Notes

1. The main purpose of the I/O stack is to hold the function code and the parameters of an I/O request.

2. How IoCopyCurrentIrpStackLocationToNext and IoSkipCurrentIrpStackLocation differ in use:

A driver calls IoCopyCurrentIrpStackLocationToNext to copy the IRP parameters from its stack location to the next-lower driver's stack location.

After calling this routine, a driver typically sets an I/O completion routine with IoSetCompletionRoutine before passing the IRP to the next-lower driver with IoCallDriver. Drivers that pass on their IRP parameters but do not set an I/O completion routine should call IoSkipCurrentIrpStackLocation instead of this routine.

 

For now I still don't know what an I/O completion routine is for; I'll grit my teeth and keep going.

 

3. My current understanding is that the role of IO_STACK_LOCATION is to hold the information for an IRP when it is passed to the next-lower driver.
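The copy/skip distinction in note 2 and the role of the stack location in note 3, as an added example that is not from the original notes: a user-mode C model of an IRP stack, not WDK code. The lower-case function names, the three-slot stack and the sample values are assumptions made for illustration; each comment names the kernel routine being modeled.

```c
/* User-mode model of an IRP's I/O stack; constructed for illustration, not WDK code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define STACK_SIZE 3
typedef struct Irp Irp;
typedef void (*Completion)(Irp *irp, void *ctx);
typedef struct {
    unsigned char major;    /* function code, e.g. 3 = IRP_MJ_READ */
    unsigned long length;   /* request parameter */
    Completion routine;     /* set by the driver one level above */
    void *context;
} StackLocation;
struct Irp { StackLocation stack[STACK_SIZE]; int current; };
static StackLocation *next_slot(Irp *irp) { return &irp->stack[irp->current - 1]; }
/* IoCopyCurrentIrpStackLocationToNext: copy the parameters, not the routine. */
static void copy_current_to_next(Irp *irp) {
    memcpy(next_slot(irp), &irp->stack[irp->current], offsetof(StackLocation, routine));
    next_slot(irp)->routine = NULL;   /* the real macro clears Control instead */
}
/* IoSkipCurrentIrpStackLocation: cancel out the step IoCallDriver will take. */
static void skip_current(Irp *irp) { irp->current++; }
/* IoSetCompletionRoutine: the routine is stored in the NEXT-lower slot. */
static void set_completion(Irp *irp, Completion r, void *ctx) {
    next_slot(irp)->routine = r; next_slot(irp)->context = ctx;
}
/* IoCallDriver: make the next-lower slot current. */
static void call_driver(Irp *irp) { irp->current--; }
/* IoCompleteRequest: walk back up the stack, calling each registered routine. */
static void complete_request(Irp *irp) {
    for (int i = irp->current; i < STACK_SIZE; i++)
        if (irp->stack[i].routine) irp->stack[i].routine(irp, irp->stack[i].context);
}
static void count_hit(Irp *irp, void *ctx) { (void)irp; ++*(int *)ctx; }
/* A filter passes the IRP down; returns the slot the lower driver ends up using. */
int pass_down(Irp *irp, int want_completion, int *hits) {
    if (want_completion) { copy_current_to_next(irp); set_completion(irp, count_hit, hits); }
    else skip_current(irp);
    call_driver(irp);
    int lower = irp->current;   /* slot the lower driver reads its parameters from */
    complete_request(irp);      /* the lower driver finishes the request */
    return lower;
}
int main(void) {
    Irp a = { .stack[2] = { .major = 3, .length = 512 }, .current = 2 }, b = a;
    int hits = 0, sa = pass_down(&a, 1, &hits), sb = pass_down(&b, 0, &hits);
    printf("copy: slot %d, skip: slot %d, completion hits: %d\n", sa, sb, hits);
    return 0;
}
```

On the copy path the lower driver reads its own slot and the filter's routine runs when the request completes; on the skip path the lower driver reuses the filter's slot and no code of the filter runs afterwards.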

 

4. Debug builds in VC generate a jump table.

5. On x86 Pentium II processors and higher, Windows uses the special sysenter instruction,
which Intel defined specifically for fast system service dispatches. To support the instruction,
Windows stores at boot time the address of the kernel’s system service dispatcher routine in a
machine specific register (MSR) associated with the instruction. The execution of the instruction
causes the change to kernel mode and execution of the system service dispatcher. The system
service number is passed in the EAX processor register and the EDX register points to the list of
caller arguments. To return to user mode, the system service dispatcher usually executes the
sysexit instruction. (In some cases, like when the single-step flag is enabled on the processor, the
system service dispatcher uses the iretd instead because stepping over a sysexit instruction with
the kernel debugger would result in an undefined system state leading to a crash.)

6. The PEB of the System process is NULL.
