cdenable.sys windows cd access driver decompiled


//This is the decompiled code of the cdenable.sys driver used for CD access on Windows by BasiliskII and SheepShaver. It is intended for anyone who wants to try to reconstruct the driver for 64-bit Windows systems. I've added links to the MSDN documentation for the functions the driver calls. Note that the dispatch routine (cdenableDispatch, installed for IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_DEVICE_CONTROL and therefore the routine that receives the emulator's IOCTLs) did not decompile, so whatever validation of the user-supplied handle, offset, length and buffer happens before direct_read is not visible in this listing.

//Some overall driver information:
//http://four-f.webs.com/KmdTut/kmd05.html#k5d11

#include <windows.h>
//#include <defs.h> //default include from the disassembler to include function declarations. Needs to be reconstructed.
//Other includes also need to be reconstructed.
//The original driver was created with the windows ddk in 1998/9?


//-------------------------------------------------------------------------
// Data declarations

// Decompiler placeholders rather than real driver data:
//  _ImageBase              -- the module's load address. direct_read passes (SIZE_T)&_ImageBase
//                             as the ExAllocatePoolWithTag / IoAllocateMdl size, which is almost
//                             certainly an immediate that happened to equal the load address.
//                             Recover the real buffer size from the disassembly before rebuilding.
//  _SG6236/_SG6240/_SG6316 -- the compiler's .rdata copies of the L"\\Device\\cdenable" and
//                             L"\\DosDevices\\cdenable" literals; DriverEntry and cdenableUnload
//                             only read their terminating NUL ([16] / [20]) after memcpy'ing the
//                             body. Plain string literals replace all of this in a rebuild.
extern _UNKNOWN _ImageBase; // weak
// extern POBJECT_TYPE *IoFileObjectType;
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx
extern wchar_t _SG6236[17]; // weak
extern wchar_t _SG6240[21]; // weak
extern wchar_t _SG6316[21]; // weak

//-------------------------------------------------------------------------
// Function declarations

#define __thiscall __cdecl // Test compile in C mode: IDA labels the ObfDereferenceObject import and the scope-table callbacks in _except_handler3 as __thiscall, a convention plain C does not have; mapping it to __cdecl only makes a trial build parse, it is not ABI-correct.

// PMDL __stdcall IoAllocateMdl(PVOID VirtualAddress, ULONG Length, BOOLEAN SecondaryBuffer, BOOLEAN ChargeQuota, PIRP Irp);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// NTSTATUS __stdcall IoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName, PUNICODE_STRING DeviceName);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PDEVICE_OBJECT *DeviceObject);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// void __stdcall RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// int __thiscall ObfDereferenceObject(_DWORD); weak
// ObfDereferenceObject is the __fastcall export that the documented ObDereferenceObject() macro expands to; a rebuild should simply call ObDereferenceObject(). IDA's __thiscall guess is just the one-argument-in-ECX pattern.

// void __stdcall ExFreePool(PVOID P);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// void __stdcall IoFreeMdl(PMDL Mdl);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// NTSTATUS __stdcall KeWaitForSingleObject(PVOID Object, KWAIT_REASON WaitReason, KPROCESSOR_MODE WaitMode, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// int __fastcall IofCallDriver(_DWORD, _DWORD); weak
//http://valhalla.bofh.pl/~l4mer/WDM/IoCallDriver.htm
// remark: IoCallDriver
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// void __stdcall MmBuildMdlForNonPagedPool(PMDL MemoryDescriptorList);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// void __stdcall IoDeleteDevice(PDEVICE_OBJECT DeviceObject);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// PVOID __stdcall ExAllocatePoolWithTag(POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// PIRP __stdcall IoAllocateIrp(CCHAR StackSize, BOOLEAN ChargeQuota);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// void __stdcall KeInitializeEvent(PRKEVENT Event, EVENT_TYPE Type, BOOLEAN State);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// NTSTATUS __stdcall ObReferenceObjectByHandle(HANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID *Object, POBJECT_HANDLE_INFORMATION HandleInformation);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// void __stdcall IoFreeIrp(PIRP Irp);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// LONG __stdcall KeSetEvent(PRKEVENT Event, KPRIORITY Increment, BOOLEAN Wait);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// int __fastcall IofCompleteRequest(_DWORD, _DWORD); weak
// __fastcall export behind the IoCompleteRequest() macro. It is imported but none of the decompiled functions call it; presumably cdenableDispatch (which did not decompile) uses it to complete the caller's IRP.
// remark: IoCompleteRequest
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// NTSTATUS __stdcall IoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName);
//http://msdn.microsoft.com/en-us/library ... 85%29.aspx

// --- Driver code ---
// DriverEntry: creates \Device\cdenable + \DosDevices\cdenable and installs the dispatch/unload routines.
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);
// direct_read: synchronous IRP_MJ_READ of a3 bytes at offset a2 on the file behind handle Object,
// copied into a4; returns 1 on success, 0 otherwise. Called by cdenableDispatch (not decompiled).
int __stdcall direct_read(HANDLE Object, int a2, unsigned int a3, void *a4);
// Completion routine for direct_read's IRP; real shape is PIO_COMPLETION_ROUTINE
// (PDEVICE_OBJECT, PIRP, PVOID) -> NTSTATUS; the int parameters are decompiler guesses.
int __stdcall CDenableIoCompletion(int, PIRP Irp, int); // idb
// Dispatch for IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL (see DriverEntry);
// failed to decompile ("variables would overlap"), see the #error below. Real shape is
// DRIVER_DISPATCH (PDEVICE_OBJECT, PIRP) -> NTSTATUS.
int __stdcall cdenableDispatch(int, int); // weak
// DriverUnload; a1 is really the PDRIVER_OBJECT (DriverEntry stores it as PDRIVER_UNLOAD).
// 'int' truncates the pointer on 64-bit -- change it together with the definition below.
void __stdcall cdenableUnload(int a1);
// PKTHREAD __stdcall KeGetCurrentThread();
// --- Statically linked MSVC x86 SEH runtime (CRT), not driver logic ---
// These come from the DDK's libc and need not be reconstructed: a rebuild links the CRT.
int __cdecl _global_unwind2(int a1);
int __cdecl gu_return(int); // weak
signed int __cdecl _unwind_handler(int a1, int a2, int a3, int a4);
int __cdecl _local_unwind2(int a1, int a2);
int _abnormal_termination(void);
// void __usercall ___00009(int a1<eax>, char a2<dh>, int a3<esi>);
// signed int __usercall _except_handler3<eax>(int a1<ebp>);
int __stdcall _seh_longjmp_unwind(int a1);
// int __stdcall RtlUnwind(_DWORD, _DWORD, _DWORD, _DWORD); weak


//----- (00010312) --------------------------------------------------------
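// Driver entry point: creates the \Device\cdenable control device, exposes it to
// user mode as \DosDevices\cdenable and installs the dispatch and unload routines.
//
//   DriverObject  the driver object supplied by the I/O manager
//   RegistryPath  unused (the original ignores it too)
//
// Returns the NTSTATUS of IoCreateDevice or IoCreateSymbolicLink. If the symbolic
// link cannot be created the device object is deleted again so nothing leaks.
//
// Reconstructed from the decompiled listing. The memcpy()/_SG* sequences in the
// original were the compiler materialising the two wide-string literals on the
// stack before RtlInitUnicodeString; initialising the UNICODE_STRINGs directly from
// the literals is equivalent. The one deliberate behavioural change is marked REVIEW.
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING deviceName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS       status;

    (void)RegistryPath;

    RtlInitUnicodeString(&deviceName, L"\\Device\\cdenable");
    RtlInitUnicodeString(&linkName,   L"\\DosDevices\\cdenable");

    // Original call: IoCreateDevice(DriverObject, 4, &name, 0x8301, 0, 1, &dev)
    //  - 4-byte device extension (nothing in the listing reads it),
    //  - 0x8301 is a vendor-defined FILE_DEVICE_* value (>= 0x8000),
    //  - Exclusive = TRUE, i.e. a single open handle at a time.
    // REVIEW: the original passed DeviceCharacteristics = 0. Without
    // FILE_DEVICE_SECURE_OPEN an open of "\\.\cdenable\<anything>" is not checked
    // against the device object's security descriptor. A rebuild should go further
    // and use IoCreateDeviceSecure() with an SDDL string that limits opens to
    // administrators, since this device performs raw reads on behalf of its caller.
    status = IoCreateDevice(DriverObject,
                            4,
                            &deviceName,
                            0x8301,
                            FILE_DEVICE_SECURE_OPEN,
                            TRUE,
                            &deviceObject);
    if (!NT_SUCCESS(status))
        return status;

    status = IoCreateSymbolicLink(&linkName, &deviceName);

    // Original indices: MajorFunction[0], [2] and [14].
    DriverObject->MajorFunction[IRP_MJ_CREATE]         = (PDRIVER_DISPATCH)cdenableDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = (PDRIVER_DISPATCH)cdenableDispatch;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = (PDRIVER_DISPATCH)cdenableDispatch;
    DriverObject->DriverUnload                         = (PDRIVER_UNLOAD)cdenableUnload;

    if (!NT_SUCCESS(status)) {
        // deviceObject is non-NULL here: IoCreateDevice succeeded above.
        IoDeleteDevice(deviceObject);
    }
    return status;
}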
// 102C4: using guessed type wchar_t $SG6236[17];
// 102E8: using guessed type wchar_t $SG6240[21];
// 10542: using guessed type int __stdcall cdenableDispatch(int, int);

//----- (000103BC) --------------------------------------------------------
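// Performs a synchronous IRP_MJ_READ of a3 bytes at byte offset a2 on the file
// behind the handle Object and copies the data into a4.
//
//   Object  handle to the file/device to read from; referenced and released here
//   a2      low 32 bits of the byte offset (the high part is always 0)
//   a3      number of bytes requested; also the number of bytes written to a4
//   a4      destination buffer
//
// Returns 1 if the lower driver completed the read with a success status, else 0.
//
// Reconstruction notes. The raw x86 offsets of the decompiled listing map onto
// documented fields and are written that way here so the code is 64-bit clean:
//   FileObject + 4                 -> FILE_OBJECT.DeviceObject
//   DeviceObject + 48              -> DEVICE_OBJECT.StackSize
//   CurrentStackLocation - 36      -> IoGetNextIrpStackLocation(irp)
//   next+0 / +1 / +3               -> MajorFunction / MinorFunction / Control
//   next+4 / +12 / +16             -> Parameters.Read.Length / ByteOffset.LowPart / .HighPart
//   next+20 / +24 / +28 / +32      -> DeviceObject / FileObject / CompletionRoutine / Context
//   Irp->Flags = 256               -> IRP_READ_OPERATION
//   Control = 0xE0                 -> SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL
//
// Deliberate changes relative to the binary, each marked REVIEW (n) below:
//   1. the caller-supplied handle is referenced with UserMode, not KernelMode;
//   2. a3 is bounded by the staging buffer before it is used;
//   3. a NULL return from IoAllocateMdl is handled;
//   4. the status block is a real IO_STATUS_BLOCK (the original pointed UserIosb
//      at a 4-byte int that CDenableIoCompletion writes 8 bytes through);
//   5. the IRP is freed when the buffer or MDL allocation fails;
//   6. only the bytes the lower driver reported are copied, the rest is zeroed;
//   7. the wait is non-alertable.
int __stdcall direct_read(HANDLE Object, int a2, unsigned int a3, void *a4)
{
    PFILE_OBJECT       fileObject = NULL;
    PDEVICE_OBJECT     deviceObject;
    PIRP               irp;
    PIO_STACK_LOCATION next;
    PVOID              buffer = NULL;
    PMDL               mdl = NULL;
    KEVENT             event;
    IO_STATUS_BLOCK    iosb;
    NTSTATUS           status;
    SIZE_T             got;
    int                ok = 0;
    // Decompiler artifact: the size operand in the binary is an immediate that IDA
    // resolved to the module's load address and printed as &_ImageBase. Recover the
    // real constant from the disassembly -- it is the staging buffer size and thus
    // the upper bound on a3.
    SIZE_T             bufferSize = (SIZE_T)&_ImageBase;

    iosb.Status = 0;
    iosb.Information = 0;

    // REVIEW (2): the original used a3 unchecked both as the IRP read length and as
    // the memcpy length out of the fixed-size buffer; anything above bufferSize read
    // past the allocation.
    if (a4 == NULL || a3 > bufferSize)
        return 0;

    // REVIEW (1): UserMode instead of the original 0 (KernelMode). With KernelMode the
    // handle-table access check is skipped and any handle value the caller supplies is
    // accepted with the requested FILE_READ_DATA. This assumes the handle arrives via
    // the user-mode IOCTL path (cdenableDispatch did not decompile -- confirm); a
    // kernel caller passing a kernel handle would need KernelMode here.
    status = ObReferenceObjectByHandle(Object,
                                       FILE_READ_DATA,          /* original: 1 */
                                       *IoFileObjectType,
                                       UserMode,
                                       (PVOID *)&fileObject,
                                       NULL);
    if (!NT_SUCCESS(status))
        return 0;

    deviceObject = fileObject->DeviceObject;      /* original: *((_DWORD *)Object + 1) */
    KeInitializeEvent(&event, SynchronizationEvent, FALSE);

    irp = IoAllocateIrp(deviceObject->StackSize, FALSE);   /* original: *(_BYTE *)(dev + 48) */
    if (irp == NULL)
        goto out_deref;

    // Tag 0x43446C70 is 'CDlp' as an MSVC multi-character constant.
    buffer = ExAllocatePoolWithTag(NonPagedPool, bufferSize, 0x43446C70u);
    if (buffer == NULL)
        goto out_free_irp;

    mdl = IoAllocateMdl(buffer, (ULONG)bufferSize, FALSE, TRUE, NULL);
    if (mdl == NULL)        /* REVIEW (3): original fed NULL to MmBuildMdlForNonPagedPool */
        goto out_free_buffer;
    MmBuildMdlForNonPagedPool(mdl);

    irp->MdlAddress    = mdl;
    irp->UserEvent     = &event;
    irp->UserIosb      = &iosb;                   /* REVIEW (4): was (PIO_STATUS_BLOCK)&v11 */
    irp->RequestorMode = KernelMode;
    irp->Flags         = IRP_READ_OPERATION;      /* original: 256 */
    irp->Tail.Overlay.Thread             = (PETHREAD)KeGetCurrentThread();
    irp->Tail.Overlay.OriginalFileObject = fileObject;

    next = IoGetNextIrpStackLocation(irp);        /* original: CurrentStackLocation - 36 */
    next->MajorFunction = IRP_MJ_READ;            /* original: 3 */
    next->MinorFunction = 0;
    next->DeviceObject  = deviceObject;
    next->FileObject    = fileObject;
    next->Parameters.Read.Length              = a3;
    next->Parameters.Read.ByteOffset.LowPart  = (ULONG)a2;
    next->Parameters.Read.ByteOffset.HighPart = 0;
    // Control = 0xE0 in the original: invoke on success, error and cancel.
    // CDenableIoCompletion keeps its decompiled (int, PIRP, int) prototype; give it the
    // PIO_COMPLETION_ROUTINE shape when rebuilding and drop the cast.
    IoSetCompletionRoutine(irp, (PIO_COMPLETION_ROUTINE)CDenableIoCompletion, NULL, TRUE, TRUE, TRUE);

    // Return value ignored as in the original: with all three invoke flags set the
    // completion routine runs whatever the lower driver returns.
    (void)IoCallDriver(deviceObject, irp);
    // REVIEW (7): the original passed Alertable = TRUE. A wait that returns
    // STATUS_ALERTED before the IRP completes would tear down this frame -- which the
    // in-flight IRP still points at through UserEvent and UserIosb -- under it.
    KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
    // CDenableIoCompletion has freed the IRP (STATUS_MORE_PROCESSING_REQUIRED).
    irp = NULL;

    if (NT_SUCCESS(iosb.Status)) {
        // REVIEW (6): copy only what the lower driver reported and zero the rest. The
        // original copied a3 bytes regardless of IoStatus.Information, so a short read
        // handed the caller stale non-paged pool contents. a4 is assumed to be a
        // system buffer (METHOD_BUFFERED); if cdenableDispatch passes a raw user
        // pointer through, this copy needs ProbeForWrite inside __try/__except.
        got = iosb.Information;
        if (got > a3)
            got = a3;
        memcpy(a4, buffer, got);
        if (got < a3)
            memset((unsigned char *)a4 + got, 0, a3 - got);
        ok = 1;
    }

    IoFreeMdl(mdl);
    ExFreePool(buffer);
    goto out_deref;

out_free_buffer:
    ExFreePool(buffer);
out_free_irp:
    // REVIEW (5): the original leaked the IRP on these paths -- only the completion
    // routine ever freed it.
    IoFreeIrp(irp);
out_deref:
    ObDereferenceObject(fileObject);              /* original: ObfDereferenceObject */
    return ok;
}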
// 10210: using guessed type int __thiscall ObfDereferenceObject(_DWORD);
// 10220: using guessed type int __fastcall IofCallDriver(_DWORD, _DWORD);

//----- (00010512) --------------------------------------------------------
// Completion routine for the IRP built by direct_read. Publishes the lower driver's
// IoStatus through Irp->UserIosb, wakes the waiting thread through Irp->UserEvent,
// then frees the IRP itself and returns STATUS_MORE_PROCESSING_REQUIRED
// (0xC0000016 == -1073741802) so the I/O manager does not touch the freed IRP.
//
//   a1   device object (unused)
//   Irp  the IRP allocated by direct_read
//   a3   completion context (unused, direct_read passes 0)
//
// The decompiled (int, PIRP, int) signature is kept; the real one is PIO_COMPLETION_ROUTINE.
signed int __stdcall CDenableIoCompletion(int a1, PIRP Irp, int a3)
{
    PIO_STATUS_BLOCK target = Irp->UserIosb;
    PKEVENT          done   = Irp->UserEvent;

    target->Status      = Irp->IoStatus.Status;
    target->Information = Irp->IoStatus.Information;

    // Once the event is signalled direct_read may return and its stack frame (where
    // the status block and the event live) is gone, so nothing reachable through
    // UserIosb/UserEvent may be touched after this call. The IRP itself is pool memory
    // and is still ours to free.
    KeSetEvent(done, 0, 0);
    IoFreeIrp(Irp);

    return -1073741802; /* STATUS_MORE_PROCESSING_REQUIRED */
}

//----- (00010542) --------------------------------------------------------
// cdenableDispatch (installed by DriverEntry for IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL) did not decompile.
// Decompiler message: "FFFFFFFF: variables would overlap: edx/4 and edx/8 (funcsize=74)".
// It must be reconstructed from the disassembly: it is the routine that receives the IOCTL from user mode and
// hands the handle, offset, length and buffer to direct_read, so any validation of that input lives there.
// (Kept as a comment rather than #error so the listing can be compiled.)

//----- (00010652) --------------------------------------------------------
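// DriverUnload: removes the \DosDevices\cdenable symbolic link and deletes the
// device object created in DriverEntry.
//
//   a1  the PDRIVER_OBJECT the I/O manager passes to DriverUnload (DriverEntry stores
//       this function as PDRIVER_UNLOAD). 'int' is a decompiler guess that truncates
//       the pointer on 64-bit; change the prototype at the top of the file together
//       with this definition when rebuilding.
//
// Reconstructed from the decompiled listing: the memcpy()/_SG6316 sequence was the
// compiler materialising the string literal on the stack, and *(PDEVICE_OBJECT *)(a1 + 4)
// is DRIVER_OBJECT.DeviceObject on x86. The return value of IoDeleteSymbolicLink is
// ignored as in the original.
void __stdcall cdenableUnload(int a1)
{
    PDRIVER_OBJECT driverObject = (PDRIVER_OBJECT)a1;
    UNICODE_STRING linkName;

    RtlInitUnicodeString(&linkName, L"\\DosDevices\\cdenable");
    IoDeleteSymbolicLink(&linkName);
    // Only ever reached after a successful DriverEntry, so DeviceObject is non-NULL.
    IoDeleteDevice(driverObject->DeviceObject);
}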
// 10628: using guessed type wchar_t $SG6316[21];

//----- (0001069C) --------------------------------------------------------
// CRT SEH helper (statically linked MSVC x86 runtime, not driver code): starts a
// global unwind to the registration record a1, resuming in gu_return. A rebuild
// links the CRT instead of reproducing this.
int __cdecl _global_unwind2(int a1)
{
    int rc;

    rc = RtlUnwind(a1, gu_return, 0, 0);
    return rc;
}
// 106B4: using guessed type int __cdecl gu_return(int);
// 1082E: using guessed type int __stdcall RtlUnwind(_DWORD, _DWORD, _DWORD, _DWORD);

//----- (000106BC) --------------------------------------------------------
// CRT SEH helper (statically linked MSVC x86 runtime, not driver code).
// Exception handler installed while a local unwind runs: if the exception record
// (a1) carries an unwind flag (bits 1|2, i.e. 6), the dispatcher context (a4) is
// pointed at the registration record a2 and 3 (nested exception / collided
// unwind) is returned; otherwise 1 (continue search).
signed int __cdecl _unwind_handler(int a1, int a2, int a3, int a4)
{
    const unsigned int flags = *(_DWORD *)(a1 + 4);

    if ((flags & 6) == 0)
        return 1;

    *(_DWORD *)a4 = a2;
    return 3;
}

//----- (000106DE) --------------------------------------------------------
// CRT SEH helper (statically linked MSVC x86 runtime, not driver code); a rebuild links the CRT.
// Runs the __finally blocks between the current try level and a2 for the registration record a1.
// The accesses match the MSVC x86 EXCEPTION_REGISTRATION layout: a1+8 is the scope table,
// a1+12 the current try level; scope-table entries are 12 bytes (previous level, filter, handler).
//   a1  pointer to the registration record
//   a2  try level at which to stop (-1 unwinds everything)
// Returns a1.
int __cdecl _local_unwind2(int a1, int a2) //http://www.winehq.org/pipermail/wine-cv ... 77757.html
{
int result; // eax@1
int v3; // ebx@1
int v4; // esi@1
int v5; // esi@3

while ( 1 )
{
result = a1;
v3 = *(_DWORD *)(a1 + 8);   // scope table
v4 = *(_DWORD *)(a1 + 12);  // current try level
if ( v4 == -1 )             // nothing left to unwind
break;
if ( v4 == a2 )             // reached the target level
break;
v5 = 3 * v4;                // entry index in DWORDs (3 DWORDs per entry)
*(_DWORD *)(a1 + 12) = *(_DWORD *)(v3 + 4 * v5);   // pop to the entry's previous level first
if ( !*(_DWORD *)(v3 + 4 * v5 + 4) )               // no filter => this entry is a __finally
(*(void (**)(void))(v3 + 4 * v5 + 8))();           // run its handler
}
return result;
}

//----- (00010738) --------------------------------------------------------
int _abnormal_termination(void)
{
int result; // eax@1
int v1; // ecx@1
int v2; // ecx@2

result = 0;
if ( *(signed int (__cdecl **)(int, int, int, int))(v1 + 4) == _unwind_handler )
{
if ( *(_DWORD *)(v2 + 8) == *(_DWORD *)(*(_DWORD *)(v2 + 12) + 12) )
result = 1;
}
return result;
}

//----- (0001075B) --------------------------------------------------------
// Not a real function. The decompiler appears to have made a routine out of the nine bytes
// between _abnormal_termination and _except_handler3 (an int 3 padding byte, something it
// decoded as an xor, and a jump into _except_handler3). Nothing in this listing calls it;
// drop it entirely when rebuilding.
void __usercall ___00009(int a1<eax>, char a2<dh>, int a3<esi>)
{
__asm { int 3 ; Trap to Debugger }
*(_BYTE *)a3 ^= *(_BYTE *)a1 ^ a2;
JUMPOUT(*(int *)_except_handler3);
}

//----- (00010764) --------------------------------------------------------
// CRT SEH helper (statically linked MSVC x86 runtime, not driver code); a rebuild links the CRT.
// The per-frame exception handler MSVC installs for __try blocks. The decompiler could not
// recover the normal argument list (it shows a single EBP-relative parameter); the reads below
// are consistent with the documented handler arguments sitting at a1+8 (EXCEPTION_RECORD),
// a1+12 (EXCEPTION_REGISTRATION) and a1+16 (CONTEXT), and with the scope-table layout used
// by _local_unwind2 above (12-byte entries: previous level, filter, handler).
// Return values match the EXCEPTION_DISPOSITION enum: 0 continue execution, 1 continue search.
signed int __usercall _except_handler3<eax>(int a1<ebp>)
{
int v1; // eax@1
int v2; // ebx@1
int v3; // edi@2
int v4; // esi@2
int v5; // eax@5
int v6; // edi@7
signed int result; // eax@9
int v8; // [sp-8h] [bp-20h]@5

v2 = *(_DWORD *)(a1 + 12);   // registration record
v1 = *(_DWORD *)(a1 + 8);    // exception record
if ( *(_DWORD *)(v1 + 4) & 6 )   // unwind in progress (flags 2|4)
{
// Unwind pass: run every pending __finally in this frame, then continue search.
_local_unwind2(v2, -1);
result = 1;
}
else
{
// Dispatch pass: stash exception record / context where the filters can reach them
// and link this frame into the registration record.
*(_DWORD *)(a1 - 8) = v1;
*(_DWORD *)(a1 - 4) = *(_DWORD *)(a1 + 16);
*(_DWORD *)(v2 - 4) = a1 - 8;
v4 = *(_DWORD *)(v2 + 12);   // current try level
v3 = *(_DWORD *)(v2 + 8);    // scope table
while ( v4 != -1 )
{
if ( *(_DWORD *)(v3 + 12 * v4 + 4) )   // entry has a filter => __except, not __finally
{
v8 = a1;
v5 = (*(int (__thiscall **)(int))(v3 + 12 * v4 + 4))(3 * v4);   // call the filter
a1 = v8;
v2 = *(_DWORD *)(v8 + 12);
if ( v5 )
{
if ( v5 < 0 )          // EXCEPTION_CONTINUE_EXECUTION
return 0;
// EXCEPTION_EXECUTE_HANDLER: global unwind to this frame, local unwind to this
// level, set the level to the entry's previous one and run the __except body.
v6 = *(_DWORD *)(v2 + 8);
_global_unwind2(*(_DWORD *)(v8 + 12));
a1 = v2 + 16;
_local_unwind2(v2, v4);
*(_DWORD *)(v2 + 12) = *(_DWORD *)(v6 + 12 * v4);
(*(void (__thiscall **)(int))(v6 + 12 * v4 + 8))(3 * v4);
}
}
// Filter said continue search (or entry was a __finally): move to the enclosing level.
v3 = *(_DWORD *)(v2 + 8);
v4 = *(_DWORD *)(v3 + 12 * v4);
}
result = 1;
}
return result;
}

//----- (00010812) --------------------------------------------------------
// CRT SEH helper (statically linked MSVC x86 runtime, not driver code): longjmp()
// support that runs the pending __finally blocks recorded in the jmp_buf a1
// (registration record at a1+24, target try level at a1+28). A rebuild links the CRT.
int __stdcall _seh_longjmp_unwind(int a1)
{
    int registration = *(_DWORD *)(a1 + 24);
    int target_level = *(_DWORD *)(a1 + 28);

    return _local_unwind2(registration, target_level);
}

// Decompiler summary: "There were 1 decompilation failure(s) on 12 function(s)" -- the failure is cdenableDispatch (see above).
// Kept as a comment rather than #error so the listing can be compiled.