第一部分:
????????????????? LfsUpdateLfcbFromRestart( ThisLfcb,
FileSize,
DiskRestartArea,
FirstRestar
1: kd> p
Ntfs!LfsRestartLogFile+0x317:
f71fc8dd e820e5ffff????? call??? Ntfs!LfsUpdateLfcbFromRestart (f71fae02)
1: kd> t
Ntfs!LfsUpdateLfcbFromRestart:
f71fae02 55????????????? push??? ebp
1: kd> kc
#
00 Ntfs!LfsUpdateLfcbFromRestart
01 Ntfs!LfsRestartLogFile
02 Ntfs!LfsOpenLogFile
03 Ntfs!NtfsStartLogFile
04 Ntfs!NtfsMountVolume
05 Ntfs!NtfsCommonFileSystemControl
06 Ntfs!NtfsFspDispatch
07 nt!ExpWorkerThread
08 nt!PspSystemThreadStartup
09 nt!KiThreadStartup
1: kd> dv
Lfcb = 0xe1364008
FileSize = 0n67108864
RestartArea = 0xc1140030
RestartOffset = 0x30
LsnFileOffset = 0n67108864
Wrapped = 0x00 ''
LsnFinalOffset = 0n38505786882
第二部分:
??? Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn );
#define LfsLsnToSeqNumber(LFCB,LSN)???????????????????????????????????????????? \
/*xxShr*/Int64ShrlMod32( ((ULONGLONG)(LSN).QuadPart), (LFCB)->FileDataBits )
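邏輯右移:各位元向右移動,左邊空出的高位補 0(不做符號擴展)。Windows 中對應的函數為 Int64ShrlMod32,其移位量應在 0–31 的範圍內。這裡的移位量 FileDataBits 由 64 減去 RestartArea->SeqNumberBits 得到,而呼叫端傳入的是 DiskRestartArea,所以分析時應留意此值在使用前是否經過範圍檢查(本頁的片段未顯示該檢查)。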
1: kd> dt _LFS_RESTART_AREA 0xc1140030
Ntfs!_LFS_RESTART_AREA
+0x000 CurrentLsn       : _LARGE_INTEGER 0x8117464
+0x008 LogClients       : 1
+0x00a ClientFreeList   : 0xffff
+0x00c ClientInUseList  : 0
+0x00e Flags            : 0
+0x010 SeqNumberBits    : 0x28
+0x014 RestartAreaLength : 0xe0
+0x016 ClientArrayOffset : 0x40
+0x018 FileSize         : 0n67108864
+0x020 LastLsnDataLength : 0x68
+0x024 RecordHeaderLength : 0x30
+0x026 LogPageDataOffset : 0x40
+0x028 RestartOpenLogCount : 0x85e1225b
+0x02c LastFailedFlushStatus : 0
+0x030 LastFailedFlushOffset : 0n0
+0x038 LastFailedFlushLsn : _LARGE_INTEGER 0x0
+0x040 LogClientArray   : [1] _LFS_CLIENT_RECORD
第三部分:
??? Lfcb->SeqNumberBits = RestartArea->SeqNumberBits;
Lfcb->FileDataBits = (sizeof( LSN ) * 8) - Lfcb->SeqNumberBits;
?? +0x010 SeqNumberBits??? : 0x28
1: kd> dt _LARGE_INTEGER -v
hal!_LARGE_INTEGER
union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart????????? : Uint4B
+0x004 HighPart???????? : Int4B
+0x000 u??????????????? : struct __unnamed, 2 elements, 0x8 bytes
+0x000 QuadPart???????? : Int8B
sizeof( LSN ) * 8 = 0x8 * 8 = 0x40(64 位元);0x40 - 0x28(SeqNumberBits)= 0x18(FileDataBits)
第四部分:
} else {
Lfcb->FileSize = min( FileSize, RestartArea->FileSize );
}
[+0x018] FileSize???????? : 67108864 [Type: __int64]
第五部分:
??? //
//? We get the sequence number bits from the restart area and compute the
//? file data bits.
//
??? Lfcb->SeqNumberBits = RestartArea->SeqNumberBits;
Lfcb->FileDataBits = (sizeof( LSN ) * 8) - Lfcb->SeqNumberBits;
[+0x080] SeqNumberBits??? : 0x28 [Type: unsigned long]
[+0x084] FileDataBits???? : 0x18 [Type: unsigned long]
Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn );    // = 0x8(0x8117464 >> 0x18)
[+0x0c8] LastFlushedLsn?? : {135361636} [Type: _LARGE_INTEGER]
1: kd> ?0n135361636
Evaluate expression: 135361636 = 08117464
#define LfsLsnToSeqNumber(LFCB,LSN)???????????????????????????????????????????? \
/*xxShr*/Int64ShrlMod32( ((ULONGLONG)(LSN).QuadPart), (LFCB)->FileDataBits )
邏輯右移:各位元向右移動,左邊空出的高位補 0。Windows 中對應的函數為 Int64ShrlMod32。
??? Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn );
Lfcb->SeqNumberForWrap = Lfcb->SeqNumber + 1;
[+0x070] SeqNumber??????? : 8 [Type: __int64]
[+0x078] SeqNumberForWrap : 9 [Type: __int64]
第六部分:
1: kd> dv
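Lfcb = 0x00000018
FileSize = 0n135361636
RestartArea = 0xc1140030
RestartOffset = 0x30
(注:此處 dv 顯示的 Lfcb 與 FileSize 並非真實值:0x18 正好是 FileDataBits,135361636 正好是 LastFlushedLsn,推測是優化後區域變數的儲存位置被重用所致;後面的 dt _LFCB 仍使用 0xe1364008。)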
//
//? Compute the restart page values from the restart offset.
//
??? Lfcb->RestartDataOffset = RestartOffset;
Lfcb->RestartDataSize = (ULONG)Lfcb->LogPageSize - RestartOffset;
??? [+0x04c] RestartDataOffset : 0x30 [Type: unsigned long]
[+0x050] LogPageDataOffset : 0 [Type: __int64]
[+0x058] RestartDataSize? : 0xfd0 [Type: unsigned long]
if (FlagOn( Lfcb->Flags, LFCB_PACK_LOG )) {
??????? Lfcb->RecordHeaderLength = RestartArea->RecordHeaderLength;
??????? Lfcb->ClientArrayOffset = RestartArea->ClientArrayOffset;
??????? Lfcb->RestartAreaSize = RestartArea->RestartAreaLength;
?????? (ULONG)Lfcb->LogPageDataOffset = RestartArea->LogPageDataOffset;
Lfcb->LogPageDataSize = Lfcb->LogPageSize - Lfcb->LogPageDataOffset;
[+0x024] RecordHeaderLength : 0x30 [Type: unsigned short]
??? [+0x016] ClientArrayOffset : 0x40 [Type: unsigned short]
??? [+0x014] RestartAreaLength : 0xe0 [Type: unsigned short]
??? [+0x026] LogPageDataOffset : 0x40 [Type: unsigned short]
第七部分:
LfsAllocateLbcb( Lfcb, &Lfcb->PrevTail );
Lfcb->PrevTail->FileOffset = Lfcb->FirstLogPage - Lfcb->LogPageSize;
??????? LfsAllocateLbcb( Lfcb, &Lfcb->ActiveTail );
Lfcb->ActiveTail->FileOffset = Lfcb->PrevTail->FileOffset - Lfcb->LogPageSize;
1: kd> dt _LFCB 0xe1364008
Ntfs!_LFCB
+0x000 NodeTypeCode???? : 0n2051
+0x002 NodeByteSize???? : 0n352
+0x004 LfcbLinks??????? : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x00c LchLinks???????? : _LIST_ENTRY [ 0xe1364014 - 0xe1364014 ]
+0x014 FileObject?????? : 0x89811f90 _FILE_OBJECT
+0x018 FileSize???????? : 0n67108864
+0x020 LogPageSize????? : 0n4096
+0x028 LogPageMask????? : 0xfff
+0x02c LogPageInverseMask : 0n-4096
+0x030 LogPageShift???? : 0xc
+0x038 FirstLogPage???? : 0n16384
1: kd> ?0n16384
Evaluate expression: 16384 = 00004000
?? +0x098 ActiveTail?????? : 0xe13417e8 _LBCB
+0x09c PrevTail???????? : 0xe1278640 _LBCB
1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_LBCB *)0xe1278640)
((Ntfs!_LBCB *)0xe1278640)???????????????? : 0xe1278640 [Type: _LBCB *]
[+0x000] NodeTypeCode???? : 2050 [Type: short]
[+0x002] NodeByteSize???? : 96 [Type: short]
[+0x004] WorkqueLinks???? [Type: _LIST_ENTRY]
[+0x00c] ActiveLinks????? [Type: _LIST_ENTRY]
[+0x018] FileOffset       : 12288 [Type: __int64]    // 0x3000 = FirstLogPage (0x4000) - LogPageSize (0x1000)
[+0x020] Length?????????? : 0 [Type: __int64]
[+0x028] SeqNumber??????? : 0 [Type: __int64]
[+0x030] BufferOffset???? : 0 [Type: __int64]
[+0x038] PageHeader?????? : 0x0 [Type: void *]
[+0x03c] LogPageBcb?????? : 0x0 [Type: void *]
[+0x040] LastLsn????????? : {0} [Type: _LARGE_INTEGER]
[+0x048] LastEndLsn?????? : {0} [Type: _LARGE_INTEGER]
[+0x050] Flags??????????? : 0x0 [Type: unsigned long]
[+0x054] LbcbFlags??????? : 0x0 [Type: unsigned long]
[+0x058] ResourceThread?? : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_LBCB *)0xe13417e8)
((Ntfs!_LBCB *)0xe13417e8)???????????????? : 0xe13417e8 [Type: _LBCB *]
[+0x000] NodeTypeCode???? : 2050 [Type: short]
[+0x002] NodeByteSize???? : 96 [Type: short]
[+0x004] WorkqueLinks???? [Type: _LIST_ENTRY]
[+0x00c] ActiveLinks????? [Type: _LIST_ENTRY]
[+0x018] FileOffset       : 8192 [Type: __int64]    // 0x2000 = PrevTail->FileOffset (0x3000) - LogPageSize (0x1000)
[+0x020] Length?????????? : 0 [Type: __int64]
[+0x028] SeqNumber??????? : 0 [Type: __int64]
[+0x030] BufferOffset???? : 0 [Type: __int64]
[+0x038] PageHeader?????? : 0x0 [Type: void *]
[+0x03c] LogPageBcb?????? : 0x0 [Type: void *]
[+0x040] LastLsn????????? : {0} [Type: _LARGE_INTEGER]
[+0x048] LastEndLsn?????? : {0} [Type: _LARGE_INTEGER]
[+0x050] Flags??????????? : 0x0 [Type: unsigned long]
[+0x054] LbcbFlags??????? : 0x0 [Type: unsigned long]
[+0x058] ResourceThread?? : 0x0 [Type: unsigned long]
第八部分:
??????? (ULONG)Lfcb->ReservedLogPageSize = (ULONG)Lfcb->LogPageDataSize - Lfcb->RecordHeaderLength;
?? +0x060 LogPageDataSize? : 0n4032
1: kd> ?0n4032
Evaluate expression: 4032 = 00000fc0
[+0x100] ReservedLogPageSize : 3984 [Type: __int64]    // 0x00000f90 = LogPageDataSize (0xfc0) - RecordHeaderLength (0x30)
#define LfsLsnToFileOffset(LFCB,LSN)??????????????????????????????????????????? \
/*xxShr*/( ((ULONGLONG)/*xxShl*/( (LSN).QuadPart << (LFCB)->SeqNumberBits )) >> ((LFCB)->SeqNumberBits - 3) )
第九部分:
??? LsnFileOffset = LfsLsnToFileOffset( Lfcb, Lfcb->LastFlushedLsn );
[+0x0c8] LastFlushedLsn?? : {135361636} [Type: _LARGE_INTEGER]
1: kd> ?0n135361636
Evaluate expression: 135361636 = 08117464
??? [+0x080] SeqNumberBits??? : 0x28 [Type: unsigned long]
[+0x084] FileDataBits???? : 0x18 [Type: unsigned long]
0x8117464
1000 0001 0001 0111 0100 0110 0100
1000 0001 0001 0111 0100 0110 0100 000
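100 | 0 000 | 1 000 | 1 011 | 1 010 | 0 011 | 0 010 | 0 000
(自右起每 4 位一組重新分組,低 28 位為 0x08ba320。最前面的 100 來自序號部分 0x8:巨集先左移 SeqNumberBits(0x28)位時,高 0x28 位已被移出,只留下低 0x18 位 0x117464;再右移 0x28-3 位,相當於 0x117464 乘以 8。)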
1: kd> ?0x117464*8
Evaluate expression: 9151264 = 008ba320
1: kd> p
Ntfs!LfsUpdateLfcbFromRestart+0x1f9:
f71faffb e8c0b8f4ff????? call??? Ntfs!aullshr (f71468c0)
1: kd> p
Ntfs!LfsUpdateLfcbFromRestart+0x1fe:
f71fb000 8b4e38????????? mov???? ecx,dword ptr [esi+38h]
1: kd> r
eax=008ba320
1: kd> dv
Lfcb = 0x00000018
FileSize = 0n9151264
RestartArea = 0xc1140030
RestartOffset = 0x30
LsnFileOffset = 0n9151264
Wrapped = 0x00 ''
LsnFinalOffset = 0n38654705673
1: kd> ?0n9151264
Evaluate expression: 9151264 = 008ba320
第十部分:
??? } else {
??????? LONGLONG LsnFinalOffset;
BOOLEAN Wrapped;
??????? ULONG DataLength;
ULONG RemainingPageBytes;
??????? DataLength = RestartArea->LastLsnDataLength;
??????? //
//? Find the end of this log record.
//
??????? LfsLsnFinalOffset( Lfcb,
Lfcb->LastFlushedLsn,
DataLength,
&LsnFinalOffset );
??? [+0x020] LastLsnDataLength : 0x68 [Type: unsigned long]
1: kd> p
Ntfs!LfsUpdateLfcbFromRestart+0x23b:
f71fb03d e8183a0000????? call??? Ntfs!LfsLsnFinalOffset (f71fea5a)
1: kd> t
Ntfs!LfsLsnFinalOffset:
f71fea5a 55????????????? push??? ebp
1: kd> kc
#
00 Ntfs!LfsLsnFinalOffset
01 Ntfs!LfsUpdateLfcbFromRestart
02 Ntfs!LfsRestartLogFile
03 Ntfs!LfsOpenLogFile
04 Ntfs!NtfsStartLogFile
05 Ntfs!NtfsMountVolume
06 Ntfs!NtfsCommonFileSystemControl
07 Ntfs!NtfsFspDispatch
08 nt!ExpWorkerThread
09 nt!PspSystemThreadStartup
0a nt!KiThreadStartup
1: kd> dv
Lfcb = 0xe1364008
Lsn = {135361636}
DataLength = 0x68
FinalOffset = 0xf78d2934
RemainingPageBytes = 0xf78d2934
Wrapped = 0xe1 ''
(注:此時剛以 t 進入 LfsLsnFinalOffset,停在第一條指令 push ebp,堆疊框架尚未建立,上面三個值應視為尚未初始化的內容,不代表實際結果。)