Ntfs!ReadIndexBuffer函數分析之根目錄讀取索引緩沖區的一個例子

Ntfs!ReadIndexBuffer函數分析之根目錄讀取索引緩沖區的一個例子


第一部分:

0: kd> p
Ntfs!ReadIndexBuffer+0xdc:
f7173962 e829f60300????? call??? Ntfs!NtfsCheckIndexBuffer (f71b2f90)
0: kd> t
Ntfs!NtfsCheckIndexBuffer:
f71b2f90 55????????????? push??? ebp
0: kd> kc
?#
00 Ntfs!NtfsCheckIndexBuffer
01 Ntfs!ReadIndexBuffer
02 Ntfs!FindNextIndexEntry
03 Ntfs!NtfsContinueIndexEnumeration
04 Ntfs!NtfsQueryDirectory
05 Ntfs!NtfsCommonDirectoryControl
06 Ntfs!NtfsFsdDirectoryControl
07 nt!IofCallDriver
08 nt!IopSynchronousServiceTail
09 nt!NtQueryDirectoryFile
0a nt!_KiSystemService
0b nt!ZwQueryDirectoryFile
0c nt!CcPfPrefetchDirectoryContents
0d nt!CcPfPrefetchMetadata
0e nt!CcPfBootWorker
0f nt!PspSystemThreadStartup
10 nt!KiThreadStartup
0: kd> dv
??????????? Scb = 0xe1363d20
??? IndexBuffer = 0xc14c1000

0: kd> dv
??????????? Scb = 0xe1363d20
??? IndexBuffer = 0xc14c1000
0: kd> dx -r1 ((Ntfs!_INDEX_ALLOCATION_BUFFER *)0xc14c1000)
((Ntfs!_INDEX_ALLOCATION_BUFFER *)0xc14c1000)???????????????? : 0xc14c1000 [Type: _INDEX_ALLOCATION_BUFFER *]
??? [+0x000] MultiSectorHeader [Type: _MULTI_SECTOR_HEADER]
??? [+0x008] Lsn????????????? : {124511565} [Type: _LARGE_INTEGER]
??? [+0x010] ThisBlock??????? : 1 [Type: __int64]
??? [+0x018] IndexHeader????? [Type: _INDEX_HEADER]
??? [+0x028] UpdateSequenceArray [Type: unsigned short [1]]
0: kd> dx -r1 (*((Ntfs!_INDEX_HEADER *)0xc14c1018))
(*((Ntfs!_INDEX_HEADER *)0xc14c1018))???????????????? [Type: _INDEX_HEADER]
??? [+0x000] FirstIndexEntry? : 0x28 [Type: unsigned long]
??? [+0x004] FirstFreeByte??? : 0x828 [Type: unsigned long]
??? [+0x008] BytesAvailable?? : 0xfe8 [Type: unsigned long]
??? [+0x00c] Flags??????????? : 0x0 [Type: unsigned char]
??? [+0x00d] Reserved???????? [Type: unsigned char [3]]


第二部分:


0: kd> dv
??????????? Scb = 0xe1363d20
??? IndexBuffer = 0xc14c1000
0: kd> dx -r1 ((Ntfs!_INDEX_ALLOCATION_BUFFER *)0xc14c1000)
((Ntfs!_INDEX_ALLOCATION_BUFFER *)0xc14c1000)???????????????? : 0xc14c1000 [Type: _INDEX_ALLOCATION_BUFFER *]
??? [+0x000] MultiSectorHeader [Type: _MULTI_SECTOR_HEADER]
??? [+0x008] Lsn????????????? : {124511565} [Type: _LARGE_INTEGER]
??? [+0x010] ThisBlock??????? : 1 [Type: __int64]
??? [+0x018] IndexHeader????? [Type: _INDEX_HEADER]
??? [+0x028] UpdateSequenceArray [Type: unsigned short [1]]
0: kd> dx -r1 (*((Ntfs!_INDEX_HEADER *)0xc14c1018))
(*((Ntfs!_INDEX_HEADER *)0xc14c1018))???????????????? [Type: _INDEX_HEADER]
??? [+0x000] FirstIndexEntry? : 0x28 [Type: unsigned long]
??? [+0x004] FirstFreeByte??? : 0x828 [Type: unsigned long]
??? [+0x008] BytesAvailable?? : 0xfe8 [Type: unsigned long]
??? [+0x00c] Flags??????????? : 0x0 [Type: unsigned char]
??? [+0x00d] Reserved???????? [Type: unsigned char [3]]


0: kd> dt index_entry 0xc14c1018+28
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xd4a
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x8 ''
?? +0x041 Flags??????????? : 0x2 ''
?? +0x042 FileName???????? : [1] 0x44
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1092))
(*((Ntfs!unsigned short (*)[1])0xc14c1092))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x44 [Type: unsigned short]
0: kd> db 0xc14c1092
c14c1092? 44 00 4f 00 43 00 55 00-4d 00 45 00 7e 00 31 00? D.O.C.U.M.E.~.1.
c14c10a2? 2e 00 43 00 4f 00 16 28-00 00 00 00 0e 00 68 00? ..C.O..(......h.
c14c10b2? 54 00 00 00 00 00 05 00-00 00 00 00 05 00 fe d9? T...............
c14c10c2? ee 98 50 27 db 01 76 ef-9a a1 b4 30 db 01 d4 44? ..P'..v....0...D
c14c10d2? b9 5b 60 62 db 01 1e d6-3b b7 23 63 db 01 a0 00? .[`b....;.#c....
c14c10e2? 00 00 00 00 00 00 9a 00-00 00 00 00 00 00 20 00? .............. .
c14c10f2? 00 00 00 00 00 00 09 03-65 00 76 00 65 00 6e 00? ........e.v.e.n.
c14c1102? 74 00 2e 00 74 00 78 00-74 00 00 00 01 00 51 1b? t...t.x.t.....Q.


0: kd> dt index_entry 0xc14c1018+28
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xd4a
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x2816
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0xe0000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x54
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x9 ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x65
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c10fa))
(*((Ntfs!unsigned short (*)[1])0xc14c10fa))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x65 [Type: unsigned short]
0: kd> db 0xc14c10fa
c14c10fa? 65 00 76 00 65 00 6e 00-74 00 2e 00 74 00 78 00? e.v.e.n.t...t.x.
c14c110a? 74 00 00 00 01 00 51 1b-00 00 00 00 01 00 60 00? t.....Q.......`.
c14c111a? 4e 00 00 00 00 00 05 00-00 00 00 00 05 00 b4 4a? N..............J
c14c112a? 1a cd c7 06 db 01 b4 4a-1a cd c7 06 db 01 b4 4a? .......J.......J
c14c113a? 1a cd c7 06 db 01 f0 84-74 d5 23 63 db 01 00 00? ........t.#c....
c14c114a? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 27 00? ..............'.
c14c115a? 00 00 00 00 00 00 06 03-49 00 4f 00 2e 00 53 00? ........I.O...S.
c14c116a? 59 00 53 00 43 00 52 1b-00 00 00 00 01 00 68 00? Y.S.C.R.......h.


0: kd> dt index_entry 0xc14c1018+28+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x2816
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0xe0000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x54
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1b51
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x60
?? +0x00a AttributeLength? : 0x4e
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x6 ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x49
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1162))
(*((Ntfs!unsigned short (*)[1])0xc14c1162))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x49 [Type: unsigned short]
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c1120))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c1120))???????????????? [Type: _MFT_SEGMENT_REFERENCE]
??? [+0x000] SegmentNumberLowPart : 0x5 [Type: unsigned long]
??? [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
??? [+0x006] SequenceNumber?? : 0x5 [Type: unsigned short]
0: kd> db 0xc14c1162
c14c1162? 49 00 4f 00 2e 00 53 00-59 00 53 00 43 00 52 1b? I.O...S.Y.S.C.R.
c14c1172? 00 00 00 00 01 00 68 00-54 00 00 00 00 00 05 00? ......h.T.......
c14c1182? 00 00 00 00 05 00 b4 4a-1a cd c7 06 db 01 b4 4a? .......J.......J
c14c1192? 1a cd c7 06 db 01 b4 4a-1a cd c7 06 db 01 e4 da? .......J........
c14c11a2? 54 cb b7 63 db 01 00 00-00 00 00 00 00 00 00 00? T..c............
c14c11b2? 00 00 00 00 00 00 27 00-00 00 00 00 00 00 09 03? ......'.........
c14c11c2? 4d 00 53 00 44 00 4f 00-53 00 2e 00 53 00 59 00? M.S.D.O.S...S.Y.
c14c11d2? 53 00 43 00 4f 00 a9 28-00 00 00 00 02 00 80 00? S.C.O..(........


0: kd> dt index_entry 0xc14c1018+28+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1b51
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x60
?? +0x00a AttributeLength? : 0x4e
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1b52
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x54
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x9 ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x4d
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c1180))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c1180))???????????????? [Type: _MFT_SEGMENT_REFERENCE]
??? [+0x000] SegmentNumberLowPart : 0x5 [Type: unsigned long]
??? [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
??? [+0x006] SequenceNumber?? : 0x5 [Type: unsigned short]
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c11c2))
(*((Ntfs!unsigned short (*)[1])0xc14c11c2))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x4d [Type: unsigned short]
0: kd> db 0xc14c11c2
c14c11c2? 4d 00 53 00 44 00 4f 00-53 00 2e 00 53 00 59 00? M.S.D.O.S...S.Y.
c14c11d2? 53 00 43 00 4f 00 a9 28-00 00 00 00 02 00 80 00? S.C.O..(........
c14c11e2? 6c 00 00 00 00 00 05 00-00 00 00 00 05 00 6a f7? l.............j.
c14c11f2? f9 4d a9 8e db 01 6a f7-f9 4d a9 8e db 01 6a f7? .M....j..M....j.
c14c1202? f9 4d a9 8e db 01 6a f7-f9 4d a9 8e db 01 00 00? .M....j..M......
c14c1212? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 20 00? .............. .
c14c1222? 00 00 00 00 00 00 15 01-4e 00 65 00 77 00 20 00? ........N.e.w. .
c14c1232? 54 00 65 00 78 00 74 00-20 00 44 00 6f 00 63 00? T.e.x.t. .D.o.c.


0: kd> dt index_entry 0xc14c1018+28+68+68+60
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1b52
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x54
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x28a9
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x20000
?? +0x008 Length?????????? : 0x80
?? +0x00a AttributeLength? : 0x6c
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x15 ''
?? +0x041 Flags??????????? : 0x1 ''
?? +0x042 FileName???????? : [1] 0x4e
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c11e8))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c11e8))???????????????? [Type: _MFT_SEGMENT_REFERENCE]
??? [+0x000] SegmentNumberLowPart : 0x5 [Type: unsigned long]
??? [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
??? [+0x006] SequenceNumber?? : 0x5 [Type: unsigned short]
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c122a))
(*((Ntfs!unsigned short (*)[1])0xc14c122a))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x4e [Type: unsigned short]
0: kd> db 0xc14c122a
c14c122a? 4e 00 65 00 77 00 20 00-54 00 65 00 78 00 74 00? N.e.w. .T.e.x.t.
c14c123a? 20 00 44 00 6f 00 63 00-75 00 6d 00 65 00 6e 00?? .D.o.c.u.m.e.n.
c14c124a? 74 00 2e 00 74 00 78 00-74 00 00 00 00 00 a9 28? t...t.x.t......(
c14c125a? 00 00 00 00 02 00 70 00-5a 00 00 00 00 00 05 00? ......p.Z.......
c14c126a? 00 00 00 00 05 00 6a f7-f9 4d a9 8e db 01 6a f7? ......j..M....j.
c14c127a? f9 4d a9 8e db 01 6a f7-f9 4d a9 8e db 01 6a f7? .M....j..M....j.
c14c128a? f9 4d a9 8e db 01 00 00-00 00 00 00 00 00 00 00? .M..............
c14c129a? 00 00 00 00 00 00 20 00-00 00 00 00 00 00 0c 02? ...... .........


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x28a9
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x20000
?? +0x008 Length?????????? : 0x80
?? +0x00a AttributeLength? : 0x6c
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x28a9
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x20000
?? +0x008 Length?????????? : 0x70
?? +0x00a AttributeLength? : 0x5a
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0xc ''
?? +0x041 Flags??????????? : 0x2 ''
?? +0x042 FileName???????? : [1] 0x4e
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c12aa))
(*((Ntfs!unsigned short (*)[1])0xc14c12aa))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x4e [Type: unsigned short]
0: kd> db 0xc14c12aa
c14c12aa? 4e 00 45 00 57 00 54 00-45 00 58 00 7e 00 31 00? N.E.W.T.E.X.~.1.
c14c12ba? 2e 00 54 00 58 00 54 00-5a 00 00 00 00 00 d3 0c? ..T.X.T.Z.......
c14c12ca? 00 00 00 00 01 00 70 00-5a 00 00 00 00 00 05 00? ......p.Z.......
c14c12da? 00 00 00 00 05 00 00 62-1c 3c b2 06 db 01 00 62? .......b.<.....b
c14c12ea? 1c 3c b2 06 db 01 ea 3a-17 d7 8b 06 db 01 84 97? .<.....:........
c14c12fa? 37 98 8b 06 db 01 00 c0-00 00 00 00 00 00 bc b9? 7...............
c14c130a? 00 00 00 00 00 00 27 00-00 00 00 00 00 00 0c 03? ......'.........
c14c131a? 4e 00 54 00 44 00 45 00-54 00 45 00 43 00 54 00? N.T.D.E.T.E.C.T.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x28a9
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x20000
?? +0x008 Length?????????? : 0x70
?? +0x00a AttributeLength? : 0x5a
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xcd3
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x70
?? +0x00a AttributeLength? : 0x5a
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0xc ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x4e
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c131a))
(*((Ntfs!unsigned short (*)[1])0xc14c131a))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x4e [Type: unsigned short]
0: kd> db 0xc14c131a
c14c131a? 4e 00 54 00 44 00 45 00-54 00 45 00 43 00 54 00? N.T.D.E.T.E.C.T.
c14c132a? 2e 00 43 00 4f 00 4d 00-5a 00 00 00 00 00 cf 0c? ..C.O.M.Z.......
c14c133a? 00 00 00 00 01 00 60 00-4c 00 00 00 00 00 05 00? ......`.L.......
c14c134a? 00 00 00 00 05 00 00 07-05 b9 c5 06 db 01 00 07? ................
c14c135a? 05 b9 c5 06 db 01 ea 3a-17 d7 8b 06 db 01 e4 71? .......:.......q
c14c136a? 11 98 8b 06 db 01 00 c0-04 00 00 00 00 00 a0 b4? ................
c14c137a? 04 00 00 00 00 00 27 00-00 00 00 00 00 00 05 03? ......'.........
c14c138a? 6e 00 74 00 6c 00 64 00-72 00 49 00 4c 00 c8 27? n.t.l.d.r.I.L..'


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xcd3
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x70
?? +0x00a AttributeLength? : 0x5a
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xccf
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x60
?? +0x00a AttributeLength? : 0x4c
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x5 ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x6e
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c138a))
(*((Ntfs!unsigned short (*)[1])0xc14c138a))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x6e [Type: unsigned short]
0: kd> db 0xc14c138a
c14c138a? 6e 00 74 00 6c 00 64 00-72 00 49 00 4c 00 c8 27? n.t.l.d.r.I.L..'
c14c139a? 00 00 00 00 07 00 70 00-5a 00 00 00 00 00 05 00? ......p.Z.......
c14c13aa? 00 00 00 00 05 00 c0 2b-54 88 8b 06 db 01 f2 cf? .......+T.......
c14c13ba? 03 b4 e4 be db 01 f2 cf-03 b4 e4 be db 01 f2 cf? ................
c14c13ca? 03 b4 e4 be db 01 00 00-e0 7f 00 00 00 00 00 00? ................
c14c13da? e0 7f 00 00 00 00 26 00-00 00 00 00 00 00 0c 03? ......&.........
c14c13ea? 70 00 61 00 67 00 65 00-66 00 69 00 6c 00 65 00? p.a.g.e.f.i.l.e.
c14c13fa? 2e 00 73 00 79 00 73 00-73 00 20 00 49 00 ca 0e? ..s.y.s.s. .I...


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xccf
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x60
?? +0x00a AttributeLength? : 0x4c
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x27c8
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x70000
?? +0x008 Length?????????? : 0x70
?? +0x00a AttributeLength? : 0x5a
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0xc ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x70
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c13ea))
(*((Ntfs!unsigned short (*)[1])0xc14c13ea))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x70 [Type: unsigned short]
0: kd> db 0xc14c13ea
c14c13ea? 70 00 61 00 67 00 65 00-66 00 69 00 6c 00 65 00? p.a.g.e.f.i.l.e.
c14c13fa? 2e 00 73 00 79 00 73 00-73 00 20 00 49 00 ca 0e? ..s.y.s.s. .I...
c14c140a? 00 00 00 00 01 00 70 00-5c 00 00 00 00 00 05 00? ......p.\.......
c14c141a? 00 00 00 00 05 00 64 c4-1d cd 8b 06 db 01 72 d1? ......d.......r.
c14c142a? a9 8f c7 06 db 01 72 d1-a9 8f c7 06 db 01 46 8d? ......r.......F.
c14c143a? fd b2 e4 be db 01 00 00-00 00 00 00 00 00 00 00? ................
c14c144a? 00 00 00 00 00 00 01 00-00 10 00 00 00 00 0d 01? ................
c14c145a? 50 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00? P.r.o.g.r.a.m. .

0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x27c8
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x70000
?? +0x008 Length?????????? : 0x70
?? +0x00a AttributeLength? : 0x5a
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xeca
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x70
?? +0x00a AttributeLength? : 0x5c
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0xd ''
?? +0x041 Flags??????????? : 0x1 ''
?? +0x042 FileName???????? : [1] 0x50
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c145a))
(*((Ntfs!unsigned short (*)[1])0xc14c145a))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x50 [Type: unsigned short]
0: kd> db 0xc14c145a
c14c145a? 50 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00? P.r.o.g.r.a.m. .
c14c146a? 46 00 69 00 6c 00 65 00-73 00 20 00 49 00 ca 0e? F.i.l.e.s. .I...
c14c147a? 00 00 00 00 01 00 68 00-52 00 00 00 00 00 05 00? ......h.R.......
c14c148a? 00 00 00 00 05 00 64 c4-1d cd 8b 06 db 01 72 d1? ......d.......r.
c14c149a? a9 8f c7 06 db 01 72 d1-a9 8f c7 06 db 01 46 8d? ......r.......F.
c14c14aa? fd b2 e4 be db 01 00 00-00 00 00 00 00 00 00 00? ................
c14c14ba? 00 00 00 00 00 00 01 00-00 10 00 00 00 00 08 02? ................
c14c14ca? 50 00 52 00 4f 00 47 00-52 00 41 00 7e 00 31 00? P.R.O.G.R.A.~.1.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xeca
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x70
?? +0x00a AttributeLength? : 0x5c
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xeca
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x8 ''
?? +0x041 Flags??????????? : 0x2 ''
?? +0x042 FileName???????? : [1] 0x50
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c14ca))
(*((Ntfs!unsigned short (*)[1])0xc14c14ca))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x50 [Type: unsigned short]
0: kd> db 0xc14c14ca
c14c14ca? 50 00 52 00 4f 00 47 00-52 00 41 00 7e 00 31 00? P.R.O.G.R.A.~.1.
c14c14da? 6f 00 6c 00 75 00 d5 27-00 00 00 00 07 00 68 00? o.l.u..'......h.
c14c14ea? 52 00 00 00 00 00 05 00-00 00 00 00 05 00 ca 1f? R...............
c14c14fa? d1 e1 f6 16 db 01 ca 1f-d1 e1 f6 16 db 01 7a 42? ..............zB
c14c150a? 28 c7 e8 88 db 01 46 8d-fd b2 e4 be db 01 00 00? (.....F.........
c14c151a? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 06 00? ................
c14c152a? 00 10 00 00 00 00 08 03-52 00 45 00 43 00 59 00? ........R.E.C.Y.
c14c153a? 43 00 4c 00 45 00 52 00-42 00 47 00 75 00 60 19? C.L.E.R.B.G.u.`.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xeca
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x27d5
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x70000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x8 ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x52
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1532))
(*((Ntfs!unsigned short (*)[1])0xc14c1532))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x52 [Type: unsigned short]
0: kd> db 0xc14c1532
c14c1532? 52 00 45 00 43 00 59 00-43 00 4c 00 45 00 52 00? R.E.C.Y.C.L.E.R.
c14c1542? 42 00 47 00 75 00 60 19-00 00 00 00 01 00 68 00? B.G.u.`.......h.
c14c1552? 56 00 00 00 00 00 05 00-00 00 00 00 05 00 8c 99? V...............
c14c1562? 68 a8 c7 06 db 01 ea a4-73 b1 c7 06 db 01 ea a4? h.......s.......
c14c1572? 73 b1 c7 06 db 01 50 8c-7f d6 23 63 db 01 00 20? s.....P...#c...
c14c1582? 00 00 00 00 00 00 a8 15-00 00 00 00 00 00 20 00? .............. .
c14c1592? 00 00 00 00 00 00 0a 03-53 00 49 00 50 00 4f 00? ........S.I.P.O.
c14c15a2? 42 00 4a 00 2e 00 44 00-42 00 47 00 75 00 48 0d? B.J...D.B.G.u.H.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x27d5
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x70000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1960
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x56
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0xa ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x53
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c159a))
(*((Ntfs!unsigned short (*)[1])0xc14c159a))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x53 [Type: unsigned short]
0: kd> db 0xc14c159a
c14c159a? 53 00 49 00 50 00 4f 00-42 00 4a 00 2e 00 44 00? S.I.P.O.B.J...D.
c14c15aa? 42 00 47 00 75 00 48 0d-00 00 00 00 01 00 88 00? B.G.u.H.........
c14c15ba? 74 00 00 00 00 00 05 00-00 00 00 00 05 00 f2 b1? t...............
c14c15ca? aa ba 8b 06 db 01 58 ee-b9 5b 03 b4 db 01 58 ee? ......X..[....X.
c14c15da? b9 5b 03 b4 db 01 46 8d-fd b2 e4 be db 01 00 00? .[....F.........
c14c15ea? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 06 00? ................
c14c15fa? 00 10 00 00 00 00 19 01-53 00 79 00 73 00 74 00? ........S.y.s.t.
c14c160a? 65 00 6d 00 20 00 56 00-6f 00 6c 00 75 00 6d 00? e.m. .V.o.l.u.m.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1960
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x56
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xd48
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x88
?? +0x00a AttributeLength? : 0x74
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x19 ''
?? +0x041 Flags??????????? : 0x1 ''
?? +0x042 FileName???????? : [1] 0x53
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1602))
(*((Ntfs!unsigned short (*)[1])0xc14c1602))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x53 [Type: unsigned short]
0: kd> db 0xc14c1602
c14c1602? 53 00 79 00 73 00 74 00-65 00 6d 00 20 00 56 00? S.y.s.t.e.m. .V.
c14c1612? 6f 00 6c 00 75 00 6d 00-65 00 20 00 49 00 6e 00? o.l.u.m.e. .I.n.
c14c1622? 66 00 6f 00 72 00 6d 00-61 00 74 00 69 00 6f 00? f.o.r.m.a.t.i.o.
c14c1632? 6e 00 00 00 00 00 48 0d-00 00 00 00 01 00 68 00? n.....H.......h.
c14c1642? 52 00 00 00 00 00 05 00-00 00 00 00 05 00 f2 b1? R...............
c14c1652? aa ba 8b 06 db 01 58 ee-b9 5b 03 b4 db 01 58 ee? ......X..[....X.
c14c1662? b9 5b 03 b4 db 01 46 8d-fd b2 e4 be db 01 00 00? .[....F.........
c14c1672? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 06 00? ................


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xd48
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x88
?? +0x00a AttributeLength? : 0x74
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xd48
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x8 ''
?? +0x041 Flags??????????? : 0x2 ''
?? +0x042 FileName???????? : [1] 0x53
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c168a))
(*((Ntfs!unsigned short (*)[1])0xc14c168a))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x53 [Type: unsigned short]
0: kd> db 0xc14c168a
c14c168a? 53 00 59 00 53 00 54 00-45 00 4d 00 7e 00 31 00? S.Y.S.T.E.M.~.1.
c14c169a? 00 00 00 00 00 00 f4 27-00 00 00 00 0e 00 68 00? .......'......h.
c14c16aa? 54 00 00 00 00 00 05 00-00 00 00 00 05 00 9a b0? T...............
c14c16ba? 99 05 66 23 db 01 74 64-82 83 40 27 db 01 74 64? ..f#..td..@'..td
c14c16ca? 82 83 40 27 db 01 4e c2-2d 35 ff 6e db 01 00 00? ..@'..N.-5.n....
c14c16da? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00? ................
c14c16ea? 00 10 00 00 00 00 09 01-74 00 66 00 74 00 70 00? ........t.f.t.p.
c14c16fa? 64 00 72 00 6f 00 6f 00-74 00 00 00 01 00 f4 27? d.r.o.o.t......'


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0xd48
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x27f4
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0xe0000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x54
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x9 ''
?? +0x041 Flags??????????? : 0x1 ''
?? +0x042 FileName???????? : [1] 0x74
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c16b0))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c16b0))???????????????? [Type: _MFT_SEGMENT_REFERENCE]
??? [+0x000] SegmentNumberLowPart : 0x5 [Type: unsigned long]
??? [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
??? [+0x006] SequenceNumber?? : 0x5 [Type: unsigned short]
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c16f2))
(*((Ntfs!unsigned short (*)[1])0xc14c16f2))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x74 [Type: unsigned short]
0: kd> db 0xc14c16f2
c14c16f2? 74 00 66 00 74 00 70 00-64 00 72 00 6f 00 6f 00? t.f.t.p.d.r.o.o.
c14c1702? 74 00 00 00 01 00 f4 27-00 00 00 00 0e 00 68 00? t......'......h.
c14c1712? 52 00 00 00 00 00 05 00-00 00 00 00 05 00 9a b0? R...............
c14c1722? 99 05 66 23 db 01 74 64-82 83 40 27 db 01 74 64? ..f#..td..@'..td
c14c1732? 82 83 40 27 db 01 4e c2-2d 35 ff 6e db 01 00 00? ..@'..N.-5.n....
c14c1742? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00? ................
c14c1752? 00 10 00 00 00 00 08 02-54 00 46 00 54 00 50 00? ........T.F.T.P.
c14c1762? 44 00 52 00 7e 00 31 00-00 00 00 00 01 00 1c 00? D.R.~.1.........


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x27f4
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0xe0000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x54
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x27f4
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0xe0000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x8 ''
?? +0x041 Flags??????????? : 0x2 ''
?? +0x042 FileName???????? : [1] 0x54
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c175a))
(*((Ntfs!unsigned short (*)[1])0xc14c175a))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x54 [Type: unsigned short]
0: kd> db 0xc14c175a
c14c175a? 54 00 46 00 54 00 50 00-44 00 52 00 7e 00 31 00? T.F.T.P.D.R.~.1.
c14c176a? 00 00 00 00 01 00 1c 00-00 00 00 00 01 00 60 00? ..............`.
c14c177a? 50 00 00 00 00 00 05 00-00 00 00 00 05 00 82 17? P...............
c14c178a? 60 88 8b 06 db 01 c0 4c-84 b5 43 93 db 01 c0 4c? `......L..C....L
c14c179a? 84 b5 43 93 db 01 46 8d-fd b2 e4 be db 01 00 00? ..C...F.........
c14c17aa? 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00? ................
c14c17ba? 00 10 00 00 00 00 07 03-57 00 49 00 4e 00 44 00? ........W.I.N.D.
c14c17ca? 4f 00 57 00 53 00 da 1b-00 00 00 00 01 00 60 00? O.W.S.........`.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x27f4
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0xe0000
?? +0x008 Length?????????? : 0x68
?? +0x00a AttributeLength? : 0x52
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1c
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x60
?? +0x00a AttributeLength? : 0x50
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x7 ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x57
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c17c2))
(*((Ntfs!unsigned short (*)[1])0xc14c17c2))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x57 [Type: unsigned short]
0: kd> db 0xc14c17c2
c14c17c2? 57 00 49 00 4e 00 44 00-4f 00 57 00 53 00 da 1b? W.I.N.D.O.W.S...
c14c17d2? 00 00 00 00 01 00 60 00-4c 00 00 00 00 00 05 00? ......`.L.......
c14c17e2? 00 00 00 00 05 00 6e 76-13 da c7 06 db 01 6e 76? ......nv......nv
c14c17f2? 13 da c7 06 db 01 6e 76-13 da c7 06 db 01 4e c2? ......nv......N.
c14c1802? 2d 35 ff 6e db 01 00 00-00 00 00 00 00 00 00 00? -5.n............
c14c1812? 00 00 00 00 00 00 00 00-00 10 00 00 00 00 05 03? ................
c14c1822? 77 00 6d 00 70 00 75 00-62 00 00 00 00 00 00 00? w.m.p.u.b.......
c14c1832? 00 00 00 00 00 00 10 00-00 00 02 00 00 00 10 00? ................


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1c
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x60
?? +0x00a AttributeLength? : 0x50
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+60
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1bda
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x60
?? +0x00a AttributeLength? : 0x4c
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+60+10
Ntfs!FILE_NAME
?? +0x000 ParentDirectory? : _MFT_SEGMENT_REFERENCE
?? +0x008 Info???????????? : _DUPLICATED_INFORMATION
?? +0x040 FileNameLength?? : 0x5 ''
?? +0x041 Flags??????????? : 0x3 ''
?? +0x042 FileName???????? : [1] 0x77
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1822))
(*((Ntfs!unsigned short (*)[1])0xc14c1822))???????????????? [Type: unsigned short [1]]
??? [0]????????????? : 0x77 [Type: unsigned short]
0: kd> db 0xc14c1822
c14c1822? 77 00 6d 00 70 00 75 00-62 00 00 00 00 00 00 00? w.m.p.u.b.......
c14c1832? 00 00 00 00 00 00 10 00-00 00 02 00 00 00 10 00? ................
c14c1842? 00 00 02 00 00 00 60 00-4c 00 00 00 00 00 05 00? ......`.L.......
c14c1852? 00 00 00 00 05 00 6e 76-13 da c7 06 db 01 6e 76? ......nv......nv
c14c1862? 13 da c7 06 db 01 6e 76-13 da c7 06 db 01 4e c2? ......nv......N.
c14c1872? 2d 35 ff 6e db 01 00 00-00 00 00 00 00 00 00 00? -5.n............
c14c1882? 00 00 00 00 00 00 00 00-00 10 00 00 00 00 05 03? ................
c14c1892? 77 00 6d 00 70 00 75 00-62 00 00 00 00 00 00 00? w.m.p.u.b.......


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+60
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0x1bda
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0x10000
?? +0x008 Length?????????? : 0x60
?? +0x00a AttributeLength? : 0x4c
?? +0x00c Flags??????????? : 0
?? +0x00e Reserved???????? : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+60+60
Ntfs!INDEX_ENTRY
?? +0x000 FileReference??? : _MFT_SEGMENT_REFERENCE
?? +0x000 DataOffset?????? : 0
?? +0x002 DataLength?????? : 0
?? +0x004 ReservedForZero? : 0
?? +0x008 Length?????????? : 0x10
?? +0x00a AttributeLength? : 0
?? +0x00c Flags??????????? : 2
?? +0x00e Reserved???????? : 0

本文來自互聯網用戶投稿,該文觀點僅代表作者本人,不代表本站立場。本站僅提供信息存儲空間服務,不擁有所有權,不承擔相關法律責任。
如若轉載,請注明出處:http://www.pswp.cn/news/906748.shtml
繁體地址,請注明出處:http://hk.pswp.cn/news/906748.shtml
英文地址,請注明出處:http://en.pswp.cn/news/906748.shtml

如若內容造成侵權/違法違規/事實不符,請聯系多彩編程網進行投訴反饋email:809451989@qq.com,一經查實,立即刪除!

相關文章

LumaDot (亮度可調的屏幕圓點)

LumaDot (亮度可調的屏幕圓點)

應用名稱 LumaDot &#xff08;源自 “Luminance”&#xff08;亮度&#xff09; “Dot”&#xff08;圓點&#xff09;&#xff0c;強調其核心功能&#xff1a;亮度可調的屏幕圓點&#xff09; 應用說明 LumaDot 是一款輕量級 Windows 桌面工具&#xff0c;專為需要屏幕標記…
閱讀更多...
HarmonyOS 鴻蒙應用開發基礎:EventHub,優雅解決跨組件通信難題

HarmonyOS 鴻蒙應用開發基礎:EventHub,優雅解決跨組件通信難題

EventHub是鴻蒙開發中用于線程內通信的事件中心模塊&#xff0c;基于發布訂閱模式實現組件間的高效通信。它完美解決了傳統回調方式在多層嵌套場景下的痛點&#xff0c;使得組件間的通信更加靈活和易于管理。 核心特性 事件中心機制&#xff1a;通過事件名進行通信&#xff0c…
閱讀更多...
前端框架token相關bug,前后端本地聯調

前端框架token相關bug,前后端本地聯調

今天我搭建框架的時候&#xff0c;我想請求我自己的本地&#xff01;然后我自己想鏈接我自己的本地后端&#xff0c;我之前用的前端項目&#xff0c;都是鏈別人的后端&#xff0c;基本上很少情況會鏈接自己的后端&#xff01;所以我當時想的是&#xff0c;我前后端接口一樣&…
閱讀更多...
【數據結構初階】順序表專題

【數據結構初階】順序表專題

文章目錄 順序表1.數據結構相關概念1、什么是數據結構2、為什么需要數據結構&#xff1f; 2.順序表1、順序表的概念及結構2、順序表分類3、動態順序表的實現1.定義一個動態順序表2.順序表的初始化3.順序表的銷毀4.順序表達的尾插5.順序表的頭插6.空間大小檢查函數7.順序表的尾刪…
閱讀更多...
從神經生物學到社會心理學:游戲沉迷機制的深度解構

從神經生物學到社會心理學:游戲沉迷機制的深度解構

你是否曾在深夜放下手機時驚覺&#xff1a;"明明只想玩10分鐘&#xff0c;怎么天都亮了&#xff1f;"這不是意志力薄弱的表現&#xff0c;而是價值數十億美元的游戲產業用神經科學精心設計的認知陷阱。 當《王者榮耀》的Victory音效讓你心跳加速&#xff0c;當《原神…
閱讀更多...
15.集合框架的學習

15.集合框架的學習

一、簡介 集合框架&#xff08;Collection Framework&#xff09; 是 Java 提供的一套用于存儲、操作和處理數據集合的標準化架構。它主要位于 java.util 包中&#xff0c;提供了一組 接口 和 實現類&#xff0c;用于操作不同類型的數據集合&#xff0c;如列表&#xff08;List…
閱讀更多...
【方案分享】展廳智能講解:基于BLE藍牙Beacon的自動講解觸發技術實現

【方案分享】展廳智能講解:基于BLE藍牙Beacon的自動講解觸發技術實現

【方案分享】展廳智能講解&#xff1a;基于BLE藍牙Beacon的自動講解觸發技術實現 讓觀眾靠近展品即可自動彈出講解頁面&#xff0c;是智能展廳的核心功能之一。本文將從軟硬件技術、BLE Beacon原理、微信小程序實現、優劣對比與拓展方案五個維度&#xff0c;系統講解“靠近展臺…
閱讀更多...
微前端架構:從單體到模塊化的前端新革命

微前端架構:從單體到模塊化的前端新革命

在信息技術&#xff08;IT&#xff09;的迅猛發展中&#xff0c;前端開發領域正迎來一場顛覆性的變革 —— 微前端架構&#xff08;Micro - Frontends&#xff09;。2025 年&#xff0c;隨著 Web 應用的復雜性激增、團隊協作需求的增長以及用戶對無縫體驗的期待&#xff0c;微前…
閱讀更多...
React中常用的鉤子函數:

React中常用的鉤子函數:

一. 基礎鉤子 (1)useState 用于在函數組件中添加局部狀態。useState可以傳遞一個參數&#xff0c;做為狀態的初始值&#xff0c;返回一個數組&#xff0c;數組的第一個元素是返回的狀態變量&#xff0c;第二個是修改狀態變量的函數。 const [state, setState] useState(ini…
閱讀更多...
如何在 Windows 11 或 10 上通過 PowerShell 安裝 Docker Desktop

如何在 Windows 11 或 10 上通過 PowerShell 安裝 Docker Desktop

了解如何使用 PowerShell 或命令提示符在 Windows 11 或 10 上安裝 Docker CLI 和 Docker Desktop GUI,以創建容器運行虛擬機。無需手動訪問網站下載安裝程序,所有操作都將在命令終端完成。 Docker 是一個強大的容器化平臺,允許開發人員將應用程序及其依賴項打包為輕量級容…
閱讀更多...
Python實例題:人機對戰初體驗Python基于Pygame實現四子棋游戲

Python實例題:人機對戰初體驗Python基于Pygame實現四子棋游戲

目錄 Python實例題 題目 代碼實現 實現原理 游戲邏輯&#xff1a; AI 算法&#xff1a; 界面渲染&#xff1a; 關鍵代碼解析 游戲棋盤渲染 AI 決策算法 勝利條件檢查 使用說明 安裝依賴&#xff1a; 運行游戲&#xff1a; 游戲操作&#xff1a; 擴展建議 增強…
閱讀更多...
一文詳解 HLS

一文詳解 HLS

1 HLS的簡介 1.1 HLS的背景 從 RTMP&#xff08;Real-Time Messaging Protocol&#xff0c;實時消息傳輸協議&#xff09; 到 HLS&#xff08;HTTP Live Streaming&#xff0c;HTTP直播流&#xff09; 的技術演進&#xff0c;本質上是直播協議從 專有協議 向 通用 Web 協議 的…
閱讀更多...
go 訪問 sftp 服務 github.com/pkg/sftp 的使用踩坑,連接未關閉(含 sftp 服務測試環境搭建)

go 訪問 sftp 服務 github.com/pkg/sftp 的使用踩坑,連接未關閉(含 sftp 服務測試環境搭建)

前言 最近在使用 sftp 服務時&#xff0c;被告知發起了海量的連接&#xff0c;直接把服務器搞崩&#xff0c;ip 被封了。 這是啥情況&#xff1f; golang 寫的代碼&#xff0c;我就正常的訪問 sftp 服務&#xff0c;連接使用過后也都關閉了&#xff0c;咋會出現連接一直連著…
閱讀更多...
Android 直接通過 app_process 啟動的應用如何使用 Context

Android 直接通過 app_process 啟動的應用如何使用 Context

文章目錄 一、問題背景二、代碼實現三、代碼詳解 一、問題背景 在 Android 中&#xff0c;可以使用 Android Studio 編寫 Java 應用程序&#xff0c;通過編譯打包成 apk 文件&#xff0c;然后將文件推送至 /data/local/tmp 等可執行的目錄或安裝打包出來的應用&#xff0c;隨后…
閱讀更多...
【數據結構與算法】LeetCode 每日三題

【數據結構與算法】LeetCode 每日三題

如果你已經對數據結構與算法略知一二&#xff0c;現在正在復習數據結構與算法的一些重點知識 ------------------------------------------------------------------------------------------------------------------------- 點贊收藏&#x1f308;&#xff0c;每天更新總結文…
閱讀更多...
深度“求索”:DeepSeek+Dify構建個人知識庫

深度“求索”:DeepSeek+Dify構建個人知識庫

目錄 前言 環境部署 安裝Docker 安裝Dify 配置Dify 部署知識庫 創建應用 前言 在當今數字化信息爆炸的時代&#xff0c;數據隱私和個性化知識管理成為企業和個人關注的焦點。Dify&#xff0c;作為一款備受矚目的開源 AI 應用開發平臺&#xff0c;為用戶提供了完整的私有…
閱讀更多...
【Redis8】最新安裝版與手動運行版

【Redis8】最新安裝版與手動運行版

目錄 一、直接運行 1. 下載 Redis百度網盤 2. 解壓后直接運行 redis-server.exe?編輯 二、安裝版運行 雙擊 install_redis_service.bat 輸入安裝路徑&#xff08;請提前創建好安裝路徑&#xff09;后直接回車?編輯 下一步直接回車即可&#xff0c;因為是使用配置模板…
閱讀更多...
@Column 注解屬性詳解

@Column 注解屬性詳解

提示&#xff1a;文章旨在說明 Column 注解屬性如何在日常開發中使用&#xff0c;數據庫類型為 MySql&#xff0c;其他類型數據庫可能存在偏差&#xff0c;需要注意。 文章目錄 一、name 方法二、unique 方法三、nullable 方法四、insertable 方法五、updatable 方法六、column…
閱讀更多...
使用Gemini, LangChain, Gradio打造一個書籍推薦系統 (第二部分)

使用Gemini, LangChain, Gradio打造一個書籍推薦系統 (第二部分)

建立向量嵌入數據庫 from langchain_community.document_loaders import TextLoader from langchain_text_splitters import CharacterTextSplitter from langchain.docstore.document import Document from langchain_chroma.vectorstores import Chromaimport vertexai from…
閱讀更多...
【Go-4】函數

【Go-4】函數

函數 函數是編程中的基本構建塊&#xff0c;用于封裝可重用的代碼邏輯。Go語言中的函數功能強大&#xff0c;支持多種特性&#xff0c;如多返回值、可變參數、匿名函數、閉包以及將函數作為值和類型傳遞。理解和掌握函數的使用對于編寫高效、可維護的Go程序至關重要。本章將詳…
閱讀更多...
最新文章

Copyright @ 2022~2023