How to hook WDDM dispatch functions

I wanna hook these functions, so that I can get some useful data such as the framebuffer address. Marcel Ruedinger has mentioned in this list before that I can hook DxgkDdiSetVidPnSourceAddress to get the address.
These functions are all in the DRIVER_INITIALIZATION_DATA, which is then passed to the function DxgkInitialize (http://msdn.microsoft.com/en-us/library/windows/hardware/ff560824(v=vs.85).aspx). In order to see the details of the function DxgkInitialize, I disassembled it and found that it called the function DpiInitialize in dxgkrnl.sys. In that function, the driver calls IoAllocateDriverObjectExtension and copies DRIVER_INITIALIZATION_DATA to the DriverObjectExtension.
In order to get DRIVER_INITIALIZATION_DATA, I wrote the code below:

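WCHAR deviceNameBuffer[] = L"\\Device\\DxgKrnl";
RtlInitUnicodeString(&deviceUnicodeString, deviceNameBuffer);
/* Look up the DxgKrnl device object by name. */
status = IoGetDeviceObjectPointer(&deviceUnicodeString, FILE_READ_DATA, &pFileObject, &pDeviceObject);
if (!NT_SUCCESS(status)) return status;
pDriverObject = pDeviceObject->DriverObject;
/* Query the extension, passing the driver object itself as the ClientIdentificationAddress. */
pDriverObjectExtension = IoGetDriverObjectExtension(pDriverObject, (PVOID)pDriverObject);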

But pDriverObjectExtension is always NULL. Does it mean I can’t get the DriverObjectExtension in another driver?
Does anyone know how to get the addresses of these functions?

I don’t know if it’s OK to use hooks in video drivers (guess not),

but are you sure that the second parameter of IoGetDriverObjectExtension is
the driver address?

http://msdn.microsoft.com/en-us/library/windows/hardware/ff548233(v=vs.85).aspx
*ClientIdentificationAddress* [in]

Specifies a unique identifier for the context area to be allocated.


Yes, I am sure. When it uses IoAllocateDriverObjectExtension, the
*ClientIdentificationAddress* is pDriverObject.

On Fri, Mar 30, 2012 at 7:01 PM, Sergey Pisarev wrote:

> i don’t know if it’s ok to use hooks in video drivers (guess not)
>
> but are you sure that second parameter of IoGetDriverObjectExtension is
> driver address ?
>
>
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff548233(v=vs.85).aspx
> ClientIdentificationAddress [in]
>
> Specifies a unique identifier for the context area to be allocated.


Regards
Yaoyao

pDriverObjectExtension = IoGetDriverObjectExtension(pDriverObject, (PVOID)pDriverObject);

pDriverObject - address of dxgkrnl.sys or address of the video miniport driver?

On Fri, Mar 30, 2012 at 3:17 PM, Yorath Wang wrote:

> yes, i am sure. When it use IoAllocateDriverObjectExtension, the
> ClientIdentificationAddress is pDriverObject.

Through IoGetDeviceObjectPointer I can get pDeviceObject, which is the
pointer to the device L"\Device\DxgKrnl". pDriverObject =
pDeviceObject->DriverObject; so pDriverObject points to the driver of the
device.

On Fri, Mar 30, 2012 at 7:35 PM, Sergey Pisarev wrote:

> pDriverObjectExtension = IoGetDriverObjectExtension(pDriverObject,
> (PVOID)pDriverObject);
>
> pDriverObject - address of dxgkrnl.sys or address of video miniport
> driver ?


Regards
Yaoyao

Well, as I can see, this driver does not have a driver object extension:

0: kd> !devobj \Device\DxgKrnl
Device object (fffffa8004d6e060) is for:
DxgKrnl \Driver\DXGKrnl DriverObject fffffa8004d6ea70
Current Irp 00000000 RefCount 4 Type 00000022 Flags 00000040
Dacl fffff9a100408821 DevExt 00000000 DevObjExt fffffa8004d6e1b0
ExtensionFlags (0000000000)
Device queue is not busy.
0: kd> !drvobj fffffa8004d6ea70
Driver object (fffffa8004d6ea70) is for:
\Driver\DXGKrnl
Driver Extension List: (id , addr)

Device Object list:
fffffa8004d6e060

I think you need the miniport driver address and not *Dxgkrnl.sys*

On Fri, Mar 30, 2012 at 8:12 PM, Yorath Wang wrote:

> through IoGetDeviceObjectPointer i can get pDeviceObject , this is the
> pointer to the device L"\Device\DxgKrnl", pDriverObject =
> pDeviceObject->DriverObject; so pDriverObject points to the driver of
> the device.

Visit Anshul Makkar’s blog (http://www.justkernel.com/articles/) for some info on WDDM display driver development. He posted his initial kernel mode miniport hook driver code at “http://code.google.com/p/wddm-desktop-extension/source/browse/#svn%2Ftrunk”. It will get you started on WDDM display driver development.
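
A user-mode model of the lookup discussed in this thread, added here as an illustration (not code from any poster and not kernel code): driver object extensions are kept per driver object and keyed by ClientIdentificationAddress, so a query against DxgKrnl's driver object finds nothing when the extension was allocated on the miniport's driver object. That placement is an assumption taken from the debugger-based reply above; the `model_*` names and the miniport driver name are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/* User-mode model, not kernel code: every driver object owns its own list of
 * extensions, and each entry is tagged with the ClientIdentificationAddress
 * that was supplied when it was allocated. */
typedef struct ext_node {
    const void *client_id;
    struct ext_node *next;
    void *data;
} ext_node;

typedef struct {
    const char *name;      /* constructed label for the demo */
    ext_node *ext_list;    /* what !drvobj prints as "Driver Extension List" */
} model_driver;

/* Models IoGetDriverObjectExtension: searches only drv's own list. */
void *model_get_ext(const model_driver *drv, const void *client_id) {
    for (const ext_node *n = drv->ext_list; n != NULL; n = n->next)
        if (n->client_id == client_id)
            return n->data;
    return NULL;
}

/* Models IoAllocateDriverObjectExtension: one entry per (driver, id) pair.
 * Returns NULL on a duplicate id (the real routine reports a collision). */
void *model_alloc_ext(model_driver *drv, const void *client_id, size_t size) {
    if (model_get_ext(drv, client_id) != NULL) return NULL;
    ext_node *n = malloc(sizeof *n);
    if (n == NULL) return NULL;
    n->data = calloc(1, size);
    if (n->data == NULL) { free(n); return NULL; }
    n->client_id = client_id;
    n->next = drv->ext_list;
    drv->ext_list = n;
    return n->data;
}

/* Replays the thread: returns 1 when the question's lookup (DxgKrnl's driver
 * object as both arguments) is NULL but the miniport's object has the entry. */
int replay_thread_lookup(void) {
    model_driver dxgkrnl = { "\\Driver\\DXGKrnl", NULL };
    model_driver miniport = { "\\Driver\\miniport", NULL }; /* hypothetical */
    void *stored = model_alloc_ext(&miniport, &miniport, 64);
    void *via_dxgkrnl = model_get_ext(&dxgkrnl, &dxgkrnl);
    void *via_miniport = model_get_ext(&miniport, &miniport);
    return stored != NULL && via_dxgkrnl == NULL && via_miniport == stored;
}
```

The empty "Driver Extension List" in the `!drvobj` output corresponds to `dxgkrnl.ext_list` being NULL in this model.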