Hello all,

IoCompleteRequest is one of the most frequently used routines in driver
development, so I wanted to dig into its implementation by disassembling
it with WinDBG. The disassembled code is as follows. The target machine is
running Windows XP + SP2.

================== Code Begin ==================

kd> u IoCompleteRequest
nt!IoCompleteRequest:
8052efc1 8bff mov edi,edi
8052efc3 55 push ebp
8052efc4 8bec mov ebp,esp
8052efc6 8a550c mov dl,[ebp+0xc]
8052efc9 8b4d08 mov ecx,[ebp+0x8]
8052efcc ff15043e5580 call dword ptr [nt!pIofCompleteRequest (80553e04)]
8052efd2 5d pop ebp
8052efd3 c20800 ret 0x8
kd> u 80553e04
nt!pIofCompleteRequest:
80553e04 95 xchg eax,ebp
80553e05 51 push ecx
80553e06 4e dec esi
80553e07 80f89c cmp al,0x9c
80553e0a 4e dec esi
80553e0b 80389c cmp byte ptr [eax],0x9c
80553e0e 4e dec esi
80553e0f 800000 add byte ptr [eax],0x0
kd> u
nt!IopPostPadding+0x2:
80553e12 0000 add [eax],al
80553e14 0000 add [eax],al
80553e16 0000 add [eax],al
80553e18 0000 add [eax],al
80553e1a 0000 add [eax],al
80553e1c 0000 add [eax],al
80553e1e 0000 add [eax],al
80553e20 0000 add [eax],al

================== Code End ==================

As shown above, IoCompleteRequest is implemented by
pIofCompleteRequest located at 0x80553e04. However, the disassembled code
does not look like a normal routine, because it has no ret
instruction.

What's the cause?

Re: A very weird problem on IoCompleteRequest()'s unassembled code! by Don

Don
Fri Aug 31 05:20:08 PDT 2007

You are disassembling things wrong, IoCompleteRequest does a call through a
pointer so that either the internal code or a version with the verifier
runs. Try single stepping through a call from your driver.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"xmllmx" <xmllmx@gmail.com> wrote in message
news:1188561871.918879.55490@i38g2000prf.googlegroups.com...
> Hello all,
>
> IoCompleteRequest is one of the most frequently used routines in driver
> development, so I wanted to dig into its implementation by disassembling
> it with WinDBG. The disassembled code is as follows. The target machine is
> running Windows XP + SP2.
>
> ================== Code Begin ==================
>
> kd> u IoCompleteRequest
> nt!IoCompleteRequest:
> 8052efc1 8bff mov edi,edi
> 8052efc3 55 push ebp
> 8052efc4 8bec mov ebp,esp
> 8052efc6 8a550c mov dl,[ebp+0xc]
> 8052efc9 8b4d08 mov ecx,[ebp+0x8]
> 8052efcc ff15043e5580 call dword ptr [nt!pIofCompleteRequest (80553e04)]
> 8052efd2 5d pop ebp
> 8052efd3 c20800 ret 0x8
> kd> u 80553e04
> nt!pIofCompleteRequest:
> 80553e04 95 xchg eax,ebp
> 80553e05 51 push ecx
> 80553e06 4e dec esi
> 80553e07 80f89c cmp al,0x9c
> 80553e0a 4e dec esi
> 80553e0b 80389c cmp byte ptr [eax],0x9c
> 80553e0e 4e dec esi
> 80553e0f 800000 add byte ptr [eax],0x0
> kd> u
> nt!IopPostPadding+0x2:
> 80553e12 0000 add [eax],al
> 80553e14 0000 add [eax],al
> 80553e16 0000 add [eax],al
> 80553e18 0000 add [eax],al
> 80553e1a 0000 add [eax],al
> 80553e1c 0000 add [eax],al
> 80553e1e 0000 add [eax],al
> 80553e20 0000 add [eax],al
>
> ================== Code End ==================
>
> As shown above, IoCompleteRequest is implemented by
> pIofCompleteRequest located at 0x80553e04. However, the disassembled code
> does not look like a normal routine, because it has no ret
> instruction.
>
> What's the cause?
>



Re: A very weird problem on IoCompleteRequest()'s unassembled code! by xmllmx

xmllmx
Fri Aug 31 05:31:00 PDT 2007

On Aug 31, 8:20 pm, "Don Burn" <b...@stopspam.windrvr.com> wrote:
> You are disassembling things wrong, IoCompleteRequest does a call through a
> pointer so that either the internal code or a version with the verifier
> runs. Try single stepping through a call from your driver.
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>

What a stupid error!

Thank you very much, Don.


Re: A very weird problem on IoCompleteRequest()'s unassembled code! by Vladimir

Vladimir
Fri Aug 31 05:30:42 PDT 2007

nt!pIofCompleteRequest is a global variable. It's a pointer to a function.

kd> dd nt!pIofCompleteRequest
805a7804 8077c6a8 8077c536 8077c022 00000000
805a7814 00000000 00000000 00000000 00000000
805a7824 00000000 00000000 00000000 00000000
805a7834 00000000 00000000 00000000 00000000
805a7844 00000000 00000000 00000000 00000000
805a7854 00000000 00000000 00000000 00000000
805a7864 00000000 00000000 00000000 00000000
805a7874 00000000 00000000 00000000 00000000

kd> ln 8077c6a8
(8077c6a8) nt!IovCompleteRequest | (8077c7d6) nt!IovUnloadDrivers
Exact matches:
nt!IovCompleteRequest = <no type information>

--
Best regards,
Vladimir Zinin
mailto:vzinin@gmail.com


xmllmx wrote:
> Hello all,
>
> IoCompleteRequest is one of the most frequently used routines in driver
> development, so I wanted to dig into its implementation by disassembling
> it with WinDBG. The disassembled code is as follows. The target machine is
> running Windows XP + SP2.
>
> ================== Code Begin ==================
>
> kd> u IoCompleteRequest
> nt!IoCompleteRequest:
> 8052efc1 8bff mov edi,edi
> 8052efc3 55 push ebp
> 8052efc4 8bec mov ebp,esp
> 8052efc6 8a550c mov dl,[ebp+0xc]
> 8052efc9 8b4d08 mov ecx,[ebp+0x8]
> 8052efcc ff15043e5580 call dword ptr [nt!pIofCompleteRequest (80553e04)]
> 8052efd2 5d pop ebp
> 8052efd3 c20800 ret 0x8
> kd> u 80553e04
> nt!pIofCompleteRequest:
> 80553e04 95 xchg eax,ebp
> 80553e05 51 push ecx
> 80553e06 4e dec esi
> 80553e07 80f89c cmp al,0x9c
> 80553e0a 4e dec esi
> 80553e0b 80389c cmp byte ptr [eax],0x9c
> 80553e0e 4e dec esi
> 80553e0f 800000 add byte ptr [eax],0x0
> kd> u
> nt!IopPostPadding+0x2:
> 80553e12 0000 add [eax],al
> 80553e14 0000 add [eax],al
> 80553e16 0000 add [eax],al
> 80553e18 0000 add [eax],al
> 80553e1a 0000 add [eax],al
> 80553e1c 0000 add [eax],al
> 80553e1e 0000 add [eax],al
> 80553e20 0000 add [eax],al
>
> ================== Code End ==================
>
> As shown above, IoCompleteRequest is implemented by
> pIofCompleteRequest located at 0x80553e04. However, the disassembled code
> does not look like a normal routine, because it has no ret
> instruction.
>
> What's the cause?
>
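
As an added illustration of Vladimir's point (example code written for this page, not anything posted in the thread): the opcode column of the original `u 80553e04` listing is exactly the memory WinDbg tried to decode as instructions. Regrouped as little-endian dwords, those bytes read as three kernel-range values followed by zeros, the same shape as the `dd nt!pIofCompleteRequest` output in the reply above, whereas the bytes of the real IoCompleteRequest body do not. The kernel address range used by `looks_like_pointer_table` (0x80000000 and up, the usual user/kernel split for 32-bit XP) is an assumption of this example, and the listings are embedded here as constructed input copied from the thread.

```python
import re
import struct

# Constructed input: the `u 80553e04` listing from the original post
# (address, opcode bytes, mnemonic per line), copied from the thread.
U_LISTING = """\
80553e04 95 xchg eax,ebp
80553e05 51 push ecx
80553e06 4e dec esi
80553e07 80f89c cmp al,0x9c
80553e0a 4e dec esi
80553e0b 80389c cmp byte ptr [eax],0x9c
80553e0e 4e dec esi
80553e0f 800000 add byte ptr [eax],0x0
80553e12 0000 add [eax],al
80553e14 0000 add [eax],al
80553e16 0000 add [eax],al
80553e18 0000 add [eax],al
"""

# Constructed input: the `u IoCompleteRequest` listing from the original
# post, i.e. genuine machine code, used here as the counter-example.
CODE_LISTING = """\
8052efc1 8bff mov edi,edi
8052efc3 55 push ebp
8052efc4 8bec mov ebp,esp
8052efc6 8a550c mov dl,[ebp+0xc]
8052efc9 8b4d08 mov ecx,[ebp+0x8]
8052efcc ff15043e5580 call dword ptr [nt!pIofCompleteRequest (80553e04)]
8052efd2 5d pop ebp
8052efd3 c20800 ret 0x8
"""

# Constructed input: the `dd nt!pIofCompleteRequest` listing from Vladimir's
# reply (a different kernel build, hence the different addresses).
DD_LISTING = """\
805a7804 8077c6a8 8077c536 8077c022 00000000
805a7814 00000000 00000000 00000000 00000000
"""

U_LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\S.*)$")
DD_LINE_RE = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{8})+)$")


def bytes_from_u_listing(listing):
    """Rebuild the contiguous byte stream behind a WinDbg `u` listing.

    The opcode column is what the disassembler actually read from memory.
    Addresses must be contiguous (addr + len(bytes) == next addr); a gap
    means the lines did not come from one run and we refuse to stitch them.
    """
    out = bytearray()
    expected = None
    for line in listing.splitlines():
        m = U_LINE_RE.match(line.strip())
        if not m:
            continue
        addr, code = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if expected is not None and addr != expected:
            raise ValueError(f"gap at {addr:08x}, expected {expected:08x}")
        out += code
        expected = addr + len(code)
    return bytes(out)


def dwords_from_bytes(data):
    """Reinterpret raw bytes as little-endian 32-bit values, as `dd` shows them."""
    usable = len(data) - len(data) % 4
    return list(struct.unpack("<%dI" % (usable // 4), data[:usable]))


def dwords_from_dd_listing(listing):
    """Parse the value columns of a WinDbg `dd` listing."""
    values = []
    for line in listing.splitlines():
        m = DD_LINE_RE.match(line.strip())
        if m:
            values += [int(v, 16) for v in m.group(2).split()]
    return values


def looks_like_pointer_table(dwords, lo=0x80000000, hi=0xFFFFFFFF):
    """Heuristic (an assumption of this example, not from the thread): a run of
    values inside the 32-bit kernel range [lo, hi] followed only by zeros is
    the shape of a function-pointer table rather than of machine code."""
    first_zero = dwords.index(0) if 0 in dwords else len(dwords)
    entries, tail = dwords[:first_zero], dwords[first_zero:]
    return bool(entries) and all(lo <= d <= hi for d in entries) and not any(tail)


if __name__ == "__main__":
    slot = dwords_from_bytes(bytes_from_u_listing(U_LISTING))
    body = dwords_from_bytes(bytes_from_u_listing(CODE_LISTING))
    print("pIofCompleteRequest bytes as dwords:", [f"{w:08x}" for w in slot])
    print("IoCompleteRequest bytes as dwords:  ", [f"{w:08x}" for w in body])
    print("Vladimir's dd values:               ",
          [f"{w:08x}" for w in dwords_from_dd_listing(DD_LISTING)])
    print("slot looks like a pointer table:", looks_like_pointer_table(slot))
    print("body looks like a pointer table:", looks_like_pointer_table(body))
```

Inside the debugger the equivalent check is to dump the slot with `dd` and disassemble the value it holds (`u poi(nt!pIofCompleteRequest)`) rather than the slot's own address; the script only makes visible why the first approach produced the nonsense instructions in the original post.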