news 2026/6/4 12:29:19

The nt!IoCreateDevice call in nt!IopGetRootDevices populates the device list of nt!IoPnpDriverObject (\Driver\PnpManager) -- very important

张小明

Front-end developer

1: kd> t
Breakpoint 4 hit
eax=f789a168 ebx=00000000 ecx=00030001 edx=00020000 esi=00000000 edi=f789a258
eip=80c63538 esp=f789a120 ebp=f789a174 iopl=0         nv up ei pl zr na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000247
nt!IoCreateDevice:
80c63538 55              push    ebp
1: kd>  !drvobj 899873b0
Driver object (899873b0) is for:
 \Driver\PnpManager

Driver Extension List: (id , addr)

Device Object list:
899c5d08  
1: kd> kc
 #
00 nt!IoCreateDevice
01 nt!IopInitializeDeviceInstanceKey
02 nt!PipApplyFunctionToSubKeys
03 nt!IopInitializeDeviceKey
04 nt!PipApplyFunctionToSubKeys
05 nt!IopGetRootDevices

06 nt!IopPnPDispatch
07 nt!IofCallDriver
08 nt!IopSynchronousCall
09 nt!IopQueryDeviceRelations
0a nt!PipEnumerateDevice
0b nt!PipProcessDevNodeTree
0c nt!PiProcessReenumeration
0d nt!PipDeviceActionWorker
0e nt!PipRequestDeviceAction
0f nt!IopInitializePlugPlayServices
10 nt!IoInitSystem
11 nt!Phase1Initialization
12 nt!PspSystemThreadStartup
13 nt!KiThreadStartup

1: kd> kv
 # ChildEBP RetAddr  Args to Child              
00 f789a11c 80cb03be 899873b0 00000008 00000000 nt!IoCreateDevice (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 4282]
01 f789a174 80c87246 800004c4 00000020 f789a23c nt!IopInitializeDeviceInstanceKey+0x29a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpdd.c @ 1330]
02 f789a1ac 80cb07a0 800004c0 800004c4 000f003f nt!PipApplyFunctionToSubKeys+0xec (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpsubs.c @ 1976]
03 f789a1d8 80c87246 800004c0 f789a1f8 f789a23c nt!IopInitializeDeviceKey+0x48 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpdd.c @ 1008]
04 f789a210 80cb096f 800004b0 800004c0 000f003f nt!PipApplyFunctionToSubKeys+0xec (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpsubs.c @ 1976]
05 f789a26c 80cb0bc8 f789a29c 899c5d08 89994008 nt!IopGetRootDevices+0x157 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpdd.c @ 905]
06 f789a294 80a2675c 00000000 89994008 8999409c nt!IopPnPDispatch+0x92 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpdd.c @ 405]
07 f789a2b0 80c95e00 00000000 899c5bc8 899c5bc8 nt!IofCallDriver+0x62 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 2237]
08 f789a2e0 80a2e3f3 00000000 f789a2fc 899c5ca8 nt!IopSynchronousCall+0x1aa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpirp.c @ 258]
09 f789a320 80c8d810 00000000 899c5d08 00000001 nt!IopQueryDeviceRelations+0x39 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpirp.c @ 1131]
0a f789a33c 80c94e01 899c5bc8 00000001 899c5bc8 nt!PipEnumerateDevice+0x56 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 980]
0b f789a588 80c954e7 899c5bc8 00000000 00000000 nt!PipProcessDevNodeTree+0x273 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 4699]
0c f789a5c0 80a2de90 89996df0 80b1f6f8 00000000 nt!PiProcessReenumeration+0xaf (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 6115]
0d f789a5e8 80a2e161 00000000 e1278d82 00000000 nt!PipDeviceActionWorker+0x174 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 801]
0e f789a600 80e68579 899c5d08 00000008 00000000 nt!PipRequestDeviceAction+0x139 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 598]
0f f789a694 80e6554b 8000048c 80000494 00034000 nt!IopInitializePlugPlayServices+0x619 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpinit.c @ 762]
10 f789a838 80e632fd 80077000 00000000 899a1020 nt!IoInitSystem+0x68f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\ioinit.c @ 599]
11 f789adac 80d391f0 80077000 00000000 00000000 nt!Phase1Initialization+0x9b3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\init\init.c @ 2221]
12 f789addc 80b00d52 80e6294a 80077000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
13 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
windbg> .open -a ffffffff80cb03be
1: kd> x nt!IoPnpDriverObject
80b1f6fc          nt!IoPnpDriverObject = 0x899873b0 Driver "\Driver\PnpManager"


1: kd> dv
           DriverObject = 0x899873b0 Driver "\Driver\PnpManager"
    DeviceExtensionSize = 8
             DeviceName = 0x00000000
             DeviceType = 4
  DeviceCharacteristics = 0x80
              Exclusive = 0x00 ''
           DeviceObject = 0xf789a168
                 handle = 0xffffffff
       retryWithNewName = 0x00 ''
                 status = 0n0
       deviceNameBuffer = unsigned short [17]
          deviceHasName = 0x00 ''
     securityDescriptor = 0x00000000
autoGeneratedDeviceName = ""
                    acl = 0x00000000
localSecurityDescriptor = unsigned char [20] ""
             sectorSize = 0xa174
       objectAttributes = struct _OBJECT_ATTRIBUTES
           deviceObject = 0x80c63538 Device for {...}

1: kd> x nt!IopUniqueDeviceObjectNumber
80b1ee84          nt!IopUniqueDeviceObjectNumber = 0n1

            nextUniqueDeviceObjectNumber = InterlockedIncrement( &IopUniqueDeviceObjectNumber );
            swprintf( deviceNameBuffer, L"\\Device\\%08lx", nextUniqueDeviceObjectNumber );


1: kd> dv deviceNameBuffer
deviceNameBuffer = unsigned short [17]
1: kd> dx -r1 (*((ntkrnlmp!unsigned short (*)[17])0xf789a09c))
(*((ntkrnlmp!unsigned short (*)[17])0xf789a09c))                 [Type: unsigned short [17]]
    [0]              : 0x5c [Type: unsigned short]
    [1]              : 0x44 [Type: unsigned short]
    [2]              : 0x65 [Type: unsigned short]
    [3]              : 0x76 [Type: unsigned short]
    [4]              : 0x69 [Type: unsigned short]
    [5]              : 0x63 [Type: unsigned short]
    [6]              : 0x65 [Type: unsigned short]
    [7]              : 0x5c [Type: unsigned short]
    [8]              : 0x30 [Type: unsigned short]
    [9]              : 0x30 [Type: unsigned short]
    [10]             : 0x30 [Type: unsigned short]
    [11]             : 0x30 [Type: unsigned short]
    [12]             : 0x30 [Type: unsigned short]
    [13]             : 0x30 [Type: unsigned short]
    [14]             : 0x30 [Type: unsigned short]
    [15]             : 0x31 [Type: unsigned short]
    [16]             : 0x0 [Type: unsigned short]
1: kd> db 0xf789a09c
f789a09c  5c 00 44 00 65 00 76 00-69 00 63 00 65 00 5c 00  \.D.e.v.i.c.e.\.
f789a0ac  30 00 30 00 30 00 30 00-30 00 30 00 30 00 31 00  0.0.0.0.0.0.0.1.
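
The name generation traced above, as an added user-mode model (not code from the page or from the kernel source it quotes): it reproduces the `\Device\%08lx` formatting, shows why the 17-element buffer fits exactly, and checks the result against the `db` bytes. The helper names and the starting counter value of 0 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_UNITS 17 /* "unsigned short [17]" in the dv output */

/* Model of the two source lines on the page: increment the counter, then
 * format "\Device\%08lx". The counter is a plain uint32_t here (assumption:
 * single-threaded user-mode model, so no InterlockedIncrement is needed).
 * Returns the number of UTF-16 units written without the NUL, or -1. */
int autogen_device_name(uint32_t *counter, uint16_t out[NAME_UNITS])
{
    char narrow[NAME_UNITS];
    uint32_t next = ++*counter; /* the incremented value is what gets formatted */
    int n = snprintf(narrow, sizeof narrow, "\\Device\\%08lx", (unsigned long)next);
    if (n < 0 || n >= NAME_UNITS)
        return -1; /* would not fit: 8 prefix chars + 8 hex digits + NUL = 17 */
    for (int i = 0; i <= n; i++)
        out[i] = (uint8_t)narrow[i]; /* ASCII widens 1:1 to UTF-16 */
    return n;
}

/* Lay the units out as little-endian bytes, the way `db` shows them on x86. */
size_t to_utf16le(const uint16_t *units, int n, uint8_t *bytes)
{
    for (int i = 0; i < n; i++) {
        bytes[2 * i] = (uint8_t)(units[i] & 0xff);
        bytes[2 * i + 1] = (uint8_t)(units[i] >> 8);
    }
    return (size_t)n * 2;
}

/* The 32 bytes shown by `db 0xf789a09c` on the page. */
static const uint8_t page_dump[32] = {
    0x5c,0,0x44,0,0x65,0,0x76,0,0x69,0,0x63,0,0x65,0,0x5c,0,
    0x30,0,0x30,0,0x30,0,0x30,0,0x30,0,0x30,0,0x30,0,0x31,0 };

/* 1 if a counter starting at 0 (assumption) reproduces the dumped buffer. */
int matches_page_dump(void)
{
    uint32_t counter = 0;
    uint16_t name[NAME_UNITS];
    uint8_t bytes[2 * NAME_UNITS];
    int n = autogen_device_name(&counter, name);
    return n == 16 && counter == 1 && to_utf16le(name, n, bytes) == 32 &&
           memcmp(bytes, page_dump, 32) == 0;
}

int main(void) { printf("matches dump: %d\n", matches_page_dump()); return 0; }
```

The resulting counter value of 1 agrees with the `x nt!IopUniqueDeviceObjectNumber` output, and `DeviceCharacteristics = 0x80` in the `dv` listing is the value of `FILE_AUTOGENERATED_DEVICE_NAME`.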


                RtlInitUnicodeString( &au
