When talking about dispatch routines, you must understand the concept of IRP (I/O Request package), that is, the important data structure of "input/output request package. After ring3 sends an I/O Request to the driver through functions such as deviceiocontrol, the operating system converts the request to the IRP data structure in the kernel and sends the request to the dispatch Letter of the corresponding driver, 21.1.6.
After the ring3 program calls the deviceiocontrol function exported by kernel32.dll, NTDLL is called. the ntdeviceiocontrolfile function exported by DLL, and then calls the service function ntdeviceio controlfile provided by the system kernel module. This function will convert I/O requests to IRP packets, and sent to the dispatch routine function of the corresponding driver. This is also true for other I/O-related functions, such as createfile, readfile, writefile, getfilesize, setfilesize, and closehandle.
| Figure 21.1.6 from ring3's I/O Request to kernel's IRP request package |
Which dispatch routine function should be sent to the driver for an IRP packet is determined by the majorfunction attribute in the IRP structure. The majorfunction attribute value is a series of macros, as shown below.
Majorfunction can have a maximum of 0x1b (27), that is, a maximum of 27 different dispatch routine functions can be set in the driver. In helloworld. C, all dispatch routines are set to the drvdispatch function for simplicity, and the drvdispatch function only performs the simplest processing.
The data structure of IRP is very complex. If all the data is displayed, it may take several pages. "It is better to teach people to fish than to teach people to fish". Therefore, we will focus on the method of learning the IRP data structure.
For beginners, after installing the latest wdk version, you can use the "wdk documentation" document in wdk help to learn the IRP data structure, as shown in 21.1.7.
| (Click to view the big picture) Figure 21.1.7 learn the kernel data structure IRP through the wdk help document |
This document will focus on the meanings and usage of some IRP members used in the driver. In addition, there is a comments at the end of this document, which is also very valuable.
Some members in the IRP structure are omitted in the wdk document. If you read the IRP comments in the document, you will know that these unreceivented members are retained, this is because only I/O manager or fsds can use these members. To better understand the data structure of IRP, you can find the header file defining IRP in the wdk and read the comments. For example, the path of the header file is D: \ winddk \ 7600.16385.0 \ Inc \ DDK \ WDM. H, as shown in 21.1.8.
| Figure 21.1.8 learn the kernel data structure IRP through the wdk header file WDM. h |
To flexibly view the kernel data structure information, you can also use some PDB auxiliary tools. Generally, the kernel data structure is mostly defined in the kernel module. With the kernel module, you also need to obtain the corresponding PDB symbol file. Here we recommend you use the free symboltypeviewer tool to download the symbol file. The tool is very easy to use (download link: http://www.laboskopia.com/download/SymbolTypeViewer_v1.0_beta.zip), as shown in 21.1.9.
| (Click to view the larger image) fig 21.1.9 download the symbol file using the symboltypeviewer free tool |
Start symboltypeviewer, click the "file" button, select the local kernel module File (for example, c: \ windows \ system32 \ ntkrnlpa.exe), and then click the "symbol path" button, select the path of the symbol file to be saved, click "server", select the default Microsoft link, and click "get symbols" to download the symbol. Click the symbol item in the tree control on the left. Information about the symbol is listed in the "info" window on the right. For example, D: \ windows \ symbols \ ntkrpamp. PDB \ 140d20abbc1b433ea7bf82b979b6bf
9d1 \ ntkrpamp. PDB.
The next step is to browse the downloaded PDB file. Although the symboltypeviewer tool also supports browsing internal symbols, it is not convenient to use the link function. It is recommended to use another free tool pdb_explorer (http://blog.titilima.com/wp-content/uploads/attachments/date_200907/pdbexp_v1.10.zip) dedicated to viewing the PDB symbolic information here ).
Start PDB explorer, click "open", select the downloaded PDB file, and enter "_ IRP" in the search box ", on the first matched item "_ IRP" selected, the symbol information shown in 21.1.10 is displayed in the content area on the right.
We can see that PDB Explorer supports forward and backward, that is, in the displayed struct, if there are Members such as union or sub-struct, you can also click to browse more information. In this way, the advantage of browsing is that you will not "eat a big fat man", and gradually master the complex kernel data structures such as IRP.
The above are some ways to learn the kernel data structure. I hope these contents can play the role of "granting people to fish, we hope that readers can gradually understand the meaning and usage of each member in the IRP structure through these methods.
| (Click to view the larger image) Figure 21.1.10 browse the symbol file using the free tools of PDB Explorer |
Dispatch routine and IRP Structure
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
