
nt!PpSaveDeviceCapabilities函数分析保存设备Capabilities到注册表


nt!PpSaveDeviceCapabilities函数分析保存设备Capabilities到注册表

win7注册表相应地方:

//
// Open the device instance key
//

status = PpIrpQueryCapabilities(DeviceNode->PhysicalDeviceObject, &capabilities); 返回到这里:
if (!NT_SUCCESS(status)) {

return status;
}

return PpSaveDeviceCapabilities(DeviceNode,&capabilities);
}


0: kd> kc
#
00 nt!PpSaveDeviceCapabilities
01 nt!IopQueryAndSaveDeviceNodeCapabilities
02 nt!PipProcessStartPhase3
03 nt!PipProcessDevNodeTree
04 nt!PipDeviceActionWorker
05 nt!PipRequestDeviceAction
06 nt!IopInitializeBootDrivers
07 nt!IoInitSystem
08 nt!Phase1Initialization
09 nt!PspSystemThreadStartup
0a nt!KiThreadStartup
0: kd> dv
DeviceNode = 0x899c1008
Capabilities = 0xf789a2f4
unicodeName = struct _UNICODE_STRING ""
handle = 0x00000008
status = 0n-1986260984
value = 0x80c8924a
0: kd> dx -r1 ((ntkrnlmp!_DEVICE_CAPABILITIES *)0xf789a2f4)
((ntkrnlmp!_DEVICE_CAPABILITIES *)0xf789a2f4) : 0xf789a2f4 [Type: _DEVICE_CAPABILITIES *]
[+0x000] Size : 0x40 [Type: unsigned short]
[+0x002] Version : 0x1 [Type: unsigned short]
[+0x004 ( 0: 0)] DeviceD1 : 0x0 [Type: unsigned long]
[+0x004 ( 1: 1)] DeviceD2 : 0x0 [Type: unsigned long]
[+0x004 ( 2: 2)] LockSupported : 0x0 [Type: unsigned long]
[+0x004 ( 3: 3)] EjectSupported : 0x0 [Type: unsigned long]
[+0x004 ( 4: 4)] Removable : 0x0 [Type: unsigned long]
[+0x004 ( 5: 5)] DockDevice : 0x0 [Type: unsigned long]
[+0x004 ( 6: 6)] UniqueID : 0x1 [Type: unsigned long]
[+0x004 ( 7: 7)] SilentInstall : 0x1 [Type: unsigned long]
[+0x004 ( 8: 8)] RawDeviceOK : 0x0 [Type: unsigned long]
[+0x004 ( 9: 9)] SurpriseRemovalOK : 0x0 [Type: unsigned long]
[+0x004 (10:10)] WakeFromD0 : 0x0 [Type: unsigned long]
[+0x004 (11:11)] WakeFromD1 : 0x0 [Type: unsigned long]
[+0x004 (12:12)] WakeFromD2 : 0x0 [Type: unsigned long]
[+0x004 (13:13)] WakeFromD3 : 0x0 [Type: unsigned long]
[+0x004 (14:14)] HardwareDisabled : 0x0 [Type: unsigned long]
[+0x004 (15:15)] NonDynamic : 0x0 [Type: unsigned long]
[+0x004 (16:16)] WarmEjectSupported : 0x0 [Type: unsigned long]
[+0x004 (17:17)] NoDisplayInUI : 0x0 [Type: unsigned long]
[+0x004 (31:18)] Reserved : 0x0 [Type: unsigned long]
[+0x008] Address : 0xffffffff [Type: unsigned long]
[+0x00c] UINumber : 0xffffffff [Type: unsigned long]
[+0x010] DeviceState [Type: _DEVICE_POWER_STATE [7]]
[+0x02c] SystemWake : PowerSystemUnspecified (0) [Type: _SYSTEM_POWER_STATE]
[+0x030] DeviceWake : PowerDeviceUnspecified (0) [Type: _DEVICE_POWER_STATE]
[+0x034] D1Latency : 0x0 [Type: unsigned long]
[+0x038] D2Latency : 0x0 [Type: unsigned long]
[+0x03c] D3Latency : 0x0 [Type: unsigned long]
0: kd> dx -r1 (*((ntkrnlmp!_DEVICE_POWER_STATE (*)[7])0xf789a304))
(*((ntkrnlmp!_DEVICE_POWER_STATE (*)[7])0xf789a304)) [Type: _DEVICE_POWER_STATE [7]]
[0] : PowerDeviceUnspecified (0) [Type: _DEVICE_POWER_STATE]
[1] : PowerDeviceD0 (1) [Type: _DEVICE_POWER_STATE]
[2] : PowerDeviceD1 (2) [Type: _DEVICE_POWER_STATE]
[3] : PowerDeviceUnspecified (0) [Type: _DEVICE_POWER_STATE]
[4] : PowerDeviceUnspecified (0) [Type: _DEVICE_POWER_STATE]
[5] : PowerDeviceD3 (4) [Type: _DEVICE_POWER_STATE]
[6] : PowerDeviceD3 (4) [Type: _DEVICE_POWER_STATE]


//
// Open the device instance key
//
status = IopDeviceObjectToDeviceInstance(DeviceNode->PhysicalDeviceObject, &handle, KEY_ALL_ACCESS);
if (NT_SUCCESS(status)) {


0: kd> dv
DeviceNode = 0x899c1008
Capabilities = 0xf789a2f4
unicodeName = ""
handle = 0x8000027c
status = 0n-1986260984
value = 8
0: kd> !handle 27c

PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 33.
Image: System

Kernel handle table at e1000e38 with 33 entries in use

027c: Object: e127f5e0 GrantedAccess: 000f003f Entry: e10044f8
Object: e127f5e0 Type: (89996048) Key
ObjectHeader: e127f5c8 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0


//
// Pack selected one-bit DEVICE_CAPABILITIES flags into a single DWORD and
// store it as a registry value under the device instance key.
//
// Bit layout produced by the expression below:
//   bit 0  LockSupported
//   bit 1  EjectSupported or WarmEjectSupported
//   bit 2  Removable
//   bit 3  DockDevice
//   bit 4  UniqueID
//   bit 5  SilentInstall
//   bit 6  RawDeviceOK
//   bit 7  SurpriseRemovalOK
//   bit 8  HardwareDisabled
//   bit 9  NonDynamic
// NOTE(review): this layout looks like the CM_DEVCAP_* flag values - confirm
// against the header that defines them.
//
// DeviceD1/DeviceD2, WakeFromD0..D3 and NoDisplayInUI appear in the structure
// dump on this page but are not part of this expression, so they are not
// persisted by this value.
//
// In the traced run only UniqueID and SilentInstall are set, which gives
// 0x10 | 0x20 = 0x30, matching the debugger's "value = 0x30".
//
value = (Capabilities->LockSupported) |
(Capabilities->EjectSupported << 1) |
// WarmEjectSupported is shifted by 1 as well, so it shares bit 1 with
// EjectSupported; a reader of the stored value cannot tell the two apart.
(Capabilities->WarmEjectSupported<< 1) |
(Capabilities->Removable << 2) |
(Capabilities->DockDevice << 3) |
(Capabilities->UniqueID << 4) |
(Capabilities->SilentInstall << 5) |

(Capabilities->RawDeviceOK << 6) |
(Capabilities->SurpriseRemovalOK << 7) |
(Capabilities->HardwareDisabled << 8) |
(Capabilities->NonDynamic << 9);

// Build the UNICODE_STRING for the value name; the later "dv" output on this
// page shows unicodeName = "Capabilities".
PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_CAPABILITIES);
// Write the packed flags as a REG_DWORD. The stack dump at the ZwSetValueKey
// breakpoint shows Type = 4 and DataSize = 4 for this call.
// NOTE(review): the return status of ZwSetValueKey is not captured in this
// excerpt, so a failed write would go unnoticed here - confirm against the
// full function.
// NOTE(review): the excerpt earlier on this page opens the key with
// KEY_ALL_ACCESS; only a value write is visible here, so KEY_SET_VALUE may be
// sufficient - confirm against the rest of the function.
ZwSetValueKey(
handle,
&unicodeName,
TITLE_INDEX_VALUE,
REG_DWORD,
&value,
sizeof(value));


0: kd> t
eax=f789a2d0 ebx=00000000 ecx=00000030 edx=80a3d105 esi=f789a2f4 edi=00000004
eip=80a3e2d8 esp=f789a2a8 ebp=f789a2e0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ZwSetValueKey:
80a3e2d8 b800010000 mov eax,100h
0: kd> dv
0: kd> kc
#
00 nt!ZwSetValueKey
01 nt!PpSaveDeviceCapabilities
02 nt!IopQueryAndSaveDeviceNodeCapabilities
03 nt!PipProcessStartPhase3
04 nt!PipProcessDevNodeTree
05 nt!PipDeviceActionWorker
06 nt!PipRequestDeviceAction
07 nt!IopInitializeBootDrivers
08 nt!IoInitSystem
09 nt!Phase1Initialization
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup
0: kd> dv
0: kd> r
eax=f789a2d0 ebx=00000000 ecx=00000030 edx=80a3d105 esi=f789a2f4 edi=00000004
eip=80a3e2d8 esp=f789a2a8 ebp=f789a2e0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ZwSetValueKey:
80a3e2d8 b800010000 mov eax,100h

0: kd> dd f789a2a8
f789a2a8 80c8933e 8000027c f789a2d0 00000000
f789a2b8 00000004 f789a2d8 00000004 899c1008
f789a2c8 899c1008 00000000 001a0018 80c891da
f789a2d8 00000030 8000027c f789a334 80c8bea4
f789a2e8 00000000 f789a2f4 804edc6c 00010040
f789a2f8 000000c0 ffffffff ffffffff 00000000
f789a308 00000001 00000002 00000000 00000000
f789a318 00000004 00000004 00000000 00000000

0: kd> dd f789a2d0
f789a2d0 001a0018 80c891da 00000030 8000027c

0: kd> dv
DeviceNode = 0x00000000
Capabilities = 0xf789a2f4
unicodeName = "Capabilities"
handle = 0x8000027c
status = 0n0
value = 0x30
0011 0000

0: kd> dx -r1 ((ntkrnlmp!_DEVICE_CAPABILITIES *)0xf789a2f4)
((ntkrnlmp!_DEVICE_CAPABILITIES *)0xf789a2f4) : 0xf789a2f4 [Type: _DEVICE_CAPABILITIES *]
[+0x000] Size : 0x40 [Type: unsigned short]
[+0x002] Version : 0x1 [Type: unsigned short]
[+0x004 ( 0: 0)] DeviceD1 : 0x0 [Type: unsigned long]
[+0x004 ( 1: 1)] DeviceD2 : 0x0 [Type: unsigned long]
[+0x004 ( 2: 2)] LockSupported : 0x0 [Type: unsigned long]
[+0x004 ( 3: 3)] EjectSupported : 0x0 [Type: unsigned long]
[+0x004 ( 4: 4)] Removable : 0x0 [Type: unsigned long]
[+0x004 ( 5: 5)] DockDevice : 0x0 [Type: unsigned long]
[+0x004 ( 6: 6)] UniqueID : 0x1 [Type: unsigned long]
[+0x004 ( 7: 7)] SilentInstall : 0x1 [Type: unsigned long]
[+0x004 ( 8: 8)] RawDeviceOK : 0x0 [Type: unsigned long]
[+0x004 ( 9: 9)] SurpriseRemovalOK : 0x0 [Type: unsigned long]


[+0x004 ( 6: 6)] UniqueID : 0x1 [Type: unsigned long]
[+0x004 ( 7: 7)] SilentInstall : 0x1 [Type: unsigned long]


(Capabilities->UniqueID << 4) |
(Capabilities->SilentInstall << 5) |


value 的 bit 4(UniqueID << 4 = 0x10)和 bit 5(SilentInstall << 5 = 0x20)为 1(位号从 0 开始),合起来即 0x30。
0: kd> dv value
value = 0x30
