Part 1: FindFirstIndexEntry (source excerpt, body elided). It asks NtfsLookupAttributeByName for the $INDEX_ROOT attribute whose name is Scb->AttributeName, resolved through Scb->Fcb and its FileReference.
VOID
FindFirstIndexEntry (
??? IN PIRP_CONTEXT IrpContext,
??? IN PSCB Scb,
??? IN PVOID Value,
??? IN OUT PINDEX_CONTEXT IndexContext
??? )
{
。。。。。。
??? //
??? //? Lookup the attribute record from the Scb.
??? //
??? if (!NtfsLookupAttributeByName( IrpContext,
??????????????????????????????????? Scb->Fcb,
??????????????????????????????????? &Scb->Fcb->FileReference,
??????????????????????????????????? $INDEX_ROOT,
??????????????????????????????????? &Scb->AttributeName,
??????????????????????????????????? NULL,
??????????????????????????????????? FALSE,
??????????????????????????????????? &IndexContext->AttributeContext )) {
Part 2: debugger state just after that NtfsLookupAttributeByName call returns (stopped at the `test al,al` on its BOOLEAN result), followed by a dump of the Scb that was passed in. Note AttributeName is "$I30" and AttributeTypeCode is 0xa0.
0: kd> p
Ntfs!FindFirstIndexEntry+0x68:
f71740d2 84c0            test    al,al
0: kd> dv
     IrpContext = 0xf793291c
            Scb = 0xe1363d20
          Value = 0xe13559b0
   IndexContext = 0xe1352348
      Attribute = 0x00000000
      IndexRoot = 0xe1352348
             Sp = 0xe1363d20
0: kd> dx -r1 ((Ntfs!_SCB *)0xe1363d20)
((Ntfs!_SCB *)0xe1363d20)                 : 0xe1363d20 [Type: _SCB *]
    [+0x000] Header           [Type: _NTFS_ADVANCED_FCB_HEADER]
    [+0x040] FcbLinks         [Type: _LIST_ENTRY]
    [+0x048] Fcb              : 0xe1363c58 [Type: _FCB *]
    [+0x04c] Vcb              : 0x895d5100 [Type: _VCB *]
    [+0x050] ScbState         : 0x100006a0 [Type: unsigned long]
    [+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]
    [+0x058] CleanupCount     : 0x1 [Type: unsigned long]
    [+0x05c] CloseCount       : 0x2 [Type: unsigned long]
    [+0x060] ShareAccess      [Type: _SHARE_ACCESS]
    [+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]
    [+0x080] AttributeName    : "$I30" [Type: _UNICODE_STRING]
    [+0x088] FileObject       : 0x8962b128 [Type: _FILE_OBJECT *]
    [+0x08c] NonpagedScb      : 0x89954e60 [Type: _SCB_NONPAGED *]
    [+0x090] Mcb              [Type: _NTFS_MCB]
    [+0x0a8] McbStructs       [Type: NTFS_MCB_INITIAL_STRUCTS]
    [+0x0f0] CompressionUnit  : 0x0 [Type: unsigned long]
    [+0x0f4] AttributeFlags   : 0x0 [Type: unsigned short]
    [+0x0f6] CompressionUnitShift : 0x0 [Type: unsigned char]
    [+0x0f7] PadUchar         : 0x0 [Type: unsigned char]
    [+0x0f8] ValidDataToDisk  : 0 [Type: __int64]
    [+0x100] TotalAllocated   : 8192 [Type: __int64]
    [+0x108] EofListHead      [Type: _LIST_ENTRY]
    [+0x110] CcbQueue         [Type: _LIST_ENTRY]
    [+0x118] ScbSnapshot      : 0x0 [Type: _SCB_SNAPSHOT *]
    [+0x11c] EncryptionContext : 0x0 [Type: void *]
    [+0x120] EncryptionContextLength : 0x0 [Type: unsigned long]
    [+0x124] ScbPersist       : 0x0 [Type: unsigned long]
    [+0x128] IoAtEofThread    : 0x0 [Type: unsigned long *]
    [+0x130] ScbType          [Type: __unnamed]
Part 3: NtfsFindInFileRecord (source excerpt, most of the loop body elided). For each attribute record it builds the record's name with NtfsInitializeStringFromAttribute and leaves the loop when NtfsAreNamesEqual reports a match against QueriedName.
BOOLEAN
NtfsFindInFileRecord (
??? IN PIRP_CONTEXT IrpContext,
??? IN PATTRIBUTE_RECORD_HEADER Attribute,
??? OUT PATTRIBUTE_RECORD_HEADER *ReturnAttribute,
??? IN ATTRIBUTE_TYPE_CODE QueriedTypeCode,
??? IN PCUNICODE_STRING QueriedName OPTIONAL,
??? IN BOOLEAN IgnoreCase,
??? IN PVOID QueriedValue OPTIONAL,
??? IN ULONG QueriedValueLength
??? )
{
??? while ( TRUE ) {
。。。。。。
??????????????? NtfsInitializeStringFromAttribute( &AttributeName, Attribute );
??????????????? //
??????????????? //? See if we have a name match.
??????????????? //
??????????????? if (NtfsAreNamesEqual( UpcaseTable,
?????????????????????????????????????? &AttributeName,
?????????????????????????????????????? QueriedName,
?????????????????????????????????????? IgnoreCase )) {
??????????????????? break;
??????????????? }
??? return TRUE;
}
Part 4: the NtfsInitializeStringFromAttribute macro and the two fields it reads from the attribute record (NameLength, NameOffset), shown as they appear in the $I30 record reached in Part 5; the db dump at NameOffset shows the 16-bit (WCHAR) name "$I30".
??????????????? NtfsInitializeStringFromAttribute( &AttributeName, Attribute );
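//
//  Build a UNICODE_STRING that aliases the name stored inside an attribute
//  record: Length and MaximumLength become NameLength in bytes (NameLength
//  counts WCHARs, hence the << 1) and Buffer points at Attribute + NameOffset.
//  Nothing is copied, so the resulting string is only valid while the record
//  it points into stays mapped.
//
//  NameLength and NameOffset are taken straight from the attribute record,
//  i.e. from on-disk data; this macro does not check that
//  NameOffset + Length lies within RecordLength.  NOTE(review): that
//  invariant has to be established before the macro is used (presumably
//  when the file record is validated on read) - not visible in this excerpt,
//  confirm against the caller.
//
#define NtfsInitializeStringFromAttribute(NAME,ATTRIBUTE) {                \
    (NAME)->Length = (USHORT)(ATTRIBUTE)->NameLength << 1;                 \
    (NAME)->MaximumLength = (NAME)->Length;                                \
    (NAME)->Buffer = (PWSTR)Add2Ptr((ATTRIBUTE), (ATTRIBUTE)->NameOffset); \
}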
(NAME)->Length         <- (ATTRIBUTE)->NameLength << 1                debugger: +0x009 NameLength       : 0x4 ''   (4 WCHARs = 8 bytes)
(NAME)->Buffer         <- (ATTRIBUTE) + (ATTRIBUTE)->NameOffset       debugger: +0x00a NameOffset       : 0x18
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28+48
   +0x000 TypeCode         : 0x90
   +0x004 RecordLength     : 0xe0
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 6
   +0x010 Form             : __unnamed
0: kd> db 0xc1241438+48+60+28+48+18
c1241568  24 00 49 00 33 00 30 00-30 00 00 00 01 00 00 00  $.I.3.0.0.......
Part 5: walking the attribute records of the file record at 0xc1241438 inside NtfsFindInFileRecord. Each header is reached by adding the previous record's RecordLength (0x48, 0x60, 0x28, 0x48); the fifth record has TypeCode 0x90 with NameLength 4 and NameOffset 0x18 - the "$I30" record that matches the $INDEX_ROOT lookup in Part 1. The walk is driven entirely by RecordLength values read from the volume.
0: kd> p
Ntfs!NtfsFindInFileRecord+0x92:
f7171ac2 384d1c          cmp     byte ptr [ebp+1Ch],cl
0: kd> dv
        IrpContext = 0xf793291c
         Attribute = 0xc1241438
0: kd> dx -r1 ((Ntfs!_ATTRIBUTE_RECORD_HEADER *)0xc1241438)
((Ntfs!_ATTRIBUTE_RECORD_HEADER *)0xc1241438)                 : 0xc1241438 [Type: _ATTRIBUTE_RECORD_HEADER *]
    [+0x000] TypeCode         : 0x10 [Type: unsigned long]
    [+0x004] RecordLength     : 0x48 [Type: unsigned long]
    [+0x008] FormCode         : 0x0 [Type: unsigned char]
    [+0x009] NameLength       : 0x0 [Type: unsigned char]
    [+0x00a] NameOffset       : 0x18 [Type: unsigned short]
    [+0x00c] Flags            : 0x0 [Type: unsigned short]
    [+0x00e] Instance         : 0x0 [Type: unsigned short]
    [+0x010] Form             [Type: __unnamed]
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438
   +0x000 TypeCode         : 0x10
   +0x004 RecordLength     : 0x48
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 0
   +0x010 Form             : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48
   +0x000 TypeCode         : 0x30
   +0x004 RecordLength     : 0x60
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 1
   +0x010 Form             : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60
   +0x000 TypeCode         : 0x40
   +0x004 RecordLength     : 0x28
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0
   +0x00c Flags            : 0
   +0x00e Instance         : 9
   +0x010 Form             : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28
   +0x000 TypeCode         : 0x50
   +0x004 RecordLength     : 0x48
   +0x008 FormCode         : 0x1 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x40
   +0x00c Flags            : 0
   +0x00e Instance         : 2
   +0x010 Form             : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28+48
   +0x000 TypeCode         : 0x90
   +0x004 RecordLength     : 0xe0
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 6
   +0x010 Form             : __unnamed