Take the following example: who creates the PDOs?
- 0xffffe20b12e65b20
- 0xffffe20b12e66b20
- 0xffffe20b12e67b20
- 0xffffe20b12e68b20
By volmgr? But I never found how it responds to BusRelations. Many thanks!!!
1: kd> !devnode 0 1 volmgr
Dumping IopRootDeviceNode (= 0xffffe20b127ac9b0)
DevNode 0xffffe20b1278a9b0 for PDO 0xffffe20b126b4d80
InstancePath is "ROOT\volmgr\0000"
ServiceName is "volmgr"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0xffffe20b12e6aad0 for PDO 0xffffe20b12e65b20 // 1
InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000000100000"
ServiceName is "volume"
TargetDeviceNotify List - f 0xffffce09bff437d0 b 0xffffce09bfb04d10
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeStartPostWork (0x307)
DevNode 0xffffe20b12e6ead0 for PDO 0xffffe20b12e66b20 // 2
InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#000000001F400000"
ServiceName is "volume"
TargetDeviceNotify List - f 0xffffce09bff434c0 b 0xffffce09bfb04840
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeStartPostWork (0x307)
DevNode 0xffffe20b12e6fad0 for PDO 0xffffe20b12e67b20 // 3
InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000025700000"
ServiceName is "volume"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeStartPostWork (0x307)
DevNode 0xffffe20b12e70ad0 for PDO 0xffffe20b12e68b20 // 4
InstancePath is "STORAGE\Volume\{0f38df59-eeb8-11ea-bfcf-806e6f6e6963}#0000000026700000"
ServiceName is "volume"
TargetDeviceNotify List - f 0xffffce09bff43d80 b 0xffffce09bfb048b0
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeStartPostWork (0x307)
These PDOs are created by Volmgr.
@Tai-Hing_Tse said:
These PDOs are created by Volmgr.
Then how does Volmgr return these PDOs to the PnP Manager? By means of BusRelations? It seems that Volmgr only processes the cases of PowerRelations and TargetDeviceRelation, and ignores the other cases.
That doesn’t sound right to me. How did you determine that it doesn’t support BusRelations?
@“Scott_Noone_(OSR)” said:
That doesn’t sound right to me. How did you determine that it doesn’t support BusRelations?
This is my commented volmgr!VmPnp. Starting at offset volmgr!VmPnp+0xdd is the logic where volmgr processes IRP_MN_QUERY_DEVICE_RELATIONS; there is no logic for BusRelations.
...
;IRP_MN_QUERY_DEVICE_RELATIONS
volmgr!VmPnp+0xdd:
;eax=_IO_STACK_LOCATION.Parameters.QueryDeviceRelations.Type
fffff808`4e4cc0ed 8b4708 mov eax,dword ptr [rdi+8]
fffff808`4e4cc0f0 83f802 cmp eax,2 ;PowerRelations
fffff808`4e4cc0f3 0f8436020000 je volmgr!VmPnp+0x31f (fffff808`4e4cc32f) Branch
volmgr!VmPnp+0xe9:
fffff808`4e4cc0f9 488d7230 lea rsi,[rdx+30h] ;_IRP.IoStatus
fffff808`4e4cc0fd 83f804 cmp eax,4 ;TargetDeviceRelation
fffff808`4e4cc100 0f859c000000 jne volmgr!VmPnp+0x192 (fffff808`4e4cc1a2) Branch
volmgr!VmPnp+0xf6:
fffff808`4e4cc106 8d500c lea edx,[rax+0Ch]
fffff808`4e4cc109 41b8564d2020 mov r8d,20204D56h
fffff808`4e4cc10f 418bce mov ecx,r14d
fffff808`4e4cc112 48ff15ffdeffff call qword ptr [volmgr!_imp_ExAllocatePoolWithTag (fffff808`4e4ca018)]
fffff808`4e4cc119 0f1f440000 nop dword ptr [rax+rax]
fffff808`4e4cc11e 48894530 mov qword ptr [rbp+30h],rax ;_DEVICE_RELATIONS
fffff808`4e4cc122 4885c0 test rax,rax
fffff808`4e4cc125 0f8470480000 je volmgr!VmPnp+0x498b (fffff808`4e4d099b) Branch
...
volmgr!VmPnp+0x15e:
fffff808`4e4cc16e 33d2 xor edx,edx
fffff808`4e4cc170 488bcb mov rcx,rbx
;complete the _IRP
fffff808`4e4cc173 48ff155ee1ffff call qword ptr [volmgr!_imp_IofCompleteRequest (fffff808`4e4ca2d8)]
fffff808`4e4cc17a 0f1f440000 nop dword ptr [rax+rax]
fffff808`4e4cc17f 8bc7 mov eax,edi
volmgr!VmPnp+0x171:
fffff808`4e4cc181 488b5c2468 mov rbx,qword ptr [rsp+68h]
fffff808`4e4cc186 488b742470 mov rsi,qword ptr [rsp+70h]
fffff808`4e4cc18b 488b7c2478 mov rdi,qword ptr [rsp+78h]
fffff808`4e4cc190 4883c430 add rsp,30h
fffff808`4e4cc194 415f pop r15
fffff808`4e4cc196 415e pop r14
fffff808`4e4cc198 415d pop r13
fffff808`4e4cc19a 415c pop r12
fffff808`4e4cc19c 5d pop rbp
fffff808`4e4cc19d c3 ret
...
volmgr!VmPnp+0x192:
fffff808`4e4cc1a2 8b3e mov edi,dword ptr [rsi]
fffff808`4e4cc1a4 ebc8 jmp volmgr!VmPnp+0x15e (fffff808`4e4cc16e) Branch
What version of Windows? On Win10 2004 I see this path to deal with BusRelations:
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: volmgr.sys
OriginalFilename: volmgr.sys
ProductVersion: 10.0.19041.1
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
FileDescription: Volume Manager Driver
LegalCopyright: © Microsoft Corporation. All rights reserved.
volmgr!VmPnp+0x243:
fffff803`0ffdc8f3 cmp dword ptr [rdi+8],r13d ; @r13 == 0 == BusRelations
fffff803`0ffdc8f7 jne volmgr!VmPnp+0x30d7 (fffff803`0ffdf787) Branch
volmgr!VmPnp+0x24d:
fffff803`0ffdc8fd mov rcx,rsi
fffff803`0ffdc900 call volmgr!VmpAcquireDevices (fffff803`0ffd2a14)
fffff803`0ffdc905 lea rdi,[rsi+0D0h]
fffff803`0ffdc90c mov r15d,r13d
fffff803`0ffdc90f mov rax,qword ptr [rdi]
fffff803`0ffdc912 mov r14d,1
fffff803`0ffdc918 jmp volmgr!VmPnp+0x270 (fffff803`0ffdc920) Branch
volmgr!VmPnp+0x26a:
fffff803`0ffdc91a mov rax,qword ptr [rax]
fffff803`0ffdc91d add r15d,r14d
volmgr!VmPnp+0x270:
fffff803`0ffdc920 cmp rax,rdi
fffff803`0ffdc923 jne volmgr!VmPnp+0x26a (fffff803`0ffdc91a) Branch
volmgr!VmPnp+0x275:
fffff803`0ffdc925 lea edx,[r15*8+8]
fffff803`0ffdc92d mov r8d,20204D56h
fffff803`0ffdc933 mov ecx,r14d
fffff803`0ffdc936 mov r10,qword ptr [volmgr!_imp_ExAllocatePoolWithTag (fffff803`0ffda370)]
fffff803`0ffdc93d call nt!ExAllocatePoolWithTag (fffff803`0bfc1030)
fffff803`0ffdc942 mov qword ptr [rbp+30h],rax
fffff803`0ffdc946 test rax,rax
fffff803`0ffdc949 je volmgr!VmPnp+0x2ff8 (fffff803`0ffdf6a8) Branch
The code then goes on to fill in the allocation, reference the device objects, and pass the IRP down the stack. Here’s the call stack leading to this point in case it helps:
# Child-SP RetAddr Call Site
00 ffff9a02`f2c06e80 fffff803`0b846d25 volmgr!VmPnp+0x247
01 ffff9a02`f2c06ee0 fffff803`0bd5852e nt!IofCallDriver+0x55
02 ffff9a02`f2c06f20 fffff803`0b8f05ca nt!PnpAsynchronousCall+0xea
03 ffff9a02`f2c06f60 fffff803`0bd30959 nt!PnpSendIrp+0x9e
04 ffff9a02`f2c06fd0 fffff803`0bd308c0 nt!PnpQueryDeviceRelations+0x51
05 ffff9a02`f2c07060 fffff803`0bd2ad11 nt!PipEnumerateDevice+0xc8
06 ffff9a02`f2c07090 fffff803`0b95bc47 nt!PipProcessDevNodeTree+0x191
07 ffff9a02`f2c07150 fffff803`0b95b81f nt!PnpDeviceActionWorker+0x3c7
08 ffff9a02`f2c07210 fffff803`0c06464e nt!PnpRequestDeviceAction+0x37b
09 ffff9a02`f2c07280 fffff803`0c04a4e0 nt!IopInitializeBootDrivers+0x7e2
0a ffff9a02`f2c07430 fffff803`0c072aa9 nt!IoInitSystemPreDrivers+0xb24
0b ffff9a02`f2c07570 fffff803`0bda299b nt!IoInitSystem+0x15
0c ffff9a02`f2c075a0 fffff803`0b946715 nt!Phase1Initialization+0x3b
0d ffff9a02`f2c075d0 fffff803`0b9e5078 nt!PspSystemThreadStartup+0x55
0e ffff9a02`f2c07620 00000000`00000000 nt!KiStartSystemThread+0x28
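The BusRelations path that the disassembly above walks through, as an added user-mode C model (not volmgr's or OSR's code): it counts the child ring, sizes the DEVICE_RELATIONS exactly as `lea edx,[r15*8+8]` does, and fills Count and Objects. The LIST_ENTRY-based child list, the CHILD_DEVICE type and its Id field are assumptions made for the illustration.

```c
/* Added illustration, not volmgr's code: a user-mode C model of the
 * BusRelations path in the volmgr!VmPnp+0x243 disassembly above. The
 * handler walks a ring of child devices (loop at VmPnp+0x26a/0x270), then
 * allocates count*8+8 bytes (lea edx,[r15*8+8]) with pool tag 0x20204D56
 * ("VM  ") for a DEVICE_RELATIONS. WDM-like shapes; child list layout assumed. */
#include <stddef.h>
#include <stdlib.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Stand-in for a child volume PDO; Link comes first so a list entry casts
 * back to its device (what CONTAINING_RECORD does in a real driver). */
typedef struct _CHILD_DEVICE { LIST_ENTRY Link; unsigned long long Id; } CHILD_DEVICE;
typedef struct _DEVICE_RELATIONS {
    unsigned int Count;        /* 4 bytes of alignment padding follow */
    CHILD_DEVICE *Objects[];   /* Count entries, each a referenced PDO */
} DEVICE_RELATIONS;
size_t RelationsSize(size_t n) {   /* bytes to allocate: n*8+8 on x64 */
    return offsetof(DEVICE_RELATIONS, Objects) + n * sizeof(CHILD_DEVICE *);
}
size_t CountChildren(const LIST_ENTRY *head) {
    size_t n = 0;   /* ring walk ends back at the head: cmp rax,rdi */
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}
/* What a bus FDO returns for IRP_MN_QUERY_DEVICE_RELATIONS / BusRelations;
 * a real driver also ObReferenceObject()s every PDO it hands back. */
DEVICE_RELATIONS *BuildBusRelations(LIST_ENTRY *head) {
    size_t n = CountChildren(head), i = 0;
    DEVICE_RELATIONS *rel = malloc(RelationsSize(n));
    if (rel == NULL) return NULL;      /* the je after test rax,rax */
    rel->Count = (unsigned int)n;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        rel->Objects[i++] = (CHILD_DEVICE *)e;
    return rel;
}
/* Constructed scenario: n children, like the four volume PDOs in the !devnode
 * dump. Returns the allocation size if Count and order match, else 0. */
size_t DemoBuildAndVerify(size_t n) {
    LIST_ENTRY head = { &head, &head };
    CHILD_DEVICE *kids = calloc(n ? n : 1, sizeof *kids);
    if (kids == NULL) return 0;
    for (size_t i = 0; i < n; i++) {   /* InsertTailList */
        kids[i].Id = i + 1; kids[i].Link.Flink = &head; kids[i].Link.Blink = head.Blink;
        head.Blink->Flink = &kids[i].Link; head.Blink = &kids[i].Link;
    }
    DEVICE_RELATIONS *rel = BuildBusRelations(&head);
    int ok = rel != NULL && rel->Count == n;
    for (size_t i = 0; ok && i < n; i++) ok = rel->Objects[i]->Id == i + 1;
    free(rel); free(kids);
    return ok ? RelationsSize(n) : 0;
}
```

On x64 the conditional breakpoint used further down the thread tests the same two fields: IRP+0xB8 holds the current stack location, whose byte 1 is MinorFunction (7 = IRP_MN_QUERY_DEVICE_RELATIONS) and whose byte 8 is Parameters.QueryDeviceRelations.Type (0 = BusRelations).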
The Information from resource tables for volmgr is blank; the Information from resource tables for nt is (LTSC):
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 10.0.17763.107
FileVersion: 10.0.17763.107 (WinBuild.160101.0800)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
and I break on VmPnp as follows:
bp volmgr!VmPnp ".if(by(poi(@rdx+0B8h)+1)==7 & by(poi(@rdx+0B8h)+8)==0) {k;gc;} .else {gc;}"
I got the following call stack (same as yours):
# Child-SP RetAddr Call Site
00 ffffee8d`ba206468 fffff806`306da189 volmgr!VmPnp
01 ffffee8d`ba206470 fffff806`30c8254e nt!IofCallDriver+0x59
02 ffffee8d`ba2064b0 fffff806`306aaf01 nt!PnpAsynchronousCall+0xea
03 ffffee8d`ba2064f0 fffff806`30c6d48d nt!PnpSendIrp+0x95
04 ffffee8d`ba206560 fffff806`30c6d3f4 nt!PnpQueryDeviceRelations+0x51
05 ffffee8d`ba2065f0 fffff806`30c6c023 nt!PipEnumerateDevice+0xc8
06 ffffee8d`ba206620 fffff806`3077900b nt!PipProcessDevNodeTree+0x187
07 ffffee8d`ba2066e0 fffff806`30778c03 nt!PnpDeviceActionWorker+0x3ab
08 ffffee8d`ba2067a0 fffff806`30f6e705 nt!PnpRequestDeviceAction+0x29f
09 ffffee8d`ba206810 fffff806`30f5622e nt!IopInitializeBootDrivers+0x779
0a ffffee8d`ba206a70 fffff806`30f730ed nt!IoInitSystemPreDrivers+0xa52
0b ffffee8d`ba206bb0 fffff806`30ccba82 nt!IoInitSystem+0x9
0c ffffee8d`ba206be0 fffff806`307406c5 nt!Phase1Initialization+0x42
0d ffffee8d`ba206c10 fffff806`307d749c nt!PspSystemThreadStartup+0x55
0e ffffee8d`ba206c60 00000000`00000000 nt!KiStartSystemThread+0x1c
Sorry for my carelessness. I found it.