Part 1:
0: kd> dt _FILE_RECORD_SEGMENT_HEADER 0xc1241400
Ntfs!_FILE_RECORD_SEGMENT_HEADER
   +0x000 MultiSectorHeader : _MULTI_SECTOR_HEADER
   +0x008 Lsn              : _LARGE_INTEGER 0x80e74aa
   +0x010 SequenceNumber   : 5
   +0x012 ReferenceCount   : 1
   +0x014 FirstAttributeOffset : 0x38
   +0x016 Flags            : 3
   +0x018 FirstFreeByte    : 0x2b8
   +0x01c BytesAvailable   : 0x400
   +0x020 BaseFileRecordSegment : _MFT_SEGMENT_REFERENCE
   +0x028 NextAttributeInstance : 0xa
   +0x02a SegmentNumberHighPart : 0
   +0x02c SegmentNumberLowPart : 5
   +0x030 UpdateArrayForCreateOnly : [1] 0x131
0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x10
   +0x004 RecordLength     : 0x48
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 0
   +0x010 Form             : __unnamed
0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x30
   +0x004 RecordLength     : 0x60
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 1
   +0x010 Form             : __unnamed
0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x40
   +0x004 RecordLength     : 0x28
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0
   +0x00c Flags            : 0
   +0x00e Instance         : 9
   +0x010 Form             : __unnamed
0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x50
   +0x004 RecordLength     : 0x48
   +0x008 FormCode         : 0x1 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x40
   +0x00c Flags            : 0
   +0x00e Instance         : 2
   +0x010 Form             : __unnamed
0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28+48
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x90
   +0x004 RecordLength     : 0xe0
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 6
   +0x010 Form             : __unnamed
0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28+48+e0
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0xa0
   +0x004 RecordLength     : 0x58
   +0x008 FormCode         : 0x1 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x40
   +0x00c Flags            : 0
   +0x00e Instance         : 8
   +0x010 Form             : __unnamed
0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28+48+e0+58
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0xb0
   +0x004 RecordLength     : 0x28
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 7
   +0x010 Form             : __unnamed
0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28+48+e0+58+28
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0xffffffff
   +0x004 RecordLength     : 0
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0
   +0x00c Flags            : 0
   +0x00e Instance         : 0
   +0x010 Form             : __unnamed
Part 2:
0: kd> db 0xc1241400+38+48+60+28+48+e0+58
c1241688  b0 00 00 00 28 00 00 00-00 04 18 00 00 00 07 00  ....(...........
c1241698  08 00 00 00 20 00 00 00-24 00 49 00 33 00 30 00  .... ...$.I.3.0.
c12416a8  03 00 00 00 00 00 00 00-ff ff ff ff 00 00 00 00  ................
c12416b8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c12416c8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c12416d8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c12416e8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c12416f8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c12416a8  03 00 00 00 00
0011 0000 0000 0000    indicates that the first VCN and the second VCN are both in use
Part 3:
0: kd> db 0xc1241400+38+48+60+28+48+e0
c1241630  a0 00 00 00 58 00 00 00-01 04 40 00 00 00 08 00  ....X.....@.....
c1241640  00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00  ................
c1241650  48 00 00 00 00 00 00 00-00 20 00 00 00 00 00 00  H........ ......
c1241660  00 20 00 00 00 00 00 00-00 20 00 00 00 00 00 00  . ....... ......
c1241670  24 00 49 00 33 00 30 00-31 01 5d 71 51 31 01 8c  $.I.3.0.1.]qQ1..
c1241680  6a b0 00 e1 48 d9 17 ba-b0 00 00 00 28 00 00 00  j...H.......(...
c1241690  00 04 18 00 00 00 07 00-08 00 00 00 20 00 00 00  ............ ...
c12416a0  24 00 49 00 33 00 30 00-03 00 00 00 00 00 00 00  $.I.3.0.........
31 01 5d 71 51    length is 1; 0x51715d is the LCN number
31 01 8c 6a b0    length is 1; 0xb06a8c is the LCN number
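Added example, not part of the original notes: it walks the attribute bytes dumped in Parts 2 and 3 the same way Part 1 steps by RecordLength, decodes the $I30 mapping pairs of the 0xa0 attribute, and pairs each VCN with its bit in the 0xb0 bitmap. In the mapping-pairs encoding the offset field of each run is a signed delta from the previous run's LCN, so the decoder accumulates it. The function names are made up for this example, and it assumes one index buffer per cluster (BlocksPerIndexBuffer is 1 in Part 4) and a LowestVcn of 0.

```python
import struct

# Bytes c1241630..c12416b7 from this page's db dumps: 0xa0, 0xb0, end marker.
DUMP = bytes.fromhex(
    "a0000000 58000000 01044000 00000800 00000000 00000000 01000000 00000000"
    "48000000 00000000 00200000 00000000 00200000 00000000 00200000 00000000"
    "24004900 33003000 31015d71 5131018c 6ab000e1 48d917ba b0000000 28000000"
    "00041800 00000700 08000000 20000000 24004900 33003000 03000000 00000000"
    "ffffffff 00000000")

def walk_attributes(buf):
    """Yield (offset, TypeCode, RecordLength); reject lengths that stall or overrun."""
    off = 0
    while off + 8 <= len(buf):
        type_code, length = struct.unpack_from("<II", buf, off)
        if type_code == 0xFFFFFFFF:
            return
        if length < 0x18 or length % 8 or off + length > len(buf):
            raise ValueError(f"bad RecordLength {length:#x} at {off:#x}")
        yield off, type_code, length
        off += length
    raise ValueError("end marker not found")

def decode_runs(buf, pos, end):
    """Decode mapping pairs to (clusters, lcn); each offset is a signed delta."""
    runs, lcn = [], 0
    while pos < end and buf[pos]:
        len_sz, off_sz = buf[pos] & 0xF, buf[pos] >> 4
        nxt = pos + 1 + len_sz + off_sz
        if nxt > end:
            raise ValueError("run crosses the attribute boundary")
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(buf[pos + 1 + len_sz:nxt], "little", signed=True)
        runs.append((count, lcn if off_sz else None))  # no offset: sparse run
        pos = nxt
    return runs

def index_blocks(buf):
    """Return (vcn, lcn, in_use) per cluster of the 0xa0 attribute."""
    runs, bitmap = [], b""
    for off, type_code, length in walk_attributes(buf):
        if type_code == 0xA0 and buf[off + 8] == 1:    # non-resident form
            pairs = struct.unpack_from("<H", buf, off + 0x20)[0]
            runs = decode_runs(buf, off + pairs, off + length)
        elif type_code == 0xB0 and buf[off + 8] == 0:  # resident form
            vlen, voff = struct.unpack_from("<IH", buf, off + 0x10)
            bitmap = buf[off + voff:off + voff + vlen]
    lcns = [lcn if lcn is None else lcn + i for n, lcn in runs for i in range(n)]
    return [(v, l, bool(bitmap[v // 8] >> (v % 8) & 1)) for v, l in enumerate(lcns)]
```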
Part 4:
0: kd> dt index_root 0xc1241400+38+48+60+28+48+20
Ntfs!INDEX_ROOT
   +0x000 IndexedAttributeType : 0x30
   +0x004 CollationRule    : 1
   +0x008 BytesPerIndexBuffer : 0x1000
   +0x00c BlocksPerIndexBuffer : 0x1 ''
   +0x00d Reserved         : [3]  ""
   +0x010 IndexHeader      : _INDEX_HEADER
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_INDEX_HEADER *)0xc1241580))
(*((Ntfs!_INDEX_HEADER *)0xc1241580))                 [Type: _INDEX_HEADER]
    [+0x000] FirstIndexEntry  : 0x10 [Type: unsigned long]
    [+0x004] FirstFreeByte    : 0xb0 [Type: unsigned long]
    [+0x008] BytesAvailable   : 0xb0 [Type: unsigned long]
    [+0x00c] Flags            : 0x1 [Type: unsigned char]
    [+0x00d] Reserved         [Type: unsigned char [3]]
0: kd> dt index_entry 0xc1241400+38+48+60+28+48+20+20
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xd4a
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x88
   +0x00a AttributeLength  : 0x6e
   +0x00c Flags            : 1    // index node VCN: 00000000 00000000
   +0x00e Reserved         : 0
0: kd> dd 0xc1241400+38+48+60+28+48+20+20+88-8
c1241610  00000000 00000000 00000000 00000000
c1241620  00000018 00000003 00000001 00000000
c1241630  000000a0 00000058 00400401 00080000
c1241640  00000000 00000000 00000001 00000000
c1241650  00000048 00000000 00002000 00000000
c1241660  00002000 00000000 00002000 00000000
c1241670  00490024 00300033 715d0131 8c013151
c1241680  e100b06a ba17d948 000000b0 00000028
0: kd> dt index_entry 0xc1241400+38+48+60+28+48+20+20+88
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0
   +0x008 Length           : 0x18
   +0x00a AttributeLength  : 0
   +0x00c Flags            : 3    // index node VCN: c1241628  00000001 00000000
   +0x00e Reserved         : 0
0: kd> dd 0xc1241400+38+48+60+28+48+20+20+88+18-8
c1241628  00000001 00000000 000000a0 00000058
c1241638  00400401 00080000 00000000 00000000
c1241648  00000001 00000000 00000048 00000000
c1241658  00002000 00000000 00002000 00000000
c1241668  00002000 00000000 00490024 00300033
c1241678  715d0131 8c013151 e100b06a ba17d948
c1241688  000000b0 00000028 00180400 00070000
c1241698  00000008 00000020 00490024 00300033