
Analysis of the nt!WMIInitialize function: creation of the WMIAdminDevice and WMIDataDevice device objects

1: kd> p
Breakpoint 39 hit
eax=f789a68c ebx=00000000 ecx=0000001e edx=f789a68c esi=00000001 edi=00000000
eip=80c61426 esp=f789a678 ebp=f789a694 iopl=0 nv up ei pl nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000207
nt!IoCreateDriver:
80c61426 55 push ebp
1: kd> kc
#
00 nt!IoCreateDriver
01 nt!WMIInitialize
02 nt!IoInitSystem
03 nt!Phase1Initialization
04 nt!PspSystemThreadStartup
05 nt!KiThreadStartup
1: kd> gu
Breakpoint 4 hit
eax=f789a5a8 ebx=00000000 ecx=0000002a edx=f789a5a8 esi=89983180 edi=00000100
eip=80c63538 esp=f789a564 ebp=f789a5b4 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000203
nt!IoCreateDevice:
80c63538 55 push ebp
1: kd> kc
#
00 nt!IoCreateDevice
01 nt!WmipDriverEntry
02 nt!IoCreateDriver
03 nt!WMIInitialize
04 nt!IoInitSystem
05 nt!Phase1Initialization
06 nt!PspSystemThreadStartup
07 nt!KiThreadStartup
1: kd> gu
eax=00000000 ebx=00000000 ecx=899c1878 edx=899c1854 esi=89983180 edi=00000100
eip=80e8d224 esp=f789a584 ebp=f789a5b4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!WmipDriverEntry+0xd2:
80e8d224 3bc3 cmp eax,ebx
1: kd> gu
Breakpoint 4 hit
eax=f789a5a8 ebx=00000000 ecx=0000002c edx=f789a5a8 esi=89983180 edi=00000100
eip=80c63538 esp=f789a564 ebp=f789a5b4 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000203
nt!IoCreateDevice:
80c63538 55 push ebp
1: kd> gu
eax=00000000 ebx=00000000 ecx=899c1758 edx=899c1734 esi=89983180 edi=00000100
eip=80e8d288 esp=f789a584 ebp=f789a5b4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!WmipDriverEntry+0x136:
80e8d288 8bf8 mov edi,eax
1: kd> dv
DriverObject = 0x00000000
RegistryPath = 0x00000000
ServiceSymbolicLinkName = "\DosDevices\WMIDataDevice"
AnsiString = struct _STRING "\Registry\Machine\System\CurrentControlSet\Services\WMI"
DeviceName = "\Device\WMIAdminDevice"
Status = 0n0
AdminSymbolicLinkName = ""
AdminDeviceSd = 0xe10011a8
1: kd> gu
eax=00000000 ebx=89983180 ecx=00000000 edx=00000000 esi=80e8c67a edi=00000000
eip=80c61625 esp=f789a5c4 ebp=f789a674 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IoCreateDriver+0x1ff:
80c61625 8bf0 mov esi,eax
1: kd> gu
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000001 edi=00000000
eip=80e8c713 esp=f789a684 ebp=f789a694 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!WMIInitialize+0x61:
80e8c713 8bf0 mov esi,eax
1: kd> kc
#
00 nt!WMIInitialize
01 nt!IoInitSystem
02 nt!Phase1Initialization
03 nt!PspSystemThreadStartup
04 nt!KiThreadStartup

1: kd> !object \driver
Object: e127b3d0 Type: (899a2e70) Directory
ObjectHeader: e127b3b8 (old version)
HandleCount: 0 PointerCount: 4
Directory Object: e10007c0 Name: Driver

Hash Address Type Name
---- ------- ---- ----
18 89983180 Driver WMIxWDM
899833a8 Driver ACPI_HAL
33 899873b0 Driver PnpManager
1: kd> !object 89983180
Object: 89983180 Type: (89987ac0) Driver
ObjectHeader: 89983168 (old version)
HandleCount: 0 PointerCount: 517
Directory Object: e127b3d0 Name: WMIxWDM
1: kd> !drvobj 89983180
Driver object (89983180) is for:
\Driver\WMIxWDM

Driver Extension List: (id , addr)

Device Object list:
899c1758 899c1878

1: kd> !object \device
Object: e1003278 Type: (899a2e70) Directory
ObjectHeader: e1003260 (old version)
HandleCount: 0 PointerCount: 50
Directory Object: e10007c0 Name: Device

Hash Address Type Name
---- ------- ---- ----
00 899c2948 Device 00000025
899c36f8 Device 00000019
01 899c26f8 Device 00000026
02 899c24a8 Device 00000027
03 899c1758 Device WMIAdminDevice
899c2258 Device 00000028
04 89983f10 Device 00000029
05 899c4b98 Device 0000000a
06 899c4948 Device 0000000b
07 899c1878 Device WMIDataDevice
899c46f8 Device 0000000c
08 899c34a8 Device 0000001a
899c44a8 Device 0000000d
09 899c3258 Device 0000001b
899c4258 Device 0000000e
10 89984f10 Device 0000001c
89985f10 Device 0000000f
11 89984cc0 Device 0000001d
12 89983cc0 Device 0000002a
89984a70 Device 0000001e
13 89983a70 Device 0000002b
89984820 Device 0000001f
14 89983820 Device 0000002c
15 899835d0 Device 0000002d
17 899c1de0 Device 0000002f
26 899c59a8 Device 00000001
27 89986e90 Device 00000002
28 89985cc0 Device 00000010
89986c40 Device 00000003
29 89985a70 Device 00000011
899869f0 Device 00000004
30 89985820 Device 00000012
899867a0 Device 00000005
e1001680 Section PhysicalMemory
31 899855d0 Device 00000013
89986510 Device 00000006
32 899845d0 Device 00000020
89985380 Device 00000014
899862c0 Device 00000007
33 89984380 Device 00000021
899c3038 Device 00000015
899c4038 Device 00000008
34 899c2038 Device 00000022
899c3de8 Device 00000016
899c4de8 Device 00000009
35 899c2de8 Device 00000023
899c3b98 Device 00000017
36 899c2b98 Device 00000024
899c3948 Device 00000018
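
Added example (not part of the original post): the session above matches the two addresses under "Device Object list" in the `!drvobj` output against the `!object \device` listing by eye. This sketch does the same lookup in code, which helps when auditing which of a driver's device objects are exposed by name. The function names are hypothetical and the sample input is a constructed excerpt of the output shown above.

```python
import re

# Constructed sample: excerpts of the `!object \device` and `!drvobj` output above.
DIRECTORY_DUMP = """\
Hash Address Type Name
---- ------- ---- ----
03 899c1758 Device WMIAdminDevice
899c2258 Device 00000028
07 899c1878 Device WMIDataDevice
30 89985820 Device 00000012
899867a0 Device 00000005
e1001680 Section PhysicalMemory
"""
DRVOBJ_DUMP = """\
Device Object list:
899c1758 899c1878
"""

# Optional two-digit hash bucket, then address, object type, object name.
ROW = re.compile(r"^(?:(\d{2})\s+)?([0-9a-f]{8})\s+(\S+)\s+(\S.*)$")

def parse_directory(text):
    """Map address -> (bucket, type, name) for an `!object <directory>` listing."""
    entries, bucket = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        if m.group(1) is not None:
            bucket = int(m.group(1))
        # A row without a Hash column shares the bucket of the row above it.
        entries[int(m.group(2), 16)] = (bucket, m.group(3), m.group(4))
    return entries

def parse_drvobj_devices(text):
    """Addresses following 'Device Object list:' up to the next blank line."""
    _, _, tail = text.partition("Device Object list:")
    block = tail.lstrip("\n").split("\n\n", 1)[0]
    return [int(a, 16) for a in re.findall(r"\b[0-9a-f]{8}\b", block)]

def named_devices(drvobj_text, directory_text):
    """Resolve each device object of the driver to its name in the directory."""
    directory = parse_directory(directory_text)
    return {hex(a): directory.get(a, (None, None, "<unnamed>"))[2]
            for a in parse_drvobj_devices(drvobj_text)}
```
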
