系统线程nt!CcPfBootWorker里面的nt!MmPrefetchPages函数分析
第一部分:
CcPfBeginBootPhase函数分析之创建了系统线程CcPfBootWorker
NTSTATUS
CcPfBeginBootPhase(
PF_BOOT_PHASE_ID Phase
)
//
// Kick off the boot worker in paralel.
//
Status = PsCreateSystemThread(&ThreadHandle,
THREAD_ALL_ACCESS,
NULL,
NULL,
NULL,
CcPfBootWorker,
BootPrefetcher);
第二部分:
1: kd> kc
#
00 nt!MmPrefetchPages
01 nt!CcPfPrefetchSections
02 nt!CcPfBootWorker
03 nt!PspSystemThreadStartup
04 nt!KiThreadStartup
1: kd> p
nt!MmPrefetchPages+0x229:
80cf7d25 8d1c88 lea ebx,[eax+ecx*4]
1: kd> r
eax=898d7870 ebx=898d78b0 ecx=00000011 edx=04fb0000 esi=8989e020 edi=80a03598
eip=80cf7d25 esp=f705fb50 ebp=f705fb74 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!MmPrefetchPages+0x229:
80cf7d25 8d1c88 lea ebx,[eax+ecx*4]
1: kd> dd 898d7870
898d7870 8973a008 895ef848 895efce8 895ef820
898d7880 89808e58 8946f268 8952e3f8 8962bf80
898d7890 8962b4c0 8952e760 898d7848 89492210
898d78a0 89439988 894921a8 89505e18 8989b1f8
898d78b0 898fefa8 8980d8c0 89840310 895f1200
898d78c0 895f1310 895881d0 89941e10 898d7820
898d78d0 898d7d08 898d7ce0 8951d310 8945cb20
898d78e0 896242c0 8945c508 898457e0 895c70e8
1: kd> dt _MI_READ_LIST 895ef848
nt!_MI_READ_LIST
+0x000 ControlArea : 0x895ae810 _CONTROL_AREA
+0x004 FileObject : 0x89624698 _FILE_OBJECT
+0x008 LastPteOffsetReferenced : 0x128
+0x00c InPageSupportHead : _SINGLE_LIST_ENTRY
+0x010 List : [1] _MI_READ_LIST_ENTRY
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_FILE_OBJECT *)0x89624698)
((ntkrnlmp!_FILE_OBJECT *)0x89624698) : 0x89624698 [Type: _FILE_OBJECT *]
[+0x000] Type : 5 [Type: short]
[+0x002] Size : 112 [Type: short]
[+0x004] DeviceObject : 0x89811788 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
[+0x008] Vpb : 0x89909178 [Type: _VPB *]
[+0x00c] FsContext : 0xe15bd7c8 [Type: void *]
[+0x010] FsContext2 : 0xe15bd918 [Type: void *]
[+0x014] SectionObjectPointer : 0x899ad3dc [Type: _SECTION_OBJECT_POINTERS *]
[+0x018] PrivateCacheMap : 0x0 [Type: void *]
[+0x01c] FinalStatus : 0 [Type: long]
[+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
[+0x024] LockOperation : 0x0 [Type: unsigned char]
[+0x025] DeletePending : 0x0 [Type: unsigned char]
[+0x026] ReadAccess : 0x1 [Type: unsigned char]
[+0x027] WriteAccess : 0x0 [Type: unsigned char]
[+0x028] DeleteAccess : 0x0 [Type: unsigned char]
[+0x029] SharedRead : 0x1 [Type: unsigned char]
[+0x02a] SharedWrite : 0x1 [Type: unsigned char]
[+0x02b] SharedDelete : 0x1 [Type: unsigned char]
[+0x02c] Flags : 0x40040 [Type: unsigned long]
[+0x030] FileName : "\WINDOWS\AppPatch\sysmain.sdb" [Type: _UNICODE_STRING]
[+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
[+0x040] Waiters : 0x0 [Type: unsigned long]
[+0x044] Busy : 0x0 [Type: unsigned long]
[+0x048] LastLock : 0x0 [Type: void *]
[+0x04c] Lock [Type: _KEVENT]
[+0x05c] Event [Type: _KEVENT]
[+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]
1: kd> dt _MI_READ_LIST 895efce8
nt!_MI_READ_LIST
+0x000 ControlArea : 0x898ef598 _CONTROL_AREA
+0x004 FileObject : 0x8962bd38 _FILE_OBJECT
+0x008 LastPteOffsetReferenced : 0x23
+0x00c InPageSupportHead : _SINGLE_LIST_ENTRY
+0x010 List : [1] _MI_READ_LIST_ENTRY
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_FILE_OBJECT *)0x8962bd38)
((ntkrnlmp!_FILE_OBJECT *)0x8962bd38) : 0x8962bd38 [Type: _FILE_OBJECT *]
[+0x000] Type : 5 [Type: short]
[+0x002] Size : 112 [Type: short]
[+0x004] DeviceObject : 0x89811788 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
[+0x008] Vpb : 0x89909178 [Type: _VPB *]
[+0x00c] FsContext : 0xe1466d98 [Type: void *]
[+0x010] FsContext2 : 0xe1551ec0 [Type: void *]
[+0x014] SectionObjectPointer : 0x89453aec [Type: _SECTION_OBJECT_POINTERS *]
[+0x018] PrivateCacheMap : 0x0 [Type: void *]
[+0x01c] FinalStatus : 0 [Type: long]
[+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
[+0x024] LockOperation : 0x0 [Type: unsigned char]
[+0x025] DeletePending : 0x0 [Type: unsigned char]
[+0x026] ReadAccess : 0x1 [Type: unsigned char]
[+0x027] WriteAccess : 0x0 [Type: unsigned char]
[+0x028] DeleteAccess : 0x0 [Type: unsigned char]
[+0x029] SharedRead : 0x1 [Type: unsigned char]
[+0x02a] SharedWrite : 0x1 [Type: unsigned char]
[+0x02b] SharedDelete : 0x1 [Type: unsigned char]
[+0x02c] Flags : 0x40040 [Type: unsigned long]
[+0x030] FileName : "\WINDOWS\system32\desk.cpl" [Type: _UNICODE_STRING]
[+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
[+0x040] Waiters : 0x0 [Type: unsigned long]
[+0x044] Busy : 0x0 [Type: unsigned long]
[+0x048] LastLock : 0x0 [Type: void *]
[+0x04c] Lock [Type: _KEVENT]
[+0x05c] Event [Type: _KEVENT]
[+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]
第三部分:nt!CcPfPrefetchSections函数分析（注：下面 dt 命令里的步长 14 按 WinDbg 默认的十六进制解释，即 0x14 = 20 字节 = sizeof(_PF_SECTION_RECORD)，与 dt 输出中最后一组位域位于 +0x010、占 4 字节相吻合）
1: kd> dt CCPF_PREFETCH_HEADER f705fd5c
nt!CCPF_PREFETCH_HEADER
+0x000 Scenario : 0xe13dc000 _PF_SCENARIO_HEADER
+0x004 VolumeNodes : 0xe1293d18 _CCPF_PREFETCH_VOLUME_INFO
+0x008 BadVolumeList : _LIST_ENTRY [ 0xf705fd64 - 0xf705fd64 ]
+0x010 OpenedVolumeList : _LIST_ENTRY [ 0xe1293d18 - 0xe1293d18 ]
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_PF_SCENARIO_HEADER *)0xe13dc000)
((ntkrnlmp!_PF_SCENARIO_HEADER *)0xe13dc000) : 0xe13dc000 [Type: _PF_SCENARIO_HEADER *]
[+0x000] Version : 0x11 [Type: unsigned long]
[+0x004] MagicNumber : 0x41434353 [Type: unsigned long]
[+0x008] ServiceVersion : 0xf [Type: unsigned long]
[+0x00c] Size : 0x4c6fa [Type: unsigned long]
[+0x010] ScenarioId [Type: _PF_SCENARIO_ID]
[+0x050] ScenarioType : PfSystemBootScenarioType (1) [Type: _PF_SCENARIO_TYPE]
[+0x054] SectionInfoOffset : 0x98 [Type: unsigned long]
[+0x058] NumSections : 0x21f [Type: unsigned long]
[+0x05c] PageInfoOffset : 0x2b04 [Type: unsigned long]
[+0x060] NumPages : 0x45b6 [Type: unsigned long]
[+0x064] FileNameInfoOffset : 0x36f8c [Type: unsigned long]
[+0x068] FileNameInfoSize : 0x1052c [Type: unsigned long]
[+0x06c] MetadataInfoOffset : 0x474b8 [Type: unsigned long]
[+0x070] NumMetadataRecords : 0x1 [Type: unsigned long]
[+0x074] MetadataInfoSize : 0x5242 [Type: unsigned long]
[+0x078] LastLaunchTime : {133862567540312500} [Type: _LARGE_INTEGER]
[+0x080] MinRePrefetchTime : {0} [Type: _LARGE_INTEGER]
[+0x088] MinReTraceTime : {0} [Type: _LARGE_INTEGER]
[+0x090] NumLaunches : 0x45 [Type: unsigned long]
[+0x094] Sensitivity : 0x2 [Type: unsigned long]
Scenario = PrefetchHeader->Scenario;
NumberOfSections = Scenario->NumSections; NumSections : 0x21f
SectionRecords = (PPF_SECTION_RECORD)
((PCHAR) Scenario + Scenario->SectionInfoOffset);
1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98
+0x000 FirstPageIdx : 0n0
+0x004 NumPages : 0x1d8
+0x008 FileNameOffset : 0
+0x00c FileNameLength : 0x1c
+0x010 IsIgnore : 0y1
+0x010 IsImage : 0y0
+0x010 IsData : 0y1
1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98+14*1
+0x000 FirstPageIdx : 0n472
+0x004 NumPages : 0x4e
+0x008 FileNameOffset : 0x3a
+0x00c FileNameLength : 0x3d
+0x010 IsIgnore : 0y0
+0x010 IsImage : 0y0
+0x010 IsData : 0y1
1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98+14*2
+0x000 FirstPageIdx : 0n550
+0x004 NumPages : 0x31
+0x008 FileNameOffset : 0xb6
+0x00c FileNameLength : 0x3d
+0x010 IsIgnore : 0y0
+0x010 IsImage : 0y1
+0x010 IsData : 0y1
第四部分:按 section 记录 → page 记录 → 文件名三级索引解析场景数据（注：dt 命令中的步长 c 同样是十六进制，0xc = 12 字节 = sizeof(PF_PAGE_RECORD)；这里 dt 把该类型解析到了 basesrv 模块的符号上，若要严格对照内核定义可尝试 nt!_PF_PAGE_RECORD 并核对偏移。另需注意：SectionInfoOffset/PageInfoOffset/FileNameInfoOffset 以及每条记录里的 FirstPageIdx/NextPageIdx/FileNameOffset 都取自场景数据本身——从 MagicNumber 0x41434353('SCCA') 和文件名表中出现的 \WINDOWS\PREFETCH\NTOSBOOT-B00DFAAD.PF 看，应是磁盘上的 .pf 场景文件；下面的指针运算直接把这些偏移加到 Scenario 基址上，本段列表里看不到它们是否已对照 Scenario->Size(0x4c6fa)、NumPages(0x45b6)、FileNameInfoSize(0x1052c) 做过边界检查，分析这条路径时应确认校验发生在更早的位置）
SectionRecords = (PPF_SECTION_RECORD)
((PCHAR) Scenario + Scenario->SectionInfoOffset);
PageRecords = (PPF_PAGE_RECORD)
((PCHAR) Scenario + Scenario->PageInfoOffset);
FileNameData = (PCHAR) Scenario + Scenario->FileNameInfoOffset;
1: kd> dt PF_PAGE_RECORD 0xe13dc000+0x2b04
basesrv!PF_PAGE_RECORD
+0x000 NextPageIdx : 0n1
+0x004 FileOffset : 0
+0x008 IsIgnore : 0y0
+0x008 IsImage : 0y0
+0x008 IsData : 0y1
+0x008 UsageHistory : 0y11011111 (0xdf)
+0x008 PrefetchHistory : 0y11111111 (0xff)
1: kd> dt PF_PAGE_RECORD 0xe13dc000+0x2b04+c*1
basesrv!PF_PAGE_RECORD
+0x000 NextPageIdx : 0n2
+0x004 FileOffset : 0x1000
+0x008 IsIgnore : 0y0
+0x008 IsImage : 0y0
+0x008 IsData : 0y1
+0x008 UsageHistory : 0y11011111 (0xdf)
+0x008 PrefetchHistory : 0y11111111 (0xff)
1: kd> dt PF_PAGE_RECORD 0xe13dc000+0x2b04+c*2
basesrv!PF_PAGE_RECORD
+0x000 NextPageIdx : 0n3
+0x004 FileOffset : 0x2000
+0x008 IsIgnore : 0y0
+0x008 IsImage : 0y0
+0x008 IsData : 0y1
+0x008 UsageHistory : 0y11011111 (0xdf)
+0x008 PrefetchHistory : 0y11111111 (0xff)
1: kd> db 0xe13dc000+0x36f8c
e1412f8c 5c 00 44 00 45 00 56 00-49 00 43 00 45 00 5c 00 \.D.E.V.I.C.E.\.
FileNameData = (PCHAR) Scenario + Scenario->FileNameInfoOffset; // = 0xe13dc000 + 0x36f8c = 0xe1412f8c，与上面 db 显示的地址一致
1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98
+0x000 FirstPageIdx : 0n0
+0x004 NumPages : 0x1d8
+0x008 FileNameOffset : 0
+0x00c FileNameLength : 0x1c
+0x010 IsIgnore : 0y1
+0x010 IsImage : 0y0
+0x010 IsData : 0y1
1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98+14*1
+0x000 FirstPageIdx : 0n472
+0x004 NumPages : 0x4e
+0x008 FileNameOffset : 0x3a
+0x00c FileNameLength : 0x3d
+0x010 IsIgnore : 0y0
+0x010 IsImage : 0y0
+0x010 IsData : 0y1
1: kd> db e1412f8c+0x3a
e1412fc6 5c 00 44 00 45 00 56 00-49 00 43 00 45 00 5c 00 \.D.E.V.I.C.E.\.
e1412fd6 48 00 41 00 52 00 44 00-44 00 49 00 53 00 4b 00 H.A.R.D.D.I.S.K.
e1412fe6 56 00 4f 00 4c 00 55 00-4d 00 45 00 31 00 5c 00 V.O.L.U.M.E.1.\.
e1412ff6 57 00 49 00 4e 00 44 00-4f 00 57 00 53 00 5c 00 W.I.N.D.O.W.S.\.
e1413006 50 00 52 00 45 00 46 00-45 00 54 00 43 00 48 00 P.R.E.F.E.T.C.H.
e1413016 5c 00 4e 00 54 00 4f 00-53 00 42 00 4f 00 4f 00 \.N.T.O.S.B.O.O.
e1413026 54 00 2d 00 42 00 30 00-30 00 44 00 46 00 41 00 T.-.B.0.0.D.F.A.
e1413036 41 00 44 00 2e 00 50 00-46 00 00 00 5c 00 44 00 A.D...P.F...\.D.
1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98+14*2
+0x000 FirstPageIdx : 0n550
+0x004 NumPages : 0x31
+0x008 FileNameOffset : 0xb6
+0x00c FileNameLength : 0x3d
+0x010 IsIgnore : 0y0
+0x010 IsImage : 0y1
+0x010 IsData : 0y1
1: kd> db e1412f8c+0xb6
e1413042 5c 00 44 00 45 00 56 00-49 00 43 00 45 00 5c 00 \.D.E.V.I.C.E.\.
e1413052 48 00 41 00 52 00 44 00-44 00 49 00 53 00 4b 00 H.A.R.D.D.I.S.K.
e1413062 56 00 4f 00 4c 00 55 00-4d 00 45 00 31 00 5c 00 V.O.L.U.M.E.1.\.
e1413072 57 00 49 00 4e 00 44 00-4f 00 57 00 53 00 5c 00 W.I.N.D.O.W.S.\.
e1413082 53 00 59 00 53 00 54 00-45 00 4d 00 33 00 32 00 S.Y.S.T.E.M.3.2.
e1413092 5c 00 44 00 52 00 49 00-56 00 45 00 52 00 53 00 \.D.R.I.V.E.R.S.
e14130a2 5c 00 49 00 38 00 30 00-34 00 32 00 50 00 52 00 \.I.8.0.4.2.P.R.
e14130b2 54 00 2e 00 53 00 59 00-53 00 00 00 5c 00 44 00 T...S.Y.S...\.D.
1: kd> dt PF_PAGE_RECORD 0xe13dc000+0x2b04+c*0n550
basesrv!PF_PAGE_RECORD
+0x000 NextPageIdx : 0n551
+0x004 FileOffset : 0
+0x008 IsIgnore : 0y0
+0x008 IsImage : 0y1
+0x008 IsData : 0y1
+0x008 UsageHistory : 0y11111111 (0xff)
+0x008 PrefetchHistory : 0y11111111 (0xff)
第五部分:MiReadLists数组（NumberOfLists = 0x49，即 73 个 _MI_READ_LIST 指针；下面 dd 只显示了前 32 项。第二部分中 lea ebx,[eax+ecx*4] 执行时 eax=898d7870 正是这个数组的基址，ecx=0x11，看起来是在按下标遍历它）
1: kd> dv
NumberOfLists = 0x49
ReadLists = 0x00000000
ReadBuilt = 1
CauseOfReadBuildFailures = 0n0
status = 0n0
ApcNeeded = 0
MiReadLists = 0x898d7870
1: kd> dx -r1 ((ntkrnlmp!_MI_READ_LIST * *)0x898d7870)
((ntkrnlmp!_MI_READ_LIST * *)0x898d7870) : 0x898d7870 [Type: _MI_READ_LIST * *]
0x8973a008 [Type: _MI_READ_LIST *]
1: kd> dd 0x898d7870
898d7870 8973a008 895ef848 895efce8 895ef820
898d7880 89808e58 8946f268 8952e3f8 8962bf80
898d7890 8962b4c0 8952e760 898d7848 89492210
898d78a0 89439988 894921a8 89505e18 8989b1f8
898d78b0 898fefa8 8980d8c0 89840310 895f1200
898d78c0 895f1310 895881d0 89941e10 898d7820
898d78d0 898d7d08 898d7ce0 8951d310 8945cb20
898d78e0 896242c0 8945c508 898457e0 895c70e8
1: kd> dt _MI_READ_LIST 894921a8
nt!_MI_READ_LIST
+0x000 ControlArea : 0x89466a48 _CONTROL_AREA
+0x004 FileObject : 0x89466458 _FILE_OBJECT
+0x008 LastPteOffsetReferenced : 1
+0x00c InPageSupportHead : _SINGLE_LIST_ENTRY
+0x010 List : [1] _MI_READ_LIST_ENTRY
1: kd> dt _MI_READ_LIST_ENTRY -r
nt!_MI_READ_LIST_ENTRY
+0x000 u1 : __unnamed
+0x000 PrototypePte : Ptr32 _MMPTE
+0x000 u : __unnamed
+0x000 e1 : _RLETYPE
+0x000 Partial : Pos 0, 1 Bit
+0x000 NewSubsection : Pos 1, 1 Bit
+0x000 DontUse : Pos 2, 30 Bits
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_FILE_OBJECT *)0x89466458)
((ntkrnlmp!_FILE_OBJECT *)0x89466458) : 0x89466458 [Type: _FILE_OBJECT *]
[+0x000] Type : 5 [Type: short]
[+0x002] Size : 112 [Type: short]
[+0x004] DeviceObject : 0x89811788 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
[+0x008] Vpb : 0x89909178 [Type: _VPB *]
[+0x00c] FsContext : 0xe15e77f8 [Type: void *]
[+0x010] FsContext2 : 0xe15e7948 [Type: void *]
[+0x014] SectionObjectPointer : 0x8989126c [Type: _SECTION_OBJECT_POINTERS *]
[+0x018] PrivateCacheMap : 0x0 [Type: void *]
[+0x01c] FinalStatus : 0 [Type: long]
[+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
[+0x024] LockOperation : 0x0 [Type: unsigned char]
[+0x025] DeletePending : 0x0 [Type: unsigned char]
[+0x026] ReadAccess : 0x1 [Type: unsigned char]
[+0x027] WriteAccess : 0x0 [Type: unsigned char]
[+0x028] DeleteAccess : 0x0 [Type: unsigned char]
[+0x029] SharedRead : 0x1 [Type: unsigned char]
[+0x02a] SharedWrite : 0x1 [Type: unsigned char]
[+0x02b] SharedDelete : 0x1 [Type: unsigned char]
[+0x02c] Flags : 0x40040 [Type: unsigned long]
[+0x030] FileName : "\Documents and Settings\All Users\Start Menu\desktop.ini" [Type: _UNICODE_STRING]
[+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
[+0x040] Waiters : 0x0 [Type: unsigned long]
[+0x044] Busy : 0x0 [Type: unsigned long]
[+0x048] LastLock : 0x0 [Type: void *]
[+0x04c] Lock [Type: _KEVENT]
[+0x05c] Event [Type: _KEVENT]
[+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]