nt!IoSynchronousPageWrite函數分析之atapi!IdeReadWrite----非常重要

第一部分：預分析

1: kd> g
Breakpoint 7 hit
atapi!IdeReadWrite:
f729cb2a 55????????????? push??? ebp
1: kd> kc
?#
00 atapi!IdeReadWrite
01 atapi!IdeSendCommand
02 atapi!AtapiStartIo
03 atapi!IdeStartIoSynchronized
04 nt!KeSynchronizeExecution
05 atapi!IdePortAllocateAccessToken
06 PCIIDEX!BmReceiveScatterGatherList
07 hal!HalBuildScatterGatherList
08 hal!HalGetScatterGatherList
09 PCIIDEX!BmSetup
0a atapi!IdePortStartIo
0b nt!IoStartPacket
0c atapi!IdePortDispatch
0d nt!IofCallDriver
0e CLASSPNP!SubmitTransferPacket
0f CLASSPNP!ServiceTransferRequest
10 CLASSPNP!ClassReadWrite
11 nt!IofCallDriver
12 PartMgr!PmReadWrite
13 nt!IofCallDriver
14 ftdisk!FtDiskReadWrite
15 nt!IofCallDriver
16 volsnap!VolSnapWrite
17 nt!IofCallDriver
18 Ntfs!NtfsSingleAsync
19 Ntfs!NtfsNonCachedIo
1a Ntfs!NtfsCommonWrite
1b Ntfs!NtfsFsdWrite
1c nt!IofCallDriver
1d nt!IoSynchronousPageWrite
1e nt!MiFlushSectionInternal
1f nt!MmFlushSection
20 nt!CcFlushCache
21 Ntfs!LfsFlushLfcb
22 Ntfs!LfsFlushToLsnPriv
23 Ntfs!LfsWriteLfsRestart
24 Ntfs!LfsWriteRestartArea
25 Ntfs!NtfsCheckpointVolume
26 Ntfs!NtfsCheckpointAllVolumes
27 nt!ExpWorkerThread
28 nt!PspSystemThreadStartup
29 nt!KiThreadStartup

1: kd> dt HW_DEVICE_EXTENSION 0x895e98a8
atapi!HW_DEVICE_EXTENSION
?? +0x000 CurrentSrb?????? : 0x898f9d7c _SCSI_REQUEST_BLOCK
?? +0x004 BaseIoAddress1?? : _IDE_REGISTERS_1
?? +0x028 BaseIoAddress2?? : _IDE_REGISTERS_2
?? +0x034 BaseIoAddress1Length : 8
?? +0x038 BaseIoAddress2Length : 1
?? +0x03c MaxIdeDevice???? : 2
?? +0x040 MaxIdeTargetId?? : 2
?? +0x044 CurrentIdeDevice : 0
?? +0x048 MoreWait???????? : 0
?? +0x04c NoRetry????????? : 0
?? +0x050 NumberOfCylinders : [4] 0x4443
?? +0x060 NumberOfHeads??? : [4] 0xf
?? +0x070 SectorsPerTrack? : [4] 0x3f
?? +0x080 InterruptMode??? : 1
?? +0x084 DataBuffer?????? : 0x894ef000? "FILE0"
?? +0x088 BytesLeft??????? : 0
?? +0x08c ErrorCount?????? : 0
?? +0x090 TimeoutCount???? : [4] 0
?? +0x0a0 LastLun????????? : [4] 0
?? +0x0b0 DeviceFlags????? : [4] 0x30e01
?? +0x0c0 MaximumBlockXfer : [4]? "@"
?? +0x0c4 ExpectingInterrupt : 0 ''
?? +0x0c5 DMAInProgress??? : 0 ''
?? +0x0c6 scsi2atapi?????? : 0 ''
?? +0x0c7 RDP????????????? : 0 ''
?? +0x0c8 DriverMustPoll?? : 0 ''
?? +0x0c9 PrimaryAddress?? : 0x1 ''
?? +0x0ca SecondaryAddress : 0 ''
?? +0x0cb NoPioSetTransferMode : 0 ''
?? +0x0cc OriginalCdb????? : [16]? ""
?? +0x0dc SmartCommand???? : 0 ''
?? +0x0dd ReturningMediaStatus : 0 ''
?? +0x0de IdentifyData???? : [4] _IDENTIFY_DATA
?? +0x8e0 BusMasterInterface : _PCIIDE_BUSMASTER_INTERFACE
?? +0x928 DeviceParameters : [4] _DEVICE_PARAMETERS
?? +0xa18 ResetState?????? : RESET_STATE
1: kd> dx -id 0,0,899a2278 -r1 (*((atapi!_IDE_REGISTERS_1 *)0x895e98ac))
(*((atapi!_IDE_REGISTERS_1 *)0x895e98ac))???????????????? [Type: _IDE_REGISTERS_1]
??? [+0x000] RegistersBaseAddress : 0x1f0 : Unable to read memory at Address 0x1f0 [Type: unsigned char *]
??? [+0x004] Data???????????? : 0x1f0 : Unable to read memory at Address 0x1f0 [Type: unsigned short *]
??? [+0x008] Error??????????? : 0x1f1 : Unable to read memory at Address 0x1f1 [Type: unsigned char *]
??? [+0x00c] BlockCount?????? : 0x1f2 : Unable to read memory at Address 0x1f2 [Type: unsigned char *]
??? [+0x010] BlockNumber????? : 0x1f3 : Unable to read memory at Address 0x1f3 [Type: unsigned char *]
??? [+0x014] CylinderLow????? : 0x1f4 : Unable to read memory at Address 0x1f4 [Type: unsigned char *]
??? [+0x018] CylinderHigh???? : 0x1f5 : Unable to read memory at Address 0x1f5 [Type: unsigned char *]
??? [+0x01c] DriveSelect????? : 0x1f6 : Unable to read memory at Address 0x1f6 [Type: unsigned char *]
??? [+0x020] Command????????? : 0x1f7 : Unable to read memory at Address 0x1f7 [Type: unsigned char *]

1: kd> dx -r1 ((atapi!_SCSI_REQUEST_BLOCK *)0x898f9d7c)
((atapi!_SCSI_REQUEST_BLOCK *)0x898f9d7c)???????????????? : 0x898f9d7c [Type: _SCSI_REQUEST_BLOCK *]
??? [+0x000] Length?????????? : 0x40 [Type: unsigned short]
??? [+0x002] Function???????? : 0x0 [Type: unsigned char]
??? [+0x003] SrbStatus??????? : 0x0 [Type: unsigned char]
??? [+0x004] ScsiStatus?????? : 0x0 [Type: unsigned char]
??? [+0x005] PathId?????????? : 0x0 [Type: unsigned char]
??? [+0x006] TargetId???????? : 0x0 [Type: unsigned char]
??? [+0x007] Lun????????????? : 0x0 [Type: unsigned char]
??? [+0x008] QueueTag???????? : 0x0 [Type: unsigned char]
??? [+0x009] QueueAction????? : 0x20 [Type: unsigned char]
??? [+0x00a] CdbLength??????? : 0xa [Type: unsigned char]
??? [+0x00b] SenseInfoBufferLength : 0x12 [Type: unsigned char]
??? [+0x00c] SrbFlags???????? : 0x40210180 [Type: unsigned long]
??? [+0x010] DataTransferLength : 0x2000 [Type: unsigned long]
??? [+0x014] TimeOutValue???? : 0xa [Type: unsigned long]
??? [+0x018] DataBuffer?????? : 0x89537000 [Type: void *]
??? [+0x01c] SenseInfoBuffer? : 0x898f9d68 [Type: void *]
??? [+0x020] NextSrb????????? : 0x0 [Type: _SCSI_REQUEST_BLOCK *]
??? [+0x024] OriginalRequest? : 0x898f9b38 [Type: void *]
??? [+0x028] SrbExtension???? : 0x2 [Type: void *]
??? [+0x02c] InternalStatus?? : 0x5e3c57 [Type: unsigned long]
??? [+0x02c] QueueSortKey???? : 0x5e3c57 [Type: unsigned long]
??? [+0x030] Cdb????????????? [Type: unsigned char [16]]

1: kd> db 0x89537000
89537000? 52 43 52 44 28 00 09 00-1a 0b 0f 08 00 00 00 00? RCRD(...........
89537010? 01 00 00 00 02 00 01 00-d0 08 00 00 00 00 00 00? ................
89537020? 0f 0b 0f 08 00 00 00 00-dc 0e db 01 00 00 00 00? ................
89537030? 00 00 01 00 00 00 00 00-00 00 00 00 00 00 00 00? ................
89537040? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00? ................
89537050? 0a 0a 0f 08 00 00 00 00-eb 09 0f 08 00 00 00 00? ................
89537060? eb 09 0f 08 00 00 00 00-98 00 00 00 00 00 00 00? ................
89537070? 01 00 00 00 18 00 00 00-00 00 00 00 00 00 00 00? ................
1: kd> dd 0x89537000
89537000? 44524352 00090028 080f0b1a 00000000
89537010? 00000001 00010002 000008d0 00000000
89537020? 080f0b0f 00000000 01db0edc 00000000
89537030? 00010000 00000000 00000000 00000000
89537040? 00000000 00000000 00000000 00000000
89537050? 080f0a0a 00000000 080f09eb 00000000
89537060? 080f09eb 00000000 00000098 00000000
89537070? 00000001 00000018 00000000 00000000
1: kd> dd c2c45000
c2c45000? 44524352 00090028 080f0b1a 00000000
c2c45010? 00000001 00010002 000008d0 00000000
c2c45020? 080f0b0f 00000000 00000edc 00000000
c2c45030? 00000000 00000000 00000000 00000000
c2c45040? 00000000 00000000 00000000 00000000
c2c45050? 080f0a0a 00000000 080f09eb 00000000
c2c45060? 080f09eb 00000000 00000098 00000000
c2c45070? 00000001 00000018 00000000 00000000

1: kd> dd 0x89538000
89538000? 44524352 00090028 080f0c44 00000000
89538010? 00000001 00020002 00000220 00000000
89538020? 080f0c0c 00000000 00240edd 00000000
89538030? 00000000 0000000c 00000000 00000000
89538040? 00000000 00000000 00000000 00000000
89538050? 00000000 00000000 00000000 00000000
89538060? 080f0c0c 00000000 080f0b1a 00000000
89538070? 080f0b1a 00000000 00000190 00000000
1: kd> dd c2c46000
c2c46000? 44524352 00090028 080f0c44 00000000
c2c46010? 00000001 00020002 00000220 00000000
c2c46020? 080f0c0c 00000000 00000edd 00000000
c2c46030? 00000000 00000000 00000000 00000000
c2c46040? 00000000 00000000 00000000 00000000
c2c46050? 00000000 00000000 00000000 00000000
c2c46060? 080f0c0c 00000000 080f0b1a 00000000
c2c46070? 080f0b1a 00000000 00000190 00000000

??? [+0x010] DataTransferLength : 0x2000 [Type: unsigned long]
??? [+0x014] TimeOutValue???? : 0xa [Type: unsigned long]
??? [+0x018] DataBuffer?????? : 0x89537000 [Type: void *]

??? //
??? // Set data buffer pointer and words left.
??? //

??? deviceExtension->DataBuffer = (PUCHAR)Srb->DataBuffer;
??? deviceExtension->BytesLeft = Srb->DataTransferLength;

第二部分：

??? //
??? // Select device 0 or 1.
??? //
??? SelectIdeDevice(baseIoAddress1, Srb->TargetId, 0);

1: kd> p
atapi!IdeReadWrite+0x20:
f729cb4a 50????????????? push??? eax
1: kd> p
atapi!IdeReadWrite+0x21:
f729cb4b ff7620????????? push??? dword ptr [esi+20h]
1: kd> p
atapi!IdeReadWrite+0x24:
f729cb4e ffd3??????????? call??? ebx
1: kd> r
eax=000000a0 ebx=804f4d68 ecx=00000000 edx=00000001 esi=895e98a8 edi=898f9d7c
eip=f729cb4e esp=f78d1bd8 ebp=f78d1bf4 iopl=0???????? nv up ei ng nz na pe cy
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000287
atapi!IdeReadWrite+0x24:
f729cb4e ffd3??????????? call??? ebx {hal!WRITE_PORT_UCHAR (804f4d68)}

cPublicProc _WRITE_PORT_UCHAR ,2
cPublicFpo 2, 0

??????? mov???? edx,[esp+4]???????????? ; (dx) = Port?? ?01f6?? ??? ???? [+0x01c] DriveSelect????? : 0x1f6 :
??????? mov???? al,[esp+8]????????????? ; (al) = Value?? ?a0
??????? out???? dx,al
??????? stdRET??? _WRITE_PORT_UCHAR

stdENDP _WRITE_PORT_UCHAR

1: kd> p
eax=000000a0 ebx=804f4d68 ecx=00000000 edx=000001f6 esi=895e98a8 edi=898f9d7c
eip=804f4d70 esp=f78d1bd4 ebp=f78d1bf4 iopl=0???????? nv up ei ng nz na pe cy
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000287
hal!WRITE_PORT_UCHAR+0x8:
804f4d70 ee????????????? out???? dx,al

#define SelectIdeDevice(BaseIoAddress, deviceNumber, additional) {\
??? SelectIdeLine(BaseIoAddress, (deviceNumber) >>1);\
??? WRITE_PORT_UCHAR ((BaseIoAddress)->DriveSelect, (UCHAR)((((deviceNumber) & 0x1) << 4) | 0xA0 | additional));\
??? }

??? //
??? // Select device 0 or 1.
??? //
??? SelectIdeDevice(baseIoAddress1, Srb->TargetId, 0);

[+0x006] TargetId???????? : 0x0 [Type: unsigned char]

如果是[+0x006] TargetId???????? : 0x1 [Type: unsigned char]，則
10000
0x10

0x10 | 0xA0= |0xB0

第三部分：

??? GetStatus(baseIoAddress1, statusByte2);

cPublicProc _READ_PORT_UCHAR ,1
cPublicFpo 1, 0

??????? xor???? eax, eax??????? ; Eliminate partial stall on return to caller

??????? mov???? edx,[esp+4]???????????? ; (dx) = Port?? ?1f7 ?? ?[+0x020] Command????????? : 0x1f7
??????? in????? al,dx?? ??? ??? ??? ?00
??????? stdRET??? _READ_PORT_UCHAR

stdENDP _READ_PORT_UCHAR

1: kd> p
eax=00000000 ebx=804f4d68 ecx=00000000 edx=000001f7 esi=895e98a8 edi=898f9d7c
eip=804f4d06 esp=f78d1bd8 ebp=f78d1bf4 iopl=0???????? nv up ei pl zr na pe nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000246
hal!READ_PORT_UCHAR+0x6:
804f4d06 ec????????????? in????? al,dx
1: kd> p
eax=00000050 ebx=804f4d68 ecx=00000000 edx=000001f7 esi=895e98a8 edi=898f9d7c
eip=804f4d07 esp=f78d1bd8 ebp=f78d1bf4 iopl=0???????? nv up ei pl zr na pe nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000246
hal!READ_PORT_UCHAR+0x7:
804f4d07 c20400????????? ret???? 4

eax=00000050?? ?#define IDE_STATUS_IDLE????????????? 0x50

//
// IDE status definitions
//
#define IDE_STATUS_ERROR???????????? 0x01
#define IDE_STATUS_INDEX???????????? 0x02
#define IDE_STATUS_CORRECTED_ERROR?? 0x04
#define IDE_STATUS_DRQ?????????????? 0x08
#define IDE_STATUS_DSC?????????????? 0x10
#define IDE_STATUS_DRDY????????????? 0x40
#define IDE_STATUS_IDLE????????????? 0x50
#define IDE_STATUS_BUSY????????????? 0x80

??? if (statusByte2 & IDE_STATUS_BUSY) {
??????? DebugPrint((DBG_CRASHDUMP | DBG_READ_WRITE,
??????????????????? "IdeReadWrite: Returning BUSY status\n"));
??????? return SRB_STATUS_BUSY;
??? }

第四部分：

??? //
??? // Set data buffer pointer and words left.
??? //

??? deviceExtension->DataBuffer = (PUCHAR)Srb->DataBuffer;
??? deviceExtension->BytesLeft = Srb->DataTransferLength;

?? +0x084 DataBuffer?????? : 0x89537000? "RCRD("
?? +0x088 BytesLeft??????? : 0x2000

第五部分：

1: kd> ?(0x2000 + 0x1FF)/0x200
Evaluate expression: 16 = 00000010

??? //??????????????????????????????????????????????????????? ?
??? // Set up sector count register. Round up to next block.
??? //
??? IdePortOutPortByte (
?????????????????????? baseIoAddress1->BlockCount,
?????????????????????? (UCHAR)((Srb->DataTransferLength + 0x1FF) / 0x200));

cPublicProc _WRITE_PORT_UCHAR ,2
cPublicFpo 2, 0

??????? mov???? edx,[esp+4]???????????? ; (dx) = Port?? ??? ?[+0x00c] BlockCount?????? : 0x1f2 :
??????? mov???? al,[esp+8]????????????? ; (al) = Value?? ??? ?10
??????? out???? dx,al
??????? stdRET??? _WRITE_PORT_UCHAR

stdENDP _WRITE_PORT_UCHAR

1: kd> p
eax=00000010 ebx=804f4d68 ecx=00000000 edx=000001f2 esi=895e98a8 edi=898f9d7c
eip=804f4d70 esp=f78d1bd4 ebp=f78d1bf4 iopl=0???????? nv up ei pl nz na po cy
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000203
hal!WRITE_PORT_UCHAR+0x8:
804f4d70 ee????????????? out???? dx,al

第六部分：

??? //
??? // Get starting sector number from CDB.
??? //

??? startingSector = ((PCDB)Srb->Cdb)->CDB10.LogicalBlockByte3 |?? ??? ?0x57
???????????????????? ((PCDB)Srb->Cdb)->CDB10.LogicalBlockByte2 << 8 |?? ??? ?0x3c00
???????????????????? ((PCDB)Srb->Cdb)->CDB10.LogicalBlockByte1 << 16 |?? ??? ?0x5e0000
???????????????????? ((PCDB)Srb->Cdb)->CDB10.LogicalBlockByte0 << 24;

? +0x000 CDB10??????????? : _CDB10
????? +0x000 OperationCode??? : 0x2a '*'
????? +0x001 RelativeAddress? : 0y0
????? +0x001 Reserved1??????? : 0y00
????? +0x001 ForceUnitAccess? : 0y1
????? +0x001 DisablePageOut?? : 0y0
????? +0x001 LogicalUnitNumber : 0y000
????? +0x002 LogicalBlockByte0 : 0 ''
????? +0x003 LogicalBlockByte1 : 0x5e '^'
????? +0x004 LogicalBlockByte2 : 0x3c '<'
????? +0x005 LogicalBlockByte3 : 0x57 'W'
????? +0x006 Reserved2??????? : 0 ''
????? +0x007 TransferBlocksMsb : 0 ''
????? +0x008 TransferBlocksLsb : 0x10 ''
????? +0x009 Control????????? : 0 ''

0x5e3c57

1: kd> p
atapi!IdeReadWrite+0xb7:
f729cbe1 50????????????? push??? eax
1: kd> p
atapi!IdeReadWrite+0xb8:
f729cbe2 682eca29f7????? push??? offset atapi!IdeReadWriteExt+0x35e (f729ca2e)
1: kd> r
eax=005e3c57

第七部分：

?? if (deviceExtension->DeviceFlags[Srb->TargetId] & DFLAGS_LBA) {

1: kd> dt HW_DEVICE_EXTENSION 0x895e98a8

?? +0x0b0 DeviceFlags????? : [4] 0x30e01
1: kd> dx -id 0,0,899a2278 -r1 (*((atapi!unsigned long (*)[4])0x895e9958))
(*((atapi!unsigned long (*)[4])0x895e9958))???????????????? [Type: unsigned long [4]]
??? [0]????????????? : 0x30e01 [Type: unsigned long]
??? [1]????????????? : 0x0 [Type: unsigned long]
??? [2]????????????? : 0x0 [Type: unsigned long]
??? [3]????????????? : 0x0 [Type: unsigned long]

1: kd> db 0x895e98a8+0x0b0
895e9958? 01 0e 03 00 00 00 00 00-00 00 00 00 00 00 00 00? ................

#define DFLAGS_LBA?????????????????? (1 << 10)?? // support LBA addressing

?100 0000 0000

0x400

1110 0000 0001

第八部分：

??? if (deviceExtension->DeviceFlags[Srb->TargetId] & DFLAGS_LBA) {

??????? SelectIdeDevice(baseIoAddress1,
??????????????????????? Srb->TargetId,
??????????????????????? (IDE_LBA_MODE | ((startingSector & 0x0f000000) >> 24)));

??????? IdePortOutPortByte (
?????????????????????????? baseIoAddress1->BlockNumber,
?????????????????????????? (UCHAR) ((startingSector & 0x000000ff) >> 0));
??????? IdePortOutPortByte (
?????????????????????????? baseIoAddress1->CylinderLow,
?????????????????????????? (UCHAR) ((startingSector & 0x0000ff00) >> 8));

??????? IdePortOutPortByte (
?????????????????????????? baseIoAddress1->CylinderHigh,
?????????????????????????? (UCHAR) ((startingSector & 0x00ff0000) >> 16));

#define IDE_LBA_MODE??????????????????????????????????? (1 << 6)

100?? ?0000
0x40

005e3c57 & 0x0f000000

??????? SelectIdeDevice(baseIoAddress1,
??????????????????????? Srb->TargetId,
??????????????????????? (IDE_LBA_MODE | ((startingSector & 0x0f000000) >> 24)));

0x40
0x0| 0xA0 |0x40=0xe0

cPublicProc _WRITE_PORT_UCHAR ,2
cPublicFpo 2, 0

??????? mov???? edx,[esp+4]???????????? ; (dx) = Port?? ?01f6
??????? mov???? al,[esp+8]????????????? ; (al) = Value?? ?e0
??????? out???? dx,al
??????? stdRET??? _WRITE_PORT_UCHAR

stdENDP _WRITE_PORT_UCHAR

1: kd> p
eax=800000e0 ebx=804f4d68 ecx=000000e0 edx=000001f6 esi=895e98a8 edi=898f9d7c
eip=804f4d70 esp=f78d1bd4 ebp=f78d1bf4 iopl=0???????? nv up ei ng nz na po nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000282
hal!WRITE_PORT_UCHAR+0x8:
804f4d70 ee????????????? out???? dx,al

第九部分：

?[+0x010] BlockNumber????? : 0x1f3 : Unable to read memory at Address 0x1f3 [Type: unsigned char *]
??? [+0x014] CylinderLow????? : 0x1f4 : Unable to read memory at Address 0x1f4 [Type: unsigned char *]
??? [+0x018] CylinderHigh???? : 0x1f5 : Unable to read memory at Address 0x1f5 [Type: unsigned char *]

??????? IdePortOutPortByte (
?????????????????????????? baseIoAddress1->BlockNumber,?? ??? ??? ??? ? [+0x010] BlockNumber????? : 0x1f3
?????????????????????????? (UCHAR) ((startingSector & 0x000000ff) >> 0));?? ??? ?0x57

005e3c57& 0x000000ff=0x57

cPublicProc _WRITE_PORT_UCHAR ,2
cPublicFpo 2, 0

??????? mov???? edx,[esp+4]???????????? ; (dx) = Port
??????? mov???? al,[esp+8]????????????? ; (al) = Value
??????? out???? dx,al
??????? stdRET??? _WRITE_PORT_UCHAR

stdENDP _WRITE_PORT_UCHAR

1: kd> p
eax=80000057 ebx=804f4d68 ecx=000000e0 edx=000001f3 esi=895e98a8 edi=898f9d7c
eip=804f4d70 esp=f78d1bd4 ebp=f78d1bf4 iopl=0???????? nv up ei ng nz na po nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000282
hal!WRITE_PORT_UCHAR+0x8:
804f4d70 ee????????????? out???? dx,al

第十部分：

??????? IdePortOutPortByte (
?????????????????????????? baseIoAddress1->CylinderLow,?? ??? ??? ?[+0x014] CylinderLow????? : 0x1f4
?????????????????????????? (UCHAR) ((startingSector & 0x0000ff00) >> 8));?? ?3c

cPublicProc _WRITE_PORT_UCHAR ,2
cPublicFpo 2, 0

??????? mov???? edx,[esp+4]???????????? ; (dx) = Port?? ??? ?01f4
??????? mov???? al,[esp+8]????????????? ; (al) = Value?? ??? ?3c
??????? out???? dx,al
??????? stdRET??? _WRITE_PORT_UCHAR

stdENDP _WRITE_PORT_UCHAR

1: kd> p
eax=00005e3c ebx=804f4d68 ecx=000000e0 edx=000001f4 esi=895e98a8 edi=898f9d7c
eip=804f4d70 esp=f78d1bd4 ebp=f78d1bf4 iopl=0???????? nv up ei pl nz na pe nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000206
hal!WRITE_PORT_UCHAR+0x8:
804f4d70 ee????????????? out???? dx,al

第十一部分：

??????? IdePortOutPortByte (
?????????????????????????? baseIoAddress1->CylinderHigh,?? ??? ??? ?[+0x018] CylinderHigh???? : 0x1f5
?????????????????????????? (UCHAR) ((startingSector & 0x00ff0000) >> 16));?? ?5e
?? ?
cPublicProc _WRITE_PORT_UCHAR ,2
cPublicFpo 2, 0

??????? mov???? edx,[esp+4]???????????? ; (dx) = Port?? ??? ??? ?01f5
??????? mov???? al,[esp+8]????????????? ; (al) = Value?? ??? ??? ?5e
??????? out???? dx,al
??????? stdRET??? _WRITE_PORT_UCHAR

stdENDP _WRITE_PORT_UCHAR

1: kd> p
eax=0000005e ebx=804f4d68 ecx=000000e0 edx=000001f5 esi=895e98a8 edi=898f9d7c
eip=804f4d70 esp=f78d1bd4 ebp=f78d1bf4 iopl=0???????? nv up ei pl nz na po nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000202
hal!WRITE_PORT_UCHAR+0x8:
804f4d70 ee????????????? out???? dx,al

第十二部分：

//
// SRB Flag Bits
//

#define SRB_FLAGS_QUEUE_ACTION_ENABLE?????? 0x00000002
#define SRB_FLAGS_DISABLE_DISCONNECT??????? 0x00000004
#define SRB_FLAGS_DISABLE_SYNCH_TRANSFER??? 0x00000008

#define SRB_FLAGS_BYPASS_FROZEN_QUEUE?????? 0x00000010
#define SRB_FLAGS_DISABLE_AUTOSENSE???????? 0x00000020
#define SRB_FLAGS_DATA_IN?????????????????? 0x00000040
#define SRB_FLAGS_DATA_OUT????????????????? 0x00000080?? ??? ??? ?#define SRB_FLAGS_DATA_OUT ?? ??? ?
#define SRB_FLAGS_NO_DATA_TRANSFER????????? 0x00000000
#define SRB_FLAGS_UNSPECIFIED_DIRECTION????? (SRB_FLAGS_DATA_IN | SRB_FLAGS_DATA_OUT)

#define SRB_FLAGS_NO_QUEUE_FREEZE?????????? 0x00000100?? ??? ??? ?#define SRB_FLAGS_NO_QUEUE_FREEZE
#define SRB_FLAGS_ADAPTER_CACHE_ENABLE????? 0x00000200
#define SRB_FLAGS_FREE_SENSE_BUFFER???????? 0x00000400

#define SRB_FLAGS_IS_ACTIVE???????????????? 0x00010000?? ??? ??? ?#define SRB_FLAGS_IS_ACTIVE
#define SRB_FLAGS_ALLOCATED_FROM_ZONE?????? 0x00020000
#define SRB_FLAGS_SGLIST_FROM_POOL????????? 0x00040000
#define SRB_FLAGS_BYPASS_LOCKED_QUEUE?????? 0x00080000

#define SRB_FLAGS_NO_KEEP_AWAKE???????????? 0x00100000
#define SRB_FLAGS_PORT_DRIVER_ALLOCSENSE??? 0x00200000?? ??? ?#define SRB_FLAGS_PORT_DRIVER_ALLOCSENSE
#define SRB_FLAGS_PORT_DRIVER_SENSEHASPORT? 0x00400000
#define SRB_FLAGS_DONT_START_NEXT_PACKET??? 0x00800000

#define SRB_FLAGS_PORT_DRIVER_RESERVED????? 0x0F000000
#define SRB_FLAGS_CLASS_DRIVER_RESERVED???? 0xF0000000

??? //
??? // Check if write request.
??? //

??? if (Srb->SrbFlags & SRB_FLAGS_DATA_IN) {?? ??? ?//不是讀操作，是寫操作

第十三部分：

??? } else {

??????? //
??????? // Send write command.
??????? //
??????? if (SRB_USES_DMA(Srb)) {?? ??? ?//符合條件：??? [+0x028] SrbExtension???? : 0x2 [Type: void *]

??????????? IdePortOutPortByte (
?????????????????????????????? baseIoAddress1->Command,
?????????????????????????????? IDE_COMMAND_WRITE_DMA);

#define SRB_USES_DMA(Srb)?????????????? (((ULONG_PTR)Srb->SrbExtension) & 2)

??? [+0x028] SrbExtension???? : 0x2 [Type: void *]

#define IDE_COMMAND_WRITE_DMA?????????????????? 0xCA

cPublicProc _WRITE_PORT_UCHAR ,2
cPublicFpo 2, 0

??????? mov???? edx,[esp+4]???????????? ; (dx) = Port?? ??? ?01f7
??????? mov???? al,[esp+8]????????????? ; (al) = Value?? ??? ?ca
??????? out???? dx,al
??????? stdRET??? _WRITE_PORT_UCHAR

stdENDP _WRITE_PORT_UCHAR

1: kd> p
eax=000000ca ebx=804f4d68 ecx=000000e0 edx=000001f7 esi=895e98a8 edi=898f9d7c
eip=804f4d70 esp=f78d1bd4 ebp=f78d1bf4 iopl=0???????? nv up ei pl nz na po nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000202
hal!WRITE_PORT_UCHAR+0x8:
804f4d70 ee????????????? out???? dx,al