2005-06-06

I've really been slacking lately and got beaten by myself again. I wanted somewhere to vent, but there isn't one, and I can't anyway. I keep thinking that standing by the water envying the fish is no substitute for going home and weaving a net, yet I still haven't acted. I know the end of term is near; I can't let myself be beaten every time!!

Enough rambling.

Oh, and tomorrow is the gaokao (the college entrance exam). It's been two years since I went through it.

2005-06-03

Planning to use TDI to build a backdoor.

What I read there:

So that networking API drivers don’t need to employ various interfaces for each transport protocol they might want to use, Microsoft established the Transport Driver Interface (TDI) standard. As mentioned earlier in this chapter, a TDI interface is essentially a convention for the way network requests format into IRPs and for the way network addresses and communications are allocated. Transport protocols that adhere to the TDI standard export the TDI interface to their clients, which include networking API drivers such as AFD and the redirector. A transport protocol implemented as a Windows device driver is known as a TDI transport. Because TDI transports are device drivers, they format requests they receive from clients as IRPs.

Support functions in the \Windows\System32\Drivers\Tdi.sys library, along with definitions developers include in their drivers, make up the TDI interface. The TDI programming model is very similar to that of Winsock. A TDI client executes the following steps to establish a connection with a remote server:

  1. The client allocates and formats an address open TDI IRP to allocate an address. The TDI transport returns a file object, which is known as an address object, that represents the address. This step is the equivalent of using the bind Winsock function.

  2. The client then allocates and formats a connection open TDI IRP, and the TDI transport returns a file object, which is known as a connection object, that represents the connection. This step is the equivalent of the use of the Winsock socket function.

  3. The client associates the connection object to the address object with an associate address TDI IRP. (There’s no equivalent to this step in Winsock.)

  4. A TDI client that accepts remote connections issues a listen TDI IRP specifying the number of connections supported for a connection object and then issues an accept TDI IRP, which completes when a remote system establishes a connection (or an error occurs). These operations are equivalent to the use of the Winsock listen and accept functions.

  5. A TDI client that wants to establish a connection with a remote server issues a connect TDI IRP, specifying the connection object, that the TDI transport completes when a connection is established (or an error occurs). Issuing a connect TDI IRP is the equivalent of using the connect Winsock function.

TDI also supports connectionless communications for connectionless protocols such as UDP. In addition, TDI provides a means whereby a TDI client can register event callbacks (that is, functions that are directly invoked) with TDI transports. When it receives data from across the network, a TDI transport can invoke a registered client receive callback, for example. This event-based callback feature of TDI allows the TDI transport to notify its clients of network events, and clients that rely on event callbacks don’t need to preallocate resources such as buffers when receiving network data because they can view the contents of the buffers supplied by a TDI protocol driver.

I'll look in the DDK later for examples. Been in a funk these past couple of days..

2005-05-18

Damn, this task really dragged on, nearly a few months of dawdling. I stopped to study other things in the middle and set the Linux work aside, until I came across Ralf Brown's Interrupt List. Whatever the outcome of this install, my goal has always been to learn Linux; the next step is to study more and harder, plus the networking part: I want to try to port the networking code of Linux 1.0 onto 0.11 :>

I'm grateful to my afternoon self for not being as lazy as usual: I opened the case and switched the hard disk from slave to master. The Linux 0.11 kernel actually doesn't need much modification to work, judging by the result anyway :>

The frustration of the past two days was mainly because the hard disk was the slave and the master was a bad one, so sending a reset to port 0x1f1 returned 7f, which was always wrong. After swapping them it was much better.

All I really changed was:
        if (drive>1 || head>15)
                panic("Trying to write bad sector");
because with a large disk the head number will certainly exceed 15, and the disk has to use NORMAL mode. But I don't understand: isn't NORMAL mode limited to accessing a 520 (or 512) MB range of the disk? My minix partition is clearly beyond that. Must keep studying!!

The execve() in Linux 0.11 can only run the oldest a.out format files. At first I copied bash from RH9 as /bin/sh, which is ELF, so it couldn't be used.

When learning things I must take notes, otherwise before long I'll be frustrated by the same thing a second time.

The IDE-related parts of Ralf Brown's Interrupt List that I looked up a few days ago:

—————————————————————————–
Hello zmba,

I was wrong. When I read Linux 0.11 before, I didn't understand that the point was to use 0.11 to understand the kernel, the current kernel. I just let it go at the time. It was another chance, and I let it slip....

Ralf Brown's Interrupt List:
———-R12——————————–
CMOS 12h – IBM – HARD DISK DATA
Notes: A PC with a single type 2 (20 Mb ST-225) hard disk will have 20h in
   byte 12h
 some PCs utilizing external disk controller ROMs will use type 0 to
   disable ROM BIOS (e.g. Zenith 248 with Plus HardCard).

Bitfields for IBM hard disk data:
Bit(s) Description (Table C0014)
 7-4 First Hard Disk Drive
     00     No drive
     01-0Eh Hard drive Type 1-14
     0Fh    Hard Disk Type 16-255 (actual Hard Drive Type is in CMOS RAM 19h)
 3-0 Second Hard Disk Drive Type
     (same as first except extended type will be found in 1Ah).
———-R12——————————–
CMOS 12h – IBM PS/2 – SECOND FIXED DISK DRIVE TYPE (00-FFh)
SeeAlso: CMOS 11h"IBM PS/2"


Copied from Ralf Brown’s Interrupt List


head   number of heads
sect   sectors per track
cyl    number of cylinders
wpcom  write precompensation cylinder
lzone  head landing zone cylinder
ctl    control byte


03F6  r/w  FIXED disk controller data register (see #P0871)


Bitfields for fixed disk controller data register:
Bit(s) Description (Table P0871)
 7-4 reserved
 3 =0  reduce write current
 =1  head select 3 enable
 2 disk reset enable
 1 disk initialization disable
 0 reserved
SeeAlso: #P0862,#P0872

Bitfields for hard disk controller:
Bit(s) Description (Table P0872)
 6 FIXED DISK write gate
 5 FIXED DISK head select 3 / reduced write current
 4 FIXED DISK head select 2
 3 FIXED DISK head select 1
 2 FIXED DISK head select 0
 1 FIXED DISK drive 1 select
 0 FIXED DISK drive 0 select
SeeAlso: #P0871



Bitfields for diskette controller main status register:
Bit(s) Description (Table P0865)
 7 =1  RQM  data register is ready
 =0  no access is permitted
 6 =1  transfer is from controller to system
 =0  transfer is from system to controller
 5 non-DMA mode
 4 diskette controller is busy
 3 drive 3 busy (reserved on PS/2)
 2 drive 2 busy (reserved on PS/2)
 1 drive 1 busy (= drive is in seek mode)
 0 drive 0 busy (= drive is in seek mode)
SeeAlso: #P0862



Bitfields for Hard Disk Controller error register:
Bit(s) Description (Table P0512)
—diagnostic mode errors—
 7 which drive failed (0 = master, 1 = slave)
 6-3 reserved
 2-0 error code
     001 no error detected
     010 formatter device error
     011 sector buffer error
     100 ECC circuitry error
     101 controlling microprocessor error
—operation mode—
 7 bad block detected
 6 uncorrectable ECC error
 5 reserved
 4 ID found
 3 reserved
 2 command aborted prematurely
 1 track 000 not found
 0 DAM not found (always 0 for CP-3022)
SeeAlso: #P0513,#P0514

Bitfields for hard disk controller drive/head specifier:
Bit(s) Description (Table P0513)
 7 =1
 6 LBA mode enabled, rather than default CHS mode
 5 =1
 4 drive select (0 = drive 0, 1 = drive 1)
 3-0 head select bits (CHS mode)
     logical block address, bits 27-24 (LBA mode)
SeeAlso: #P0512,#P0514

Bitfields for hard disk controller status register:
Bit(s) Description (Table P0514)
 7 controller is executing a command
 6 drive is ready
 5 write fault
 4 seek complete
 3 sector buffer requires servicing
 2 disk data read successfully corrected
 1 index – set to 1 each disk revolution
 0 previous command ended in an error
SeeAlso: #P0512,#P0515

(Table P0515)
Values for hard disk controller command codes:
Command  Spec Type Proto Description   class:
 00h  opt nondata NOP
 08h    device reset
 1xh  opt nondata recalibrate     1
 20h  req PIOin read sectors with retry    1
 21h  req PIOin read sectors without retry   1
 22h  req PIOin read long with retry    1
 23h  req PIOin read long without retry    1
 30h  req PIOout write sectors with retry   2
 31h  req PIOout write sectors without retry   2
 32h  req PIOout write long with retry    2
 33h  req PIOout write long without retry   2
 3Ch  IDE opt PIOout write verify     3
 40h  req nondata read verify sectors with retry   1
 41h  req nondata read verify sectors without retry 1
 50h  req vend format track     2
 7xh  req nondata seek      1
 8xh  IDE vendor vend vendor unique 3
 90h  req nondata execute drive diagnostics   1
 91h  req nondata initialize drive parameters   1
 92h  opt PIOout download microcode
 94h E0h IDE opt nondata standby immediate    1
 95h E1h IDE opt nondata idle immediate     1
 96h E2h IDE opt nondata standby      1
 97h E3h IDE opt nondata idle      1
 98h E5h IDE opt nondata check power mode    1
 99h E6h IDE opt nondata set sleep mode     1
 9Ah  IDE vendor vend vendor unique 1
 A0h  ATAPI   packet command
 A1h  ATAPI opt PIOin ATAPI Identify   (see #P0524)
 B0h  SMART opt  Self Mon., Analysis, Rept. Tech. (see #P0527)
 C0h-C3h IDE vendor vend vendor unique 2
 C4h  IDE opt PIOin read multiple     1
 C5h  IDE opt PIOout write multiple     3
 C6h  IDE opt nondata set multiple mode    1
 C7h  ATA-4   Read DMA O/Q
 C8h  IDE opt DMA read DMA with retry    1
 C9h  IDE opt DMA read DMA without retry    1
 CAh  IDE opt DMA write DMA with retry    3
 CBh  IDE opt DMA write DMA w/out retry    3
 CCh  ATA-4   Write DMA O/Q
 DAh    get media status
 DBh  ATA-2 opt vend acknowledge media chng  [Removable]
 DCh  ATA-2 opt vend Boot / Post-Boot  [Removable]
 DDh  ATA-2 opt vend Boot / Pre-Boot (ATA-2)  [Removable]
 DEh  ATA-2 opt vend door lock   [Removable]
 DFh  ATA-2 opt vend door unlock   [Removable]
 E0h-E3h   (second half of commands 94h-96h)
 E4h  IDE opt PIOin read buffer     1
 E5h-E6h   (second half of commands 98h-99h)
 E8h  IDE opt PIOout write buffer     2
 E9h  IDE opt PIOout write same     3
 EAh  ATA-3 opt  Secure Disable   [Security Mode]
 EAh  ATA-3 opt  Secure Lock   [Security Mode]
 EAh  ATA-3 opt  Secure State   [Security Mode]
 EAh  ATA-3 opt  Secure Enable WriteProt  [Security Mode]
 EBh  ATA-3 opt  Secure Enable   [Security Mode]
 EBh  ATA-3 opt  Secure Unlock   [Security Mode]
 ECh  IDE req PIOin identify drive     1 (see #P0516)
 EDh  ATA-2 opt nondata media eject   [Removable]
 EEh  ATA-3 opt  identify device DMA      (see #P0516)
 EFh  IDE opt nondata set features     1 (see #P0535)
 F0h-F4h IDE  vend EATA standard
 F1h    Security Set Password
 F2h    Security Unlock
 F3h    Security Erase Prepare
 F4h    Security Erase Unit
 F5h-FFh IDE vendor vend vendor unique 4
 F5h    Security Freeze Lock
 F6h    Security Disable Password
SeeAlso: #P0512,#P0514


Best regards,

uty
zmba@tom.com
2005-05-12
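The drive/head register (Table P0513) and status register (Table P0514) listed above, as an added example in C that is not part of the original post: it encodes the drive/head byte for CHS and 28-bit LBA addressing, which shows why a head number above 15 cannot be expressed in CHS mode (the situation behind the Linux 0.11 "head>15" panic check discussed earlier), and tests a status byte for readiness. The bit-name macros and the drive_ready rule are this example's own assumptions.

```c
/* Added example (not from the original post): IDE drive/head register
 * (Table P0513) encoding and status register (Table P0514) decoding.
 * Bit names and the drive_ready rule are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>

#define DH_FIXED  0xA0   /* bits 7 and 5 are always 1 */
#define DH_LBA    0x40   /* bit 6: LBA mode instead of CHS */
#define DH_DRIVE1 0x10   /* bit 4: select drive 1 (slave) */

/* Drive/head byte for CHS addressing. Only four head bits exist, so a
 * head number above 15 cannot be expressed: return -1, which is exactly
 * the case behind the Linux 0.11 check "if (drive>1 || head>15) panic()". */
int dh_chs(int drive, int head)
{
    if (drive < 0 || drive > 1 || head < 0 || head > 15)
        return -1;
    return DH_FIXED | (drive ? DH_DRIVE1 : 0) | head;
}

/* Drive/head byte for 28-bit LBA: bits 3-0 carry LBA bits 27-24. */
int dh_lba(int drive, uint32_t lba)
{
    if (drive < 0 || drive > 1 || lba > 0x0FFFFFFFu)
        return -1;
    return DH_FIXED | DH_LBA | (drive ? DH_DRIVE1 : 0) | (int)((lba >> 24) & 0x0F);
}

/* Status register bits (Table P0514). */
#define ST_BSY  0x80   /* 7: controller is executing a command */
#define ST_DRDY 0x40   /* 6: drive is ready */
#define ST_DRQ  0x08   /* 3: sector buffer requires servicing */
#define ST_ERR  0x01   /* 0: previous command ended in an error */

/* Ready for a new command: not busy, drive ready, no error flagged. */
int drive_ready(uint8_t status)
{
    return !(status & ST_BSY) && (status & ST_DRDY) != 0 && !(status & ST_ERR);
}

int main(void)
{
    printf("CHS drive0 head5  -> %02X\n", dh_chs(0, 5));            /* A5 */
    printf("CHS drive0 head16 -> %d\n", dh_chs(0, 16));              /* -1 */
    printf("LBA drive1 0A123456 -> %02X\n", dh_lba(1, 0x0A123456u)); /* FA */
    printf("status 50 ready? %d\n", drive_ready(0x50));              /* 1 */
    return 0;
}
```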

——————————————————————————————

Three days of frustration. At first I couldn't get the Makefile working and couldn't even compile a hello world into a .o. Then I found one online and borrowed it. The main thing is that the include path must be the include directory inside the kernel source tree, so that the module is built for the same kernel version as the running one; and it says -O2 is required so that some inline functions get included.
CC = gcc
CINCLU = /usr/src/linux-2.4/include
CFLAGS = -DLINUX -c -O2 -Wall -I$(CINCLU)
all: mydrv1.o
mydrv1.o: mydrv1.c
	$(CC) $(CFLAGS) $<
clean:
	rm -f *.o
Note that the compile command line must begin with a TAB.

The purpose of this module is to list all processes and all modules. When I used the kernel global variable current, it said there was no such variable; heh, actually I had forgotten to include <linux/sched.h>.

current is a pointer of type struct task_list, but at some point the two members struct task_list *next_task, *prev_task; disappeared from it, so many modules need modifying before they work; however I found the next_task(p) macro in sched.h :>

The most annoying thing was that whenever I tried to use module_list it kept saying it didn't exist. I was stuck on this for almost two days; nothing I tried worked. The alternative was to not define the MODULE macro, in which case module_list would exist, but then it wouldn't be a module and certainly couldn't be used. Lots of places online and in books say to use module_list, and on a mailing list a foreigner had the same problem but it wasn't resolved; it seems it was the Linux kernel mailing list, naturally, who would look at that kind of question there. Later I found that module_list simply can't be used any more; 2.6.0 doesn't have module_list at all.

In sched.h:
#if defined(MODULE) && !defined(__GENKSYMS__)
.
extern struct module __this_module;
.
#else /*MODULE*/
.
#ifndef __GENKSYMS__
.
extern struct module* module_list;
.
#endif /*!__GENKSYMS__*/
.
#endif /*MODULE*/

Clearly it's not meant to be used; that nearly killed me. I'll just use __this_module instead.
#ifndef __GENKSYMS__

#define THIS_MODULE  NULL
#define MOD_INC_USE_COUNT do { } while (0)
#define MOD_DEC_USE_COUNT do { } while (0)
#define MOD_IN_USE  1

extern struct module *module_list;

#endif /* !__GENKSYMS__ */
Many other macros can't be used either; they're all fake.

ksyms -a indeed lists no module_list.
I found the address of module_list in /boot/System.map and used it like this: struct module* temp = (struct module*)0xC03064C0; that didn't work either. Looks like module_list is truly dead.

Here's the module: on insmod it lists all processes, on rmmod it lists all modules.

/*********************************************
 * simple work like ps -A and lsmod,
 * but referenced as a module
 *    written by uty@uaty
 *********************************************/
#define __KERNEL__
#define MODULE
//#undef __GENKSYMS__
#ifdef MODVERSIONS
#include <linux/modversions.h>
#endif
//#define __NO_VERSIONS__

#include <linux/config.h>
#include <linux/module.h>

#include <linux/kernel.h>
#include <linux/sched.h>

MODULE_LICENSE("GPL");   /* avoids the "tainted kernel" warning on 2.4.10+ */

/* Called on insmod: print the pid and name of every process. */
int init_module(void)
{
  struct task_struct* temp;
  /* haha :> see sched.h; this is a better way than the loop below */
  for_each_process(temp){
    printk("%d    %s\n",temp->pid,temp->comm);
  }
  /* printk("<5>init mydrv\n");
  printk("%d    %s\n",current->pid,current->comm);
  temp = current;
  temp = next_task(temp);
  printk("%d    %s\n",current->pid,current->comm);
   while(1){
     temp = next_task(temp);
     if (temp->pid == 0) break;
     printk("%d    %s\n",temp->pid,temp->comm);
   }
  */
  return 0;
}

/* Called on rmmod: walk the module chain starting from this module. */
void cleanup_module(void)
{
  struct module* temp;
  int i=0;
  /*temp = (struct module*)0xc030b4c0;
    printk("%s\n",temp->name);*/   /* I got the module_list address from System.map, but it doesn't seem to work */
  printk("%s\n",__this_module.name);
  temp = &__this_module;
  /* bounded at 30 entries so a corrupted chain cannot loop forever */
  while(i<30){
    i++;
    if (temp->next != NULL){
      temp = temp->next;
    }else{
      break;
    }
    printk("%s\n",temp->name);
  }
  printk("<5>cleanup mydrv\n");
}