoAttachDeviceByPointer in Win
S> 2000 why not in NT ?. They have moved to IoAttachDeviceToDeviceStack coz
S> IoAttachDeviceByPointer is Absolute function
S> 3) Do u feel no use from the return value of IoAttachDeviceToDeviceStack ?
S> ( Tony mason has mentioned the use ). For still about use Dis-assemble using
S> Debugger in NT 4.0.

S> Final thing : This shows U never Dis-assembled in NT 4.0 :wink:

S> Regards,
S> Satish K.S

S> ****************************************************************************
S> ******
S> -----Original Message-----
S> From: Andrey Kolishak [mailto:xxxxx@sandy.ru]
S> Sent: Friday, April 06, 2001 9:38 AM
S> To: File Systems Developers
S> Subject: [ntfsd] Re: DiskPerf.sys

S> Hello Tony,

TM>> Do not use IoAttachDeviceByPointer. Use IoAttachDeviceToDeviceStack.
TM>> IoAttachDeviceToDeviceStack is much cleaner because it returns to you
S> the
TM>> device to which you should be passing the IRPs. Otherwise, it is far
S> too
TM>> easy to send it to the WRONG device (like the one at the BOTTOM of the
TM>> device stack).

S> far from real problem in the case.
S> IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
S> for NT 4 atleast on sp4,5,6. W2k also has following code for
S> IoAttachDeviceByPointer.

S> xxxxx@8 proc near

S> arg_0 = dword ptr 4
S> arg_4 = dword ptr 8

S> push [esp+arg_4]
S> push [esp+4+arg_0]
S> call _IoAttachDeviceToDeviceStack@8
S> neg eax
S> sbb eax, eax
S> and eax, 3FFFFFF2h
S> add eax, 0C000000Eh
S> retn 8
S> xxxxx@8 endp


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Dear satish,

I’m terrible sorry.
Now I see that I also did not understand your message :wink:
I thought that you wrote about different binary for w2k and nt4
Now I see that you think that two bellow code fragments are different.
If you still thing they are different in their results I have no comments :slight_smile:
After it you can claim that snow is black and I will agree with you
:slight_smile:

S> Dis-assembled by SoftICE Debugger ( NT 4.0 SP6 ):

S> IoAttachDeviceByPointer :

S> PUSH ESI
S> CLI
S> PUSH DWORD PTR [ESP+0C]
S> CALL ntoskrnl!IoGetAttachDevice
S> TEST BYTE PTR [EAX+1C],80
S> JNZ 801116A6
S> MOV ECX, [EAX+000000B0]
S> TEST BYTE PTR [ECX+08],03
S> JNZ 801116A6
S> XOR ESI,ESI
S> MOV EDX,[ESP+08]
S> MOV [EAX+10],EDX
S> MOV CL,[EAX+30]
S> INC CL
S> MOV [EDX+30],CL
S> MOV ECX,[EAX+5C]
S> MOV [EDX+5C],ECX
S> MOV AX,[EAX+000000AC]
S> MOV [EDX+000000AC],AX
S> JMP 801116AB
S> 801116A6: MOV ESI,C000000E
S> 801116AB: STI
S> MOV EAX,ESI
S> POP ESI
S> RET 0008

S> IoAttachDeviceToDeviceStack :

S> CLI
S> PUSH DWORD PTR [ESP+08]
S> CALL ntoskrnl!IoGetAttachDevice
S> TEST BYTE PTR [EAX+1C],80
S> JNZ 801116F3
S> MOV ECX, [EAX+000000B0]
S> TEST BYTE PTR [ECX+08],03
S> JNZ 801116F3
S> MOV EDX,[ESP+04]
S> MOV [EAX+10],EDX
S> MOV CL,[EAX+30]
S> INC CL
S> MOV [EDX+30],CL
S> MOV ECX,[EAX+5C]
S> MOV [EDX+5C],ECX
S> MOV AX,[EAX+000000AC]
S> MOV [EDX+000000AC],AX
S> JMP 801116F5
S> 801116F3: XOR EAX,EAX
S> 801116F5: STI
S> RET 0008

Best regards,
Andrey mailto:xxxxx@sandy.ru

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzeUFgIAAAEEAOB2de/sEiBRVDNtMLxgS6fbS7x1MI24fDcjWh+njp7ywSe3
H0MmrMaKJx5Xx//7AINqJU3Nxm6hKxXCWmuu153ir0xgpgJuA6QSY0CgW/2WVbW9
8gY59eBrJdRQdm9qw2VIsTlAiYU06lonukPdRW3WwfuBpLDy2PVTaiqpF8flAAUR
tA1hbmRyQHNhbmR5LnJ1iQCVAwUQN5QWA/VTaiqpF8flAQFrDwQAt4e0/XxF9TBu
UnMBQzBQHK7vfFZWyHjU8kzLH9oXEZi3X07d7TCXXaBAFkboqayDHvGKpic0YvuV
hrKu8ANv7ZHMeU8EG5XGJGVV2DV+iqi2CyfYP1is1ncLZ2+Iy1YlqEu2l5XOf6pa
rl4HpwzHVSuoWjmC7X2rRR9m+tf5XWA=
=rFX3
-----END PGP PUBLIC KEY BLOCK-----


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I am not intersted to tell Snow is black :-).
Both binaries are different in Return value cases.

Regards,
Satish K.S

Dear satish,

I’m terrible sorry.
Now I see that I also did not understand your message :wink:
I thought that you wrote about different binary for w2k and nt4
Now I see that you think that two bellow code fragments are different.
If you still thing they are different in their results I have no comments
:slight_smile:
After it you can claim that snow is black and I will agree with you
:slight_smile:

S> Dis-assembled by SoftICE Debugger ( NT 4.0 SP6 ):

S> IoAttachDeviceByPointer :

S> PUSH ESI
S> CLI
S> PUSH DWORD PTR [ESP+0C]
S> CALL ntoskrnl!IoGetAttachDevice
S> TEST BYTE PTR [EAX+1C],80
S> JNZ 801116A6
S> MOV ECX, [EAX+000000B0]
S> TEST BYTE PTR [ECX+08],03
S> JNZ 801116A6
S> XOR ESI,ESI
S> MOV EDX,[ESP+08]
S> MOV [EAX+10],EDX
S> MOV CL,[EAX+30]
S> INC CL
S> MOV [EDX+30],CL
S> MOV ECX,[EAX+5C]
S> MOV [EDX+5C],ECX
S> MOV AX,[EAX+000000AC]
S> MOV [EDX+000000AC],AX
S> JMP 801116AB
S> 801116A6: MOV ESI,C000000E
S> 801116AB: STI
S> MOV EAX,ESI
S> POP ESI
S> RET 0008

S> IoAttachDeviceToDeviceStack :

S> CLI
S> PUSH DWORD PTR [ESP+08]
S> CALL ntoskrnl!IoGetAttachDevice
S> TEST BYTE PTR [EAX+1C],80
S> JNZ 801116F3
S> MOV ECX, [EAX+000000B0]
S> TEST BYTE PTR [ECX+08],03
S> JNZ 801116F3
S> MOV EDX,[ESP+04]
S> MOV [EAX+10],EDX
S> MOV CL,[EAX+30]
S> INC CL
S> MOV [EDX+30],CL
S> MOV ECX,[EAX+5C]
S> MOV [EDX+5C],ECX
S> MOV AX,[EAX+000000AC]
S> MOV [EDX+000000AC],AX
S> JMP 801116F5
S> 801116F3: XOR EAX,EAX
S> 801116F5: STI
S> RET 0008


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Some one sent me the source for IoAttachDeviceByPointer and
IoAttachDeviceToDeviceStack API’s.
After that i dont want to continue discussion on this coz If he is already
source code he can customize in his own way :slight_smile:

Regards,
Satish K.S

----- Original Message -----
From: “Andrey Kolishak”
To: “File Systems Developers”
Sent: Monday, April 16, 2001 7:26 PM
Subject: [ntfsd] Re: DiskPerf.sys

> dear Satish,
>
> S> 1) Above I have Disassembled in NT4.0 with SP6 and Win2000 with SP1.
It
> S> is different )
> This are my words:
> “IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
> for NT 4 atleast on sp4,5,6. W2k also has following code for
> IoAttachDeviceByPointer”
> Please point here where I specify that these functions are the same
> for NT4.0 and Win2000.
>
> S> 2) Why only small amount code is their in IoAttachDeviceByPointer in
Win
> S> 2000 why not in NT ?. They have moved to IoAttachDeviceToDeviceStack
coz
> S> IoAttachDeviceByPointer is Absolute function
> Thank you for very useful info!
>
> S> 3) Do u feel no use from the return value of
IoAttachDeviceToDeviceStack ?
> S> ( Tony mason has mentioned the use ). For still about use Dis-assemble
using
> S> Debugger in NT 4.0.
> Yes I feel so, because I wrote:
> “far from real problem in the case.”
>
> Final thing: This shows you never understoond (and probably read) my
> original message :wink:
>
>
> Best regards,
> Andrey mailto:xxxxx@sandy.ru
>
> S> Hi,
>
> S> Check the following :
>
> S>
**************************************************************
> S>

> S> Dis-assembled by IDA Disassembler ( Win2000 SP1 ):
>
> S> public IoAttachDeviceByPointer
> S> IoAttachDeviceByPointer proc near
>
> S> arg_0 = dword ptr 4
> S> arg_4 = dword ptr 8
>
> S> push [esp+arg_4]
> S> push [esp+4+arg_0]
> S> call IoAttachDeviceToDeviceStack
> S> neg eax
> S> sbb eax, eax
> S> and eax, 3FFFFFF2h
> S> add eax, 0C000000Eh
> S> retn 8
> S> IoAttachDeviceByPointer endp
>
> S> public IoAttachDeviceToDeviceStack
> S> IoAttachDeviceToDeviceStack proc near ; CODE XREF:
> S> IoAttachDeviceByPointer+8p
> S> ; IoAttachDevice+75p
>
> S> arg_0 = dword ptr 8
> S> arg_4 = dword ptr 0Ch
>
> S> push esi
> S> mov esi, [esp+arg_0]
> S> push edi
> S> mov edi, [esi+0B0h]
> S> cli
> S> cmp byte_471B6C, 0
> S> jz short loc_41F037
> S> push [esp+4+arg_4]
> S> push esi
> S> call sub_425ACA
>
> S> loc_41F037: ; CODE XREF:
> S> IoAttachDeviceToDeviceStack+14j
> S> push [esp+4+arg_4]
> S> call IoGetAttachedDevice
> S> test byte ptr [eax+1Ch], 80h
> S> jnz short loc_41F097
> S> mov ecx, [eax+0B0h]
> S> test byte ptr [ecx+10h], 0Fh
> S> jnz short loc_41F097
> S> mov cl, [eax+30h]
> S> inc word ptr [eax+0AEh]
> S> inc cl
> S> mov [eax+10h], esi
> S> mov [esi+30h], cl
> S> mov ecx, [eax+5Ch]
> S> mov [esi+5Ch], ecx
> S> mov cx, [eax+0ACh]
> S> mov [esi+0ACh], cx
> S> mov ecx, [eax+0B0h]
> S> test byte ptr [ecx+10h], 10h
> S> jz short loc_41F08E
> S> mov esi, [esi+0B0h]
> S> or dword ptr [esi+10h], 10h
>
> S> loc_41F08E: ; CODE XREF:
> S> IoAttachDeviceToDeviceStack+6Bj
> S> mov [edi+18h], eax
>
> S> loc_41F091: ; CODE XREF:
> S> IoAttachDeviceToDeviceStack+82j
> S> sti
> S> pop edi
> S> pop esi
> S> retn 8
>
>
> S>
**************************************************************
> S>

> S> Dis-assembled by SoftICE Debugger ( NT 4.0 SP6 ):
>
> S> IoAttachDeviceByPointer :
>
> S> PUSH ESI
> S> CLI
> S> PUSH DWORD PTR [ESP+0C]
> S> CALL ntoskrnl!IoGetAttachDevice
> S> TEST BYTE PTR [EAX+1C],80
> S> JNZ 801116A6
> S> MOV ECX, [EAX+000000B0]
> S> TEST BYTE PTR [ECX+08],03
> S> JNZ 801116A6
> S> XOR ESI,ESI
> S> MOV EDX,[ESP+08]
> S> MOV [EAX+10],EDX
> S> MOV CL,[EAX+30]
> S> INC CL
> S> MOV [EDX+30],CL
> S> MOV ECX,[EAX+5C]
> S> MOV [EDX+5C],ECX
> S> MOV AX,[EAX+000000AC]
> S> MOV [EDX+000000AC],AX
> S> JMP 801116AB
> S> 801116A6: MOV ESI,C000000E
> S> 801116AB: STI
> S> MOV EAX,ESI
> S> POP ESI
> S> RET 0008
>
>
> S> IoAttachDeviceToDeviceStack :
>
> S> CLI
> S> PUSH DWORD PTR [ESP+08]
> S> CALL ntoskrnl!IoGetAttachDevice
> S> TEST BYTE PTR [EAX+1C],80
> S> JNZ 801116F3
> S> MOV ECX, [EAX+000000B0]
> S> TEST BYTE PTR [ECX+08],03
> S> JNZ 801116F3
> S> MOV EDX,[ESP+04]
> S> MOV [EAX+10],EDX
> S> MOV CL,[EAX+30]
> S> INC CL
> S> MOV [EDX+30],CL
> S> MOV ECX,[EAX+5C]
> S> MOV [EDX+5C],ECX
> S> MOV AX,[EAX+000000AC]
> S> MOV [EDX+000000AC],AX
> S> JMP 801116F5
> S> 801116F3: XOR EAX,EAX
> S> 801116F5: STI
> S> RET 0008
>
>
> S> 1) Above I have Disassembled in NT4.0 with SP6 and Win2000 with SP1.
It
> S> is different )
> S> 2) Why only small amount code is their in IoAttachDeviceByPointer in
Win
> S> 2000 why not in NT ?. They have moved to IoAttachDeviceToDeviceStack
coz
> S> IoAttachDeviceByPointer is Absolute function
> S> 3) Do u feel no use from the return value of
IoAttachDeviceToDeviceStack ?
> S> ( Tony mason has mentioned the use ). For still about use Dis-assemble
using
> S> Debugger in NT 4.0.
>
> S> Final thing : This shows U never Dis-assembled in NT 4.0 :wink:
>
> S> Regards,
> S> Satish K.S
>
>
> S>
**********************************************************************
> S>

> S> -----Original Message-----
> S> From: Andrey Kolishak [mailto:xxxxx@sandy.ru]
> S> Sent: Friday, April 06, 2001 9:38 AM
> S> To: File Systems Developers
> S> Subject: [ntfsd] Re: DiskPerf.sys
>
>
> S> Hello Tony,
>
> TM>> Do not use IoAttachDeviceByPointer. Use IoAttachDeviceToDeviceStack.
> TM>> IoAttachDeviceToDeviceStack is much cleaner because it returns to you
> S> the
> TM>> device to which you should be passing the IRPs. Otherwise, it is far
> S> too
> TM>> easy to send it to the WRONG device (like the one at the BOTTOM of
the
> TM>> device stack).
>
> S> far from real problem in the case.
> S> IoAttachDeviceByPointer and IoAttachDeviceToDeviceStack are the same
> S> for NT 4 atleast on sp4,5,6. W2k also has following code for
> S> IoAttachDeviceByPointer.
>
> S> xxxxx@8 proc near
>
> S> arg_0 = dword ptr 4
> S> arg_4 = dword ptr 8
>
> S> push [esp+arg_4]
> S> push [esp+4+arg_0]
> S> call _IoAttachDeviceToDeviceStack@8
> S> neg eax
> S> sbb eax, eax
> S> and eax, 3FFFFFF2h
> S> add eax, 0C000000Eh
> S> retn 8
> S> xxxxx@8 endp
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@aalayance.com
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com