
Who creates the volume device?

yu_shang Member Posts: 12

Take the following example: who creates the PDOs:
1. 0xffffe20b12e65b20
2. 0xffffe20b12e66b20
3. 0xffffe20b12e67b20
4. 0xffffe20b12e68b20
By volmgr? But I never found how it responds to the BusRelations. Many thanks!!!

1: kd> !devnode 0 1 volmgr
Dumping IopRootDeviceNode (= 0xffffe20b127ac9b0)
DevNode 0xffffe20b1278a9b0 for PDO 0xffffe20b126b4d80
  InstancePath is "ROOT\volmgr\0000"
  ServiceName is "volmgr"
  State = DeviceNodeStarted (0x308)
  Previous State = DeviceNodeEnumerateCompletion (0x30d)
  DevNode 0xffffe20b12e6aad0 for PDO 0xffffe20b12e65b20 // 1
    InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000000100000"
    ServiceName is "volume"
    TargetDeviceNotify List - f 0xffffce09bff437d0  b 0xffffce09bfb04d10
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeStartPostWork (0x307)
  DevNode 0xffffe20b12e6ead0 for PDO 0xffffe20b12e66b20 // 2
    InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#000000001F400000"
    ServiceName is "volume"
    TargetDeviceNotify List - f 0xffffce09bff434c0  b 0xffffce09bfb04840
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeStartPostWork (0x307)
  DevNode 0xffffe20b12e6fad0 for PDO 0xffffe20b12e67b20 // 3
    InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000025700000"
    ServiceName is "volume"
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeStartPostWork (0x307)
  DevNode 0xffffe20b12e70ad0 for PDO 0xffffe20b12e68b20 // 4
    InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000026700000"
    ServiceName is "volume"
    TargetDeviceNotify List - f 0xffffce09bff43d80  b 0xffffce09bfb048b0
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeStartPostWork (0x307)

Comments

  • Tai-Hing_Tse Member - All Emails Posts: 21

    These PDOs are created by Volmgr.

  • yu_shang Member Posts: 12

    @Tai-Hing_Tse said:
    These PDOs are created by Volmgr.

    Then how does Volmgr return these PDOs to the PnP Manager? By means of BusRelations? It seems that Volmgr only processes the cases of PowerRelations and TargetDeviceRelation, and ignores the other cases.

  • Scott_Noone_(OSR) Administrator Posts: 3,343

    That doesn't sound right to me. How did you determine that it doesn't support BusRelations?

    -scott
    OSR

  • yu_shang Member Posts: 12
    edited September 9

    @Scott_Noone_(OSR) said:
    That doesn't sound right to me. How did you determine that it doesn't support BusRelations?

    This is my commented volmgr!VmPnp. Starting at offset volmgr!VmPnp+0xdd is the logic where volmgr processes IRP_MN_QUERY_DEVICE_RELATIONS; there is no logic for BusRelations.

    ...
    ;IRP_MN_QUERY_DEVICE_RELATIONS
    volmgr!VmPnp+0xdd:
    ;eax=_IO_STACK_LOCATION.Parameters.QueryDeviceRelations.Type
    fffff808`4e4cc0ed 8b4708          mov     eax,dword ptr [rdi+8]
    fffff808`4e4cc0f0 83f802          cmp     eax,2                     ;PowerRelations
    fffff808`4e4cc0f3 0f8436020000    je      volmgr!VmPnp+0x31f (fffff808`4e4cc32f)  Branch
    
    volmgr!VmPnp+0xe9:
    fffff808`4e4cc0f9 488d7230        lea     rsi,[rdx+30h]             ;_IRP.IoStatus
    fffff808`4e4cc0fd 83f804          cmp     eax,4                                           ;TargetDeviceRelation
    fffff808`4e4cc100 0f859c000000    jne     volmgr!VmPnp+0x192 (fffff808`4e4cc1a2)  Branch
    
    volmgr!VmPnp+0xf6:
    fffff808`4e4cc106 8d500c          lea     edx,[rax+0Ch]
    fffff808`4e4cc109 41b8564d2020    mov     r8d,20204D56h
    fffff808`4e4cc10f 418bce          mov     ecx,r14d
    fffff808`4e4cc112 48ff15ffdeffff  call    qword ptr [volmgr!_imp_ExAllocatePoolWithTag (fffff808`4e4ca018)]
    fffff808`4e4cc119 0f1f440000      nop     dword ptr [rax+rax]
    fffff808`4e4cc11e 48894530        mov     qword ptr [rbp+30h],rax   ;_DEVICE_RELATIONS
    fffff808`4e4cc122 4885c0          test    rax,rax
    fffff808`4e4cc125 0f8470480000    je      volmgr!VmPnp+0x498b (fffff808`4e4d099b)  Branch
    ...
    volmgr!VmPnp+0x15e:
    fffff808`4e4cc16e 33d2            xor     edx,edx
    fffff808`4e4cc170 488bcb          mov     rcx,rbx
    ;complete the _IRP
    fffff808`4e4cc173 48ff155ee1ffff  call    qword ptr [volmgr!_imp_IofCompleteRequest (fffff808`4e4ca2d8)]
    fffff808`4e4cc17a 0f1f440000      nop     dword ptr [rax+rax]
    fffff808`4e4cc17f 8bc7            mov     eax,edi
    
    volmgr!VmPnp+0x171:
    fffff808`4e4cc181 488b5c2468      mov     rbx,qword ptr [rsp+68h]
    fffff808`4e4cc186 488b742470      mov     rsi,qword ptr [rsp+70h]
    fffff808`4e4cc18b 488b7c2478      mov     rdi,qword ptr [rsp+78h]
    fffff808`4e4cc190 4883c430        add     rsp,30h
    fffff808`4e4cc194 415f            pop     r15
    fffff808`4e4cc196 415e            pop     r14
    fffff808`4e4cc198 415d            pop     r13
    fffff808`4e4cc19a 415c            pop     r12
    fffff808`4e4cc19c 5d              pop     rbp
    fffff808`4e4cc19d c3              ret
    ...
    volmgr!VmPnp+0x192:
    fffff808`4e4cc1a2 8b3e            mov     edi,dword ptr [rsi]
    fffff808`4e4cc1a4 ebc8            jmp     volmgr!VmPnp+0x15e (fffff808`4e4cc16e)  Branch
    
  • Scott_Noone_(OSR) Administrator Posts: 3,343

    What version of Windows? On Win10 2004 I see this path to deal with BusRelations:

        Information from resource tables:
            CompanyName:      Microsoft Corporation
            ProductName:      Microsoft® Windows® Operating System
            InternalName:     volmgr.sys
            OriginalFilename: volmgr.sys
            ProductVersion:   10.0.19041.1
            FileVersion:      10.0.19041.1 (WinBuild.160101.0800)
            FileDescription:  Volume Manager Driver
            LegalCopyright:   © Microsoft Corporation. All rights reserved.
    
    volmgr!VmPnp+0x243:
    fffff803`0ffdc8f3 cmp     dword ptr [rdi+8],r13d ; @r13 == 0 == BusRelations
    fffff803`0ffdc8f7 jne     volmgr!VmPnp+0x30d7 (fffff803`0ffdf787)  Branch
    
    volmgr!VmPnp+0x24d:
    fffff803`0ffdc8fd mov     rcx,rsi
    fffff803`0ffdc900 call    volmgr!VmpAcquireDevices (fffff803`0ffd2a14)
    fffff803`0ffdc905 lea     rdi,[rsi+0D0h]
    fffff803`0ffdc90c mov     r15d,r13d
    fffff803`0ffdc90f mov     rax,qword ptr [rdi]
    fffff803`0ffdc912 mov     r14d,1
    fffff803`0ffdc918 jmp     volmgr!VmPnp+0x270 (fffff803`0ffdc920)  Branch
    
    volmgr!VmPnp+0x26a:
    fffff803`0ffdc91a mov     rax,qword ptr [rax]
    fffff803`0ffdc91d add     r15d,r14d
    
    volmgr!VmPnp+0x270:
    fffff803`0ffdc920 cmp     rax,rdi
    fffff803`0ffdc923 jne     volmgr!VmPnp+0x26a (fffff803`0ffdc91a)  Branch
    
    volmgr!VmPnp+0x275:
    fffff803`0ffdc925 lea     edx,[r15*8+8]
    fffff803`0ffdc92d mov     r8d,20204D56h
    fffff803`0ffdc933 mov     ecx,r14d
    fffff803`0ffdc936 mov     r10,qword ptr [volmgr!_imp_ExAllocatePoolWithTag (fffff803`0ffda370)]
    fffff803`0ffdc93d call    nt!ExAllocatePoolWithTag (fffff803`0bfc1030)
    fffff803`0ffdc942 mov     qword ptr [rbp+30h],rax
    fffff803`0ffdc946 test    rax,rax
    fffff803`0ffdc949 je      volmgr!VmPnp+0x2ff8 (fffff803`0ffdf6a8)  Branch
    
    

    The code then goes on to fill in the allocation, reference the device objects, and pass the IRP down the stack. Here's the call stack leading to this point in case it helps:

     # Child-SP          RetAddr           Call Site
    00 ffff9a02`f2c06e80 fffff803`0b846d25 volmgr!VmPnp+0x247
    01 ffff9a02`f2c06ee0 fffff803`0bd5852e nt!IofCallDriver+0x55
    02 ffff9a02`f2c06f20 fffff803`0b8f05ca nt!PnpAsynchronousCall+0xea
    03 ffff9a02`f2c06f60 fffff803`0bd30959 nt!PnpSendIrp+0x9e
    04 ffff9a02`f2c06fd0 fffff803`0bd308c0 nt!PnpQueryDeviceRelations+0x51
    05 ffff9a02`f2c07060 fffff803`0bd2ad11 nt!PipEnumerateDevice+0xc8
    06 ffff9a02`f2c07090 fffff803`0b95bc47 nt!PipProcessDevNodeTree+0x191
    07 ffff9a02`f2c07150 fffff803`0b95b81f nt!PnpDeviceActionWorker+0x3c7
    08 ffff9a02`f2c07210 fffff803`0c06464e nt!PnpRequestDeviceAction+0x37b
    09 ffff9a02`f2c07280 fffff803`0c04a4e0 nt!IopInitializeBootDrivers+0x7e2
    0a ffff9a02`f2c07430 fffff803`0c072aa9 nt!IoInitSystemPreDrivers+0xb24
    0b ffff9a02`f2c07570 fffff803`0bda299b nt!IoInitSystem+0x15
    0c ffff9a02`f2c075a0 fffff803`0b946715 nt!Phase1Initialization+0x3b
    0d ffff9a02`f2c075d0 fffff803`0b9e5078 nt!PspSystemThreadStartup+0x55
    0e ffff9a02`f2c07620 00000000`00000000 nt!KiStartSystemThread+0x28
    

    -scott
    OSR
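
The BusRelations handling described in the post above (count the child list, allocate `count*8+8` bytes, fill in the array and reference each device object), modelled in user-mode C. This is an added example, not volmgr's code and not something posted in the thread; the lower-case types, the `volume` record and the `refcount` field are hypothetical stand-ins for the WDK's `LIST_ENTRY`, `DEVICE_OBJECT` and `DEVICE_RELATIONS`, and the overflow check is part of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* User-mode stand-ins; the WDK's DEVICE_RELATIONS declares Objects[1]. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;
typedef struct { long refcount; } device_object;            /* hypothetical */
typedef struct { uint32_t count; device_object *objects[]; } device_relations;
typedef struct { list_entry link; device_object *pdo; } volume; /* hypothetical */

/* Walk the circular list until we are back at the head, as at VmPnp+0x26a. */
static uint32_t count_children(const list_entry *head) {
    uint32_t n = 0;
    for (const list_entry *e = head->flink; e != head; e = e->flink) n++;
    return n;
}

/* Header up to objects[] plus one pointer per child; 0 signals overflow. */
static size_t relations_size(uint32_t n) {
    size_t hdr = offsetof(device_relations, objects);
    if (n > (SIZE_MAX - hdr) / sizeof(device_object *)) return 0;
    return hdr + (size_t)n * sizeof(device_object *);
}

/* Build the BusRelations reply; NULL models the allocation-failure branch. */
static device_relations *build_bus_relations(list_entry *head) {
    size_t size = relations_size(count_children(head));
    device_relations *rel = size ? malloc(size) : NULL;
    if (!rel) return NULL;
    rel->count = 0;
    for (list_entry *e = head->flink; e != head; e = e->flink) {
        volume *v = (volume *)((char *)e - offsetof(volume, link));
        v->pdo->refcount++;              /* stands in for ObReferenceObject */
        rel->objects[rel->count++] = v->pdo;
    }
    return rel;
}

int main(void) {     /* constructed input: four child volumes */
    list_entry head = { &head, &head };
    device_object d[4] = {{0}}; volume v[4];
    for (int i = 0; i < 4; i++) {        /* InsertTailList equivalent */
        v[i].pdo = &d[i];
        v[i].link.flink = &head; v[i].link.blink = head.blink;
        head.blink->flink = &v[i].link; head.blink = &v[i].link;
    }
    device_relations *r = build_bus_relations(&head);
    int ok = r && r->count == 4 && r->objects[3] == &d[3];
    return free(r), !ok;
}
```

In a real bus driver the PnP manager frees the `DEVICE_RELATIONS` buffer and drops the references, which is why each PDO is referenced before it is placed in the array.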

  • yu_shang Member Posts: 12
    edited September 9

    The information from the resource tables of volmgr is blank; the information from the resource tables of nt is (LTSC):

    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntkrnlmp.exe
    OriginalFilename: ntkrnlmp.exe
    ProductVersion:   10.0.17763.107
    FileVersion:      10.0.17763.107 (WinBuild.160101.0800)
    FileDescription:  NT Kernel & System
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
    

    and I break on VmPnp as follows

    bp volmgr!VmPnp ".if(by(poi(@rdx+0B8h)+1)==7 & by(poi(@rdx+0B8h)+8)==0) {k;gc;} .else {gc;}"
    

    got the following call stack (same as yours)

     # Child-SP          RetAddr           Call Site
    00 ffffee8d`ba206468 fffff806`306da189 volmgr!VmPnp
    01 ffffee8d`ba206470 fffff806`30c8254e nt!IofCallDriver+0x59
    02 ffffee8d`ba2064b0 fffff806`306aaf01 nt!PnpAsynchronousCall+0xea
    03 ffffee8d`ba2064f0 fffff806`30c6d48d nt!PnpSendIrp+0x95
    04 ffffee8d`ba206560 fffff806`30c6d3f4 nt!PnpQueryDeviceRelations+0x51
    05 ffffee8d`ba2065f0 fffff806`30c6c023 nt!PipEnumerateDevice+0xc8
    06 ffffee8d`ba206620 fffff806`3077900b nt!PipProcessDevNodeTree+0x187
    07 ffffee8d`ba2066e0 fffff806`30778c03 nt!PnpDeviceActionWorker+0x3ab
    08 ffffee8d`ba2067a0 fffff806`30f6e705 nt!PnpRequestDeviceAction+0x29f
    09 ffffee8d`ba206810 fffff806`30f5622e nt!IopInitializeBootDrivers+0x779
    0a ffffee8d`ba206a70 fffff806`30f730ed nt!IoInitSystemPreDrivers+0xa52
    0b ffffee8d`ba206bb0 fffff806`30ccba82 nt!IoInitSystem+0x9
    0c ffffee8d`ba206be0 fffff806`307406c5 nt!Phase1Initialization+0x42
    0d ffffee8d`ba206c10 fffff806`307d749c nt!PspSystemThreadStartup+0x55
    0e ffffee8d`ba206c60 00000000`00000000 nt!KiStartSystemThread+0x1c
    
  • yu_shang Member Posts: 12

    It's an LTSC Windows

    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     ntkrnlmp.exe
        OriginalFilename: ntkrnlmp.exe
        ProductVersion:   10.0.17763.107
        FileVersion:      10.0.17763.107 (WinBuild.160101.0800)
        FileDescription:  NT Kernel & System
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    

    by

    bp volmgr!VmPnp ".if(by(poi(@rdx+0B8h)+1)==7 & by(poi(@rdx+0B8h)+8)==0) {k;gc;} .else {gc;}"
    

    got the same call stack

     # Child-SP          RetAddr           Call Site
    00 ffffee8d`ba206468 fffff806`306da189 volmgr!VmPnp
    01 ffffee8d`ba206470 fffff806`30c8254e nt!IofCallDriver+0x59
    02 ffffee8d`ba2064b0 fffff806`306aaf01 nt!PnpAsynchronousCall+0xea
    03 ffffee8d`ba2064f0 fffff806`30c6d48d nt!PnpSendIrp+0x95
    04 ffffee8d`ba206560 fffff806`30c6d3f4 nt!PnpQueryDeviceRelations+0x51
    05 ffffee8d`ba2065f0 fffff806`30c6c023 nt!PipEnumerateDevice+0xc8
    06 ffffee8d`ba206620 fffff806`3077900b nt!PipProcessDevNodeTree+0x187
    07 ffffee8d`ba2066e0 fffff806`30778c03 nt!PnpDeviceActionWorker+0x3ab
    08 ffffee8d`ba2067a0 fffff806`30f6e705 nt!PnpRequestDeviceAction+0x29f
    09 ffffee8d`ba206810 fffff806`30f5622e nt!IopInitializeBootDrivers+0x779
    0a ffffee8d`ba206a70 fffff806`30f730ed nt!IoInitSystemPreDrivers+0xa52
    0b ffffee8d`ba206bb0 fffff806`30ccba82 nt!IoInitSystem+0x9
    0c ffffee8d`ba206be0 fffff806`307406c5 nt!Phase1Initialization+0x42
    0d ffffee8d`ba206c10 fffff806`307d749c nt!PspSystemThreadStartup+0x55
    0e ffffee8d`ba206c60 00000000`00000000 nt!KiStartSystemThread+0x1c
    
  • yu_shang Member Posts: 12

    Sorry for my carelessness. I found it.
