OT: dissassembly WAS: Re: NT4+IoCancelFileOpen

…and now for a painfully naive question…

Coming from the world of application development (and being rather
new to that, as well) I’ve had little reason or opportunity to ‘disassemble’
code. I have only a passing familiarity with assembler. Sure, occasionally
I’ve needed to step through some disassembled code while debugging, mostly
relying on symbols to keep my bearing, but I’ve never done what you
describe, Maxim. How do you go about doing this sort of thing? In my
naivety, I can imagine stepping into the routine with the debugger and
copying the disassembly into a file, then running it through an assembler
and eventually linking it into my project. Is this what you mean?

In the preface to Inside Windows 2000 David Solomon talks about how
impressed he is about how his co-author Mark Russinovich(sp?) can quickly
research issues by stepping through his ‘custom disassembled kernel’. Ever
since I’ve been wondering if it is common practice for the gurus of the
world to disassemble large binaries and debug them conventionally. If so,
what are some popular ‘disassemblers’?

Thanks,
-Joel

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Wednesday, December 20, 2000 12:07 PM
To: File Systems Developers
Subject: [ntfsd] Re: NT4+IoCancelFileOpen

> Anybody knows how to solve this: I’m using IoCancelFileOpen in my code and
> also want to build an NT4 version of the driver on my Win2k machine, but in the
> NT4 DDK there is no such function in headers/libraries. I’m declare

Disassemble it, restore the source and write your own IoCancelFileOpen on
NT4. It is rather small - it just sends CLEANUP and CLOSE IRPs.

Max


You are currently subscribed to ntfsd as: xxxxx@ntpsoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com



Joel,

I don’t know if it is common practice but it is really helpful. It helps to
realize how things really work, understand some strange DDK statements,
resolve some checked build assertion failures, find undocumented features,
bugs etc. Everything can also be achieved with a debugger, but with a good
disassembler it is much easier. A debugger allows you to quickly examine the
actual implementation of some API (SoftICE is great for this), but a
disassembler is better for more complicated problems where cross references
are needed.

The best disassembler I’ve ever seen is IDA Pro:
http://www.datarescue.com/idabase/ida.htm. There is a demo in download
section, try it. Also, examine the examples on their site; IDA is very powerful
software and it isn’t very easy for the beginner to find all the useful
features.

Michal

Best regards,

Michal Vodicka
Veridicom
(RKK - Skytale)
[WWW: http://www.veridicom.com , http://www.skytale.com]


From: Smith, Joel[SMTP:xxxxx@ntpsoftware.com]
Reply To: File Systems Developers
Sent: Wednesday, December 20, 2000 7:01 PM
To: File Systems Developers
Subject: [ntfsd] OT: dissassembly WAS: Re: NT4+IoCancelFileOpen

…and now for a painfully naive question…

Coming from the world of application development (and being rather
new to that, as well) I’ve had little reason or opportunity to
‘disassemble’ code. I have only a passing familiarity with assembler.
Sure, occasionally I’ve needed to step through some disassembled code while
debugging, mostly relying on symbols to keep my bearing, but I’ve never
done what you describe, Maxim. How do you go about doing this sort of
thing? In my naivety, I can imagine stepping into the routine with the
debugger and copying the disassembly into a file, then running it through
an assembler and eventually linking it into my project. Is this what you
mean?

In the preface to Inside Windows 2000 David Solomon talks about
how impressed he is about how his co-author Mark Russinovich(sp?) can
quickly research issues by stepping through his ‘custom disassembled
kernel’. Ever since I’ve been wondering if it is common practice for the
gurus of the world to disassemble large binaries and debug them
conventionally. If so, what are some popular ‘disassemblers’?

Thanks,
-Joel

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Wednesday, December 20, 2000 12:07 PM
To: File Systems Developers
Subject: [ntfsd] Re: NT4+IoCancelFileOpen

> Anybody knows how to solve this: I’m using IoCancelFileOpen in my code and
> also want to build an NT4 version of the driver on my Win2k machine, but in the
> NT4 DDK there is no such function in headers/libraries. I’m declare

Disassemble it, restore the source and write your own IoCancelFileOpen on
NT4. It is rather small - it just sends CLEANUP and CLOSE IRPs.

Max



OT: dissassembly WAS: RE: [ntfsd] Re: NT4+IoCancelFileOpen

> How do you go about doing this sort of thing? In my naivety, I can imagine
> stepping into the routine with the debugger and copying the disassembly into
> a file, then running it through an assembler and eventually linking it into my
> project. Is this what you mean?

Yes, get the assembler code from the debugger, then write your own C code
with the same logic. Not as terrific as it seems.

Max



> running it through an assembler

Where can I find any commercial PC assembler?
Thanks.

Cathy

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Thursday, December 21, 2000 1:31 PM
To: File Systems Developers
Subject: [ntfsd] Re: OT: dissassembly WAS: Re: NT4+IoCancelFileOpen

> How do you go about doing this sort of thing? In my naivety, I can imagine
> stepping into the routine with the debugger and copying the disassembly into
> a file, then running it through an assembler and eventually linking it into my
> project. Is this what you mean?

Yes, get the assembler code from the debugger, then write your own C code
with the same logic. Not as terrific as it seems.

Max



> Where can I find any commercial PC assembler?
> Thanks.
>
> Cathy

Write the C code with the same logic as the ASM one - anyway easier to
maintain in the future :-)

Max

