第一部分:
??????????????? while (TRUE) {
??????????????????? KeClearEvent (&IoEvent);
??????????????????? Status = IoSynchronousPageWrite (FilePointer,
???????????????????????????????????????????????????? Mdl,
???????????????????????????????????????????????????? (PLARGE_INTEGER)&StartingOffset,
???????????????????????????????????????????????????? &IoEvent,
???????????????????????????????????????????????????? IoStatus);
1: kd> p
nt!MiFlushSectionInternal+0x6f6:
80a72410 e8c74bfbff      call    nt!IoSynchronousPageWrite (80a26fdc)
1: kd> t
Breakpoint 43 hit
nt!IoSynchronousPageWrite:
80a26fdc 55              push    ebp
1: kd> kc
 #
00 nt!IoSynchronousPageWrite
01 nt!MiFlushSectionInternal
02 nt!MmFlushSection
03 nt!CcFlushCache
04 Ntfs!LfsFlushLfcb
05 Ntfs!LfsFlushToLsnPriv
06 Ntfs!LfsWriteLfsRestart
07 Ntfs!LfsWriteRestartArea
08 Ntfs!NtfsCheckpointVolume
09 Ntfs!NtfsCheckpointAllVolumes
0a nt!ExpWorkerThread
0b nt!PspSystemThreadStartup
0c nt!KiThreadStartup
1: kd> dv
          FileObject = 0x89469688
MemoryDescriptorList = 0xf78d263c
      StartingOffset = 0xf78d26bc {7884800}
               Event = 0xf78d26a0
       IoStatusBlock = 0xf78d2834
1: kd> dx -r1 ((ntkrnlmp!_MDL *)0xf78d263c)
((ntkrnlmp!_MDL *)0xf78d263c)                 : 0xf78d263c [Type: _MDL *]
    [+0x000] Next             : 0x0 [Type: _MDL *]
    [+0x004] Size             : 92 [Type: short]
    [+0x006] MdlFlags         : 2 [Type: short]
    [+0x008] Process          : 0x0 [Type: _EPROCESS *]
    [+0x00c] MappedSystemVa   : 0x0 [Type: void *]
    [+0x010] StartVa          : 0x0 [Type: void *]
    [+0x014] ByteCount        : 0x2000 [Type: unsigned long]
    [+0x018] ByteOffset       : 0x0 [Type: unsigned long]
    //
    // Cache-manager write statistics (global counters): record one data
    // flush and the number of pages the MDL describes, rounded up to a
    // whole page. In the trace the MDL ByteCount is 0x2000 and the shift
    // compiles to `shr eax,0Ch` (PAGE_SHIFT == 12), so two pages are added
    // to CcDataPages; CcDataFlushes is 0xb at this point.
    //
    if (CcIsFileCached(FileObject)) {
        CcDataFlushes += 1;
        CcDataPages += (MemoryDescriptorList->ByteCount + PAGE_SIZE - 1) >> PAGE_SHIFT;   // debugger: eax=00000002 after the shift
    }
1: kd> x nt!CcDataFlushes
80b1ca50          nt!CcDataFlushes = 0xb
1: kd> p
nt!IoSynchronousPageWrite+0x27:
80a27003 c1e80c          shr     eax,0Ch
1: kd> p
nt!IoSynchronousPageWrite+0x2a:
80a27006 01054ccab180    add     dword ptr [nt!CcDataPages (80b1ca4c)],eax
1: kd> r
eax=00000002
第二部分:
1: kd> p
nt!IoSynchronousPageWrite+0x43:
80a2701f ff150888b180    call    dword ptr [nt!pIoAllocateIrp (80b18808)]
1: kd> p
nt!IoSynchronousPageWrite+0x49:
80a27025 85c0            test    eax,eax
1: kd> r
eax=894c7980
1: kd> dt _irp 894c7980
ntdll!_IRP
   +0x000 Type             : 0n6
   +0x002 Size             : 0x190
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x894c7990 - 0x894c7990 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 0 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 7 ''
   +0x023 CurrentLocation  : 8 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x4 ''
   +0x028 UserIosb         : (null)
   +0x02c UserEvent        : (null)
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : (null)
   +0x040 Tail             : __unnamed
第三部分:
    //
    // Initialize the freshly allocated IRP for a synchronous, non-cached
    // paging write. The `dt _irp` dump taken after these stores shows
    // Flags = 0x43, MdlAddress = the caller's MDL, and UserIosb/UserEvent
    // equal to the IoStatusBlock and Event arguments seen in `dv`.
    //
    irp->MdlAddress = MemoryDescriptorList;
    irp->Flags = IRP_PAGING_IO | IRP_NOCACHE | IRP_SYNCHRONOUS_PAGING_IO;
    // The request originates in the kernel. Lower drivers typically use
    // RequestorMode to decide whether buffers need probing, so the validity
    // of the MDL and of the pointers stored below rests with this caller.
    irp->RequestorMode = KernelMode;
    irp->UserIosb = IoStatusBlock;
    irp->UserEvent = Event;
    // Derived from the MDL's StartVa + ByteOffset. Both are 0 in the traced
    // MDL, which is why the dump still shows UserBuffer = (null) afterwards.
    irp->UserBuffer = (PVOID) ((PCHAR) MemoryDescriptorList->StartVa + MemoryDescriptorList->ByteOffset);
    irp->Tail.Overlay.OriginalFileObject = FileObject;
    irp->Tail.Overlay.Thread = PsGetCurrentThread();
1: kd> dt _irp 894c7980
ntdll!_IRP
   +0x000 Type             : 0n6
   +0x002 Size             : 0x190
   +0x004 MdlAddress       : 0xf78d263c _MDL
   +0x008 Flags            : 0x43
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x894c7990 - 0x894c7990 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 0 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 7 ''
   +0x023 CurrentLocation  : 8 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x4 ''
   +0x028 UserIosb         : 0xf78d2834 _IO_STATUS_BLOCK
   +0x02c UserEvent        : 0xf78d26a0 _KEVENT
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : (null)
   +0x040 Tail             : __unnamed
1: kd> dx -id 0,0,899a2278 -r1 ((ntdll!_MDL *)0xf78d263c)
((ntdll!_MDL *)0xf78d263c)                 : 0xf78d263c [Type: _MDL *]
    [+0x000] Next             : 0x0 [Type: _MDL *]
    [+0x004] Size             : 92 [Type: short]
    [+0x006] MdlFlags         : 2 [Type: short]
    [+0x008] Process          : 0x0 [Type: _EPROCESS *]
    [+0x00c] MappedSystemVa   : 0x0 [Type: void *]
    [+0x010] StartVa          : 0x0 [Type: void *]
    [+0x014] ByteCount        : 0x2000 [Type: unsigned long]
    [+0x018] ByteOffset       : 0x0 [Type: unsigned long]
第四部分:
    //
    // Fill in the normal write parameters.
    //
    // MajorFunction 4 is IRP_MJ_WRITE (the stack-location dump shows 0x4).
    // Length and ByteOffset come from the MDL and the caller's offset: the
    // expanded dump shows 0x2000 and 0x785000, and 0x785000 is 7884800,
    // the decimal value `dv` prints for StartingOffset. Of the two
    // `dt _io_stack_location` dumps, the first was taken before the
    // FileObject store (still (null)) and the second after it.
    //
    irpSp->MajorFunction = IRP_MJ_WRITE;
    irpSp->Parameters.Write.Length = MemoryDescriptorList->ByteCount;
    irpSp->Parameters.Write.ByteOffset = *StartingOffset;
    irpSp->FileObject = FileObject;
dv
      StartingOffset = 0xf78d26bc {7884800}
1: kd> dt _io_stack_location 894c7ac8
ntdll!_IO_STACK_LOCATION
   +0x000 MajorFunction    : 0x4 ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0 ''
   +0x003 Control          : 0 ''
   +0x004 Parameters       : __unnamed
   +0x014 DeviceObject     : (null)
   +0x018 FileObject       : (null)
   +0x01c CompletionRoutine : (null)
   +0x020 Context          : (null)
1: kd> dt _io_stack_location 894c7ac8
ntdll!_IO_STACK_LOCATION
   +0x000 MajorFunction    : 0x4 ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0 ''
   +0x003 Control          : 0 ''
   +0x004 Parameters       : __unnamed
   +0x014 DeviceObject     : (null)
   +0x018 FileObject       : 0x89469688 _FILE_OBJECT
   +0x01c CompletionRoutine : (null)
   +0x020 Context          : (null)
1: kd> dt _io_stack_location 894c7ac8 -r
ntdll!_IO_STACK_LOCATION
   +0x000 MajorFunction    : 0x4 ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0 ''
   +0x003 Control          : 0 ''
   +0x004 Parameters       : __unnamed
      +0x000 Write            : __unnamed
         +0x000 Length           : 0x2000
         +0x004 Key              : 0
         +0x008 ByteOffset       : _LARGE_INTEGER 0x785000
第五部分:
1: kd> p
nt!IoSynchronousPageWrite+0xa8:
80a27084 e871f6ffff      call    nt!IofCallDriver (80a266fa)
1: kd> t
nt!IofCallDriver:
80a266fa 55              push    ebp
1: kd> kc
 #
00 nt!IofCallDriver
01 nt!IoSynchronousPageWrite
02 nt!MiFlushSectionInternal
03 nt!MmFlushSection
04 nt!CcFlushCache
05 Ntfs!LfsFlushLfcb
06 Ntfs!LfsFlushToLsnPriv
07 Ntfs!LfsWriteLfsRestart
08 Ntfs!LfsWriteRestartArea
09 Ntfs!NtfsCheckpointVolume
0a Ntfs!NtfsCheckpointAllVolumes
0b nt!ExpWorkerThread
0c nt!PspSystemThreadStartup
0d nt!KiThreadStartup
1: kd> dv
   DeviceObject = 0x894c7980 Device for {...}
            Irp = 0x8962e020
Note: the two values `dv` prints here are the reverse of what the rest of the trace establishes (the IRP allocated above is 0x894c7980, and `dv` inside NtfsFsdWrite below shows Irp = 0x894c7980 and VolumeDeviceObject = 0x8962e020); this most likely happens because `dv` was run at the FASTCALL entry point before the register-passed arguments had been stored to their stack slots, so the `r` output below (edx = 894c7980) is the reliable view.
//
// IofCallDriver: hand an IRP to the driver that owns DeviceObject.
//
// If a hook has been installed (pIofCallDriver != NULL) the call is diverted
// to it together with the caller's return address; otherwise the plain
// dispatcher IopfCallDriver is used, which indexes the driver object's
// MajorFunction dispatch table with the IRP's major function code. In the
// trace that dispatch is `call dword ptr [ecx+eax*4+38h]` with eax = 4
// (IRP_MJ_WRITE) and the slot resolves to Ntfs!NtfsFsdWrite, i.e. into the
// NTFS driver image, which is the expected state of an unhooked table.
//
// Parameters: DeviceObject - target device; Irp - request being delivered.
// Returns the NTSTATUS produced by the dispatch routine (or by the hook).
//
NTSTATUS
FASTCALL
IofCallDriver(
    IN PDEVICE_OBJECT DeviceObject,
    IN OUT PIRP Irp
    )
{
    if (pIofCallDriver != NULL) {
        //
        // This routine will either jump immediately to IovCallDriver or
        // IoPerfCallDriver.
        //
        return pIofCallDriver(DeviceObject, Irp, _ReturnAddress());
    }
    return IopfCallDriver(DeviceObject, Irp);
}
1: kd> p
nt!IofCallDriver+0x5c:
80a26756 56              push    esi
1: kd> p
nt!IofCallDriver+0x5d:
80a26757 57              push    edi
1: kd> p
nt!IofCallDriver+0x5e:
80a26758 ff548138        call    dword ptr [ecx+eax*4+38h]
1: kd> r
eax=00000004 ebx=00000000 ecx=89630390 edx=894c7980 esi=894c7980 edi=8962e020
eip=80a26758 esp=f78d25ec ebp=f78d2600 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000282
nt!IofCallDriver+0x5e:
80a26758 ff548138        call    dword ptr [ecx+eax*4+38h] ds:0023:896303d8={Ntfs!NtfsFsdWrite (f714171a)}
1: kd> t
Ntfs!NtfsFsdWrite:
f714171a 6a48            push    48h
1: kd> kc
 #
00 Ntfs!NtfsFsdWrite
01 nt!IofCallDriver
02 nt!IoSynchronousPageWrite
03 nt!MiFlushSectionInternal
04 nt!MmFlushSection
05 nt!CcFlushCache
06 Ntfs!LfsFlushLfcb
07 Ntfs!LfsFlushToLsnPriv
08 Ntfs!LfsWriteLfsRestart
09 Ntfs!LfsWriteRestartArea
0a Ntfs!NtfsCheckpointVolume
0b Ntfs!NtfsCheckpointAllVolumes
0c nt!ExpWorkerThread
0d nt!PspSystemThreadStartup
0e nt!KiThreadStartup
1: kd> dv
   VolumeDeviceObject = 0x8962e020
                  Irp = 0x894c7980