发布时间:2014-5-13 19:27
分类名称:Driver
typedef struct _DRIVER_OBJECT {
CSHORT Type;
CSHORT Size;
//
// The following links all of the devices created by a single driver
// together on a list, and the Flags word provides an extensible flag
// location for driver objects.
//
// 指向第一个DeviceObject,通过DeviceObject->NextDevice指向下一个,NextDevice会在IoCreateDevice中进行连接更新
// DeviceObject->DriverObject可以回指对应的DriverObject。
PDEVICE_OBJECT DeviceObject;
ULONG Flags;
//
// The following section describes where the driver is loaded. The count
// field is used to count the number of times the driver has had its
// registered reinitialization routine invoked.
//
PVOID DriverStart; // Driver被加载到内存后的起始的虚拟地址
ULONG DriverSize; // Driver的大小,PE文件中的信息:ntHeaders->OptionalHeader.SizeOfImage
PVOID DriverSection;
PDRIVER_EXTENSION DriverExtension; // 见下文:最重要的一项为DriverExtension->AddDevice。
//
// The driver name field is used by the error log thread
// determine the name of the driver that an I/O request is/was bound.
//
UNICODE_STRING DriverName;
//
// The following section is for registry support. Thise is a pointer
// to the path to the hardware information in the registry
//
PUNICODE_STRING HardwareDatabase;
//
// The following section contains the optional pointer to an array of
// alternate entry points to a driver for "fast I/O" support. Fast I/O
// is performed by invoking the driver routine directly with separate
// parameters, rather than using the standard IRP call mechanism. Note
// that these functions may only be used for synchronous I/O, and when
// the file is cached.
//
PFAST_IO_DISPATCH FastIoDispatch;
//
// The following section describes the entry points to this particular
// driver. Note that the major function dispatch table must be the last
// field in the object so that it remains extensible.
//
PDRIVER_INITIALIZE DriverInit; // 运行起始地址(不是DriverEntry的地址)。ntHeaders->OptionalHeader.AddressOfEntryPoint
PDRIVER_STARTIO DriverStartIo;
PDRIVER_UNLOAD DriverUnload;
PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT;
typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT; // ntndis
typedef struct _DRIVER_EXTENSION {
//
// Back pointer to Driver Object
//
struct _DRIVER_OBJECT *DriverObject;
//
// The AddDevice entry point is called by the Plug & Play manager
// to inform the driver when a new device instance arrives that this
// driver must control.
//
PDRIVER_ADD_DEVICE AddDevice;
//
// The count field is used to count the number of times the driver has
// had its registered reinitialization routine invoked.
//
ULONG Count;
//
// The service name field is used by the pnp manager to determine
// where the driver related info is stored in the registry.
//
UNICODE_STRING ServiceKeyName;
//
// Note: any new shared fields get added here.
//
// end_ntddk end_wdm end_nthal end_ntifs end_ntosp
//
// The client driver object extension field is used by class driver
// to store per driver information.
//
PIO_CLIENT_EXTENSION ClientDriverExtension;
//
// The file system filter callback extension field is used
// to safely notify filters of system operations that were
// previously not shown to file system filters.
//
PFS_FILTER_CALLBACKS FsFilterCallbacks;
// begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp
} DRIVER_EXTENSION, *PDRIVER_EXTENSION;
typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _DEVICE_OBJECT {
CSHORT Type; // IO_TYPE_DEVICE
USHORT Size; // (USHORT) (sizeof( DEVICE_OBJECT ) + 用户创建的DeviceExtensionSize);
LONG ReferenceCount; //
struct _DRIVER_OBJECT *DriverObject; // 回指对应DriverObject
struct _DEVICE_OBJECT *NextDevice; // 下一个DeviceObject
struct _DEVICE_OBJECT *AttachedDevice; // 上一层有Device挂着,指向上面的Device。
struct _IRP *CurrentIrp; // 一般在StartIo中使用,当前处理的IRP。
PIO_TIMER Timer;
ULONG Flags; // See above: DO_DIRECT_IO, DO_BUFFERED_IO, DO_DEVICE_INITIALIZING ...
ULONG Characteristics; // See ntioapi: FILE_...
PVPB Vpb;
PVOID DeviceExtension; // 用户自己使用的Buffer区域。
DEVICE_TYPE DeviceType; // 用户传入的DeviceType,如FILE_DEVICE_UNKNOWN,FILE_DEVICE_SMARTCARD
CCHAR StackSize; // 一般调用IoAttachDeviceToDeviceStack,会设置此项目,值为下层的StackSize+1。初始值为:1,在IoCreateDevice时初始化
union {
LIST_ENTRY ListEntry;
WAIT_CONTEXT_BLOCK Wcb;
} Queue;
ULONG AlignmentRequirement;
KDEVICE_QUEUE DeviceQueue; // 在StartIo中使用,串起等待处理的IRP们。
KDPC Dpc;
//
// The following field is for exclusive use by the filesystem to keep
// track of the number of Fsp threads currently using the device
//
ULONG ActiveThreadCount;
PSECURITY_DESCRIPTOR SecurityDescriptor;
KEVENT DeviceLock;
USHORT SectorSize;
USHORT Spare1;
struct _DEVOBJ_EXTENSION *DeviceObjectExtension;
PVOID Reserved;
} DEVICE_OBJECT;
typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _IRP {
CSHORT Type; // 一般为IO_TYPE_IRP(0x00000006)
USHORT Size; // IRP + 和其对应的I/0堆栈的总大小,分配IRP的时候,它们就是一起在堆上分配的空间,所以IRP下面就是I/O堆栈
//
// Define the common fields used to control the IRP.
//
//
// Define a pointer to the Memory Descriptor List (MDL) for this I/O
// request. This field is only used if the I/O is "direct I/O".
//
PMDL MdlAddress;
//
// Flags word - used to remember various flags.
//
ULONG Flags;
//
// The following union is used for one of three purposes:
//
// 1. This IRP is an associated IRP. The field is a pointer to a master
// IRP.
//
// 2. This is the master IRP. The field is the count of the number of
// IRPs which must complete (associated IRPs) before the master can
// complete.
//
// 3. This operation is being buffered and the field is the address of
// the system space buffer.
//
union {
struct _IRP *MasterIrp;
__volatile LONG IrpCount;
PVOID SystemBuffer;
} AssociatedIrp;
//
// Thread list entry - allows queueing the IRP to the thread pending I/O
// request packet list.
//
LIST_ENTRY ThreadListEntry;
//
// I/O status - final status of operation.
//
IO_STATUS_BLOCK IoStatus;
//
// Requestor mode - mode of the original requestor of this operation.
//
KPROCESSOR_MODE RequestorMode;
//
// Pending returned - TRUE if pending was initially returned as the
// status for this packet.
//
// 在IoComplateRequest函数中,有一句:Irp->PendingReturned = stackPointer->Control & SL_PENDING_RETURNED;
// 在回弹完成函数时,如果stackPointer->Control(IoMarkIrpPending可设置)有SL_PENDING_RETURNED,会将其保存到Irp->PendingReturned
// 在完成函数中判断Irp->PendingReturned,继续调用IoMarkIrpPending,向上传递。
BOOLEAN PendingReturned;
//
// Stack state information.
//
CHAR StackCount; // 和 Device->StackSize 大小一样
CHAR CurrentLocation; // 当前Location,初始值为StackCount大小加1,用来和StackCount+1对比,是否到达最上层
//
// Cancel - packet has been canceled.
//
// 当IRP被取消时,会被设置为FALSE。如在,IoCancelIrp中被设置为TRUE。
BOOLEAN Cancel;
//
// Cancel Irql - Irql at which the cancel spinlock was acquired.
//
// IoAcquireCancelSpinLock得到锁后的IRQL
KIRQL CancelIrql;
//
// ApcEnvironment - Used to save the APC environment at the time that the
// packet was initialized.
//
CCHAR ApcEnvironment;
//
// Allocation control flags.
//
UCHAR AllocationFlags;
//
// User parameters.
//
PIO_STATUS_BLOCK UserIosb;
PKEVENT UserEvent; // 保存用户层传递的Evnet(如ReadFile异步调用时)
union {
struct {
union {
PIO_APC_ROUTINE UserApcRoutine; // 用户层传递的,APC 异步调用函数
PVOID IssuingProcess;
};
PVOID UserApcContext; // APC 参数
} AsynchronousParameters; // APC异步调用参数
LARGE_INTEGER AllocationSize;
} Overlay; //通过名字可以和用户层对应起来,都是Overlay。
//
// CancelRoutine - Used to contain the address of a cancel routine supplied
// by a device driver when the IRP is in a cancelable state.
//
// IRP取消的时候会被调用
__volatile PDRIVER_CANCEL CancelRoutine;
//
// Note that the UserBuffer parameter is outside of the stack so that I/O
// completion can copy data back into the user's address space without
// having to know exactly which service was being invoked. The length
// of the copy is stored in the second half of the I/O status block. If
// the UserBuffer field is NULL, then no copy is performed.
//
PVOID UserBuffer;
//
// Kernel structures
//
// The following section contains kernel structures which the IRP needs
// in order to place various work information in kernel controller system
// queues. Because the size and alignment cannot be controlled, they are
// placed here at the end so they just hang off and do not affect the
// alignment of other fields in the IRP.
//
union {
struct {
union {
//
// DeviceQueueEntry - The device queue entry field is used to
// queue the IRP to the device driver device queue.
//
// KeInsertDeviceQueue( &DeviceObject->DeviceQueue, &Irp->Tail.Overlay.DeviceQueueEntry );
// 将IRP和DeviceObject连接起来,使用在StartIO串行方式中。
KDEVICE_QUEUE_ENTRY DeviceQueueEntry;
struct {
//
// The following are available to the driver to use in
// whatever manner is desired, while the driver owns the
// packet.
//
PVOID DriverContext[4];
} ;
} ;
//
// Thread - pointer to caller's Thread Control Block.
//
// PsGetCurrentThread
PETHREAD Thread;
//
// Auxiliary buffer - pointer to any auxiliary buffer that is
// required to pass information to a driver that is not contained
// in a normal buffer.
//
PCHAR AuxiliaryBuffer;
//
// The following unnamed structure must be exactly identical
// to the unnamed structure used in the minipacket header used
// for completion queue entries.
//
struct {
//
// List entry - used to queue the packet to completion queue, among
// others.
//
LIST_ENTRY ListEntry;
union {
//
// Current stack location - contains a pointer to the current
// IO_STACK_LOCATION structure in the IRP stack. This field
// should never be directly accessed by drivers. They should
// use the standard functions.
//
struct _IO_STACK_LOCATION *CurrentStackLocation;
//
// Minipacket type.
//
ULONG PacketType;
};
};
//
// Original file object - pointer to the original file object
// that was used to open the file. This field is owned by the
// I/O system and should not be used by any other drivers.
//
PFILE_OBJECT OriginalFileObject;
} Overlay;
//
// APC - This APC control block is used for the special kernel APC as
// well as for the caller's APC, if one was specified in the original
// argument list. If so, then the APC is reused for the normal APC for
// whatever mode the caller was in and the "special" routine that is
// invoked before the APC gets control simply deallocates the IRP.
//
KAPC Apc;
//
// CompletionKey - This is the key that is used to distinguish
// individual I/O operations initiated on a single file handle.
//
PVOID CompletionKey;
} Tail;
} IRP;
typedef struct _IO_STACK_LOCATION {
UCHAR MajorFunction;
UCHAR MinorFunction;
UCHAR Flags;
UCHAR Control;
//
// The following user parameters are based on the service that is being
// invoked. Drivers and file systems can determine which set to use based
// on the above major and minor function codes.
//
union {
//
// System service parameters for: NtCreateFile
//
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT POINTER_ALIGNMENT FileAttributes;
USHORT ShareAccess;
ULONG POINTER_ALIGNMENT EaLength;
} Create;
// end_ntddk end_wdm end_nthal end_ntifs end_ntosp
//
// System service parameters for: NtCreateNamedPipeFile
//
// Notice that the fields in the following parameter structure must
// match those for the create structure other than the last longword.
// This is so that no distinctions need be made by the I/O system's
// parse routine other than for the last longword.
//
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT POINTER_ALIGNMENT Reserved;
USHORT ShareAccess;
PNAMED_PIPE_CREATE_PARAMETERS Parameters;
} CreatePipe;
//
// System service parameters for: NtCreateMailslotFile
//
// Notice that the fields in the following parameter structure must
// match those for the create structure other than the last longword.
// This is so that no distinctions need be made by the I/O system's
// parse routine other than for the last longword.
//
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT POINTER_ALIGNMENT Reserved;
USHORT ShareAccess;
PMAILSLOT_CREATE_PARAMETERS Parameters;
} CreateMailslot;
// begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp
//
// System service parameters for: NtReadFile
//
struct {
ULONG Length;
ULONG POINTER_ALIGNMENT Key;
LARGE_INTEGER ByteOffset;
} Read;
//
// System service parameters for: NtWriteFile
//
struct {
ULONG Length;
ULONG POINTER_ALIGNMENT Key;
LARGE_INTEGER ByteOffset;
} Write;
// end_ntddk end_wdm end_nthal
//
// System service parameters for: NtQueryDirectoryFile
//
struct {
ULONG Length;
PUNICODE_STRING FileName;
FILE_INFORMATION_CLASS FileInformationClass;
ULONG POINTER_ALIGNMENT FileIndex;
} QueryDirectory;
//
// System service parameters for: NtNotifyChangeDirectoryFile
//
struct {
ULONG Length;
ULONG POINTER_ALIGNMENT CompletionFilter;
} NotifyDirectory;
// begin_ntddk begin_wdm begin_nthal
//
// System service parameters for: NtQueryInformationFile
//
struct {
ULONG Length;
FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
} QueryFile;
//
// System service parameters for: NtSetInformationFile
//
struct {
ULONG Length;
FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
PFILE_OBJECT FileObject;
union {
struct {
BOOLEAN ReplaceIfExists;
BOOLEAN AdvanceOnly;
};
ULONG ClusterCount;
HANDLE DeleteHandle;
};
} SetFile;
// end_ntddk end_wdm end_nthal end_ntosp
//
// System service parameters for: NtQueryEaFile
//
struct {
ULONG Length;
PVOID EaList;
ULONG EaListLength;
ULONG POINTER_ALIGNMENT EaIndex;
} QueryEa;
//
// System service parameters for: NtSetEaFile
//
struct {
ULONG Length;
} SetEa;
// begin_ntddk begin_wdm begin_nthal begin_ntosp
//
// System service parameters for: NtQueryVolumeInformationFile
//
struct {
ULONG Length;
FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;
} QueryVolume;
// end_ntddk end_wdm end_nthal end_ntosp
//
// System service parameters for: NtSetVolumeInformationFile
//
struct {
ULONG Length;
FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;
} SetVolume;
// begin_ntosp
//
// System service parameters for: NtFsControlFile
//
// Note that the user's output buffer is stored in the UserBuffer field
// and the user's input buffer is stored in the SystemBuffer field.
//
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT FsControlCode;
PVOID Type3InputBuffer;
} FileSystemControl;
//
// System service parameters for: NtLockFile/NtUnlockFile
//
struct {
PLARGE_INTEGER Length;
ULONG POINTER_ALIGNMENT Key;
LARGE_INTEGER ByteOffset;
} LockControl;
// begin_ntddk begin_wdm begin_nthal
//
// System service parameters for: NtFlushBuffersFile
//
// No extra user-supplied parameters.
//
// end_ntddk end_wdm end_nthal
// end_ntosp
//
// System service parameters for: NtCancelIoFile
//
// No extra user-supplied parameters.
//
// begin_ntddk begin_wdm begin_nthal begin_ntosp
//
// System service parameters for: NtDeviceIoControlFile
//
// Note that the user's output buffer is stored in the UserBuffer field
// and the user's input buffer is stored in the SystemBuffer field.
//
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT IoControlCode;
PVOID Type3InputBuffer;
} DeviceIoControl;
// end_wdm
//
// System service parameters for: NtQuerySecurityObject
//
struct {
SECURITY_INFORMATION SecurityInformation;
ULONG POINTER_ALIGNMENT Length;
} QuerySecurity;
//
// System service parameters for: NtSetSecurityObject
//
struct {
SECURITY_INFORMATION SecurityInformation;
PSECURITY_DESCRIPTOR SecurityDescriptor;
} SetSecurity;
// begin_wdm
//
// Non-system service parameters.
//
// Parameters for MountVolume
//
struct {
PVPB Vpb;
PDEVICE_OBJECT DeviceObject;
} MountVolume;
//
// Parameters for VerifyVolume
//
struct {
PVPB Vpb;
PDEVICE_OBJECT DeviceObject;
} VerifyVolume;
//
// Parameters for Scsi with internal device contorl.
//
struct {
struct _SCSI_REQUEST_BLOCK *Srb;
} Scsi;
// end_ntddk end_wdm end_nthal end_ntosp
//
// System service parameters for: NtQueryQuotaInformationFile
//
struct {
ULONG Length;
PSID StartSid;
PFILE_GET_QUOTA_INFORMATION SidList;
ULONG SidListLength;
} QueryQuota;
//
// System service parameters for: NtSetQuotaInformationFile
//
struct {
ULONG Length;
} SetQuota;
// begin_ntddk begin_wdm begin_nthal begin_ntosp
//
// Parameters for IRP_MN_QUERY_DEVICE_RELATIONS
//
struct {
DEVICE_RELATION_TYPE Type;
} QueryDeviceRelations;
//
// Parameters for IRP_MN_QUERY_INTERFACE
//
struct {
CONST GUID *InterfaceType;
USHORT Size;
USHORT Version;
PINTERFACE Interface;
PVOID InterfaceSpecificData;
} QueryInterface;
// end_ntifs
//
// Parameters for IRP_MN_QUERY_CAPABILITIES
//
struct {
PDEVICE_CAPABILITIES Capabilities;
} DeviceCapabilities;
//
// Parameters for IRP_MN_FILTER_RESOURCE_REQUIREMENTS
//
struct {
PIO_RESOURCE_REQUIREMENTS_LIST IoResourceRequirementList;
} FilterResourceRequirements;
//
// Parameters for IRP_MN_READ_CONFIG and IRP_MN_WRITE_CONFIG
//
struct {
ULONG WhichSpace;
PVOID Buffer;
ULONG Offset;
ULONG POINTER_ALIGNMENT Length;
} ReadWriteConfig;
//
// Parameters for IRP_MN_SET_LOCK
//
struct {
BOOLEAN Lock;
} SetLock;
//
// Parameters for IRP_MN_QUERY_ID
//
struct {
BUS_QUERY_ID_TYPE IdType;
} QueryId;
//
// Parameters for IRP_MN_QUERY_DEVICE_TEXT
//
struct {
DEVICE_TEXT_TYPE DeviceTextType;
LCID POINTER_ALIGNMENT LocaleId;
} QueryDeviceText;
//
// Parameters for IRP_MN_DEVICE_USAGE_NOTIFICATION
//
struct {
BOOLEAN InPath;
BOOLEAN Reserved[3];
DEVICE_USAGE_NOTIFICATION_TYPE POINTER_ALIGNMENT Type;
} UsageNotification;
//
// Parameters for IRP_MN_WAIT_WAKE
//
struct {
SYSTEM_POWER_STATE PowerState;
} WaitWake;
//
// Parameter for IRP_MN_POWER_SEQUENCE
//
struct {
PPOWER_SEQUENCE PowerSequence;
} PowerSequence;
//
// Parameters for IRP_MN_SET_POWER and IRP_MN_QUERY_POWER
//
struct {
ULONG SystemContext;
POWER_STATE_TYPE POINTER_ALIGNMENT Type;
POWER_STATE POINTER_ALIGNMENT State;
POWER_ACTION POINTER_ALIGNMENT ShutdownType;
} Power;
//
// Parameters for StartDevice
//
struct {
PCM_RESOURCE_LIST AllocatedResources;
PCM_RESOURCE_LIST AllocatedResourcesTranslated;
} StartDevice;
// begin_ntifs
//
// Parameters for Cleanup
//
// No extra parameters supplied
//
//
// WMI Irps
//
struct {
ULONG_PTR ProviderId;
PVOID DataPath;
ULONG BufferSize;
PVOID Buffer;
} WMI;
//
// Others - driver-specific
//
struct {
PVOID Argument1;
PVOID Argument2;
PVOID Argument3;
PVOID Argument4;
} Others;
} Parameters;
//
// Save a pointer to this device driver's device object for this request
// so it can be passed to the completion routine if needed.
//
// 此项一般在IoCallDriver中被设置。
PDEVICE_OBJECT DeviceObject;
//
// The following location contains a pointer to the file object for this
//
PFILE_OBJECT FileObject;
//
// The following routine is invoked depending on the flags in the above
// flags field.
//
// 完成函数,每层都有。
PIO_COMPLETION_ROUTINE CompletionRoutine;
//
// The following is used to store the address of the context parameter
// that should be passed to the CompletionRoutine.
//
PVOID Context;
} IO_STACK_LOCATION, *PIO_STACK_LOCATION;
VOID
FASTCALL
IopfCompleteRequest(
IN PIRP Irp,
IN CCHAR PriorityBoost
)
/*++
Routine Description:
This routine is invoked to complete an I/O request. It is invoked by the
driver in its DPC routine to perform the final completion of the IRP. The
functions performed by this routine are as follows.
1. A check is made to determine whether the packet's stack locations
have been exhausted. If not, then the stack location pointer is set
to the next location and if there is a routine to be invoked, then
it will be invoked. This continues until there are either no more
routines which are interested or the packet runs out of stack.
If a routine is invoked to complete the packet for a specific driver
which needs to perform work a lot of work or the work needs to be
performed in the context of another process, then the routine will
return an alternate success code of STATUS_MORE_PROCESSING_REQUIRED.
This indicates that this completion routine should simply return to
its caller because the operation will be "completed" by this routine
again sometime in the future.
2. A check is made to determine whether this IRP is an associated IRP.
If it is, then the count on the master IRP is decremented. If the
count for the master becomes zero, then the master IRP will be
completed according to the steps below taken for a normal IRP being
completed. If the count is still non-zero, then this IRP (the one
being completed) will simply be deallocated.
3. If this is paging I/O or a close operation, then simply write the
I/O status block and set the event to the signaled state, and
dereference the event. If this is paging I/O, deallocate the IRP
as well.
4. Unlock the pages, if any, specified by the MDL by calling
MmUnlockPages.
5. A check is made to determine whether or not completion of the
request can be deferred until later. If it can be, then this
routine simply exits and leaves it up to the originator of the
request to fully complete the IRP. By not initializing and queueing
the special kernel APC to the calling thread (which is the current
thread by definition), a lot of interrupt and queueing processing
can be avoided.
6. The final rundown routine is invoked to queue the request packet to
the target (requesting) thread as a special kernel mode APC.
Arguments:
Irp - Pointer to the I/O Request Packet to complete.
PriorityBoost - Supplies the amount of priority boost that is to be given
to the target thread when the special kernel APC is queued.
Return Value:
None.
--*/
#define ZeroIrpStackLocation( IrpSp ) { \
(IrpSp)->MinorFunction = 0; \
(IrpSp)->Flags = 0; \
(IrpSp)->Control &= SL_ERROR_RETURNED ; \
(IrpSp)->Parameters.Others.Argument1 = 0; \
(IrpSp)->Parameters.Others.Argument2 = 0; \
(IrpSp)->Parameters.Others.Argument3 = 0; \
(IrpSp)->FileObject = (PFILE_OBJECT) NULL; }
{
PIRP masterIrp;
NTSTATUS status;
PIO_STACK_LOCATION stackPointer;
PIO_STACK_LOCATION bottomSp;
PDEVICE_OBJECT deviceObject;
PMDL mdl;
PETHREAD thread;
PFILE_OBJECT fileObject;
KIRQL irql;
PVOID saveAuxiliaryPointer = NULL;
NTSTATUS errorStatus;
//
// Begin by ensuring that this packet has not already been completed
// by someone.
//
// 判断此IRP的堆栈和类型是否合法
if (Irp->CurrentLocation > (CCHAR) (Irp->StackCount + 1) ||
Irp->Type != IO_TYPE_IRP) {
KeBugCheckEx( MULTIPLE_IRP_COMPLETE_REQUESTS, (ULONG_PTR) Irp, __LINE__, 0, 0 );
}
//
// Ensure that the packet being completed really is still an IRP.
//
ASSERT( Irp->Type == IO_TYPE_IRP );
//
// Ensure that no one believes that this request is still in a cancelable
// state.
//
ASSERT( !Irp->CancelRoutine );
//
// Ensure that the packet is not being completed with a thoroughly
// confusing status code. Actually completing a packet with a pending
// status probably means that someone forgot to set the real status in
// the packet.
//
ASSERT( Irp->IoStatus.Status != STATUS_PENDING );
//
// Ensure that the packet is not being completed with a minus one. This
// is apparently a common problem in some drivers, and has no meaning
// as a status code.
//
ASSERT( Irp->IoStatus.Status != 0xffffffff );
//
// Diagnosability support.
//
bottomSp = ((PIO_STACK_LOCATION) ((UCHAR *) (Irp) + sizeof( IRP )));
if (bottomSp->Control & SL_ERROR_RETURNED) {
errorStatus = (NTSTATUS)(ULONG_PTR)(bottomSp->Parameters.Others.Argument4);
} else {
errorStatus = STATUS_SUCCESS;
}
//
// Now check to see whether this is the last driver that needs to be
// invoked for this packet. If not, then bump the stack and check to
// see whether the driver wishes to see the completion. As each stack
// location is examined, invoke any routine which needs to be invoked.
// If the routine returns STATUS_MORE_PROCESSING_REQUIRED, then stop the
// processing of this packet.
//
for (stackPointer = IoGetCurrentIrpStackLocation( Irp ), // 获取当前IO堆栈,当前的堆栈中,可能会在上层驱动中调用IoSetCompletionRoutine(将完成函数设置到下一层)来对本层设置。
Irp->CurrentLocation++, // 移到上层IO堆栈,现在的IRP对应的堆栈是上一层。
Irp->Tail.Overlay.CurrentStackLocation++; // 移到上层IO堆栈,现在的IRP对应的堆栈是上一层。
Irp->CurrentLocation <= (CCHAR) (Irp->StackCount + 1); // 到最上层停止时停止。
stackPointer++, // 向上迭代
Irp->CurrentLocation++,
Irp->Tail.Overlay.CurrentStackLocation++) {
//
// A stack location was located. Check to see whether or not it
// has a completion routine and if so, whether or not it should be
// invoked.
//
// Begin by saving the pending returned flag in the current stack
// location in the fixed part of the IRP.
//
// 判断stackPointer->Control是否具有SL_PENDING_RETURNED(使用IoMarkIrpPending来设置),如果有,将SL_PENDING_RETURNED保存到Irp->PendingReturned。
// 在完成函数中判断该值,来判断是否需要调用IoMarkIrpPending,如果不调用,会将此标记清除,无法继续向上传递,可以会出现死锁发送。
Irp->PendingReturned = stackPointer->Control & SL_PENDING_RETURNED;
//
// If a completion routine changed the status then
// mark the upper level stack pointer as the one
// that flagged the error.
//
if (!NT_SUCCESS(Irp->IoStatus.Status)) {
if (Irp->IoStatus.Status != errorStatus) {
errorStatus = Irp->IoStatus.Status;
stackPointer->Control |= SL_ERROR_RETURNED;
bottomSp->Parameters.Others.Argument4 = (PVOID)(ULONG_PTR)errorStatus;
bottomSp->Control |= SL_ERROR_RETURNED; // Mark that there is status in this location
}
}
if ( (NT_SUCCESS( Irp->IoStatus.Status ) &&
stackPointer->Control & SL_INVOKE_ON_SUCCESS) ||
(!NT_SUCCESS( Irp->IoStatus.Status ) &&
stackPointer->Control & SL_INVOKE_ON_ERROR) ||
(Irp->Cancel &&
stackPointer->Control & SL_INVOKE_ON_CANCEL)
) {
//
// This driver has specified a completion routine. Invoke the
// routine passing it a pointer to its device object and the
// IRP that is being completed.
//
// 清除当前栈,防止上一层的栈就无法使用此栈信息。
ZeroIrpStackLocation( stackPointer );
// 如果是最上层了,deviceObject为NULL。
if (Irp->CurrentLocation == (CCHAR) (Irp->StackCount + 1)) {
deviceObject = NULL;
}
else {
// 由于上面的IRP的IO堆栈已经++,所以获取到的是上层的DeviceObject.
// 可以看出,通过IRP的IO堆栈中的deviceObject,可以回指对应的DeviceObject。
deviceObject = IoGetCurrentIrpStackLocation( Irp )->DeviceObject;
}
// 调用完成函数
status = stackPointer->CompletionRoutine( deviceObject,
Irp,
stackPointer->Context );
if (status == STATUS_MORE_PROCESSING_REQUIRED) {
//
// Note: Notice that if the driver has returned the above
// status value, it may have already DEALLOCATED the
// packet! Therefore, do NOT touch any part of the
// IRP in the following code.
//
// 正如书中说的,STATUS_MORE_PROCESSING_REQUIRED,则返回。此时IRP还是有效的。
return;
}
} else {
// 如果没有完成函数,直接IoMarkIrpPending,继续循环。
if (Irp->PendingReturned && Irp->CurrentLocation <= Irp->StackCount) {
IoMarkIrpPending( Irp );
}
ZeroIrpStackLocation( stackPointer );
}
}
//
// Check to see whether this is an associated IRP. If so, then decrement
// the count in the master IRP. If the count is decremented to zero,
// then complete the master packet as well.
//
if (Irp->Flags & IRP_ASSOCIATED_IRP) {
ULONG count;
masterIrp = Irp->AssociatedIrp.MasterIrp;
//
// After this decrement master IRP cannot be touched except if count == 1.
//
count = IopInterlockedDecrementUlong( LockQueueIoDatabaseLock,
&masterIrp->AssociatedIrp.IrpCount );
//
// Deallocate this packet and any MDLs that are associated with it
// by either doing direct deallocations if they were allocated from
// a zone or by queueing the packet to a thread to perform the
// deallocation.
//
// Also, check the count of the master IRP to determine whether or not
// the count has gone to zero. If not, then simply get out of here.
// Otherwise, complete the master packet.
//
IopFreeIrpAndMdls( Irp );
if (count == 1) {
IoCompleteRequest( masterIrp, PriorityBoost );
}
return;
}
//
// Check to see if we have a name junction. If so set the stage to
// transmogrify the reparse point data in IopCompleteRequest.
//
if ((Irp->IoStatus.Status == STATUS_REPARSE ) &&
(Irp->IoStatus.Information > IO_REPARSE_TAG_RESERVED_RANGE)) {
if (Irp->IoStatus.Information == IO_REPARSE_TAG_MOUNT_POINT) {
//
// For name junctions, we save the pointer to the auxiliary
// buffer and use it below.
//
ASSERT( Irp->Tail.Overlay.AuxiliaryBuffer != NULL );
saveAuxiliaryPointer = (PVOID) Irp->Tail.Overlay.AuxiliaryBuffer;
//
// We NULL the entry to avoid its de-allocation at this time.
// This buffer get deallocated in IopDoNameTransmogrify
//
Irp->Tail.Overlay.AuxiliaryBuffer = NULL;
} else {
//
// Fail the request. A driver needed to act on this IRP prior
// to getting to this point.
//
Irp->IoStatus.Status = STATUS_IO_REPARSE_TAG_NOT_HANDLED;
}
}
//
// Check the auxiliary buffer pointer in the packet and if a buffer was
// allocated, deallocate it now. Note that this buffer must be freed
// here since the pointer is overlayed with the APC that will be used
// to get to the requesting thread's context.
//
if (Irp->Tail.Overlay.AuxiliaryBuffer) {
ExFreePool( Irp->Tail.Overlay.AuxiliaryBuffer );
Irp->Tail.Overlay.AuxiliaryBuffer = NULL;
}
//
// Check to see if this is paging I/O or a close operation. If either,
// then special processing must be performed. The reasons that special
// processing must be performed is different based on the type of
// operation being performed. The biggest reasons for special processing
// on paging operations are that using a special kernel APC for an in-
// page operation cannot work since the special kernel APC can incur
// another pagefault. Likewise, all paging I/O uses MDLs that belong
// to the memory manager, not the I/O system.
//
// Close operations are special because the close may have been invoked
// because of a special kernel APC (some IRP was completed which caused
// the reference count on the object to become zero while in the I/O
// system's special kernel APC routine). Therefore, a special kernel APC
// cannot be used since it cannot execute until the close APC finishes.
//
// The special steps are as follows for a synchronous paging operation
// and close are:
//
// 1. Copy the I/O status block (it is in SVAS, nonpaged).
// 2. Signal the event
// 3. If paging I/O, deallocate the IRP
//
// The special steps taken for asynchronous paging operations (out-pages)
// are as follows:
//
// 1. Initialize a special kernel APC just for page writes.
// 1. Queue the special kernel APC.
//
// It should also be noted that the logic for completing a Mount request
// operation is exactly the same as a Page Read. No assumptions should be
// made here about this being a Page Read operation w/o carefully checking
// to ensure that they are also true for a Mount. That is:
//
// IRP_PAGING_IO and IRP_MOUNT_COMPLETION
//
// are the same flag in the IRP.
//
// Also note that the last time the IRP is touched for a close operation
// must be just before the event is set to the signaled state. Once this
// occurs, the IRP can be deallocated by the thread waiting for the event.
//
//
// IRP_CLOSE_OPERATION and IRP_SET_USER_EVENT are the same flags. They both indicate
// that only the user event field should be set and no APC should be queued. Unfortunately
// IRP_CLOSE_OPERATION is used by some drivers to do exactly this so it cannot be renamed.
//
//
if (Irp->Flags & (IRP_PAGING_IO | IRP_CLOSE_OPERATION |IRP_SET_USER_EVENT)) {
if (Irp->Flags & (IRP_SYNCHRONOUS_PAGING_IO | IRP_CLOSE_OPERATION |IRP_SET_USER_EVENT)) {
ULONG flags;
flags = Irp->Flags & (IRP_SYNCHRONOUS_PAGING_IO|IRP_PAGING_IO);
*Irp->UserIosb = Irp->IoStatus;
(VOID) KeSetEvent( Irp->UserEvent, PriorityBoost, FALSE );
if (flags) {
if (IopIsReserveIrp(Irp)) {
IopFreeReserveIrp(PriorityBoost);
} else {
IoFreeIrp( Irp );
}
}
} else {
thread = Irp->Tail.Overlay.Thread;
KeInitializeApc( &Irp->Tail.Apc,
&thread->Tcb,
Irp->ApcEnvironment,
IopCompletePageWrite,
(PKRUNDOWN_ROUTINE) NULL,
(PKNORMAL_ROUTINE) NULL,
KernelMode,
(PVOID) NULL );
(VOID) KeInsertQueueApc( &Irp->Tail.Apc,
(PVOID) NULL,
(PVOID) NULL,
PriorityBoost );
}
return;
}
//
// Check to see whether any pages need to be unlocked.
//
if (Irp->MdlAddress != NULL) {
//
// Unlock any pages that may be described by MDLs.
//
mdl = Irp->MdlAddress;
while (mdl != NULL) {
MmUnlockPages( mdl );
mdl = mdl->Next;
}
}
//
// Make a final check here to determine whether or not this is a
// synchronous I/O operation that is being completed in the context
// of the original requestor. If so, then an optimal path through
// I/O completion can be taken.
//
// !Irp->PendingReturned 没有SL_PENDING_RETURNED,则是同步完成的,直接返回,无需等待。算是个优化。
if (Irp->Flags & IRP_DEFER_IO_COMPLETION && !Irp->PendingReturned) {
if ((Irp->IoStatus.Status == STATUS_REPARSE ) &&
(Irp->IoStatus.Information == IO_REPARSE_TAG_MOUNT_POINT)) {
//
// For name junctions we reinstate the address of the appropriate
// buffer. It is freed in parse.c
//
Irp->Tail.Overlay.AuxiliaryBuffer = saveAuxiliaryPointer;
}
return;
}
//
// Finally, initialize the IRP as an APC structure and queue the special
// kernel APC to the target thread.
//
thread = Irp->Tail.Overlay.Thread;//当前进程
fileObject = Irp->Tail.Overlay.OriginalFileObject;
if (!Irp->Cancel) {
KeInitializeApc( &Irp->Tail.Apc,
&thread->Tcb,
Irp->ApcEnvironment,
IopCompleteRequest,
IopAbortRequest,
(PKNORMAL_ROUTINE) NULL,
KernelMode,
(PVOID) NULL );
(VOID) KeInsertQueueApc( &Irp->Tail.Apc,
fileObject,
(PVOID) saveAuxiliaryPointer,
PriorityBoost );
} else {
//
// This request has been cancelled. Ensure that access to the thread
// is synchronized, otherwise it may go away while attempting to get
// through the remainder of completion for this request. This happens
// when the thread times out waiting for the request to be completed
// once it has been cancelled.
//
// Note that it is safe to capture the thread pointer above, w/o having
// the lock because the cancel flag was not set at that point, and
// the code that disassociates IRPs must set the flag before looking to
// see whether or not the packet has been completed, and this packet
// will appear to be completed because it no longer belongs to a driver.
//
irql = KeAcquireQueuedSpinLock( LockQueueIoCompletionLock );
thread = Irp->Tail.Overlay.Thread;
if (thread) {
// 将IopCompleteRequest排队到线程的APC队列中。在其里面进行SetEvent等一些完成处理。
KeInitializeApc( &Irp->Tail.Apc,
&thread->Tcb,
Irp->ApcEnvironment,
IopCompleteRequest,
IopAbortRequest,
(PKNORMAL_ROUTINE) NULL,
KernelMode,
(PVOID) NULL );
(VOID) KeInsertQueueApc( &Irp->Tail.Apc,
fileObject,
(PVOID) saveAuxiliaryPointer,
PriorityBoost );
KeReleaseQueuedSpinLock( LockQueueIoCompletionLock, irql );
} else {
//
// This request has been aborted from completing in the caller's
// thread. This can only occur if the packet was cancelled, and
// the driver did not complete the request, so it was timed out.
// Attempt to drop things on the floor, since the originating thread
// has probably exited at this point.
//
KeReleaseQueuedSpinLock( LockQueueIoCompletionLock, irql );
ASSERT( Irp->Cancel );
//
// Drop the IRP on the floor.
//
IopDropIrp( Irp, fileObject );
}
}
}
VOID
IopCompleteRequest(
IN PKAPC Apc,
IN PKNORMAL_ROUTINE *NormalRoutine,
IN PVOID *NormalContext,
IN PVOID *SystemArgument1,
IN PVOID *SystemArgument2
)
/*++
Routine Description:
This routine executes as a special kernel APC routine in the context of
the thread which originally requested the I/O operation which is now
being completed.
This routine performs the following tasks:
o A check is made to determine whether the specified request ended
with an error status. If so, and the error code qualifies as one
which should be reported to an error port, then an error port is
looked for in the thread/process. If one exists, then this routine
will attempt to set up an LPC to it. Otherwise, it will attempt to
set up an LPC to the system error port.
o Copy buffers.
o Free MDLs.
o Copy I/O status.
o Set event, if any and dereference if appropriate.
o Dequeue the IRP from the thread queue as pending I/O request.
o Queue APC to thread, if any.
o If no APC is to be queued, then free the packet now.
Arguments:
Apc - Supplies a pointer to kernel APC structure.
NormalRoutine - Supplies a pointer to a pointer to the normal function
that was specified when the APC was initialized.
NormalContext - Supplies a pointer to a pointer to an arbitrary data
structure that was specified when the APC was initialized.
SystemArgument1 - Supplies a pointer to an argument that contains the
address of the original file object for this I/O operation.
SystemArgument2 - Supplies a pointer to an argument that contains an
argument that is used by this routine only in the case of STATUS_REPARSE.
Return Value:
None.
--*/
{
#define SynchronousIo( Irp, FileObject ) ( \
(Irp->Flags & IRP_SYNCHRONOUS_API) || \
(FileObject == NULL ? 0 : FileObject->Flags & FO_SYNCHRONOUS_IO) )
PIRP irp;
PMDL mdl, nextMdl;
PETHREAD thread;
PFILE_OBJECT fileObject;
NTSTATUS status;
UNREFERENCED_PARAMETER( NormalRoutine );
UNREFERENCED_PARAMETER( NormalContext );
//
// Begin by getting the address of the I/O Request Packet. Also, get
// the address of the current thread and the address of the original file
// object for this I/O operation.
//
irp = CONTAINING_RECORD( Apc, IRP, Tail.Apc ); // 得到IRP,设置的时候设置的是&Irp->Tail.Apc,即Irp->Tail.Apc中的地址。所以反推了回来。
thread = PsGetCurrentThread();
fileObject = (PFILE_OBJECT) *SystemArgument1;
IOVP_COMPLETE_REQUEST(Apc, SystemArgument1, SystemArgument2);
//
// Ensure that the packet is not being completed with a minus one. This
// is apparently a common problem in some drivers, and has no meaning
// as a status code.
//
ASSERT( irp->IoStatus.Status != 0xffffffff );
//
// See if we need to do the name transmogrify work.
//
if ( *SystemArgument2 != NULL ) {
PREPARSE_DATA_BUFFER reparseBuffer = NULL;
//
// The IO_REPARSE_TAG_MOUNT_POINT tag needs attention.
//
if ( irp->IoStatus.Status == STATUS_REPARSE &&
irp->IoStatus.Information == IO_REPARSE_TAG_MOUNT_POINT ) {
reparseBuffer = (PREPARSE_DATA_BUFFER) *SystemArgument2;
ASSERT( reparseBuffer->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT );
ASSERT( reparseBuffer->ReparseDataLength < MAXIMUM_REPARSE_DATA_BUFFER_SIZE );
ASSERT( reparseBuffer->Reserved < MAXIMUM_REPARSE_DATA_BUFFER_SIZE );
IopDoNameTransmogrify( irp,
fileObject,
reparseBuffer );
}
}
//
// Check to see whether there is any data in a system buffer which needs
// to be copied to the caller's buffer. If so, copy the data and then
// free the system buffer if necessary.
//
if (irp->Flags & IRP_BUFFERED_IO) {
//
// Copy the data if this was an input operation. Note that no copy
// is performed if the status indicates that a verify operation is
// required, or if the final status was an error-level severity.
//
if (irp->Flags & IRP_INPUT_OPERATION &&
irp->IoStatus.Status != STATUS_VERIFY_REQUIRED &&
!NT_ERROR( irp->IoStatus.Status )) {
//
// Copy the information from the system buffer to the caller's
// buffer. This is done with an exception handler in case
// the operation fails because the caller's address space
// has gone away, or it's protection has been changed while
// the service was executing.
//
status = STATUS_SUCCESS;
try {
RtlCopyMemory( irp->UserBuffer,
irp->AssociatedIrp.SystemBuffer,
irp->IoStatus.Information );
} except(IopExceptionFilter(GetExceptionInformation(), &status)) {
//
// An exception occurred while attempting to copy the
// system buffer contents to the caller's buffer. Set
// a new I/O completion status.
// If the status is a special one set by Mm then we need to
// return here and the operation will be retried in
// IoRetryIrpCompletions.
//
if (status == STATUS_MULTIPLE_FAULT_VIOLATION) {
irp->Tail.Overlay.OriginalFileObject = fileObject; /* Wiped out by APC overlay */
irp->Flags |= IRP_RETRY_IO_COMPLETION;
return;
}
irp->IoStatus.Status = GetExceptionCode();
}
}
//
// Free the buffer if needed.
//
if (irp->Flags & IRP_DEALLOCATE_BUFFER) {
ExFreePool( irp->AssociatedIrp.SystemBuffer );
}
}
irp->Flags &= ~(IRP_DEALLOCATE_BUFFER|IRP_BUFFERED_IO);
//
// If there is an MDL (or MDLs) associated with this I/O request,
// Free it (them) here. This is accomplished by walking the MDL list
// hanging off of the IRP and deallocating each MDL encountered.
//
if (irp->MdlAddress) {
for (mdl = irp->MdlAddress; mdl != NULL; mdl = nextMdl) {
nextMdl = mdl->Next;
IoFreeMdl( mdl );
}
}
irp->MdlAddress = NULL;
//
// Check to see whether or not the I/O operation actually completed. If
// it did, then proceed normally. Otherwise, cleanup everything and get
// out of here.
//
if (!NT_ERROR( irp->IoStatus.Status ) ||
(NT_ERROR( irp->IoStatus.Status ) &&
irp->PendingReturned &&
!SynchronousIo( irp, fileObject ))) {
PVOID port = NULL;
PVOID key = NULL;
BOOLEAN createOperation = FALSE;
//
// If there is an I/O completion port object associated w/this request,
// save it here so that the file object can be dereferenced.
//
if (fileObject && fileObject->CompletionContext) {
port = fileObject->CompletionContext->Port;
key = fileObject->CompletionContext->Key;
}
//
// Copy the I/O status from the IRP into the caller's I/O status
// block. This is done using an exception handler in case the caller's
// virtual address space for the I/O status block was deleted or
// its protection was changed to readonly. Note that if the I/O
// status block cannot be written, the error is simply ignored since
// there is no way to tell the caller that something went wrong.
// This is, of course, by definition, since the I/O status block
// is where the caller will attempt to look for errors in the first
// place!
//
status = STATUS_SUCCESS;
try {
//
// Since HasOverlappedIoCompleted and GetOverlappedResult only
// look at the Status field of the UserIosb to determine if the
// IRP has completed, the Information field must be written
// before the Status field.
//
#if defined(_WIN64)
PIO_STATUS_BLOCK32 UserIosb32;
//
// If the caller passes a 32 bit IOSB the ApcRoutine has the LSB set to 1
//
if (IopIsIosb32(irp->Overlay.AsynchronousParameters.UserApcRoutine)) {
UserIosb32 = (PIO_STATUS_BLOCK32)irp->UserIosb;
UserIosb32->Information = (ULONG)irp->IoStatus.Information;
KeMemoryBarrierWithoutFence ();
*((volatile NTSTATUS *) &UserIosb32->Status) = irp->IoStatus.Status;
} else {
irp->UserIosb->Information = irp->IoStatus.Information;
KeMemoryBarrierWithoutFence ();
*((volatile NTSTATUS *) &irp->UserIosb->Status) = irp->IoStatus.Status;
}
#else
irp->UserIosb->Information = irp->IoStatus.Information;
KeMemoryBarrierWithoutFence ();
*((volatile NTSTATUS *) &irp->UserIosb->Status) = irp->IoStatus.Status;
#endif /*_WIN64 */
} except(IopExceptionFilter(GetExceptionInformation(), &status)) {
//
// An exception was incurred attempting to write the caller's
// I/O status block. Simply continue executing as if nothing
// ever happened since nothing can be done about it anyway.
// If the status is a multiple fault status, this is a special
// status sent by the Memory manager. Mark the IRP and return from
// this routine. Mm will call us back later and we will retry this
// operation (IoRetryIrpCompletions)
//
if (status == STATUS_MULTIPLE_FAULT_VIOLATION) {
irp->Tail.Overlay.OriginalFileObject = fileObject; /* Wiped out by APC overlay */
irp->Flags |= IRP_RETRY_IO_COMPLETION;
return;
}
}
//
// Determine whether the caller supplied an event that needs to be set
// to the Signaled state. If so, then set it; otherwise, set the event
// in the file object to the Signaled state.
//
// It is possible for the event to have been specified as a PKEVENT if
// this was an I/O operation hand-built for an FSP or an FSD, or
// some other types of operations such as synchronous I/O APIs. In
// any of these cases, the event was not referenced since it is not an
// object manager event, so it should not be dereferenced.
//
// Also, it is possible for there not to be a file object for this IRP.
// This occurs when an FSP is doing I/O operations to a device driver on
// behalf of a process doing I/O to a file. The file object cannot be
// dereferenced if this is the case. If this operation was a create
// operation then the object should not be dereferenced either. This
// is because the reference count must be one or it will go away for
// the caller (not much point in making an object that just got created
// go away).
//
// 这是SetEvent:irp->UserEvent || fileObject。irp->UserEvent由用户传入,fileObject为deviceobject对应的。
// 同步的时候使用。
if (irp->UserEvent) {
(VOID) KeSetEvent( irp->UserEvent, 0, FALSE );
if (fileObject) {
if (!(irp->Flags & IRP_SYNCHRONOUS_API)) {
ObDereferenceObject( irp->UserEvent );
}
if (fileObject->Flags & FO_SYNCHRONOUS_IO && !(irp->Flags & IRP_OB_QUERY_NAME)) {
(VOID) KeSetEvent( &fileObject->Event, 0, FALSE );
fileObject->FinalStatus = irp->IoStatus.Status;
}
if (irp->Flags & IRP_CREATE_OPERATION) {
createOperation = TRUE;
irp->Overlay.AsynchronousParameters.UserApcRoutine = (PIO_APC_ROUTINE) NULL;
}
}
} else if (fileObject) {
(VOID) KeSetEvent( &fileObject->Event, 0, FALSE );
fileObject->FinalStatus = irp->IoStatus.Status;
if (irp->Flags & IRP_CREATE_OPERATION) {
createOperation = TRUE;
irp->Overlay.AsynchronousParameters.UserApcRoutine = (PIO_APC_ROUTINE) NULL;
}
}
//
// If this is normal I/O, update the transfer count for this process.
//
if (!(irp->Flags & IRP_CREATE_OPERATION)) {
if (irp->Flags & IRP_READ_OPERATION) {
IopUpdateReadTransferCount( (ULONG) irp->IoStatus.Information );
} else if (irp->Flags & IRP_WRITE_OPERATION) {
IopUpdateWriteTransferCount( (ULONG) irp->IoStatus.Information );
} else {
//
// If the information field contains a pointer then skip the update.
// Some PNP IRPs contain this.
//
if (!((ULONG_PTR) irp->IoStatus.Information & IopKernelPointerBit)) {
IopUpdateOtherTransferCount( (ULONG) irp->IoStatus.Information );
}
}
}
//
// Dequeue the packet from the thread's pending I/O request list.
//
IopDequeueThreadIrp( irp );
//
// If the caller requested an APC, queue it to the thread. If not, then
// simply free the packet now.
//
#ifdef _WIN64
//
// For 64 bit systems clear the LSB field of the ApcRoutine that indicates whether
// the IOSB is a 32 bit IOSB or a 64 bit IOSB.
//
irp->Overlay.AsynchronousParameters.UserApcRoutine =
(PIO_APC_ROUTINE)((LONG_PTR)(irp->Overlay.AsynchronousParameters.UserApcRoutine) & ~1);
#endif
if (irp->Overlay.AsynchronousParameters.UserApcRoutine) {
KeInitializeApc( &irp->Tail.Apc,
&thread->Tcb,
CurrentApcEnvironment,
IopUserCompletion,
(PKRUNDOWN_ROUTINE) IopUserRundown,
(PKNORMAL_ROUTINE) irp->Overlay.AsynchronousParameters.UserApcRoutine,
irp->RequestorMode,
irp->Overlay.AsynchronousParameters.UserApcContext );
KeInsertQueueApc( &irp->Tail.Apc,
irp->UserIosb,
NULL,
2 );
} else if (port && irp->Overlay.AsynchronousParameters.UserApcContext) {
//
// If there is a completion context associated w/this I/O operation,
// send the message to the port. Tag completion packet as an Irp.
//
irp->Tail.CompletionKey = key;
irp->Tail.Overlay.PacketType = IopCompletionPacketIrp;
KeInsertQueue( (PKQUEUE) port,
&irp->Tail.Overlay.ListEntry );
} else {
//
// Free the IRP now since it is no longer needed.
//
IoFreeIrp( irp );
}
if (fileObject && !createOperation) {
//
// Dereference the file object now.
//
ObDereferenceObjectDeferDelete( fileObject );
}
} else {
if (irp->PendingReturned && fileObject) {
//
// This is an I/O operation that completed as an error for
// which a pending status was returned and the I/O operation
// is synchronous. For this case, the I/O system is waiting
// on behalf of the caller. If the reason that the I/O was
// synchronous is that the file object was opened for synchronous
// I/O, then the event associated with the file object is set
// to the signaled state. If the I/O operation was synchronous
// because this is a synchronous API, then the event is set to
// the signaled state.
//
// Note also that the status must be returned for both types
// of synchronous I/O. If this is a synchronous API, then the
// I/O system supplies its own status block so it can simply
// be written; otherwise, the I/O system will obtain the final
// status from the file object itself.
//
if (irp->Flags & IRP_SYNCHRONOUS_API) {
*irp->UserIosb = irp->IoStatus;
if (irp->UserEvent) {
(VOID) KeSetEvent( irp->UserEvent, 0, FALSE );
} else {
(VOID) KeSetEvent( &fileObject->Event, 0, FALSE );
}
} else {
fileObject->FinalStatus = irp->IoStatus.Status;
(VOID) KeSetEvent( &fileObject->Event, 0, FALSE );
}
}
//
// The operation was incomplete. Perform the general cleanup. Note
// that everything is basically dropped on the floor without doing
// anything. That is:
//
// IoStatusBlock - Do nothing.
// Event - Dereference without setting to Signaled state.
// FileObject - Dereference without setting to Signaled state.
// ApcRoutine - Do nothing.
//
if (fileObject) {
if (!(irp->Flags & IRP_CREATE_OPERATION)) {
ObDereferenceObjectDeferDelete( fileObject );
}
}
if (irp->UserEvent &&
fileObject &&
!(irp->Flags & IRP_SYNCHRONOUS_API)) {
ObDereferenceObject( irp->UserEvent );
}
IopDequeueThreadIrp( irp );
IoFreeIrp( irp );
}
}
IRP对应一个IO堆栈,堆栈的层数是要传递的设备的栈的数目。每层栈对应一个IO栈,但这种对应并不需要层层对应,如本层可以使用上层对应的,也没有关系,所以有宏:
#define IoSkipCurrentIrpStackLocation( Irp ) { \
(Irp)->CurrentLocation++; \
(Irp)->Tail.Overlay.CurrentStackLocation++; }
++后,在IoCallDriver再--,等于没变,等于让下层驱动使用本层的IO堆栈。
说实话,微软的内核里很多函数真长啊。翻几页。。。