在Ntfs.sys中找MajorFunction（下面 DriverEntry 中 IoCreateDevice 之后的一组 `mov dword ptr [esi+XXh],offset Ntfs!NtfsFsd...` 就是在填写 DRIVER_OBJECT 的派遣表：esi 应为 DriverEntry 收到的 DRIVER_OBJECT，x86 上 MajorFunction 数组从偏移 0x38 开始、每项 4 字节，因此 [esi+38h] 对应 IRP_MJ_CREATE，[esi+40h] 对应 IRP_MJ_CLOSE，[esi+44h]/[esi+48h] 对应 IRP_MJ_READ/IRP_MJ_WRITE；[esi+28h] 则是 FastIoDispatch。检查这些槽位是否仍指向 Ntfs 映像范围内，是排查 IRP 派遣表钩子的常用做法。）

 

lkd> u ntfs!GsDriverEntry l 100

Ntfs!GsDriverEntry:

ba598184 8bff            mov     edi,edi

ba598186 55              push    ebp

ba598187 8bec            mov     ebp,esp

ba598189 a1d82553ba      mov     eax,dword ptr [Ntfs!__security_cookie (ba5325d8)]

ba59818e 85c0            test    eax,eax

ba598190 b940bb0000      mov     ecx,0BB40h

ba598195 7404            je      Ntfs!GsDriverEntry+0x17 (ba59819b)

ba598197 3bc1            cmp     eax,ecx

ba598199 7520            jne     Ntfs!GsDriverEntry+0x3a (ba5981bb)

ba59819b 8b1500ae52ba    mov     edx,dword ptr [Ntfs!_imp__KeTickCount (ba52ae00)]

ba5981a1 b8d82553ba      mov     eax,offset Ntfs!__security_cookie (ba5325d8)

ba5981a6 c1e808          shr     eax,8

ba5981a9 3302            xor     eax,dword ptr [edx]

ba5981ab 25ffff0000      and     eax,0FFFFh

ba5981b0 a3d82553ba      mov     dword ptr [Ntfs!__security_cookie (ba5325d8)],eax

ba5981b5 0f84aa120000    je      Ntfs!GsDriverEntry+0x33 (ba599465)

ba5981bb f7d0            not     eax

ba5981bd a3d42553ba      mov     dword ptr [Ntfs!__security_cookie_complement (ba5325d4)],eax

ba5981c2 5d              pop     ebp

ba5981c3 90              nop

ba5981c4 90              nop

ba5981c5 90              nop

ba5981c6 90              nop

ba5981c7 90              nop

Ntfs!DriverEntry:

ba5981c8 8bff            mov     edi,edi

ba5981ca 55              push    ebp

ba5981cb 8bec            mov     ebp,esp

ba5981cd 81ecc8000000    sub     esp,0C8h

ba5981d3 a1d82553ba      mov     eax,dword ptr [Ntfs!__security_cookie (ba5325d8)]

ba5981d8 53              push    ebx

ba5981d9 56              push    esi

。。。。。。。。。

ba598270 ff154cac52ba    call    dword ptr [Ntfs!_imp__IoCreateDevice (ba52ac4c)]

ba598276 3bc3            cmp     eax,ebx

ba598278 0f8cfb050000    jl      Ntfs!DriverEntry+0x854 (ba598879)

ba59827e c7467ca3ca58ba mov     dword ptr [esi+7Ch],offset Ntfs!NtfsFsdLockControl (ba58caa3)

ba598285 c74668bdaf53ba mov     dword ptr [esi+68h],offset Ntfs!NtfsFsdDirectoryControl (ba53afbd)

ba59828c c74650186651ba mov     dword ptr [esi+50h],offset Ntfs!NtfsFsdSetInformation (ba516618)

ba598293 c74638018c53ba mov     dword ptr [esi+38h],offset Ntfs!NtfsFsdCreate (ba538c01)

ba59829a c74640ea8053ba mov     dword ptr [esi+40h],offset Ntfs!NtfsFsdClose (ba5380ea)

ba5982a1 c746443b5f51ba mov     dword ptr [esi+44h],offset Ntfs!NtfsFsdRead (ba515f3b)

ba5982a8 c74648574b51ba mov     dword ptr [esi+48h],offset Ntfs!NtfsFsdWrite (ba514b57)

ba5982af c7465cc82e55ba mov     dword ptr [esi+5Ch],offset Ntfs!NtfsFsdFlushBuffers (ba552ec8)

ba5982b6 c7466c58d753ba mov     dword ptr [esi+6Ch],offset Ntfs!NtfsFsdFileSystemControl (ba53d758)

ba5982bd c78680000000b88a53ba mov dword ptr [esi+80h],offset Ntfs!NtfsFsdCleanup (ba538ab8)

ba5982c7 c74678af7552ba mov     dword ptr [esi+78h],offset Ntfs!NtfsFsdShutdown (ba5275af)

ba5982ce c786a4000000f05755ba mov dword ptr [esi+0A4h],offset Ntfs!NtfsFsdPnp (ba5557f0)

ba5982d8 c74628a02753ba mov     dword ptr [esi+28h],offset Ntfs!NtfsFastIoDispatch (ba5327a0)

ba5982df b8b99253ba      mov     eax,offset Ntfs!NtfsFsdDispatchWait (ba5392b9)

ba5982e4 89464c           mov     dword ptr [esi+4Ch],eax

ba5982e7 8986a0000000    mov     dword ptr [esi+0A0h],eax

ba5982ed 89869c000000    mov     dword ptr [esi+9Ch],eax

ba5982f3 894658          mov     dword ptr [esi+58h],eax

ba5982f6 894654          mov     dword ptr [esi+54h],eax

ba5982f9 b8049453ba      mov     eax,offset Ntfs!NtfsFsdDispatch (ba539404)

ba5982fe 894664          mov     dword ptr [esi+64h],eax

ba598301 894660          mov     dword ptr [esi+60h],eax

ba598304 89868c000000    mov     dword ptr [esi+8Ch],eax

ba59830a 898688000000    mov     dword ptr [esi+88h],eax

ba598310 894670          mov     dword ptr [esi+70h],eax

ba598313 a14cad52ba      mov     eax,dword ptr [Ntfs!_imp__FsRtlMdlReadCompleteDev (ba52ad4c)]
