Who creates the volume device?

Take the following example: who creates the PDOs?

  1. 0xffffe20b12e65b20
  2. 0xffffe20b12e66b20
  3. 0xffffe20b12e67b20
  4. 0xffffe20b12e68b20

By volmgr? But I never found how it responds to BusRelations. Many thanks!!!

1: kd> !devnode 0 1 volmgr
Dumping IopRootDeviceNode (= 0xffffe20b127ac9b0)
DevNode 0xffffe20b1278a9b0 for PDO 0xffffe20b126b4d80
  InstancePath is "ROOT\volmgr\0000"
  ServiceName is "volmgr"
  State = DeviceNodeStarted (0x308)
  Previous State = DeviceNodeEnumerateCompletion (0x30d)
  DevNode 0xffffe20b12e6aad0 for PDO 0xffffe20b12e65b20	// 1
    InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000000100000"
    ServiceName is "volume"
    TargetDeviceNotify List - f 0xffffce09bff437d0  b 0xffffce09bfb04d10
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeStartPostWork (0x307)
  DevNode 0xffffe20b12e6ead0 for PDO 0xffffe20b12e66b20	// 2
    InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#000000001F400000"
    ServiceName is "volume"
    TargetDeviceNotify List - f 0xffffce09bff434c0  b 0xffffce09bfb04840
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeStartPostWork (0x307)
  DevNode 0xffffe20b12e6fad0 for PDO 0xffffe20b12e67b20	// 3
    InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000025700000"
    ServiceName is "volume"
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeStartPostWork (0x307)
  DevNode 0xffffe20b12e70ad0 for PDO 0xffffe20b12e68b20	// 4
    InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000026700000"
    ServiceName is "volume"
    TargetDeviceNotify List - f 0xffffce09bff43d80  b 0xffffce09bfb048b0
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeStartPostWork (0x307)

These PDOs are created by Volmgr.

@Tai-Hing_Tse said:
These PDOs are created by Volmgr.

Then how does Volmgr return these PDOs to the PnP manager? By means of BusRelations? It seems that Volmgr only processes the cases of PowerRelations and TargetDeviceRelation, and ignores the other cases.

That doesn’t sound right to me. How did you determine that it doesn’t support BusRelations?

@“Scott_Noone_(OSR)” said:
That doesn’t sound right to me. How did you determine that it doesn’t support BusRelations?
This is my commented volmgr!VmPnp. Starting at offset volmgr!VmPnp+0xdd is the logic where volmgr processes IRP_MN_QUERY_DEVICE_RELATIONS; there is no logic for BusRelations.

...
;IRP_MN_QUERY_DEVICE_RELATIONS
volmgr!VmPnp+0xdd:
;eax=_IO_STACK_LOCATION.Parameters.QueryDeviceRelations.Type
fffff808`4e4cc0ed 8b4708          mov     eax,dword ptr [rdi+8]
fffff808`4e4cc0f0 83f802          cmp     eax,2                   ;PowerRelations
fffff808`4e4cc0f3 0f8436020000    je      volmgr!VmPnp+0x31f (fffff808`4e4cc32f)  Branch

volmgr!VmPnp+0xe9:
fffff808`4e4cc0f9 488d7230        lea     rsi,[rdx+30h]           ;_IRP.IoStatus
fffff808`4e4cc0fd 83f804          cmp     eax,4                   ;TargetDeviceRelation
fffff808`4e4cc100 0f859c000000    jne     volmgr!VmPnp+0x192 (fffff808`4e4cc1a2)  Branch

volmgr!VmPnp+0xf6:
fffff808`4e4cc106 8d500c          lea     edx,[rax+0Ch]
fffff808`4e4cc109 41b8564d2020    mov     r8d,20204D56h
fffff808`4e4cc10f 418bce          mov     ecx,r14d
fffff808`4e4cc112 48ff15ffdeffff  call    qword ptr [volmgr!_imp_ExAllocatePoolWithTag (fffff808`4e4ca018)]
fffff808`4e4cc119 0f1f440000      nop     dword ptr [rax+rax]
fffff808`4e4cc11e 48894530        mov     qword ptr [rbp+30h],rax ;_DEVICE_RELATIONS
fffff808`4e4cc122 4885c0          test    rax,rax
fffff808`4e4cc125 0f8470480000    je      volmgr!VmPnp+0x498b (fffff808`4e4d099b)  Branch
...
volmgr!VmPnp+0x15e:
fffff808`4e4cc16e 33d2            xor     edx,edx
fffff808`4e4cc170 488bcb          mov     rcx,rbx
;complete the _IRP
fffff808`4e4cc173 48ff155ee1ffff  call    qword ptr [volmgr!_imp_IofCompleteRequest (fffff808`4e4ca2d8)]
fffff808`4e4cc17a 0f1f440000      nop     dword ptr [rax+rax]
fffff808`4e4cc17f 8bc7            mov     eax,edi

volmgr!VmPnp+0x171:
fffff808`4e4cc181 488b5c2468      mov     rbx,qword ptr [rsp+68h]
fffff808`4e4cc186 488b742470      mov     rsi,qword ptr [rsp+70h]
fffff808`4e4cc18b 488b7c2478      mov     rdi,qword ptr [rsp+78h]
fffff808`4e4cc190 4883c430        add     rsp,30h
fffff808`4e4cc194 415f            pop     r15
fffff808`4e4cc196 415e            pop     r14
fffff808`4e4cc198 415d            pop     r13
fffff808`4e4cc19a 415c            pop     r12
fffff808`4e4cc19c 5d              pop     rbp
fffff808`4e4cc19d c3              ret
...
volmgr!VmPnp+0x192:
fffff808`4e4cc1a2 8b3e            mov     edi,dword ptr [rsi]
fffff808`4e4cc1a4 ebc8            jmp     volmgr!VmPnp+0x15e (fffff808`4e4cc16e)  Branch

What version of Windows? On Win10 2004 I see this path to deal with BusRelations:

    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     volmgr.sys
        OriginalFilename: volmgr.sys
        ProductVersion:   10.0.19041.1
        FileVersion:      10.0.19041.1 (WinBuild.160101.0800)
        FileDescription:  Volume Manager Driver
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

volmgr!VmPnp+0x243:
fffff803`0ffdc8f3 cmp     dword ptr [rdi+8],r13d ; @r13 == 0 == BusRelations
fffff803`0ffdc8f7 jne     volmgr!VmPnp+0x30d7 (fffff803`0ffdf787)  Branch

volmgr!VmPnp+0x24d:
fffff803`0ffdc8fd mov     rcx,rsi
fffff803`0ffdc900 call    volmgr!VmpAcquireDevices (fffff803`0ffd2a14)
fffff803`0ffdc905 lea     rdi,[rsi+0D0h]
fffff803`0ffdc90c mov     r15d,r13d
fffff803`0ffdc90f mov     rax,qword ptr [rdi]
fffff803`0ffdc912 mov     r14d,1
fffff803`0ffdc918 jmp     volmgr!VmPnp+0x270 (fffff803`0ffdc920)  Branch

volmgr!VmPnp+0x26a:
fffff803`0ffdc91a mov     rax,qword ptr [rax]
fffff803`0ffdc91d add     r15d,r14d

volmgr!VmPnp+0x270:
fffff803`0ffdc920 cmp     rax,rdi
fffff803`0ffdc923 jne     volmgr!VmPnp+0x26a (fffff803`0ffdc91a)  Branch

volmgr!VmPnp+0x275:
fffff803`0ffdc925 lea     edx,[r15*8+8]
fffff803`0ffdc92d mov     r8d,20204D56h
fffff803`0ffdc933 mov     ecx,r14d
fffff803`0ffdc936 mov     r10,qword ptr [volmgr!_imp_ExAllocatePoolWithTag (fffff803`0ffda370)]
fffff803`0ffdc93d call    nt!ExAllocatePoolWithTag (fffff803`0bfc1030)
fffff803`0ffdc942 mov     qword ptr [rbp+30h],rax
fffff803`0ffdc946 test    rax,rax
fffff803`0ffdc949 je      volmgr!VmPnp+0x2ff8 (fffff803`0ffdf6a8)  Branch

The code then goes on to fill in the allocation, reference the device objects, and pass the IRP down the stack. Here’s the call stack leading to this point in case it helps:

 # Child-SP          RetAddr           Call Site
00 ffff9a02`f2c06e80 fffff803`0b846d25 volmgr!VmPnp+0x247
01 ffff9a02`f2c06ee0 fffff803`0bd5852e nt!IofCallDriver+0x55
02 ffff9a02`f2c06f20 fffff803`0b8f05ca nt!PnpAsynchronousCall+0xea
03 ffff9a02`f2c06f60 fffff803`0bd30959 nt!PnpSendIrp+0x9e
04 ffff9a02`f2c06fd0 fffff803`0bd308c0 nt!PnpQueryDeviceRelations+0x51
05 ffff9a02`f2c07060 fffff803`0bd2ad11 nt!PipEnumerateDevice+0xc8
06 ffff9a02`f2c07090 fffff803`0b95bc47 nt!PipProcessDevNodeTree+0x191
07 ffff9a02`f2c07150 fffff803`0b95b81f nt!PnpDeviceActionWorker+0x3c7
08 ffff9a02`f2c07210 fffff803`0c06464e nt!PnpRequestDeviceAction+0x37b
09 ffff9a02`f2c07280 fffff803`0c04a4e0 nt!IopInitializeBootDrivers+0x7e2
0a ffff9a02`f2c07430 fffff803`0c072aa9 nt!IoInitSystemPreDrivers+0xb24
0b ffff9a02`f2c07570 fffff803`0bda299b nt!IoInitSystem+0x15
0c ffff9a02`f2c075a0 fffff803`0b946715 nt!Phase1Initialization+0x3b
0d ffff9a02`f2c075d0 fffff803`0b9e5078 nt!PspSystemThreadStartup+0x55
0e ffff9a02`f2c07620 00000000`00000000 nt!KiStartSystemThread+0x28
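
As an added illustration of the BusRelations path described in the post above (this is not code from the thread and not volmgr's own code), here is a user-mode model in C of what a bus FDO does for IRP_MN_QUERY_DEVICE_RELATIONS with Type == BusRelations: walk its child list to count the PDOs, allocate the DEVICE_RELATIONS block (with the same 20204D56h pool tag seen in the listing), reference each child PDO, carry over any relations an upper filter already placed in the IRP, and hand the list back. The kernel types and calls (LIST_ENTRY, DEVICE_RELATIONS, ObReferenceObject, ExAllocatePoolWithTag, ExFreePool) are replaced by minimal stand-ins whose layouts are assumed to match ntddk.h on x64; the CHILD_PDO_EXTENSION record, the child list and the scenario functions are constructed for the example and do not exist in volmgr.

```c
/*
 * Added example: user-mode model of a bus FDO's BusRelations handling.
 * Not volmgr's code; kernel types/calls are stand-ins (assumed ntddk.h x64 layout).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Stand-in for DEVICE_OBJECT: only the count that ObReferenceObject bumps matters here. */
typedef struct _DEVICE_OBJECT { int ReferenceCount; const char *InstancePath; } DEVICE_OBJECT, *PDEVICE_OBJECT;
typedef struct _DEVICE_RELATIONS { uint32_t Count; PDEVICE_OBJECT Objects[1]; } DEVICE_RELATIONS, *PDEVICE_RELATIONS;
/* Hypothetical per-child record on the FDO's child list (volmgr's list head is at FDO extension +0D0h in the listing). */
typedef struct _CHILD_PDO_EXTENSION { LIST_ENTRY Link; PDEVICE_OBJECT Pdo; } CHILD_PDO_EXTENSION;

#define FIELD_OFFSET(type, field) offsetof(type, field)
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
#define VOLMGR_POOL_TAG 0x20204D56u   /* "VM  ": the r8d value passed to ExAllocatePoolWithTag in the listing */

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) { e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }
static void ObReferenceObject(PDEVICE_OBJECT o) { o->ReferenceCount++; }
static void ObDereferenceObject(PDEVICE_OBJECT o) { o->ReferenceCount--; }
static void *ExAllocatePoolWithTag(size_t bytes, uint32_t tag) { (void)tag; return malloc(bytes); }
static void ExFreePool(void *p) { free(p); }

/* Header plus one pointer per relation. On x64 this is count*8+8, i.e. the
 * "lea edx,[r15*8+8]" at VmPnp+0x275 where r15 is the number of children counted. */
size_t RelationsSize(uint32_t count) {
    return FIELD_OFFSET(DEVICE_RELATIONS, Objects) + (size_t)count * sizeof(PDEVICE_OBJECT);
}

/* Build the BusRelations answer. 'existing' is whatever an upper filter already put in
 * Irp->IoStatus.Information: its entries (already referenced by that driver) are carried
 * over and the old block is freed. NULL means allocation failure; the caller would then
 * complete the IRP with STATUS_INSUFFICIENT_RESOURCES. As in the listing (r15 == 0 still
 * allocates 8 bytes), an empty child list yields a header-only structure with Count == 0. */
PDEVICE_RELATIONS BuildBusRelations(LIST_ENTRY *childList, PDEVICE_RELATIONS existing) {
    uint32_t children = 0, prior = existing ? existing->Count : 0;
    for (LIST_ENTRY *e = childList->Flink; e != childList; e = e->Flink) children++;   /* VmPnp+0x270 loop */
    PDEVICE_RELATIONS rel = ExAllocatePoolWithTag(RelationsSize(prior + children), VOLMGR_POOL_TAG);
    if (rel == NULL) return NULL;
    rel->Count = 0;
    for (uint32_t i = 0; i < prior; i++) rel->Objects[rel->Count++] = existing->Objects[i];
    for (LIST_ENTRY *e = childList->Flink; e != childList; e = e->Flink) {
        PDEVICE_OBJECT pdo = CONTAINING_RECORD(e, CHILD_PDO_EXTENSION, Link)->Pdo;
        ObReferenceObject(pdo);                 /* the PnP manager dereferences every entry when done */
        rel->Objects[rel->Count++] = pdo;
    }
    if (existing != NULL) ExFreePool(existing);
    /* Real driver: Irp->IoStatus.Information = (ULONG_PTR)rel; Status = STATUS_SUCCESS;
     * then IoSkipCurrentIrpStackLocation(Irp) and IoCallDriver() to the PDO below. */
    return rel;
}

/* PnP manager side: consume the list and drop the references the bus driver took. */
void ReleaseRelations(PDEVICE_RELATIONS rel) {
    for (uint32_t i = 0; i < rel->Count; i++) ObDereferenceObject(rel->Objects[i]);
    ExFreePool(rel);
}

/* Constructed scenario: the four STORAGE\Volume children from the !devnode output, no upper filter.
 * Returns Count if every child is referenced exactly once, in list order, and all references
 * are gone after release; -1 otherwise. */
int ScenarioFourVolumes(void) {
    DEVICE_OBJECT pdos[4] = { {0, "#0000000000100000"}, {0, "#000000001F400000"},
                              {0, "#0000000025700000"}, {0, "#0000000026700000"} };
    CHILD_PDO_EXTENSION children[4];
    LIST_ENTRY head;
    InitializeListHead(&head);
    for (int i = 0; i < 4; i++) { children[i].Pdo = &pdos[i]; InsertTailList(&head, &children[i].Link); }
    PDEVICE_RELATIONS rel = BuildBusRelations(&head, NULL);
    if (rel == NULL) return -1;
    int result = (int)rel->Count;
    for (int i = 0; i < 4; i++) if (rel->Objects[i] != &pdos[i] || pdos[i].ReferenceCount != 1) result = -1;
    ReleaseRelations(rel);
    for (int i = 0; i < 4; i++) if (pdos[i].ReferenceCount != 0) result = -1;
    return result;
}

/* Constructed scenario: an upper filter already reported one device; it must stay first,
 * keep its single reference, and the bus driver's child follows it. Returns Count or -1. */
int ScenarioMergeUpperFilter(void) {
    DEVICE_OBJECT filterDev = {1, "filter-added"}, pdo = {0, "#0000000000100000"};
    CHILD_PDO_EXTENSION child = { {0, 0}, &pdo };
    LIST_ENTRY head;
    InitializeListHead(&head);
    InsertTailList(&head, &child.Link);
    PDEVICE_RELATIONS prev = ExAllocatePoolWithTag(RelationsSize(1), VOLMGR_POOL_TAG);
    if (prev == NULL) return -1;
    prev->Count = 1; prev->Objects[0] = &filterDev;
    PDEVICE_RELATIONS rel = BuildBusRelations(&head, prev);   /* frees prev */
    if (rel == NULL) return -1;
    int result = (rel->Objects[0] == &filterDev && filterDev.ReferenceCount == 1 && rel->Objects[1] == &pdo) ? (int)rel->Count : -1;
    ReleaseRelations(rel);
    return result;
}

/* Constructed scenario: no children still produces a valid Count == 0 structure. Returns Count or -1. */
int ScenarioNoChildren(void) {
    LIST_ENTRY head;
    InitializeListHead(&head);
    PDEVICE_RELATIONS rel = BuildBusRelations(&head, NULL);
    if (rel == NULL) return -1;
    int result = (int)rel->Count;
    ReleaseRelations(rel);
    return result;
}

int main(void) {
    printf("four volumes -> Count %d, merge -> Count %d, empty -> Count %d, size(4) = %zu bytes\n",
           ScenarioFourVolumes(), ScenarioMergeUpperFilter(), ScenarioNoChildren(), RelationsSize(4));
    return 0;
}
```

The useful cross-check against the listing is the size computation: for the four volumes in the !devnode output the allocation is 4*8+8 = 40 bytes on x64, exactly what lea edx,[r15*8+8] yields with r15 = 4, and the reference taken on each PDO is what keeps the child device objects alive until the PnP manager has finished with the list.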

The information from resource tables of volmgr is blank; the information from resource tables of nt is (LTSC):

CompanyName:      Microsoft Corporation
ProductName:      Microsoft® Windows® Operating System
InternalName:     ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion:   10.0.17763.107
FileVersion:      10.0.17763.107 (WinBuild.160101.0800)
FileDescription:  NT Kernel & System
LegalCopyright:   © Microsoft Corporation. All rights reserved.

and I break on VmPnp as follows:

bp volmgr!VmPnp ".if(by(poi(@rdx+0B8h)+1)==7 & by(poi(@rdx+0B8h)+8)==0) {k;gc;} .else {gc;}"

I got the following call stack (same as yours):

 # Child-SP          RetAddr           Call Site
00 ffffee8d`ba206468 fffff806`306da189 volmgr!VmPnp
01 ffffee8d`ba206470 fffff806`30c8254e nt!IofCallDriver+0x59
02 ffffee8d`ba2064b0 fffff806`306aaf01 nt!PnpAsynchronousCall+0xea
03 ffffee8d`ba2064f0 fffff806`30c6d48d nt!PnpSendIrp+0x95
04 ffffee8d`ba206560 fffff806`30c6d3f4 nt!PnpQueryDeviceRelations+0x51
05 ffffee8d`ba2065f0 fffff806`30c6c023 nt!PipEnumerateDevice+0xc8
06 ffffee8d`ba206620 fffff806`3077900b nt!PipProcessDevNodeTree+0x187
07 ffffee8d`ba2066e0 fffff806`30778c03 nt!PnpDeviceActionWorker+0x3ab
08 ffffee8d`ba2067a0 fffff806`30f6e705 nt!PnpRequestDeviceAction+0x29f
09 ffffee8d`ba206810 fffff806`30f5622e nt!IopInitializeBootDrivers+0x779
0a ffffee8d`ba206a70 fffff806`30f730ed nt!IoInitSystemPreDrivers+0xa52
0b ffffee8d`ba206bb0 fffff806`30ccba82 nt!IoInitSystem+0x9
0c ffffee8d`ba206be0 fffff806`307406c5 nt!Phase1Initialization+0x42
0d ffffee8d`ba206c10 fffff806`307d749c nt!PspSystemThreadStartup+0x55
0e ffffee8d`ba206c60 00000000`00000000 nt!KiStartSystemThread+0x1c

Sorry for my carelessness. I found it.
