PipProcessStartPhase3中的PpQueryCompatibleIDs和IopPnPDispatch函数分析以ftdisk.sys为例


PpQueryHardwareIDs(
DeviceNode,
&hwIds,
&hwIdLength);

PpQueryCompatibleIDs(
DeviceNode,
&compatibleIds,
&compatibleIdLength);


0: kd> dv hwIds
hwIds = 0xe130ced8
0: kd> dx -r1 ((ntkrnlmp!unsigned short *)0xe130ced8)
((ntkrnlmp!unsigned short *)0xe130ced8) : 0xe130ced8 : 0x52 [Type: unsigned short *]
0x52 [Type: unsigned short]
0: kd> db 0xe130ced8
e130ced8 52 00 4f 00 4f 00 54 00-5c 00 46 00 54 00 44 00 R.O.O.T.\.F.T.D.
e130cee8 49 00 53 00 4b 00 00 00-00 00 b2 b2 b2 b2 b2 b2 I.S.K...........
e130cef8 05 06 21 0c 41 72 62 4c-00 00 e0 e6 00 00 00 00 ..!.ArbL........
e130cf08 ff ff ef e6 00 00


0: kd> kc
#
00 nt!PpIrpQueryID
01 nt!PpQueryID
02 nt!PipProcessStartPhase3
03 nt!PipProcessDevNodeTree
04 nt!PiProcessReenumeration
05 nt!PipDeviceActionWorker
06 nt!PipRequestDeviceAction
07 nt!PipAddDevicesToBootDriverWorker
08 nt!PipApplyFunctionToServiceInstances
09 nt!PipAddDevicesToBootDriver
0a nt!IopInitializeBootDrivers
0b nt!IoInitSystem
0c nt!Phase1Initialization
0d nt!PspSystemThreadStartup
0e nt!KiThreadStartup

0: kd> p
eax=00000000 ebx=f789a2e8 ecx=00000000 edx=e130ced8 esi=804edc6c edi=89986898
eip=80c97a07 esp=f789a244 ebp=f789a274 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
nt!PpIrpQueryID+0x3d:
80c97a07 8b5d0c mov ebx,dword ptr [ebp+0Ch] ss:0010:f789a280=00000002
0: kd> dv
DeviceObject = 0x899869f0 Device for "\Driver\PnpManager"
IDType = BusQueryCompatibleIDs (0n2)
ID = 0xf789a2ec
irpSp = struct _IO_STACK_LOCATION
status = 0n2
seed = {134110998500156250}


0: kd> g
Breakpoint 22 hit
eax=f789a250 ebx=00000002 ecx=00000000 edx=e130ced8 esi=f789a2ec edi=f789a274
eip=80c95c56 esp=f789a234 ebp=f789a274 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IopSynchronousCall:
80c95c56 55 push ebp
0: kd> g
Breakpoint 24 hit
eax=0000001b ebx=00000000 ecx=89543958 edx=899bf5b0 esi=899bf5b0 edi=89543530
eip=f738c938 esp=f789a1e8 ebp=f789a200 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
ftdisk!FtDiskPnp:
f738c938 55 push ebp
0: kd> kc
#
00 ftdisk!FtDiskPnp
01 nt!IofCallDriver
02 nt!IopSynchronousCall
03 nt!PpIrpQueryID
04 nt!PpQueryID
05 nt!PipProcessStartPhase3
06 nt!PipProcessDevNodeTree
07 nt!PiProcessReenumeration
08 nt!PipDeviceActionWorker
09 nt!PipRequestDeviceAction
0a nt!PipAddDevicesToBootDriverWorker
0b nt!PipApplyFunctionToServiceInstances
0c nt!PipAddDevicesToBootDriver
0d nt!IopInitializeBootDrivers
0e nt!IoInitSystem
0f nt!Phase1Initialization
10 nt!PspSystemThreadStartup
11 nt!KiThreadStartup


// Excerpt from ftdisk's PnP dispatch routine (the kd stack above shows
// ftdisk!FtDiskPnp being entered from nt!IofCallDriver). The enclosing
// switch on the minor function, and the locals `rootExtension` and
// `targetObject`, are declared outside this excerpt.
case IRP_MN_QUERY_ID:
status = FtpQueryRootId(rootExtension, Irp);

// Both a successful answer and STATUS_NOT_SUPPORTED are forwarded down the
// device stack. Only a successful status is written back into the IRP, so
// on STATUS_NOT_SUPPORTED the IRP's previous IoStatus is left untouched;
// the IopPnPDispatch excerpt further down tests Irp->IoStatus.Status
// against STATUS_NOT_SUPPORTED to decide whether to answer itself.
if (NT_SUCCESS(status) || (status == STATUS_NOT_SUPPORTED)) {
if (NT_SUCCESS(status)) {
Irp->IoStatus.Status = status;
}

// Skip this stack location instead of copying it: the IRP goes to the
// next-lower device object with the same parameters.
IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(targetObject, Irp);
}
break;

// Excerpt: selects the identifier string ftdisk reports for its root device.
// `irpSp` and `string`, and the code that copies `string` into the IRP's
// Information field, lie outside this excerpt; the function is shown only up
// to its default case.
NTSTATUS
FtpQueryRootId(
IN PROOT_EXTENSION Extension,
IN PIRP Irp
)
{

switch (irpSp->Parameters.QueryId.IdType) {

case BusQueryDeviceID:
RtlInitUnicodeString(&string, L"ROOT\\FTDISK");
break;

// The hardware ID is the same string as the device ID; this matches the
// "R.O.O.T.\.F.T.D.I.S.K." bytes dumped for hwIds earlier on the page.
case BusQueryHardwareIDs:
RtlInitUnicodeString(&string, L"ROOT\\FTDISK");
break;

case BusQueryInstanceID:
RtlInitUnicodeString(&string, L"0000");
break;

// There is no BusQueryCompatibleIDs case, so a compatible-ID query falls
// into the default and is answered with STATUS_NOT_SUPPORTED, which the
// dispatch excerpt above then forwards to the lower device object.
default:
return STATUS_NOT_SUPPORTED ; // returned here!!!


这次没有兼容ID,上次有HardwareID

0: kd> p
eax=0000001b ebx=00000000 ecx=899873b0 edx=899bf5b0 esi=899bf5b0 edi=899869f0
eip=80a26758 esp=f789a1a0 ebp=f789a1b4 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!IofCallDriver+0x5e:
80a26758 ff548138 call dword ptr [ecx+eax*4+38h] ds:0023:89987454={nt!IopPnPDispatch (80cb0b36)}


0: kd> t
eax=0000001b ebx=00000000 ecx=899873b0 edx=899bf5b0 esi=899bf5b0 edi=899869f0
eip=80cb0b36 esp=f789a19c ebp=f789a1b4 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!IopPnPDispatch:
80cb0b36 55 push ebp
0: kd> kc
#
00 nt!IopPnPDispatch
01 nt!IofCallDriver
02 ftdisk!FtDiskPnp
03 nt!IofCallDriver
04 nt!IopSynchronousCall
05 nt!PpIrpQueryID
06 nt!PpQueryID
07 nt!PipProcessStartPhase3
08 nt!PipProcessDevNodeTree
09 nt!PiProcessReenumeration
0a nt!PipDeviceActionWorker
0b nt!PipRequestDeviceAction
0c nt!PipAddDevicesToBootDriverWorker
0d nt!PipApplyFunctionToServiceInstances
0e nt!PipAddDevicesToBootDriver
0f nt!IopInitializeBootDrivers
10 nt!IoInitSystem
11 nt!Phase1Initialization
12 nt!PspSystemThreadStartup
13 nt!KiThreadStartup
0: kd> dv
DeviceObject = 0x899869f0 Device for "\Driver\PnpManager"
Irp = 0x899bf5b0
information = 0x899869f0
length = 8
uiNumber = 0xf789a1b4
id = 0x00000000


// Device extension of the device object IopPnPDispatch was called on (the kd
// `dv` above shows it belongs to "\Driver\PnpManager"); the `dt` dump below
// shows CompatibleIdList == NULL and CompatibleIdListSize == 0 for it.
PIOPNP_DEVICE_EXTENSION deviceExtension = DeviceObject->DeviceExtension;


0: kd> dt IOPNP_DEVICE_EXTENSION 0x89986aa8
nt!IOPNP_DEVICE_EXTENSION
+0x000 CompatibleIdList : (null)
+0x004 CompatibleIdListSize : 0

// Excerpt of the PnP manager's own dispatch routine, reduced to the
// IRP_MN_QUERY_ID handling. The switch on the minor function and the locals
// `deviceNode`, `irpSp`, `id`, `wp`, `status`, `information` and
// `deviceExtension` are declared outside this excerpt, and the function
// continues past its end (the remaining cases and the IRP completion are
// not shown).
NTSTATUS
IopPnPDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN OUT PIRP Irp
)
{

case IRP_MN_QUERY_ID:
// Only synthesize an answer when this is not the root device node's PDO
// and the upper driver either failed the query or returned no Information.
if (DeviceObject != IopRootDeviceNode->PhysicalDeviceObject &&
(!NT_SUCCESS(Irp->IoStatus.Status) || !Irp->IoStatus.Information)) {

deviceNode = (PDEVICE_NODE)DeviceObject->DeviceObjectExtension->DeviceNode;
switch (irpSp->Parameters.QueryId.IdType) {

// Device ID and instance ID are both carved out of the device node's
// InstancePath (e.g. "ROOT\FTDISK\0000" -> "ROOT\FTDISK" / "0000").
case BusQueryInstanceID:
case BusQueryDeviceID:

// The buffer is InstancePath.Length bytes (the UNICODE_STRING byte length)
// and is zeroed below; the NUL terminator of the returned string therefore
// comes from the zeroed tail, not from an explicit write.
// NOTE(review): the copy loops stop at a NUL in InstancePath.Buffer and
// assume the copied part is shorter than the whole path — this relies on
// the buffer being NUL-terminated and containing at least two separators;
// confirm against how InstancePath is built.
id = (PWCHAR)ExAllocatePool(PagedPool, deviceNode->InstancePath.Length);
if (id) {
ULONG separatorCount = 0;

RtlZeroMemory(id, deviceNode->InstancePath.Length);
// `information` keeps the start of the buffer; `id` is advanced below.
information = id;
status = STATUS_SUCCESS;
wp = deviceNode->InstancePath.Buffer;
if (irpSp->Parameters.QueryId.IdType == BusQueryDeviceID) {
// Device ID: everything before the second path separator.
while(*wp) {
if (*wp == OBJ_NAME_PATH_SEPARATOR) {
separatorCount++;
if (separatorCount == 2) {
break;
}
}
*id = *wp;
id++;
wp++;
}
} else {
// Instance ID: skip up to and including the second separator, then
// copy the remainder.
while(*wp) {
if (*wp == OBJ_NAME_PATH_SEPARATOR) {
separatorCount++;
if (separatorCount == 2) {
wp++;
break;
}
}
wp++;
}
while (*wp) {
*id = *wp;
id++;
wp++;
}
}
} else {
status = STATUS_INSUFFICIENT_RESOURCES;
}
break;

case BusQueryCompatibleIDs:

if((Irp->IoStatus.Status != STATUS_NOT_SUPPORTED) ||
(deviceExtension == NULL)) {

//
// Upper driver has given some sort of reply or this device
// object wasn't allocated to handle these requests.
//

status = Irp->IoStatus.Status;
break;
}

// A copy of the extension's CompatibleIdList is handed back only when the
// list is non-empty. The author's annotation on the next line ("condition
// not met") records that in the traced session CompatibleIdListSize was 0
// (see the `dt IOPNP_DEVICE_EXTENSION` dump above), so this branch was
// skipped and PpQueryID later observed 0xc00000bb.
if(deviceExtension->CompatibleIdListSize != 0) { 不符合条件!!!

id = ExAllocatePool(PagedPool,
deviceExtension->CompatibleIdListSize);

if(id == NULL) {
status = STATUS_INSUFFICIENT_RESOURCES;
break;
}

RtlCopyMemory(id,
deviceExtension->CompatibleIdList,
deviceExtension->CompatibleIdListSize);

information = id;
status = STATUS_SUCCESS;
break;
}
// The rest of this case, the other IdType cases and the function's tail
// are outside the excerpt.

0: kd> gu
eax=c00000bb ebx=f789a2e8 ecx=00000000 edx=00000000 esi=89986898 edi=89986898
eip=80c8a3a6 esp=f789a288 ebp=f789a29c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!PpQueryID+0x80:
80c8a3a6 33c9 xor ecx,ecx
0: kd> dv
DeviceNode = 0x89986898
IDType = BusQueryCompatibleIDs (0n2)
ID = 0xf789a2ec
IDLength = 0xf789a2e8
status = 0n-141974808
reason = ""
0: kd> dx -r1 ((ntkrnlmp!unsigned short * *)0xf789a2ec)
((ntkrnlmp!unsigned short * *)0xf789a2ec) : 0xf789a2ec [Type: unsigned short * *]
0x0 [Type: unsigned short *]


0: kd> gu
eax=c00000bb ebx=00000000 ecx=00000000 edx=00000000 esi=804edc6c edi=89986898
eip=80c923b1 esp=f789a2b4 ebp=f789a300 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!PipProcessStartPhase3+0x8b:
80c923b1 395df0 cmp dword ptr [ebp-10h],ebx ss:0010:f789a2f0=e130ced8
0: kd> dv compatibleIds
compatibleIds = 0x00000000
0: kd> dv compatibleIdLength
compatibleIdLength = 0
