当前位置：首页 > news >正文

nt!PiProcessNewDeviceNode函数中nt!PiCreateDeviceInstanceKey

news 2026/3/27 5:36:14

NTSTATUS
PiProcessNewDeviceNode(
IN PDEVICE_NODE DeviceNode
)
{
//
// Build the device instance path and create the instance key.
//
status = PiBuildDeviceNodeInstancePath(DeviceNode, busID, deviceID, instanceID);
if (NT_SUCCESS(status)) {

status = PiCreateDeviceInstanceKey(DeviceNode, &instanceKey, &disposition);
}

0: kd> kc
#
00 nt!PiCreateDeviceInstanceKey
01 nt!PiProcessNewDeviceNode
02 nt!PipProcessDevNodeTree
03 nt!PipDeviceActionWorker
04 nt!PipRequestDeviceAction
05 nt!IopInitializeBootDrivers
06 nt!IoInitSystem
07 nt!Phase1Initialization
08 nt!PspSystemThreadStartup
09 nt!KiThreadStartup
0: kd> dv
DeviceNode = 0x894ffea8
InstanceKey = 0xf789a388
Disposition = 0xf789a35c
keyValueInformation = 0x00000008
status = 0n0
unicodeString = ""
enumHandle = 0x80c9069c

status = IopOpenRegistryKeyEx(
&enumHandle,
NULL,
&CmRegistryMachineSystemCurrentControlSetEnumName,
KEY_ALL_ACCESS
);

0: kd> dv enumHandle
enumHandle = 0x80000244
0: kd> !handle 244

PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 33.
Image: System

Kernel handle table at e1000e38 with 33 entries in use

0244: Object: e127f5e0 GrantedAccess: 000f003f Entry: e1004488
Object: e127f5e0 Type: (89996048) Key
ObjectHeader: e127f5c8 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\ENUM

if (NT_SUCCESS(status)) {

status = IopCreateRegistryKeyEx(
InstanceKey,
enumHandle,
&DeviceNode->InstancePath,
KEY_ALL_ACCESS,
REG_OPTION_NON_VOLATILE,
Disposition
);
if (NT_SUCCESS(status)) {

0: kd> dv InstanceKey
InstanceKey = 0xf789a388
0: kd> dx -r1 ((ntkrnlmp!void * *)0xf789a388)
((ntkrnlmp!void * *)0xf789a388) : 0xf789a388 [Type: void * *]
0x80000214 [Type: void *]
0: kd> !handle 214

PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 34.
Image: System

Kernel handle table at e1000e38 with 34 entries in use

0214: Object: e1271ae0 GrantedAccess: 000f003f Entry: e1004428
Object: e1271ae0 Type: (89996048) Key
ObjectHeader: e1271ac8 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\2&DABA3FF&0

0: kd> dv Disposition
Disposition = 0xf789a35c
0: kd> dx -r1 ((ntkrnlmp!unsigned long *)0xf789a35c)
((ntkrnlmp!unsigned long *)0xf789a35c) : 0xf789a35c : 0x2 [Type: unsigned long *]
0x2 [Type: unsigned long]

通过文本模式设置迁移的键值应被视为“新键”。迁移的键值可通过设备实例键值下是否存在非零的REG_DWORD值“Migrated”来识别。
if (NT_SUCCESS(status)) {
//
// Keys migrated by textmode setup should be treated as "new".
// Migrated keys are identified by the presence of non-zero
// REG_DWORD value "Migrated" under the device instance key.
//
if (*Disposition != REG_CREATED_NEW_KEY) {

D:\srv03rtm\public\sdk\inc/winnt.h:9079:#define REG_CREATED_NEW_KEY (0x00000001L) // New Registry Key created

//
// Key creation/open disposition
//

#define REG_CREATED_NEW_KEY (0x00000001L) // New Registry Key created
#define REG_OPENED_EXISTING_KEY (0x00000002L) // Existing Key opened

if (*Disposition != REG_CREATED_NEW_KEY) {

keyValueInformation = NULL;
IopGetRegistryValue(
*InstanceKey,
REGSTR_VALUE_MIGRATED,
&keyValueInformation);
if (keyValueInformation) {

0: kd> p
eax=c0000034 ebx=f789a35c ecx=00030001 edx=00020000 esi=f789a388 edi=00000000
eip=80c9079f esp=f789a2ac ebp=f789a2cc iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!PiCreateDeviceInstanceKey+0x103:
80c9079f 8b45fc mov eax,dword ptr [ebp-4] ss:0010:f789a2c8=00000000
0: kd> dv keyValueInformation
keyValueInformation = 0x00000000

查看全文

http://www.jsqmd.com/news/346310/