NtfsLookupAttributeByName 函数分析:与 Scb->AttributeName 的关系
第一部分:FindFirstIndexEntry 把 &Scb->AttributeName 作为属性名传给 NtfsLookupAttributeByName:
//
// FindFirstIndexEntry (excerpt).
//
// Only the attribute lookup is quoted here: the article elides the start of
// the body, and the excerpt stops inside the `if` that tests the lookup
// result, so what happens when the lookup fails is not shown.
//
// Parameters as declared below:
//   IrpContext   - request context, forwarded unchanged to the lookup.
//   Scb          - stream control block; supplies the Fcb, the file reference
//                  and the attribute name used for the lookup.
//   Value        - not used in the quoted lines.
//   IndexContext - its AttributeContext member is handed to the lookup.
//
VOID
FindFirstIndexEntry (
IN PIRP_CONTEXT IrpContext,
IN PSCB Scb,
IN PVOID Value,
IN OUT PINDEX_CONTEXT IndexContext
)
{
。。。。。。
//
// Lookup the attribute record from the Scb.
//
// The attribute type is the fixed $INDEX_ROOT argument; only the name comes
// from the Scb (&Scb->AttributeName). In the debugger session on this page
// the Scb has AttributeTypeCode 0xa0 and AttributeName "$I30", while the
// record that ends up matching has TypeCode 0x90 and the same name.
//
// NOTE(review): the NULL and FALSE arguments are not explained by the
// excerpt; FALSE presumably maps to the IgnoreCase parameter seen on
// NtfsFindInFileRecord - confirm against the NtfsLookupAttributeByName
// definition.
//
if (!NtfsLookupAttributeByName( IrpContext,
Scb->Fcb,
&Scb->Fcb->FileReference,
$INDEX_ROOT,
&Scb->AttributeName,
NULL,
FALSE,
&IndexContext->AttributeContext )) {
第二部分:在调试器中查看 Scb,此时 AttributeName 为 "$I30":
0: kd> p
Ntfs!FindFirstIndexEntry+0x68:
f71740d2 84c0 test al,al
0: kd> dv
IrpContext = 0xf793291c
Scb = 0xe1363d20
Value = 0xe13559b0
IndexContext = 0xe1352348
Attribute = 0x00000000
IndexRoot = 0xe1352348
Sp = 0xe1363d20
0: kd> dx -r1 ((Ntfs!_SCB *)0xe1363d20)
((Ntfs!_SCB *)0xe1363d20) : 0xe1363d20 [Type: _SCB *]
[+0x000] Header [Type: _NTFS_ADVANCED_FCB_HEADER]
[+0x040] FcbLinks [Type: _LIST_ENTRY]
[+0x048] Fcb : 0xe1363c58 [Type: _FCB *]
[+0x04c] Vcb : 0x895d5100 [Type: _VCB *]
[+0x050] ScbState : 0x100006a0 [Type: unsigned long]
[+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]
[+0x058] CleanupCount : 0x1 [Type: unsigned long]
[+0x05c] CloseCount : 0x2 [Type: unsigned long]
[+0x060] ShareAccess [Type: _SHARE_ACCESS]
[+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]
[+0x080] AttributeName : "$I30" [Type: _UNICODE_STRING]
[+0x088] FileObject : 0x8962b128 [Type: _FILE_OBJECT *]
[+0x08c] NonpagedScb : 0x89954e60 [Type: _SCB_NONPAGED *]
[+0x090] Mcb [Type: _NTFS_MCB]
[+0x0a8] McbStructs [Type: NTFS_MCB_INITIAL_STRUCTS]
[+0x0f0] CompressionUnit : 0x0 [Type: unsigned long]
[+0x0f4] AttributeFlags : 0x0 [Type: unsigned short]
[+0x0f6] CompressionUnitShift : 0x0 [Type: unsigned char]
[+0x0f7] PadUchar : 0x0 [Type: unsigned char]
[+0x0f8] ValidDataToDisk : 0 [Type: __int64]
[+0x100] TotalAllocated : 8192 [Type: __int64]
[+0x108] EofListHead [Type: _LIST_ENTRY]
[+0x110] CcbQueue [Type: _LIST_ENTRY]
[+0x118] ScbSnapshot : 0x0 [Type: _SCB_SNAPSHOT *]
[+0x11c] EncryptionContext : 0x0 [Type: void *]
[+0x120] EncryptionContextLength : 0x0 [Type: unsigned long]
[+0x124] ScbPersist : 0x0 [Type: unsigned long]
[+0x128] IoAtEofThread : 0x0 [Type: unsigned long *]
[+0x130] ScbType [Type: __unnamed]
第三部分:NtfsFindInFileRecord 从属性记录中取出属性名,与 QueriedName 比较:
//
// NtfsFindInFileRecord (excerpt).
//
// The article condenses the body: part of the loop is elided and the
// function's closing brace is not quoted, so only the name comparison is
// visible here.
//
// Parameters as declared below:
//   IrpContext         - request context.
//   Attribute          - attribute record header currently being examined.
//   ReturnAttribute    - output pointer; not written in the quoted lines.
//   QueriedTypeCode    - attribute type being searched for; not used in the
//                        quoted lines.
//   QueriedName        - optional name compared against each record's name.
//   IgnoreCase         - forwarded to NtfsAreNamesEqual.
//   QueriedValue,
//   QueriedValueLength - optional value to match; not used in the quoted
//                        lines.
//
// NOTE(review): UpcaseTable is not declared in the excerpt, and the step that
// advances Attribute to the next record is elided; the debugger session on
// this page walks the records by adding each RecordLength - confirm against
// the full source.
//
BOOLEAN
NtfsFindInFileRecord (
IN PIRP_CONTEXT IrpContext,
IN PATTRIBUTE_RECORD_HEADER Attribute,
OUT PATTRIBUTE_RECORD_HEADER *ReturnAttribute,
IN ATTRIBUTE_TYPE_CODE QueriedTypeCode,
IN PCUNICODE_STRING QueriedName OPTIONAL,
IN BOOLEAN IgnoreCase,
IN PVOID QueriedValue OPTIONAL,
IN ULONG QueriedValueLength
)
{
while ( TRUE ) {
。。。。。。
//
// Build a UNICODE_STRING that describes the name stored inside the current
// attribute record. The string's Length and Buffer are derived directly from
// the record's NameLength and NameOffset fields.
//
NtfsInitializeStringFromAttribute( &AttributeName, Attribute );
//
// See if we have a name match.
//
// The record's own name is compared with the caller's QueriedName; a match
// leaves the loop.
//
if (NtfsAreNamesEqual( UpcaseTable,
&AttributeName,
QueriedName,
IgnoreCase )) {
break;
}
return TRUE;
}
第四部分:NtfsInitializeStringFromAttribute 宏根据属性记录头的 NameLength 和 NameOffset 构造属性名字符串:
NtfsInitializeStringFromAttribute( &AttributeName, Attribute );
//
// NtfsInitializeStringFromAttribute
//
// Fills in the counted string NAME so that it describes the name stored
// inside the attribute record ATTRIBUTE. Nothing is copied: Buffer is set to
// point into the record itself.
//
//   Length        = NameLength << 1, i.e. NameLength counts 2-byte characters
//                   (the dump on this page shows NameLength 0x4 and the eight
//                   bytes "$.I.3.0." at the name offset).
//   MaximumLength = Length, so no room for a terminator is accounted for.
//   Buffer        = ATTRIBUTE plus NameOffset, via Add2Ptr (presumably a byte
//                   offset from the start of the record; the `db` command on
//                   this page adds 0x18 to the record address the same way).
//
// NOTE(review): NameLength and NameOffset are taken from the record header
// as-is; the macro does not check that NameOffset + Length stays within
// RecordLength. It presumably relies on the record having been validated
// before this point - confirm, and apply that bound explicitly in any code
// that parses these records from disk.
//
// Both macro arguments are expanded more than once, so they must not have
// side effects.
//
#define NtfsInitializeStringFromAttribute(NAME,ATTRIBUTE) { \
(NAME)->Length = (USHORT)(ATTRIBUTE)->NameLength << 1; \
(NAME)->MaximumLength = (NAME)->Length; \
(NAME)->Buffer = (PWSTR)Add2Ptr((ATTRIBUTE), (ATTRIBUTE)->NameOffset); \
}
(NAME)->Length 取自 (ATTRIBUTE)->NameLength:+0x009 NameLength : 0x4 ''(4 个 WCHAR,左移 1 位后 Length 为 8 字节)
(NAME)->Buffer 取自 (ATTRIBUTE)->NameOffset:+0x00a NameOffset : 0x18(Buffer 为属性记录起始地址加 0x18)
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28+48
+0x000 TypeCode : 0x90
+0x004 RecordLength : 0xe0
+0x008 FormCode : 0 ''
+0x009 NameLength : 0x4 ''
+0x00a NameOffset : 0x18
+0x00c Flags : 0
+0x00e Instance : 6
+0x010 Form : __unnamed
0: kd> db 0xc1241438+48+60+28+48+18
c1241568 24 00 49 00 33 00 30 00-30 00 00 00 01 00 00 00 $.I.3.0.0.......
第五部分:从第一个属性记录开始,每次加上 RecordLength 逐个查看属性记录头,直到 TypeCode 为 0x90、NameLength 为 4 的记录:
0: kd> p
Ntfs!NtfsFindInFileRecord+0x92:
f7171ac2 384d1c cmp byte ptr [ebp+1Ch],cl
0: kd> dv
IrpContext = 0xf793291c
Attribute = 0xc1241438
0: kd> dx -r1 ((Ntfs!_ATTRIBUTE_RECORD_HEADER *)0xc1241438)
((Ntfs!_ATTRIBUTE_RECORD_HEADER *)0xc1241438) : 0xc1241438 [Type: _ATTRIBUTE_RECORD_HEADER *]
[+0x000] TypeCode : 0x10 [Type: unsigned long]
[+0x004] RecordLength : 0x48 [Type: unsigned long]
[+0x008] FormCode : 0x0 [Type: unsigned char]
[+0x009] NameLength : 0x0 [Type: unsigned char]
[+0x00a] NameOffset : 0x18 [Type: unsigned short]
[+0x00c] Flags : 0x0 [Type: unsigned short]
[+0x00e] Instance : 0x0 [Type: unsigned short]
[+0x010] Form [Type: __unnamed]
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438
+0x000 TypeCode : 0x10
+0x004 RecordLength : 0x48
+0x008 FormCode : 0 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0x18
+0x00c Flags : 0
+0x00e Instance : 0
+0x010 Form : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48
+0x000 TypeCode : 0x30
+0x004 RecordLength : 0x60
+0x008 FormCode : 0 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0x18
+0x00c Flags : 0
+0x00e Instance : 1
+0x010 Form : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60
+0x000 TypeCode : 0x40
+0x004 RecordLength : 0x28
+0x008 FormCode : 0 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0
+0x00c Flags : 0
+0x00e Instance : 9
+0x010 Form : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28
+0x000 TypeCode : 0x50
+0x004 RecordLength : 0x48
+0x008 FormCode : 0x1 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0x40
+0x00c Flags : 0
+0x00e Instance : 2
+0x010 Form : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28+48
+0x000 TypeCode : 0x90
+0x004 RecordLength : 0xe0
+0x008 FormCode : 0 ''
+0x009 NameLength : 0x4 ''
+0x00a NameOffset : 0x18
+0x00c Flags : 0
+0x00e Instance : 6
+0x010 Form : __unnamed