
Analysis of nt!IopInitializePlugPlayServices: after the call, the global nt!PpDeviceReferenceTable holds exactly 46 device references (important)

Author: 张小明

0: kd> bp nt!IopInitializePlugPlayServices
0: kd> g
Breakpoint 1 hit
nt!IopInitializePlugPlayServices:
80e67f60 55 push ebp
1: kd> kc
#
00 nt!IopInitializePlugPlayServices
01 nt!IoInitSystem
02 nt!Phase1Initialization
03 nt!PspSystemThreadStartup
04 nt!KiThreadStartup
1: kd> x nt!PpDeviceReferenceTable
80b1fa40 nt!PpDeviceReferenceTable = struct _RTL_AVL_TABLE
1: kd> dx -id 0,0,ffffffff89dd5240 -r1 (*((ntkrnlmp!_RTL_AVL_TABLE *)0xffffffff80b1fa40))
(*((ntkrnlmp!_RTL_AVL_TABLE *)0xffffffff80b1fa40)) [Type: _RTL_AVL_TABLE]
[+0x000] BalancedRoot [Type: _RTL_BALANCED_LINKS]
[+0x010] OrderedPointer : 0x0 [Type: void *]
[+0x014] WhichOrderedElement : 0x0 [Type: unsigned long]
[+0x018] NumberGenericTableElements : 0x0 [Type: unsigned long]
[+0x01c] DepthOfTree : 0x0 [Type: unsigned long]
[+0x020] RestartKey : 0x0 [Type: _RTL_BALANCED_LINKS *]
[+0x024] DeleteCount : 0x0 [Type: unsigned long]
[+0x028] CompareRoutine : 0x80c87772 [Type: _RTL_GENERIC_COMPARE_RESULTS (*)(_RTL_AVL_TABLE *,void *,void *)]
[+0x02c] AllocateRoutine : 0x80c87834 [Type: void * (*)(_RTL_AVL_TABLE *,unsigned long)]
[+0x030] FreeRoutine : 0x80c878de [Type: void (*)(_RTL_AVL_TABLE *,void *)]
[+0x034] TableContext : 0x0 [Type: void *]

Part 2: after IopInitializePlugPlayServices returns (gu):
1: kd> gu
nt!IoInitSystem+0x68f:
80e6554b 85c0 test eax,eax
1: kd> x nt!PpDeviceReferenceTable
80b1fa40 nt!PpDeviceReferenceTable = struct _RTL_AVL_TABLE
1: kd> dx -id 0,0,ffffffff89dd5240 -r1 (*((ntkrnlmp!_RTL_AVL_TABLE *)0xffffffff80b1fa40))
(*((ntkrnlmp!_RTL_AVL_TABLE *)0xffffffff80b1fa40)) [Type: _RTL_AVL_TABLE]
[+0x000] BalancedRoot [Type: _RTL_BALANCED_LINKS]
[+0x010] OrderedPointer : 0x0 [Type: void *]
[+0x014] WhichOrderedElement : 0x0 [Type: unsigned long]
[+0x018] NumberGenericTableElements : 0x2e [Type: unsigned long]
[+0x01c] DepthOfTree : 0x6 [Type: unsigned long]
[+0x020] RestartKey : 0x0 [Type: _RTL_BALANCED_LINKS *]
[+0x024] DeleteCount : 0x0 [Type: unsigned long]
[+0x028] CompareRoutine : 0x80c87772 [Type: _RTL_GENERIC_COMPARE_RESULTS (*)(_RTL_AVL_TABLE *,void *,void *)]
[+0x02c] AllocateRoutine : 0x80c87834 [Type: void * (*)(_RTL_AVL_TABLE *,unsigned long)]
[+0x030] FreeRoutine : 0x80c878de [Type: void (*)(_RTL_AVL_TABLE *,void *)]
[+0x034] TableContext : 0x0 [Type: void *]
1: kd> ?0x2e
Evaluate expression: 46 = 0000002e
1: kd> !object \driver
Object: e1292890 Type: (89dd5e70) Directory
ObjectHeader: e1292878 (old version)
HandleCount: 0 PointerCount: 2
Directory Object: e1002aa0 Name: Driver

Hash Address Type Name
---- ------- ---- ----
33 89db9d28 Driver PnpManager
1: kd> !object 89db9d28
Object: 89db9d28 Type: (89df9ac0) Driver
ObjectHeader: 89db9d10 (old version)
HandleCount: 0 PointerCount: 560
Directory Object: e1292890 Name: PnpManager
1: kd> !drvobj 89db9d28
Driver object (89db9d28) is for:
\Driver\PnpManager
Driver Extension List: (id , addr)

Device Object list:
89df54a8 89df56f8 89df5948 89df5b98
89df5de8 89df5038 89db6380 89db65d0
89db6820 89db6a70 89db6cc0 89db6f10
89df6258 89df64a8 89df66f8 89df6948
89df6b98 89df6de8 89df6038 89db7380
89db75d0 89db7820 89db7a70 89db7cc0
89db7f10 89df7258 89df74a8 89df76f8
89df7948 89df7b98 89df7de8 89df7038
89db8380 89db85d0 89db8820 89db8a70
89db8cc0 89db8f10 89df8260 89df84b0
89df8700 89df8950 89df8ba0 89df8df0
89db98a0 89db9c00

4*11+2 = 0n46 = 0x2e: the Device Object list above has 11 full rows of 4 plus 2 more, which matches NumberGenericTableElements.


1: kd> dx -id 0,0,ffffffff89dd5240 -r1 (*((ntkrnlmp!_RTL_BALANCED_LINKS *)0xffffffff80b1fa40))
(*((ntkrnlmp!_RTL_BALANCED_LINKS *)0xffffffff80b1fa40)) [Type: _RTL_BALANCED_LINKS]
[+0x000] Parent : 0x80b1fa40 [Type: _RTL_BALANCED_LINKS *]
[+0x004] LeftChild : 0x0 [Type: _RTL_BALANCED_LINKS *]
[+0x008] RightChild : 0xe129f320 [Type: _RTL_BALANCED_LINKS *]
[+0x00c] Balance : -1 [Type: char]
[+0x00d] Reserved [Type: unsigned char [3]]
1: kd> dx -id 0,0,ffffffff89dd5240 -r1 ((ntkrnlmp!_RTL_BALANCED_LINKS *)0xe129f320)
((ntkrnlmp!_RTL_BALANCED_LINKS *)0xe129f320) : 0xe129f320 [Type: _RTL_BALANCED_LINKS *]
[+0x000] Parent : 0x80b1fa40 [Type: _RTL_BALANCED_LINKS *]
[+0x004] LeftChild : 0xe12a54a8 [Type: _RTL_BALANCED_LINKS *]
[+0x008] RightChild : 0xe128a5e8 [Type: _RTL_BALANCED_LINKS *]
[+0x00c] Balance : 1 [Type: char]
[+0x00d] Reserved [Type: unsigned char [3]]
1: kd> dx -id 0,0,ffffffff89dd5240 -r1 ((ntkrnlmp!_RTL_BALANCED_LINKS *)0xe128a5e8)
((ntkrnlmp!_RTL_BALANCED_LINKS *)0xe128a5e8) : 0xe128a5e8 [Type: _RTL_BALANCED_LINKS *]
[+0x000] Parent : 0xe129f320 [Type: _RTL_BALANCED_LINKS *]
[+0x004] LeftChild : 0xe128c768 [Type: _RTL_BALANCED_LINKS *]
[+0x008] RightChild : 0xe127e210 [Type: _RTL_BALANCED_LINKS *]
[+0x00c] Balance : 0 [Type: char]
[+0x00d] Reserved [Type: unsigned char [3]]

1: kd> dt _DEVICE_REFERENCE 0xe128a5e8+10
nt!_DEVICE_REFERENCE
+0x000 DeviceObject : 0x89df66f8 _DEVICE_OBJECT
+0x004 DeviceInstance : 0x89df6634 _UNICODE_STRING "Root\MEDIA\MS_MMACM"
1: kd> dt _device_object 0x89df66f8
hal!_DEVICE_OBJECT
+0x000 Type : 0n3
+0x002 Size : 0xc0
+0x004 ReferenceCount : 0n0
+0x008 DriverObject : 0x89db9d28 _DRIVER_OBJECT
+0x00c NextDevice : 0x89df6948 _DEVICE_OBJECT
+0x010 AttachedDevice : (null)
+0x014 CurrentIrp : (null)
+0x018 Timer : (null)
+0x01c Flags : 0x1040
+0x020 Characteristics : 0x80
+0x024 Vpb : (null)
+0x028 DeviceExtension : 0x89df67b0 Void
+0x02c DeviceType : 4
+0x030 StackSize : 1 ''
+0x034 Queue : __unnamed
+0x05c AlignmentRequirement : 0
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : 0
+0x098 SecurityDescriptor : 0xe12a7e30 Void
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : 0
+0x0ae Spare1 : 0
+0x0b0 DeviceObjectExtension : 0x89df67b8 _DEVOBJ_EXTENSION
+0x0b4 Reserved : (null)
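The session above shows the pattern this post relies on: BalancedRoot is a sentinel whose RightChild is the real root, each _DEVICE_REFERENCE sits 0x10 bytes past its _RTL_BALANCED_LINKS header (hence the `+10`), and every device in the table belongs to \Driver\PnpManager. The C model below is an added example, not code from the post or from Windows: it reproduces that layout with a plain (unbalanced) insert and walks the tree to cross-check NumberGenericTableElements and driver ownership, as one would when validating a kernel memory snapshot. `NODE`, `CHECK`, `sample_check` and the sample instance paths other than Root\MEDIA\MS_MMACM are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
/* Header that precedes every element; 0x10 bytes on the x86 target in the session. */
typedef struct _RTL_BALANCED_LINKS {
    struct _RTL_BALANCED_LINKS *Parent, *LeftChild, *RightChild;
    signed char Balance; unsigned char Reserved[3];
} RTL_BALANCED_LINKS;
/* Subset of _RTL_AVL_TABLE: BalancedRoot is a sentinel whose RightChild is the real root. */
typedef struct { RTL_BALANCED_LINKS BalancedRoot; unsigned long NumberGenericTableElements, DepthOfTree; } RTL_AVL_TABLE;
/* Payload from dt _DEVICE_REFERENCE; DriverObject models DeviceObject->DriverObject, DeviceInstance the UNICODE_STRING. */
typedef struct { const void *DriverObject; const char *DeviceInstance; } DEVICE_REFERENCE;
typedef struct { RTL_BALANCED_LINKS Links; DEVICE_REFERENCE Ref; } NODE;   /* one table element */
/* The "+10" from the session: the element starts right after its links header. */
static DEVICE_REFERENCE *element_of(RTL_BALANCED_LINKS *l) { return (DEVICE_REFERENCE *)((char *)l + offsetof(NODE, Ref)); }
static unsigned depth(RTL_BALANCED_LINKS *l) {             /* what DepthOfTree reports */
    unsigned a = l ? depth(l->LeftChild) : 0, b = l ? depth(l->RightChild) : 0;
    return l ? 1 + (a > b ? a : b) : 0;
}
/* Plain BST insert keyed on DeviceInstance; the kernel table is AVL-balanced, this model does not rebalance. */
static void table_insert(RTL_AVL_TABLE *t, NODE *n) {
    RTL_BALANCED_LINKS *parent = &t->BalancedRoot, **slot = &parent->RightChild;
    while (*slot) {
        parent = *slot;
        slot = strcmp(n->Ref.DeviceInstance, element_of(parent)->DeviceInstance) < 0
             ? &parent->LeftChild : &parent->RightChild;
    }
    n->Links.Parent = parent; *slot = &n->Links;
    t->NumberGenericTableElements++; t->DepthOfTree = depth(t->BalancedRoot.RightChild);
}
/* In-order walk: counts elements and flags any whose device is not owned by `driver`. */
static unsigned walk(RTL_BALANCED_LINKS *l, const void *driver, unsigned *foreign) {
    if (!l) return 0;
    if (element_of(l)->DriverObject != driver) (*foreign)++;
    return walk(l->LeftChild, driver, foreign) + 1 + walk(l->RightChild, driver, foreign);
}
typedef struct { unsigned count, foreign; unsigned long elements, depth; } CHECK;
/* Constructed sample (not from the session): four paths, one owned by a different driver object. */
static CHECK sample_check(void) {
    static const int pnp = 1, other = 2;                   /* stand-ins for driver object addresses */
    NODE n[4] = { {{0}, {&pnp, "Root\\SAMPLE\\0002"}}, {{0}, {&pnp, "Root\\MEDIA\\MS_MMACM"}},
                  {{0}, {&other, "Root\\SAMPLE\\0001"}}, {{0}, {&pnp, "Root\\SAMPLE\\0003"}} };
    RTL_AVL_TABLE t = {0}; CHECK c = {0};
    t.BalancedRoot.Parent = &t.BalancedRoot;               /* Parent == self, as in the dx dump */
    for (int i = 0; i < 4; i++) table_insert(&t, &n[i]);
    c.count = walk(t.BalancedRoot.RightChild, &pnp, &c.foreign);
    c.elements = t.NumberGenericTableElements; c.depth = t.DepthOfTree;
    return c;
}
```

An in-order count that disagrees with NumberGenericTableElements or with the length of the driver's NextDevice chain, or an element whose device is owned by another driver, is the kind of inconsistency worth investigating in a memory snapshot.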

1: kd> dx -id 0,0,ffffffff89dd5240 -r1 -n (*((halmacpi!_DRIVER_OBJECT *)0x89db9d28))
(*((halmacpi!_DRIVER_OBJECT *)0x89db9d28)) : Driver "\Driver\PnpManager" [Type: _DRIVER_OBJECT]
[+0x000] Type : 4 [Type: short]
[+0x002] Size : 168 [Type: short]
[+0x004] DeviceObject : 0x89df54a8 : Device for "\Driver\PnpManager" [Type: _DEVICE_OBJECT *]
[+0x008] Flags : 0x4 [Type: unsigned long]
[+0x00c] DriverStart : 0x0 [Type: void *]
[+0x010] DriverSize : 0x0 [Type: unsigned long]
[+0x014] DriverSection : 0x0 [Type: void *]
[+0x018] DriverExtension : 0x89db9dd0 [Type: _DRIVER_EXTENSION *]
[+0x01c] DriverName [Type: _UNICODE_STRING]
[+0x024] HardwareDatabase : 0x0 [Type: _UNICODE_STRING *]
[+0x028] FastIoDispatch : 0x0 [Type: _FAST_IO_DISPATCH *]
[+0x02c] DriverInit : 0x80e6708c [Type: long (*)(_DRIVER_OBJECT *,_UNICODE_STRING *)]
[+0x030] DriverStartIo : 0x0 [Type: void (*)(_DEVICE_OBJECT *,_IRP *)]
[+0x034] DriverUnload : 0x0 [Type: void (*)(_DRIVER_OBJECT *)]
[+0x038] MajorFunction [Type: long (* [28])(_DEVICE_OBJECT *,_IRP *)]


1: kd> dt nt!_DEVOBJ_EXTENSION *)0x89df67b8
Numeric expression missing from '*)0x89df67b8'
1: kd> dt nt!_DEVOBJ_EXTENSION 0x89df67b8
+0x000 Type : 0n13
+0x002 Size : 0
+0x004 DeviceObject : 0x89df66f8 _DEVICE_OBJECT
+0x008 PowerFlags : 0
+0x00c Dope : (null)
+0x010 ExtensionFlags : 0x10
+0x014 DeviceNode : 0x89df65a0 Void
+0x018 AttachedTo : (null)
+0x01c StartIoCount : 0n0
+0x020 StartIoKey : 0n0
+0x024 StartIoFlags : 0
+0x028 Vpb : (null)
1: kd> dt _device_node 0x89df65a0
nt!_DEVICE_NODE
+0x000 Sibling : 0x89df6350 _DEVICE_NODE
+0x004 Child : (null)
+0x008 Parent : 0x89db9ac0 _DEVICE_NODE
+0x00c LastChild : (null)
+0x010 Level : 1
+0x014 Notify : (null)
+0x018 State : 302 ( DeviceNodeInitialized )
+0x01c PreviousState : 301 ( DeviceNodeUninitialized )
+0x020 StateHistory : [20] 301 ( DeviceNodeUninitialized )
+0x070 StateHistoryEntry : 1
+0x074 CompletionStatus : 0n0
+0x078 PendingIrp : (null)
+0x07c Flags : 0x11
+0x080 UserFlags : 0
+0x084 Problem : 0
+0x088 PhysicalDeviceObject : 0x89df66f8 _DEVICE_OBJECT
+0x08c ResourceList : (null)
+0x090 ResourceListTranslated : (null)
+0x094 InstancePath : _UNICODE_STRING "Root\MEDIA\MS_MMACM"
+0x09c ServiceName : _UNICODE_STRING "audstub"
+0x0a4 DuplicatePDO : (null)
+0x0a8 ResourceRequirements : (null)
+0x0ac InterfaceType : 0xffffffff (No matching name)
+0x0b0 BusNumber : 0xffffffff
+0x0b4 ChildInterfaceType : 0xffffffff (No matching name)
+0x0b8 ChildBusNumber : 0xffffffff
+0x0bc ChildBusTypeIndex : 0xffff
+0x0be RemovalPolicy : 0 ''
+0x0bf HardwareRemovalPolicy : 0 ''
+0x0c0 TargetDeviceNotify : _LIST_ENTRY [ 0x89df6660 - 0x89df6660 ]
+0x0c8 DeviceArbiterList : _LIST_ENTRY [ 0x89df6668 - 0x89df6668 ]
+0x0d0 DeviceTranslatorList : _LIST_ENTRY [ 0x89df6670 - 0x89df6670 ]
+0x0d8 NoTranslatorMask : 0
+0x0da QueryTranslatorMask : 0
+0x0dc NoArbiterMask : 0
+0x0de QueryArbiterMask : 0
+0x0e0 OverUsed1 : __unnamed
+0x0e4 OverUsed2 : __unnamed
+0x0e8 BootResources : (null)
+0x0ec CapabilityFlags : 0
+0x0f0 DockInfo : __unnamed
+0x100 DisableableDepends : 0
+0x104 PendedSetInterfaceState : _LIST_ENTRY [ 0x89df66a4 - 0x89df66a4 ]
+0x10c LegacyBusListEntry : _LIST_ENTRY [ 0x89df66ac - 0x89df66ac ]
