giveio.sys
DriverEntry proc pDriverObject:PDRIVER_OBJECT,pusRegistryPath:PUNICODE_STRING
...
; Hard-coded breakpoint (opcode CC): traps into the attached kernel debugger
; as soon as DriverEntry runs. Debugging aid only -- with no kernel debugger
; attached the breakpoint exception goes unhandled and the machine bugchecks,
; so remove it before building a driver that will be loaded anywhere else.
int 3
; Debug trace marking entry into DriverEntry; the text is only visible in a
; kernel debugger or a debug-output viewer.
; NOTE(review): $CTA0 presumably emits a zero-terminated ANSI string literal -- confirm against the macro definition.
invoke DbgPrint,$CTA0("giveio: Entering DriverEntry\n")
...
end DriverEntry
WinDbg
Break instruction exception - code 80000003 (first chance)
f8a7e266 cc int 3
1: kd> u
f8a7e266 cc int 3
f8a7e267 6870e4a7f8 push 0F8A7E470h
f8a7e26c e8bf010000 call f8a7e430
f8a7e271 83c404 add esp,4
f8a7e274 c745fc820100c0 mov dword ptr [ebp-4],0C0000182h
f8a7e27b 8d4de4 lea ecx,[ebp-1Ch]
f8a7e27e c70118000000 mov dword ptr [ecx],18h
f8a7e284 83610400 and dword ptr [ecx+4],0
1: kd> lm
start end module name
7c800000 7c8c0000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\DCE823FCF71A4BF5AA489994520EA18F2\ntdll.pdb
80800000 80a42000 nt (private pdb symbols) c:\symbols\wrkx86.pdb\BF45F0E3EBE84D2890362A91F9DB949C1\wrkx86.pdb
80a42000 80a6e000 hal (deferred)
ba10b000 ba11e000 sysaudio (deferred)
ba11e000 ba139000 wdmaud (no symbols)
ba133000 ba146000 sysaudio_ba133000 (deferred)
ba146000 ba161000 wdmaud_ba146000 (deferred)
ba6d9000 ba738000 srv (no symbols)
ba701000 ba760000 srv_ba701000 (deferred)
baad0000 baad9000 ndisuio (deferred)
baaf0000 baaf9000 ndisuio_baaf0000 (deferred)
bab20000 bab31000 dump_symmpi (deferred)
bab31000 bab46000 Cdfs (deferred)
bab6e000 bab7f000 Fips (deferred)
bab7f000 babf5000 mrxsmb (deferred)
babf5000 bac25000 rdbss (deferred)
bac25000 bac42b80 vmhgfs (deferred)
bac43000 bac6d000 afd (deferred)
bac6d000 bac9e000 netbt (no symbols)
bac95000 bacc6000 netbt_bac95000 (deferred)
bac9e000 bacff000 tcpip (deferred)
bacc6000 bad27000 tcpip_bacc6000 (deferred)
bacff000 bad18000 ipsec (deferred)
bad27000 bad40000 ipsec_bad27000 (deferred)
bf800000 bf9cf000 win32k (deferred)
bf9cf000 bf9e5000 dxg (deferred)
bf9e5000 bfa18880 vmx_fb (deferred)
f7c15000 f7c55000 update_f7c15000 (deferred)
f7c26000 f7c66000 update (deferred)
f7c7d000 f7cb4000 rdpdr_f7c7d000 (deferred)
f7c8e000 f7cc5000 rdpdr (deferred)
f7cf4000 f7cfe000 Dxapi_f7cf4000 (deferred)
f7d04000 f7d0e000 dump_diskdump_f7d04000 (deferred)
f7d05000 f7d0f000 Dxapi (deferred)
f7d15000 f7d1f000 dump_diskdump (deferred)
f7d45000 f7d4e000 vmdebug (deferred)
f7d54000 f7d67000 raspptp_f7d54000 (deferred)
f7d55000 f7d62000 netbios (deferred)
f7d65000 f7d78000 raspptp (deferred)
f7d67000 f7d81000 ndiswan_f7d67000 (deferred)
f7d78000 f7d92000 ndiswan (deferred)
f7d81000 f7d96000 rasl2tp_f7d81000 (deferred)
f7d92000 f7da7000 rasl2tp (deferred)
f7d96000 f7dab000 drmk_f7d96000 (deferred)
f7dab000 f7dd4000 portcls (deferred)
f7dbf000 f7dd4000 drmk (deferred)
f7dd4000 f7def000 VIDEOPRT_f7dd4000 (deferred)
f7dfd000 f7e18000 VIDEOPRT (no symbols)
f7e07000 f7e2f000 ks_f7e07000 (deferred)
f7e18000 f7e40000 ks (deferred)
f7e2f000 f7e43000 redbook_f7e2f000 (deferred)
f7e40000 f7e54000 redbook (deferred)
f7e43000 f7e58000 cdrom_f7e43000 (deferred)
f7e54000 f7e69000 cdrom (deferred)
f7e58000 f7e6d000 serial_f7e58000 (deferred)
f7e69000 f7e7e000 serial (deferred)
f7e6d000 f7e85000 parport_f7e6d000 (deferred)
f7e7e000 f7e96000 parport (deferred)
f7e85000 f7e98000 i8042prt_f7e85000 (deferred)
f7e96000 f7ea9000 i8042prt (deferred)
f81c2000 f81e1000 Mup (deferred)
f81e1000 f8217000 NDIS (deferred)
f8217000 f82ac000 Ntfs (deferred)
f82ac000 f82d3000 KSecDD (deferred)
f82d3000 f82f8000 fltMgr (deferred)
f82f8000 f830b000 CLASSPNP (deferred)
f830b000 f832a000 SCSIPORT (deferred)
f832a000 f833b000 symmpi (deferred)
f833b000 f8357000 atapi (deferred)
f8357000 f8381000 volsnap (deferred)
f8381000 f83ad000 dmio (deferred)
f83ad000 f83d4000 ftdisk (deferred)
f83d4000 f83ea000 pci (deferred)
f83ea000 f841e000 ACPI (deferred)
f843f000 f8448000 WMILIB (deferred)
f844f000 f845e000 isapnp (deferred)
f845f000 f846c000 PCIIDEX (deferred)
f846f000 f847f000 MountMgr (deferred)
f847f000 f848a000 PartMgr (deferred)
f848f000 f849f000 disk (deferred)
f849f000 f84ab000 Dfs (deferred)
f84af000 f84bf000 agp440 (deferred)
f84bf000 f84c9000 crcdisk (deferred)
f84ef000 f84f8000 ndistapi (deferred)
f84ff000 f850a000 TDI (deferred)
f850f000 f851e000 termdd_f850f000 (deferred)
f851f000 f852c000 Npfs_f851f000 (deferred)
f852f000 f853e000 intelppm_f852f000 (deferred)
f853f000 f854d000 msgpc_f853f000 (deferred)
f854f000 f855c000 netbios_f854f000 (deferred)
f856f000 f8579000 mouclass_f856f000 (deferred)
f857f000 f858a000 ptilink_f857f000 (deferred)
f858f000 f859d000 NDProxy_f858f000 (deferred)
f859f000 f85aa000 fdc_f859f000 (deferred)
f85af000 f85b8000 vmdebug_f85af000 (deferred)
f85bf000 f85c8000 raspti (deferred)
f85cf000 f85da000 Msfs (deferred)
f85df000 f85ec600 vmci_f85df000 (deferred)
f85ef000 f85f9000 serenum_f85ef000 (deferred)
f85ff000 f860b000 vga (deferred)
f860f000 f8618000 watchdog_f860f000 (deferred)
f861f000 f8628000 ws2ifsl (deferred)
f862f000 f8638000 mssmbios_f862f000 (deferred)
f863f000 f8649000 kbdclass_f863f000 (deferred)
f864f000 f865c600 vmci (deferred)
f865f000 f866c000 wanarp (deferred)
f866f000 f8679000 flpydisk_f866f000 (deferred)
f867f000 f868e000 raspppoe (deferred)
f869f000 f86a8000 mssmbios (deferred)
f86af000 f86b8000 ws2ifsl_f86af000 (deferred)
f86bf000 f86c7000 kdcom (deferred)
f86c7000 f86cf000 BOOTVID (deferred)
f86cf000 f86d6000 intelide (deferred)
f86d7000 f86de000 dmload (deferred)
f871f000 f8724380 vmx_svga_f871f000 (deferred)
f8727000 f872b800 vmaudio_f8727000 (deferred)
f872f000 f8734380 vmx_svga (deferred)
f8737000 f873f000 fsvga_f8737000 (deferred)
f873f000 f8747000 audstub_f873f000 (deferred)
f874f000 f8757000 Fs_Rec_f874f000 (deferred)
f8757000 f875e000 Null_f8757000 (deferred)
f875f000 f8767000 mnmdd_f875f000 (deferred)
f8767000 f876f000 RDPCDD_f8767000 (deferred)
f876f000 f8777000 rasacd_f876f000 (deferred)
f8777000 f877f000 mnmdd (deferred)
f877f000 f8787000 RDPCDD (deferred)
f8787000 f878f000 rasacd (deferred)
f879f000 f87a6000 dxgthk_f879f000 (deferred)
f87b7000 f87be000 dxgthk (deferred)
f87ef000 f87f6000 parvdm (deferred)
f87f7000 f87fe000 parvdm_f87f7000 (deferred)
f884f000 f8851800 compbatt (deferred)
f8853000 f8856900 BATTC (deferred)
f8917000 f891a500 CmBatt_f8917000 (deferred)
f891f000 f8922500 CmBatt (deferred)
f894f000 f8950280 vmmouse (deferred)
f8951000 f8952280 vmmouse_f8951000 (deferred)
f8955000 f8956280 swenum (deferred)
f8959000 f895a280 swenum_f8959000 (deferred)
f8995000 f8996e00 vmmemctl_f8995000 (deferred)
f89ab000 f89ace00 vmmemctl (deferred)
f8adb000 f8adb740 giveio (no symbols)
Unloaded modules:
b9f6d000 b9f9d000 kmixer.sys
b9f5c000 b9f8c000 kmixer.sys
f87a7000 f87af000 drmkaud.sys
ba08d000 ba0bd000 kmixer.sys
ba0bd000 ba0cf000 DMusic.sys
ba0cf000 ba0e3000 swmidi.sys
ba0e3000 ba10b000 aec.sys
f8965000 f8967000 splitter.sys
f855f000 f856d000 imapi.sys
f8747000 f874f000 Sfloppy.SYS
1: kd> r
eax=0000000e ebx=00000000 ecx=00000000 edx=000001c8 esi=e15e75c6 edi=81d9b840
eip=f8a7e266 esp=f88a6c50 ebp=f88a6c88 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
f8a7e266 cc int 3
1: kd> t
f8a7e267 6870e4a7f8 push 0F8A7E470h
1: kd> t
f8a7e26c e8bf010000 call f8a7e430
1: kd> dc F8A7E470
f8a7e470 65766967 203a6f69 65746e45 676e6972 giveio: Entering
f8a7e480 69724420 45726576 7972746e 00000a0d DriverEntry....
f8a7e490 00720050 0063006f 00730065 00490073 P.r.o.c.e.s.s.I.
f8a7e4a0 00000064 00140012 f8a7e490 65766967 d...........give
f8a7e4b0 203a6f69 636f7250 20737365 203a4449 io: Process ID:
f8a7e4c0 0a0d5825 76696700 3a6f6965 52545020 %X...giveio: PTR
f8a7e4d0 52504b20 5345434f 25203a53 0d583830 KPROCESS: %08X.
f8a7e4e0 6967000a 6f696576 2f49203a 6570204f ..giveio: I/O pe
1: kd> .reload
Connected to Windows Server 2003 3800 x86 compatible target at (Thu Feb 4 15:52:13.329 2010 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
........................................
Loading User Symbols
Loading unloaded module list
..........
*** ERROR: Module load completed but symbols could not be loaded for giveio.sys
1: kd> r
eax=0000000e ebx=00000000 ecx=00000000 edx=000001c8 esi=e15e75c6 edi=81d9b840
eip=f8a7e26c esp=f88a6c4c ebp=f88a6c88 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
giveio+0x26c:
f8a7e26c e8bf010000 call giveio+0x430 (f8a7e430)
1: kd> u
giveio+0x26c:
f8a7e26c e8bf010000 call giveio+0x430 (f8a7e430)
f8a7e271 83c404 add esp,4
f8a7e274 c745fc820100c0 mov dword ptr [ebp-4],0C0000182h
f8a7e27b 8d4de4 lea ecx,[ebp-1Ch]
f8a7e27e c70118000000 mov dword ptr [ecx],18h
f8a7e284 83610400 and dword ptr [ecx+4],0
f8a7e288 83610c00 and dword ptr [ecx+0Ch],0
f8a7e28c 83611000 and dword ptr [ecx+10h],0
1: kd> t
giveio+0x430:
f8a7e430 ff2568e4a7f8 jmp dword ptr [giveio+0x468 (f8a7e468)]
1: kd> t
nt!DbgPrint:
80861f10 55 push ebp
Help:
f8a7e26c e8bf010000 call f8a7e430
Why can't I see DbgPrint here?
What's wrong with WinDbg?
Can somebody please help me?
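In your example, you only trace into the first couple of lines of the DbgPrint function, at which point the string hasn't been sent yet; use 'p' to step over the entire call and see what it prints. The disassembly shows `call giveio+0x430` rather than `call DbgPrint` because no symbols are loaded for giveio.sys; that address is an import thunk (`jmp dword ptr [giveio+0x468]`), and your own trace shows it landing in nt!DbgPrint.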
-r
f8aa23bc e84b000000 call giveio+0x40c (f8aa240c):
0: kd> t
giveio+0x3b4:
f8aa23b4 6800200000 push 2000h
0: kd> u
giveio+0x3b4:
f8aa23b4 6800200000 push 2000h
f8aa23b9 ff75cc push dword ptr [ebp-34h]
f8aa23bc e84b000000 call giveio+0x40c (f8aa240c)
f8aa23c1 eb14 jmp giveio+0x3d7 (f8aa23d7)
f8aa23c3 683425aaf8 push offset giveio+0x534 (f8aa2534)
f8aa23c8 e863000000 call giveio+0x430 (f8aa2430)
f8aa23cd 83c404 add esp,4
f8aa23d0 c745fc9a0000c0 mov dword ptr [ebp-4],0C000009Ah
0: kd> u f8aa240c
giveio+0x40c:
f8aa240c ff255024aaf8 jmp dword ptr [giveio+0x450 (f8aa2450)]
f8aa2412 ff255424aaf8 jmp dword ptr [giveio+0x454 (f8aa2454)]
f8aa2418 ff255824aaf8 jmp dword ptr [giveio+0x458 (f8aa2458)]
f8aa241e ff255c24aaf8 jmp dword ptr [giveio+0x45c (f8aa245c)]
f8aa2424 ff256024aaf8 jmp dword ptr [giveio+0x460 (f8aa2460)]
f8aa242a ff256424aaf8 jmp dword ptr [giveio+0x464 (f8aa2464)]
f8aa2430 ff256824aaf8 jmp dword ptr [giveio+0x468 (f8aa2468)]
f8aa2436 0000 add byte ptr [eax],al
0: kd> dd f8aa2450
f8aa2450 808f714a 80868808 809338e6 8082c02c
f8aa2460 8082c7d4 8082cc84 80861f10 00000000
f8aa2470 65766967 203a6f69 65746e45 676e6972
f8aa2480 69724420 45726576 7972746e 00000a0d
f8aa2490 00720050 0063006f 00730065 00490073
f8aa24a0 00000064 00140012 f8aa2490 65766967
f8aa24b0 203a6f69 636f7250 20737365 203a4449
f8aa24c0 0a0d5825 76696700 3a6f6965 52545020
0: kd> u 808f714a
nt!MmFreeNonCachedMemory [c:\wrk\wrk-v1.2\base\ntos\mm\iosup.c @ 12369]:
808f714a 55 push ebp
808f714b 8bec mov ebp,esp
808f714d 8b4508 mov eax,dword ptr [ebp+8]
808f7150 c1e80a shr eax,0Ah
808f7153 25fcff3f00 and eax,3FFFFCh
808f7158 56 push esi
808f7159 2d00000040 sub eax,40000000h
808f715e 57 push edi
0: kd>
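So the call at f8aa23bc goes through the import thunk at giveio+0x40c, whose slot at giveio+0x450 holds 808f714a; that is, it is: call nt!MmFreeNonCachedMemory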
so, i really hate WinDbg :(. oh my OllyDbg, i miss you so much...