Analysis of the Ntfs!NtfsAllocateRestartTableIndex function and its relationship to the Ntfs!DIRTY_PAGE_ENTRY_V0 structure
Part 1:
1: kd> t
Ntfs!DirtyPageRoutine+0x42:
f7145234 e84f0d0100 call Ntfs!NtfsAllocateRestartTableIndex (f7155f88)
1: kd> t
Ntfs!NtfsAllocateRestartTableIndex:
f7155f88 55 push ebp
1: kd> kc
#
00 Ntfs!NtfsAllocateRestartTableIndex
01 Ntfs!DirtyPageRoutine
02 nt!CcGetDirtyPages
03 Ntfs!NtfsCheckpointVolume
04 Ntfs!NtfsCheckpointAllVolumes
05 nt!ExpWorkerThread
06 nt!PspSystemThreadStartup
07 nt!KiThreadStartup
1: kd> dv
TablePointer = 0xf78d2b90
Exclusive = 1
LockHandle = struct _KLOCK_QUEUE_HANDLE
EntryIndex = 0xf78d2b90
1: kd> dx -r1 ((Ntfs!_RESTART_POINTERS *)0xf78d2b90)
((Ntfs!_RESTART_POINTERS *)0xf78d2b90) : 0xf78d2b90 [Type: _RESTART_POINTERS *]
[+0x000] Resource [Type: _ERESOURCE]
[+0x038] Table : 0x895b9840 [Type: _RESTART_TABLE *]
[+0x03c] SpinLock : 0x0 [Type: unsigned long]
[+0x040] ResourceInitialized : 0x1 [Type: unsigned char]
[+0x041] DrainPending : 0x0 [Type: unsigned char]
[+0x042] Unused [Type: unsigned char [6]]
1: kd> dx -r1 ((Ntfs!_RESTART_TABLE *)0x895b9840)
((Ntfs!_RESTART_TABLE *)0x895b9840) : 0x895b9840 [Type: _RESTART_TABLE *]
[+0x000] EntrySize : 0x2c [Type: unsigned short]
[+0x002] NumberEntries : 0x20 [Type: unsigned short]
[+0x004] NumberAllocated : 0x0 [Type: unsigned short]
[+0x006] Reserved [Type: unsigned short [3]]
[+0x00c] FreeGoal : 0xffffffff [Type: unsigned long]
[+0x010] FirstFree : 0x18 [Type: unsigned long]
[+0x014] LastFree : 0x56c [Type: unsigned long]
Part 2:
//
// Get First Free to return it.
//
EntryIndex = Table->FirstFree;    // [+0x010] FirstFree : 0x18
#define GetRestartEntryFromIndex(TBL,INDX) ( \
(PVOID)((PCHAR)(TBL)->Table + (INDX)) \
)
//
// Dequeue this entry and zero it.
//
Entry = (PULONG)GetRestartEntryFromIndex( TablePointer, EntryIndex );
#define RESTART_ENTRY_ALLOCATED (0xFFFFFFFF)
Part 3:
1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_RESTART_TABLE *)0x895b9840)
((Ntfs!_RESTART_TABLE *)0x895b9840) : 0x895b9840 [Type: _RESTART_TABLE *]
[+0x000] EntrySize : 0x2c [Type: unsigned short]
[+0x002] NumberEntries : 0x20 [Type: unsigned short]
[+0x004] NumberAllocated : 0x0 [Type: unsigned short]
[+0x006] Reserved [Type: unsigned short [3]]
[+0x00c] FreeGoal : 0xffffffff [Type: unsigned long]
[+0x010] FirstFree : 0x44 [Type: unsigned long]
[+0x014] LastFree : 0x56c [Type: unsigned long]
1: kd> dt DIRTY_PAGE_ENTRY_V0 0x895b9840+18
Ntfs!DIRTY_PAGE_ENTRY_V0
+0x000 AllocatedOrNextFree : 0xffffffff
+0x004 TargetAttribute : 0
+0x008 LengthOfTransfer : 0
+0x00c LcnsToFollow : 0
+0x010 Reserved : 0
+0x014 Vcn : 0n0
+0x01c OldestLsn : _LARGE_INTEGER 0x0
+0x024 LcnsForPage : [1] 0n0
Part 4:
1: kd> dt DIRTY_PAGE_ENTRY_V0 0x895b9840+18+2c
Ntfs!DIRTY_PAGE_ENTRY_V0
+0x000 AllocatedOrNextFree : 0x70
+0x004 TargetAttribute : 0
+0x008 LengthOfTransfer : 0
+0x00c LcnsToFollow : 0
+0x010 Reserved : 0
+0x014 Vcn : 0n0
+0x01c OldestLsn : _LARGE_INTEGER 0x0
+0x024 LcnsForPage : [1] 0n0
1: kd> dt DIRTY_PAGE_ENTRY_V0 0x895b9840+18+2c*2
Ntfs!DIRTY_PAGE_ENTRY_V0
+0x000 AllocatedOrNextFree : 0x9c
+0x004 TargetAttribute : 0
+0x008 LengthOfTransfer : 0
+0x00c LcnsToFollow : 0
+0x010 Reserved : 0
+0x014 Vcn : 0n0
+0x01c OldestLsn : _LARGE_INTEGER 0x0
+0x024 LcnsForPage : [1] 0n0
1: kd> dt DIRTY_PAGE_ENTRY_V0 0x895b9840+18+2c*3
Ntfs!DIRTY_PAGE_ENTRY_V0
+0x000 AllocatedOrNextFree : 0xc8
+0x004 TargetAttribute : 0
+0x008 LengthOfTransfer : 0
+0x00c LcnsToFollow : 0
+0x010 Reserved : 0
+0x014 Vcn : 0n0
+0x01c OldestLsn : _LARGE_INTEGER 0x0
+0x024 LcnsForPage : [1] 0n0
1: kd> dt DIRTY_PAGE_ENTRY_V0 0x895b9840+18+2c*4
Ntfs!DIRTY_PAGE_ENTRY_V0
+0x000 AllocatedOrNextFree : 0xf4
+0x004 TargetAttribute : 0
+0x008 LengthOfTransfer : 0
+0x00c LcnsToFollow : 0
+0x010 Reserved : 0
+0x014 Vcn : 0n0
+0x01c OldestLsn : _LARGE_INTEGER 0x0
+0x024 LcnsForPage : [1] 0n0
1: kd> dt DIRTY_PAGE_ENTRY_V0 0x895b9840+18+2c*5
Ntfs!DIRTY_PAGE_ENTRY_V0
+0x000 AllocatedOrNextFree : 0x120
+0x004 TargetAttribute : 0
+0x008 LengthOfTransfer : 0
+0x00c LcnsToFollow : 0
+0x010 Reserved : 0
+0x014 Vcn : 0n0
+0x01c OldestLsn : _LARGE_INTEGER 0x0
+0x024 LcnsForPage : [1] 0n0
Part 5:
Table->NumberAllocated += 1;
1: kd> dt _RESTART_POINTERS 0xf78d2b90
Ntfs!_RESTART_POINTERS
+0x000 Resource : _ERESOURCE
+0x038 Table : 0x895b9840 _RESTART_TABLE
+0x03c SpinLock : 0
+0x040 ResourceInitialized : 0x1 ''
+0x041 DrainPending : 0 ''
+0x042 Unused : [6] ""
1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_RESTART_TABLE *)0x895b9840)
((Ntfs!_RESTART_TABLE *)0x895b9840) : 0x895b9840 [Type: _RESTART_TABLE *]
[+0x000] EntrySize : 0x2c [Type: unsigned short]
[+0x002] NumberEntries : 0x20 [Type: unsigned short]
[+0x004] NumberAllocated : 0x1 [Type: unsigned short]
[+0x006] Reserved [Type: unsigned short [3]]
[+0x00c] FreeGoal : 0xffffffff [Type: unsigned long]
[+0x010] FirstFree : 0x44 [Type: unsigned long]
[+0x014] LastFree : 0x56c [Type: unsigned long]
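
The free-list behaviour visible in the dumps above, as an added C model (not code from the original post or from Ntfs.sys): each free entry's first ULONG holds the offset of the next free entry, and allocation pops FirstFree, zeroes the entry and marks it RESTART_ENTRY_ALLOCATED. The names model_init, model_index_ok and model_allocate are hypothetical, and the bounds/alignment check on the index is an addition of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RESTART_ENTRY_ALLOCATED 0xFFFFFFFFu

/* Header layout copied from the dx output above (0x18 bytes). */
typedef struct {
    uint16_t EntrySize, NumberEntries, NumberAllocated, Reserved[3];
    uint32_t FreeGoal, FirstFree, LastFree;
} RESTART_TABLE;

/* Hypothetical helper: build an empty table whose free entries are chained
   through their first ULONG, matching the dt output in parts 3 and 4. */
RESTART_TABLE *model_init(uint16_t entry_size, uint16_t count) {
    uint32_t hdr = sizeof(RESTART_TABLE), off;
    RESTART_TABLE *t;
    if (entry_size < 4 || count == 0) return NULL;
    t = calloc(1, hdr + (size_t)entry_size * count);
    if (!t) return NULL;
    t->EntrySize = entry_size; t->NumberEntries = count;
    t->FreeGoal = 0xFFFFFFFFu;
    t->FirstFree = hdr;                                   /* 0x18 */
    t->LastFree = hdr + (uint32_t)entry_size * (count - 1u);
    for (off = hdr; off < t->LastFree; off += entry_size)
        *(uint32_t *)((char *)t + off) = off + entry_size; /* next free */
    return t;                       /* last entry keeps 0: end of list */
}

/* Bounds and alignment check on an index (addition of this example). */
int model_index_ok(const RESTART_TABLE *t, uint32_t idx) {
    uint32_t hdr = sizeof(RESTART_TABLE);
    uint32_t last = hdr + (uint32_t)t->EntrySize * (t->NumberEntries - 1u);
    return idx >= hdr && idx <= last && (idx - hdr) % t->EntrySize == 0;
}

/* Model of the allocation path traced above: pop FirstFree, zero the entry,
   mark it allocated. Returns 0 when the index cannot be used. */
uint32_t model_allocate(RESTART_TABLE *t) {
    uint32_t idx = t->FirstFree, *entry;
    if (!model_index_ok(t, idx)) return 0;
    entry = (uint32_t *)((char *)t + idx);  /* GetRestartEntryFromIndex */
    t->FirstFree = *entry;                  /* dequeue: 0x18 -> 0x44 */
    memset(entry, 0, t->EntrySize);
    *entry = RESTART_ENTRY_ALLOCATED;
    t->NumberAllocated += 1;
    return idx;
}
```

Calling model_init(0x2c, 0x20) followed by one model_allocate reproduces the header values shown in parts 1 and 5.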