Ntfs!ReadIndexBuffer函數分析之nt!CcGetVirtualAddress函數之nt!CcGetVacbMiss

第一部分:


??? NtfsMapStream( IrpContext,
?????????????????? Scb,
?????????????????? LlBytesFromIndexBlocks( IndexBlock, Scb->ScbType.Index.IndexBlockByteShift ),
?????????????????? Scb->ScbType.Index.BytesPerIndexBuffer,
?????????????????? &Sp->Bcb,
?????????????????? &Sp->StartOfBuffer );


0: kd> dv
???? IrpContext = 0x89797aa8
??????????? Scb = 0xe1350658
???? IndexBlock = 0n0
???????? Reread = 0x00 ''
???????????? Sp = 0xf78d6824

0: kd> dx -r1 ((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)
((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)???????????????? : 0xf78d6824 [Type: _INDEX_LOOKUP_STACK *]
??? [+0x000] Bcb????????????? : 0x0 [Type: void *]
??? [+0x004] StartOfBuffer??? : 0x0 [Type: void *]
??? [+0x008] IndexHeader????? : 0x0 [Type: _INDEX_HEADER *]
??? [+0x00c] IndexEntry?????? : 0x0 [Type: _INDEX_ENTRY *]
??? [+0x010] IndexBlock?????? : 0 [Type: __int64]
??? [+0x018] CapturedLsn????? : {0} [Type: _LARGE_INTEGER]

0: kd> r
eax=00000000 ebx=e1350658 ecx=0000000c edx=00000000 esi=f78d6824 edi=00000000
eip=f7173948 esp=f78d6764 ebp=f78d6770 iopl=0???????? nv up ei pl zr na pe nc
cs=0008? ss=0010? ds=0023? es=0023? fs=0030? gs=0000???????????? efl=00000246
Ntfs!ReadIndexBuffer+0xc2:
f7173948 8d7e04????????? lea???? edi,[esi+4]


0: kd> r
eax=00000000 ebx=e1350658 ecx=0000000c edx=00000000 esi=f78d6824 edi=f78d6828

0: kd> dd 0xf78d6824
f78d6824? 00000000 00000000 00000000 00000000
f78d6834? 00000000 00000000 00000000 00000000
f78d6844? 00000000 00000000 00000000 00000000

BOOLEAN
ReadIndexBuffer (
??? IN PIRP_CONTEXT IrpContext,
??? IN PSCB Scb,
??? IN LONGLONG IndexBlock,
??? IN BOOLEAN Reread,
??? OUT PINDEX_LOOKUP_STACK Sp
??? )

0: kd> dv
???? IrpContext = 0x89797aa8
??????????? Scb = 0xe1350658
???? FileOffset = 0n0
???????? Length = 0x1000
??????????? Bcb = 0xf78d6824
???????? Buffer = 0xf78d6828

0: kd> dx -r1 ((Ntfs!_SCB *)0xe1350658)
((Ntfs!_SCB *)0xe1350658)???????????????? : 0xe1350658 [Type: _SCB *]
??? [+0x000] Header?????????? [Type: _NTFS_ADVANCED_FCB_HEADER]
??? [+0x040] FcbLinks???????? [Type: _LIST_ENTRY]
??? [+0x048] Fcb????????????? : 0xe1350590 [Type: _FCB *]
??? [+0x04c] Vcb????????????? : 0x8962e100 [Type: _VCB *]
??? [+0x050] ScbState???????? : 0x6a0 [Type: unsigned long]
??? [+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]
??? [+0x058] CleanupCount???? : 0x0 [Type: unsigned long]
??? [+0x05c] CloseCount?????? : 0x1 [Type: unsigned long]
??? [+0x060] ShareAccess????? [Type: _SHARE_ACCESS]
??? [+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]
??? [+0x080] AttributeName??? : "$I30" [Type: _UNICODE_STRING]
??? [+0x088] FileObject?????? : 0x89455df0 [Type: _FILE_OBJECT *]

0: kd> dx -r1 ((Ntfs!_FILE_OBJECT *)0x89455df0)
((Ntfs!_FILE_OBJECT *)0x89455df0)???????????????? : 0x89455df0 [Type: _FILE_OBJECT *]
??? [+0x000] Type???????????? : 5 [Type: short]
??? [+0x002] Size???????????? : 112 [Type: short]
??? [+0x004] DeviceObject???? : 0x894d1c08 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
??? [+0x008] Vpb????????????? : 0x899a7008 [Type: _VPB *]
??? [+0x00c] FsContext??????? : 0xe1350658 [Type: void *]
??? [+0x010] FsContext2?????? : 0x0 [Type: void *]
??? [+0x014] SectionObjectPointer : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]


0: kd> dx -r1 ((Ntfs!_SECTION_OBJECT_POINTERS *)0x89927294)
((Ntfs!_SECTION_OBJECT_POINTERS *)0x89927294)???????????????? : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]
??? [+0x000] DataSectionObject : 0x89455c30 [Type: void *]
??? [+0x004] SharedCacheMap?? : 0x89455c98 [Type: void *]
??? [+0x008] ImageSectionObject : 0x0 [Type: void *]

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
?? +0x000 NodeTypeCode???? : 0n767
?? +0x002 NodeByteSize???? : 0n304
?? +0x004 OpenCount??????? : 1
?? +0x008 FileSize???????? : _LARGE_INTEGER 0x2000
?? +0x010 BcbList????????? : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
?? +0x018 SectionSize????? : _LARGE_INTEGER 0x100000
?? +0x020 ValidDataLength? : _LARGE_INTEGER 0x7fffffff`ffffffff
?? +0x028 ValidDataGoal??? : _LARGE_INTEGER 0x7fffffff`ffffffff
?? +0x030 InitialVacbs???? : [4] (null)
?? +0x040 Vacbs??????????? : 0x89455cc8? -> (null)
?? +0x044 FileObject?????? : 0x89455df0 _FILE_OBJECT


第二部分:

??? //
??? //? Call local routine to Map or Access the file data.? If we cannot map
??? //? the data because of a Wait condition, return FALSE.
??? //

??? if (FlagOn(Flags, MAP_WAIT)) {

??????? *Buffer = CcGetVirtualAddress( SharedCacheMap,
?????????????????????????????????????? *FileOffset,
?????????????????????????????????????? (PVACB *)&TempBcb,
?????????????????????????????????????? &ReceivedLength );


0: kd> kc
?#
00 nt!CcGetVirtualAddress
01 nt!CcMapData
02 Ntfs!NtfsMapStream
03 Ntfs!ReadIndexBuffer
04 Ntfs!FindFirstIndexEntry
05 Ntfs!NtfsUpdateFileNameInIndex
06 Ntfs!NtfsUpdateDuplicateInfo
07 Ntfs!NtfsInitializeSecurity
08 Ntfs!NtfsInitializeSecurityFile
09 Ntfs!NtfsMountVolume
0a Ntfs!NtfsCommonFileSystemControl
0b Ntfs!NtfsFspDispatch
0c nt!ExpWorkerThread
0d nt!PspSystemThreadStartup
0e nt!KiThreadStartup


??? if ((TempVacb = GetVacb( SharedCacheMap, FileOffset )) == NULL) {

??????? TempVacb = CcGetVacbMiss( SharedCacheMap, FileOffset, &OldIrql );?? ?//關鍵代碼:第一次需要調用CcGetVacbMiss函數

/*
 * GetVacb(SCM, OFF): return the VACB that currently maps the view containing
 * file offset OFF of shared cache map SCM, or NULL if that view is not mapped
 * (the caller then falls into CcGetVacbMiss, as this trace shows).
 *
 * Sections of at most VACB_SIZE_OF_FIRST_LEVEL bytes keep a flat array
 * SCM->Vacbs indexed by the view number OFF.LowPart >> VACB_OFFSET_SHIFT;
 * larger sections are looked up through CcGetVacbLargeOffset instead.
 *
 * NOTE(review): the flat-array branch has no bounds check and only looks at
 * the low 32 bits of OFF; it relies on the caller having validated OFF
 * against SCM->SectionSize.  SCM is evaluated twice, and OFF must be a
 * LARGE_INTEGER lvalue (both .QuadPart and .LowPart are referenced).
 */
#define GetVacb(SCM,OFF) (                                                        \
    ((SCM)->SectionSize.QuadPart > VACB_SIZE_OF_FIRST_LEVEL) ?                    \
    CcGetVacbLargeOffset((SCM),(OFF).QuadPart) :                                  \
    (SCM)->Vacbs[(OFF).LowPart >> VACB_OFFSET_SHIFT]                              \
)
/* Largest section served by the flat Vacbs array: 1 << 25 = 0x2000000 (32 MB),
 * the constant compared against [edi+18h] (SectionSize) in the disassembly below. */
#define VACB_SIZE_OF_FIRST_LEVEL         (1 << (VACB_OFFSET_SHIFT + VACB_LEVEL_SHIFT))
/* log2 of the view size: one VACB maps 1 << 18 = 0x40000 (256 KB) of the file,
 * which is also the CapturedViewSize passed to MmMapViewInSystemCache below. */
#define VACB_OFFSET_SHIFT                (18)
/* 1 << 7 = 128 -- presumably the fan-out per level of the multi-level VACB
 * table used for sections above VACB_SIZE_OF_FIRST_LEVEL (not exercised here). */
#define VACB_LEVEL_SHIFT                 (7)
VACB_SIZE_OF_FIRST_LEVEL = 1 << (18 + 7) = 1 << 25 = 0x2000000 (32 MB)，即下面反彙編中 cmp dword ptr [edi+18h],2000000h 所比較的常數。
VACB 的映射粒度 = 1 << VACB_OFFSET_SHIFT = 1 << 18 = 0x40000 (256 KB)，對應後面的 shr esi,12h 以及 MmMapViewInSystemCache 收到的 CapturedViewSize = 0x40000。
本例 SectionSize = 0x100000 (1 MB) 不大於 32 MB，因此 GetVacb 走平面陣列分支：Vacbs[FileOffset.LowPart >> 18] = Vacbs[0]，此時為 NULL，所以進入 CcGetVacbMiss。

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
?? +0x000 NodeTypeCode???? : 0n767
?? +0x002 NodeByteSize???? : 0n304
?? +0x004 OpenCount??????? : 1
?? +0x008 FileSize???????? : _LARGE_INTEGER 0x2000
?? +0x010 BcbList????????? : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
?? +0x018 SectionSize????? : _LARGE_INTEGER 0x100000?? ??? ??? ?1M


0: kd> dv
 SharedCacheMap = 0x89455d68
     FileOffset = {0}

注意：這裡 dv 顯示的 SharedCacheMap = 0x89455d68，與實際參與比較的暫存器 edi = 0x89455c98（即上面 dt 出來的 SHARED_CACHE_MAP，[edi+18h] 正是其 SectionSize）不一致；稍後在 CcGetVacbMiss 裡 dv 顯示的也是 0x89455c98。在最佳化過的核心中，dv 對放在暫存器裡的參數未必可靠，應以暫存器與 dt 的結果為準（0x89455d68 落在同一個 SHARED_CACHE_MAP 內部 +0xd0 處，推測是指向其某個內部成員的指標）。


0: kd> p
nt!CcGetVirtualAddress+0x93:
80a1a913 817f1800000002? cmp???? dword ptr [edi+18h],2000000h
0: kd> r
eax=00000000 ebx=89455d68 ecx=80b16100 edx=00000000 esi=00000000 edi=89455c98

0: kd> p
nt!CcGetVirtualAddress+0xad:
80a1a92d c1ee12????????? shr???? esi,12h
0: kd> r
eax=89455cc8 ebx=89455d68 ecx=80b16100 edx=00000000 esi=00000000


第三部分:


0: kd> t
Breakpoint 13 hit
nt!CcGetVacbMiss:
80a1a19e 6a30??????????? push??? 30h
0: kd> kc
?#
00 nt!CcGetVacbMiss
01 nt!CcGetVirtualAddress
02 nt!CcMapData
03 Ntfs!NtfsMapStream
04 Ntfs!ReadIndexBuffer
05 Ntfs!FindFirstIndexEntry
06 Ntfs!NtfsUpdateFileNameInIndex
07 Ntfs!NtfsUpdateDuplicateInfo
08 Ntfs!NtfsInitializeSecurity
09 Ntfs!NtfsInitializeSecurityFile
0a Ntfs!NtfsMountVolume
0b Ntfs!NtfsCommonFileSystemControl
0c Ntfs!NtfsFspDispatch
0d nt!ExpWorkerThread
0e nt!PspSystemThreadStartup
0f nt!KiThreadStartup
0: kd> dv
?? SharedCacheMap = 0x89455c98
?????? FileOffset = {0}
????????? OldIrql = 0xf78d66ab ""
????? PageIsDirty = 0xf78d6704

??? ULONG VacbOffset = FileOffset.LowPart & (VACB_MAPPING_GRANULARITY - 1);?? ?=0

??? if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {

??????? Vacb->SharedCacheMap = SharedCacheMap;
??????? Vacb->Overlay.FileOffset = NormalOffset;
??????? Vacb->Overlay.ActiveCount = 1;

??????? SetVacb( SharedCacheMap, NormalOffset, Vacb );


??? //
??? //? If there is a free view, move it to the LRU and we're done.
??? //

??? if (!IsListEmpty(&CcVacbFreeList)) {
?? ?
??????? Vacb = CONTAINING_RECORD( CcVacbFreeList.Flink, VACB, LruList );?? ?//關鍵代碼:空閑列表里面得到一個vacb結構
??????? CcMoveVacbToReuseTail( Vacb );

0: kd> x nt!CcVacbFreeList
80b1cb58????????? nt!CcVacbFreeList = struct _LIST_ENTRY [ 0x899880e8 - 0x89993fc8 ]
0: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))???????????????? [Type: _LIST_ENTRY]
??? [+0x000] Flink??????????? : 0x899880e8 [Type: _LIST_ENTRY *]
??? [+0x004] Blink??????????? : 0x89993fc8 [Type: _LIST_ENTRY *]

0: kd> dt _vacb 0x899880e8-10
nt!_VACB
?? +0x000 BaseAddress????? : (null)
?? +0x004 SharedCacheMap?? : (null)
?? +0x008 Overlay????????? : __unnamed
?? +0x010 LruList????????? : _LIST_ENTRY [ 0x89988100 - 0x80b1cb58 ]


0: kd> p
nt!CcGetVacbMiss+0x8e:
80a1a22c 8d4610????????? lea???? eax,[esi+10h]
0: kd> pr
eax=899880e8 ebx=89455d68 ecx=00000000 edx=00000000 esi=899880d8

??? Vacb->Overlay.ActiveCount = 1;
??? SharedCacheMap->VacbActiveCount += 1;


0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
?? +0x000 NodeTypeCode???? : 0n767
?? +0x002 NodeByteSize???? : 0n304
?? +0x004 OpenCount??????? : 1
?? +0x008 FileSize???????? : _LARGE_INTEGER 0x2000
?? +0x010 BcbList????????? : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
?? +0x018 SectionSize????? : _LARGE_INTEGER 0x100000
?? +0x020 ValidDataLength? : _LARGE_INTEGER 0x7fffffff`ffffffff
?? +0x028 ValidDataGoal??? : _LARGE_INTEGER 0x7fffffff`ffffffff
?? +0x030 InitialVacbs???? : [4] (null)
?? +0x040 Vacbs??????????? : 0x89455cc8? -> (null)
?? +0x044 FileObject?????? : 0x89455df0 _FILE_OBJECT
?? +0x048 ActiveVacb?????? : (null)
?? +0x04c NeedToZero?????? : (null)
?? +0x050 ActivePage?????? : 0
?? +0x054 NeedToZeroPage?? : 0
?? +0x058 ActiveVacbSpinLock : 0
?? +0x05c VacbActiveCount? : 1


第四部分:

??????? Status = MmMapViewInSystemCache (SharedCacheMap->Section,
???????????????????????????????????????? &Vacb->BaseAddress,
???????????????????????????????????????? &NormalOffset,
???????????????????????????????????????? &MappedLength.LowPart);

0: kd> t
Breakpoint 14 hit
nt!MmMapViewInSystemCache:
80aaecf2 55????????????? push??? ebp
0: kd> kc
?#
00 nt!MmMapViewInSystemCache
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!ReadIndexBuffer
06 Ntfs!FindFirstIndexEntry
07 Ntfs!NtfsUpdateFileNameInIndex
08 Ntfs!NtfsUpdateDuplicateInfo
09 Ntfs!NtfsInitializeSecurity
0a Ntfs!NtfsInitializeSecurityFile
0b Ntfs!NtfsMountVolume
0c Ntfs!NtfsCommonFileSystemControl
0d Ntfs!NtfsFspDispatch
0e nt!ExpWorkerThread
0f nt!PspSystemThreadStartup
10 nt!KiThreadStartup
0: kd> dv
    SectionToMap = 0xe13603d0
    CapturedBase = 0x899880d8
   SectionOffset = 0xf78d6648 {0}
CapturedViewSize = 0xf78d6640
       PteOffset = 0xf78d6680`ffffffff
       LastProto = 0x80aaecf2
     PteContents = struct _MMPTE
         OldIrql = 0x48 'H'
         LastPte = 0x899880d8
   LastPteOffset = 0x80aaecf2`00000000
          Waited = 8
        ProtoPte = 0xf78d6648
   NumberOfPages = 0xf78d6640

注意：這個 dv 是在函數第一條指令（push ebp）處擷取的，區域變數尚未初始化——PteOffset、LastProto、LastPte、LastPteOffset、Waited、ProtoPte、NumberOfPages 顯示的只是堆疊上殘留的舊值（例如 LastProto 恰好等於函數自身的位址 0x80aaecf2），不能拿來解讀。此刻只有四個參數是有效的：SectionToMap（SHARED_CACHE_MAP->Section）、CapturedBase（&Vacb->BaseAddress，目前內容為 0）、SectionOffset（NormalOffset = 0）、CapturedViewSize（指向的值為 0x40000）。
0: kd> dx -r1 ((ntkrnlmp!unsigned long *)0xf78d6640)
((ntkrnlmp!unsigned long *)0xf78d6640)???????????????? : 0xf78d6640 : 0x40000 [Type: unsigned long *]
??? 0x40000 [Type: unsigned long]
0: kd> dx -r1 ((ntkrnlmp!void * *)0x899880d8)
((ntkrnlmp!void * *)0x899880d8)???????????????? : 0x899880d8 [Type: void * *]
??? 0x0 [Type: void *]

??????? Status = MmMapViewInSystemCache (SharedCacheMap->Section,
???????????????????????????????????????? &Vacb->BaseAddress,
???????????????????????????????????????? &NormalOffset,
???????????????????????????????????????? &MappedLength.LowPart);

0: kd> dt section 0xe13603d0
nt!SECTION
?? +0x000 Address????????? : _MMADDRESS_NODE
?? +0x014 Segment????????? : 0xe1291b48 _SEGMENT
?? +0x018 SizeOfSection??? : _LARGE_INTEGER 0x100000
?? +0x020 u??????????????? : __unnamed
?? +0x024 InitialPageProtection : 4

0: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_SEGMENT *)0xe1291b48)
((ntkrnlmp!_SEGMENT *)0xe1291b48)???????????????? : 0xe1291b48 [Type: _SEGMENT *]
??? [+0x000] ControlArea????? : 0x89455c30 [Type: _CONTROL_AREA *]
??? [+0x004] TotalNumberOfPtes : 0x100 [Type: unsigned long]
??? [+0x008] NonExtendedPtes? : 0x100 [Type: unsigned long]
??? [+0x00c] WritableUserReferences : 0x0 [Type: unsigned long]
??? [+0x010] SizeOfSegment??? : 0x100000 [Type: unsigned __int64]
??? [+0x018] SegmentPteTemplate [Type: _MMPTE]
??? [+0x01c] NumberOfCommittedPages : 0x0 [Type: unsigned long]
??? [+0x020] ExtendInfo?????? : 0x0 [Type: _MMEXTEND_INFO *]
??? [+0x024] SegmentFlags???? [Type: _SEGMENT_FLAGS]
??? [+0x028] BasedAddress???? : 0x0 [Type: void *]
??? [+0x02c] u1?????????????? [Type: __unnamed]
??? [+0x030] u2?????????????? [Type: __unnamed]
??? [+0x034] PrototypePte???? : 0x61444d43 [Type: _MMPTE *]
??? [+0x038] ThePtes????????? [Type: _MMPTE [1]]
0: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_CONTROL_AREA *)0x89455c30)
((ntkrnlmp!_CONTROL_AREA *)0x89455c30)???????????????? : 0x89455c30 [Type: _CONTROL_AREA *]
??? [+0x000] Segment????????? : 0xe1291b48 [Type: _SEGMENT *]
??? [+0x004] DereferenceList? [Type: _LIST_ENTRY]
??? [+0x00c] NumberOfSectionReferences : 0x1 [Type: unsigned long]
??? [+0x010] NumberOfPfnReferences : 0x0 [Type: unsigned long]
??? [+0x014] NumberOfMappedViews : 0x0 [Type: unsigned long]
??? [+0x018] NumberOfSystemCacheViews : 0x0 [Type: unsigned long]
??? [+0x01c] NumberOfUserReferences : 0x0 [Type: unsigned long]
??? [+0x020] u??????????????? [Type: __unnamed]
    [+0x024] FilePointer      : 0x89455df0 [Type: _FILE_OBJECT *]        // 與前面經由 Scb->FileObject / SectionObjectPointer 追到的 FILE_OBJECT 0x89455df0 是同一個物件
??? [+0x028] WaitingForDeletion : 0x0 [Type: _EVENT_COUNTER *]
??? [+0x02c] ModifiedWriteCount : 0x0 [Type: unsigned short]
??? [+0x02e] FlushInProgressCount : 0x0 [Type: unsigned short]


??? if (ControlArea->u.Flags.Rom == 0) {
??????? Subsection = (PSUBSECTION)(ControlArea + 1);
??? }
??? else {
??????? Subsection = (PSUBSECTION)((PLARGE_CONTROL_AREA)ControlArea + 1);
??? }

0: kd> dt subsection 0x89455c30+30
nt!SUBSECTION
?? +0x000 ControlArea????? : 0x89455c30 _CONTROL_AREA
?? +0x004 u??????????????? : __unnamed
?? +0x008 StartingSector?? : 0
?? +0x00c NumberOfFullSectors : 0x100
?? +0x010 SubsectionBase?? : (null)
?? +0x014 UnusedPtes?????? : 0
?? +0x018 PtesInSubsection : 0x100
?? +0x01c NextSubsection?? : (null)

?? NumberOfPages = BYTES_TO_PAGES (*CapturedViewSize);?? ?=eax=00000040

0: kd> p
nt!MmMapViewInSystemCache+0xab:
80aaed9d 03f0??????????? add???? esi,eax
0: kd> r
eax=00000040 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=89455c30


?? SectionOffset = 0xf78d6648 {0}


??? PteOffset = (UINT64)(SectionOffset->QuadPart >> PAGE_SHIFT);?? ?0x0
??? LastPteOffset = PteOffset + NumberOfPages;?? ??? ??? ?0x40


??? PointerPte = MmFirstFreeSystemCache;?? ??? ??? ?//關鍵代碼:得到PointerPte

??? //
??? // Update next free entry.
??? //

??? ASSERT (PointerPte->u.Hard.Valid == 0);

??? MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;
??? ASSERT (MmFirstFreeSystemCache <= MiGetPteAddress (MmSystemCacheEnd));


0: kd> x nt!MmFirstFreeSystemCache
80b23594????????? nt!MmFirstFreeSystemCache = 0xc0305300

0: kd> dd 0xc0305300
c0305300? c1500000 00000000 00000000 00000000
c0305310? 00000000 00000000 00000000 00000000
c0305320? 00000000 00000000 00000000 00000000
c0305330? 00000000 00000000 00000000 00000000
c0305340? 00000000 00000000 00000000 00000000

0: kd> x nt!MmSystemCachePteBase
80b2358c????????? nt!MmSystemCachePteBase = 0xc0000000


????? +0x000 List???????????? : _MMPTE_LIST
???????? +0x000 Valid??????????? : Pos 0, 1 Bit
???????? +0x000 OneEntry???????? : Pos 1, 1 Bit
???????? +0x000 filler0????????? : Pos 2, 8 Bits
???????? +0x000 Prototype??????? : Pos 10, 1 Bit
???????? +0x000 filler1????????? : Pos 11, 1 Bit
???????? +0x000 NextEntry??????? : Pos 12, 20 Bits

PTE 內容 0xc1500000 按 _MMPTE_LIST 佈局解碼：Valid (bit 0) = 0，NextEntry = bit 12..31 = 0xc1500。
MmFirstFreeSystemCache = MmSystemCachePteBase + NextEntry 是 PMMPTE 指標運算，因此實際位址 = 0xc0000000 + 0xc1500 * sizeof(MMPTE) = 0xc0000000 + 0x305400 = 0xc0305400（與下面 eax=c0305400 一致）。換言之，空閒的系統快取 PTE 以單向鏈結串列串起來，鏈結資訊就存放在無效 PTE 本身的 NextEntry 欄位中。

0: kd> dd c0305400
c0305400? c1540000 00000000 00000000 00000000


0: kd> p
nt!MmMapViewInSystemCache+0x229:
80aaef1b 8d0481????????? lea???? eax,[ecx+eax*4]
0: kd> p
nt!MmMapViewInSystemCache+0x22c:
80aaef1e 8b0da003bf80??? mov???? ecx,dword ptr [nt!MmSystemCacheEnd (80bf03a0)]
0: kd> r
eax=c0305400


??? MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;?? ?=eax=c0305400


第五部分:

0: kd> p
nt!MmMapViewInSystemCache+0x296:
80aaef88 e8bfa8feff????? call??? nt!MiAddViewsForSection (80a9984c)
0: kd> t
nt!MiAddViewsForSection:
80a9984c 55????????????? push??? ebp
0: kd> dv
StartMappedSubsection = 0x89455c60
??????? LastPteOffset = 0x40
????????????? OldIrql = 0x00 ''
?????????????? Waited = 0xf78d6618


??????????? Size = (MappedSubsection->PtesInSubsection + MappedSubsection->UnusedPtes) * sizeof(MMPTE);

??????????? ASSERT (Size != 0);

??????????? ProtoPtes = (PMMPTE)ExAllocatePoolWithTag (PagedPool | POOL_MM_ALLOCATION,
?????????????????????????????????????????????????????? Size,
?????????????????????????????????????????????????????? MMSECT);


0: kd> p
nt!MiAddViewsForSection+0x17f:
80a999cb e808190700????? call??? nt!ExAllocatePoolWithTag (80b0b2d8)
0: kd> p
Breakpoint 3 hit
nt!MmAccessFault:
80abcfda 55????????????? push??? ebp
0: kd> kc
?#
00 nt!MmAccessFault
01 nt!_KiTrap0E
02 nt!ExAllocatePoolWithTag
03 nt!MiAddViewsForSection
04 nt!MmMapViewInSystemCache
05 nt!CcGetVacbMiss
06 nt!CcGetVirtualAddress
07 nt!CcMapData
08 Ntfs!NtfsMapStream
09 Ntfs!ReadIndexBuffer
0a Ntfs!FindFirstIndexEntry
0b Ntfs!NtfsUpdateFileNameInIndex
0c Ntfs!NtfsUpdateDuplicateInfo
0d Ntfs!NtfsInitializeSecurity
0e Ntfs!NtfsInitializeSecurityFile
0f Ntfs!NtfsMountVolume
10 Ntfs!NtfsCommonFileSystemControl
11 Ntfs!NtfsFspDispatch
12 nt!ExpWorkerThread
13 nt!PspSystemThreadStartup
14 nt!KiThreadStartup
0: kd> dv
    FaultStatus = 1
 VirtualAddress = 0xe13c3000

說明：斷點 3 設在 nt!MmAccessFault 上，這次是在 ExAllocatePoolWithTag 內部觸發的：分配器觸碰了分頁池頁面 0xe13c3000（隨後返回的 ProtoPtes = 0xe13c3008 正位於這一頁），產生一次缺頁。從呼叫鏈看這應該是分頁池頁面的正常按需調入，而不是映射路徑出錯；下面 gu 之後 ExAllocatePoolWithTag 正常返回 eax=e13c3008。


0: kd> gu
nt!MiAddViewsForSection+0x184:
80a999d0 8bd8??????????? mov???? ebx,eax
0: kd> r
eax=e13c3008

??????????? ProtoPtes = (PMMPTE)ExAllocatePoolWithTag (PagedPool | POOL_MM_ALLOCATION,
?????????????????????????????????????????????????????? Size,
                                                       MMSECT);    //=eax=e13c3008  關鍵代碼：ProtoPtes 來自分頁池（tag MMSECT）的 ExAllocatePoolWithTag 分配，位址取決於當時分頁池的空閒情況，不同次執行可能不同；這只是「不固定」，並非安全意義上的隨機化。


第六部分:

??????????? TempPte.u.Long = MiGetSubsectionAddressForPte (MappedSubsection);
??????????? TempPte.u.Soft.Prototype = 1;

0: kd> p
nt!MiAddViewsForSection+0x1b1:
80a999fd 0bc1??????????? or????? eax,ecx
0: kd> r
eax=7854c000 ebx=e13c3008 ecx=00000018 edx=0000017f esi=89455c60 edi=00000400


/*
 * Pack the address of a SUBSECTION into a 32-bit PTE so that a prototype PTE
 * can refer back to its subsection (x86, non-PAE).  Only bits 1-4 and 11-31
 * of the result are used; bit 0 (Valid) and bit 10 (Prototype) are left
 * clear for the caller to set, as MiAddViewsForSection does with
 * TempPte.u.Soft.Prototype = 1.
 *
 * Two encodings, distinguished by bit 31:
 *   VA below MmSubsectionBase + 128 MB : bit 31 = 1, distance measured from
 *                                        MmSubsectionBase upwards
 *   otherwise                          : bit 31 = 0, distance measured from
 *                                        MmNonPagedPoolEnd downwards
 * In both cases (distance >> 2) & 0x1e lands in bits 1-4 and
 * (distance << 4) & 0x7ffff800 in bits 11-30; distance bits 0-2 are dropped,
 * so the subsection is assumed to be 8-byte aligned.
 *
 * Worked example from this trace: VA = 0x89455c60, MmSubsectionBase =
 * 0x81c01000 -> distance 0x7854c60 -> 0x18 | 0x7854c000 | 0x80000000
 * = 0xf854c018 (eax after the "or eax,80000000h").
 *
 * NOTE(review): VA is evaluated more than once and is not parenthesized in
 * every use; pass a plain identifier with no side effects.
 */
#define MiGetSubsectionAddressForPte(VA)                  \
            (((ULONG)(VA) < (ULONG)MmSubsectionBase + 128*1024*1024) ?                  \
   (((((ULONG)VA - (ULONG)MmSubsectionBase)>>2) & (ULONG)0x0000001E) |  \
   ((((((ULONG)VA - (ULONG)MmSubsectionBase)<<4) & (ULONG)0x7ffff800)))| \
   0x80000000) \
            : \
   (((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)>>2) & (ULONG)0x0000001E) |  \
   ((((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)<<4) & (ULONG)0x7ffff800)))))

0: kd> x nt!MmSubsectionBase
80be3860????????? nt!MmSubsectionBase = 0x81c01000


0: kd> p
nt!MiAddViewsForSection+0x1b3:
80a999ff 0d00000080????? or????? eax,80000000h
0: kd> p
nt!MiAddViewsForSection+0x1b8:
80a99a04 eb1a??????????? jmp???? nt!MiAddViewsForSection+0x1d4 (80a99a20)
0: kd> r
eax=f854c018


??????????? TempPte.u.Long = MiGetSubsectionAddressForPte (MappedSubsection);?? ??? ?=eax=f854c018
??????????? TempPte.u.Soft.Prototype = 1;


??????????? MiFillMemoryPte (ProtoPtes, Size / sizeof (MMPTE), TempPte.u.Long);


0: kd> dd e13c3008
e13c3008? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3018? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3028? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3038? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3048? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3058? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3068? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3078? f854c4d8 f854c4d8 f854c4d8 f854c4d8
0: kd> dd e13c3008+80*7
e13c3388? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3398? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33a8? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33b8? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33c8? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33d8? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33e8? f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33f8? f854c4d8 f854c4d8 f854c4d8 f854c4d8


0: kd> ?0n256/0n32
Evaluate expression: 8 = 00000008

說明：Size = (PtesInSubsection + UnusedPtes) * sizeof(MMPTE) = (0x100 + 0) * 4 = 0x400 位元組；dd 每屏顯示 32 個 dword，256 個原型 PTE 共 8 屏，最後一屏從 e13c3008 + 0x80*7 開始，可見整個陣列都被 MiFillMemoryPte 填成同一個值。
注意：轉儲出的值是 f854c4d8，而不是 f854c018 | 0x400 = f854c418；多出的 0xc0 落在 bit 6..7，推測屬於軟體 PTE 的 Protection 欄位，來自本文未引用的一條設定 Protection 的語句——請對照完整的 MiAddViewsForSection 原始碼確認。


??????????? if (MappedSubsection->SubsectionBase == NULL) {

??????????????? ASSERT (MappedSubsection->NumberOfMappedViews == 1);

??????????????? MappedSubsection->SubsectionBase = ProtoPtes;
??????????? }

0: kd> dt subsection 0x89455c30+30
nt!SUBSECTION
?? +0x000 ControlArea????? : 0x89455c30 _CONTROL_AREA
?? +0x004 u??????????????? : __unnamed
?? +0x008 StartingSector?? : 0
?? +0x00c NumberOfFullSectors : 0x100
?? +0x010 SubsectionBase?? : 0xe13c3008 _MMPTE?? ??? ??? ?//+0x010 SubsectionBase?? : 0xe13c3008 _MMPTE
?? +0x014 UnusedPtes?????? : 0
?? +0x018 PtesInSubsection : 0x100
?? +0x01c NextSubsection?? : (null)


第七部分:


MiAddViewsForSection 是從 MmMapViewInSystemCache 的這個呼叫點進入的：
??????? Status = MiAddViewsForSection ((PMSUBSECTION)Subsection,
?????????????????????????????????????? LastPteOffset,
?????????????????????????????????????? OldIrql,
?????????????????????????????????????? &Waited);
MiAddViewsForSection 返回後，MmMapViewInSystemCache 接著執行：

??? //
??? // Zero this explicitly now since the number of pages may be only 1.
??? //

??? (PointerPte + 1)->u.List.NextEntry = 0;

??? *CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte);?? ??? ?//關鍵代碼:


#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))


esi=c0305300

0: kd> x nt!MmFirstFreeSystemCache
80b23594????????? nt!MmFirstFreeSystemCache = 0xc0305300

PointerPte = 0xc0305300（即推進 MmFirstFreeSystemCache 之前的舊值）。
MiGetVirtualAddressMappedByPte 在 32 位 ULONG 上左移 10：0xc0305300 << 10 = 0x300c14c00000，截斷為 32 位後得 0xc14c0000。
等價的理解：非 PAE x86 下頁表起始於 0xc0000000（見上面的 MmSystemCachePteBase），每個 4 位元組 PTE 對應一個 4 KB 頁，所以 VA = ((0xc0305300 - 0xc0000000) / 4) << 12 = 0xc14c0 << 12 = 0xc14c0000，即這個 256 KB 視圖在系統快取中的基址（稍後寫入 Vacb->BaseAddress）。


0: kd> p
nt!MmMapViewInSystemCache+0x37c:
80aaf06e 8901??????????? mov???? dword ptr [ecx],eax
0: kd> p
nt!MmMapViewInSystemCache+0x37e:
80aaf070 8b4310????????? mov???? eax,dword ptr [ebx+10h]
0: kd> r
eax=c14c0000

??? *CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte);?? ?=eax=c14c0000


??? ProtoPte = &Subsection->SubsectionBase[PteOffset];

??? LastProto = &Subsection->SubsectionBase[Subsection->PtesInSubsection];

??? LastPte = PointerPte + NumberOfPages;


dv

??????? ProtoPte = 0xe13c3008
???????? LastPte = 0xc0305400
?????? LastProto = 0xe13c3408


??????? PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);
??????? MI_WRITE_INVALID_PTE (PointerPte, PteContents);

#define MiProtoAddressForKernelPte(proto_va)? MiProtoAddressForPte(proto_va)


/*
 * Encode the address of a prototype PTE (which lives in paged pool, see
 * MmProtopte_Base) into an invalid PTE that "points to prototype".
 * With d = proto_va - MmProtopte_Base:
 *   bits 1-7   <- d bits 2-8     ((d >> 1) & 0xfe)
 *   bits 11-31 <- d bits 9-29    ((d << 2) & 0xfffff800)
 *   bit 10     <- 1              (MM_PTE_PROTOTYPE_MASK)
 * Bit 0 (Valid) stays 0, and d bits 0-1 are dropped, so prototype PTEs must
 * be 4-byte aligned.  Trace example: 0xe13c3008 - 0xe1000000 = 0x3c3008 ->
 * 0x04 | 0xf0c000 | 0x400 = 0x00f0c404, the first entry written at c0305300;
 * consecutive prototype PTEs differ by 4 in d, hence by 2 in the result.
 *
 * NOTE(review): proto_va is evaluated twice and is not parenthesized inside
 * the casts, so pass a plain identifier, never an expression with side effects.
 */
#define MiProtoAddressForPte(proto_va)  \
   ((((((ULONG)proto_va - MmProtopte_Base) >> 1) & (ULONG)0x000000FE)   | \
    (((((ULONG)proto_va - MmProtopte_Base) << 2) & (ULONG)0xfffff800))) | \
    MM_PTE_PROTOTYPE_MASK)

#define MmProtopte_Base ((ULONG)MmPagedPoolStart)

0: kd> x nt!MmPagedPoolStart
80b15028????????? nt!MmPagedPoolStart = 0xe1000000


MiProtoAddressForPte(0xe13c3008) 的計算：
  proto_va - MmProtopte_Base = 0xe13c3008 - 0xe1000000 = 0x3c3008
  (0x3c3008 >> 1) & 0xfe            = 0x1e1804 & 0xfe       = 0x04
  (0x3c3008 << 2) & 0xfffff800      = 0xf0c020 & 0xfffff800 = 0xf0c000
  再 OR 上 MM_PTE_PROTOTYPE_MASK (0x400，bit 10)             = 0x00f0c404
與下面呼叫返回後 c0305300 處的第一個 PTE 值 00f0c404 一致；後續每個 PTE 遞增 2，因為 proto_va 每前進 4 位元組，(delta >> 1) 就增加 2。
注意這 0x40 個系統快取 PTE 的 bit 0 (Valid) 都是 0：此時它們只是「指向原型 PTE」的無效軟體 PTE，尚未映射任何實體頁。


0: kd> dd c0305300
c0305300? c1500000 00000000 00000000 00000000
c0305310? 00000000 00000000 00000000 00000000
c0305320? 00000000 00000000 00000000 00000000
c0305330? 00000000 00000000 00000000 00000000
c0305340? 00000000 00000000 00000000 00000000
c0305350? 00000000 00000000 00000000 00000000
c0305360? 00000000 00000000 00000000 00000000
c0305370? 00000000 00000000 00000000 00000000

0: kd> gu
nt!CcGetVacbMiss+0x300:
80a1a49e 8945d4????????? mov???? dword ptr [ebp-2Ch],eax

0: kd> dd c0305300
c0305300? 00f0c404 00f0c406 00f0c408 00f0c40a
c0305310? 00f0c40c 00f0c40e 00f0c410 00f0c412
c0305320? 00f0c414 00f0c416 00f0c418 00f0c41a
c0305330? 00f0c41c 00f0c41e 00f0c420 00f0c422
c0305340? 00f0c424 00f0c426 00f0c428 00f0c42a
c0305350? 00f0c42c 00f0c42e 00f0c430 00f0c432
c0305360? 00f0c434 00f0c436 00f0c438 00f0c43a
c0305370? 00f0c43c 00f0c43e 00f0c440 00f0c442


第八部分:

??? if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {

??????? Vacb->SharedCacheMap = SharedCacheMap;
??????? Vacb->Overlay.FileOffset = NormalOffset;
??????? Vacb->Overlay.ActiveCount = 1;

??????? SetVacb( SharedCacheMap, NormalOffset, Vacb );

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
?? +0x000 NodeTypeCode???? : 0n767
?? +0x002 NodeByteSize???? : 0n304
?? +0x004 OpenCount??????? : 1
?? +0x008 FileSize???????? : _LARGE_INTEGER 0x2000
?? +0x010 BcbList????????? : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
?? +0x018 SectionSize????? : _LARGE_INTEGER 0x100000
?? +0x020 ValidDataLength? : _LARGE_INTEGER 0x7fffffff`ffffffff
?? +0x028 ValidDataGoal??? : _LARGE_INTEGER 0x7fffffff`ffffffff
?? +0x030 InitialVacbs???? : [4] (null)
?? +0x040 Vacbs??????????? : 0x89455cc8? -> (null)

??????? Vacb->SharedCacheMap = SharedCacheMap;?? ?esi=899880d8
??????? Vacb->Overlay.FileOffset = NormalOffset;
??????? Vacb->Overlay.ActiveCount = 1;

??????? SetVacb( SharedCacheMap, NormalOffset, Vacb );


回顧:
??????? Status = MmMapViewInSystemCache (SharedCacheMap->Section,
???????????????????????????????????????? &Vacb->BaseAddress,?? ??? ??? ??? ?+0x000 BaseAddress????? : 0xc14c0000 Void
???????????????????????????????????????? &NormalOffset,
???????????????????????????????????????? &MappedLength.LowPart);


0: kd> dt _vacb 899880d8
nt!_VACB
?? +0x000 BaseAddress????? : 0xc14c0000 Void
?? +0x004 SharedCacheMap?? : 0x89455c98 _SHARED_CACHE_MAP
?? +0x008 Overlay????????? : __unnamed
?? +0x010 LruList????????? : _LIST_ENTRY [ 0x80b1cb60 - 0x89988010 ]


0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
?? +0x000 NodeTypeCode???? : 0n767
?? +0x002 NodeByteSize???? : 0n304
?? +0x004 OpenCount??????? : 1
?? +0x008 FileSize???????? : _LARGE_INTEGER 0x2000
?? +0x010 BcbList????????? : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
?? +0x018 SectionSize????? : _LARGE_INTEGER 0x100000
?? +0x020 ValidDataLength? : _LARGE_INTEGER 0x7fffffff`ffffffff
?? +0x028 ValidDataGoal??? : _LARGE_INTEGER 0x7fffffff`ffffffff
?? +0x030 InitialVacbs???? : [4] 0x899880d8 _VACB
?? +0x040 Vacbs??????????? : 0x89455cc8? -> 0x899880d8 _VACB


0: kd> dd 0x89455cc8
89455cc8? 899880d8 00000000 00000000 00000000


0: kd> p
nt!CcGetVacbMiss+0x59d:
80a1a73b c21000????????? ret???? 10h
0: kd> p
nt!CcGetVirtualAddress+0xc7:
80a1a947 8bf0??????????? mov???? esi,eax
0: kd> r
eax=899880d8
