PipProcessStartPhase3中的PpQueryCompatibleIDs和IopPnPDispatch函数分析——以ftdisk.sys为例

PipProcessStartPhase3中的PpQueryCompatibleIDs和IopPnPDispatch函数分析——以ftdisk.sys为例

PpQueryHardwareIDs(

DeviceNode,

&hwIds,

&hwIdLength);

PpQueryCompatibleIDs(

DeviceNode,

&compatibleIds,

&compatibleIdLength);

0: kd> dv hwIds

hwIds = 0xe130ced8

0: kd> dx -r1 ((ntkrnlmp!unsigned short *)0xe130ced8)

((ntkrnlmp!unsigned short *)0xe130ced8) : 0xe130ced8 : 0x52 [Type: unsigned short *]

0x52 [Type: unsigned short]

0: kd> db 0xe130ced8

e130ced8 52 00 4f 00 4f 00 54 00-5c 00 46 00 54 00 44 00 R.O.O.T.\.F.T.D.

e130cee8 49 00 53 00 4b 00 00 00-00 00 b2 b2 b2 b2 b2 b2 I.S.K...........

e130cef8 05 06 21 0c 41 72 62 4c-00 00 e0 e6 00 00 00 00 ..!.ArbL........

e130cf08 ff ff ef e6 00 00

0: kd> kc

00 nt!PpIrpQueryID

01 nt!PpQueryID

02 nt!PipProcessStartPhase3

03 nt!PipProcessDevNodeTree

04 nt!PiProcessReenumeration

05 nt!PipDeviceActionWorker

06 nt!PipRequestDeviceAction

07 nt!PipAddDevicesToBootDriverWorker

08 nt!PipApplyFunctionToServiceInstances

09 nt!PipAddDevicesToBootDriver

0a nt!IopInitializeBootDrivers

0b nt!IoInitSystem

0c nt!Phase1Initialization

0d nt!PspSystemThreadStartup

0e nt!KiThreadStartup

0: kd> p

eax=00000000 ebx=f789a2e8 ecx=00000000 edx=e130ced8 esi=804edc6c edi=89986898

eip=80c97a07 esp=f789a244 ebp=f789a274 iopl=0 nv up ei ng nz ac pe cy

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297

nt!PpIrpQueryID+0x3d:

80c97a07 8b5d0c mov ebx,dword ptr [ebp+0Ch] ss:0010:f789a280=00000002

0: kd> dv

DeviceObject = 0x899869f0 Device for "\Driver\PnpManager"

IDType = BusQueryCompatibleIDs (0n2)

ID = 0xf789a2ec

irpSp = struct _IO_STACK_LOCATION

status = 0n2

seed = {134110998500156250}

0: kd> g

Breakpoint 22 hit

eax=f789a250 ebx=00000002 ecx=00000000 edx=e130ced8 esi=f789a2ec edi=f789a274

eip=80c95c56 esp=f789a234 ebp=f789a274 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!IopSynchronousCall:

80c95c56 55 push ebp

0: kd> g

Breakpoint 24 hit

eax=0000001b ebx=00000000 ecx=89543958 edx=899bf5b0 esi=899bf5b0 edi=89543530

eip=f738c938 esp=f789a1e8 ebp=f789a200 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286

ftdisk!FtDiskPnp:

f738c938 55 push ebp

0: kd> kc

00 ftdisk!FtDiskPnp

01 nt!IofCallDriver

02 nt!IopSynchronousCall

03 nt!PpIrpQueryID

04 nt!PpQueryID

05 nt!PipProcessStartPhase3

06 nt!PipProcessDevNodeTree

07 nt!PiProcessReenumeration

08 nt!PipDeviceActionWorker

09 nt!PipRequestDeviceAction

0a nt!PipAddDevicesToBootDriverWorker

0b nt!PipApplyFunctionToServiceInstances

0c nt!PipAddDevicesToBootDriver

0d nt!IopInitializeBootDrivers

0e nt!IoInitSystem

0f nt!Phase1Initialization

10 nt!PspSystemThreadStartup

11 nt!KiThreadStartup

case IRP_MN_QUERY_ID:

status = FtpQueryRootId(rootExtension, Irp);

if (NT_SUCCESS(status) || (status == STATUS_NOT_SUPPORTED)) {

if (NT_SUCCESS(status)) {

Irp->IoStatus.Status = status;

}

IoSkipCurrentIrpStackLocation(Irp);

return IoCallDriver(targetObject, Irp);

}

break;

NTSTATUS

FtpQueryRootId(

IN PROOT_EXTENSION Extension,

IN PIRP Irp

)

{

switch (irpSp->Parameters.QueryId.IdType) {

case BusQueryDeviceID:

RtlInitUnicodeString(&string, L"ROOT\\FTDISK");

break;

case BusQueryHardwareIDs:

RtlInitUnicodeString(&string, L"ROOT\\FTDISK");

break;

case BusQueryInstanceID:

RtlInitUnicodeString(&string, L"0000");

break;

default:

return STATUS_NOT_SUPPORTED ; //这里返回了!!!

这次没有兼容ID，上次有HardwareID。

0: kd> p

eax=0000001b ebx=00000000 ecx=899873b0 edx=899bf5b0 esi=899bf5b0 edi=899869f0

eip=80a26758 esp=f789a1a0 ebp=f789a1b4 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286

nt!IofCallDriver+0x5e:

80a26758 ff548138 call dword ptr [ecx+eax*4+38h] ds:0023:89987454={nt!IopPnPDispatch (80cb0b36)}

0: kd> t

eax=0000001b ebx=00000000 ecx=899873b0 edx=899bf5b0 esi=899bf5b0 edi=899869f0

eip=80cb0b36 esp=f789a19c ebp=f789a1b4 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286

nt!IopPnPDispatch:

80cb0b36 55 push ebp

0: kd> kc

00 nt!IopPnPDispatch

01 nt!IofCallDriver

02 ftdisk!FtDiskPnp

03 nt!IofCallDriver

04 nt!IopSynchronousCall

05 nt!PpIrpQueryID

06 nt!PpQueryID

07 nt!PipProcessStartPhase3

08 nt!PipProcessDevNodeTree

09 nt!PiProcessReenumeration

0a nt!PipDeviceActionWorker

0b nt!PipRequestDeviceAction

0c nt!PipAddDevicesToBootDriverWorker

0d nt!PipApplyFunctionToServiceInstances

0e nt!PipAddDevicesToBootDriver

0f nt!IopInitializeBootDrivers

10 nt!IoInitSystem

11 nt!Phase1Initialization

12 nt!PspSystemThreadStartup

13 nt!KiThreadStartup

0: kd> dv

DeviceObject = 0x899869f0 Device for "\Driver\PnpManager"

Irp = 0x899bf5b0

information = 0x899869f0

length = 8

uiNumber = 0xf789a1b4

id = 0x00000000

PIOPNP_DEVICE_EXTENSION deviceExtension = DeviceObject->DeviceExtension;

0: kd> dt IOPNP_DEVICE_EXTENSION 0x89986aa8

nt!IOPNP_DEVICE_EXTENSION

+0x000 CompatibleIdList : (null)

+0x004 CompatibleIdListSize : 0

NTSTATUS

IopPnPDispatch(

IN PDEVICE_OBJECT DeviceObject,

IN OUT PIRP Irp

)

{

case IRP_MN_QUERY_ID:

if (DeviceObject != IopRootDeviceNode->PhysicalDeviceObject &&

(!NT_SUCCESS(Irp->IoStatus.Status) || !Irp->IoStatus.Information)) {

deviceNode = (PDEVICE_NODE)DeviceObject->DeviceObjectExtension->DeviceNode;

switch (irpSp->Parameters.QueryId.IdType) {

case BusQueryInstanceID:

case BusQueryDeviceID:

id = (PWCHAR)ExAllocatePool(PagedPool, deviceNode->InstancePath.Length);

if (id) {

ULONG separatorCount = 0;

RtlZeroMemory(id, deviceNode->InstancePath.Length);

information = id;

status = STATUS_SUCCESS;

wp = deviceNode->InstancePath.Buffer;

if (irpSp->Parameters.QueryId.IdType == BusQueryDeviceID) {

while(*wp) {

if (*wp == OBJ_NAME_PATH_SEPARATOR) {

separatorCount++;

if (separatorCount == 2) {

break;

}

}

*id = *wp;

id++;

wp++;

}

} else {

while(*wp) {

if (*wp == OBJ_NAME_PATH_SEPARATOR) {

separatorCount++;

if (separatorCount == 2) {

wp++;

break;

}

}

wp++;

}

while (*wp) {

*id = *wp;

id++;

wp++;

}

}

} else {

status = STATUS_INSUFFICIENT_RESOURCES;

}

break;

case BusQueryCompatibleIDs:

if((Irp->IoStatus.Status != STATUS_NOT_SUPPORTED) ||

(deviceExtension == NULL)) {

//

// Upper driver has given some sort of reply or this device

// object wasn't allocated to handle these requests.

//

status = Irp->IoStatus.Status;

break;

}

if(deviceExtension->CompatibleIdListSize != 0) { 不符合条件!!!

id = ExAllocatePool(PagedPool,

deviceExtension->CompatibleIdListSize);

if(id == NULL) {

status = STATUS_INSUFFICIENT_RESOURCES;

break;

}

RtlCopyMemory(id,

deviceExtension->CompatibleIdList,

deviceExtension->CompatibleIdListSize);

information = id;

status = STATUS_SUCCESS;

break;

}

0: kd> gu

eax=c00000bb ebx=f789a2e8 ecx=00000000 edx=00000000 esi=89986898 edi=89986898

eip=80c8a3a6 esp=f789a288 ebp=f789a29c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!PpQueryID+0x80:

80c8a3a6 33c9 xor ecx,ecx

0: kd> dv

DeviceNode = 0x89986898

IDType = BusQueryCompatibleIDs (0n2)

ID = 0xf789a2ec

IDLength = 0xf789a2e8

status = 0n-141974808

reason = ""

0: kd> dx -r1 ((ntkrnlmp!unsigned short * *)0xf789a2ec)

((ntkrnlmp!unsigned short * *)0xf789a2ec) : 0xf789a2ec [Type: unsigned short * *]

0x0 [Type: unsigned short *]

0: kd> gu

eax=c00000bb ebx=00000000 ecx=00000000 edx=00000000 esi=804edc6c edi=89986898

eip=80c923b1 esp=f789a2b4 ebp=f789a300 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!PipProcessStartPhase3+0x8b:

80c923b1 395df0 cmp dword ptr [ebp-10h],ebx ss:0010:f789a2f0=e130ced8

0: kd> dv compatibleIds

compatibleIds = 0x00000000

0: kd> dv compatibleIdLength

compatibleIdLength = 0