Irp tracking

Hi,

If you want to track all the IRP_MJ_READs that are
coming to your driver, you can do either of the two
things:

  1. Either at the start of your driver set a break
    point on the IRP_MJ_READ dispatch routine.

  2. Or print some message inside your IRP_MJ_READ
    dispatch routine. Then that message will be printed on
    your debugger screen.

- Huzefa

— D M wrote:

>
> I want to track all IRP_MJ_READ going to a driver,
> from WinDbg. Can someone please tell me the WinDbg
> Command for the same. I tried reading up about !irp
> but didn’t make much sense to me.
>
> If the driver is say foo.sys and creates a device
> foodev how do I do it?
>
> D M

Hi,

If at all possible, post from a different email address that doesn’t attach
image anchor records to your posts. Though I’m sure everyone here is in the
market for a free cell phone, it’s obnoxious.

But, I digress…

If you just want to see the IRP and its ultimate status, IRPTracker is
easier than using the debugger:
http://www.osronline.com/article.cfm?article=199

However, if you really want to watch them in the debugger, you need to find
the target driver’s IRP_MJ_READ entry point.

  1. Use “!object \driver\foo” to find the target driver’s PDRIVER_OBJECT
  2. Use “dt nt!_DRIVER_OBJECT Address -b” and get the address of the third
    entry in the MajorFunction table (IRP_MJ_READ == 0x3)
  3. Now you have the address of where all IRP_MJ_READs go, so set a
    breakpoint there and start walking.

Note that the target driver might use one common entry point in his major
function table that branches out based on the major function code, so this
quest may vary in annoyance/difficulty.

Good luck,

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com
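
The three steps above as a WinDbg kernel-debugger command sequence. This is an added example, not part of the original post. It assumes a 32-bit x86 target whose nt symbols carry type information; \Driver\foo is the thread's placeholder driver name, and <DriverObject> and <ReadDispatch> are placeholders for addresses printed by the preceding command.

```windbg
$$ Added example. Replace <DriverObject> and <ReadDispatch> with the
$$ addresses your own session prints; they are placeholders, not real values.

$$ Step 1: find the driver object for the target driver.
!object \Driver\foo

$$ Step 2: show the dispatch table. Flag 2 makes !drvobj list the entry
$$ point registered for every major function, including IRP_MJ_READ.
!drvobj <DriverObject> 2

$$ Equivalent views when type information is available: the raw
$$ MajorFunction array (0x1c slots, IRP_MJ_CREATE .. IRP_MJ_PNP).
dt nt!_DRIVER_OBJECT <DriverObject> MajorFunction
dps <DriverObject>+@@c++(#FIELD_OFFSET(nt!_DRIVER_OBJECT, MajorFunction)) L1c

$$ Step 3: break on whatever routine is stored at index 3 (IRP_MJ_READ).
$$ @$ptrsize keeps the arithmetic correct on 32-bit and 64-bit targets.
bp poi(<DriverObject>+@@c++(#FIELD_OFFSET(nt!_DRIVER_OBJECT, MajorFunction))+3*@$ptrsize)

$$ Without type information the field offset has to be supplied by hand:
$$ MajorFunction sits at +0x38 in a 32-bit DRIVER_OBJECT (+0x70 on x64).
bp poi(<DriverObject>+0x38+3*4)

$$ To log every read instead of stopping, attach a command string.
$$ A dispatch routine is stdcall (DeviceObject, Irp), so on x86 the IRP
$$ pointer is at esp+8 on entry; on x64 it would be in rdx.
bp <ReadDispatch> "!irp poi(@esp+8); gc"

$$ Review or remove the breakpoints afterwards.
bl
bc *
```

If the driver registers one common routine for several major functions, the same address appears in more than one slot of the !drvobj listing, and the logging breakpoint will then fire for those other request types as well.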

“D M” wrote in message news:xxxxx@windbg…
I think you misinterpreted the question. I don't have the source, just the
memory image of the driver. I am not the author of it, just trying to debug
it.


What command did you type to get that message? If you typed ‘dt nt!A’,
then you’ll get this message. That’s because there is no ‘A’ symbol in
ntoskrnl, regardless of public or private symbols.

Jason


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of D M
Sent: Monday, August 29, 2005 8:05 AM
To: Kernel Debugging Interest List
Subject: Re: Re: Re: Re: Re: Re: [windbg] Irp tracking

Hello,

The command DT doesn’t seem to work with the public symbols of Windows 2000
available. It says:

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!A                                          ***
***                                                                   ***
*************************************************************************

any work arounds???

From: D M
Reply-To: Kernel Debugging Interest List
To: Kernel Debugging Interest List
Date: 29 Aug 2005 13:40:59 -0000
Subject: Re: Re: Re: Re: [windbg] Irp tracking

Scott, thanks for the tip.

By the way, I did not understand

> If at all possible, post from a different email address that doesn’t attach
> image anchor records to your posts. Though I’m sure everyone here is in the
> market for a free cell phone, it’s obnoxious.

Is there anything I need to do about this? Please advise. If it has
annoyed you, I am sorry though.

I am developing for various platforms, including Windows 2000, Irp
tracker doesn’t seem to work on it.

D M
