
nt!IopCompleteRequest函数分析之IopUpdateOtherTransferCount和IopDequeueThreadIrp

VOID
IopCompleteRequest(
    IN PKAPC Apc,
    IN PKNORMAL_ROUTINE *NormalRoutine,
    IN PVOID *NormalContext,
    IN PVOID *SystemArgument1,
    IN PVOID *SystemArgument2
    )


第一部分:

        if (irp->UserEvent) {
            (VOID) KeSetEvent( irp->UserEvent, 0, FALSE );

1: kd> dt kAPC 896e4e40
CSRSRV!KAPC
   +0x000 Type             : 0n18
   +0x002 Size             : 0n48
   +0x004 Spare0           : 0
   +0x008 Thread           : 0x89510898 _KTHREAD
   +0x00c ApcListEntry     : _LIST_ENTRY [ 0x895108cc - 0x895108cc ]
   +0x014 KernelRoutine    : 0x80a2bd0e     void  nt!IopCompleteRequest+0
   +0x018 RundownRoutine   : 0x80c72194     void  nt!IopAbortRequest+0
   +0x01c NormalRoutine    : (null)
   +0x020 NormalContext    : (null)
   +0x024 SystemArgument1  : 0x895a7ca8 Void
   +0x028 SystemArgument2  : (null)
   +0x02c ApcStateIndex    : 0 ''
   +0x02d ApcMode          : 0 ''
   +0x02e Inserted         : 0 ''


1: kd> dx -id 0,0,89838358 -r1 ((basesrv!_KEVENT *)0x894e9800)
((basesrv!_KEVENT *)0x894e9800)                 : 0x894e9800 [Type: _KEVENT *]
    [+0x000] Header           [Type: _DISPATCHER_HEADER]
1: kd> dx -id 0,0,89838358 -r1 (*((basesrv!_DISPATCHER_HEADER *)0x894e9800))
(*((basesrv!_DISPATCHER_HEADER *)0x894e9800))                 [Type: _DISPATCHER_HEADER]
    [+0x000] Type             : 0x0 [Type: unsigned char]
    [+0x001] Absolute         : 0x0 [Type: unsigned char]
    [+0x002] Size             : 0x4 [Type: unsigned char]
    [+0x003] Inserted         : 0x0 [Type: unsigned char]
    [+0x003] DebugActive      : 0x0 [Type: unsigned char]
    [+0x000] Lock             : 262144 [Type: long]
    [+0x004] SignalState      : 0 [Type: long]
    [+0x008] WaitListHead     [Type: _LIST_ENTRY]
1: kd> dx -id 0,0,89838358 -r1 (*((basesrv!_LIST_ENTRY *)0x894e9808))
(*((basesrv!_LIST_ENTRY *)0x894e9808))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x894e9808 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x894e9808 [Type: _LIST_ENTRY *]

1: kd> gu
nt!IopCompleteRequest+0x2ac:
80a2bfba 3bfe            cmp     edi,esi
1: kd> dx -r1 ((ntkrnlmp!_KEVENT *)0x894e9800)
((ntkrnlmp!_KEVENT *)0x894e9800)                 : 0x894e9800 [Type: _KEVENT *]
    [+0x000] Header           [Type: _DISPATCHER_HEADER]
1: kd> dx -r1 (*((ntkrnlmp!_DISPATCHER_HEADER *)0x894e9800))
(*((ntkrnlmp!_DISPATCHER_HEADER *)0x894e9800))                 [Type: _DISPATCHER_HEADER]
    [+0x000] Type             : 0x0 [Type: unsigned char]
    [+0x001] Absolute         : 0x0 [Type: unsigned char]
    [+0x002] Size             : 0x4 [Type: unsigned char]
    [+0x003] Inserted         : 0x0 [Type: unsigned char]
    [+0x003] DebugActive      : 0x0 [Type: unsigned char]
    [+0x000] Lock             : 262144 [Type: long]
    [+0x004] SignalState      : 1 [Type: long]             SignalState      : 1
    [+0x008] WaitListHead     [Type: _LIST_ENTRY]

第二部分:Flags            : 0x840

1: kd> dt irp 896e4e40-40
Local var @ 0xba3eebf0 Type _IRP*
0x896e4e00
   +0x000 Type             : 0n6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x840                //Flags            : 0x840


//
// A short excerpt of the IRP.Flags bits; the complete list appears further
// down. Note that IRP_SYNCHRONOUS_PAGING_IO (0x40) is the low bit of the
// Flags value 0x840 shown in the dump above.
//
#define IRP_NOCACHE                     0x00000001
#define IRP_PAGING_IO                   0x00000002
#define IRP_SYNCHRONOUS_API             0x00000004
#define IRP_SYNCHRONOUS_PAGING_IO       0x00000040


//
// Define I/O Request Packet (IRP) flags
//
// These are the bits of IRP.Flags (the field at +0x008 in the dumps above,
// which reads 0x840 for the traced request). Two pairs share a value --
// IRP_PAGING_IO / IRP_MOUNT_COMPLETION (0x2) and
// IRP_INPUT_OPERATION / IRP_SYNCHRONOUS_PAGING_IO (0x40) -- so a raw Flags
// value cannot be decoded without knowing what kind of request it is on.
//

#define IRP_NOCACHE                     0x00000001
#define IRP_PAGING_IO                   0x00000002
#define IRP_MOUNT_COMPLETION            0x00000002
#define IRP_SYNCHRONOUS_API             0x00000004
#define IRP_ASSOCIATED_IRP              0x00000008
#define IRP_BUFFERED_IO                 0x00000010
#define IRP_DEALLOCATE_BUFFER           0x00000020
#define IRP_INPUT_OPERATION             0x00000040
#define IRP_SYNCHRONOUS_PAGING_IO       0x00000040
#define IRP_CREATE_OPERATION            0x00000080
#define IRP_READ_OPERATION              0x00000100
#define IRP_WRITE_OPERATION             0x00000200
#define IRP_CLOSE_OPERATION             0x00000400

//
// The traced Flags value 0x840 = 0x800 | 0x40. The 0x40 bit is
// IRP_INPUT_OPERATION / IRP_SYNCHRONOUS_PAGING_IO; 0x800 is not among the
// flags listed here (this excerpt stops at 0x400). Neither
// IRP_CREATE_OPERATION (0x80), IRP_READ_OPERATION (0x100) nor
// IRP_WRITE_OPERATION (0x200) is set, which is why the completion path
// below lands in IopUpdateOtherTransferCount.
//

第三部分:IopUpdateOtherTransferCount

        //
        // Charge the completed transfer to the I/O counters. Create requests
        // carry no byte count, so they are skipped outright.
        //

        if (!(irp->Flags & IRP_CREATE_OPERATION)) {
            ULONG bytesTransferred = (ULONG) irp->IoStatus.Information;

            if (irp->Flags & IRP_READ_OPERATION) {
                IopUpdateReadTransferCount( bytesTransferred );
            } else if (irp->Flags & IRP_WRITE_OPERATION) {
                IopUpdateWriteTransferCount( bytesTransferred );
            } else if (!(bytesTransferred & 0x80000000)) {
                //
                // Neither read nor write: count it as "other" I/O unless the
                // Information field looks like a pointer (some PnP IRPs store
                // one there). A set top bit is the pointer signature used here,
                // so a byte count of 0x80000000 or more would also be skipped.
                // This is the branch taken in the trace above, where
                // Information = 0x30.
                //
                IopUpdateOtherTransferCount( bytesTransferred );
            }
        }

1: kd> x nt!IoCountOperations
80b0e288          nt!IoCountOperations = 1


1: kd> x nt!IoOtherTransferCount
80b1ee90          nt!IoOtherTransferCount = {436672}
1: kd> dx -r1 (*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))
(*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))                 : {436672} [Type: _LARGE_INTEGER]
    [<Raw View>]     [Type: _LARGE_INTEGER]
1: kd> dx -r1 -nv (*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))
(*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))                 : {436672} [Type: _LARGE_INTEGER]
    [+0x000] LowPart          : 0x6a9c0 [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]
    [+0x000] u                [Type: __unnamed]
    [+0x000] QuadPart         : 436672 [Type: __int64]

1: kd> dx -id 0,0,89838358 -r1 (*((CSRSRV!_KAPC_STATE *)0x895108cc))
(*((CSRSRV!_KAPC_STATE *)0x895108cc))                 [Type: _KAPC_STATE]
    [+0x000] ApcListHead      [Type: _LIST_ENTRY [2]]
    [+0x010] Process          : 0x89838358 [Type: _KPROCESS *]


1: kd> dt ePROCESS 0x89838358

   +0x1c0 OtherTransferCount : _LARGE_INTEGER 0x6952
 
1: kd> dx -id 0,0,89838358 -r1 (*((CSRSRV!_LARGE_INTEGER *)0x89838518))
(*((CSRSRV!_LARGE_INTEGER *)0x89838518))                 : {26962} [Type: _LARGE_INTEGER]
    [<Raw View>]     [Type: _LARGE_INTEGER]
1: kd> dx -id 0,0,89838358 -r1 -nv (*((CSRSRV!_LARGE_INTEGER *)0x89838518))
(*((CSRSRV!_LARGE_INTEGER *)0x89838518))                 : {26962} [Type: _LARGE_INTEGER]
    [+0x000] LowPart          : 0x6952 [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]
    [+0x000] u                [Type: __unnamed]
    [+0x000] QuadPart         : 26962 [Type: __int64]

VOID
IopUpdateOtherTransferCount(
    IN ULONG TransferCount
    )
/*++

Routine Description:

    Adds TransferCount bytes to the "other" (neither read nor write) I/O
    statistics: the system-wide IoOtherTransferCount and the
    OtherTransferCount of the process that owns the current thread.
    Nothing is recorded while IoCountOperations is not TRUE.

    The routine assumes it runs on the thread that issued the request,
    because it resolves the process through PsGetCurrentThread(). Both
    counters are LARGE_INTEGERs updated via ExInterlockedAddLargeStatistic;
    the name suggests an atomic add, so completions racing on other
    threads should not lose counts (not verified here). The byte count is
    taken from the driver-supplied IoStatus.Information as-is.

Arguments:

    TransferCount - Number of bytes transferred by the completed request.

Return Value:

    None.

--*/
{
    //
    // Accounting is optional; leave early when it is switched off.
    //

    if (IoCountOperations != TRUE) {
        return;
    }

    //
    // System-wide counter first, then the per-process counter.
    //

    ExInterlockedAddLargeStatistic( &IoOtherTransferCount, TransferCount );

    ExInterlockedAddLargeStatistic(
        &THREAD_TO_PROCESS( PsGetCurrentThread() )->OtherTransferCount,
        TransferCount
        );
}

IopUpdateOtherTransferCount函数之后:

1: kd> dx -id 0,0,89838358 -r1 -nv (*((CSRSRV!_LARGE_INTEGER *)0x89838518))
(*((CSRSRV!_LARGE_INTEGER *)0x89838518))                 : {27010} [Type: _LARGE_INTEGER]
    [+0x000] LowPart          : 0x6982 [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]
    [+0x000] u                [Type: __unnamed]
    [+0x000] QuadPart         : 27010 [Type: __int64]

    26962 + 48 = 27010(增量 48 即本次 IRP 的 IoStatus.Information = 0x30 字节)


1: kd> dt irp 896e4e40-40
Local var @ 0xba3eebf0 Type _IRP*
0x896e4e00
   +0x000 Type             : 0n6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x840
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x89510ab0 - 0x89510ab0 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0x1 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 3 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0xc ''
   +0x028 UserIosb         : 0x006c1a00 _IO_STATUS_BLOCK
   +0x02c UserEvent        : 0x894e9800 _KEVENT
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : 0x006c1408 Void
   +0x040 Tail             : __unnamed
1: kd> dx -id 0,0,89838358 -r1 (*((ntkrnlmp!_IO_STATUS_BLOCK *)0x896e4e18))
(*((ntkrnlmp!_IO_STATUS_BLOCK *)0x896e4e18))                 [Type: _IO_STATUS_BLOCK]
    [+0x000] Status           : 0 [Type: long]
    [+0x000] Pointer          : 0x0 [Type: void *]
    [+0x004] Information      : 0x30 [Type: unsigned long]        Information      : 0x30

1: kd> x nt!IoOtherTransferCount
80b1ee90          nt!IoOtherTransferCount = {436720}
1: kd> dx -r1 (*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))
(*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))                 : {436720} [Type: _LARGE_INTEGER]
    [<Raw View>]     [Type: _LARGE_INTEGER]
1: kd> dx -r1 -nv (*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))
(*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))                 : {436720} [Type: _LARGE_INTEGER]
    [+0x000] LowPart          : 0x6a9f0 [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]
    [+0x000] u                [Type: __unnamed]
    [+0x000] QuadPart         : 436720 [Type: __int64]


436672 + 48 = 436720(增量同样是 IoStatus.Information = 0x30 = 48 字节)


第四部分:IopDequeueThreadIrp函数分析

第四部分A:
        //
        // Dequeue the packet from the thread's pending I/O request list.
        //

        IopDequeueThreadIrp( irp );

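//
// Unlink an IRP from its thread's pending-I/O list (ETHREAD.IrpList) and
// leave the entry self-linked, which is what the dumps below show afterwards:
// ThreadListEntry.Flink == ThreadListEntry.Blink == &ThreadListEntry.
// Re-initializing the entry presumably keeps a later RemoveEntryList on the
// same IRP harmless -- confirm against RemoveEntryList's definition.
//
// Wrapped in do { } while (0) so the macro expands to a single statement:
// the original "{ ... }" form left a stray ";" after the braces when used
// as "IopDequeueThreadIrp( irp );", which breaks an unbraced if/else. The
// argument is parenthesized so an expression can be passed safely.
//
#define IopDequeueThreadIrp( Irp ) \
   do { \
   RemoveEntryList( &(Irp)->ThreadListEntry ); \
   InitializeListHead( &(Irp)->ThreadListEntry ); \
   } while (0)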


第四部分B:
1: kd> dt irp 896e4e40-40

   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x89510ab0 - 0x89510ab0 ]

1: kd> dx -id 0,0,89838358 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x896e4e10))
(*((ntkrnlmp!_LIST_ENTRY *)0x896e4e10))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89510ab0 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89510ab0 [Type: _LIST_ENTRY *]


1: kd>   dt eTHREAD 89510898

   +0x218 IrpList          : _LIST_ENTRY [ 0x896e4e10 - 0x896e4e10 ]
 
1: kd> dx -id 0,0,89838358 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89510ab0))
(*((CSRSRV!_LIST_ENTRY *)0x89510ab0))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x896e4e10 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x896e4e10 [Type: _LIST_ENTRY *]

第四部分C:


1: kd> dt irp 896e4e40-40

   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x896e4e10 - 0x896e4e10 ]

1: kd> dx -id 0,0,89838358 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x896e4e10))
(*((ntkrnlmp!_LIST_ENTRY *)0x896e4e10))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x896e4e10 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x896e4e10 [Type: _LIST_ENTRY *]
1: kd>   dt eTHREAD 89510898

   +0x218 IrpList          : _LIST_ENTRY [ 0x89510ab0 - 0x89510ab0 ]
 
1: kd> dx -id 0,0,89838358 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89510ab0))
(*((CSRSRV!_LIST_ENTRY *)0x89510ab0))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89510ab0 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89510ab0 [Type: _LIST_ENTRY *]
