1. 首页首页
  2. 科技前沿科技前沿

小端口驱动启动及关闭过程

科技前沿 阅读 37

小端口驱动启动及关闭过程网卡启动过程 1 进入 DriverEntry 后 调用 NdisMRegiste 注册小端口驱动 ChildEBP RetAddr 807e04ec 89222eec netvmini620 MPSetOptions d td newframe drivers vd network netvmini620 miniport c

大家好,我是讯享网,很高兴认识大家。

网卡启动过程

1. 进入DriverEntry后,调用NdisMRegisterMiniportDriver注册小端口驱动

ChildEBP RetAddr 807e04ec 89222eec netvmini620!MPSetOptions [d:\td\newframe\drivers-vd\network\netvmini620\miniport.c @ 299] 807e0510 8bd3f1fc ndis!NdisMRegisterMiniportDriver+0x498 807e0598 83fd72e6 netvmini620!DriverEntry+0x1ec [d:\td\newframe\drivers-vd\network\netvmini620\miniport.c @ 180] 807e077c 83fc37f4 nt!IopLoadDriver+0x7ed 807e0828  nt!PipCallDriverAddDeviceQueryRoutine+0x34b 807e0860  nt!RtlpCallQueryRegistryRoutine+0x2ea 807e08cc 83fd16a4 nt!RtlQueryRegistryValues+0x31d 807e09a8 83fd0e12 nt!PipCallDriverAddDevice+0x383 807e0ba4 840a0a4e nt!PipProcessDevNodeTree+0x15d 807e0bd8 83e27cb7 nt!PiRestartDevice+0x8a 807e0c00 83e90aab nt!PnpDeviceActionWorker+0x1fb 807e0c50 8401cf5e nt!ExpWorkerThread+0x10d 807e0c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19

讯享网注意MPSetOptions是在NdisMRegisterMiniportDriver上下文中被调用的。

2. 调用MPInitializeEx,初始化适配器

讯享网807e0528 8927ecf2 netvmini620!MPInitializeEx [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 171] 807e07f4 8927e474 ndis!ndisMInitializeAdapter+0x76b 807e082c 8927e2ed ndis!ndisInitializeAdapter+0x10a 807e0854 89283d23 ndis!ndisPnPStartDevice+0x130 807e0898 83e4a593 ndis!ndisPnPDispatch+0x62f 807e08b0 83fd26f8 nt!IofCallDriver+0x63 807e08cc 83e2528b nt!PnpAsynchronousCall+0x92 807e0930 83fc9561 nt!PnpStartDevice+0xe1 807e098c 83fc942a nt!PnpStartDeviceNode+0x12c 807e09a8 83fd0e3d nt!PipProcessStartPhase1+0x62 807e0ba4 840a0a4e nt!PipProcessDevNodeTree+0x188 807e0bd8 83e27cb7 nt!PiRestartDevice+0x8a 807e0c00 83e90aab nt!PnpDeviceActionWorker+0x1fb 807e0c50 8401cf5e nt!ExpWorkerThread+0x10d 807e0c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19
调用MPInitializeEx时适配器处于Initializing状态,初始化成功后处于Paused状态,初始化失败返回Halted状态。

3. 调用MPRestart函数,启动适配器

807e04ec 8927b852 netvmini620!MPRestart [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 679] 807e052c 8927fe17 ndis!ndisRestartMiniport+0x16f 807e07f4 8927e474 ndis!ndisMInitializeAdapter+0x1890 807e082c 8927e2ed ndis!ndisInitializeAdapter+0x10a 807e0854 89283d23 ndis!ndisPnPStartDevice+0x130 807e0898 83e4a593 ndis!ndisPnPDispatch+0x62f 807e08b0 83fd26f8 nt!IofCallDriver+0x63 807e08cc 83e2528b nt!PnpAsynchronousCall+0x92 807e0930 83fc9561 nt!PnpStartDevice+0xe1 807e098c 83fc942a nt!PnpStartDeviceNode+0x12c 807e09a8 83fd0e3d nt!PipProcessStartPhase1+0x62 807e0ba4 840a0a4e nt!PipProcessDevNodeTree+0x188 807e0bd8 83e27cb7 nt!PiRestartDevice+0x8a 807e0c00 83e90aab nt!PnpDeviceActionWorker+0x1fb 807e0c50 8401cf5e nt!ExpWorkerThread+0x10d 807e0c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19
调用MPRestart时适配器处于Restarting状态,初始化成功后处于Running状态,初始化失败返回Paused状态。

4. 调用MPDevicePnpEventNotify发送PNP通知

讯享网807e04c8 b netvmini620!MPDevicePnpEventNotify+0x8 [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 1117] 807e0508 c8 ndis!ndisDevicePnPEventNotifyMiniport+0xf4 807e0524 f5 ndis!ndisNotifyMiniports+0x5d 807e07f4 8927e474 ndis!ndisMInitializeAdapter+0x1b6e 807e082c 8927e2ed ndis!ndisInitializeAdapter+0x10a 807e0854 89283d23 ndis!ndisPnPStartDevice+0x130 807e0898 83e4a593 ndis!ndisPnPDispatch+0x62f 807e08b0 83fd26f8 nt!IofCallDriver+0x63 807e08cc 83e2528b nt!PnpAsynchronousCall+0x92 807e0930 83fc9561 nt!PnpStartDevice+0xe1 807e098c 83fc942a nt!PnpStartDeviceNode+0x12c 807e09a8 83fd0e3d nt!PipProcessStartPhase1+0x62 807e0ba4 840a0a4e nt!PipProcessDevNodeTree+0x188 807e0bd8 83e27cb7 nt!PiRestartDevice+0x8a 807e0c00 83e90aab nt!PnpDeviceActionWorker+0x1fb 807e0c50 8401cf5e nt!ExpWorkerThread+0x10d 807e0c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19
根据调试,发送的通知为NdisDevicePnPEventPowerProfileChanged,确认电源类型(battery or AC online)

5. 调用MPPause,暂停网卡

8e30ba74 8927be18 netvmini620!MPPause [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 600] 8e30bab0  ndis!ndisPauseMiniport+0x17f 8e30bbe4 89215cea ndis!ndisAttachFilterToMiniport+0x2fc 8e30bc0c 89280cad ndis!ndisCheckMiniportFilters+0x105 8e30bc24  ndis!ndisQueuedCheckAdapterBindings+0xc8 8e30bc34 e ndis!ndisWorkItemHandler+0xe 8e30bc50 8401cf5e ndis!ndisWorkerThread+0xa4 8e30bc90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19
此为一工作线程,查看堆栈,暂停网卡的目的可能是挂载过滤驱动。

6. 再次调用MPRestart函数,启动适配器

讯享网8e30b848 8927b852 netvmini620!MPRestart [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 679] 8e30b888 8921e76c ndis!ndisRestartMiniport+0x16f 8e30baac d ndis!ndisRestartMiniportFilterStack+0xa5 8e30bbe4 89215cea ndis!ndisAttachFilterToMiniport+0x15e2 8e30bc0c 89280cad ndis!ndisCheckMiniportFilters+0x105 8e30bc24  ndis!ndisQueuedCheckAdapterBindings+0xc8 8e30bc34 e ndis!ndisWorkItemHandler+0xe 8e30bc50 8401cf5e ndis!ndisWorkerThread+0xa4 8e30bc90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19
此工作线程与上一调用MPPause的工作线程为同一线程。


讯享网

至此,适配器启动完毕。

网卡关闭过程

1. 调用MPPause,进入Pause状态(关闭发送、接收数据包路径)

807e477c 8927be18 netvmini620!MPPause [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 600] 807e47b8 8928ab77 ndis!ndisPauseMiniport+0x17f 807e484c 8928f62b ndis!ndisCloseMiniportBindings+0xcb 807e497c 8923f538 ndis!ndisPnPRemoveDevice+0x23c 807e49ac 89283ac3 ndis!ndisPnPRemoveDeviceEx+0xaa 807e49f0 83e4a593 ndis!ndisPnPDispatch+0x3cf 807e4a08 83fecf95 nt!IofCallDriver+0x63 807e4a38 840d9a3f nt!IopSynchronousCall+0xc2 807e4a90 83eef346 nt!IopRemoveDevice+0xd4 807e4abc 840d1787 nt!PnpRemoveLockedDeviceNode+0x16c 807e4ad0 840d1a3b nt!PnpDeleteLockedDeviceNode+0x2d 807e4b04 840d5417 nt!PnpDeleteLockedDeviceNodes+0x4c 807e4bc4 83fc52ca nt!PnpProcessQueryRemoveAndEject+0x946 807e4bdc 83fd33ca nt!PnpProcessTargetDeviceEvent+0x38 807e4c00 83e90aab nt!PnpDeviceEventWorker+0x216 807e4c50 8401cf5e nt!ExpWorkerThread+0x10d 807e4c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19
2. 调用MPRestart,不懂 

讯享网807e4778 8927b852 netvmini620!MPRestart [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 679] 807e47b8 8928ad21 ndis!ndisRestartMiniport+0x16f 807e484c 8928f62b ndis!ndisCloseMiniportBindings+0x275 807e497c 8923f538 ndis!ndisPnPRemoveDevice+0x23c 807e49ac 89283ac3 ndis!ndisPnPRemoveDeviceEx+0xaa 807e49f0 83e4a593 ndis!ndisPnPDispatch+0x3cf 807e4a08 83fecf95 nt!IofCallDriver+0x63 807e4a38 840d9a3f nt!IopSynchronousCall+0xc2 807e4a90 83eef346 nt!IopRemoveDevice+0xd4 807e4abc 840d1787 nt!PnpRemoveLockedDeviceNode+0x16c 807e4ad0 840d1a3b nt!PnpDeleteLockedDeviceNode+0x2d 807e4b04 840d5417 nt!PnpDeleteLockedDeviceNodes+0x4c 807e4bc4 83fc52ca nt!PnpProcessQueryRemoveAndEject+0x946 807e4bdc 83fd33ca nt!PnpProcessTargetDeviceEvent+0x38 807e4c00 83e90aab nt!PnpDeviceEventWorker+0x216 807e4c50 8401cf5e nt!ExpWorkerThread+0x10d 807e4c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19
3.  调用MPPause,呼应上面的MPRestart 

807e47a4 8927be18 netvmini620!MPPause [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 600] 807e47e0 89227f90 ndis!ndisPauseMiniport+0x17f 807e484c 8928f631 ndis!ndisDetachFiltersOnMiniport+0x136 807e497c 8923f538 ndis!ndisPnPRemoveDevice+0x242 807e49ac 89283ac3 ndis!ndisPnPRemoveDeviceEx+0xaa 807e49f0 83e4a593 ndis!ndisPnPDispatch+0x3cf 807e4a08 83fecf95 nt!IofCallDriver+0x63 807e4a38 840d9a3f nt!IopSynchronousCall+0xc2 807e4a90 83eef346 nt!IopRemoveDevice+0xd4 807e4abc 840d1787 nt!PnpRemoveLockedDeviceNode+0x16c 807e4ad0 840d1a3b nt!PnpDeleteLockedDeviceNode+0x2d 807e4b04 840d5417 nt!PnpDeleteLockedDeviceNodes+0x4c 807e4bc4 83fc52ca nt!PnpProcessQueryRemoveAndEject+0x946 807e4bdc 83fd33ca nt!PnpProcessTargetDeviceEvent+0x38 807e4c00 83e90aab nt!PnpDeviceEventWorker+0x216 807e4c50 8401cf5e nt!ExpWorkerThread+0x10d 807e4c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19
分析上面的堆栈,与卸载过滤驱动有关。 

讯享网807e47a0 8927b852 netvmini620!MPRestart [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 679] 807e47e0 89227fcf ndis!ndisRestartMiniport+0x16f 807e484c 8928f631 ndis!ndisDetachFiltersOnMiniport+0x175 807e497c 8923f538 ndis!ndisPnPRemoveDevice+0x242 807e49ac 89283ac3 ndis!ndisPnPRemoveDeviceEx+0xaa 807e49f0 83e4a593 ndis!ndisPnPDispatch+0x3cf 807e4a08 83fecf95 nt!IofCallDriver+0x63 807e4a38 840d9a3f nt!IopSynchronousCall+0xc2 807e4a90 83eef346 nt!IopRemoveDevice+0xd4 807e4abc 840d1787 nt!PnpRemoveLockedDeviceNode+0x16c 807e4ad0 840d1a3b nt!PnpDeleteLockedDeviceNode+0x2d 807e4b04 840d5417 nt!PnpDeleteLockedDeviceNodes+0x4c 807e4bc4 83fc52ca nt!PnpProcessQueryRemoveAndEject+0x946 807e4bdc 83fd33ca nt!PnpProcessTargetDeviceEvent+0x38 807e4c00 83e90aab nt!PnpDeviceEventWorker+0x216 807e4c50 8401cf5e nt!ExpWorkerThread+0x10d 807e4c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19

5.  调用MPPause,呼应上面的MPRestart 

807e480c 8927be18 netvmini620!MPPause [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 600] 807e4848 8928f648 ndis!ndisPauseMiniport+0x17f 807e497c 8923f538 ndis!ndisPnPRemoveDevice+0x259 807e49ac 89283ac3 ndis!ndisPnPRemoveDeviceEx+0xaa 807e49f0 83e4a593 ndis!ndisPnPDispatch+0x3cf 807e4a08 83fecf95 nt!IofCallDriver+0x63 807e4a38 840d9a3f nt!IopSynchronousCall+0xc2 807e4a90 83eef346 nt!IopRemoveDevice+0xd4 807e4abc 840d1787 nt!PnpRemoveLockedDeviceNode+0x16c 807e4ad0 840d1a3b nt!PnpDeleteLockedDeviceNode+0x2d 807e4b04 840d5417 nt!PnpDeleteLockedDeviceNodes+0x4c 807e4bc4 83fc52ca nt!PnpProcessQueryRemoveAndEject+0x946 807e4bdc 83fd33ca nt!PnpProcessTargetDeviceEvent+0x38 807e4c00 83e90aab nt!PnpDeviceEventWorker+0x216 807e4c50 8401cf5e nt!ExpWorkerThread+0x10d 807e4c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19

6. 调用MPHaltEx,卸载适配器 

讯享网807e47f4 8928a69f netvmini620!MPHaltEx [d:\td\newframe\drivers-vd\network\netvmini620\adapter.c @ 745] 807e4830 8928d9e7 ndis!ndisMCommonHaltMiniport+0x54f 807e484c 8928f729 ndis!ndisMHaltMiniport+0x5a 807e497c 8923f538 ndis!ndisPnPRemoveDevice+0x33a 807e49ac 89283ac3 ndis!ndisPnPRemoveDeviceEx+0xaa 807e49f0 83e4a593 ndis!ndisPnPDispatch+0x3cf 807e4a08 83fecf95 nt!IofCallDriver+0x63 807e4a38 840d9a3f nt!IopSynchronousCall+0xc2 807e4a90 83eef346 nt!IopRemoveDevice+0xd4 807e4abc 840d1787 nt!PnpRemoveLockedDeviceNode+0x16c 807e4ad0 840d1a3b nt!PnpDeleteLockedDeviceNode+0x2d 807e4b04 840d5417 nt!PnpDeleteLockedDeviceNodes+0x4c 807e4bc4 83fc52ca nt!PnpProcessQueryRemoveAndEject+0x946 807e4bdc 83fd33ca nt!PnpProcessTargetDeviceEvent+0x38 807e4c00 83e90aab nt!PnpDeviceEventWorker+0x216 807e4c50 8401cf5e nt!ExpWorkerThread+0x10d 807e4c90 83ec4219 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19

以上的过程是在我的win 7虚拟机上测试的,在各位看官的机器上,我觉得关闭适配器的流程可能会与我的机器有所不同,具体可能关系到是否有过滤驱动,没测试,瞎掰以下,关闭适配器的过程多次调用了Pause及Restart例程,我觉得调用几次并没有关系,只要讲发送接收路径控制好即可。

小讯
上一篇 2025-03-03 18:38
下一篇 2025-03-19 23:55

相关推荐

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容,请联系我们,一经查实,本站将立刻删除。
如需转载请保留出处:https://51itzy.com/kjqy/58310.html