A forum for reverse engineering, OS internals and malware analysis 

 #11673  by sima
 Fri Feb 17, 2012 10:32 pm
Hey, guys! Need your help. I am writing a tool for raw reading/writing of data from/to disk using DeviceIoControl with IOCTL_SCSI_PASS_THROUGH_DIRECT, and have the following problem: when I tested it on a real machine it works fine, but on a VMware virtual machine it does not work correctly. There are no errors, but the buffer that should contain the read data is not filled. It contains zeroes (I zero it before passing it to the driver). I tried using a physical drive volume as the virtual machine drive (a feature of VMware), but it was unsuccessful. Maybe you have any idea about solving this problem?
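As an added example, not sima's tool and not code from this thread, the C below sets up the READ(10) request the post describes and then inspects the fields a silent failure actually shows up in: ScsiStatus, the updated DataTransferLength and the sense buffer, since a successful DeviceIoControl return only says the IOCTL reached the port driver, not that the target moved any bytes. The function and type names, the 32-byte sense buffer, 512-byte sectors and the \\.\PhysicalDrive0 path are this example's own assumptions; the Windows section compiles only with the SDK's ntddscsi.h, the rest is plain C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one pass-through request, derived from the fields the port
 * driver fills in after DeviceIoControl returns (names are this example's). */
typedef enum {
    SPT_OK = 0,          /* GOOD status and the full byte count moved */
    SPT_SHORT_TRANSFER,  /* GOOD status but fewer bytes than requested */
    SPT_CHECK_CONDITION, /* target reported an error; look at the sense key */
    SPT_OTHER_STATUS     /* BUSY, RESERVATION CONFLICT, ... */
} spt_outcome;

/* Build a READ(10) CDB: opcode 0x28, big-endian LBA in bytes 2..5,
 * big-endian block count in bytes 7..8. */
void build_read10_cdb(uint8_t *cdb, uint32_t lba, uint16_t blocks)
{
    memset(cdb, 0, 10);
    cdb[0] = 0x28;
    cdb[2] = (uint8_t)(lba >> 24); cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);  cdb[5] = (uint8_t)lba;
    cdb[7] = (uint8_t)(blocks >> 8); cdb[8] = (uint8_t)blocks;
}

/* Sense key from a returned sense buffer: byte 2 for fixed format
 * (response code 0x70/0x71), byte 1 for descriptor format (0x72/0x73).
 * 0xFF means no usable sense data came back. */
uint8_t sense_key_of(const uint8_t *sense, size_t len)
{
    if (sense == NULL || len < 3) return 0xFF;
    uint8_t code = sense[0] & 0x7F;
    if (code == 0x70 || code == 0x71) return sense[2] & 0x0F;
    if (code == 0x72 || code == 0x73) return sense[1] & 0x0F;
    return 0xFF;
}

/* Whether the target moved any data is in ScsiStatus and the updated
 * DataTransferLength; an all-zero buffer with no Win32 error hides exactly that. */
spt_outcome classify_pass_through(uint8_t scsi_status, uint32_t transferred,
                                  uint32_t requested)
{
    if (scsi_status == 0x02) return SPT_CHECK_CONDITION;
    if (scsi_status != 0x00) return SPT_OTHER_STATUS;
    if (transferred < requested) return SPT_SHORT_TRANSFER;
    return SPT_OK;
}

/* The symptom from the post: the pre-zeroed buffer is still all zero. */
int buffer_all_zero(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>

/* Header plus a sense buffer behind it, as the IOCTL expects. */
typedef struct {
    SCSI_PASS_THROUGH_DIRECT sptd;
    ULONG pad;        /* keeps the sense buffer aligned */
    UCHAR sense[32];
} sptd_with_sense;

/* Read `blocks` 512-byte sectors at `lba` from e.g. "\\\\.\\PhysicalDrive0"
 * (the Win32 name of \Device\Harddisk0\DR0). `buf` must meet the adapter's
 * DMA alignment; a page-aligned VirtualAlloc buffer does. Returns -1 on a
 * Win32 failure, otherwise an spt_outcome. */
int read_sectors_direct(const char *drive, uint32_t lba, uint16_t blocks,
                        void *buf, uint32_t *transferred, uint8_t *sense_key)
{
    HANDLE h = CreateFileA(drive, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    sptd_with_sense req;
    memset(&req, 0, sizeof req);
    req.sptd.Length             = sizeof(SCSI_PASS_THROUGH_DIRECT);
    req.sptd.CdbLength          = 10;
    req.sptd.SenseInfoLength    = sizeof req.sense;
    req.sptd.DataIn             = SCSI_IOCTL_DATA_IN;
    req.sptd.DataTransferLength = (ULONG)blocks * 512;
    req.sptd.TimeOutValue       = 10;
    req.sptd.DataBuffer         = buf;
    req.sptd.SenseInfoOffset    = offsetof(sptd_with_sense, sense);
    build_read10_cdb(req.sptd.Cdb, lba, blocks);
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_SCSI_PASS_THROUGH_DIRECT, &req, sizeof req,
                              &req, sizeof req, &returned, NULL);
    DWORD err = ok ? 0 : GetLastError();
    CloseHandle(h);
    if (!ok) { fprintf(stderr, "DeviceIoControl failed: %lu\n", err); return -1; }
    *transferred = req.sptd.DataTransferLength;
    *sense_key   = sense_key_of(req.sense, sizeof req.sense);
    return classify_pass_through(req.sptd.ScsiStatus, *transferred, (ULONG)blocks * 512);
}
#endif
```

Comparing the three fields on host and guest narrows the problem down before any kernel debugging: DataTransferLength dropping to 0 with status GOOD means the request completed without data below the class driver, while CHECK CONDITION with sense key 0x05 (ILLEGAL REQUEST) means the CDB or buffer was rejected. The DIRECT variant also requires the data buffer to satisfy the adapter's alignment mask (IOCTL_STORAGE_QUERY_PROPERTY with StorageAdapterProperty reports it), which is why the helper expects a page-aligned buffer.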
 #11679  by sima
 Sat Feb 18, 2012 8:04 am
With the OSR tool DeviceTree I found the address of the \Device\Harddisk0\DR0 device (if you know how I could do it without it, tell me please). Then:
kd> !devstack 0xFFFFFa800205d790
  !DevObj   !DrvObj            !DevExt   ObjectName
  fffffa800205d2c0  \Driver\partmgr    fffffa800205d410  
> fffffa800205d790  \Driver\Disk       fffffa800205d8e0  DR0
  fffffa8001fd0530  \Driver\LSI_SAS    fffffa8001fd0680  0000009d
!DevNode fffffa8001f7a6e0 :
  DeviceInst is "SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S\5&22be343f&0&000000"
  ServiceName is "disk"
It seems that all is OK. My host machine has the same stack.
I can set a breakpoint on partmgr!PmGlobalDispatch, but the count of IRPs is large and I cannot trace all of them to find my IRPs. Maybe there is another way of monitoring my IRPs?
 #11683  by sima
 Sat Feb 18, 2012 12:39 pm
The full kernel dump is about 1.4 GB and it's problematic to upload. Did you mean a small kernel dump maybe?
But I think that any VMware virtual machine has these features. (I use VMware Workstation 8.0.)
 #11684  by rkhunter
 Sat Feb 18, 2012 1:48 pm
A small dump contains very little information, useless in this case.
This code works fine on a real machine; maybe it is simpler to stop solving this problem. I saw some anomalies with the low-level disk I/O implementation in various VMs and, probably, would not approach their solution so seriously.
 #11687  by rkhunter
 Sat Feb 18, 2012 3:04 pm
TDL4 uses the usual SRB-based method, sending it to the port driver, as do other internal tools or anti-rootkits, and all of it works fine under VMware. If you send your request to the port driver you can debug this situation with a bp on the IRP_MJ_SCSI dispatch function (lsi_sas in your case).