Ntfs!NtfsReadBootSector函数分析之nt!CcGetVacbMiss中得到一个nt!_VACB结构
第一部分:
1: kd> g
Breakpoint 3 hit
nt!CcGetVacbMiss:
80a1a19e 6a30 push 30h
1: kd> kc
#
00 nt!CcGetVacbMiss
01 nt!CcGetVirtualAddress
02 nt!CcMapData
03 Ntfs!NtfsMapStream
04 Ntfs!NtfsReadBootSector Ntfs!NtfsReadBootSector
05 Ntfs!NtfsMountVolume
06 Ntfs!NtfsCommonFileSystemControl
07 Ntfs!NtfsFspDispatch
08 nt!ExpWorkerThread
09 nt!PspSystemThreadStartup
0a nt!KiThreadStartup
1: kd> kv
# ChildEBP RetAddr Args to Child
00 f78d6994 80a1a947 89901cc8 00000000 00000000 nt!CcGetVacbMiss (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\vacbsup.c @ 492]
01 f78d69c0 80bf97f1 89901d98 00000000 00000000 nt!CcGetVirtualAddress+0xc7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\vacbsup.c @ 414]
02 f78d6a28 f7171729 899c41b0 f78d6a64 00000200 nt!CcMapData+0x89 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\pinsup.c @ 191]
03 f78d6a54 f7196c08 895de328 898ffa10 00000000 Ntfs!NtfsMapStream+0xaf (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\cachesup.c @ 625]
04 f78d6ac0 f7191e0a 895de328 898fe7f8 f78d6c80 Ntfs!NtfsReadBootSector+0x15a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 5143]
05 f78d6cec f717c5aa 895de328 89456310 895de328 Ntfs!NtfsMountVolume+0x226 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 1307]
06 f78d6d04 f71484b0 895de328 89456310 8999d020 Ntfs!NtfsCommonFileSystemControl+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 837]
07 f78d6d80 80af2bb9 895de328 00000000 8999d020 Ntfs!NtfsFspDispatch+0x1fe (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fspdisp.c @ 336]
08 f78d6dac 80d391f0 895de328 00000000 00000000 nt!ExpWorkerThread+0x10f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\worker.c @ 1153]
09 f78d6ddc 80b00d52 80af2aaa 00000000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
0a 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
第二部分:
1: kd> dt SHARED_CACHE_MAP 89901cc8
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x2200
+0x010 BcbList : _LIST_ENTRY [ 0x89901cd8 - 0x89901cd8 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] (null)
+0x040 Vacbs : 0x89901cf8 -> (null) +0x040 Vacbs : 0x89901cf8
+0x044 FileObject : 0x899c41b0 _FILE_OBJECT
+0x048 ActiveVacb : (null)
+0x04c NeedToZero : (null)
+0x050 ActivePage : 0
+0x054 NeedToZeroPage : 0
+0x058 ActiveVacbSpinLock : 0
+0x05c VacbActiveCount : 0 +0x05c VacbActiveCount : 0
1: kd> dd 0x89901cf8
89901cf8 00000000 00000000 00000000 00000000
89901d08 89901cf8 899c41b0 00000000 00000000
89901d18 00000000 00000000 00000000 00000000
89901d28 00000000 80b1cbd0 80b1cbd0 00000204
PVACB
CcGetVacbMiss (
IN PSHARED_CACHE_MAP SharedCacheMap,
IN LARGE_INTEGER FileOffset,
IN OUT PKIRQL OldIrql
)
1: kd> dv
SharedCacheMap = 0x89901cc8
FileOffset = {0}
OldIrql = 0xf78d69bf ""
//
// Mark it in use so no one else will muck with it after
// we release the spin lock.
//
Vacb->Overlay.ActiveCount = 1;
SharedCacheMap->VacbActiveCount += 1;
第三部分:预先分析
Vacb = CONTAINING_RECORD( CcVacbFreeList.Flink, VACB, LruList );
CcMoveVacbToReuseTail( Vacb );
1: kd> x nt!CcVacbFreeList
80b1cb58 nt!CcVacbFreeList = struct _LIST_ENTRY [ 0x89988010 - 0x89993fc8 ]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89988010 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89993fc8 [Type: _LIST_ENTRY *]
1: kd> dt _vacb 0x89988010-10
nt!_VACB
+0x000 BaseAddress : (null)
+0x004 SharedCacheMap : (null)
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x89988028 - 0x80b1cb58 ]
#define CcMoveVacbToReuseTail(V) RemoveEntryList( &(V)->LruList ); \
InsertTailList( &CcVacbLru, &(V)->LruList );
1: kd> x nt!CcVacbLru
80b1cb60 nt!CcVacbLru = struct _LIST_ENTRY [ 0x80b1cb60 - 0x80b1cb60 ]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb60))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb60)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x80b1cb60 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x80b1cb60 [Type: _LIST_ENTRY *]
第四部分:调试过程
Vacb = CONTAINING_RECORD( CcVacbFreeList.Flink, VACB, LruList ); //之后
dv
Vacb = 0x89988000
1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988000)
((ntkrnlmp!_VACB *)0x89988000) : 0x89988000 [Type: _VACB *]
[+0x000] BaseAddress : 0x0 [Type: void *]
[+0x004] SharedCacheMap : 0x0 [Type: _SHARED_CACHE_MAP *]
[+0x008] Overlay [Type: __unnamed]
[+0x010] LruList [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x89988010))
(*((ntkrnlmp!_LIST_ENTRY *)0x89988010)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89988028 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x80b1cb58 [Type: _LIST_ENTRY *]
CcMoveVacbToReuseTail( Vacb ); //之后
1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988000)
((ntkrnlmp!_VACB *)0x89988000) : 0x89988000 [Type: _VACB *]
[+0x000] BaseAddress : 0x0 [Type: void *]
[+0x004] SharedCacheMap : 0x0 [Type: _SHARED_CACHE_MAP *]
[+0x008] Overlay [Type: __unnamed]
[+0x010] LruList [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x89988010))
(*((ntkrnlmp!_LIST_ENTRY *)0x89988010)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x80b1cb60 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x80b1cb60 [Type: _LIST_ENTRY *]
1: kd> x nt!CcVacbLru
80b1cb60 nt!CcVacbLru = struct _LIST_ENTRY [ 0x89988010 - 0x89988010 ]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb60))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb60)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89988010 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89988010 [Type: _LIST_ENTRY *]