Analysis of the Ntfs!NtfsFreeRestartTableIndex function
Part 1:
0: kd> p
Ntfs!NtfsCommitCurrentTransaction+0x25c:
f7178ca6 e88785fcff call Ntfs!NtfsFreeRestartTableIndex (f7141232)
0: kd> t
Ntfs!NtfsFreeRestartTableIndex:
f7141232 55 push ebp
0: kd> kc
#
00 Ntfs!NtfsFreeRestartTableIndex
01 Ntfs!NtfsCommitCurrentTransaction
02 Ntfs!NtfsCompleteRequest
03 Ntfs!NtfsMountVolume
04 Ntfs!NtfsCommonFileSystemControl
05 Ntfs!NtfsFspDispatch
06 nt!ExpWorkerThread
07 nt!PspSystemThreadStartup
08 nt!KiThreadStartup
0: kd> kv
# ChildEBP RetAddr Args to Child
00 f78d6a14 f7178cab 8962e368 00000018 00000000 Ntfs!NtfsFreeRestartTableIndex (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\logsup.c @ 4303]
01 f78d6ab0 f713e314 89797aa8 00000000 00000000 Ntfs!NtfsCommitCurrentTransaction+0x261 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\logsup.c @ 3414]
02 f78d6ac8 f719343a 89797aa8 894e2008 00000000 Ntfs!NtfsCompleteRequest+0x3a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\ntfsdata.c @ 1674]
03 f78d6cec f717c5aa 89797aa8 894e2008 89797aa8 Ntfs!NtfsMountVolume+0x1856 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 3174]
04 f78d6d04 f71484b0 89797aa8 894e2008 8999d020 Ntfs!NtfsCommonFileSystemControl+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 837]
05 f78d6d80 80af2bb9 89797aa8 00000000 8999d020 Ntfs!NtfsFspDispatch+0x1fe (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fspdisp.c @ 336]
06 f78d6dac 80d391f0 89797aa8 00000000 00000000 nt!ExpWorkerThread+0x10f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\worker.c @ 1153]
07 f78d6ddc 80b00d52 80af2aaa 00000000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
08 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
0: kd> dv
TablePointer = 0x8962e368
Index = 0x18
LockHandle = struct _KLOCK_QUEUE_HANDLE
0: kd> dx -r1 ((Ntfs!_RESTART_POINTERS *)0x8962e368)
((Ntfs!_RESTART_POINTERS *)0x8962e368) : 0x8962e368 [Type: _RESTART_POINTERS *]
[+0x000] Resource [Type: _ERESOURCE]
[+0x038] Table : 0x899c5380 [Type: _RESTART_TABLE *]
[+0x03c] SpinLock : 0x0 [Type: unsigned long]
[+0x040] ResourceInitialized : 0x1 [Type: unsigned char]
[+0x041] DrainPending : 0x0 [Type: unsigned char]
[+0x042] Unused [Type: unsigned char [6]]
0: kd> dx -r1 ((Ntfs!_RESTART_TABLE *)0x899c5380)
((Ntfs!_RESTART_TABLE *)0x899c5380) : 0x899c5380 [Type: _RESTART_TABLE *]
[+0x000] EntrySize : 0x28 [Type: unsigned short]
[+0x002] NumberEntries : 0x5 [Type: unsigned short]
[+0x004] NumberAllocated : 0x1 [Type: unsigned short]
[+0x006] Reserved [Type: unsigned short [3]]
[+0x00c] FreeGoal : 0xffffffff [Type: unsigned long]
[+0x010] FirstFree : 0x40 [Type: unsigned long]
[+0x014] LastFree : 0xb8 [Type: unsigned long]
Part 2:
Entry = GetRestartEntryFromIndex( TablePointer, Index );
/* Index is a byte offset from the start of the RESTART_TABLE, not an ordinal:
   the header is 0x18 bytes (LastFree at 0x14 + 4), so Index 0x18 is the first
   entry, which is why the dt below adds 0x18 to the table address. */
#define GetRestartEntryFromIndex(TBL,INDX) ( \
(PVOID)((PCHAR)(TBL)->Table + (INDX)) \
)
0: kd> dt _TRANSACTION_ENTRY 0x899c5380+18
Ntfs!_TRANSACTION_ENTRY
+0x000 AllocatedOrNextFree : 0xffffffff
+0x004 TransactionState : 0x1 ''
+0x005 Reserved : [3] ""
+0x008 FirstLsn : _LARGE_INTEGER 0x80ee20e
+0x010 PreviousLsn : _LARGE_INTEGER 0x80ee239
+0x018 UndoNextLsn : _LARGE_INTEGER 0x0
+0x020 UndoRecords : 1
+0x024 UndoBytes : 0n96
Part 3:
if (Table->LastFree == 0) {
Table->LastFree = Index;
}
0: kd> p
Ntfs!NtfsFreeRestartTableIndex+0xa7:
f71412d9 837e1400 cmp dword ptr [esi+14h],0
0: kd> r
eax=00000040 ebx=899c5398 ecx=8962e3a4 edx=00000000 esi=899c5380
if (Index < Table->FreeGoal) {          /* guarded by FreeGoal; 0xffffffff here, so always taken */
    *Entry = Table->FirstFree;          /* entry's AllocatedOrNextFree := old head (eax = 0x40 above) */
    ASSERT( Index != RESTART_ENTRY_ALLOCATED );
    Table->FirstFree = Index;           /* the freed index (0x18) becomes the new head */
    if (Table->LastFree == 0) {         /* cmp dword ptr [esi+14h],0 above: esi = Table, +0x14 = LastFree */
        Table->LastFree = Index;        /* list was empty, so the freed entry is also the tail */
    }
}
Part 4:
0: kd> dx -r1 ((Ntfs!_RESTART_TABLE *)0x899c5380)
((Ntfs!_RESTART_TABLE *)0x899c5380) : 0x899c5380 [Type: _RESTART_TABLE *]
[+0x000] EntrySize : 0x28 [Type: unsigned short]
[+0x002] NumberEntries : 0x5 [Type: unsigned short]
[+0x004] NumberAllocated : 0x0 [Type: unsigned short]
[+0x006] Reserved [Type: unsigned short [3]]
[+0x00c] FreeGoal : 0xffffffff [Type: unsigned long]
[+0x010] FirstFree : 0x18 [Type: unsigned long]
[+0x014] LastFree : 0xb8 [Type: unsigned long]
0: kd> dt _TRANSACTION_ENTRY 0x899c5380+18
Ntfs!_TRANSACTION_ENTRY
+0x000 AllocatedOrNextFree : 0x40
+0x004 TransactionState : 0x1 ''
+0x005 Reserved : [3] ""
+0x008 FirstLsn : _LARGE_INTEGER 0x80ee20e
+0x010 PreviousLsn : _LARGE_INTEGER 0x80ee239
+0x018 UndoNextLsn : _LARGE_INTEGER 0x0
+0x020 UndoRecords : 1
+0x024 UndoBytes : 0n96
0: kd> dt _TRANSACTION_ENTRY 0x899c5380+18+28*2
Ntfs!_TRANSACTION_ENTRY
+0x000 AllocatedOrNextFree : 0x90
+0x004 TransactionState : 0 ''
+0x005 Reserved : [3] ""
+0x008 FirstLsn : _LARGE_INTEGER 0x0
+0x010 PreviousLsn : _LARGE_INTEGER 0x0
+0x018 UndoNextLsn : _LARGE_INTEGER 0x0
+0x020 UndoRecords : 0
+0x024 UndoBytes : 0n0
0: kd> dt _TRANSACTION_ENTRY 0x899c5380+18+28*3
Ntfs!_TRANSACTION_ENTRY
+0x000 AllocatedOrNextFree : 0xb8
+0x004 TransactionState : 0 ''
+0x005 Reserved : [3] ""
+0x008 FirstLsn : _LARGE_INTEGER 0x0
+0x010 PreviousLsn : _LARGE_INTEGER 0x0
+0x018 UndoNextLsn : _LARGE_INTEGER 0x0
+0x020 UndoRecords : 0
+0x024 UndoBytes : 0n0
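The dumps in Part 1 and Part 4 show the whole effect of the free: FirstFree goes 0x40 -> 0x18, the freed entry's AllocatedOrNextFree goes 0xffffffff -> 0x40 (the old head), NumberAllocated goes 1 -> 0, and LastFree stays 0xb8. The following is an added C model of the restart table's free list that replays exactly that sequence; it is my own code for this page, not Ntfs source. The header and entry layout come from the dx/dt output above; the initial threading of the free list, the allocation policy, the Index >= FreeGoal path, and the consistency checker are my assumptions. The checker is the part a practitioner wants when reading such a dump: GetRestartEntryFromIndex is plain pointer arithmetic on a value read from the table itself, so a corrupted FirstFree or AllocatedOrNextFree link (misaligned, past the end, or cyclic) would be followed without any bounds check, and the walk below rejects exactly those links.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>

#define RESTART_ENTRY_ALLOCATED 0xFFFFFFFFu

/* Header layout as shown by dx: EntrySize @0, NumberEntries @2, NumberAllocated @4,
   FreeGoal @0xc, FirstFree @0x10, LastFree @0x14; 0x18 bytes in total. */
typedef struct _RESTART_TABLE {
    uint16_t EntrySize;
    uint16_t NumberEntries;
    uint16_t NumberAllocated;
    uint16_t Reserved[3];
    uint32_t FreeGoal;
    uint32_t FirstFree;
    uint32_t LastFree;
} RESTART_TABLE;
_Static_assert(sizeof(RESTART_TABLE) == 0x18, "header must be 0x18 bytes");
#define RESTART_TABLE_HEADER ((uint32_t)sizeof(RESTART_TABLE))

/* First dword of every entry (AllocatedOrNextFree in _TRANSACTION_ENTRY);
   the remaining EntrySize-4 bytes are payload this model never touches. */
typedef struct _ENTRY_HDR { uint32_t AllocatedOrNextFree; } ENTRY_HDR;

/* Same arithmetic as the page's macro, but taking the RESTART_TABLE directly
   instead of RESTART_POINTERS->Table. Note: no bounds check of INDX. */
#define GetRestartEntryFromIndex(TBL, INDX) ((ENTRY_HDR *)((char *)(TBL) + (INDX)))

/* Build a table with every entry threaded onto the free list (assumed initial state). */
RESTART_TABLE *restart_table_create(uint16_t entry_size, uint16_t count) {
    RESTART_TABLE *t = calloc(1, RESTART_TABLE_HEADER + (size_t)entry_size * count);
    if (t == NULL) return NULL;
    t->EntrySize = entry_size;
    t->NumberEntries = count;
    t->FreeGoal = 0xFFFFFFFFu;                    /* as in the dump: no shrink goal */
    for (uint32_t i = 0; i < count; i++) {
        uint32_t idx = RESTART_TABLE_HEADER + i * entry_size;
        GetRestartEntryFromIndex(t, idx)->AllocatedOrNextFree =
            (i + 1 < count) ? idx + entry_size : 0;   /* 0 terminates the list */
    }
    t->FirstFree = RESTART_TABLE_HEADER;
    t->LastFree = RESTART_TABLE_HEADER + (uint32_t)(count - 1) * entry_size;
    return t;
}

/* Pop the head of the free list (assumed allocation policy). Returns 0 when empty. */
uint32_t restart_alloc_index(RESTART_TABLE *t) {
    uint32_t idx = t->FirstFree;
    if (idx == 0) return 0;
    ENTRY_HDR *e = GetRestartEntryFromIndex(t, idx);
    t->FirstFree = e->AllocatedOrNextFree;
    if (t->FirstFree == 0) t->LastFree = 0;
    e->AllocatedOrNextFree = RESTART_ENTRY_ALLOCATED;
    t->NumberAllocated++;
    return idx;
}

/* The branch of NtfsFreeRestartTableIndex shown in Part 3, plus the NumberAllocated
   decrement visible in Part 4. The Index >= FreeGoal path is an assumption. */
void restart_free_index(RESTART_TABLE *t, uint32_t idx) {
    ENTRY_HDR *e = GetRestartEntryFromIndex(t, idx);
    assert(e->AllocatedOrNextFree == RESTART_ENTRY_ALLOCATED);  /* double-free guard (added) */
    if (idx < t->FreeGoal) {
        e->AllocatedOrNextFree = t->FirstFree;    /* *Entry = Table->FirstFree */
        assert(idx != RESTART_ENTRY_ALLOCATED);
        t->FirstFree = idx;                       /* freed index becomes the head */
        if (t->LastFree == 0) t->LastFree = idx;  /* list was empty */
    } else {
        e->AllocatedOrNextFree = 0;               /* assumed: released, not relinked */
    }
    t->NumberAllocated--;
}

/* Walk the free list as a reviewer of the dump would: every link must be an
   entry-aligned offset inside the table, the list must not cycle, and the
   counters must agree. Returns 1 if consistent, 0 if corrupt. */
int restart_table_check(const RESTART_TABLE *t) {
    uint32_t size = RESTART_TABLE_HEADER + (uint32_t)t->EntrySize * t->NumberEntries;
    uint32_t idx = t->FirstFree, nfree = 0, last = 0;
    while (idx != 0) {
        if (idx < RESTART_TABLE_HEADER || idx + t->EntrySize > size ||
            (idx - RESTART_TABLE_HEADER) % t->EntrySize != 0)
            return 0;                                  /* outside table or misaligned */
        if (++nfree > t->NumberEntries) return 0;      /* cycle */
        last = idx;
        idx = ((const ENTRY_HDR *)((const char *)t + idx))->AllocatedOrNextFree;
    }
    return nfree + t->NumberAllocated == t->NumberEntries && t->LastFree == last;
}

/* Replays Parts 1 and 4: 5 entries of 0x28 bytes, index 0x18 allocated, then freed. */
int replay_page_scenario(void) {
    RESTART_TABLE *t = restart_table_create(0x28, 5);
    if (t == NULL) return 0;
    uint32_t idx = restart_alloc_index(t);
    int ok = idx == 0x18 && t->FirstFree == 0x40 && t->LastFree == 0xb8 &&
             t->NumberAllocated == 1 && restart_table_check(t);
    restart_free_index(t, idx);
    ok = ok && t->FirstFree == 0x18 && t->LastFree == 0xb8 && t->NumberAllocated == 0 &&
         GetRestartEntryFromIndex(t, 0x18)->AllocatedOrNextFree == 0x40 &&
         GetRestartEntryFromIndex(t, 0x68)->AllocatedOrNextFree == 0x90 &&
         GetRestartEntryFromIndex(t, 0x90)->AllocatedOrNextFree == 0xb8 &&
         restart_table_check(t);
    free(t);
    return ok;
}

/* A misaligned head or a link past the end of the table must be rejected. */
int corrupt_links_are_rejected(void) {
    RESTART_TABLE *t = restart_table_create(0x28, 5);
    if (t == NULL) return 0;
    int ok = restart_table_check(t);
    t->FirstFree = 0x19;                                             /* misaligned */
    ok = ok && !restart_table_check(t);
    t->FirstFree = 0x18;
    GetRestartEntryFromIndex(t, 0xb8)->AllocatedOrNextFree = 0x200;  /* past the end */
    ok = ok && !restart_table_check(t);
    free(t);
    return ok;
}
```

replay_page_scenario() returns 1, meaning the model yields the same FirstFree, LastFree, NumberAllocated and per-entry link values that the Part 4 dumps show; the real driver additionally takes the RESTART_POINTERS spin lock (the LockHandle local in the dv output), which this single-threaded model leaves out.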