
nt!IopCompleteRequest函数分析之IopUpdateOtherTransferCount和IopDequeueThreadIrp

VOID
IopCompleteRequest(
    IN PKAPC Apc,
    IN PKNORMAL_ROUTINE *NormalRoutine,
    IN PVOID *NormalContext,
    IN PVOID *SystemArgument1,
    IN PVOID *SystemArgument2
    )


第一部分:

        if (irp->UserEvent) {
            (VOID) KeSetEvent( irp->UserEvent, 0, FALSE );

1: kd> dt kAPC 896e4e40
CSRSRV!KAPC
   +0x000 Type             : 0n18
   +0x002 Size             : 0n48
   +0x004 Spare0           : 0
   +0x008 Thread           : 0x89510898 _KTHREAD
   +0x00c ApcListEntry     : _LIST_ENTRY [ 0x895108cc - 0x895108cc ]
   +0x014 KernelRoutine    : 0x80a2bd0e     void  nt!IopCompleteRequest+0
   +0x018 RundownRoutine   : 0x80c72194     void  nt!IopAbortRequest+0
   +0x01c NormalRoutine    : (null)
   +0x020 NormalContext    : (null)
   +0x024 SystemArgument1  : 0x895a7ca8 Void
   +0x028 SystemArgument2  : (null)
   +0x02c ApcStateIndex    : 0 ''
   +0x02d ApcMode          : 0 ''
   +0x02e Inserted         : 0 ''


1: kd> dx -id 0,0,89838358 -r1 ((basesrv!_KEVENT *)0x894e9800)
((basesrv!_KEVENT *)0x894e9800)                 : 0x894e9800 [Type: _KEVENT *]
    [+0x000] Header           [Type: _DISPATCHER_HEADER]
1: kd> dx -id 0,0,89838358 -r1 (*((basesrv!_DISPATCHER_HEADER *)0x894e9800))
(*((basesrv!_DISPATCHER_HEADER *)0x894e9800))                 [Type: _DISPATCHER_HEADER]
    [+0x000] Type             : 0x0 [Type: unsigned char]
    [+0x001] Absolute         : 0x0 [Type: unsigned char]
    [+0x002] Size             : 0x4 [Type: unsigned char]
    [+0x003] Inserted         : 0x0 [Type: unsigned char]
    [+0x003] DebugActive      : 0x0 [Type: unsigned char]
    [+0x000] Lock             : 262144 [Type: long]
    [+0x004] SignalState      : 0 [Type: long]
    [+0x008] WaitListHead     [Type: _LIST_ENTRY]
1: kd> dx -id 0,0,89838358 -r1 (*((basesrv!_LIST_ENTRY *)0x894e9808))
(*((basesrv!_LIST_ENTRY *)0x894e9808))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x894e9808 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x894e9808 [Type: _LIST_ENTRY *]

1: kd> gu
nt!IopCompleteRequest+0x2ac:
80a2bfba 3bfe            cmp     edi,esi
1: kd> dx -r1 ((ntkrnlmp!_KEVENT *)0x894e9800)
((ntkrnlmp!_KEVENT *)0x894e9800)                 : 0x894e9800 [Type: _KEVENT *]
    [+0x000] Header           [Type: _DISPATCHER_HEADER]
1: kd> dx -r1 (*((ntkrnlmp!_DISPATCHER_HEADER *)0x894e9800))
(*((ntkrnlmp!_DISPATCHER_HEADER *)0x894e9800))                 [Type: _DISPATCHER_HEADER]
    [+0x000] Type             : 0x0 [Type: unsigned char]
    [+0x001] Absolute         : 0x0 [Type: unsigned char]
    [+0x002] Size             : 0x4 [Type: unsigned char]
    [+0x003] Inserted         : 0x0 [Type: unsigned char]
    [+0x003] DebugActive      : 0x0 [Type: unsigned char]
    [+0x000] Lock             : 262144 [Type: long]
    [+0x004] SignalState      : 1 [Type: long]             SignalState      : 1
    [+0x008] WaitListHead     [Type: _LIST_ENTRY]

第二部分:Flags            : 0x840

1: kd> dt irp 896e4e40-40
Local var @ 0xba3eebf0 Type _IRP*
0x896e4e00
   +0x000 Type             : 0n6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x840                //Flags            : 0x840


// Subset of the IRP flag values relevant to the Flags == 0x840 seen in the
// dump above. 0x840 == 0x800 | 0x40: the 0x40 bit is shared by
// IRP_SYNCHRONOUS_PAGING_IO and IRP_INPUT_OPERATION (see the full list below),
// and 0x800 is not among the values listed on this page.
#define IRP_NOCACHE                     0x00000001
#define IRP_PAGING_IO                   0x00000002
#define IRP_SYNCHRONOUS_API             0x00000004
#define IRP_SYNCHRONOUS_PAGING_IO       0x00000040


//
// Define I/O Request Packet (IRP) flags
//
// Some values are aliased: IRP_MOUNT_COMPLETION reuses IRP_PAGING_IO (0x2)
// and IRP_SYNCHRONOUS_PAGING_IO reuses IRP_INPUT_OPERATION (0x40).
// NOTE(review): presumably each alias is only tested for a particular kind
// of request - confirm in the I/O manager before interpreting a raw Flags
// value by bit alone.
//
// The IRP dumped on this page carries Flags == 0x840 (0x800 | 0x40). None of
// IRP_CREATE_OPERATION (0x80), IRP_READ_OPERATION (0x100) or
// IRP_WRITE_OPERATION (0x200) is set, which is why the completion path below
// ends up in IopUpdateOtherTransferCount.
//

#define IRP_NOCACHE                     0x00000001
#define IRP_PAGING_IO                   0x00000002
#define IRP_MOUNT_COMPLETION            0x00000002
#define IRP_SYNCHRONOUS_API             0x00000004
#define IRP_ASSOCIATED_IRP              0x00000008
#define IRP_BUFFERED_IO                 0x00000010
#define IRP_DEALLOCATE_BUFFER           0x00000020
#define IRP_INPUT_OPERATION             0x00000040
#define IRP_SYNCHRONOUS_PAGING_IO       0x00000040
#define IRP_CREATE_OPERATION            0x00000080
#define IRP_READ_OPERATION              0x00000100
#define IRP_WRITE_OPERATION             0x00000200
#define IRP_CLOSE_OPERATION             0x00000400

第三部分:IopUpdateOtherTransferCount

        //
        // If this is normal I/O, update the transfer count for this process.
        //
        // Create requests are not counted; reads and writes go to the
        // read/write counters and everything else to the "other" counter.
        // For the IRP traced on this page Flags is 0x840, so none of
        // IRP_CREATE_OPERATION (0x80), IRP_READ_OPERATION (0x100) or
        // IRP_WRITE_OPERATION (0x200) is set and the final branch runs.
        //

        if (!(irp->Flags & IRP_CREATE_OPERATION)) {
            if (irp->Flags & IRP_READ_OPERATION) {
                IopUpdateReadTransferCount( (ULONG) irp->IoStatus.Information );
            } else if (irp->Flags & IRP_WRITE_OPERATION) {
                IopUpdateWriteTransferCount( (ULONG) irp->IoStatus.Information );
            } else {
                //
                // If the information field contains a pointer then skip the update.
                // Some PNP IRPs contain this.
                //
                // Information shows as an unsigned long in the 32-bit dump
                // below; the (ULONG) cast suggests the field is pointer-sized
                // in general. The high-bit test treats any value >= 0x80000000
                // as an address rather than a byte count.
                // NOTE(review): that only separates a kernel pointer from a
                // count on a 32-bit kernel with the default 2GB user split -
                // confirm the intended behaviour under /3GB or x64.
                //
                if (!((ULONG) irp->IoStatus.Information & 0x80000000)) {
                    // Branch taken in the trace: Information == 0x30 (48 bytes),
                    // matching the +48 observed on both counters further down.
                    IopUpdateOtherTransferCount( (ULONG) irp->IoStatus.Information );
                }
            }
        }

1: kd> x nt!IoCountOperations
80b0e288          nt!IoCountOperations = 1


1: kd> x nt!IoOtherTransferCount
80b1ee90          nt!IoOtherTransferCount = {436672}
1: kd> dx -r1 (*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))
(*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))                 : {436672} [Type: _LARGE_INTEGER]
    [<Raw View>]     [Type: _LARGE_INTEGER]
1: kd> dx -r1 -nv (*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))
(*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))                 : {436672} [Type: _LARGE_INTEGER]
    [+0x000] LowPart          : 0x6a9c0 [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]
    [+0x000] u                [Type: __unnamed]
    [+0x000] QuadPart         : 436672 [Type: __int64]

1: kd> dx -id 0,0,89838358 -r1 (*((CSRSRV!_KAPC_STATE *)0x895108cc))
(*((CSRSRV!_KAPC_STATE *)0x895108cc))                 [Type: _KAPC_STATE]
    [+0x000] ApcListHead      [Type: _LIST_ENTRY [2]]
    [+0x010] Process          : 0x89838358 [Type: _KPROCESS *]


1: kd> dt ePROCESS 0x89838358

   +0x1c0 OtherTransferCount : _LARGE_INTEGER 0x6952
 
1: kd> dx -id 0,0,89838358 -r1 (*((CSRSRV!_LARGE_INTEGER *)0x89838518))
(*((CSRSRV!_LARGE_INTEGER *)0x89838518))                 : {26962} [Type: _LARGE_INTEGER]
    [<Raw View>]     [Type: _LARGE_INTEGER]
1: kd> dx -id 0,0,89838358 -r1 -nv (*((CSRSRV!_LARGE_INTEGER *)0x89838518))
(*((CSRSRV!_LARGE_INTEGER *)0x89838518))                 : {26962} [Type: _LARGE_INTEGER]
    [+0x000] LowPart          : 0x6952 [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]
    [+0x000] u                [Type: __unnamed]
    [+0x000] QuadPart         : 26962 [Type: __int64]

VOID
IopUpdateOtherTransferCount(
    IN ULONG TransferCount
    )
/*++

Routine Description:

    Charges TransferCount bytes to the "other" (neither read nor write) I/O
    statistics: the system-wide IoOtherTransferCount and the
    OtherTransferCount of the process that owns the calling thread. Nothing
    is recorded unless I/O operation counting (IoCountOperations) is enabled.

    The process is located through the current thread, so the caller must be
    running in the context of the thread that issued the request. For the
    completion path traced on this page that holds because IopCompleteRequest
    runs as a kernel APC queued to the issuing thread.

Arguments:

    TransferCount - Number of bytes transferred by the completed request.

Return Value:

    None.

--*/
{
    //
    // Counting is optional; leave before touching either statistic when it
    // is switched off.
    //

    if (IoCountOperations != TRUE) {
        return;
    }

    //
    // Both updates are interlocked 64-bit additions, so completions on other
    // processors may run concurrently without any lock being held here.
    //

    ExInterlockedAddLargeStatistic( &IoOtherTransferCount, TransferCount );
    ExInterlockedAddLargeStatistic( &THREAD_TO_PROCESS(PsGetCurrentThread())->OtherTransferCount, TransferCount);
}

IopUpdateOtherTransferCount函数之后:

1: kd> dx -id 0,0,89838358 -r1 -nv (*((CSRSRV!_LARGE_INTEGER *)0x89838518))
(*((CSRSRV!_LARGE_INTEGER *)0x89838518))                 : {27010} [Type: _LARGE_INTEGER]
    [+0x000] LowPart          : 0x6982 [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]
    [+0x000] u                [Type: __unnamed]
    [+0x000] QuadPart         : 27010 [Type: __int64]

26962 + 48 = 27010(IoStatus.Information = 0x30,即 48 字节)


1: kd> dt irp 896e4e40-40
Local var @ 0xba3eebf0 Type _IRP*
0x896e4e00
   +0x000 Type             : 0n6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x840
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x89510ab0 - 0x89510ab0 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0x1 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 3 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0xc ''
   +0x028 UserIosb         : 0x006c1a00 _IO_STATUS_BLOCK
   +0x02c UserEvent        : 0x894e9800 _KEVENT
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : 0x006c1408 Void
   +0x040 Tail             : __unnamed
1: kd> dx -id 0,0,89838358 -r1 (*((ntkrnlmp!_IO_STATUS_BLOCK *)0x896e4e18))
(*((ntkrnlmp!_IO_STATUS_BLOCK *)0x896e4e18))                 [Type: _IO_STATUS_BLOCK]
    [+0x000] Status           : 0 [Type: long]
    [+0x000] Pointer          : 0x0 [Type: void *]
    [+0x004] Information      : 0x30 [Type: unsigned long]        Information      : 0x30

1: kd> x nt!IoOtherTransferCount
80b1ee90          nt!IoOtherTransferCount = {436720}
1: kd> dx -r1 (*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))
(*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))                 : {436720} [Type: _LARGE_INTEGER]
    [<Raw View>]     [Type: _LARGE_INTEGER]
1: kd> dx -r1 -nv (*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))
(*((ntkrnlmp!_LARGE_INTEGER *)0x80b1ee90))                 : {436720} [Type: _LARGE_INTEGER]
    [+0x000] LowPart          : 0x6a9f0 [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]
    [+0x000] u                [Type: __unnamed]
    [+0x000] QuadPart         : 436720 [Type: __int64]


436672 + 48 = 436720


第四部分:IopDequeueThreadIrp函数分析

第四部分A:
        //
        // Dequeue the packet from the thread's pending I/O request list.
        //

        IopDequeueThreadIrp( irp );

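//
// Remove Irp from its thread's pending-IRP list (ETHREAD.IrpList) and leave
// Irp->ThreadListEntry linked to itself. Because the entry is re-initialised
// rather than left dangling, a later RemoveEntryList on an already-dequeued
// IRP only rewrites the IRP's own two links and cannot corrupt the thread's
// list (the dumps below show the self-linked state after the call).
//
// Irp is parenthesised so that any pointer expression, not just a plain
// identifier, can be passed. The body expands to a braced block, so the
// macro must not be used as the unbraced body of an if that is followed by
// an else: the trailing ';' after the block would end the if statement.
//

#define IopDequeueThreadIrp( Irp ) \
   { \
   RemoveEntryList( &(Irp)->ThreadListEntry ); \
   InitializeListHead( &(Irp)->ThreadListEntry ) ; \
   }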


第四部分B:
1: kd> dt irp 896e4e40-40

   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x89510ab0 - 0x89510ab0 ]

1: kd> dx -id 0,0,89838358 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x896e4e10))
(*((ntkrnlmp!_LIST_ENTRY *)0x896e4e10))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89510ab0 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89510ab0 [Type: _LIST_ENTRY *]


1: kd>   dt eTHREAD 89510898

   +0x218 IrpList          : _LIST_ENTRY [ 0x896e4e10 - 0x896e4e10 ]
 
1: kd> dx -id 0,0,89838358 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89510ab0))
(*((CSRSRV!_LIST_ENTRY *)0x89510ab0))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x896e4e10 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x896e4e10 [Type: _LIST_ENTRY *]

第四部分C:


1: kd> dt irp 896e4e40-40

   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x896e4e10 - 0x896e4e10 ]

1: kd> dx -id 0,0,89838358 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x896e4e10))
(*((ntkrnlmp!_LIST_ENTRY *)0x896e4e10))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x896e4e10 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x896e4e10 [Type: _LIST_ENTRY *]
1: kd>   dt eTHREAD 89510898

   +0x218 IrpList          : _LIST_ENTRY [ 0x89510ab0 - 0x89510ab0 ]
 
1: kd> dx -id 0,0,89838358 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89510ab0))
(*((CSRSRV!_LIST_ENTRY *)0x89510ab0))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89510ab0 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89510ab0 [Type: _LIST_ENTRY *]

http://www.dtcms.com/a/92290.html
