Analysis of nt!IopInitializePlugPlayServices: creating \Driver\PnpManager and the ROOT devices corresponding to drivers

Author: 张小明
Part 0: the ROOT devices corresponding to \Driver\PnpManager are created from the contents of [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root]!!!

File shared via netdisk: root.reg
Link: https://pan.baidu.com/s/1MRtDJTnkP8rLaOvYwsr7lQ?pwd=3790 access code: 3790

Part 1: \Driver is still empty when nt!IopInitializePlugPlayServices is entered
nt!DbgBreakPoint:
80ae0d10 cc int 3
0: kd> kc
#
00 nt!DbgBreakPoint
01 hal!HalpGetParameters
02 hal!HalInitSystem
03 nt!ExpInitializeExecutive
04 nt!KiInitializeKernel
05 nt!KiSystemStartup
0: kd> bp nt!IopInitializePlugPlayServices
0: kd> g
Breakpoint 6 hit
nt!IopInitializePlugPlayServices:
80e67f60 55 push ebp
1: kd> !object \driver
Object: e1288870 Type: (89dd5e70) Directory
ObjectHeader: e1288858 (old version)
HandleCount: 0 PointerCount: 1
Directory Object: e1002aa0 Name: Driver

Hash Address Type Name
---- ------- ---- ----

Part 2: after the function returns, \Driver\PnpManager exists
1: kd> gu
nt!IoInitSystem+0x68f:
80e6554b 85c0 test eax,eax

1: kd> !object \driver
Object: e1288870 Type: (89dd5e70) Directory
ObjectHeader: e1288858 (old version)
HandleCount: 0 PointerCount: 2
Directory Object: e1002aa0 Name: Driver

Hash Address Type Name
---- ------- ---- ----
33 89db9d28 Driver PnpManager

1: kd> !object 89db9d28
Object: 89db9d28 Type: (89df9ac0) Driver
ObjectHeader: 89db9d10 (old version)
HandleCount: 0 PointerCount: 560
Directory Object: e1288870 Name: PnpManager
1: kd> !drvobj 89db9d28
Driver object (89db9d28) is for:
\Driver\PnpManager
Driver Extension List: (id , addr)

Device Object list:
89df54a8 89df56f8 89df5948 89df5b98
89df5de8 89df5038 89db6380 89db65d0
89db6820 89db6a70 89db6cc0 89db6f10
89df6258 89df64a8 89df66f8 89df6948
89df6b98 89df6de8 89df6038 89db7380
89db75d0 89db7820 89db7a70 89db7cc0
89db7f10 89df7258 89df74a8 89df76f8
89df7948 89df7b98 89df7de8 89df7038
89db8380 89db85d0 89db8820 89db8a70
89db8cc0 89db8f10 89df8260 89df84b0
89df8700 89df8950 89df8ba0 89df8df0
89db98a0 89db9c00
1: kd> dt _device_object 89db9c00
ntdll!_DEVICE_OBJECT
+0x000 Type : 0n3
+0x002 Size : 0xc0
+0x004 ReferenceCount : 0n0
+0x008 DriverObject : 0x89db9d28 _DRIVER_OBJECT
+0x00c NextDevice : (null)
+0x010 AttachedDevice : (null)
+0x014 CurrentIrp : (null)
+0x018 Timer : (null)
+0x01c Flags : 0x1000
+0x020 Characteristics : 0
+0x024 Vpb : (null)
+0x028 DeviceExtension : 0x89db9cb8 Void
+0x02c DeviceType : 4
+0x030 StackSize : 1 ''
+0x034 Queue : __unnamed
+0x05c AlignmentRequirement : 0
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : 0
+0x098 SecurityDescriptor : (null)
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : 0
+0x0ae Spare1 : 0
+0x0b0 DeviceObjectExtension : 0x89db9cc0 _DEVOBJ_EXTENSION
+0x0b4 Reserved : (null)
1: kd> dx -id 0,0,ffffffff89dd5240 -r1 ((ntdll!_DEVOBJ_EXTENSION *)0x89db9cc0)
((ntdll!_DEVOBJ_EXTENSION *)0x89db9cc0) : 0x89db9cc0 [Type: _DEVOBJ_EXTENSION *]
[+0x000] Type : 13 [Type: short]
[+0x002] Size : 0x0 [Type: unsigned short]
[+0x004] DeviceObject : 0x89db9c00 : Device for "\Driver\PnpManager" [Type: _DEVICE_OBJECT *]
[+0x008] PowerFlags : 0x0 [Type: unsigned long]
[+0x00c] Dope : 0x0 [Type: _DEVICE_OBJECT_POWER_EXTENSION *]
[+0x010] ExtensionFlags : 0x0 [Type: unsigned long]
[+0x014] DeviceNode : 0x89db9ac0 [Type: void *]
[+0x018] AttachedTo : 0x0 [Type: _DEVICE_OBJECT *]
[+0x01c] StartIoCount : 0 [Type: long]
[+0x020] StartIoKey : 0 [Type: long]
[+0x024] StartIoFlags : 0x0 [Type: unsigned long]
[+0x028] Vpb : 0x0 [Type: _VPB *]

1: kd> dt _device_node 0x89db9ac0
nt!_DEVICE_NODE
+0x000 Sibling : (null)
+0x004 Child : 0x89df8008 _DEVICE_NODE
+0x008 Parent : (null)
+0x00c LastChild : 0x89df5350 _DEVICE_NODE
+0x010 Level : 0
+0x014 Notify : (null)
+0x018 State : 308 ( DeviceNodeStarted )
+0x01c PreviousState : 30d ( DeviceNodeEnumerateCompletion )
+0x020 StateHistory : [20] 301 ( DeviceNodeUninitialized )
+0x070 StateHistoryEntry : 3
+0x074 CompletionStatus : 0n0
+0x078 PendingIrp : (null)
+0x07c Flags : 0x131
+0x080 UserFlags : 0
+0x084 Problem : 0
+0x088 PhysicalDeviceObject : 0x89db9c00 _DEVICE_OBJECT
+0x08c ResourceList : (null)
+0x090 ResourceListTranslated : (null)
+0x094 InstancePath : _UNICODE_STRING "HTREE\ROOT\0"
+0x09c ServiceName : _UNICODE_STRING ""
+0x0a4 DuplicatePDO : (null)
+0x0a8 ResourceRequirements : (null)
+0x0ac InterfaceType : 0xffffffff (No matching name)
+0x0b0 BusNumber : 0xffffffff
+0x0b4 ChildInterfaceType : 0xffffffff (No matching name)
+0x0b8 ChildBusNumber : 0xffffffff
+0x0bc ChildBusTypeIndex : 0xffff
+0x0be RemovalPolicy : 0 ''
+0x0bf HardwareRemovalPolicy : 0 ''
+0x0c0 TargetDeviceNotify : _LIST_ENTRY [ 0x89db9b80 - 0x89db9b80 ]
+0x0c8 DeviceArbiterList : _LIST_ENTRY [ 0x89db9b88 - 0x89db9b88 ]
+0x0d0 DeviceTranslatorList : _LIST_ENTRY [ 0x89db9b90 - 0x89db9b90 ]
+0x0d8 NoTranslatorMask : 0
+0x0da QueryTranslatorMask : 0
+0x0dc NoArbiterMask : 0
+0x0de QueryArbiterMask : 0
+0x0e0 OverUsed1 : __unnamed
+0x0e4 OverUsed2 : __unnamed
+0x0e8 BootResources : (null)
+0x0ec CapabilityFlags : 0
+0x0f0 DockInfo : __unnamed
+0x100 DisableableDepends : 0
+0x104 PendedSetInterfaceState : _LIST_ENTRY [ 0x89db9bc4 - 0x89db9bc4 ]
+0x10c LegacyBusListEntry : _LIST_ENTRY [ 0x89db9bcc - 0x89db9bcc ]

Part 3: the first node in the device list is the device corresponding to the driver that was added last

1: kd> dt _device_object 89df54a8
ntdll!_DEVICE_OBJECT
+0x000 Type : 0n3
+0x002 Size : 0xc0
+0x004 ReferenceCount : 0n0
+0x008 DriverObject : 0x89db9d28 _DRIVER_OBJECT
+0x00c NextDevice : 0x89df56f8 _DEVICE_OBJECT
+0x010 AttachedDevice : (null)
+0x014 CurrentIrp : (null)
+0x018 Timer : (null)
+0x01c Flags : 0x1040
+0x020 Characteristics : 0x80
+0x024 Vpb : (null)
+0x028 DeviceExtension : 0x89df5560 Void
+0x02c DeviceType : 4
+0x030 StackSize : 1 ''
+0x034 Queue : __unnamed
+0x05c AlignmentRequirement : 0
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : 0
+0x098 SecurityDescriptor : 0xe12a38e8 Void
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : 0
+0x0ae Spare1 : 0
+0x0b0 DeviceObjectExtension : 0x89df5568 _DEVOBJ_EXTENSION
+0x0b4 Reserved : (null)
1: kd> dx -id 0,0,ffffffff89dd5240 -r1 ((ntdll!_DEVOBJ_EXTENSION *)0x89df5568)
((ntdll!_DEVOBJ_EXTENSION *)0x89df5568) : 0x89df5568 [Type: _DEVOBJ_EXTENSION *]
[+0x000] Type : 13 [Type: short]
[+0x002] Size : 0x0 [Type: unsigned short]
[+0x004] DeviceObject : 0x89df54a8 : Device for "\Driver\PnpManager" [Type: _DEVICE_OBJECT *]
[+0x008] PowerFlags : 0x0 [Type: unsigned long]
[+0x00c] Dope : 0x0 [Type: _DEVICE_OBJECT_POWER_EXTENSION *]
[+0x010] ExtensionFlags : 0x10 [Type: unsigned long]
[+0x014] DeviceNode : 0x89df5350 [Type: void *]
[+0x018] AttachedTo : 0x0 [Type: _DEVICE_OBJECT *]
[+0x01c] StartIoCount : 0 [Type: long]
[+0x020] StartIoKey : 0 [Type: long]
[+0x024] StartIoFlags : 0x0 [Type: unsigned long]
[+0x028] Vpb : 0x0 [Type: _VPB *]
1: kd> dt _device_node 0x89df5350
nt!_DEVICE_NODE
+0x000 Sibling : (null)
+0x004 Child : (null)
+0x008 Parent : 0x89db9ac0 _DEVICE_NODE
+0x00c LastChild : (null)
+0x010 Level : 1
+0x014 Notify : (null)
+0x018 State : 302 ( DeviceNodeInitialized )
+0x01c PreviousState : 301 ( DeviceNodeUninitialized )
+0x020 StateHistory : [20] 301 ( DeviceNodeUninitialized )
+0x070 StateHistoryEntry : 1
+0x074 CompletionStatus : 0n0
+0x078 PendingIrp : (null)
+0x07c Flags : 0x11
+0x080 UserFlags : 0
+0x084 Problem : 0
+0x088 PhysicalDeviceObject : 0x89df54a8 _DEVICE_OBJECT
+0x08c ResourceList : (null)
+0x090 ResourceListTranslated : (null)
+0x094 InstancePath : _UNICODE_STRING "Root\SYSTEM\0001"
+0x09c ServiceName : _UNICODE_STRING "update"
+0x0a4 DuplicatePDO : (null)
+0x0a8 ResourceRequirements : (null)
+0x0ac InterfaceType : 0xffffffff (No matching name)
+0x0b0 BusNumber : 0xffffffff
+0x0b4 ChildInterfaceType : 0xffffffff (No matching name)
+0x0b8 ChildBusNumber : 0xffffffff
+0x0bc ChildBusTypeIndex : 0xffff
+0x0be RemovalPolicy : 0 ''
+0x0bf HardwareRemovalPolicy : 0 ''
+0x0c0 TargetDeviceNotify : _LIST_ENTRY [ 0x89df5410 - 0x89df5410 ]
+0x0c8 DeviceArbiterList : _LIST_ENTRY [ 0x89df5418 - 0x89df5418 ]
+0x0d0 DeviceTranslatorList : _LIST_ENTRY [ 0x89df5420 - 0x89df5420 ]
+0x0d8 NoTranslatorMask : 0
+0x0da QueryTranslatorMask : 0
+0x0dc NoArbiterMask : 0
+0x0de QueryArbiterMask : 0
+0x0e0 OverUsed1 : __unnamed
+0x0e4 OverUsed2 : __unnamed
+0x0e8 BootResources : (null)
+0x0ec CapabilityFlags : 0
+0x0f0 DockInfo : __unnamed
+0x100 DisableableDepends : 0
+0x104 PendedSetInterfaceState : _LIST_ENTRY [ 0x89df5454 - 0x89df5454 ]
+0x10c LegacyBusListEntry : _LIST_ENTRY [ 0x89df545c - 0x89df545c ]

Part 4: the registry information for the last node; the device object and device node were added based on this information!!!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\SYSTEM\0001]
"Class"="System"
"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"
"ConfigFlags"=dword:00000000
"HardwareID"=hex(7):72,00,6f,00,6f,00,74,00,5c,00,75,00,70,00,64,00,61,00,74,\
00,65,00,00,00,00,00
"Service"="update"
"Capabilities"=dword:00000000
"Driver"="{4D36E97D-E325-11CE-BFC1-08002BE10318}\\0002"
"Mfg"="(Standard system devices)"
"DeviceDesc"="Microcode Update Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\SYSTEM\0001\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\SYSTEM\0001\Control]
"ActiveService"="Update"
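As an added example (not part of the original post and not from root.reg itself), the following Python parser reads a .reg export like the one above, decodes the hex(7) HardwareID into its REG_MULTI_SZ strings, and lists each Root\<Class>\<Instance> key with its Service, which is the same pair that appeared as InstancePath / ServiceName in the _DEVICE_NODE dumps. SAMPLE_REG is constructed from the key shown on the page; the function names are my own.

```python
import re
# Constructed sample: the Enum\Root\SYSTEM\0001 export shown on the page, trimmed.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\SYSTEM\0001]
"HardwareID"=hex(7):72,00,6f,00,6f,00,74,00,5c,00,75,00,70,00,64,00,61,00,74,\
  00,65,00,00,00,00,00
"Service"="update"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\SYSTEM\0001\Control]
"ActiveService"="Update"
'''
ENUM_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" + "\\"

def _logical_lines(text):  # join .reg continuation lines (trailing backslash)
    buf = ""
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            yield buf + line
            buf = ""

def decode_value(value):  # "string", dword:, hex(7): (REG_MULTI_SZ) or hex: (REG_BINARY)
    if value.startswith('"'):
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", value)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        # hex(7) is REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated
        return [s for s in data.decode("utf-16-le").split("\0") if s] if m.group(1) == "7" else data
    return value

def parse_reg(text):  # -> {key path: {value name: decoded value}}
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys

def root_instances(keys):  # Root\<Class>\<Instance> -> Service (DEVICE_NODE InstancePath/ServiceName)
    out = {}
    for path, values in keys.items():
        rel = path[len(ENUM_PREFIX):] if path.startswith(ENUM_PREFIX) else ""
        if rel.upper().startswith("ROOT\\") and rel.count("\\") == 2 and "Service" in values:
            out[rel] = values["Service"]
    return out
```

Run root_instances(parse_reg(open("root.reg", encoding="utf-16").read())) on the real export to get the full Root instance list, and compare it against the PnpManager device list to spot a root-enumerated device whose Service does not match what the registry says.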
