Part 1:
1: kd> g
Breakpoint 3 hit
nt!CcGetVacbMiss:
80a1a19e 6a30            push    30h
1: kd> kc
 #
00 nt!CcGetVacbMiss
01 nt!CcGetVirtualAddress
02 nt!CcMapData
03 Ntfs!NtfsMapStream
04 Ntfs!NtfsReadBootSector
05 Ntfs!NtfsMountVolume
06 Ntfs!NtfsCommonFileSystemControl
07 Ntfs!NtfsFspDispatch
08 nt!ExpWorkerThread
09 nt!PspSystemThreadStartup
0a nt!KiThreadStartup
1: kd> kv
 # ChildEBP RetAddr  Args to Child
00 f78d6994 80a1a947 89901cc8 00000000 00000000 nt!CcGetVacbMiss (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\vacbsup.c @ 492]
01 f78d69c0 80bf97f1 89901d98 00000000 00000000 nt!CcGetVirtualAddress+0xc7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\vacbsup.c @ 414]
02 f78d6a28 f7171729 899c41b0 f78d6a64 00000200 nt!CcMapData+0x89 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\pinsup.c @ 191]
03 f78d6a54 f7196c08 895de328 898ffa10 00000000 Ntfs!NtfsMapStream+0xaf (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\cachesup.c @ 625]
04 f78d6ac0 f7191e0a 895de328 898fe7f8 f78d6c80 Ntfs!NtfsReadBootSector+0x15a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 5143]
05 f78d6cec f717c5aa 895de328 89456310 895de328 Ntfs!NtfsMountVolume+0x226 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 1307]
06 f78d6d04 f71484b0 895de328 89456310 8999d020 Ntfs!NtfsCommonFileSystemControl+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 837]
07 f78d6d80 80af2bb9 895de328 00000000 8999d020 Ntfs!NtfsFspDispatch+0x1fe (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fspdisp.c @ 336]
08 f78d6dac 80d391f0 895de328 00000000 00000000 nt!ExpWorkerThread+0x10f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\worker.c @ 1153]
09 f78d6ddc 80b00d52 80af2aaa 00000000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
0a 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
Part 2:
1: kd> dt SHARED_CACHE_MAP 89901cc8
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2200
   +0x010 BcbList          : _LIST_ENTRY [ 0x89901cd8 - 0x89901cd8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] (null)
   +0x040 Vacbs            : 0x89901cf8  -> (null)
   +0x044 FileObject       : 0x899c41b0 _FILE_OBJECT
   +0x048 ActiveVacb       : (null)
   +0x04c NeedToZero       : (null)
   +0x050 ActivePage       : 0
   +0x054 NeedToZeroPage   : 0
   +0x058 ActiveVacbSpinLock : 0
   +0x05c VacbActiveCount  : 0
1: kd> dd 0x89901cf8
89901cf8  00000000 00000000 00000000 00000000
89901d08  89901cf8 899c41b0 00000000 00000000
89901d18  00000000 00000000 00000000 00000000
89901d28  00000000 80b1cbd0 80b1cbd0 00000204
PVACB
CcGetVacbMiss (
    IN PSHARED_CACHE_MAP SharedCacheMap,
    IN LARGE_INTEGER FileOffset,
    IN OUT PKIRQL OldIrql
    )
1: kd> dv
   SharedCacheMap = 0x89901cc8
       FileOffset = {0}
          OldIrql = 0xf78d69bf ""
    //
    //  Mark it in use so no one else will muck with it after
    //  we release the spin lock.
    //
    Vacb->Overlay.ActiveCount = 1;
    SharedCacheMap->VacbActiveCount += 1;
Part 3: Preliminary analysis
        Vacb = CONTAINING_RECORD( CcVacbFreeList.Flink, VACB, LruList );
        CcMoveVacbToReuseTail( Vacb );
1: kd> x nt!CcVacbFreeList
80b1cb58          nt!CcVacbFreeList = struct _LIST_ENTRY [ 0x89988010 - 0x89993fc8 ]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89988010 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89993fc8 [Type: _LIST_ENTRY *]
1: kd> dt _vacb 0x89988010-10
nt!_VACB
   +0x000 BaseAddress      : (null)
   +0x004 SharedCacheMap   : (null)
   +0x008 Overlay          : __unnamed
   +0x010 LruList          : _LIST_ENTRY [ 0x89988028 - 0x80b1cb58 ]
#define CcMoveVacbToReuseTail(V)        RemoveEntryList( &(V)->LruList );                 \
                                        InsertTailList( &CcVacbLru, &(V)->LruList );
1: kd> x nt!CcVacbLru
80b1cb60          nt!CcVacbLru = struct _LIST_ENTRY [ 0x80b1cb60 - 0x80b1cb60 ]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb60))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb60))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x80b1cb60 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x80b1cb60 [Type: _LIST_ENTRY *]
Part 4: Debugging process
        Vacb = CONTAINING_RECORD( CcVacbFreeList.Flink, VACB, LruList );    // after this statement
dv
             Vacb = 0x89988000
1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988000)
((ntkrnlmp!_VACB *)0x89988000)                 : 0x89988000 [Type: _VACB *]
    [+0x000] BaseAddress      : 0x0 [Type: void *]
    [+0x004] SharedCacheMap   : 0x0 [Type: _SHARED_CACHE_MAP *]
    [+0x008] Overlay          [Type: __unnamed]
    [+0x010] LruList          [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x89988010))
(*((ntkrnlmp!_LIST_ENTRY *)0x89988010))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89988028 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x80b1cb58 [Type: _LIST_ENTRY *]
        CcMoveVacbToReuseTail( Vacb );        // after this statement
1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988000)
((ntkrnlmp!_VACB *)0x89988000)                 : 0x89988000 [Type: _VACB *]
    [+0x000] BaseAddress      : 0x0 [Type: void *]
    [+0x004] SharedCacheMap   : 0x0 [Type: _SHARED_CACHE_MAP *]
    [+0x008] Overlay          [Type: __unnamed]
    [+0x010] LruList          [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x89988010))
(*((ntkrnlmp!_LIST_ENTRY *)0x89988010))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x80b1cb60 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x80b1cb60 [Type: _LIST_ENTRY *]
1: kd> x nt!CcVacbLru
80b1cb60          nt!CcVacbLru = struct _LIST_ENTRY [ 0x89988010 - 0x89988010 ]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb60))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb60))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89988010 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89988010 [Type: _LIST_ENTRY *]