一、设备对象(DEVICE_OBJECT)
kd> dt _device_object
ntdll!_DEVICE_OBJECT
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 ReferenceCount : Int4B
+0x008 DriverObject : Ptr32 _DRIVER_OBJECT ;该设备所属的驱动对象
+0x00c NextDevice : Ptr32 _DEVICE_OBJECT ;指向下一个设备,该设备与下一个设备同属于一个驱动对象
+0x010 AttachedDevice : Ptr32 _DEVICE_OBJECT ;附加到上面的最近的设备,该附加设备一般属于对本层进行过滤的另一个驱动对象
+0x014 CurrentIrp : Ptr32 _IRP
+0x018 Timer : Ptr32 _IO_TIMER
+0x01c Flags : Uint4B ;例如DO_...
+0x020 Characteristics : Uint4B ;例如FILE_...
+0x024 Vpb : Ptr32 _VPB
+0x028 DeviceExtension : Ptr32 Void
+0x02c DeviceType : Uint4B ;设备类型FILE_DEVICE_...
+0x030 StackSize : Char
+0x034 Queue : __unnamed
+0x05c AlignmentRequirement : Uint4B
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : Uint4B
+0x098 SecurityDescriptor : Ptr32 Void
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : Uint2B
+0x0ae Spare1 : Uint2B
+0x0b0 DeviceObjectExtension : Ptr32 _DEVOBJ_EXTENSION
+0x0b4 Reserved : Ptr32 Void
(1)FLAG
flag值 | 含义 |
DO_BUFFERED_IO | 读写操作使用缓冲方式(系统复制缓冲区)访问用户模式数据 |
DO_EXCLUSIVE | 一次只允许一个线程打开设备句柄 |
DO_DIRECT_IO | 读写操作使用直接方式(内存描述符表)访问用户模式数据 |
DO_BUS_ENUMERATED_DEVICE | Bus drivers set this flag in the PDO of each device they enumerate. This flag pertains only to the PDO; it must not be set in an FDO or filter DO. Therefore, higher-level drivers layered over a bus driver must not propagate this value up the device stack. |
DO_DEVICE_INITIALIZING | 设备对象正在初始化 |
DO_POWER_INRUSH | Drivers of devices that require inrush current when powering on must set this flag. A driver cannot set both this flag and DO_POWER_PAGABLE.设备上电期间需要大电流 |
DO_POWER_PAGABLE | Windows? 2000 and later drivers that are pageable, are not part of the paging path, and do not require inrush current must set this flag. The system calls such drivers at IRQL PASSIVE_LEVEL. Drivers cannot set both this flag and DO_POWER_INRUSH. All WDM, Windows 98, and Windows Me drivers must set DO_POWER_PAGABLE.必须在PASSIVE_LEVEL级上处理IRP_MJ_PNP请求 |
DO_VERIFY_VOLUME | Removable-media drivers set this flag while processing transfer requests. Such drivers should also check for this flag in the target for a transfer request before transferring any data. See the Supporting Removable Media for details |
Characteristics: 包含另一组标志位,描述设备的可选特征
FILE_REMOVABLE_MEDIA: 可更换媒介设备
FILE_READ_ONLY_DEVICE: 只读设备
FILE_FLOPPY_DISKETTE: 软盘驱动器设备
FILE_WRITE_ONCE_MDEIA: 只写一次设备
FILE_REMOTE_DEVICE: 通过网络连接访问的设备
FILE_DEVICE_IS_MOUNTED: 物理媒介已在设备中
FILE_DEVICE_SECURE_OPEN: 在打开操作中检查设备对象的安全属性
DeviceType: 一个枚举常量,描述设备类型。
FILE_DEVICE_PRINTER: 打印机
FILE_DEVICE_SCANNER: 扫描仪
...
FILE_DEVICE_UNKNOWN: 未知设备