nt!PipProcessStartPhase3函数分析之nt!PipSetDevNodeState

nt!PipProcessStartPhase3函数分析之nt!PipSetDevNodeState

0: kd> p

eax=00000000 ebx=00000000 ecx=80b1f6f8 edx=00000000 esi=89986898 edi=80b1f6f8

eip=80a2ece0 esp=f789a294 ebp=f789a2a0 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286

nt!PipSetDevNodeState+0x6c:

80a2ece0 8b5e18 mov ebx,dword ptr [esi+18h] ds:0023:899868b0=00000307

0: kd> dt _device_node 89986898

nt!_DEVICE_NODE

+0x000 Sibling : 0x89986648 _DEVICE_NODE

+0x004 Child : (null)

+0x008 Parent : 0x899c5bc8 _DEVICE_NODE

+0x00c LastChild : (null)

+0x010 Level : 1

+0x014 Notify : (null)

+0x018 State : 307 ( DeviceNodeStartPostWork )

+0x01c PreviousState : 302 ( DeviceNodeInitialized )

+0x020 StateHistory : [20] 301 ( DeviceNodeUninitialized )
+0x070 StateHistoryEntry : 2

+0x074 CompletionStatus : 0n0

+0x078 PendingIrp : (null)

+0x07c Flags : 0x139

+0x080 UserFlags : 0xa

+0x084 Problem : 0

+0x088 PhysicalDeviceObject : 0x899869f0 _DEVICE_OBJECT

+0x08c ResourceList : (null)

+0x090 ResourceListTranslated : (null)

+0x094 InstancePath : _UNICODE_STRING "Root\ftdisk\0000"

+0x09c ServiceName : _UNICODE_STRING "ftdisk"

+0x0a4 DuplicatePDO : (null)

+0x0a8 ResourceRequirements : (null)

+0x0ac InterfaceType : 0xffffffff (No matching name)

+0x0b0 BusNumber : 0xffffffff

+0x0b4 ChildInterfaceType : 0xffffffff (No matching name)

+0x0b8 ChildBusNumber : 0xffffffff

+0x0bc ChildBusTypeIndex : 0xffff

+0x0be RemovalPolicy : 0 ''

+0x0bf HardwareRemovalPolicy : 0 ''

+0x0c0 TargetDeviceNotify : _LIST_ENTRY [ 0x89986958 - 0x89986958 ]

+0x0c8 DeviceArbiterList : _LIST_ENTRY [ 0x89986960 - 0x89986960 ]

+0x0d0 DeviceTranslatorList : _LIST_ENTRY [ 0x89986968 - 0x89986968 ]

+0x0d8 NoTranslatorMask : 0

+0x0da QueryTranslatorMask : 0

+0x0dc NoArbiterMask : 0

+0x0de QueryArbiterMask : 0

+0x0e0 OverUsed1 : __unnamed

+0x0e4 OverUsed2 : __unnamed

+0x0e8 BootResources : (null)

+0x0ec CapabilityFlags : 0x180

+0x0f0 DockInfo : __unnamed

+0x100 DisableableDepends : 1

+0x104 PendedSetInterfaceState : _LIST_ENTRY [ 0x8998699c - 0x8998699c ]

+0x10c LegacyBusListEntry : _LIST_ENTRY [ 0x899869a4 - 0x899869a4 ]

0: kd> dv

DeviceNode = 0x89986898

State = DeviceNodeStarted (0n776)

OldState = 0x00000000

oldIrql = 0x89 ''

0: kd> dx -id 0,0,899a2278 -r1 (*((ntkrnlmp!_PNP_DEVNODE_STATE (*)[20])0x899868b8))

(*((ntkrnlmp!_PNP_DEVNODE_STATE (*)[20])0x899868b8)) [Type: _PNP_DEVNODE_STATE [20]]

[0] : DeviceNodeUninitialized (769) [Type: _PNP_DEVNODE_STATE]

[1] : DeviceNodeInitialized (770) [Type: _PNP_DEVNODE_STATE]

[2] : 0 [Type: _PNP_DEVNODE_STATE]

[3] : 0 [Type: _PNP_DEVNODE_STATE]

[4] : 0 [Type: _PNP_DEVNODE_STATE]

[5] : 0 [Type: _PNP_DEVNODE_STATE]

[6] : 0 [Type: _PNP_DEVNODE_STATE]

[7] : 0 [Type: _PNP_DEVNODE_STATE]

[8] : 0 [Type: _PNP_DEVNODE_STATE]

[9] : 0 [Type: _PNP_DEVNODE_STATE]

[10] : 0 [Type: _PNP_DEVNODE_STATE]

[11] : 0 [Type: _PNP_DEVNODE_STATE]

[12] : 0 [Type: _PNP_DEVNODE_STATE]

[13] : 0 [Type: _PNP_DEVNODE_STATE]

[14] : 0 [Type: _PNP_DEVNODE_STATE]

[15] : 0 [Type: _PNP_DEVNODE_STATE]

[16] : 0 [Type: _PNP_DEVNODE_STATE]

[17] : 0 [Type: _PNP_DEVNODE_STATE]

[18] : 0 [Type: _PNP_DEVNODE_STATE]

[19] : 0 [Type: _PNP_DEVNODE_STATE]

0: kd> kc

00 nt!PipSetDevNodeState

01 nt!PipProcessStartPhase3

02 nt!PipProcessDevNodeTree

03 nt!PiProcessReenumeration

04 nt!PipDeviceActionWorker

05 nt!PipRequestDeviceAction

06 nt!PipAddDevicesToBootDriverWorker

07 nt!PipApplyFunctionToServiceInstances

08 nt!PipAddDevicesToBootDriver

09 nt!IopInitializeBootDrivers

0a nt!IoInitSystem

0b nt!Phase1Initialization

0c nt!PspSystemThreadStartup

0d nt!KiThreadStartup

0: kd> dv

DeviceNode = 0x89986898
State = DeviceNodeStarted (0n776)

OldState = 0x00000000

oldIrql = 0x89 ''

// Excerpt from PipSetDevNodeState. `previousState` presumably holds the
// devnode's State as read before this point (not shown here); the dt output
// around this excerpt is consistent with that: PreviousState becomes 307,
// the value State held before the call (0x307 == 775 in the decimal dx view,
// DeviceNodeStartPostWork).
if (DeviceNode->State != State) {

//

// Update the devnode's current and previous state.

//

DeviceNode->State = State;

DeviceNode->PreviousState = previousState;

//

// Push prior state onto the history stack.

//

DeviceNode->StateHistory[DeviceNode->StateHistoryEntry] = previousState;

DeviceNode->StateHistoryEntry++;

// StateHistory is a fixed-size ring buffer (dt shows a [20]-entry array);
// the modulo wraps the write index back to 0 once it reaches the end, so
// old history is overwritten in place rather than indexing past the array.
DeviceNode->StateHistoryEntry %= STATE_HISTORY_SIZE;

}

0: kd> dt _device_node 89986898

nt!_DEVICE_NODE

+0x000 Sibling : 0x89986648 _DEVICE_NODE

+0x004 Child : (null)

+0x008 Parent : 0x899c5bc8 _DEVICE_NODE

+0x00c LastChild : (null)

+0x010 Level : 1

+0x014 Notify : (null)

+0x018 State : 307 ( DeviceNodeStartPostWork )

+0x01c PreviousState : 302 ( DeviceNodeInitialized )

+0x020 StateHistory : [20] 301 ( DeviceNodeUninitialized )

+0x070 StateHistoryEntry : 2

// Debug-level trace of the transition: "<InstancePath>: <old state> => <new state>".
// For the node examined above this would read
// "Root\ftdisk\0000: DeviceNodeStartPostWork => DeviceNodeStarted", assuming
// PP_DEVNODESTATE_NAME yields the enum's symbolic name (not shown here).
IopDbgPrint((IOP_INFO_LEVEL,

"%wZ: %s => %s\n",

&DeviceNode->InstancePath,

PP_DEVNODESTATE_NAME(previousState),

PP_DEVNODESTATE_NAME(State)));

0: kd> dt _device_node 89986898

nt!_DEVICE_NODE

+0x000 Sibling : 0x89986648 _DEVICE_NODE

+0x004 Child : (null)

+0x008 Parent : 0x899c5bc8 _DEVICE_NODE

+0x00c LastChild : (null)

+0x010 Level : 1

+0x014 Notify : (null)

+0x018 State : 308 ( DeviceNodeStarted )

+0x01c PreviousState : 307 ( DeviceNodeStartPostWork )

+0x020 StateHistory : [20] 301 ( DeviceNodeUninitialized )
+0x070 StateHistoryEntry : 3

+0x074 CompletionStatus : 0n0

+0x078 PendingIrp : (null)

+0x07c Flags : 0x139

+0x080 UserFlags : 0xa

+0x084 Problem : 0

+0x088 PhysicalDeviceObject : 0x899869f0 _DEVICE_OBJECT

+0x08c ResourceList : (null)

+0x090 ResourceListTranslated : (null)

+0x094 InstancePath : _UNICODE_STRING "Root\ftdisk\0000"

+0x09c ServiceName : _UNICODE_STRING "ftdisk"

+0x0a4 DuplicatePDO : (null)

+0x0a8 ResourceRequirements : (null)

+0x0ac InterfaceType : 0xffffffff (No matching name)

+0x0b0 BusNumber : 0xffffffff

+0x0b4 ChildInterfaceType : 0xffffffff (No matching name)

+0x0b8 ChildBusNumber : 0xffffffff

+0x0bc ChildBusTypeIndex : 0xffff

+0x0be RemovalPolicy : 0 ''

+0x0bf HardwareRemovalPolicy : 0 ''

+0x0c0 TargetDeviceNotify : _LIST_ENTRY [ 0x89986958 - 0x89986958 ]

+0x0c8 DeviceArbiterList : _LIST_ENTRY [ 0x89986960 - 0x89986960 ]

+0x0d0 DeviceTranslatorList : _LIST_ENTRY [ 0x89986968 - 0x89986968 ]

+0x0d8 NoTranslatorMask : 0

+0x0da QueryTranslatorMask : 0

+0x0dc NoArbiterMask : 0

+0x0de QueryArbiterMask : 0

+0x0e0 OverUsed1 : __unnamed

+0x0e4 OverUsed2 : __unnamed

+0x0e8 BootResources : (null)

+0x0ec CapabilityFlags : 0x180

+0x0f0 DockInfo : __unnamed

+0x100 DisableableDepends : 1

+0x104 PendedSetInterfaceState : _LIST_ENTRY [ 0x8998699c - 0x8998699c ]

+0x10c LegacyBusListEntry : _LIST_ENTRY [ 0x899869a4 - 0x899869a4 ]

0: kd> dx -id 0,0,899a2278 -r1 (*((ntkrnlmp!_PNP_DEVNODE_STATE (*)[20])0x899868b8))

(*((ntkrnlmp!_PNP_DEVNODE_STATE (*)[20])0x899868b8)) [Type: _PNP_DEVNODE_STATE [20]]
**[0] : DeviceNodeUninitialized (769) [Type: _PNP_DEVNODE_STATE]**

**[1] : DeviceNodeInitialized (770) [Type: _PNP_DEVNODE_STATE]**

**[2] : DeviceNodeStartPostWork (775) [Type: _PNP_DEVNODE_STATE]**

[3] : 0 [Type: _PNP_DEVNODE_STATE]

[4] : 0 [Type: _PNP_DEVNODE_STATE]