From what I'm seeing in the trace log, there is a different behavior when returning from DeviceIoControl when using the CD and when using the CD image:
With CD:
Code:
004B415F Main PUSH EAX
004B4160 Main PUSH 50
004B4162 Main PUSH ECX
004B4163 Main PUSH 50
004B4165 Main PUSH ECX
004B4166 Main PUSH 4D014 // IOCTL_SCSI_PASS_THROUGH_DIRECT
004B416B Main MOV ECX,Copy_of_.004B398B ; ECX=004B398B
004B4170 Main ADD ECX,16D ; ECX=004B3AF8
004B4176 Main PUSH DWORD PTR DS:[ECX]
004B4178 Main MOV ECX,Copy_of_.004B398B ; ECX=004B398B
004B417D Main ADD ECX,2FB ; ECX=004B3C86
004B4183 Main CALL DWORD PTR DS:[ECX]
DeviceIoControl PUSH 14
7C801627 Main PUSH kernel32.7C810CC8
.....
......
7C801662 Main PUSH DWORD PTR SS:[EBP+8]
7C801665 Main JE kernel32.7C801743
7C80166B Main CALL DWORD PTR DS:[<&ntdll.NtDeviceIoControlFile>]
ZwDeviceIoControl>MOV EAX,42 ; EAX=00000042
7C90D8E8 Main MOV EDX,7FFE0300 ; EDX=7FFE0300
....
....
7C802519 Main LEAVE ; EBP=0012FF08
7C80251A Main PUSH ECX
7C80251B Main RETN
7C801694 Main RETN 20
004B4185 Main POP ECX ; ECX=00149988
004B4186 Main POP EDX ; EDX=004B3CD5
004B4187 Main MOV ECX,Copy_of_.004B398B ; ECX=004B398B
004B418C Main ADD ECX,18C ; ECX=004B3B17
004B4192 Main MOV ECX,DWORD PTR DS:[ECX] ; ECX=00149988
004B4194 Main OR EAX,EAX
004B4196 Main MOV AL,BYTE PTR DS:[ECX+2] ; EAX=00000000
004B4199 Main JE SHORT Copy_of_.004B41A1
004B419B Main OR AL,AL
004B419D Main JNZ SHORT Copy_of_.004B41A1 -> HERE WILL NOT JMP
004B419F Main MOV AL,1 ; EAX=00000001
And with the CD image:
Code:
004B4150 Main PUSH 0
004B4152 Main MOV EDX,Copy_of_.004B398B ; EDX=004B398B
004B4157 Main ADD EDX,17D ; EDX=004B3B08
004B415D Main MOV EAX,EDX ; EAX=004B3B08
004B415F Main PUSH EAX
004B4160 Main PUSH 50
004B4162 Main PUSH ECX
004B4163 Main PUSH 50
004B4165 Main PUSH ECX
004B4166 Main PUSH 4D014 // IOCTL_SCSI_PASS_THROUGH_DIRECT
004B416B Main MOV ECX,Copy_of_.004B398B ; ECX=004B398B
004B4170 Main ADD ECX,16D ; ECX=004B3AF8
004B4176 Main PUSH DWORD PTR DS:[ECX]
004B4178 Main MOV ECX,Copy_of_.004B398B ; ECX=004B398B
004B417D Main ADD ECX,2FB ; ECX=004B3C86
004B4183 Main CALL DWORD PTR DS:[ECX]
DeviceIoControl PUSH 14
7C801627 Main PUSH kernel32.7C810CC8
7C80162C Main CALL kernel32.7C8024CB
7C8024CB Main PUSH kernel32.7C8399F3
....
....
7C801660 Main PUSH EBX
7C801661 Main PUSH EBX
7C801662 Main PUSH DWORD PTR SS:[EBP+8]
7C801665 Main JE kernel32.7C801743
7C80166B Main CALL DWORD PTR DS:[<&ntdll.NtDeviceIoControlFile>]
ZwDeviceIoControl>MOV EAX,42 ; EAX=00000042
7C90D8E8 Main MOV EDX,7FFE0300 ; EDX=7FFE0300
.....
.....
7C802516 Main POP EDI
7C802517 Main POP ESI ; ESI=00591D60
7C802518 Main POP EBX ; EBX=00000010
7C802519 Main LEAVE ; EBP=0012FF08
7C80251A Main PUSH ECX
7C80251B Main RETN
7C801694 Main RETN 20
004B4185 Main POP ECX ; ECX=00149988
004B4186 Main POP EDX ; EDX=004B3CD5
004B4187 Main MOV ECX,Copy_of_.004B398B ; ECX=004B398B
004B418C Main ADD ECX,18C ; ECX=004B3B17
004B4192 Main MOV ECX,DWORD PTR DS:[ECX] ; ECX=00149988
004B4194 Main OR EAX,EAX
004B4196 Main MOV AL,BYTE PTR DS:[ECX+2] ; EAX=00000002
004B4199 Main JE SHORT Copy_of_.004B41A1
004B419B Main OR AL,AL
004B419D Main JNZ SHORT Copy_of_.004B41A1 ->HERE WILL JUMP
The DeviceIoControl uses: IOCTL_SCSI_PASS_THROUGH_DIRECT
As we can see, with CD:
004B4196 Main MOV AL,BYTE PTR DS:[ECX+2] ; EAX=00000000
and without CD but with the CD image:
004B4196 Main MOV AL,BYTE PTR DS:[ECX+2] ; EAX=00000002
we get different values...
I'm currently debugging it to see what the cause of these different values is.
Any help will be appreciated.
Regards,
LaBBa