Miscellaneous Notes on Driver Objects, Device Objects and Device Stacks
Author: JIURL
Home: http://jiurl.yeah.net

It is impossible to build up the concepts of driver object and device object in a few sentences. At first they are blurry; with more exposure they slowly become clear. The following content will help you understand them. For the later narrative, the structures of the driver object and the device object are listed first.
The driver object structure DRIVER_OBJECT is defined as follows:

struct _DRIVER_OBJECT (sizeof=168)
   00 int16 Type
   02 int16 Size
   04 struct _DEVICE_OBJECT *DeviceObject
   08 uint32 Flags
   0c void *DriverStart
   10 uint32 DriverSize
   14 void *DriverSection
   18 struct _DRIVER_EXTENSION *DriverExtension
   1c struct _UNICODE_STRING DriverName
      1c uint16 Length
      1e uint16 MaximumLength
      20 uint16 *Buffer
   24 struct _UNICODE_STRING *HardwareDatabase
   28 struct _FAST_IO_DISPATCH *FastIoDispatch
   2c function *DriverInit
   30 function *DriverStartIo
   34 function *DriverUnload
   38 function *MajorFunction[28]

The DDK describes some of these fields. The 28 entries of MajorFunction are indexed by IRP major function code:

   [00] IRP_MJ_CREATE
   [01] IRP_MJ_CREATE_NAMED_PIPE
   [02] IRP_MJ_CLOSE
   [03] IRP_MJ_READ
   [04] IRP_MJ_WRITE
   [05] IRP_MJ_QUERY_INFORMATION
   [06] IRP_MJ_SET_INFORMATION
   [07] IRP_MJ_QUERY_EA
   [08] IRP_MJ_SET_EA
   [09] IRP_MJ_FLUSH_BUFFERS
   [0a] IRP_MJ_QUERY_VOLUME_INFORMATION
   [0b] IRP_MJ_SET_VOLUME_INFORMATION
   [0c] IRP_MJ_DIRECTORY_CONTROL
   [0d] IRP_MJ_FILE_SYSTEM_CONTROL
   [0e] IRP_MJ_DEVICE_CONTROL
   [0f] IRP_MJ_INTERNAL_DEVICE_CONTROL
   [10] IRP_MJ_SHUTDOWN
   [11] IRP_MJ_LOCK_CONTROL
   [12] IRP_MJ_CLEANUP
   [13] IRP_MJ_CREATE_MAILSLOT
   [14] IRP_MJ_QUERY_SECURITY
   [15] IRP_MJ_SET_SECURITY
   [16] IRP_MJ_POWER
   [17] IRP_MJ_SYSTEM_CONTROL
   [18] IRP_MJ_DEVICE_CHANGE
   [19] IRP_MJ_QUERY_QUOTA
   [1a] IRP_MJ_SET_QUOTA
   [1b] IRP_MJ_PNP

struct _DRIVER_EXTENSION (sizeof=24)
   00 struct _DRIVER_OBJECT *DriverObject
   04 function *AddDevice
   08 uint32 Count
   0c struct _UNICODE_STRING ServiceKeyName
      0c uint16 Length
      0e uint16 MaximumLength
      10 uint16 *Buffer
   14 struct _IO_CLIENT_EXTENSION *ClientDriverExtension

The device object structure DEVICE_OBJECT is defined as follows:

struct _DEVICE_OBJECT (sizeof=184)
   00 int16 Type
   02 uint16 Size
   04 int32 ReferenceCount
   08 struct _DRIVER_OBJECT *DriverObject
   0c struct _DEVICE_OBJECT *NextDevice
   10 struct _DEVICE_OBJECT *AttachedDevice
   14 struct _IRP *CurrentIrp
   18 struct _IO_TIMER *Timer
   1c uint32 Flags
   20 uint32 Characteristics
   24 struct _VPB *Vpb
   28 void *DeviceExtension
   2c uint32 DeviceType
   30 char StackSize
   34 union __unnamed62 Queue
      34 struct _LIST_ENTRY ListEntry
         34 struct _LIST_ENTRY *Flink
         38 struct _LIST_ENTRY *Blink
      34 struct _WAIT_CONTEXT_BLOCK Wcb
         34 struct _KDEVICE_QUEUE_ENTRY WaitQueueEntry
            34 struct _LIST_ENTRY DeviceListEntry
               34 struct _LIST_ENTRY *Flink
               38 struct _LIST_ENTRY *Blink
            3c uint32 SortKey
            40 byte Inserted
         44 function *DeviceRoutine
         48 void *DeviceContext
         4c uint32 NumberOfMapRegisters
         50 void *DeviceObject
         54 void *CurrentIrp
         58 struct _KDPC *BufferChainingDpc
   5c uint32 AlignmentRequirement
   60 struct _KDEVICE_QUEUE DeviceQueue
      60 int16 Type
      62 int16 Size
      64 struct _LIST_ENTRY DeviceListHead
         64 struct _LIST_ENTRY *Flink
         68 struct _LIST_ENTRY *Blink
      6c uint32 Lock
      70 byte Busy
   74 struct _KDPC Dpc
      74 int16 Type
      76 byte Number
      77 byte Importance
      78 struct _LIST_ENTRY DpcListEntry
         78 struct _LIST_ENTRY *Flink
         7c struct _LIST_ENTRY *Blink
      80 function *DeferredRoutine
      84 void *DeferredContext
      88 void *SystemArgument1
      8c void *SystemArgument2
      90 uint32 *Lock
   94 uint32 ActiveThreadCount
   98 void *SecurityDescriptor
   9c struct _KEVENT DeviceLock
      9c struct _DISPATCHER_HEADER Header
         9c byte Type
         9d byte Absolute
         9e byte Size
         9f byte Inserted
         a0 int32 SignalState
      a4 struct _LIST_ENTRY WaitListHead
         a4 struct _LIST_ENTRY *Flink
         a8 struct _LIST_ENTRY *Blink
   ac uint16 SectorSize
   ae uint16 Spare1
   b0 struct _DEVOBJ_EXTENSION *DeviceObjectExtension
   b4 void *Reserved

The DDK describes some of these fields.

struct _DEVOBJ_EXTENSION (sizeof=36)
   00 int16 Type
   02 uint16 Size
   04 struct _DEVICE_OBJECT *DeviceObject
   08 uint32 PowerFlags
   0c * Dope
   10 uint32 ExtensionFlags
   14 void *DeviceNode
   18 struct _DEVICE_OBJECT *AttachedTo
   1c struct _LIST_ENTRY FileObjectList
      1c struct _LIST_ENTRY *Flink
      20 struct _LIST_ENTRY *Blink

Every driver file loaded into memory has a DRIVER_OBJECT. For example, the driver i8042prt is loaded during the system initialization phase when the I/O Manager calls nt!IopLoadDriver. nt!IopLoadDriver reads the registry to obtain the path of the driver file i8042prt.sys and loads that file into memory. It then calls nt!ObCreateObject to create a driver object, and initializes this driver object.

Device objects (DEVICE_OBJECT) are created by the driver. A driver can create multiple device objects. From a driver object (DRIVER_OBJECT) you can find all device objects the driver created: all device objects created by a driver are linked into a chain, and this chain can be found from the DRIVER_OBJECT. A device object (DEVICE_OBJECT) can also find the driver object (DRIVER_OBJECT) that created it.

Below we use WinDbg to observe the driver i8042prt. i8042prt is the driver that implements the main functionality of the PS/2 keyboard. Note first that on a computer with both a PS/2 keyboard and a PS/2 mouse plugged in, i8042prt creates two device objects, one for the keyboard and one for the mouse.
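As an added example (not part of the original article), the following C program uses the three DRIVER_OBJECT fields just listed that matter for this purpose, DriverStart, DriverSize and MajorFunction[28], to audit a dispatch table: it maps each index to its IRP_MJ name and reports which entries point inside the driver's own image. The values are those of the i8042prt driver object dumped later on this page; the struct here keeps only those three fields and is not the kernel's definition. Out-of-image entries are expected when they all share one value (every unimplemented slot pointing at the same I/O manager default handler), while a lone out-of-image entry in a slot the driver should own is the pattern a rootkit scanner looks for when checking for hooked dispatch routines.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the article: audit a driver's MajorFunction[] table
 * against its own image range. Only the DRIVER_OBJECT fields the check needs
 * are kept; this is not the kernel's definition. */
#define IRP_MJ_COUNT 28                       /* indices [00]..[1b] */

static const char *irp_mj_names[IRP_MJ_COUNT] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE",
    "IRP_MJ_READ", "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION",
    "IRP_MJ_SET_INFORMATION", "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA",
    "IRP_MJ_FLUSH_BUFFERS", "IRP_MJ_QUERY_VOLUME_INFORMATION",
    "IRP_MJ_SET_VOLUME_INFORMATION", "IRP_MJ_DIRECTORY_CONTROL",
    "IRP_MJ_FILE_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CONTROL",
    "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN", "IRP_MJ_LOCK_CONTROL",
    "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT", "IRP_MJ_QUERY_SECURITY",
    "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER", "IRP_MJ_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP"
};

/* The DRIVER_OBJECT fields this check needs (32-bit layout as on the page). */
struct driver_image {
    uint32_t DriverStart;                     /* offset 0c */
    uint32_t DriverSize;                      /* offset 10 */
    uint32_t MajorFunction[IRP_MJ_COUNT];     /* offset 38 */
};

/* Values taken from the kd> !strct driver_object fe4f69f0 dump on this page. */
static const struct driver_image i8042prt = {
    0xFE1BD000, 0x00021000,
    { 0xFE1CB000, 0x80425354, 0xFE1CB14E, 0x80425354, 0x80425354, 0x80425354,
      0x80425354, 0x80425354, 0x80425354, 0xFE1BE558, 0x80425354, 0x80425354,
      0x80425354, 0x80425354, 0xFE1CB243, 0xFE1BE667, 0x80425354, 0x80425354,
      0x80425354, 0x80425354, 0x80425354, 0x80425354, 0xFE1D2C63, 0xFE1D3633,
      0x80425354, 0x80425354, 0x80425354, 0xFE1D1BFB }
};

/* True when addr lies in [DriverStart, DriverStart + DriverSize). */
static int in_image(const struct driver_image *d, uint32_t addr)
{
    return addr >= d->DriverStart && addr - d->DriverStart < d->DriverSize;
}

/* Returns the number of dispatch entries inside the driver image (handlers the
 * driver implements itself); bit i of *outside_mask is set for entries that
 * point elsewhere. */
int audit_major_functions(const struct driver_image *d, uint32_t *outside_mask)
{
    int inside = 0;
    uint32_t mask = 0;
    for (int i = 0; i < IRP_MJ_COUNT; i++) {
        if (in_image(d, d->MajorFunction[i]))
            inside++;
        else
            mask |= 1u << i;
    }
    if (outside_mask)
        *outside_mask = mask;
    return inside;
}

/* Number of distinct values among the out-of-image entries. One repeated value
 * is what every unimplemented slot pointing at the same default handler looks
 * like; a second distinct value is the entry worth examining. */
int distinct_outside_values(const struct driver_image *d)
{
    uint32_t seen[IRP_MJ_COUNT];
    int n = 0;
    for (int i = 0; i < IRP_MJ_COUNT; i++) {
        uint32_t v = d->MajorFunction[i];
        if (in_image(d, v))
            continue;
        int dup = 0;
        for (int j = 0; j < n; j++)
            if (seen[j] == v)
                dup = 1;
        if (!dup)
            seen[n++] = v;
    }
    return n;
}

int main(void)
{
    uint32_t outside;
    int inside = audit_major_functions(&i8042prt, &outside);
    printf("%d of %d dispatch entries lie inside the image %08X-%08X\n",
           inside, IRP_MJ_COUNT, (unsigned)i8042prt.DriverStart,
           (unsigned)(i8042prt.DriverStart + i8042prt.DriverSize));
    for (int i = 0; i < IRP_MJ_COUNT; i++)
        printf("[%02x] %-32s %08X %s\n", i, irp_mj_names[i],
               (unsigned)i8042prt.MajorFunction[i],
               (outside >> i) & 1 ? "outside image" : "");
    printf("distinct out-of-image values: %d\n", distinct_outside_values(&i8042prt));
    return 0;
}
```

For i8042prt, 8 entries (CREATE, CLOSE, FLUSH_BUFFERS, DEVICE_CONTROL, INTERNAL_DEVICE_CONTROL, POWER, SYSTEM_CONTROL, PNP) fall inside FE1BD000-FE1DE000 and the remaining 20 all share the single value 80425354, which is the benign shape of the table.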
First, from the object manager namespace we find the address of i8042prt's DRIVER_OBJECT:

kd> !object \Driver\i8042prt
Object: fe4f69f0  Type: (fe4ec3e0) Driver
    ObjectHeader: fe4f69d8
    HandleCount: 0  PointerCount: 5
    Directory Object: fe51bf30  Name: i8042prt

Now let's look at the contents of i8042prt's DRIVER_OBJECT:

kd> !strct driver_object fe4f69f0
struct _DRIVER_OBJECT (sizeof=168)
   00 int16 Type = 0004
   02 int16 Size = 00a8
   04 struct _DEVICE_OBJECT *DeviceObject = FE4D3BA0   // first device object on the DeviceObject chain
   08 uint32 Flags = 00000012
   0c void *DriverStart = FE1BD000
   10 uint32 DriverSize = 00021000
   14 void *DriverSection = FE4F6CC8
   18 struct _DRIVER_EXTENSION *DriverExtension = FE4F6A98
   1c struct _UNICODE_STRING DriverName
      1c uint16 Length = 0020
      1e uint16 MaximumLength = 0020
      20 uint16 *Buffer = E127FE88
   24 struct _UNICODE_STRING *HardwareDatabase = 80541FC0
   28 struct _FAST_IO_DISPATCH *FastIoDispatch = 00000000
   2c function *DriverInit = FE1D8000
   30 function *DriverStartIo = FE1BF444
   34 function *DriverUnload = FE1CB920
   38 function *MajorFunction[28] =
      [00] FE1CB000  [01] 80425354  [02] FE1CB14E  [03] 80425354
      [04] 80425354  [05] 80425354  [06] 80425354  [07] 80425354
      [08] 80425354  [09] FE1BE558  [0a] 80425354  [0b] 80425354
      [0c] 80425354  [0d] 80425354  [0e] FE1CB243  [0f] FE1BE667
      [10] 80425354  [11] 80425354  [12] 80425354  [13] 80425354
      [14] 80425354  [15] 80425354  [16] FE1D2C63  [17] FE1D3633
      [18] 80425354  [19] 80425354  [1a] 80425354  [1b] FE1D1BFB

We see that the first device object on the DeviceObject chain is at FE4D3BA0. We use the WinDbg !devobj command to get some information about it:

kd> !devobj fe4d3ba0
Device object (fe4d3ba0) is for:
  \Driver\i8042prt DriverObject fe4f69f0
Current Irp 00000000 RefCount 0 Type 00000027 Flags 00002004
DevExt fe4d3c58 DevObjExt fe4d3ed8
ExtensionFlags (0xc0000000)  Unknown flags 0xc0000000
AttachedDevice (Upper) fe4d3a60 \Driver\vmmouse
AttachedTo (Lower) fe4dd610 \Driver\ACPI
Device queue is not busy.

From this information, this is the device object for the mouse. Let's look at the specific contents of this DEVICE_OBJECT:

kd> !strct device_object fe4d3ba0
struct _DEVICE_OBJECT (sizeof=184)
   00 int16 Type = 0003
   02 uint16 Size = 0338
   04 int32 ReferenceCount = 00000000
   08 struct _DRIVER_OBJECT *DriverObject = FE4F69F0   // address of the \Driver\i8042prt driver object
   0c struct _DEVICE_OBJECT *NextDevice = FE4F5020    // next device object on the DeviceObject chain
   10 struct _DEVICE_OBJECT *AttachedDevice = FE4D3A60
   14 struct _IRP *CurrentIrp = 00000000
   ...

We see that NextDevice at offset 0c, the next device object on the DeviceObject chain, is FE4F5020. Again we use the WinDbg !devobj command to get some information about it:

kd> !devobj fe4f5020
Device object (fe4f5020) is for:
  \Driver\i8042prt DriverObject fe4f69f0
Current Irp 00000000 RefCount 0 Type 00000027 Flags 00002004
DevExt fe4f50d8 DevObjExt fe4f5358
ExtensionFlags (0xc0000000)  Unknown flags 0xc0000000
AttachedDevice (Upper) fe4f5df0 \Driver\Kbdclass
AttachedTo (Lower) fe4dd730 \Driver\ACPI
Device queue is not busy.

From this information, this is the device object for the keyboard. Let's look at the specific contents of this DEVICE_OBJECT:

kd> !strct device_object fe4f5020
struct _DEVICE_OBJECT (sizeof=184)
   00 int16 Type = 0003
   02 uint16 Size = 0338
   04 int32 ReferenceCount = 00000000
   08 struct _DRIVER_OBJECT *DriverObject = FE4F69F0   // address of the \Driver\i8042prt driver object
   0c struct _DEVICE_OBJECT *NextDevice = 00000000    // empty, indicating the end of the chain
   10 struct _DEVICE_OBJECT *AttachedDevice = FE4F5DF0
   14 struct _IRP *CurrentIrp = 00000000
   ...

When we observe initialization, we see i8042prt call IoCreateDevice to create each device object, and IoCreateDevice links the newly created device object into the driver's device chain.

Now a summary of the relationship between driver objects and device objects. A driver calls IoCreateDevice to create a device object, and all device objects created by a driver are linked into a chain. The driver object reaches this chain through 04 struct _DEVICE_OBJECT *DeviceObject; the device objects are linked to one another through 0c struct _DEVICE_OBJECT *NextDevice; and a device object finds the driver that created it through 08 struct _DRIVER_OBJECT *DriverObject.

Let's talk about the device stack. Driving a physical device is usually accomplished by a stack of layered drivers. Each layer has a device object, and these device objects are associated together to form a device stack. The device objects on a device stack are linked together from top to bottom, and also from bottom to top. Taking the PS/2 keyboard as an example, we use WinDbg to observe its device stack and how its device objects are connected. The PS/2 keyboard device stack looks roughly like this:

kd> !devstack fe4f5020
  !DevObj   !DrvObj            !DevExt   ObjectName
  fe4f5df0  \Driver\Kbdclass   fe4f5ea8  KeyboardClass0
> fe4f5020  \Driver\i8042prt   fe4f50d8
  fe4dd730  \Driver\ACPI       fe507468  0000000e
!DevNode fe4fed68 :
  DeviceInst is "ACPI\PNP0303\4&5289e18&0"
  ServiceName is "i8042prt"

The top DEVICE_OBJECT, at address fe4f5df0, belongs to the driver \Driver\Kbdclass. The middle DEVICE_OBJECT, at address fe4f5020, belongs to the driver \Driver\i8042prt. The bottom DEVICE_OBJECT, at address fe4dd730, belongs to the driver \Driver\ACPI. Let's see how these three device objects are connected.
The top-layer DEVICE_OBJECT:

kd> !devobj fe4f5df0
Device object (fe4f5df0) is for:
  KeyboardClass0 \Driver\Kbdclass DriverObject fe4f6330
Current Irp fe43a1c8 RefCount 0 Type 0000000b Flags 00002044
DevExt fe4f5ea8 DevObjExt fe4f5fd8
ExtensionFlags (0000000000)
AttachedTo (Lower) fe4f5020 \Driver\i8042prt
Device queue is busy -- Queue empty.

We see this device object has a name, KeyboardClass0, and belongs to the driver Kbdclass.

kd> !strct device_object fe4f5df0
struct _DEVICE_OBJECT (sizeof=184)
   00 int16 Type = 0003
   02 uint16 Size = 01e8
   04 int32 ReferenceCount = 00000000
   08 struct _DRIVER_OBJECT *DriverObject = FE4F6330   // address of Kbdclass's DRIVER_OBJECT
   0c struct _DEVICE_OBJECT *NextDevice = 00000000
   10 struct _DEVICE_OBJECT *AttachedDevice = 00000000   // empty, indicating no device object above this one
   14 struct _IRP *CurrentIrp = FE43A1C8
   ...
   ae uint16 Spare1 = 0000
   b0 struct _DEVOBJ_EXTENSION *DeviceObjectExtension = FE4F5FD8   // its DEVOBJ_EXTENSION is at FE4F5FD8
   b4 void *Reserved = 00000000

kd> !strct DEVOBJ_EXTENSION FE4F5FD8
struct _DEVOBJ_EXTENSION (sizeof=36)
   00 int16 Type = 000d
   02 uint16 Size = 0000
   04 struct _DEVICE_OBJECT *DeviceObject = FE4F5DF0
   08 uint32 PowerFlags = 00000010
   0c * Dope = 00000000
   10 uint32 ExtensionFlags = 00000000
   14 void *DeviceNode = 00000000
   18 struct _DEVICE_OBJECT *AttachedTo = FE4F5020   // the device object below this one is FE4F5020
   1c struct _LIST_ENTRY FileObjectList
      1c struct _LIST_ENTRY *Flink = 00000000
      20 struct _LIST_ENTRY *Blink = 00000000

The middle-layer DEVICE_OBJECT:

kd> !devobj fe4f5020
Device object (fe4f5020) is for:
  \Driver\i8042prt DriverObject fe4f69f0
Current Irp 00000000 RefCount 0 Type 00000027 Flags 00002004
DevExt fe4f50d8 DevObjExt fe4f5358
ExtensionFlags (0xc0000000)  Unknown flags 0xc0000000
AttachedDevice (Upper) fe4f5df0 \Driver\Kbdclass
AttachedTo (Lower) fe4dd730 \Driver\ACPI
Device queue is not busy.

We see this device object has no name and belongs to the driver i8042prt.

kd> !strct device_object fe4f5020
struct _DEVICE_OBJECT (sizeof=184)
   00 int16 Type = 0003
   02 uint16 Size = 0338
   04 int32 ReferenceCount = 00000000
   08 struct _DRIVER_OBJECT *DriverObject = FE4F69F0   // address of i8042prt's DRIVER_OBJECT
   0c struct _DEVICE_OBJECT *NextDevice = 00000000
   10 struct _DEVICE_OBJECT *AttachedDevice = FE4F5DF0   // the device object above this one
   14 struct _IRP *CurrentIrp = 00000000
   ...
   ae uint16 Spare1 = 0001
   b0 struct _DEVOBJ_EXTENSION *DeviceObjectExtension = FE4F5358   // its DEVOBJ_EXTENSION is at FE4F5358
   b4 void *Reserved = 00000000

kd> !strct DEVOBJ_EXTENSION FE4F5358
struct _DEVOBJ_EXTENSION (sizeof=36)
   00 int16 Type = 000d
   02 uint16 Size = 0000
   04 struct _DEVICE_OBJECT *DeviceObject = FE4F5020
   08 uint32 PowerFlags = 00000000
   0c * Dope = 00000000
   10 uint32 ExtensionFlags = c0000000
   14 void *DeviceNode = 00000000
   18 struct _DEVICE_OBJECT *AttachedTo = FE4DD730   // the device object below this one
   1c struct _LIST_ENTRY FileObjectList
      1c struct _LIST_ENTRY *Flink = 00000000
      20 struct _LIST_ENTRY *Blink = 00000000

The bottom-layer DEVICE_OBJECT:

kd> !devobj fe4dd730
Device object (fe4dd730) is for:
  0000000e \Driver\ACPI DriverObject fe4e8ad0
Current Irp 00000000 RefCount 1 Type 00000032 Flags 00001040
DevExt fe507468 DevObjExt fe4dd7e8 DevNode fe4fed68
ExtensionFlags (0000000000)
AttachedDevice (Upper) fe4f5020 \Driver\i8042prt
Device queue is not busy.

We see this device object has a name, 0000000e, and belongs to the driver ACPI.

kd> !strct device_object fe4dd730
struct _DEVICE_OBJECT (sizeof=184)
   00 int16 Type = 0003
   02 uint16 Size = 00b8
   04 int32 ReferenceCount = 00000001
   08 struct _DRIVER_OBJECT *DriverObject = FE4E8AD0   // address of ACPI's DRIVER_OBJECT
   0c struct _DEVICE_OBJECT *NextDevice = FE4DD850
   10 struct _DEVICE_OBJECT *AttachedDevice = FE4F5020   // the device object above this one
   14 struct _IRP *CurrentIrp = 00000000
   ...
   ae uint16 Spare1 = 0001
   b0 struct _DEVOBJ_EXTENSION *DeviceObjectExtension = FE4DD7E8   // its DEVOBJ_EXTENSION is at FE4DD7E8
   b4 void *Reserved = 00000000

kd> !strct DEVOBJ_EXTENSION FE4DD7E8
struct _DEVOBJ_EXTENSION (sizeof=36)
   00 int16 Type = 000d
   02 uint16 Size = 0000
   04 struct _DEVICE_OBJECT *DeviceObject = FE4DD730
   08 uint32 PowerFlags = 00000010
   0c * Dope = 00000000
   10 uint32 ExtensionFlags = 00000000
   14 void *DeviceNode = FE4FED68
   18 struct _DEVICE_OBJECT *AttachedTo = 00000000   // empty, indicating no device object below this one
   1c struct _LIST_ENTRY FileObjectList
      1c struct _LIST_ENTRY *Flink = 00000000
      20 struct _LIST_ENTRY *Blink = 00000000

From the above, starting from \Device\KeyboardClass0 (whose DRIVER_OBJECT is Kbdclass), you can find the unnamed DEVICE_OBJECT at address FE4F5020 (whose DRIVER_OBJECT is i8042prt).
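As an added example (not part of the original article), the following C program models only the pointers the article has been following and rebuilds the configuration from the dumps above: the i8042prt device chain (fe4d3ba0 -> fe4f5020), the keyboard stack (fe4dd730 / fe4f5020 / fe4f5df0) and the mouse stack (fe4dd610 / fe4d3ba0 / fe4d3a60). It walks a driver's chain through DeviceObject and NextDevice, walks a stack upward through AttachedDevice and downward through DEVOBJ_EXTENSION.AttachedTo, and then checks that the two directions agree with each other and with the owning drivers' chains, which is the kind of consistency test a memory-forensics tool applies to find a stack that was altered after the drivers built it. The struct definitions keep only those fields and are not the kernel's; the order of the ACPI device chain past fe4dd730 (fe4dd850, then fe4dd610) is an assumption, since the page shows only its first link.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not from the article: only the pointers the article follows are
 * modelled. These are not the kernel's definitions (see the struct listings above). */
struct device_object;

struct driver_object {
    struct device_object *DeviceObject;        /* offset 04: head of the device chain */
};

struct devobj_extension {
    struct device_object *DeviceObject;        /* offset 04: back pointer to its owner */
    struct device_object *AttachedTo;          /* offset 18: device object below */
};

struct device_object {
    uint32_t addr;                             /* address shown in the kd> dumps */
    struct driver_object *DriverObject;        /* offset 08: the creating driver */
    struct device_object *NextDevice;          /* offset 0c: next in the driver's chain */
    struct device_object *AttachedDevice;      /* offset 10: device object above */
    struct devobj_extension *DeviceObjectExtension; /* offset b0 */
};

/* Walk DeviceObject -> NextDevice -> ... -> NULL, as done above from fe4f69f0. */
int count_devices(const struct driver_object *drv)
{
    int n = 0;
    for (const struct device_object *d = drv->DeviceObject; d; d = d->NextDevice)
        n++;
    return n;
}

/* Follow AttachedDevice upward until it is empty: the top of the stack. */
const struct device_object *stack_top(const struct device_object *d)
{
    while (d->AttachedDevice)
        d = d->AttachedDevice;
    return d;
}

/* Follow DEVOBJ_EXTENSION.AttachedTo downward until it is empty: the bottom. */
const struct device_object *stack_bottom(const struct device_object *d)
{
    while (d->DeviceObjectExtension && d->DeviceObjectExtension->AttachedTo)
        d = d->DeviceObjectExtension->AttachedTo;
    return d;
}

/* Consistency check, walking down from `top`: each lower device's AttachedDevice
 * must point back at the device we came from, each extension must name its owner,
 * and each DriverObject must list the device in its own chain.
 * Returns 0 when consistent, otherwise the address of the first offending device. */
uint32_t check_stack(const struct device_object *top)
{
    const struct device_object *upper = NULL;
    for (const struct device_object *d = top; d; ) {
        if (upper && d->AttachedDevice != upper)
            return d->addr;
        if (d->DeviceObjectExtension && d->DeviceObjectExtension->DeviceObject != d)
            return d->addr;
        int owned = 0;
        for (const struct device_object *c = d->DriverObject->DeviceObject; c; c = c->NextDevice)
            if (c == d)
                owned = 1;
        if (!owned)
            return d->addr;
        upper = d;
        d = d->DeviceObjectExtension ? d->DeviceObjectExtension->AttachedTo : NULL;
    }
    return 0;
}

/* Sample graph rebuilt from the kd> dumps on this page. */
static struct driver_object drv_kbdclass, drv_i8042prt, drv_vmmouse, drv_acpi;
static struct device_object kbd_class = { 0xfe4f5df0 }, kbd_port = { 0xfe4f5020 },
    kbd_pdo = { 0xfe4dd730 }, mou_class = { 0xfe4d3a60 }, mou_port = { 0xfe4d3ba0 },
    mou_pdo = { 0xfe4dd610 }, acpi_other = { 0xfe4dd850 };
static struct devobj_extension ext[7];

static void attach(struct device_object *lower, struct device_object *upper)
{
    lower->AttachedDevice = upper;                      /* link upward ...  */
    upper->DeviceObjectExtension->AttachedTo = lower;   /* ... and downward */
}

void build_sample(void)
{
    struct device_object *all[7] = { &kbd_class, &kbd_port, &kbd_pdo, &mou_class,
                                     &mou_port, &mou_pdo, &acpi_other };
    struct driver_object *owner[7] = { &drv_kbdclass, &drv_i8042prt, &drv_acpi,
                                       &drv_vmmouse, &drv_i8042prt, &drv_acpi, &drv_acpi };
    for (int i = 0; i < 7; i++) {
        all[i]->DriverObject = owner[i];
        ext[i].DeviceObject = all[i];
        all[i]->DeviceObjectExtension = &ext[i];
    }
    /* Device chains. The ACPI chain order past fe4dd730 is an assumption. */
    drv_kbdclass.DeviceObject = &kbd_class;
    drv_vmmouse.DeviceObject  = &mou_class;
    drv_i8042prt.DeviceObject = &mou_port;  mou_port.NextDevice = &kbd_port;
    drv_acpi.DeviceObject = &kbd_pdo;  kbd_pdo.NextDevice = &acpi_other;  acpi_other.NextDevice = &mou_pdo;
    /* Device stacks: ACPI at the bottom, i8042prt in the middle, the class driver on top. */
    attach(&kbd_pdo, &kbd_port);  attach(&kbd_port, &kbd_class);
    attach(&mou_pdo, &mou_port);  attach(&mou_port, &mou_class);
}
```

After build_sample(), count_devices(&drv_i8042prt) is 2, stack_top(&kbd_port) is fe4f5df0 and stack_bottom(&kbd_port) is fe4dd730, matching the !devstack output; check_stack() returns 0 for both stacks, and clearing kbd_port.AttachedDevice makes it report fe4f5020, the device whose upward link no longer matches the downward one.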