发布时间:2025-12-09 16:23:45 浏览次数:12
有人问,前面的博文,分别列出了USB xHCI, USB3 HUB, UCX01000的符号有什么用?
答案是,虽然我们不能看到MICROSOFT 的源代码,但通过这些符号,可以帮助我们调试USB子系统。
于是,切换到10栈帧,看当时的寄存器情况:
3: kd> .frame /r 0x10
10 00000000`0377f6b0 00000000`00cc45d6 WinUsb_7ffb16570000!WinUsb_WritePipe+0x10d
rax=0000000000000000 rbx=000000000038dc30 rcx=ffffe0019085fe60
rdx=ffffe001908bdf84 rsi=0000000000000000 rdi=0000000000ef3110
rip=00007ffb16572cbd rsp=000000000377f6b0 rbp=000000000377f7b0
r8=00001ffe6ca109a8 r9=ffffd000234c6420 r10=000000000000001c
r11=ffffe001908bd080 r12=0000000000300040 r13=00000000038830b8
r14=000000000377f764 r15=0000000000380580
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
WinUsb_7ffb16570000!WinUsb_WritePipe+0x10d:
00007ffb`16572cbd 8bd8 mov ebx,eax
我们看到视频数据BUFFER指针与长度分别由以下寄存器传递:
r13=00000000038830b8
r12=0000000000300040
而
rcx=ffffe0019085fe60
rdx=ffffe001908bdf84
r8=00001ffe6ca109a8
r9=ffffd000234c6420
这四个寄存中,既没有看到正确的长度值,也没有BUFFER指针。
笔者得出初步的结论,可能X64的函数调用方式,在新型的计算机中,使用了别的寄存器(r12,13),取代了rcx, rdx, r8, and r9。
The first two DWORD-or-smaller arguments are passed in the ecx andedx registers. The remaining parameters are passed on the stack, pushed right to left. The callee cleans the stack.
__cdecl
Function parameters are passed on the stack, pushed right to left, and the caller cleans the stack. The__cdecl calling convention is used for all functions with variable-length parameters.
最新更新:
经过别人指点,知道X64参数传递与理论不符合的原因了。
在断点
8 e fffff800`08781a04 0001 (0001) WinUSB!WinUSB_WritePipe
HIT时,我们已经知道,0帧是内核态,10帧是用户态
3: kd> kvn
# Child-SP RetAddr : Args to Child : Call Site
00 ffffd000`227083d8 fffff800`0877b0f1 : ffffe000`0eae9080 ffffd000`22708430 00001fff`f1516f78 00000000`00000000 : WinUSB!WinUSB_WritePipe
01 ffffd000`227083e0 fffff800`0647f9ce : ffffe000`0eae9080 00001fff`f1516f78 00000000`03508021 fffff800`064f4748 : WinUSB!WinUSB_DeviceControl+0x3a5
02 ffffd000`22708460 fffff800`0647f123 : ffffe000`0d97d000 ffffd000`22708500 ffffe000`0e4d2100 00000000`00000001 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x1be
03 ffffd000`22708530 fffff800`0648b279 : ffffe000`0d97d080 ffffe000`0eae9000 00000000`00000000 ffffd000`227086d9 : Wdf01000!FxIoQueue::DispatchEvents+0x363
04 ffffd000`227085f0 fffff800`06483d93 : ffffcf80`ab3ca900 ffffe000`0eae9080 ffffcf80`ab3ca990 ffffcf80`ab3ca990 : Wdf01000!FxIoQueue::QueueRequest+0x8d
05 ffffd000`22708660 fffff800`0630a832 : 00000000`00020000 ffffd000`22708700 ffffe000`0ee167e0 fffff800`06483240 : Wdf01000!FxDevice::DispatchWithLock+0xb51
06 ffffd000`22708740 fffff801`4e485911 : ffffcf80`ab3ca990 00000000`00000002 ffffe000`0ee981e0 00000000`00000000 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xfe
07 ffffd000`227087a0 fffff801`4e4a1ec9 : ffffcf80`ab3ca990 ffffe000`0e459410 00000000`00000002 ffffe000`0aff93b0 : nt!IovCallDriver+0x3cd
08 ffffd000`227087f0 fffff801`4e485911 : ffffe000`0e459560 ffffcf80`ab3ca990 ffffe000`0e459410 00000000`00000001 : nt!ViFilterDispatchGeneric+0xd1
09 ffffd000`22708830 fffff801`4e1d315f : 00000000`00000000 ffffd000`22708b80 ffffcf80`ab3ca990 ffffe000`0aff99d0 : nt!IovCallDriver+0x3cd
0a ffffd000`22708880 fffff801`4e1d4a76 : 00000000`00000000 00000000`0421b174 00000000`00000000 00000000`00a63168 : nt!IopXxxControlFile+0xa4f
0b ffffd000`22708a20 fffff801`4df699b3 : 00000000`00000004 00000000`0000000c ffffe000`0947f200 ffffd000`22708b80 : nt!NtDeviceIoControlFile+0x56
0c ffffd000`22708a90 00007ffc`5ce216ea : 00007ffc`5a50b805 00000000`000003e5 00000000`0287bb90 00000000`029ef504 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`22708b00)
0d 00000000`029ef4d8 00007ffc`5a50b805 : 00000000`000003e5 00000000`0287bb90 00000000`029ef504 00000000`00000000 : ntdll!NtDeviceIoControlFile+0xa
0e 00000000`029ef4e0 00007ffc`5ab22470 : 00000000`03508021 00007ffc`00000103 00000000`00a60000 00000000`0000000a : KERNELBASE!DeviceIoControl+0x103
0f 00000000`029ef550 00007ffc`53dc2cbd : 00000000`0084d630 00007ffc`5a504f4f 00000000`029ef6a0 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x74
10 00000000`029ef5a0 00000000`00d845d6 : 00000000`00a60200 00000000`029ef602 00000000`00a62ec0 00000000`03f1b138 : WinUsb_7ffc53dc0000!WinUsb_WritePipe+0x10d
11 00000000`029ef620 00000000`00d84c1f : 00000000`00000000 00000003`03000400 000096b0`c90de0d4 00000000`00a62ec0 : xxmgr+0x145d6
12 00000000`029ef6e0 00000000`00d90e45 : 00000000`0287b4d0 00000000`00000000 00000000`00000001 00000000`00000000 : xxmgr+0x14c1f
13 00000000`029ef740 00000000`00d8e23d : 00000000`00a614c0 00000000`029ef809 00000000`00020d00 00000000`0038a0cc : xxmgr+0x20e45
14 00000000`029ef780 00000000`00d928c7 : 00000000`00000300 00000000`00000020 00000000`00000004 00000000`0287b398 : xxmgr+0x1e23d
15 00000000`029ef870 00000000`00d8f42f : 00000000`00000000 00000000`00a62dd0 00000000`00000000 00000000`00a614c0 : xxmgr+0x228c7
16 00000000`029ef8d0 00000000`00d8c72b : 00000000`0287bc80 00000000`00000000 00000000`00000000 00000000`00000000 : xxmgr+0x1f42f
17 00000000`029ef930 00000000`00d82744 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : xxmgr+0x1c72b
18 00000000`029ef970 00007ffc`5ab216ad : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : xxmgr+0x12744
19 00000000`029ef9b0 00007ffc`5cde4409 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0xd
1a 00000000`029ef9e0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
数据指针是在私有驱动调用用户态的时侯传递的,即10帧的时候
所以,要看rcx, rdx, r8, r9是否包含相应的参数,应该在用户态的函数开始处,而不是第10帧的0x10d处,
于是根据以上栈回溯,再设一个断点:
3: kd> bp WinUsb_7ffc53dc0000!WinUsb_WritePipe
当这个用户态的WinUsb_WritePipe断点HIT时,我们看到,参数确实是使用rcx, rdx, r8, r9来传递的!!!
3: kd> kvn
# Child-SP RetAddr : Args to Child : Call Site
00 00000000`029ef618 00000000`00d845d6 : 00000000`00a62ec0 00000000`029ef6a0 00000000`0391b0b8 00000000`000003e0 : WinUsb_7ffc53dc0000!WinUsb_WritePipe
01 00000000`029ef620 00000000`00d84c1f : 00000000`00000000 00000003`03000400 000096b0`c90de0d4 00000000`00a62ec0 : xxmgr+0x145d6
02 00000000`029ef6e0 00000000`00d90e45 : 00000000`0287b4d0 00000000`00000000 00000000`00000001 00000000`00000000 : xxmgr+0x14c1f
03 00000000`029ef740 00000000`00d8e23d : 00000000`00a614c0 00000000`029ef809 00000000`00020d00 00000000`0038a0cc : xxmgr+0x20e45
04 00000000`029ef780 00000000`00d928c7 : 00000000`00000300 00000000`00000020 00000000`00000004 00000000`0287b398 : xxmgr+0x1e23d
05 00000000`029ef870 00000000`00d8f42f : 00000000`00000000 00000000`00a62dd0 00000000`00000000 00000000`00a614c0 : xxmgr+0x228c7
06 00000000`029ef8d0 00000000`00d8c72b : 00000000`0287bc80 00000000`00000000 00000000`00000000 00000000`00000000 : xxmgr+0x1f42f
07 00000000`029ef930 00000000`00d82744 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : xxmgr+0x1c72b
08 00000000`029ef970 00007ffc`5ab216ad : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : xxmgr+0x12744
09 00000000`029ef9b0 00007ffc`5cde4409 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0xd
0a 00000000`029ef9e0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
3: kd> r
rax=0000000000a60870 rbx=0000000000a62ec0 rcx=000000000084d630
rdx=0000000000000002 rsi=000000000391b0b8 rdi=0000000000a63108
rip=00007ffc53dc2bb0 rsp=00000000029ef618 rbp=00000000029ef6a0
r8=000000000391b0b8 r9=0000000000300040 r10=0000000000000001
r11=0000000003ca5184 r12=0000000000300040 r13=0000000000300040
r14=0000000002870890 r15=0000000000000002
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
WinUsb_7ffc53dc0000!WinUsb_WritePipe:
0033:00007ffc`53dc2bb0 488bc4 mov rax,rsp
免责声明:本站内容(文字信息+图片素材)来源于互联网公开数据整理或转载,仅用于学习参考,如有侵权问题,请及时联系本站删除,我们将在5个工作日内处理。联系邮箱:303555158#qq.com(把#换成@)
微信便捷交流