第一部分:MmMapViewInSystemCache函數返回
??????? Status = MmMapViewInSystemCache (SharedCacheMap->Section,
???????????????????????????????????????? &Vacb->BaseAddress,
???????????????????????????????????????? &NormalOffset,
???????????????????????????????????????? &MappedLength.LowPart);
NTSTATUS
MmMapViewInSystemCache (
??? IN PVOID SectionToMap,
??? OUT PVOID *CapturedBase,
??? IN OUT PLARGE_INTEGER SectionOffset,
??? IN OUT PULONG CapturedViewSize
??? )
第二部分:(ntkrnlmp!_VACB *)0x89988000結構中的BaseAddress????? : 0xc1080000
1: kd> p
nt!MmMapViewInSystemCache+0x51e:
80aaf210 c21000????????? ret???? 10h
1: kd> p
nt!CcGetVacbMiss+0x300:
80a1a49e 8945d4????????? mov???? dword ptr [ebp-2Ch],eax
1: kd> dv
?? SharedCacheMap = 0x89901cc8
?????? FileOffset = {0}
????????? OldIrql = 0xf78d69bf ""
????? PageIsDirty = 0x89901cc8
OldSharedCacheMap = 0xffffffff
???? NormalOffset = {0}
?????? ActiveVacb = 0x00000000
???????????? Vacb = 0x89988000
?????????? Status = 0n-141727208
?????? ActivePage = 0x30
???? MappedLength = {262144}
1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988000)
((ntkrnlmp!_VACB *)0x89988000)???????????????? : 0x89988000 [Type: _VACB *]
??? [+0x000] BaseAddress????? : 0xc1080000 [Type: void *]?? ??? ??? ??? ??? ?BaseAddress????? : 0xc1080000
??? [+0x004] SharedCacheMap?? : 0x0 [Type: _SHARED_CACHE_MAP *]
??? [+0x008] Overlay????????? [Type: __unnamed]
??? [+0x010] LruList????????? [Type: _LIST_ENTRY]
第三部分:
??? //
??? //? Finish filling in the Vacb, and store its address in the array in
??? //? the Shared Cache Map.? (We have to rewrite the ActiveCount
??? //? since it is overlaid.)? To do this we must reacquire the
??? //? spin lock one more time.? Note we have to check for the unusual
??? //? case that someone beat us to mapping this view, since we had to
??? //? drop the spin lock.
??? //
??? if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {
??????? Vacb->SharedCacheMap = SharedCacheMap;
??????? Vacb->Overlay.FileOffset = NormalOffset;
??????? Vacb->Overlay.ActiveCount = 1;
??????? SetVacb( SharedCacheMap, NormalOffset, Vacb );
#define GetVacb(SCM,OFF) (??????????????????????????????????????????????????????????????? \
??? ((SCM)->SectionSize.QuadPart > VACB_SIZE_OF_FIRST_LEVEL) ???????????????????????????? \
??? CcGetVacbLargeOffset((SCM),(OFF).QuadPart) :????????????????????????????????????????? \
??? (SCM)->Vacbs[(OFF).LowPart >> VACB_OFFSET_SHIFT]????????????????????????????????????? \
)
dv
???? NormalOffset = {0}
1: kd> p
nt!CcGetVacbMiss+0x4cb:
80a1a669 8b1c81????????? mov???? ebx,dword ptr [ecx+eax*4]
1: kd> r
eax=00000000 ebx=00000000 ecx=89901cf8
第四部分: ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL)
1: kd> dd 89901cf8
89901cf8? 00000000 00000000 00000000 00000000
89901d08? 89901cf8 899c41b0 00000000 00000000
89901d18? 00000000 00000000 00000000 00000001
89901d28? 00000000 80b1cbd0 80b1cbd0 00000204
89901d38? 00000000 00000000 e127a740 00000000
89901d48? 00000000 00000000 00000000 00000000
89901d58? f7169a2c 898ffa10 89901dec 89901dec
89901d68? 00000000 f718f6ec 00000000 00000000
1: kd> p
nt!CcGetVacbMiss+0x4ce:
80a1a66c 85db??????????? test??? ebx,ebx
1: kd> r
eax=00000000 ebx=00000000 ecx=89901cf8 edx=00000000 esi=89988000 edi=89901cc8
eip=80a1a66c esp=f78d6948 ebp=f78d6994 iopl=0???????? nv up ei pl zr na pe nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000246
nt!CcGetVacbMiss+0x4ce:
80a1a66c 85db??????????? test??? ebx,ebx
1: kd> p
nt!CcGetVacbMiss+0x4d0:
80a1a66e 7527??????????? jne???? nt!CcGetVacbMiss+0x4f9 (80a1a697)
89901cf8還沒有被設置現在設置Vacb!!!
第五部分:
??? if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {
??????? Vacb->SharedCacheMap = SharedCacheMap;
??????? Vacb->Overlay.FileOffset = NormalOffset;
??????? Vacb->Overlay.ActiveCount = 1;
??????? SetVacb( SharedCacheMap, NormalOffset, Vacb );
1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988000)
((ntkrnlmp!_VACB *)0x89988000)???????????????? : 0x89988000 [Type: _VACB *]
??? [+0x000] BaseAddress????? : 0xc1080000 [Type: void *]
??? [+0x004] SharedCacheMap?? : 0x89901cc8 [Type: _SHARED_CACHE_MAP *]
??? [+0x008] Overlay????????? [Type: __unnamed]
??? [+0x010] LruList????????? [Type: _LIST_ENTRY]
?? +0x008 Overlay????????? : __unnamed
????? +0x000 FileOffset?????? : _LARGE_INTEGER
???????? +0x000 LowPart????????? : Uint4B
???????? +0x004 HighPart???????? : Int4B
???????? +0x000 u??????????????? : __unnamed
???????? +0x000 QuadPart???????? : Int8B
????? +0x000 ActiveCount????? : Uint2B
1: kd> dd 0x89988000
89988000? c1080000 89901cc8 00000001 00000000
89988010? 80b1cb60 80b1cb60
第六部分:
1: kd> t
Breakpoint 2 hit
nt!SetVacb:
80a194a2 55????????????? push??? ebp
1: kd> kc
?#
00 nt!SetVacb
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!NtfsReadBootSector
06 Ntfs!NtfsMountVolume
07 Ntfs!NtfsCommonFileSystemControl
08 Ntfs!NtfsFspDispatch
09 nt!ExpWorkerThread
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup
1: kd> dv
?SharedCacheMap = 0x89901cc8
???????? Offset = {0}
?????????? Vacb = 0x89988000
??? } else if (Vacb < VACB_SPECIAL_FIRST_VALID) {
??????? SharedCacheMap->Vacbs[Offset.LowPart >> VACB_OFFSET_SHIFT] = Vacb;
??? }
#define VACB_OFFSET_SHIFT??????????????? (18)
第七部分:結果!!!
1: kd> dd 0x89901cf8
89901cf8? 89988000
1: kd> dt nt!_vacb 89988000
?? +0x000 BaseAddress????? : 0xc1080000 Void
?? +0x004 SharedCacheMap?? : 0x89901cc8 _SHARED_CACHE_MAP
?? +0x008 Overlay????????? : __unnamed
?? +0x010 LruList????????? : _LIST_ENTRY [ 0x80b1cb60 - 0x80b1cb60 ]
原來為0
1: kd> dd 89901cf8
89901cf8? 00000000 00000000 00000000 00000000
Teigha在CAD C#二次開發中的基本應用)
)
)
)
Java學習-5.19(地址管理,三級聯動,預支付))
