Reading Notebook: 04-March-11

Thursday, March 10th, 2011

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

HKLM\S\MountedDevices and basic disk volume partition offset (pp. 667 - 668)

General reparse points; symbolic links and mount points as their applications (p. 669)

Device object -> VPB, !vpb WinDbg command (p. 670) - here it is on my x64 W2K8 system:

0: kd> dt _DEVICE_OBJECT
ntdll!_DEVICE_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Uint2B
   +0x004 ReferenceCount   : Int4B
   +0x008 DriverObject     : Ptr64 _DRIVER_OBJECT
   +0x010 NextDevice       : Ptr64 _DEVICE_OBJECT
   +0x018 AttachedDevice   : Ptr64 _DEVICE_OBJECT
   +0x020 CurrentIrp       : Ptr64 _IRP
   +0x028 Timer            : Ptr64 _IO_TIMER
   +0x030 Flags            : Uint4B
   +0x034 Characteristics  : Uint4B
   +0x038 Vpb              : Ptr64 _VPB
   +0x040 DeviceExtension  : Ptr64 Void
   +0x048 DeviceType       : Uint4B
   +0x04c StackSize        : Char
   +0x050 Queue            : <unnamed-tag>
   +0x098 AlignmentRequirement : Uint4B
   +0x0a0 DeviceQueue      : _KDEVICE_QUEUE
   +0x0c8 Dpc              : _KDPC
   +0x108 ActiveThreadCount : Uint4B
   +0x110 SecurityDescriptor : Ptr64 Void
   +0x118 DeviceLock       : _KEVENT
   +0x130 SectorSize       : Uint2B
   +0x132 Spare1           : Uint2B
   +0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION
   +0x140 Reserved         : Ptr64 Void

0: kd> dt _VPB
ntdll!_VPB
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x004 Flags            : Uint2B
   +0x006 VolumeLabelLength : Uint2B
   +0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x010 RealDevice       : Ptr64 _DEVICE_OBJECT
   +0x018 SerialNumber     : Uint4B
   +0x01c ReferenceCount   : Uint4B
   +0x020 VolumeLabel      : [32] Wchar

FS -> Volume I/O (pp. 674 - 675) - we can also see the driver stack from the IRP's I/O stack locations:

2: kd> !irp fffffa8017492b80
[...]
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
>[  4,34]  1c e0 fffffa800dfe2060 00000000 fffff88001186f30-00000000 Success Error Cancel
              \Driver\Disk  partmgr!PmReadWriteCompletion
                     Args: 00001000 00000000 b99a9000 00000000
 [  4, 0]  1c e0 fffffa800dfe2b90 00000000 fffff88001197180-fffffa800da89e20 Success Error Cancel
              \Driver\partmgr     volmgr!VmpReadWriteCompletionRoutine
                     Args: 148ce8c5bed 00000000 b99a9000 00000000
 [  4, 0]   c e0 fffffa800da89cd0 00000000 fffff88001968150-fffffa800dfe7190 Success Error Cancel
              \Driver\volmgr      volsnap!VspRefCountCompletionRoutine
                     Args: 00001000 00000000 148ce8c5be9 00000000
 [  4, 0]   c e1 fffffa800dfe7040 00000000 fffff88001a464f4-fffff88002777a10 Success Error Cancel pending
              \Driver\volsnap     Ntfs!NtfsMasterIrpSyncCompletionRoutine
                     Args: 00001000 00000000 b996a000 00000000
 [  4, 0]   0  0 fffffa800dfed030 fffffa800da958e0 00000000-00000000
              \FileSystem\Ntfs
                     Args: 00001000 00000000 01afc000 00000000
[...]

BitLocker architecture diagram (p. 678) - its parts can be seen from the IRP's I/O stack locations:

 kd> !irp 85e7ee00
[...]
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
>[  3,34]  10 e0 857b9030 00000000 8353724e-00000000 Success Error Cancel
             \Driver\Disk     partmgr!PmReadWriteCompletion
                  Args: 00001000 00000000 400d6000 00000000
 [  3, 0]  10  0 857b9d18 00000000 00000000-00000000
             \Driver\partmgr
                  Args: 6bad71d7 00000000 400d6000 00000000
 [  3, 0]  10 e0 8478b5f0 00000000 835487a4-857bc2f0 Success Error Cancel
      \Driver\DriverA   volmgr!VmpReadWriteCompletionRoutine
                  Args: 00001000 00000000 400d6000 00000000
 [  3, 0]   0 e0 857bc238 00000000 872c83e2-857bfb70 Success Error Cancel
             \Driver\volmgr   fvevol!FvePassThroughCompletion
                  Args: 00001000 00000000 6bad70ba 00000000
 [  3, 0]   0 e0 857bfab8 00000000 8709807a-859a2118 Success Error Cancel
             \Driver\fvevol   Ntfs!NtfsMasterIrpAsyncCompletionRoutine
                  Args: 00001000 00000000 40097000 00000000
 [  3, 0]   0  1 857e2020 8584ca40 00000000-00000000    pending
             \FileSystem\Ntfs
                  Args: 00001000 00000000 0329e000 00000000
[...]
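The two `!irp` listings above read bottom-up: the lowest driver (Disk) occupies the lowest stack location and the `>` marks the one the IRP is currently at, with each completion routine belonging to the driver one level up. As an added example (not from the notes or from the book), here is a small parser for that listing that recovers the driver path top-to-bottom and reports any driver object that a baseline volume stack (the one in the book's diagrams) does not account for; the sample input is the BitLocker dump quoted above, trimmed to its used locations, and the `\Driver\DriverA` entry it flags is simply a name the baseline does not know.

```python
import re
from dataclasses import dataclass

# Constructed sample: the BitLocker-era `!irp` dump quoted in the notes, trimmed to its used
# stack locations (the unused all-zero slots and the Args: lines are dropped).
SAMPLE_IRP = r"""
     cmd  flg cl Device   File     Completion-Context
>[  3,34]  10 e0 857b9030 00000000 8353724e-00000000 Success Error Cancel
             \Driver\Disk     partmgr!PmReadWriteCompletion
 [  3, 0]  10  0 857b9d18 00000000 00000000-00000000
             \Driver\partmgr
 [  3, 0]  10 e0 8478b5f0 00000000 835487a4-857bc2f0 Success Error Cancel
      \Driver\DriverA   volmgr!VmpReadWriteCompletionRoutine
 [  3, 0]   0 e0 857bc238 00000000 872c83e2-857bfb70 Success Error Cancel
             \Driver\volmgr   fvevol!FvePassThroughCompletion
 [  3, 0]   0 e0 857bfab8 00000000 8709807a-859a2118 Success Error Cancel
             \Driver\fvevol   Ntfs!NtfsMasterIrpAsyncCompletionRoutine
 [  3, 0]   0  1 857e2020 8584ca40 00000000-00000000    pending
             \FileSystem\Ntfs
"""
# Baseline volume stack from the book's diagrams (volsnap and fvevol are optional filters).
BASELINE = {r"\FileSystem\Ntfs", r"\Driver\fvevol", r"\Driver\volsnap",
            r"\Driver\volmgr", r"\Driver\partmgr", r"\Driver\Disk"}
# "[ mj,mn] flg cl Device File Completion-Context", all hex; a leading '>' marks the current slot
LOC_RE = re.compile(r"^\s*(>?)\[\s*([0-9a-f]+),\s*([0-9a-f]+)\]\s+([0-9a-f]+)\s+([0-9a-f]+)"
                    r"\s+([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)-([0-9a-f]+)")
DRV_RE = re.compile(r"^\s*(\\\S+)(?:\s+(\S+!\S+))?\s*$")  # "\Driver\X [module!CompletionRoutine]"

@dataclass
class StackLocation:
    active: bool          # marked '>' by !irp: the location the IRP is currently at
    major: int            # IRP_MJ_* code (3 = IRP_MJ_READ, 4 = IRP_MJ_WRITE)
    device: str           # DEVICE_OBJECT address as printed
    driver: str = ""      # owning driver object, filled in from the following line
    completion: str = ""  # completion routine set by the driver one level up, if any

def parse_irp(dump):
    """Return the used I/O stack locations in array order, i.e. lowest driver (Disk) first."""
    locs = []
    for line in dump.splitlines():
        if (m := LOC_RE.match(line)) and int(m.group(6), 16) != 0:  # zero Device == unused slot
            locs.append(StackLocation(m.group(1) == ">", int(m.group(2), 16), m.group(6)))
        elif (d := DRV_RE.match(line)) and locs and not locs[-1].driver:
            locs[-1].driver, locs[-1].completion = d.group(1), d.group(2) or ""
    return locs

def driver_path(locs):  # order the IRP travels: file system at the top, disk at the bottom
    return [loc.driver for loc in reversed(locs)]

def unexpected_drivers(locs, baseline=BASELINE):  # entries the baseline does not account for
    return [loc.driver for loc in locs if loc.driver not in baseline]
```

Running `driver_path(parse_irp(SAMPLE_IRP))` gives Ntfs -> fvevol -> volmgr -> DriverA -> partmgr -> Disk, and `unexpected_drivers` returns only `\Driver\DriverA`.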

VMK -> FVEK: possibility for rekeying (p. 679) 

Maximum protection: TPM+USB+PIN (p. 679)

Diffuser to protect against manipulation of AES-encrypted ciphertext (p. 681)

- Dmitry Vostokov @ SoftwareGeneralist.com -