Views: 2667 Replies: 2
About using IoAttachDevice: why is it so strange?
Reading <<Programming Windows Driver Model 2>>, I found this description of the function:
NOTE I recommend avoiding an older routine named IoAttachDevice, which appears superficially to be a sort-of combination of IoGetDeviceObjectPointer and IoAttachDeviceToDeviceStack. The older routine does its internal ZwClose call after attaching your device object. Your driver will receive the resulting IRP_MJ_CLOSE. To handle the IRP correctly, you must call IoAttachDevice in such a way that your dispatch routine has access to the location you specify for the output DEVICE_OBJECT pointer. It turns out that IoAttachDevice sets your output pointer before calling ZwClose and depends on you using it to forward the IRP_MJ_CLOSE to the target device. This is the only example I've seen in many decades of programming where you're required to use the return value from a function before the function actually returns.
From this passage, my understanding is: the function uses ZwOpen() to open a handle to the target device, then attaches our device object to the stack, and then calls ZwClose(). Because our device object is already in the stack, the driver that called the function receives an IRP_MJ_CLOSE request, and in that driver's dispatch routine it has to use the returned AttachedDevice to pass this IRP_MJ_CLOSE request down to it. Is that right, everyone? It feels so strange.
Reply #1
Posted: 2007-06-26 01:00
ZwOpenFile and ZwClose are only there to obtain the device handle, then ObReferenceObjectByHandle -> IoGetRelatedDeviceObject,
and finally IoAttachDeviceToDeviceStackSafe modifies the relevant linked list in the DeviceObject~
Reply #2
Posted: 2007-06-29 21:27
Found the code, pasting it:
NTSTATUS
IoAttachDevice(
    IN PDEVICE_OBJECT SourceDevice,
    IN PUNICODE_STRING TargetDevice,
    OUT PDEVICE_OBJECT *AttachedDevice
    )

/*++

Routine Description:

    This routine "attaches" a device to another device. That is, it
    associates the source device to a target device which enables the I/O
    system to ensure that the target device a) exists, and b) cannot be
    unloaded until the source device has detached. Also, requests bound for
    the target device are given to the source device first, where applicable.

Arguments:

    SourceDevice - Pointer to device object to be attached to the target.

    TargetDevice - Supplies the name of the target device to which the attach
        is to occur.

    AttachedDevice - Returns a pointer to the device to which the attach
        occurred. This is the device object that the source driver should
        use to communicate with the target driver.

Return Value:

    The function value is the final status of the operation.

--*/

{
    NTSTATUS status;
    PDEVICE_OBJECT targetDevice;
    PFILE_OBJECT fileObject;
    OBJECT_ATTRIBUTES objectAttributes;
    HANDLE fileHandle;
    IO_STATUS_BLOCK ioStatus;

    PAGED_CODE();

    //
    // Attempt to open the target device for attach access. This ensures that
    // the device itself will be opened, with all of the special considerations
    // thereof.
    //

    InitializeObjectAttributes( &objectAttributes,
                                TargetDevice,
                                0,
                                (HANDLE) NULL,
                                (PSECURITY_DESCRIPTOR) NULL );

    status = ZwOpenFile( &fileHandle,
                         FILE_READ_ATTRIBUTES,
                         &objectAttributes,
                         &ioStatus,
                         0,
                         FILE_NON_DIRECTORY_FILE | IO_ATTACH_DEVICE_API );

    if (NT_SUCCESS( status )) {

        //
        // The open operation was successful. Dereference the file handle
        // and obtain a pointer to the device object for the handle.
        //

        status = ObReferenceObjectByHandle( fileHandle,
                                            0,
                                            IoFileObjectType,
                                            KernelMode,
                                            (PVOID *) &fileObject,
                                            NULL );
        if (NT_SUCCESS( status )) {

            //
            // Get a pointer to the device object for this file, and close
            // the handle.
            //

            targetDevice = IoGetRelatedDeviceObject( fileObject );
            (VOID) ZwClose( fileHandle );

        } else {

            return status;
        }

    } else {

        return status;
    }

    //
    // Set the attached device pointer so that the driver being attached to
    // cannot unload until the detach occurs, and so that attempts to open the
    // device object go through the attached driver. Note that the reference
    // count is not incremented since exclusive drivers can only be opened once
    // and this would count as an open. At that point, both device objects
    // would become useless.
    //

    *AttachedDevice = IoAttachDeviceToDeviceStack( SourceDevice, targetDevice );
    if(!*AttachedDevice) {
        status = STATUS_NO_SUCH_DEVICE;
    }

    //
    // Finally, dereference the file object. This decrements the reference
    // count for the target device so that when the detach occurs the device
    // can go away if necessary.
    //

    ObDereferenceObject( fileObject );

    //
    // Return the final status of the operation.
    //

    return status;
}

It closes the handle first and then does the attach, heh.
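The ordering described in the quoted note, as an added example that is not part of the thread or of the Windows source: a user-mode C model in which the close request reaches the filter's dispatch routine before the attach call returns. All names are hypothetical and nothing here is the WDK API; it contrasts passing the device-extension slot as the output location with passing a local variable.

```c
#include <stddef.h>

/* User-mode model only: these types mimic, but are not, the WDK structures. */
typedef struct MODEL_DEVICE {
    struct MODEL_DEVICE *AttachedDevice;  /* device layered above this one */
    struct MODEL_DEVICE **LowerSlot;      /* where the filter keeps its lower pointer */
    int ClosesSeen;                       /* close requests that reached this device */
} MODEL_DEVICE;

enum { MODEL_SUCCESS = 0, MODEL_NO_LOWER_DEVICE = -1 };

/* Filter's close dispatch: forwards using whatever its slot holds right now. */
static int filter_dispatch_close(MODEL_DEVICE *filter)
{
    MODEL_DEVICE *lower = filter->LowerSlot ? *filter->LowerSlot : NULL;
    if (lower == NULL)
        return MODEL_NO_LOWER_DEVICE;     /* nothing to forward to */
    lower->ClosesSeen++;                  /* stands in for IoCallDriver(lower, Irp) */
    return MODEL_SUCCESS;
}

/* Ordering from the note: attach, publish *out, then the close arrives at the
   top of the stack (now the filter), all before this function returns. */
static int model_attach(MODEL_DEVICE *filter, MODEL_DEVICE *target, MODEL_DEVICE **out)
{
    target->AttachedDevice = filter;
    *out = target;
    return filter_dispatch_close(filter);
}

/* Correct use: the output location is the slot the dispatch routine reads. */
static int attach_into_extension(MODEL_DEVICE *f, MODEL_DEVICE *t, MODEL_DEVICE **slot)
{
    f->LowerSlot = slot;
    return model_attach(f, t, slot);
}

/* Misuse: output goes to a local and is copied to the slot only after return,
   so the close that arrives during the call finds the slot still NULL. */
static int attach_into_local(MODEL_DEVICE *f, MODEL_DEVICE *t, MODEL_DEVICE **slot)
{
    MODEL_DEVICE *local = NULL;
    f->LowerSlot = slot;
    int close_status = model_attach(f, t, &local);
    *slot = local;                        /* too late for the in-call close */
    return close_status;
}
```
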