Probable Win7 RC bug

The function MountMgrIsBootVolume does roughly the following (I spent around 20 minutes decoding it):

    NTSTATUS MountMgrIsBootVolume(PUNICODE_STRING Name, OUT BOOLEAN *IsBoot)
    {
        PFILE_OBJECT   FileObj = NULL;
        PDEVICE_OBJECT DevObj  = NULL;
        PDEVICE_OBJECT DevBase;
        NTSTATUS       status;

        *IsBoot = FALSE;

        // 0x80 == FILE_READ_ATTRIBUTES; r8 receives &FileObj, r9 receives &DevObj
        status = IoGetDeviceObjectPointer(Name, 0x80, &FileObj, &DevObj);
        if (!NT_SUCCESS(status))
            return status;

        // Documented to return NULL when the device is not attached to a stack;
        // the return value is used below without any NULL check
        DevBase = IoGetDeviceAttachmentBaseRef(FileObj->DeviceObject);
        if (DevBase->Flags & DO_SYSTEM_BOOT_PARTITION)   // Flags at +0x30, bit 8
            *IsBoot = TRUE;

        ObDereferenceObject(DevBase);   // drops the reference taken by ...BaseRef
        ObDereferenceObject(FileObj);   // drops the reference taken by IoGetDeviceObjectPointer
        return status;
    }

According to the public docs: "If the given device object is not attached to a driver stack, IoGetDeviceAttachmentBaseRef returns NULL."

So, there is a chance that DevBase is NULL and MountMgrIsBootVolume will crash, and it will crash on boot (this function is used in the path which assigns the NtSystemRoot global just after the boot drivers are initialized). So, there is a chance that, with some kind of virtual disk driver, the OS will crash on boot.

Either the documentation is incorrect or the Win7 code is incorrect.

The WinDbg output is below; it includes the offending assembly code and the OS version.

1: kd> vertarget
Windows 7 Kernel Version 7100 MP (4 procs) Free x64
Built by: 7100.0.amd64fre.winmain_win7rc.090421-1700
Machine Name:Loading symbols for fffff880`152d3000 srv.sys -> srv.sys

Kernel base = 0xfffff8000160f000 PsLoadedModuleList = 0xfffff80001848e90
Debug session time: Sat Jul 18 19:05:18.699 2009 (GMT+4)
System Uptime: 0 days 0:14:00.109

1: kd> u MountMgrIsBootVolume
mountmgr!MountMgrIsBootVolume:
fffff880`0103e864 488bc4          mov     rax,rsp
fffff880`0103e867 48895808        mov     qword ptr [rax+8],rbx
fffff880`0103e86b 57              push    rdi
fffff880`0103e86c 4883ec20        sub     rsp,20h
fffff880`0103e870 4883601800      and     qword ptr [rax+18h],0
fffff880`0103e875 4883601000      and     qword ptr [rax+10h],0
fffff880`0103e87a 488bfa          mov     rdi,rdx
fffff880`0103e87d c60200          mov     byte ptr [rdx],0
1: kd> u
mountmgr!MountMgrIsBootVolume+0x1c:
fffff880`0103e880 4c8d4818        lea     r9,[rax+18h]
fffff880`0103e884 4c8d4010        lea     r8,[rax+10h]
fffff880`0103e888 ba80000000      mov     edx,80h
fffff880`0103e88d ff15a508ffff    call    qword ptr [mountmgr!_imp_IoGetDeviceObjectPointer (fffff880`0102f138)]
fffff880`0103e893 8bd8            mov     ebx,eax
fffff880`0103e895 85c0            test    eax,eax
fffff880`0103e897 782d            js      mountmgr!MountMgrIsBootVolume+0x62 (fffff880`0103e8c6)
fffff880`0103e899 488b4c2438      mov     rcx,qword ptr [rsp+38h]
1: kd> u
mountmgr!MountMgrIsBootVolume+0x3a:
fffff880`0103e89e 488b4908        mov     rcx,qword ptr [rcx+8]

Note these 2 instructions, and no check for “rax” being nonzero in between.

fffff880`0103e8a2 ff15e008ffff    call    qword ptr [mountmgr!_imp_IoGetDeviceAttachmentBaseRef (fffff880`0102f188)]
fffff880`0103e8a8 0fba603008      bt      dword ptr [rax+30h],8
fffff880`0103e8ad 7303            jae     mountmgr!MountMgrIsBootVolume+0x4e (fffff880`0103e8b2)
fffff880`0103e8af c60701          mov     byte ptr [rdi],1
fffff880`0103e8b2 488bc8          mov     rcx,rax
fffff880`0103e8b5 ff152d09ffff    call    qword ptr [mountmgr!_imp_ObfDereferenceObject (fffff880`0102f1e8)]
fffff880`0103e8bb 488b4c2438      mov     rcx,qword ptr [rsp+38h]
1: kd> u
mountmgr!MountMgrIsBootVolume+0x5c:
fffff880`0103e8c0 ff152209ffff    call    qword ptr [mountmgr!_imp_ObfDereferenceObject (fffff880`0102f1e8)]
fffff880`0103e8c6 8bc3            mov     eax,ebx
fffff880`0103e8c8 488b5c2430      mov     rbx,qword ptr [rsp+30h]
fffff880`0103e8cd 4883c420        add     rsp,20h
fffff880`0103e8d1 5f              pop     rdi
fffff880`0103e8d2 c3              ret


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
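An added example, not Maxim's code and not mountmgr's: a user-mode model of the same call sequence in which the documented NULL return from IoGetDeviceAttachmentBaseRef is handled instead of dereferenced. The kernel types, the object namespace, the device names, and the rule for when the base-ref routine returns NULL are assumptions made for this example (the NULL rule follows the sentence quoted from the docs); the reference counts exist only so the example can check that every reference taken is released.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode stand-ins for the kernel types and routines MountMgrIsBootVolume uses; all
 * assumed for this example, not the WDK definitions. RefCount is the first member of
 * both object types so ObDereferenceObject can be one line. */
typedef int32_t NTSTATUS; typedef uint8_t BOOLEAN;
enum { FALSE = 0, TRUE = 1 };
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
#define FILE_READ_ATTRIBUTES         0x80        /* the 80h loaded into edx */
#define DO_SYSTEM_BOOT_PARTITION     0x00000100  /* bit 8, tested by bt dword ptr [rax+30h],8 */

typedef struct _DEVICE_OBJECT {
    long RefCount;
    uint32_t Flags;
    struct _DEVICE_OBJECT *AttachedTo;      /* device below this one, or NULL */
    struct _DEVICE_OBJECT *AttachedDevice;  /* device above this one, or NULL */
} DEVICE_OBJECT, *PDEVICE_OBJECT;
typedef struct { long RefCount; PDEVICE_OBJECT DeviceObject; } FILE_OBJECT, *PFILE_OBJECT;
typedef struct { const char *Name; } UNICODE_STRING, *PUNICODE_STRING;

/* Constructed namespace: a named boot volume with an unnamed filter on top, and a
 * stand-alone virtual disk device that is attached to nothing at all. */
static DEVICE_OBJECT g_filter;
static DEVICE_OBJECT g_bootVolume = { .Flags = DO_SYSTEM_BOOT_PARTITION, .AttachedDevice = &g_filter };
static DEVICE_OBJECT g_filter     = { .AttachedTo = &g_bootVolume };
static DEVICE_OBJECT g_virtDisk   = { 0 };
static struct { const char *Name; PDEVICE_OBJECT Device; FILE_OBJECT File; } g_namespace[] = {
    { "\\Device\\HarddiskVolume1", &g_bootVolume, { 0, NULL } },
    { "\\Device\\VirtDisk0",       &g_virtDisk,   { 0, NULL } },
};

static void ObDereferenceObject(void *Object) { --*(long *)Object; }

/* Name lookup: hands out a referenced file object whose DeviceObject is the named device. */
static NTSTATUS IoGetDeviceObjectPointer(PUNICODE_STRING Name, uint32_t Access,
                                         PFILE_OBJECT *FileObject, PDEVICE_OBJECT *DeviceObject)
{
    (void)Access;
    for (size_t i = 0; i < sizeof g_namespace / sizeof g_namespace[0]; i++) {
        if (strcmp(g_namespace[i].Name, Name->Name) != 0) continue;
        g_namespace[i].File.DeviceObject = g_namespace[i].Device;
        g_namespace[i].File.RefCount++;          /* the caller owns this reference */
        *FileObject = &g_namespace[i].File;
        *DeviceObject = g_namespace[i].Device;
        return STATUS_SUCCESS;
    }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}

/* Modelled on the quoted docs: a device attached to nothing, with nothing attached to it,
 * is "not attached to a driver stack" and yields NULL; otherwise the bottom of the stack
 * comes back with a reference the caller must drop. */
static PDEVICE_OBJECT IoGetDeviceAttachmentBaseRef(PDEVICE_OBJECT Device)
{
    if (Device->AttachedTo == NULL && Device->AttachedDevice == NULL) return NULL;
    while (Device->AttachedTo) Device = Device->AttachedTo;
    Device->RefCount++;
    return Device;
}

/* Hardened form of the routine decoded above. On a NULL base there is no stack to walk,
 * so the file object's own device is judged instead; the file reference keeps that device
 * alive, so nothing extra is taken or released, and no NULL pointer is ever dereferenced. */
static NTSTATUS MountMgrIsBootVolume_Checked(PUNICODE_STRING Name, BOOLEAN *IsBoot)
{
    PFILE_OBJECT FileObj = NULL;
    PDEVICE_OBJECT DevObj = NULL, DevBase;
    uint32_t flags;
    *IsBoot = FALSE;
    NTSTATUS status = IoGetDeviceObjectPointer(Name, FILE_READ_ATTRIBUTES, &FileObj, &DevObj);
    if (!NT_SUCCESS(status)) return status;
    DevBase = IoGetDeviceAttachmentBaseRef(FileObj->DeviceObject);
    if (DevBase != NULL) {
        flags = DevBase->Flags;
        ObDereferenceObject(DevBase);            /* balance the reference BaseRef took */
    } else {
        flags = FileObj->DeviceObject->Flags;    /* the documented "not attached" case */
    }
    *IsBoot = (flags & DO_SYSTEM_BOOT_PARTITION) ? TRUE : FALSE;
    ObDereferenceObject(FileObj);
    return status;
}

/* Run the checked routine by name: -1 on a failure status, else the IsBoot result. */
static int ProbeBoot(const char *name)
{
    UNICODE_STRING n = { name };
    BOOLEAN boot = FALSE;
    NTSTATUS s = MountMgrIsBootVolume_Checked(&n, &boot);
    return NT_SUCCESS(s) ? (int)boot : -1;
}
/* Outstanding references across every object; zero once all callers have cleaned up. */
static long LiveReferences(void)
{
    return g_bootVolume.RefCount + g_filter.RefCount + g_virtDisk.RefCount
         + g_namespace[0].File.RefCount + g_namespace[1].File.RefCount;
}

int main(void)
{
    printf("HarddiskVolume1: IsBoot=%d\n", ProbeBoot("\\Device\\HarddiskVolume1"));
    printf("VirtDisk0 (no stack): IsBoot=%d, leaked refs=%ld\n",
           ProbeBoot("\\Device\\VirtDisk0"), LiveReferences());
    return 0;
}
```

The other defensible fix is to fail the call (return an error status with *IsBoot left FALSE) when the base is NULL; which one mountmgr should use depends on whether a stack-less device can ever be the boot volume, which the post does not settle. Either way the point is the same: the value of a routine documented to return NULL has to be tested before it is dereferenced and before it is passed to ObDereferenceObject.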