Ntfs!NtfsFillStandardInfo函数分析：在Scb和Ccb中得到文件的标准信息
第一部分:
1: kd> t
Ntfs!NtfsFastQueryStdInfo+0x145:
f7182273 e8009efcff call Ntfs!NtfsFillStandardInfo (f714c078)
1: kd> t
Ntfs!NtfsFillStandardInfo:
f714c078 55 push ebp
1: kd> kc
#
00 Ntfs!NtfsFillStandardInfo
01 Ntfs!NtfsFastQueryStdInfo
02 nt!FsRtlGetFileSize
03 nt!MmCreateSection
04 nt!NtCreateSection
05 nt!_KiSystemService
06 SharedUserData!SystemCallStub
07 ntdll!ZwCreateSection
08 basesrv!BaseSrvNlsCreateSection
09 CSRSRV!CsrCallServerFromServer
0a ntdll!CsrClientCallServer
0b KERNEL32!CsrBasepNlsCreateSection
0c KERNEL32!NlsServerInitialize
0d KERNEL32!NlsDllInitialize
0e KERNEL32!BaseDllInitialize
0f ntdll!LdrpCallInitRoutine
10 ntdll!LdrpRunInitializeRoutines
11 ntdll!LdrpLoadDll
12 ntdll!LdrLoadDll
13 CSRSRV!CsrLoadServerDll
14 CSRSRV!CsrParseServerCommandLine
15 CSRSRV!CsrServerInitialization
16 csrss!main
17 csrss!NtProcessStartup
第二部分:
1: kd> dv
Buffer = 0xf704bc04
Scb = 0xe14725c8
Ccb = 0xe139eda0
1: kd> dx -id 0,0,8953a020 -r1 ((Ntfs!_SCB *)0xe14725c8)
((Ntfs!_SCB *)0xe14725c8) : 0xe14725c8 [Type: _SCB *]
[+0x000] Header [Type: _NTFS_ADVANCED_FCB_HEADER]
[+0x040] FcbLinks [Type: _LIST_ENTRY]
[+0x048] Fcb : 0xe1472500 [Type: _FCB *]
[+0x04c] Vcb : 0x898f1100 [Type: _VCB *]
[+0x100] TotalAllocated : 90112 [Type: __int64]
1: kd> dx -id 0,0,8953a020 -r1 (*((Ntfs!_NTFS_ADVANCED_FCB_HEADER *)0xe14725c8))
(*((Ntfs!_NTFS_ADVANCED_FCB_HEADER *)0xe14725c8)) [Type: _NTFS_ADVANCED_FCB_HEADER]
[+0x000] NodeTypeCode : 1797 [Type: short]
[+0x002] NodeByteSize : 336 [Type: short]
[+0x004] Flags : 0xe0 [Type: unsigned char]
[+0x005] IsFastIoPossible : 0x1 [Type: unsigned char]
[+0x006] Flags2 : 0x2 [Type: unsigned char]
[+0x007] Reserved : 0x0 [Type: unsigned char]
[+0x008] Resource : 0x89808838 [Type: _ERESOURCE *]
[+0x00c] PagingIoResource : 0x89593f30 [Type: _ERESOURCE *]
[+0x010] AllocationSize : {90112} [Type: _LARGE_INTEGER]
[+0x018] FileSize : {89588} [Type: _LARGE_INTEGER]
1: kd> dx -id 0,0,8953a020 -r1 ((Ntfs!_FCB *)0xe1472500)
((Ntfs!_FCB *)0xe1472500) : 0xe1472500 [Type: _FCB *]
[+0x000] NodeTypeCode : 1794 [Type: short]
[+0x002] NodeByteSize : 200 [Type: short]
[+0x004] FcbState : 0xa48 [Type: unsigned long]
[+0x008] FileReference [Type: _MFT_SEGMENT_REFERENCE]
[+0x010] CleanupCount : 0x1 [Type: unsigned long]
[+0x014] CloseCount : 0x2 [Type: unsigned long]
[+0x018] ReferenceCount : 0x0 [Type: unsigned long]
[+0x01c] FcbDenyDelete : 0x1 [Type: unsigned long]
[+0x020] FcbDeleteFile : 0x0 [Type: unsigned long]
[+0x024] BaseExclusiveCount : 0x0 [Type: unsigned short]
[+0x026] EaModificationCount : 0x0 [Type: unsigned short]
[+0x028] LcbQueue [Type: _LIST_ENTRY]
[+0x030] ScbQueue [Type: _LIST_ENTRY]
[+0x038] ExclusiveFcbLinks [Type: _LIST_ENTRY]
[+0x040] Vcb : 0x898f1100 [Type: _VCB *]
[+0x044] FcbMutex : 0x89808810 [Type: _FAST_MUTEX *]
[+0x048] Resource : 0x89808838 [Type: _ERESOURCE *]
[+0x04c] PagingIoResource : 0x89593f30 [Type: _ERESOURCE *]
[+0x050] Info [Type: _DUPLICATED_INFORMATION]
[+0x088] InfoFlags : 0x0 [Type: unsigned long]
[+0x08c] LinkCount : 0x1 [Type: unsigned short]
1: kd> dt ntfs!FILE_STANDARD_INFORMATION
+0x000 AllocationSize : _LARGE_INTEGER
+0x008 EndOfFile : _LARGE_INTEGER
+0x010 NumberOfLinks : Uint4B
+0x014 DeletePending : UChar
+0x015 Directory : UChar
第三部分:
; Attribute type code of the NTFS $INDEX_ALLOCATION attribute (0xA0).
; NtfsFillStandardInfo compares Scb->AttributeTypeCode against it; in this
; trace the Scb's AttributeTypeCode is 0x80 (the $DATA attribute), so the
; "!= $INDEX_ALLOCATION" test is true and the non-directory path is taken.
$INDEX_ALLOCATION EQU 0A0h
[+0x07c] AttributeTypeCode : 0x80 [Type: unsigned long]
if ((Scb->AttributeTypeCode != $INDEX_ALLOCATION) ||
(!IsDirectory( &Fcb->Info ) && !IsViewIndex( &Fcb->Info ))) {
1: kd> dx -id 0,0,8953a020 -r1 (*((Ntfs!_DUPLICATED_INFORMATION *)0xe1472550))
(*((Ntfs!_DUPLICATED_INFORMATION *)0xe1472550)) [Type: _DUPLICATED_INFORMATION]
[+0x000] CreationTime : 126907141100000000 [Type: __int64]
[+0x008] LastModificationTime : 126907141100000000 [Type: __int64]
[+0x010] LastChangeTime : 133707811646250000 [Type: __int64]
[+0x018] LastAccessTime : 133708070290935000 [Type: __int64]
[+0x020] AllocatedLength : 90112 [Type: __int64]
[+0x028] FileSize : 89588 [Type: __int64]
[+0x030] FileAttributes : 0x20 [Type: unsigned long]
[+0x034] PackedEaSize : 0x0 [Type: unsigned short]
[+0x036] Reserved : 0x0 [Type: unsigned short]
[+0x034] ReparsePointTag : 0x0 [Type: unsigned long]
/* TRUE when any bit of SingleFlag is set in Flags; the result is cast to BOOLEAN. */
#define FlagOn(Flags,SingleFlag) ((BOOLEAN)(((Flags) & (SingleFlag)) != 0))
/*
 * Directory test used by NtfsFillStandardInfo: it keys on the
 * DUP_FILE_NAME_INDEX_PRESENT bit of the duplicated information's
 * FileAttributes, NOT on FILE_ATTRIBUTE_DIRECTORY. In this trace
 * Fcb->Info.FileAttributes is 0x20 and the resulting Directory field is 0.
 */
#define IsDirectory( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \
DUP_FILE_NAME_INDEX_PRESENT ))
/* Companion test for view indexes, checked alongside IsDirectory when the Scb is an $INDEX_ALLOCATION stream. */
#define IsViewIndex( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \
DUP_VIEW_INDEX_PRESENT ))
/*
 * Win32 FILE_ATTRIBUTE_* bit values. The FileAttributes value 0x20 seen in
 * the trace (Fcb->Info and Ccb) is FILE_ATTRIBUTE_ARCHIVE. Note that the
 * NTFS directory test (IsDirectory / BooleanIsDirectory) does not use
 * FILE_ATTRIBUTE_DIRECTORY; it checks DUP_FILE_NAME_INDEX_PRESENT instead.
 */
#define FILE_ATTRIBUTE_READONLY 0x00000001
#define FILE_ATTRIBUTE_HIDDEN 0x00000002
#define FILE_ATTRIBUTE_SYSTEM 0x00000004
//OLD DOS VOLID 0x00000008
#define FILE_ATTRIBUTE_DIRECTORY 0x00000010
#define FILE_ATTRIBUTE_ARCHIVE 0x00000020
#define FILE_ATTRIBUTE_DEVICE 0x00000040
#define FILE_ATTRIBUTE_NORMAL 0x00000080
第四部分:
1: kd> p
Ntfs!NtfsFillStandardInfo+0x5f:
f714c0d7 8b8600010000 mov eax,dword ptr [esi+100h]
1: kd> r
eax=00000000 ebx=e1472500 ecx=00000000 edx=f704bc04 esi=e14725c8
1: kd> dx -id 0,0,8953a020 -r1 ((Ntfs!_SCB *)0xe14725c8)
((Ntfs!_SCB *)0xe14725c8) : 0xe14725c8 [Type: _SCB *]
[+0x100] TotalAllocated : 90112 [Type: __int64]
/*
 * Size fields are taken from the Scb, not from Fcb->Info:
 *  - AllocationSize comes from Scb->TotalAllocated (offset 0x100; the
 *    "mov eax,[esi+100h]" above, esi = Scb) = 90112 in this trace;
 *  - EndOfFile comes from Scb->Header.FileSize = 89588 in this trace.
 * Both values match the sizes shown in the file's Explorer properties dialog.
 */
Buffer->AllocationSize.QuadPart = Scb->TotalAllocated;
Buffer->EndOfFile = Scb->Header.FileSize;
1: kd> dx -id 0,0,8953a020 -r1 ((Ntfs!_SCB *)0xe14725c8)
((Ntfs!_SCB *)0xe14725c8) : 0xe14725c8 [Type: _SCB *]
[+0x000] Header [Type: _NTFS_ADVANCED_FCB_HEADER]
1: kd> dx -id 0,0,8953a020 -r1 (*((Ntfs!_NTFS_ADVANCED_FCB_HEADER *)0xe14725c8))
(*((Ntfs!_NTFS_ADVANCED_FCB_HEADER *)0xe14725c8)) [Type: _NTFS_ADVANCED_FCB_HEADER]
[+0x000] NodeTypeCode : 1797 [Type: short]
[+0x002] NodeByteSize : 336 [Type: short]
[+0x004] Flags : 0xe0 [Type: unsigned char]
[+0x018] FileSize : {89588} [Type: _LARGE_INTEGER]
unicode.nls 右键属性中显示的大小:
87.4 KB (89,588 字节)
88.0 KB (90,112 字节)
/*
 * Same test as IsDirectory (DUP_FILE_NAME_INDEX_PRESENT in the duplicated
 * information's FileAttributes), returned as a BOOLEAN so it can be stored
 * directly into Buffer->Directory.
 */
#define BooleanIsDirectory( DUPLICATE ) \
(BooleanFlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \
DUP_FILE_NAME_INDEX_PRESENT ))
/* TRUE when any bit of SF is set in F, cast to BOOLEAN. */
#define BooleanFlagOn(F,SF) ( \
(BOOLEAN)(((F) & (SF)) != 0) \
)
第五部分:
if (FlagOn( Ccb->Flags, CCB_FLAG_OPEN_AS_FILE )) {
if ((Scb->Fcb->LinkCount == 0) ||
((Ccb->Lcb != NULL) && FlagOn( Ccb->Lcb->LcbState, LCB_STATE_DELETE_ON_CLOSE ))) {
Buffer->DeletePending = TRUE;
}
Buffer->Directory = BooleanIsDirectory( &Scb->Fcb->Info );
/*
 * Bit 1 of Ccb->Flags. The Ccb in this trace has Flags = 0x2003, so this
 * bit is set and NtfsFillStandardInfo enters the branch that computes
 * Buffer->DeletePending and Buffer->Directory.
 */
#define CCB_FLAG_OPEN_AS_FILE (0x00000002)
if (FlagOn( Ccb->Flags, CCB_FLAG_OPEN_AS_FILE )) {
Ccb = 0xe139eda0
1: kd> dx -id 0,0,8953a020 -r1 ((Ntfs!_CCB *)0xe139eda0)
((Ntfs!_CCB *)0xe139eda0) : 0xe139eda0 [Type: _CCB *]
[+0x000] NodeTypeCode : 1801 [Type: short]
[+0x002] NodeByteSize : 64 [Type: short]
[+0x004] Flags : 0x2003 [Type: unsigned long]
[+0x030] FileAttributes : 0x20 [Type: unsigned long]
第六部分:最终结果
1: kd> dv
Buffer = 0xf704bc04
Scb = 0xe14725c8
Ccb = 0xe139eda0
1: kd> dx -id 0,0,8953a020 -r1 ((Ntfs!_FILE_STANDARD_INFORMATION *)0xf704bc04)
((Ntfs!_FILE_STANDARD_INFORMATION *)0xf704bc04) : 0xf704bc04 [Type: _FILE_STANDARD_INFORMATION *]
[+0x000] AllocationSize : {90112} [Type: _LARGE_INTEGER]
[+0x008] EndOfFile : {89588} [Type: _LARGE_INTEGER]
[+0x010] NumberOfLinks : 0x1 [Type: unsigned long]
[+0x014] DeletePending : 0x0 [Type: unsigned char]
[+0x015] Directory : 0x0 [Type: unsigned char]