SCSI CDB6 Question

Hi,

I am currently analyzing a malware which hooks SCSI StartIo and global dispatch handlers. I have no problem parsing CDB10 structure but when it comes to CDB6, I am not able to get Sector & Length information from CDB6 structure.

Can someone point me out how to extract Sector & Length information from this structure?

In CDB10 I am using:

    REVERSE_BYTES(&Sector, &pCDB->CDB10.LogicalBlockByte0);
    SectorCount = ( pCDB->CDB10.TransferBlocksMsb << 8 ) + pCDB->CDB10.TransferBlocksLsb;

BTW, how popular is CDB12 and CDB16 in today's hard disks?

Thanks,

-Emre TINAZTEPE

    Sector = ((DWORD) pCDB->CDB6READWRITE.LogicalBlockMsb1 << 16)
           + ((DWORD) pCDB->CDB6READWRITE.LogicalBlockMsb0 << 8)
           + pCDB->CDB6READWRITE.LogicalBlockLsb;
    SectorCount = pCDB->CDB6READWRITE.TransferBlocks ?
                  pCDB->CDB6READWRITE.TransferBlocks : 256;

> Emre Tinaztepe
> Sent by: xxxxx@lists.osr.com
> 02/27/2012 07:33 AM
> Please respond to “Windows File Systems Devs Interest List”
> To: “Windows File Systems Devs Interest List”
> Subject: [ntfsd] SCSI CDB6 Question

— NTFSD is sponsored by OSR For our schedule of debugging and file
system seminars visit: http://www.osr.com/seminars To unsubscribe, visit
the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
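
Added example, not part of the original thread: the CDB6 and CDB10 decoding discussed above, generalized to the 12- and 16-byte READ/WRITE forms and written against raw CDB bytes so it builds outside the WDK. The names `rw_info` and `decode_rw_cdb` are hypothetical, and the sample CDBs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* rw_info and decode_rw_cdb are hypothetical names for this added example. */
typedef struct { uint64_t lba; uint32_t blocks; int is_write; } rw_info;

static uint64_t be(const uint8_t *p, size_t n) {  /* big-endian field */
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}
/* Returns 0 on success, -1 if the CDB is too short or not a READ/WRITE. */
int decode_rw_cdb(const uint8_t *cdb, size_t len, rw_info *out) {
    if (cdb == NULL || out == NULL || len < 6) return -1;
    switch (cdb[0]) {
    case 0x08: case 0x0A:                        /* READ(6) / WRITE(6) */
        out->lba = be(cdb + 1, 3) & 0x1FFFFF;    /* 21 bits; top 3 bits of byte 1 are the LUN */
        out->blocks = cdb[4] ? cdb[4] : 256u;    /* 0 encodes 256 blocks */
        break;
    case 0x28: case 0x2A:                        /* READ(10) / WRITE(10) */
        if (len < 10) return -1;
        out->lba = be(cdb + 2, 4);
        out->blocks = (uint32_t)be(cdb + 7, 2);  /* 0 means no data transfer */
        break;
    case 0xA8: case 0xAA:                        /* READ(12) / WRITE(12) */
        if (len < 12) return -1;
        out->lba = be(cdb + 2, 4);
        out->blocks = (uint32_t)be(cdb + 6, 4);
        break;
    case 0x88: case 0x8A:                        /* READ(16) / WRITE(16) */
        if (len < 16) return -1;
        out->lba = be(cdb + 2, 8);
        out->blocks = (uint32_t)be(cdb + 10, 4);
        break;
    default:                                     /* TEST UNIT READY, REQUEST SENSE, ... */
        return -1;
    }
    out->is_write = (cdb[0] & 0x0F) == 0x0A;     /* opcodes ending in A are writes */
    return 0;
}

/* Constructed sample CDBs, not captured traffic. */
static const uint8_t SAMPLE_WRITE6[6] = {0x0A, 0xE1, 0x23, 0x45, 0x00, 0x00};
static const uint8_t SAMPLE_READ10[10] = {0x28, 0, 0x00, 0x12, 0x34, 0x56, 0, 0x00, 0x08, 0};
int main(void) {
    rw_info w, r;
    if (decode_rw_cdb(SAMPLE_WRITE6, 6, &w) || decode_rw_cdb(SAMPLE_READ10, 10, &r)) return 1;
    printf("WRITE(6) lba=%llu n=%u; READ(10) lba=%llu n=%u\n", (unsigned long long)w.lba,
           w.blocks, (unsigned long long)r.lba, r.blocks);
    return 0;
}
```

The length check matters when the CDB length comes from the request itself: a 10-byte opcode in a 6-byte buffer is rejected rather than read past its end.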

Have you looked at the T10 spec? A 6 byte CDB is completely laid out, as well as all other CDBs in that spec.

Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net


Thank you very much for the information jmasker.


> Have you looked at the T10 spec? A 6 byte CDB is completely laid out, as
> well as all other CDBs in that spec.

Thanks for participation Gary, I have not looked at T10. In order to support widest range of drivers, I need to support all CDB structures. VMWare XP uses atapi.sys and I am coming across CDB6 structures in each request.

Weird thing is that, when I check OperationCode of CDB, all I see is SCSIOP_TEST_UNIT_READY and SCSIOP_REQUEST_SENSE. There is no READ/WRITE request. Am I missing something?

Thanks for your help.

-Emre TINAZTEPE


You need a copy of the T10 information … in point of fact, that is the document where you should have started. That spec lays out ALL of the CDB structures that have been or will be used. As to why no READ/WRITE, have you sent a READ/WRITE?

Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net


Thanks Gary,

I am just analyzing the requests sent to miniport driver, so I am not sending any requests.

Everything is okay with CDB10 but with CDB6 it doesn’t work. What I am doing is:

  1. Get CdbLength from SRB
  2. Test OperationCode against SCSIOP_WRITE

On an idle system, I frequently come across CDB10 requests but in one of my virtual machines which is using atapi.sys (using CDB6) there seems no SCSIOP_WRITE requests. I only see two requests: SCSIOP_TEST_UNIT_READY && SCSIOP_REQUEST_SENSE. May it be related to something about CACHING?

I have Friedhelm Schmidt’s “SCSI Bus & IDE Interface” and “The Programmer’s Guide to SCSI” but I will also have a look at T10 specification.

-Emre TINAZTEPE


I have found the problem. It was because I was checking the wrong device object :(

But still need some help:

Which way is the safest way of getting Sector and Transfer length in a SCSI Request?

A.  Sector = pSrb->QueueSortKey;
    SectorCount = pSrb->DataTransferLength / 512;

B.  REVERSE_BYTES(&Sector, &pCDB->CDB10.LogicalBlockByte0);
    SectorCount = ( pCDB->CDB10.TransferBlocksMsb << 8 ) + pCDB->CDB10.TransferBlocksLsb;

Thanks,

-Emre TINAZTEPE
