Well, I wrote:
BTW, if you had # defined DBG then you can get the traces too in a
thread, and I thought it must be simple, like choosing the checked build
to build the driver.
But it seems it isn't that simple.
Basically I built the cdo sample in the WDK again with the checked build and
reloaded it, but I didn't see any messages in WinDbg.
***** buildchk_win7_x86.log
1> /DDEVL=1
1> /DDBG=1
1> /D__BUILDMACHINE__=WinDDK
***** BUILDFRE_WIN7_X86.LOG
1> /DDEVL=1
1> /D__BUILDMACHINE__=WinDDK
*****
Loading the cdo as a dump file and disassembling it, I can see the strings
compiled into the driver when I built it as checked:
0:000> !grep -e "string" -c "uf cdo!CdoUnload"
291 0001502d 68b06a0100 push offset cdo! ?? ::NNGAKEGL::`string' (00016ab0)
296 0001504a 68906a0100 push offset cdo! ?? ::NNGAKEGL::`string' (00016a90)
309 0001507e 68406a0100 push offset cdo! ?? ::NNGAKEGL::`string' (00016a40)
0:000> da 00016ab0
00016ab0 "EX: Pageable code called at IRQL"
00016ad0 " %d."
0:000> da 00016a90
00016a90 "[Cdo]: Unloading driver."
0:000> da 00016a40
00016a40 "[Cdo]: Fail unloading driver sin"
00016a60 "ce the unload is optional and th"
00016a80 "e CDO is open."
But the DbgPrint doesn't happen because some dword at
cdo!Globals+0x48 isn't set properly.
How can I set it?
cdo!CdoUnload+0x2f
[c:\winddk\7600.16385.1\src\filesys\minifilter\cdo\cdoinit.c @ 296]:
296 0001503f 8b15c8400100 mov edx,dword ptr [cdo!Globals+0x48 (000140c8)]
296 00015045 83e202 and edx,2
296 00015048 740d je cdo!CdoUnload+0x47 (00015057)
So I started looking around, and I see people calling it moron.
Is it so?
http://www.osronline.com/showThread.cfm?link=57594
I tried fltkd!traceflags and WinDbg says it can't find the global:
Could not GetExpression for "FltMgr!WPP_Global_Control"
I can see the other fltkd! arguments, though:
lkd> !grep -e FLT_F -c !filters
FLT_FILTER: 86b73788 "aswFsBlk" "388400"
FLT_FILTER: 86bcc5c0 "aswSnx" "137600"
lkd> !filter 86b73788
FLT_FILTER: 86b73788 "aswFsBlk" "388400"
FLT_OBJECT: 86b73788 [02000000] Filter
RundownRef : 0x0000000e (7)
PointerCount : 0x00000002
PrimaryLink : [86bcc5cc-8640005c]
Isn't this working for XP? (The docs seem to say WPP is available from Windows 2000.)
Can someone enumerate the simple steps to make this work?
I tried tracepdb and fed it the PDB, but it says it can't find some magic in it.
I opened up TraceView and set up a new logging session
(it doesn't even find the PDB which I select in the file selection box
:)), it says the file cannot be found.
So I just tried to log all the kernel logs using system.tmf
and filtered messages that had "cdo" in them to be colored brown.
I see some cdo messages in registry operations,
but no load/unload messages.
How can I get to see the
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Cdo]: Driver being loaded\n") );
or
this message in WinDbg, if at all:
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Cdo]: Unloading driver\n") );
in the cdo sample?
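As an added example (not the cdo sample's own source), here is a user-mode C model of the gating the disassembly above shows: the trace macro ANDs its level against a global dword and prints only on a non-zero result, so a zeroed global silences every DebugTrace regardless of the DBG build. The field name `DebugLevel` and the value of `DEBUG_TRACE_ERROR` are assumptions; only the value 2 for `DEBUG_TRACE_LOAD_UNLOAD` is confirmed by the `and edx,2` in the listing.

```c
#include <stdio.h>
#include <stdint.h>

/* Level bits modelled on the sample. Only LOAD_UNLOAD = 2 is
   confirmed by the `and edx,2` above; ERROR = 1 is an assumption. */
#define DEBUG_TRACE_ERROR        0x00000001u
#define DEBUG_TRACE_LOAD_UNLOAD  0x00000002u

typedef struct _CDO_GLOBALS {
    uint32_t DebugLevel;   /* stands in for the dword read at cdo!Globals+0x48 */
} CDO_GLOBALS;

/* Zero-initialised, like a driver global that nothing ever set. */
static CDO_GLOBALS Globals = { 0 };

/* Mirrors the `mov edx,[Globals+0x48]; and edx,2; je skip` sequence:
   the trace body runs only if (Level & DebugLevel) is non-zero. */
#define DebugTrace(Level, Data)             \
    do {                                    \
        if ((Level) & Globals.DebugLevel) { \
            printf Data;                    \
        }                                   \
    } while (0)

/* Returns 1 if a DebugTrace at `level` would print under the current mask. */
int trace_enabled(uint32_t level)
{
    return (level & Globals.DebugLevel) != 0;
}

/* Models writing the global from a debugger (e.g. `ed cdo!Globals+0x48 2`)
   or from whatever the driver's own initialisation would read into it. */
void set_debug_level(uint32_t mask)
{
    Globals.DebugLevel = mask;
}

int main(void)
{
    /* Silent: the mask is 0, so 2 & 0 == 0 and the je is taken. */
    DebugTrace(DEBUG_TRACE_LOAD_UNLOAD, ("[Cdo]: Driver being loaded\n"));

    set_debug_level(DEBUG_TRACE_LOAD_UNLOAD);
    /* Printed: 2 & 2 != 0, so the DbgPrint path is reached. */
    DebugTrace(DEBUG_TRACE_LOAD_UNLOAD, ("[Cdo]: Unloading driver\n"));
    return 0;
}
```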