
Debugging Notes: An MBR Case Study of the Multi-Point Restore Software 雨過天晴

               

 BY SUDAMI

To debug the boot code of the multi-point restore software 雨過天晴 (ygtq), there are currently two approaches:

Quote:
(1) Install Windows XP inside the Bochs debugger, then single-step it with Bochs. Installing the operating system alone, though, takes more than 20 hours.
(2) Clone the whole disk with WinHex and configure Bochs's *.bxrc file; use the cloned disk to debug the MBR.

Option 2 is simpler, so that is the one I chose. I installed 雨過天晴 on a clean VMware guest, cloned the whole disk with WinHex and brought it up in Bochs, only to find that it never entered ygtq's MBR at all but ran the original boot code. That is when I realized ygtq was playing tricks in its driver, redirecting reads and writes of the MBR, so I started analyzing. After several hours of fighting it, it finally worked. Below are some details of the debugging and analysis; I hope they are useful to you.

-----------------------------------------------------------------------

雨過天晴 intercepts read/write operations on disk sectors and relocates the MBR, so the MBR that WinHex reads is the original one, and Bochs therefore cannot be used to debug ygtq's boot code. The plan is to remove its hooks on disk.sys and atapi.sys in the debugger and only then clone the disk. In its dispatch routine, 雨過天晴's Shdbus.sys checks whether dispatch functions 0x4 and 0xf of disk.sys have been restored; if they have, it sets disk.sys's 0x4 & 0xf back to its own address and replaces all of atapi.sys's dispatch routines.

#define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
#define IRP_MJ_WRITE 0x04

Observed in WinDbg:

kd> !drvobj /driver/disk 3

Driver object (81b7df38) is for:
 /Driver/Disk
Driver Extension List: (id , addr)
(f99e33be 81b7dd38)
Device Object list:
81b7a7b0  81b7a030  81bc4030

DriverEntry:   f99d38ab    disk!GsDriverEntry
DriverStartIo: 00000000
DriverUnload:  f99e353a    CLASSPNP!ClassUnload
AddDevice:     f99e4ec0    CLASSPNP!ClassAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      f9785cd6    Shield+0x3cd6
[01] IRP_MJ_CREATE_NAMED_PIPE           f9785cd6    Shield+0x3cd6
[02] IRP_MJ_CLOSE                       f9785cd6    Shield+0x3cd6
[03] IRP_MJ_READ                        f9785cd6    Shield+0x3cd6
[04] IRP_MJ_WRITE                       f9785cd6    Shield+0x3cd6
[05] IRP_MJ_QUERY_INFORMATION           f9785cd6    Shield+0x3cd6
[06] IRP_MJ_SET_INFORMATION             f9785cd6    Shield+0x3cd6
[07] IRP_MJ_QUERY_EA                    f9785cd6    Shield+0x3cd6
[08] IRP_MJ_SET_EA                      f9785cd6    Shield+0x3cd6
[09] IRP_MJ_FLUSH_BUFFERS               f9785cd6    Shield+0x3cd6
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    f9785cd6    Shield+0x3cd6
[0b] IRP_MJ_SET_VOLUME_INFORMATION      f9785cd6    Shield+0x3cd6
[0c] IRP_MJ_DIRECTORY_CONTROL           f9785cd6    Shield+0x3cd6
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         f9785cd6    Shield+0x3cd6
[0e] IRP_MJ_DEVICE_CONTROL              f9785cd6    Shield+0x3cd6
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     f9785cd6    Shield+0x3cd6
[10] IRP_MJ_SHUTDOWN                    f9785cd6    Shield+0x3cd6
[11] IRP_MJ_LOCK_CONTROL                f9785cd6    Shield+0x3cd6
[12] IRP_MJ_CLEANUP                     f9785cd6    Shield+0x3cd6
[13] IRP_MJ_CREATE_MAILSLOT             f9785cd6    Shield+0x3cd6
[14] IRP_MJ_QUERY_SECURITY              f9785cd6    Shield+0x3cd6
[15] IRP_MJ_SET_SECURITY                f9785cd6    Shield+0x3cd6
[16] IRP_MJ_POWER                       f9785cd6    Shield+0x3cd6
[17] IRP_MJ_SYSTEM_CONTROL              f9785cd6    Shield+0x3cd6
[18] IRP_MJ_DEVICE_CHANGE               f9785cd6    Shield+0x3cd6
[19] IRP_MJ_QUERY_QUOTA                 f9785cd6    Shield+0x3cd6
[1a] IRP_MJ_SET_QUOTA                   f9785cd6    Shield+0x3cd6
[1b] IRP_MJ_PNP                         f99e2d15    CLASSPNP!ClassDispatchPnp

The original addresses and function names are as follows:

Dispatch routines:
[00] IRP_MJ_CREATE                      f7668c30    CLASSPNP!ClassCreateClose
[01] IRP_MJ_CREATE_NAMED_PIPE           804f5282    nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       f7668c30    CLASSPNP!ClassCreateClose
[03] IRP_MJ_READ                        f7662d9b    CLASSPNP!ClassReadWrite
[04] IRP_MJ_WRITE                       f7662d9b    CLASSPNP!ClassReadWrite              //
[05] IRP_MJ_QUERY_INFORMATION           804f5282    nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             804f5282    nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    804f5282    nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      804f5282    nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               f7663366    CLASSPNP!ClassShutdownFlush
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    804f5282    nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      804f5282    nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           804f5282    nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         804f5282    nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              f766344d    CLASSPNP!ClassDeviceControlDispatch
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     f7666fc3    CLASSPNP!ClassInternalIoControl      //
[10] IRP_MJ_SHUTDOWN                    f7663366    CLASSPNP!ClassShutdownFlush
[11] IRP_MJ_LOCK_CONTROL                804f5282    nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     804f5282    nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             804f5282    nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              804f5282    nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                804f5282    nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       f7664ef3    CLASSPNP!ClassDispatchPower
[17] IRP_MJ_SYSTEM_CONTROL              f7669a24    CLASSPNP!ClassSystemControl
[18] IRP_MJ_DEVICE_CHANGE               804f5282    nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 804f5282    nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   804f5282    nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         f7668d15    CLASSPNP!ClassDispatchPnp

Now patch the function address by hand in the debugger:

kd> ln CLASSPNP!ClassInternalIoControl
(f99e0fc3)   CLASSPNP!ClassInternalIoControl   |  (f99e0fc3)   CLASSPNP!ClassInternalIoControl
Exact matches:
    CLASSPNP!ClassInternalIoControl = <no type information>
kd> ed 81b7dfac f99e0fc3
kd> !drvobj /driver/disk 3
Driver object (81b7df38) is for:
 /Driver/Disk
Driver Extension List: (id , addr)
(f99e33be 81b7dd38)
Device Object list:
81b7a7b0  81b7a030  81bc4030

DriverEntry:   f99d38ab    disk!GsDriverEntry
DriverStartIo: 00000000
DriverUnload:  f99e353a    CLASSPNP!ClassUnload
AddDevice:     f99e4ec0    CLASSPNP!ClassAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      f9785cd6    Shield+0x3cd6
[01] IRP_MJ_CREATE_NAMED_PIPE           f9785cd6    Shield+0x3cd6
[02] IRP_MJ_CLOSE                       f9785cd6    Shield+0x3cd6
[03] IRP_MJ_READ                        f9785cd6    Shield+0x3cd6
[04] IRP_MJ_WRITE                       f9785cd6    Shield+0x3cd6
[05] IRP_MJ_QUERY_INFORMATION           f9785cd6    Shield+0x3cd6
[06] IRP_MJ_SET_INFORMATION             f9785cd6    Shield+0x3cd6
[07] IRP_MJ_QUERY_EA                    f9785cd6    Shield+0x3cd6
[08] IRP_MJ_SET_EA                      f9785cd6    Shield+0x3cd6
[09] IRP_MJ_FLUSH_BUFFERS               f9785cd6    Shield+0x3cd6
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    f9785cd6    Shield+0x3cd6
[0b] IRP_MJ_SET_VOLUME_INFORMATION      f9785cd6    Shield+0x3cd6
[0c] IRP_MJ_DIRECTORY_CONTROL           f9785cd6    Shield+0x3cd6
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         f9785cd6    Shield+0x3cd6
[0e] IRP_MJ_DEVICE_CONTROL              f9785cd6    Shield+0x3cd6
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     f99e0fc3    CLASSPNP!ClassInternalIoControl      // after the change
[10] IRP_MJ_SHUTDOWN                    f9785cd6    Shield+0x3cd6
[11] IRP_MJ_LOCK_CONTROL                f9785cd6    Shield+0x3cd6
[12] IRP_MJ_CLEANUP                     f9785cd6    Shield+0x3cd6
[13] IRP_MJ_CREATE_MAILSLOT             f9785cd6    Shield+0x3cd6
[14] IRP_MJ_QUERY_SECURITY              f9785cd6    Shield+0x3cd6
[15] IRP_MJ_SET_SECURITY                f9785cd6    Shield+0x3cd6
[16] IRP_MJ_POWER                       f9785cd6    Shield+0x3cd6
[17] IRP_MJ_SYSTEM_CONTROL              f9785cd6    Shield+0x3cd6
[18] IRP_MJ_DEVICE_CHANGE               f9785cd6    Shield+0x3cd6
[19] IRP_MJ_QUERY_QUOTA                 f9785cd6    Shield+0x3cd6
[1a] IRP_MJ_SET_QUOTA                   f9785cd6    Shield+0x3cd6
[1b] IRP_MJ_PNP                         f99e2d15    CLASSPNP!ClassDispatchPnp

Then set a breakpoint and watch:

kd> ba w 4 81b7dfac
kd> bl
 0 e 81b7dfac w 4 0001 (0001)
kd> g
Breakpoint 0 hit
Shdbus+0x56e:
f9ea056e a1200eeaf9      mov     eax,dword ptr [Shdbus+0xe20 (f9ea0e20)]
kd> kvn
 # ChildEBP RetAddr  Args to Child
00 f9e2fb3c 804eedf9 81b7d8b8 81b7c828 81731530 Shdbus+0x56e
01 f9e2fb4c f99dd061 81bc5000 81439500 81731530 nt!IopfCallDriver+0x31
02 81b7d8b8 00000000 81b7f888 81bd6040 81bc4030 CLASSPNP!SubmitTransferPacket+0x82
kd> !thread
THREAD 81bc4da8  Cid 0004.006c  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
DeviceMap                 e1006008
Owning Process            81bbd7c0       Image:         System
Wait Start TickCount      18821          Ticks: 3 (0:00:00:00.046)
Context Switch Count      12678
UserTime                  00:00:00.000
KernelTime                00:00:02.281
Start Address Shield (0xf9782886)
Stack Init f9e30000 Current f9e2fd38 Base f9e30000 Limit f9e2d000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child
f9e2fb3c 804eedf9 81b7d8b8 81b7c828 81731530 Shdbus+0x56e
f9e2fb4c f99dd061 81bc5000 81439500 81731530 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
81b7d8b8 00000000 81b7f888 81bd6040 81bc4030 CLASSPNP!SubmitTransferPacket+0x82 (FPO: [Non-Fpo])
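As an added example (not code from the original post or from 雨過天晴), the following script automates the check done by eye above and again later for atapi: it parses `!drvobj <driver> 3` output, flags dispatch entries whose symbol resolves to a module other than the ones that legitimately serve the driver (for the disk driver: CLASSPNP, disk and nt), and derives the `ed` target for each hooked slot from the driver object address the same way the write-up does (81b7df38 + 0x38 + 0x0f*4 = 81b7dfac). The sample text is constructed from the tables on this page; the trusted-module list and the original addresses passed in are assumptions the caller supplies (here the values resolved with `ln` in the write-up).

```python
import re

# 32-bit Windows XP layout (the write-up's target): DRIVER_OBJECT.MajorFunction[] starts at
# +0x38 with 4-byte entries, so MajorFunction[0x0f] of driver object 81b7df38 is 81b7dfac.
MAJOR_FUNCTION_OFFSET = 0x38
PTR_SIZE = 4

# Constructed sample in the format of "!drvobj <driver> 3"; addresses and symbols are those
# shown in the write-up (hooked entries resolve to Shield+0x3cd6 instead of CLASSPNP).
SAMPLE_DISK_DRVOBJ = """\
Driver object (81b7df38) is for:
Dispatch routines:
[03] IRP_MJ_READ                        f9785cd6    Shield+0x3cd6
[04] IRP_MJ_WRITE                       f9785cd6    Shield+0x3cd6
[0e] IRP_MJ_DEVICE_CONTROL              f766344d    CLASSPNP!ClassDeviceControlDispatch
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     f9785cd6    Shield+0x3cd6
[1b] IRP_MJ_PNP                         f99e2d15    CLASSPNP!ClassDispatchPnp
"""

DRVOBJ_RE = re.compile(r"^Driver object \(([0-9a-f]{8})\)")
ENTRY_RE = re.compile(r"^\[([0-9a-f]{2})\]\s+(IRP_MJ_\w+)\s+([0-9a-f]{8})\s+(\S+)")

def parse_drvobj(text):
    """Return (driver object address, dispatch entries) parsed from !drvobj output."""
    drvobj, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = DRVOBJ_RE.match(line)
        if m:
            drvobj = int(m.group(1), 16)
            continue
        m = ENTRY_RE.match(line)
        if m:
            idx, name, addr, sym = m.groups()
            # "CLASSPNP!ClassReadWrite" -> CLASSPNP, "Shield+0x3cd6" -> Shield
            module = sym.split("!")[0].split("+")[0]
            entries.append({"index": int(idx, 16), "name": name,
                            "addr": int(addr, 16), "symbol": sym, "module": module})
    return drvobj, entries

def find_hooked(entries, trusted_modules):
    """Entries whose handler resolves outside the modules that legitimately serve the driver.
    An inline hook placed inside a trusted module would not be caught by this check."""
    trusted = {m.lower() for m in trusted_modules}
    return [e for e in entries if e["module"].lower() not in trusted]

def slot_address(drvobj, index):
    """Address of MajorFunction[index] in the driver object: what the `ed` command targets."""
    return drvobj + MAJOR_FUNCTION_OFFSET + index * PTR_SIZE

def restore_commands(drvobj, hooked, originals):
    """WinDbg `ed` commands restoring each hooked slot whose original address (from `ln`) is known."""
    return ["ed %08x %08x" % (slot_address(drvobj, e["index"]), originals[e["name"]])
            for e in hooked if e["name"] in originals]
```

Running it on the constructed sample reports [03], [04] and [0f] as hooked and, given the `ln` results for ClassReadWrite and ClassInternalIoControl, emits `ed 81b7df7c f99dcd9b` and `ed 81b7dfac f99e0fc3`; the second is exactly the command used above.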
Open ygtq's boot0 driver shdbus.sys in IDA and go to +0x1056e, which is inside the dispatch function IrpInternalDeviceControl. The code is as follows (attachment: 1.jpg):

Code:

NTSTATUS IrpInternalDeviceControl(int DeviceObject, PIRP Irp)
{
  int DeviceExtension, srb, atapi_driver_object, disk_driver_object, srb_cdb, IoControlCode;
  HANDLE CurrentTID;
  PIO_STACK_LOCATION CurrentStackLocation;
  char OperationCode;

  DeviceExtension = *(DWORD *)(DeviceObject + 0x28);   // DEVICE_OBJECT.DeviceExtension
  CurrentTID = PsGetCurrentThreadId();
  PsGetCurrentProcessId();
  srb = 0;
  if ( g_disk_internal_device_control_dispatch )
  {
    disk_driver_object = *(DWORD *)(g_disk_device_object + 8);   // DEVICE_OBJECT.DriverObject
    // +0x74 = MajorFunction[0x0f], +0x48 = MajorFunction[0x04] (the table starts at +0x38)
    if ( *(DWORD *)(disk_driver_object + 0x74) != g_disk_internal_device_control_dispatch
      || *(DWORD *)(disk_driver_object + 0x48) != g_disk_internal_device_control_dispatch )
    {
      //
      // #define IRP_MJ_INTERNAL_DEVICE_CONTROL    0x0f
      // #define IRP_MJ_SCSI                       0x0f
      // 雨過天晴 keeps checking its own hooks and restoring them. Two programs looping at
      // the same point, each checking and restoring its own hook, make the system extremely
      // slow after boot; on top of that 雨過天晴 terminates the system thread competing with
      // it, which throws the system into an error: BSOD.
      //
      *(DWORD *)(disk_driver_object + 0x74) = g_disk_internal_device_control_dispatch;
      *(DWORD *)(disk_driver_object + 0x48) = g_disk_internal_device_control_dispatch;
      // When disk's dispatch routine passes the IRP down, offset +0x008 of its device
      // extension is atapi.sys's device object; 雨過天晴 verifies that here.
      if ( *(DWORD *)(DeviceExtension + 8) == g_atapi_device_object )
      {
        if ( g_allowed_TID_1_0000006c
          && CurrentTID != *(HANDLE *)g_allowed_TID_1_0000006c
          && g_allowed_TID_2_ffffffff
          && CurrentTID != *(HANDLE *)g_allowed_TID_2_ffffffff
          && g_allowed_TID_3_00000070
          && CurrentTID != *(HANDLE *)g_allowed_TID_3_00000070
          && g_allowed_TID_4_00000240
          && CurrentTID != *(HANDLE *)g_allowed_TID_4_00000240 )
        {
          // Anything that is not one of the above 4 system threads gets terminated by
          // 雨過天晴, and the current IRP is prevented from going down. Hence the BSOD.
          ZwTerminateProcess((HANDLE)0xFFFFFFFF, 0);   // (HANDLE)-1 is NtCurrentProcess()
denny:
          Irp->IoStatus.Status = 0;
          IofCompleteRequest(Irp, 0);
          return 0;
        }
      }
    }
    atapi_driver_object = *(DWORD *)(g_atapi_device_object + 8);
    // Re-install the hook on atapi.sys's dispatch routines here. The memset is the
    // decompiler's rendering: 0x6C bytes from +0x38 cover MajorFunction[0x00..0x1a],
    // all of which are pointed at the proxy.
    if ( *(DWORD *)(atapi_driver_object + 0x74) != (DWORD)atapi_Proxy_dispatch )
      memset((void *)(atapi_driver_object + 0x38), (int)atapi_Proxy_dispatch, 0x6Cu);
  }
  CurrentStackLocation = Irp->Tail.Overlay.CurrentStackLocation;
  IoControlCode = *((DWORD *)CurrentStackLocation + 3);   // Parameters.DeviceIoControl.IoControlCode
  srb_cdb = 0;
  if ( IoControlCode == 0x1B0012 || IoControlCode == 0x1B0011 )   // IOCTL_SCSI_EXECUTE_OUT / IOCTL_SCSI_EXECUTE_IN
  {
    srb = *((DWORD *)CurrentStackLocation + 1);   // Parameters.Scsi.Srb
    srb_cdb = srb + 0x30;                         // SCSI_REQUEST_BLOCK.Cdb
  }
  if ( *(DWORD *)(DeviceExtension + 8) == g_atapi_device_object )
  {
    if ( g_allowed_TID_1_0000006c )
    {
      if ( CurrentTID != *(HANDLE *)g_allowed_TID_1_0000006c )
      {
        if ( !g_allowed_TID_2_ffffffff || CurrentTID != *(HANDLE *)g_allowed_TID_2_ffffffff )
        {
          if ( !g_allowed_TID_3_00000070 || CurrentTID != *(HANDLE *)g_allowed_TID_3_00000070 )
          {
            if ( !g_allowed_TID_4_00000240 || CurrentTID != *(HANDLE *)g_allowed_TID_4_00000240 )
            {
              if ( srb )
              {
                if ( !*(BYTE *)(srb + 2) )   // SRB.Function == SRB_FUNCTION_EXECUTE_SCSI
                {
                  if ( srb_cdb )
                  {
                    OperationCode = *(BYTE *)srb_cdb;   // CDB[0], the SCSI opcode
                    if ( *(BYTE *)srb_cdb == SCSIOP_WRITE
                      || OperationCode == SCSIOP_SEND
                      || OperationCode == SCSIOP_FLUSH_BUFFER
                      || OperationCode == SCSIOP_WRITE_VERIFY
                      || OperationCode == SCSIOP_READ
                      || OperationCode == SCSIOP_RECEIVE )
                      goto denny;   // read/write from a foreign thread: completed here, never reaches atapi
                  }
                }
              }
            }
          }
        }
      }
    }
  }
  return IrpReadWrite_dep(DeviceObject, Irp);
}

(1) Now change the jnz to jmp in the debugger: 0F 84 -> 90 E9 (attachment: 1.GIF).

(2) From the preliminary analysis, 雨過天晴 does its filtering roughly at the Disk.sys / Atapi.sys layer. To verify this, after restoring its hooks I wrote a program of my own that bypasses the file system layer, builds an IRP and sends it to DR0 to read the MBR, to see whether that succeeds. So I now have to restore Disk.sys's IRP_MJ_READ & IRP_MJ_INTERNAL_DEVICE_CONTROL routines and Atapi.sys's IRP_MJ_INTERNAL_DEVICE_CONTROL routine. (Because my program builds the IRP itself, fills in major function 0xf, isl->MajorFunction = IRP_MJ_SCSI, and sends it to the DR0 device, the IRP on its way down calls the dispatch routine of the driver object that owns DR0, i.e. Disk.sys's 0xf dispatch routine rather than IRP_MJ_READ; so given how my program works it is Disk.sys's IRP_MJ_INTERNAL_DEVICE_CONTROL routine that has to be restored.)

kd> ln CLASSPNP!ClassInternalIoControl
(f99e0fc3)   CLASSPNP!ClassInternalIoControl   |  (f99e0fc3)   CLASSPNP!ClassInternalIoControl
Exact matches:
    CLASSPNP!ClassInternalIoControl = <no type information>
kd> ln CLASSPNP!ClassReadWrite
(f99dcd9b)   CLASSPNP!ClassReadWrite   |  (f99dcd9b)   CLASSPNP!ClassReadWrite
Exact matches:
    CLASSPNP!ClassReadWrite = <no type information>
kd> ed 81b7df38+0x38+0x3c f99e0fc3
kd> ed 81b7df38+0x38+0xc f99dcd9b
kd> !drvobj /driver/disk 3
…
Dispatch routines:
[00] IRP_MJ_CREATE                      f9785cd6    Shield+0x3cd6
[01] IRP_MJ_CREATE_NAMED_PIPE           f9785cd6    Shield+0x3cd6
[02] IRP_MJ_CLOSE                       f9785cd6    Shield+0x3cd6
[03] IRP_MJ_READ                        f99dcd9b    CLASSPNP!ClassReadWrite
[04] IRP_MJ_WRITE                       f9785cd6    Shield+0x3cd6
…
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     f99e0fc3    CLASSPNP!ClassInternalIoControl
…

The original Atapi.sys dispatch routines are as follows:

Dispatch routines:
[00] IRP_MJ_CREATE                      bae6d572    atapi!IdePortAlwaysStatusSuccessIrp
[01] IRP_MJ_CREATE_NAMED_PIPE           804f5282    nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       bae6d572    atapi!IdePortAlwaysStatusSuccessIrp
[03] IRP_MJ_READ                        804f5282    nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       804f5282    nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           804f5282    nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             804f5282    nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    804f5282    nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      804f5282    nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               804f5282    nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    804f5282    nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      804f5282    nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           804f5282    nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         804f5282    nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              bae6d592    atapi!IdePortDispatchDeviceControl
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     bae697b4    atapi!IdePortDispatch
[10] IRP_MJ_SHUTDOWN                    804f5282    nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                804f5282    nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     804f5282    nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             804f5282    nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              804f5282    nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                804f5282    nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       bae6d5bc    atapi!IdePortDispatchPower
[17] IRP_MJ_SYSTEM_CONTROL              bae74164    atapi!IdePortDispatchSystemControl
[18] IRP_MJ_DEVICE_CHANGE               804f5282    nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 804f5282    nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   804f5282    nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         bae74130    atapi!IdePortDispatchPnp

kd> ln atapi!IdePortDispatch
(f97d87b4)   atapi!IdePortDispatch   |  (f97d8ccc)   atapi!IdePortTickHandler
Exact matches:
    atapi!IdePortDispatch = <no type information>
kd> ed 81b87b30+0x38+0x3c f97d87b4
kd> !drvobj /driver/atapi 3
Driver object (81b87b30) is for:
 /Driver/atapi
Driver Extension List: (id , addr)
(f97e68d8 81bef140)
Device Object list:
81b7e030  81b872f8  81b85030  81b86030

DriverEntry:   f97e75f7    atapi!GsDriverEntry
DriverStartIo: f97d97c6    atapi!IdePortStartIo
DriverUnload:  f97e3204    atapi!IdePortUnload
AddDevice:     f97e1300    atapi!ChannelAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      f97dc572    atapi!IdePortAlwaysStatusSuccessIrp
[01] IRP_MJ_CREATE_NAMED_PIPE           f9ea0c14    Shdbus+0xc14
[02] IRP_MJ_CLOSE                       f9ea0c14    Shdbus+0xc14
[03] IRP_MJ_READ                        f9ea0c14    Shdbus+0xc14
[04] IRP_MJ_WRITE                       f9ea0c14    Shdbus+0xc14
[05] IRP_MJ_QUERY_INFORMATION           f9ea0c14    Shdbus+0xc14
[06] IRP_MJ_SET_INFORMATION             f9ea0c14    Shdbus+0xc14
[07] IRP_MJ_QUERY_EA                    f9ea0c14    Shdbus+0xc14
[08] IRP_MJ_SET_EA                      f9ea0c14    Shdbus+0xc14
[09] IRP_MJ_FLUSH_BUFFERS               f9ea0c14    Shdbus+0xc14
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    f9ea0c14    Shdbus+0xc14
[0b] IRP_MJ_SET_VOLUME_INFORMATION      f9ea0c14    Shdbus+0xc14
[0c] IRP_MJ_DIRECTORY_CONTROL           f9ea0c14    Shdbus+0xc14
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         f9ea0c14    Shdbus+0xc14
[0e] IRP_MJ_DEVICE_CONTROL              f9ea0c14    Shdbus+0xc14
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     f97d87b4    atapi!IdePortDispatch
[10] IRP_MJ_SHUTDOWN                    f9ea0c14    Shdbus+0xc14
[11] IRP_MJ_LOCK_CONTROL                f9ea0c14    Shdbus+0xc14
[12] IRP_MJ_CLEANUP                     f9ea0c14    Shdbus+0xc14
[13] IRP_MJ_CREATE_MAILSLOT             f9ea0c14    Shdbus+0xc14
[14] IRP_MJ_QUERY_SECURITY              f9ea0c14    Shdbus+0xc14
[15] IRP_MJ_SET_SECURITY                f9ea0c14    Shdbus+0xc14
[16] IRP_MJ_POWER                       f9ea0c14    Shdbus+0xc14
[17] IRP_MJ_SYSTEM_CONTROL              f9ea0c14    Shdbus+0xc14
[18] IRP_MJ_DEVICE_CHANGE               f9ea0c14    Shdbus+0xc14
[19] IRP_MJ_QUERY_QUOTA                 f9ea0c14    Shdbus+0xc14
[1a] IRP_MJ_SET_QUOTA                   f9ea0c14    Shdbus+0xc14
[1b] IRP_MJ_PNP                         f9ea0c14    Shdbus+0xc14

(3) It finally succeeded after the following three steps.
Step 1: disable the loop protection ygtq keeps over the disk & atapi dispatch routines.
Step 2: restore the 0xf dispatch routines of disk.sys and atapi.sys.
Step 3: build an IRP myself and send it to the DR0 device object,
