понедельник, 25 февраля 2013 г.

HW_INITIALIZATION_DATA in storport driver extensions

Function StorPortInitialize has struct HW_INITIALIZATION_DATA as third args, but where this structure is stored ?
Run wincheck.exe -alldrv -dext -f dext.log and see dext.log for storport.sys driver extensions:


Driver \Driver\LSI_SCSI extensions:
 8389AA78 Key 80738711 \SystemRoot\system32\drivers\storport.sys
Check address 8389AA78 in windbg:

воскресенье, 24 февраля 2013 г.

HW_INITIALIZATION_DATA in scsiport driver extensions

Function ScsiPortInitialize has struct HW_INITIALIZATION_DATA as third args, but where this structure is stored ?
Run wincheck.exe -alldrv -dext -f dext.log and see dext.log for scsiport.sys driver extensions:
Driver \Driver\viamraid extensions:
 8658FAC0 Key F7415F74 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

пятница, 22 февраля 2013 г.

wincheck rc8.41

Download mirror
Changelog:
  • add -dext option to dump all driver extensions
  • add checking of  (Fdo|Pdo)PnpDispatchTable, (Fdo|Pdo)PowerDispatchTable & (Fdo|Pdo)WmiDispatchTable in pciidex.sys
  • checking of CLASS_DRIVER_EXTENSION now works under w2k
  • some other bugs were fixed

среда, 13 февраля 2013 г.

wincheck rc8.40

Download mirror

Add checking & dumping of CLASS_INIT_DATA & CLASS_DRIVER_EXTENSION. Output sample:
Driver Disk DrvObj FFFFFA8007F15640:
...
CLASS_DRIVER_EXTENSION: FFFFFA8007F15090
 Fdo.ClassError: FFFFF88001B4F430 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassReadWriteVerification: FFFFF88001B4F010 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassDeviceControl: FFFFF88001B4F1F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassShutdownFlush: FFFFF88001B57010 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassInitDevice:    FFFFF88001B5DCE0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassStartDevice:   FFFFF88001B5C4F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassPowerDevice:   FFFFF88001B4FA94 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassStopDevice:    FFFFF88001B503F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassRemoveDevice:  FFFFF88001B5AF10 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassQueryWmiRegInfo:   FFFFF88001B57B60 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassQueryWmiDataBlock: FFFFF88001B5C9D0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassSetWmiDataBlock:   FFFFF88001B5C7F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassSetWmiDataItem:   FFFFF88001B58850 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassExecuteWmiMethod: FFFFF88001B5D3A0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassWmiFunctionControl: FFFFF88001B5D900 \SystemRoot\system32\DRIVERS\disk.sys
 ClassAddDevice: FFFFF88001B5B000 \SystemRoot\system32\DRIVERS\disk.sys
 ClassUnload:  FFFFF88001B5AD10 \SystemRoot\system32\DRIVERS\disk.sys
 

пятница, 8 февраля 2013 г.

wincheck rc8.39

Download mirror
Changelog:
  • add checking of callbacks registered with IoRegisterIoTracking (w8 only)
  • add checking of advapi32.dll!g_ActivationStateCallback
  • lots of GUID names was added for PoRegisterPowerSettingCallback
  • fixed error "Cannot resolve WdfFunctions for tpm.sys"
  • some other bugs were fixed