IO_STACK_LOCATION

最新推荐文章于 2023-06-04 23:30:44 发布
转载 最新推荐文章于 2023-06-04 23:30:44 发布 · 916 阅读 · 0
文章标签:

#IO_STACK_LOCATION #IRP #IRP_MJ_READ #IRP_MJ_WRITE

IO_STACK_LOCATION

转载自MSDN库:http://msdn.microsoft.com/zh-cn/library/ff550659(v=vs.85).aspx

The IO_STACK_LOCATION structure defines an I/O stack location, which is an entry in the I/O stack that is associated with each IRP. Each I/O stack location in an IRP has some common members and some request-type-specific members.

typedef struct _IO_STACK_LOCATION {
  UCHAR  MajorFunction;
  UCHAR  MinorFunction;
  UCHAR  Flags;
  UCHAR  Control;
  union {
        //
        // Parameters for IRP_MJ_CREATE 
        //
        struct {
            PIO_SECURITY_CONTEXT  SecurityContext;
            ULONG  Options;
            USHORT POINTER_ALIGNMENT  FileAttributes;
            USHORT  ShareAccess;
            ULONG POINTER_ALIGNMENT  EaLength;
        } Create;
        //
        // Parameters for IRP_MJ_READ 
        //
        struct {
            ULONG  Length;
            ULONG POINTER_ALIGNMENT  Key;
            LARGE_INTEGER  ByteOffset;
        } Read;
        //
        // Parameters for IRP_MJ_WRITE 
        //
        struct {
            ULONG  Length;
            ULONG POINTER_ALIGNMENT  Key;
            LARGE_INTEGER  ByteOffset;
        } Write;
        //
        // Parameters for IRP_MJ_QUERY_INFORMATION 
        //
        struct {
            ULONG  Length;
            FILE_INFORMATION_CLASS POINTER_ALIGNMENT  FileInformationClass;
        } QueryFile;
        //
        // Parameters for IRP_MJ_SET_INFORMATION 
        //
        struct {
            ULONG  Length;
            FILE_INFORMATION_CLASS POINTER_ALIGNMENT  FileInformationClass;
            PFILE_OBJECT  FileObject;
            union {
                struct {
                    BOOLEAN  ReplaceIfExists;
                    BOOLEAN  AdvanceOnly;
                };
                ULONG  ClusterCount;
                HANDLE  DeleteHandle;
            };
        } SetFile;
        //
        // Parameters for IRP_MJ_QUERY_VOLUME_INFORMATION 
        //
        struct {
            ULONG  Length;
            FS_INFORMATION_CLASS POINTER_ALIGNMENT  FsInformationClass;
        } QueryVolume;
        //
        // Parameters for IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL 
        //
        struct {
            ULONG  OutputBufferLength;
            ULONG POINTER_ALIGNMENT  InputBufferLength;
            ULONG POINTER_ALIGNMENT  IoControlCode;
            PVOID  Type3InputBuffer;
        } DeviceIoControl;
        //
        // Nonsystem service parameters.
        //
        // Parameters for IRP_MN_MOUNT_VOLUME 
        //
        struct {
            PVOID  DoNotUse1;
            PDEVICE_OBJECT  DeviceObject;
        } MountVolume;
        //
        // Parameters for IRP_MN_VERIFY_VOLUME 
        //
        struct {
            PVOID  DoNotUse1;
            PDEVICE_OBJECT  DeviceObject;
        } VerifyVolume;
        //
        // Parameters for Scsi using IRP_MJ_INTERNAL_DEVICE_CONTROL 
        //
        struct {
            struct _SCSI_REQUEST_BLOCK  *Srb;
        } Scsi;
        //
        // Parameters for IRP_MN_QUERY_DEVICE_RELATIONS 
        //
        struct {
            DEVICE_RELATION_TYPE  Type;
        } QueryDeviceRelations;
        //
        // Parameters for IRP_MN_QUERY_INTERFACE 
        //
        struct {
            CONST GUID  *InterfaceType;
            USHORT  Size;
            USHORT  Version;
            PINTERFACE  Interface;
            PVOID  InterfaceSpecificData;
        } QueryInterface;
        //
        // Parameters for IRP_MN_QUERY_CAPABILITIES 
        //
        struct {
            PDEVICE_CAPABILITIES  Capabilities;
        } DeviceCapabilities;
        //
        // Parameters for IRP_MN_FILTER_RESOURCE_REQUIREMENTS 
        //
        struct {
            PIO_RESOURCE_REQUIREMENTS_LIST  IoResourceRequirementList;
        } FilterResourceRequirements;
        //
        // Parameters for IRP_MN_READ_CONFIG and IRP_MN_WRITE_CONFIG 
        //
        struct {
            ULONG  WhichSpace;
            PVOID  Buffer;
            ULONG  Offset;
            ULONG  POINTER_ALIGNMENT Length;
        } ReadWriteConfig;
        //
        // Parameters for IRP_MN_SET_LOCK 
        //
        struct {
            BOOLEAN  Lock;
        } SetLock;
        //
        // Parameters for IRP_MN_QUERY_ID 
        //
        struct {
            BUS_QUERY_ID_TYPE  IdType;
        } QueryId;
        //
        // Parameters for IRP_MN_QUERY_DEVICE_TEXT 
        //
        struct {
            DEVICE_TEXT_TYPE  DeviceTextType;
            LCID POINTER_ALIGNMENT  LocaleId;
        } QueryDeviceText;
        //
        // Parameters for IRP_MN_DEVICE_USAGE_NOTIFICATION 
        //
        struct {
            BOOLEAN  InPath;
            BOOLEAN  Reserved[3];
            DEVICE_USAGE_NOTIFICATION_TYPE POINTER_ALIGNMENT Type;
        } UsageNotification;
        //
        // Parameters for IRP_MN_WAIT_WAKE 
        //
        struct {
            SYSTEM_POWER_STATE  PowerState;
        } WaitWake;
        //
        // Parameter for IRP_MN_POWER_SEQUENCE 
        //
        struct {
            PPOWER_SEQUENCE  PowerSequence;
        } PowerSequence;
        //
        // Parameters for IRP_MN_SET_POWER and IRP_MN_QUERY_POWER 
        //
#if (NTDDI_VERSION >= NTDDI_VISTA)
        struct {
            union {
                ULONG  SystemContext;
                SYSTEM_POWER_STATE_CONTEXT  SystemPowerStateContext;
            };
            POWER_STATE_TYPE POINTER_ALIGNMENT  Type;
            POWER_STATE POINTER_ALIGNMENT  State;
            POWER_ACTION POINTER_ALIGNMENT  ShutdownType;
        } Power;
#else
        struct {
            ULONG  SystemContext;
            POWER_STATE_TYPE POINTER_ALIGNMENT  Type;
            POWER_STATE POINTER_ALIGNMENT  State;
            POWER_ACTION POINTER_ALIGNMENT  ShutdownType;
        } Power;
#endif
        //
        // Parameters for IRP_MN_START_DEVICE 
        //
        struct {
            PCM_RESOURCE_LIST  AllocatedResources;
            PCM_RESOURCE_LIST  AllocatedResourcesTranslated;
        } StartDevice;
        //
        // Parameters for WMI Minor IRPs 
        //
        struct {
            ULONG_PTR  ProviderId;
            PVOID  DataPath;
            ULONG  BufferSize;
            PVOID  Buffer;
        } WMI;
        //
        // Others - driver-specific
        //
        struct {
            PVOID  Argument1;
            PVOID  Argument2;
            PVOID  Argument3;
            PVOID  Argument4;
        } Others;
    } Parameters;
  PDEVICE_OBJECT  DeviceObject;
  PFILE_OBJECT  FileObject;
  .
  .
  .
} IO_STACK_LOCATION, *PIO_STACK_LOCATION;

Members

MajorFunction

The IRP major function code indicating the type of I/O operation to be performed.

MinorFunction

A subfunction code for MajorFunction. The PnP manager, the power manager, file system drivers, and SCSI class drivers set this member for some requests.

Flags

Request-type-specific values used almost exclusively by file system drivers. Removable-media device drivers check whether this member is set with SL_OVERRIDE_VERIFY_VOLUME for read requests to determine whether to continue the read operation even if the device object's Flags is set with DO_VERIFY_VOLUME. Intermediate drivers layered over a removable-media device driver must copy this member into the I/O stack location of the next-lower driver in all incoming IRP_MJ_READ requests.

Control

Drivers can check this member to determine whether it is set with SL_PENDING_RETURNED. Drivers have read-only access to this member.

Parameters

A union that depends on the major and minor IRP function code values contained in MajorFunction and MinorFunction. The following table shows which IRPs use the individual members of the Parameters union.

Member nameIRPs that use this member
CreateIRP_MJ_CREATE
ReadIRP_MJ_READ
WriteIRP_MJ_WRITE
QueryFileIRP_MJ_QUERY_INFORMATION
SetFileIRP_MJ_SET_INFORMATION
QueryVolumeIRP_MJ_QUERY_VOLUME_INFORMATION
DeviceIoControlIRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL
MountVolumeIRP_MN_MOUNT_VOLUME
VerifyVolumeIRP_MN_VERIFY_VOLUME
ScsiIRP_MJ_INTERNAL_DEVICE_CONTROL (SCSI)
QueryDeviceRelationsIRP_MN_QUERY_DEVICE_RELATIONS
QueryInterfaceIRP_MN_QUERY_INTERFACE
DeviceCapabilitiesIRP_MN_QUERY_CAPABILITIES
FilterResourceRequirementsIRP_MN_FILTER_RESOURCE_REQUIREMENTS
ReadWriteConfigIRP_MN_READ_CONFIG and IRP_MN_WRITE_CONFIG
SetLockIRP_MN_SET_LOCK
QueryIdIRP_MN_QUERY_ID
QueryDeviceTextIRP_MN_QUERY_DEVICE_TEXT
UsageNotificationIRP_MN_DEVICE_USAGE_NOTIFICATION
WaitWakeIRP_MN_WAIT_WAKE
PowerSequenceIRP_MN_POWER_SEQUENCE
PowerIRP_MN_SET_POWER and IRP_MN_QUERY_POWER
StartDeviceIRP_MN_START_DEVICE
WMIWMI minor IRPs
OthersDriver-specific IRPs

 

For more information, see IRP Major Function Codes.

DeviceObject

A pointer to the driver-created DEVICE_OBJECT structure representing the target physical, logical, or virtual device for which this driver is to handle the IRP.

FileObject

A pointer to a FILE_OBJECT structure that represents the file object, if any, that is associated with DeviceObject pointer.

Remarks

For each IRP, there is one IO_STACK_LOCATION structure for each driver in a driver stack. Each IRP's set of I/O stack locations is appended to the IRP, following the IRP structure.

Every higher-level driver is responsible for setting up the I/O stack location for the next-lower driver in each IRP. A driver must call IoGetCurrentIrpStackLocation to get a pointer to its own stack location for each IRP. Higher-level drivers can call IoGetNextIrpStackLocation to get a pointer to the next-lower driver's stack location.

The higher-level driver must set up the stack location contents before calling IoCallDriver to pass an IRP to the lower-level driver. If the driver will pass the input IRP on to the next lower-level driver, the dispatch routine should call IoSkipCurrentIrpStackLocation or IoCopyCurrentIrpStackLocationToNext to set up the I/O stack location of the next-lower driver.

A higher-level driver's call to IoCallDriver sets the DeviceObject member to the next-lower-level driver's target device object, in the I/O stack location of the lower driver. The I/O manager passes each higher-level driver's IoCompletion routine a pointer to its own device object when the IoCompletion routine is called on completion of the IRP.

If a higher-level driver allocates IRPs to make requests of its own, its IoCompletion routine is passed a NULL DeviceObject pointer if that driver neither allocates a stack location for itself nor sets up the DeviceObject pointer in its own stack location of the newly allocated IRP.

In some cases, a higher-level driver layered over a mass-storage device driver is responsible for splitting up large transfer requests for the underlying device driver. In particular, SCSI class drivers must check the Parameters.Read.Length and Parameters.Write.Length, determine whether the size of the requested transfer exceeds the underlying HBA's transfer capabilities, and, if so, split the Length of the original request into a sequence of partial transfers to satisfy the original IRP.

关于设备栈,IO栈,IO_STACK_LOCATION----文件系统过滤驱动学习收获
tianyu的专栏 - Linux site:blog.youkuaiyun.com/wishfly
05-09 277
最近在学习文件系统过滤驱动,学习代码WDK示例sfilter,参考资料:《windows驱动开发技术详解》,《寒江独钓》,谭文的《windows文件系统过滤驱动开发教程》。在这里对我这段时间的学习做一下总结。由于我刚接触windows驱动不久,还是个菜鸟,问中所讲述的都是比较浅显的概念,所以大神请不要黑我。如果有讲的不对的地方,诚请指正,因为这对我的学习就是帮助。 操作系统中负责...
wdk tips (2): IO_STACK_LOCATION
weixin_30783629的博客
01-19 227
如前文所述,nt内核的驱动模型没有完全使用函数调用栈,而是自己山寨出来一个IO_STACK_LOCATION,里面保存了驱动调用序列。我们知道函数调用栈的push和pop都是编译器帮忙弄的,你甚至都可以在完全不了解内幕的前提下写代码,但是驱动开发不一样,调用序列要你自己去关心,何时入栈,何时出栈,栈内保留的什么内容,全部都要照顾好,否则BSOD就在前方不远等你。 与IO_STACK_L...
【驱动之二】IO_STACK_LOCATION总结
seedluo815的专栏
05-03 1087
typedef struct _IO_STACK_LOCATION { UCHAR MajorFunction; UCHAR MinorFunction; UCHAR Flags; UCHAR Control; union { // // Parameters for IRP_MJ_CREATE // s
IRPIO_STACK_LOCATION
02-18
window驱动开发中关于IRPIO_STACK_LOCATION之间的关系分析
IO_STACK_LOCATION — I/O堆栈
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
06-17 749
I/O堆栈    任何内核模式程序在创建一个IRP时,同时还创建了一个与之关联的 IO_STACK_LOCATION 结构数组:数组中的每个堆栈单元都对应一个将处理该IRP的驱动程序,另外还有一个堆栈单元供IRP的创建者使用(见图5-3)。堆栈单元中包含该IRP的类型代码和参数信息以及完成函数的地址。下图显示了堆栈单元的结构。    I/O堆栈单元数据结构:
/* File Kmd.cpp By WzrterFX */ #include "Kmd.h" namespace Kmd { NTSTATUS Kmd::Create(PDRIVER_OBJECT driverObject) { NTSTATUS status = STATUS_UNSUCCESSFUL; UNICODE_STRING deviceName { }; RtlInitUnicodeString(&deviceName, L"\\Device\\Kmd"); status = IoCreateDevice( driverObject, NULL, &deviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &_deviceObject ); if (!NT_SUCCESS(status)) { DbgPrintEx(0, 0, "Fatal, failed to create driver device.\n" ); return status; } UNICODE_STRING symbolicLink { }; RtlInitUnicodeString(&symbolicLink, L"\\DosDevices\\Kmd"); status = IoCreateSymbolicLink(&symbolicLink, &deviceName); if (!NT_SUCCESS(status)) { DbgPrintEx(0, 0, "Fatal, failed to establish driver link.\n" ); IoDeleteDevice(_deviceObject); return status; } SetFlag(_deviceObject->Flags, DO_BUFFERED_IO); driverObject->MajorFunction[IRP_MJ_CREATE] = [](PDEVICE_OBJECT, PIRP io) -> NTSTATUS { IoCompleteRequest(io, IO_NO_INCREMENT); return io->IoStatus.Status; }; driverObject->MajorFunction[IRP_MJ_CLOSE] = [](PDEVICE_OBJECT, PIRP io) -> NTSTATUS { IoCompleteRequest(io, IO_NO_INCREMENT); return io->IoStatus.Status; }; driverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &this->KmdControl; ClearFlag(_deviceObject->Flags, DO_DEVICE_INITIALIZING); return STATUS_SUCCESS; } NTSTATUS Kmd::KmdControl(PDEVICE_OBJECT, PIRP io) { NTSTATUS status = STATUS_UNSUCCESSFUL; PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(io); if (!stack) { IoCompleteRequest(io, IO_NO_INCREMENT); DbgPrintEx(0, 0, "Fatal, missing driver stack location.\n" ); return status; } PKmdRequest request = reinterpret_cast<PKmdRequest>(io->AssociatedIrp.SystemBuffer); if (!request) { IoCompleteRequest(io, IO_NO_INCREMENT); DbgPrintEx(0, 0, "Fatal, missing driver associated request.\n" ); return status; } static PEPROCESS process { }; static SIZE_T reserved { }; switch (stack->Parameters.DeviceIoControl.IoControlCode) { case ::Kmd::_IoCtls::attach: { status = ::Kmd::_NtifsApi::PsLookupProcessByProcessId( request->attachRequest.process, &process ); break; } case ::Kmd::_IoCtls::read: { if (process) { status = ::Kmd::_NtifsApi::MmCopyVirtualMemory( process, request->copyMemoryRequest.from, PsGetCurrentProcess(), request->copyMemoryRequest.to, request->copyMemoryRequest.requested, MODE::KernelMode, &reserved ); } break; } case ::Kmd::_IoCtls::write: { if (process) { status = ::Kmd::_NtifsApi::MmCopyVirtualMemory( PsGetCurrentProcess(), request->copyMemoryRequest.to, process, request->copyMemoryRequest.from, request->copyMemoryRequest.requested, MODE::KernelMode, &reserved ); } break; } default: { status = STATUS_INVALID_DEVICE_REQUEST; break; } } io->IoStatus.Status = status; io->IoStatus.Information = sizeof(KmdRequest); IoCompleteRequest(io, IO_NO_INCREMENT); return status; } }帮我全部加上注释
03-22
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(io); if (!stack) { // 栈位置验证 IoCompleteRequest(io, IO_NO_INCREMENT); DbgPrintEx(0, 0, "Fatal, missing driver stack location.\n"); ...
ULONG64 IRP_IO_修改内存属性(PIRP pirp) { PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(pirp); //获取应用层传来的参数 UINT64* 缓冲区 = (UINT64*)(pirp->AssociatedIrp.SystemBuffer); KdPrint(("yjx:%s 行号%d\n", __FUNCDNAME__, __LINE__)); if (缓冲区) { UINT32 PID = (UINT32)(UINT64)缓冲区[0]; //传入数据 PVOID pBase = (PVOID)((UINT64)缓冲区[1]); //传入数据 ULONG64 newProtect = (ULONG64)((UINT64)缓冲区[2]); //传入数据 NTSTATUS status = STATUS_SUCCESS; ULONG oldProtect; PEPROCESS Process{ 0 }; KAPC_STATE apc_state; SIZE_T protectSize = PAGE_SIZE; ULONG64 aligned_addr = (ULONG64)pBase & 0xFFFFFFFFFFFFF000; PVOID baseAddress = (PVOID)aligned_addr; status = PsLookupProcessByProcessId((HANDLE)PID, &Process); if (!NT_SUCCESS(status)) { DbgPrint("PsLookupProcessByProcessId 失败: 0x%X", status); return status; } KeStackAttachProcess(Process, &apc_state); status = ZwProtectVirtualMemory(NtCurrentProcess(), &baseAddress, &protectSize, newProtect, &oldProtect); if (!NT_SUCCESS(status)) { DbgPrint("ZwProtectVirtualMemory 失败: 0x%X", status); } KeUnstackDetachProcess(&apc_state); ObDereferenceObject(Process); pirp->IoStatus.Status = STATUS_SUCCESS; pirp->IoStatus.Information = 8;//返回给DeviceIoControl中的 倒数第二个参数lpBytesReturned IoCompleteRequest(pirp, IO_NO_INCREMENT);//调用方已完成所有I/O请求处理操作 并且不增加优先级 } } 第一次调用能成功 第二次就不行
最新发布
09-03
PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(pirp); UINT64* 缓冲区 = (UINT64*)(pirp->AssociatedIrp.SystemBuffer); if (!pirp || !pirp->AssociatedIrp.SystemBuffer) { pirp->IoStatus....
IRPIO_STACK_LOCATION
keepdoingit的专栏
07-12 3720
当一个应用程序调用函数去操作某个设备时,比如调用createFile,deviceIOControl,等等时,I/O管理器为此函数创建一个IRP数据结构对象和一个IRP_STACK_LOCATION数据结构对象数组。 (数组个数等于驱动程序堆栈上驱动的个数)。IRP对象中的数据成员是已经被填充好了的,其中有一个CurrentLocation是当前IRP_STACK_LOCATION堆栈单元的索引
IO Stack Location
猫猫不喵喵 的专栏
11-17 1566
为了驱动的构建,在IRP建立时,IO管理器给每个驱动分配一个IO堆栈区,每个IO堆栈区由 IO_STACK_LOCATION 结构组成。     IO管理器为每个IRP建立了一个IO堆栈序列,这个序列中每个IO堆栈可以给驱动使用。每个驱动拥有这个序列中的一个堆栈结构,并且 可以通过IoGetCurrentIrpStackLocation函数取得这个IO操作的详细信息。     驱动程序可以通过调用
关于windows驱动中的IO_STACK_LOCATION
要把所有那些负面的信息当做对自身行为的评价,而不是对自身价值的评判。
06-04 865
理解IO_STACK_LOCATION是驱动入门的一个重要知识点,该结构体是理解驱动工作过程的核心知识之一。闲话不多时,直接看代码,看完下面几段windows源码,你要还不能理解,直接来找我。
IO_STACK_LOCATION 结构
wuxupu的专栏
07-10 614
I/O堆栈    任何内核模式程序在创建一个IRP时,同时还创建了一个与之关联的 IO_STACK_LOCATION 结构数组:数组中的每个堆栈单元都对应一个将处理该IRP的驱动程序,另外还有一个堆栈单元供IRP的创建者使用(见图5-3)。堆栈单元中包含该IRP的类型代码和参数信息以及完成函数的地址。下图显示了堆栈单元的结构。    I/O堆栈单元数据结构:
IO_STACK_LOCATION说明
残酷な天使
04-24 1292
<br />转自http://hi.baidu.com/pinemoon/blog/item/01fa8c19fbccb7f0af513398.html<br /> <br /> <br />来自《《Rootkits:Subverting the Windows Kernel》学习笔记---第六章》<br /><br />这一章讲的是驱动程序分层。分层?呵呵,没啥,就像网络协议一样,分为一层层。其实写过程序的人都会用过“分层”写程序,把一个程序分为一层一层地实现,这是一个相当简单的概念。<br />驱动与设
IRP IO_STACK_LOCATION详解
hercs的博客
07-18 532
http://www.cnblogs.com/LittleHann/p/3450436.html
15.driverbase-IRPIO_STACK_LOCATION、文件三种读写方式(buffer/driect/other)、DeviceIoControl
hgy413的专栏
02-16 2546
IRP简介 文件读写的三种方式简介及windbg调试 DeviceIoControl与驱动交互
windows driver中的IO_STACK_LOCATION
06-30 1739
define IoSkipCurrentIrpStackLocation( Irp ) /(Irp)->CurrentLocation++; /(Irp)->Tail.Overlay.CurrentStackLocation++; #define IoCopyCurrentIrpStackLocationToNext  ( Irp )   Value:{ /    PIO_
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值