当前位置: 首页 > news >正文

Ntfs!ReadIndexBuffer函数分析之根目录读取索引缓冲区的一个例子

news 来源:原创 2025/5/25 15:48:54

Ntfs!ReadIndexBuffer函数分析之根目录读取索引缓冲区的一个例子


第一部分:

0: kd> p
Ntfs!ReadIndexBuffer+0xdc:
f7173962 e829f60300      call    Ntfs!NtfsCheckIndexBuffer (f71b2f90)
0: kd> t
Ntfs!NtfsCheckIndexBuffer:
f71b2f90 55              push    ebp
0: kd> kc
 #
00 Ntfs!NtfsCheckIndexBuffer
01 Ntfs!ReadIndexBuffer
02 Ntfs!FindNextIndexEntry
03 Ntfs!NtfsContinueIndexEnumeration
04 Ntfs!NtfsQueryDirectory
05 Ntfs!NtfsCommonDirectoryControl
06 Ntfs!NtfsFsdDirectoryControl
07 nt!IofCallDriver
08 nt!IopSynchronousServiceTail
09 nt!NtQueryDirectoryFile
0a nt!_KiSystemService
0b nt!ZwQueryDirectoryFile
0c nt!CcPfPrefetchDirectoryContents
0d nt!CcPfPrefetchMetadata
0e nt!CcPfBootWorker
0f nt!PspSystemThreadStartup
10 nt!KiThreadStartup
0: kd> dv
            Scb = 0xe1363d20
    IndexBuffer = 0xc14c1000

0: kd> dv
            Scb = 0xe1363d20
    IndexBuffer = 0xc14c1000
0: kd> dx -r1 ((Ntfs!_INDEX_ALLOCATION_BUFFER *)0xc14c1000)
((Ntfs!_INDEX_ALLOCATION_BUFFER *)0xc14c1000)                 : 0xc14c1000 [Type: _INDEX_ALLOCATION_BUFFER *]
    [+0x000] MultiSectorHeader [Type: _MULTI_SECTOR_HEADER]
    [+0x008] Lsn              : {124511565} [Type: _LARGE_INTEGER]
    [+0x010] ThisBlock        : 1 [Type: __int64]
    [+0x018] IndexHeader      [Type: _INDEX_HEADER]
    [+0x028] UpdateSequenceArray [Type: unsigned short [1]]
0: kd> dx -r1 (*((Ntfs!_INDEX_HEADER *)0xc14c1018))
(*((Ntfs!_INDEX_HEADER *)0xc14c1018))                 [Type: _INDEX_HEADER]
    [+0x000] FirstIndexEntry  : 0x28 [Type: unsigned long]
    [+0x004] FirstFreeByte    : 0x828 [Type: unsigned long]
    [+0x008] BytesAvailable   : 0xfe8 [Type: unsigned long]
    [+0x00c] Flags            : 0x0 [Type: unsigned char]
    [+0x00d] Reserved         [Type: unsigned char [3]]


第二部分:


0: kd> dv
            Scb = 0xe1363d20
    IndexBuffer = 0xc14c1000
0: kd> dx -r1 ((Ntfs!_INDEX_ALLOCATION_BUFFER *)0xc14c1000)
((Ntfs!_INDEX_ALLOCATION_BUFFER *)0xc14c1000)                 : 0xc14c1000 [Type: _INDEX_ALLOCATION_BUFFER *]
    [+0x000] MultiSectorHeader [Type: _MULTI_SECTOR_HEADER]
    [+0x008] Lsn              : {124511565} [Type: _LARGE_INTEGER]
    [+0x010] ThisBlock        : 1 [Type: __int64]
    [+0x018] IndexHeader      [Type: _INDEX_HEADER]
    [+0x028] UpdateSequenceArray [Type: unsigned short [1]]
0: kd> dx -r1 (*((Ntfs!_INDEX_HEADER *)0xc14c1018))
(*((Ntfs!_INDEX_HEADER *)0xc14c1018))                 [Type: _INDEX_HEADER]
    [+0x000] FirstIndexEntry  : 0x28 [Type: unsigned long]
    [+0x004] FirstFreeByte    : 0x828 [Type: unsigned long]
    [+0x008] BytesAvailable   : 0xfe8 [Type: unsigned long]
    [+0x00c] Flags            : 0x0 [Type: unsigned char]
    [+0x00d] Reserved         [Type: unsigned char [3]]


0: kd> dt index_entry 0xc14c1018+28
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xd4a
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x8 ''
   +0x041 Flags            : 0x2 ''
   +0x042 FileName         : [1] 0x44
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1092))
(*((Ntfs!unsigned short (*)[1])0xc14c1092))                 [Type: unsigned short [1]]
    [0]              : 0x44 [Type: unsigned short]
0: kd> db 0xc14c1092
c14c1092  44 00 4f 00 43 00 55 00-4d 00 45 00 7e 00 31 00  D.O.C.U.M.E.~.1.
c14c10a2  2e 00 43 00 4f 00 16 28-00 00 00 00 0e 00 68 00  ..C.O..(......h.
c14c10b2  54 00 00 00 00 00 05 00-00 00 00 00 05 00 fe d9  T...............
c14c10c2  ee 98 50 27 db 01 76 ef-9a a1 b4 30 db 01 d4 44  ..P'..v....0...D
c14c10d2  b9 5b 60 62 db 01 1e d6-3b b7 23 63 db 01 a0 00  .[`b....;.#c....
c14c10e2  00 00 00 00 00 00 9a 00-00 00 00 00 00 00 20 00  .............. .
c14c10f2  00 00 00 00 00 00 09 03-65 00 76 00 65 00 6e 00  ........e.v.e.n.
c14c1102  74 00 2e 00 74 00 78 00-74 00 00 00 01 00 51 1b  t...t.x.t.....Q.


0: kd> dt index_entry 0xc14c1018+28
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xd4a
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x2816
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0xe0000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x54
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x9 ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x65
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c10fa))
(*((Ntfs!unsigned short (*)[1])0xc14c10fa))                 [Type: unsigned short [1]]
    [0]              : 0x65 [Type: unsigned short]
0: kd> db 0xc14c10fa
c14c10fa  65 00 76 00 65 00 6e 00-74 00 2e 00 74 00 78 00  e.v.e.n.t...t.x.
c14c110a  74 00 00 00 01 00 51 1b-00 00 00 00 01 00 60 00  t.....Q.......`.
c14c111a  4e 00 00 00 00 00 05 00-00 00 00 00 05 00 b4 4a  N..............J
c14c112a  1a cd c7 06 db 01 b4 4a-1a cd c7 06 db 01 b4 4a  .......J.......J
c14c113a  1a cd c7 06 db 01 f0 84-74 d5 23 63 db 01 00 00  ........t.#c....
c14c114a  00 00 00 00 00 00 00 00-00 00 00 00 00 00 27 00  ..............'.
c14c115a  00 00 00 00 00 00 06 03-49 00 4f 00 2e 00 53 00  ........I.O...S.
c14c116a  59 00 53 00 43 00 52 1b-00 00 00 00 01 00 68 00  Y.S.C.R.......h.


0: kd> dt index_entry 0xc14c1018+28+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x2816
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0xe0000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x54
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1b51
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x60
   +0x00a AttributeLength  : 0x4e
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x6 ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x49
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1162))
(*((Ntfs!unsigned short (*)[1])0xc14c1162))                 [Type: unsigned short [1]]
    [0]              : 0x49 [Type: unsigned short]
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c1120))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c1120))                 [Type: _MFT_SEGMENT_REFERENCE]
    [+0x000] SegmentNumberLowPart : 0x5 [Type: unsigned long]
    [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
    [+0x006] SequenceNumber   : 0x5 [Type: unsigned short]
0: kd> db 0xc14c1162
c14c1162  49 00 4f 00 2e 00 53 00-59 00 53 00 43 00 52 1b  I.O...S.Y.S.C.R.
c14c1172  00 00 00 00 01 00 68 00-54 00 00 00 00 00 05 00  ......h.T.......
c14c1182  00 00 00 00 05 00 b4 4a-1a cd c7 06 db 01 b4 4a  .......J.......J
c14c1192  1a cd c7 06 db 01 b4 4a-1a cd c7 06 db 01 e4 da  .......J........
c14c11a2  54 cb b7 63 db 01 00 00-00 00 00 00 00 00 00 00  T..c............
c14c11b2  00 00 00 00 00 00 27 00-00 00 00 00 00 00 09 03  ......'.........
c14c11c2  4d 00 53 00 44 00 4f 00-53 00 2e 00 53 00 59 00  M.S.D.O.S...S.Y.
c14c11d2  53 00 43 00 4f 00 a9 28-00 00 00 00 02 00 80 00  S.C.O..(........


0: kd> dt index_entry 0xc14c1018+28+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1b51
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x60
   +0x00a AttributeLength  : 0x4e
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1b52
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x54
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x9 ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x4d
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c1180))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c1180))                 [Type: _MFT_SEGMENT_REFERENCE]
    [+0x000] SegmentNumberLowPart : 0x5 [Type: unsigned long]
    [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
    [+0x006] SequenceNumber   : 0x5 [Type: unsigned short]
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c11c2))
(*((Ntfs!unsigned short (*)[1])0xc14c11c2))                 [Type: unsigned short [1]]
    [0]              : 0x4d [Type: unsigned short]
0: kd> db 0xc14c11c2
c14c11c2  4d 00 53 00 44 00 4f 00-53 00 2e 00 53 00 59 00  M.S.D.O.S...S.Y.
c14c11d2  53 00 43 00 4f 00 a9 28-00 00 00 00 02 00 80 00  S.C.O..(........
c14c11e2  6c 00 00 00 00 00 05 00-00 00 00 00 05 00 6a f7  l.............j.
c14c11f2  f9 4d a9 8e db 01 6a f7-f9 4d a9 8e db 01 6a f7  .M....j..M....j.
c14c1202  f9 4d a9 8e db 01 6a f7-f9 4d a9 8e db 01 00 00  .M....j..M......
c14c1212  00 00 00 00 00 00 00 00-00 00 00 00 00 00 20 00  .............. .
c14c1222  00 00 00 00 00 00 15 01-4e 00 65 00 77 00 20 00  ........N.e.w. .
c14c1232  54 00 65 00 78 00 74 00-20 00 44 00 6f 00 63 00  T.e.x.t. .D.o.c.


0: kd> dt index_entry 0xc14c1018+28+68+68+60
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1b52
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x54
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x28a9
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x20000
   +0x008 Length           : 0x80
   +0x00a AttributeLength  : 0x6c
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x15 ''
   +0x041 Flags            : 0x1 ''
   +0x042 FileName         : [1] 0x4e
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c11e8))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c11e8))                 [Type: _MFT_SEGMENT_REFERENCE]
    [+0x000] SegmentNumberLowPart : 0x5 [Type: unsigned long]
    [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
    [+0x006] SequenceNumber   : 0x5 [Type: unsigned short]
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c122a))
(*((Ntfs!unsigned short (*)[1])0xc14c122a))                 [Type: unsigned short [1]]
    [0]              : 0x4e [Type: unsigned short]
0: kd> db 0xc14c122a
c14c122a  4e 00 65 00 77 00 20 00-54 00 65 00 78 00 74 00  N.e.w. .T.e.x.t.
c14c123a  20 00 44 00 6f 00 63 00-75 00 6d 00 65 00 6e 00   .D.o.c.u.m.e.n.
c14c124a  74 00 2e 00 74 00 78 00-74 00 00 00 00 00 a9 28  t...t.x.t......(
c14c125a  00 00 00 00 02 00 70 00-5a 00 00 00 00 00 05 00  ......p.Z.......
c14c126a  00 00 00 00 05 00 6a f7-f9 4d a9 8e db 01 6a f7  ......j..M....j.
c14c127a  f9 4d a9 8e db 01 6a f7-f9 4d a9 8e db 01 6a f7  .M....j..M....j.
c14c128a  f9 4d a9 8e db 01 00 00-00 00 00 00 00 00 00 00  .M..............
c14c129a  00 00 00 00 00 00 20 00-00 00 00 00 00 00 0c 02  ...... .........


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x28a9
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x20000
   +0x008 Length           : 0x80
   +0x00a AttributeLength  : 0x6c
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x28a9
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x20000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5a
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0xc ''
   +0x041 Flags            : 0x2 ''
   +0x042 FileName         : [1] 0x4e
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c12aa))
(*((Ntfs!unsigned short (*)[1])0xc14c12aa))                 [Type: unsigned short [1]]
    [0]              : 0x4e [Type: unsigned short]
0: kd> db 0xc14c12aa
c14c12aa  4e 00 45 00 57 00 54 00-45 00 58 00 7e 00 31 00  N.E.W.T.E.X.~.1.
c14c12ba  2e 00 54 00 58 00 54 00-5a 00 00 00 00 00 d3 0c  ..T.X.T.Z.......
c14c12ca  00 00 00 00 01 00 70 00-5a 00 00 00 00 00 05 00  ......p.Z.......
c14c12da  00 00 00 00 05 00 00 62-1c 3c b2 06 db 01 00 62  .......b.<.....b
c14c12ea  1c 3c b2 06 db 01 ea 3a-17 d7 8b 06 db 01 84 97  .<.....:........
c14c12fa  37 98 8b 06 db 01 00 c0-00 00 00 00 00 00 bc b9  7...............
c14c130a  00 00 00 00 00 00 27 00-00 00 00 00 00 00 0c 03  ......'.........
c14c131a  4e 00 54 00 44 00 45 00-54 00 45 00 43 00 54 00  N.T.D.E.T.E.C.T.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x28a9
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x20000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5a
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xcd3
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5a
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0xc ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x4e
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c131a))
(*((Ntfs!unsigned short (*)[1])0xc14c131a))                 [Type: unsigned short [1]]
    [0]              : 0x4e [Type: unsigned short]
0: kd> db 0xc14c131a
c14c131a  4e 00 54 00 44 00 45 00-54 00 45 00 43 00 54 00  N.T.D.E.T.E.C.T.
c14c132a  2e 00 43 00 4f 00 4d 00-5a 00 00 00 00 00 cf 0c  ..C.O.M.Z.......
c14c133a  00 00 00 00 01 00 60 00-4c 00 00 00 00 00 05 00  ......`.L.......
c14c134a  00 00 00 00 05 00 00 07-05 b9 c5 06 db 01 00 07  ................
c14c135a  05 b9 c5 06 db 01 ea 3a-17 d7 8b 06 db 01 e4 71  .......:.......q
c14c136a  11 98 8b 06 db 01 00 c0-04 00 00 00 00 00 a0 b4  ................
c14c137a  04 00 00 00 00 00 27 00-00 00 00 00 00 00 05 03  ......'.........
c14c138a  6e 00 74 00 6c 00 64 00-72 00 49 00 4c 00 c8 27  n.t.l.d.r.I.L..'


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xcd3
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5a
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xccf
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x60
   +0x00a AttributeLength  : 0x4c
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x5 ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x6e
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c138a))
(*((Ntfs!unsigned short (*)[1])0xc14c138a))                 [Type: unsigned short [1]]
    [0]              : 0x6e [Type: unsigned short]
0: kd> db 0xc14c138a
c14c138a  6e 00 74 00 6c 00 64 00-72 00 49 00 4c 00 c8 27  n.t.l.d.r.I.L..'
c14c139a  00 00 00 00 07 00 70 00-5a 00 00 00 00 00 05 00  ......p.Z.......
c14c13aa  00 00 00 00 05 00 c0 2b-54 88 8b 06 db 01 f2 cf  .......+T.......
c14c13ba  03 b4 e4 be db 01 f2 cf-03 b4 e4 be db 01 f2 cf  ................
c14c13ca  03 b4 e4 be db 01 00 00-e0 7f 00 00 00 00 00 00  ................
c14c13da  e0 7f 00 00 00 00 26 00-00 00 00 00 00 00 0c 03  ......&.........
c14c13ea  70 00 61 00 67 00 65 00-66 00 69 00 6c 00 65 00  p.a.g.e.f.i.l.e.
c14c13fa  2e 00 73 00 79 00 73 00-73 00 20 00 49 00 ca 0e  ..s.y.s.s. .I...


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xccf
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x60
   +0x00a AttributeLength  : 0x4c
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x27c8
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x70000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5a
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0xc ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x70
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c13ea))
(*((Ntfs!unsigned short (*)[1])0xc14c13ea))                 [Type: unsigned short [1]]
    [0]              : 0x70 [Type: unsigned short]
0: kd> db 0xc14c13ea
c14c13ea  70 00 61 00 67 00 65 00-66 00 69 00 6c 00 65 00  p.a.g.e.f.i.l.e.
c14c13fa  2e 00 73 00 79 00 73 00-73 00 20 00 49 00 ca 0e  ..s.y.s.s. .I...
c14c140a  00 00 00 00 01 00 70 00-5c 00 00 00 00 00 05 00  ......p.\.......
c14c141a  00 00 00 00 05 00 64 c4-1d cd 8b 06 db 01 72 d1  ......d.......r.
c14c142a  a9 8f c7 06 db 01 72 d1-a9 8f c7 06 db 01 46 8d  ......r.......F.
c14c143a  fd b2 e4 be db 01 00 00-00 00 00 00 00 00 00 00  ................
c14c144a  00 00 00 00 00 00 01 00-00 10 00 00 00 00 0d 01  ................
c14c145a  50 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00  P.r.o.g.r.a.m. .

0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x27c8
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x70000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5a
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xeca
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5c
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0xd ''
   +0x041 Flags            : 0x1 ''
   +0x042 FileName         : [1] 0x50
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c145a))
(*((Ntfs!unsigned short (*)[1])0xc14c145a))                 [Type: unsigned short [1]]
    [0]              : 0x50 [Type: unsigned short]
0: kd> db 0xc14c145a
c14c145a  50 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00  P.r.o.g.r.a.m. .
c14c146a  46 00 69 00 6c 00 65 00-73 00 20 00 49 00 ca 0e  F.i.l.e.s. .I...
c14c147a  00 00 00 00 01 00 68 00-52 00 00 00 00 00 05 00  ......h.R.......
c14c148a  00 00 00 00 05 00 64 c4-1d cd 8b 06 db 01 72 d1  ......d.......r.
c14c149a  a9 8f c7 06 db 01 72 d1-a9 8f c7 06 db 01 46 8d  ......r.......F.
c14c14aa  fd b2 e4 be db 01 00 00-00 00 00 00 00 00 00 00  ................
c14c14ba  00 00 00 00 00 00 01 00-00 10 00 00 00 00 08 02  ................
c14c14ca  50 00 52 00 4f 00 47 00-52 00 41 00 7e 00 31 00  P.R.O.G.R.A.~.1.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xeca
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5c
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xeca
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x8 ''
   +0x041 Flags            : 0x2 ''
   +0x042 FileName         : [1] 0x50
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c14ca))
(*((Ntfs!unsigned short (*)[1])0xc14c14ca))                 [Type: unsigned short [1]]
    [0]              : 0x50 [Type: unsigned short]
0: kd> db 0xc14c14ca
c14c14ca  50 00 52 00 4f 00 47 00-52 00 41 00 7e 00 31 00  P.R.O.G.R.A.~.1.
c14c14da  6f 00 6c 00 75 00 d5 27-00 00 00 00 07 00 68 00  o.l.u..'......h.
c14c14ea  52 00 00 00 00 00 05 00-00 00 00 00 05 00 ca 1f  R...............
c14c14fa  d1 e1 f6 16 db 01 ca 1f-d1 e1 f6 16 db 01 7a 42  ..............zB
c14c150a  28 c7 e8 88 db 01 46 8d-fd b2 e4 be db 01 00 00  (.....F.........
c14c151a  00 00 00 00 00 00 00 00-00 00 00 00 00 00 06 00  ................
c14c152a  00 10 00 00 00 00 08 03-52 00 45 00 43 00 59 00  ........R.E.C.Y.
c14c153a  43 00 4c 00 45 00 52 00-42 00 47 00 75 00 60 19  C.L.E.R.B.G.u.`.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xeca
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x27d5
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x70000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x8 ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x52
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1532))
(*((Ntfs!unsigned short (*)[1])0xc14c1532))                 [Type: unsigned short [1]]
    [0]              : 0x52 [Type: unsigned short]
0: kd> db 0xc14c1532
c14c1532  52 00 45 00 43 00 59 00-43 00 4c 00 45 00 52 00  R.E.C.Y.C.L.E.R.
c14c1542  42 00 47 00 75 00 60 19-00 00 00 00 01 00 68 00  B.G.u.`.......h.
c14c1552  56 00 00 00 00 00 05 00-00 00 00 00 05 00 8c 99  V...............
c14c1562  68 a8 c7 06 db 01 ea a4-73 b1 c7 06 db 01 ea a4  h.......s.......
c14c1572  73 b1 c7 06 db 01 50 8c-7f d6 23 63 db 01 00 20  s.....P...#c...
c14c1582  00 00 00 00 00 00 a8 15-00 00 00 00 00 00 20 00  .............. .
c14c1592  00 00 00 00 00 00 0a 03-53 00 49 00 50 00 4f 00  ........S.I.P.O.
c14c15a2  42 00 4a 00 2e 00 44 00-42 00 47 00 75 00 48 0d  B.J...D.B.G.u.H.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x27d5
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x70000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1960
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x56
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0xa ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x53
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c159a))
(*((Ntfs!unsigned short (*)[1])0xc14c159a))                 [Type: unsigned short [1]]
    [0]              : 0x53 [Type: unsigned short]
0: kd> db 0xc14c159a
c14c159a  53 00 49 00 50 00 4f 00-42 00 4a 00 2e 00 44 00  S.I.P.O.B.J...D.
c14c15aa  42 00 47 00 75 00 48 0d-00 00 00 00 01 00 88 00  B.G.u.H.........
c14c15ba  74 00 00 00 00 00 05 00-00 00 00 00 05 00 f2 b1  t...............
c14c15ca  aa ba 8b 06 db 01 58 ee-b9 5b 03 b4 db 01 58 ee  ......X..[....X.
c14c15da  b9 5b 03 b4 db 01 46 8d-fd b2 e4 be db 01 00 00  .[....F.........
c14c15ea  00 00 00 00 00 00 00 00-00 00 00 00 00 00 06 00  ................
c14c15fa  00 10 00 00 00 00 19 01-53 00 79 00 73 00 74 00  ........S.y.s.t.
c14c160a  65 00 6d 00 20 00 56 00-6f 00 6c 00 75 00 6d 00  e.m. .V.o.l.u.m.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1960
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x56
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xd48
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x88
   +0x00a AttributeLength  : 0x74
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x19 ''
   +0x041 Flags            : 0x1 ''
   +0x042 FileName         : [1] 0x53
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1602))
(*((Ntfs!unsigned short (*)[1])0xc14c1602))                 [Type: unsigned short [1]]
    [0]              : 0x53 [Type: unsigned short]
0: kd> db 0xc14c1602
c14c1602  53 00 79 00 73 00 74 00-65 00 6d 00 20 00 56 00  S.y.s.t.e.m. .V.
c14c1612  6f 00 6c 00 75 00 6d 00-65 00 20 00 49 00 6e 00  o.l.u.m.e. .I.n.
c14c1622  66 00 6f 00 72 00 6d 00-61 00 74 00 69 00 6f 00  f.o.r.m.a.t.i.o.
c14c1632  6e 00 00 00 00 00 48 0d-00 00 00 00 01 00 68 00  n.....H.......h.
c14c1642  52 00 00 00 00 00 05 00-00 00 00 00 05 00 f2 b1  R...............
c14c1652  aa ba 8b 06 db 01 58 ee-b9 5b 03 b4 db 01 58 ee  ......X..[....X.
c14c1662  b9 5b 03 b4 db 01 46 8d-fd b2 e4 be db 01 00 00  .[....F.........
c14c1672  00 00 00 00 00 00 00 00-00 00 00 00 00 00 06 00  ................


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xd48
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x88
   +0x00a AttributeLength  : 0x74
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xd48
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x8 ''
   +0x041 Flags            : 0x2 ''
   +0x042 FileName         : [1] 0x53
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c168a))
(*((Ntfs!unsigned short (*)[1])0xc14c168a))                 [Type: unsigned short [1]]
    [0]              : 0x53 [Type: unsigned short]
0: kd> db 0xc14c168a
c14c168a  53 00 59 00 53 00 54 00-45 00 4d 00 7e 00 31 00  S.Y.S.T.E.M.~.1.
c14c169a  00 00 00 00 00 00 f4 27-00 00 00 00 0e 00 68 00  .......'......h.
c14c16aa  54 00 00 00 00 00 05 00-00 00 00 00 05 00 9a b0  T...............
c14c16ba  99 05 66 23 db 01 74 64-82 83 40 27 db 01 74 64  ..f#..td..@'..td
c14c16ca  82 83 40 27 db 01 4e c2-2d 35 ff 6e db 01 00 00  ..@'..N.-5.n....
c14c16da  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c14c16ea  00 10 00 00 00 00 09 01-74 00 66 00 74 00 70 00  ........t.f.t.p.
c14c16fa  64 00 72 00 6f 00 6f 00-74 00 00 00 01 00 f4 27  d.r.o.o.t......'


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0xd48
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x27f4
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0xe0000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x54
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x9 ''
   +0x041 Flags            : 0x1 ''
   +0x042 FileName         : [1] 0x74
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c16b0))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc14c16b0))                 [Type: _MFT_SEGMENT_REFERENCE]
    [+0x000] SegmentNumberLowPart : 0x5 [Type: unsigned long]
    [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
    [+0x006] SequenceNumber   : 0x5 [Type: unsigned short]
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c16f2))
(*((Ntfs!unsigned short (*)[1])0xc14c16f2))                 [Type: unsigned short [1]]
    [0]              : 0x74 [Type: unsigned short]
0: kd> db 0xc14c16f2
c14c16f2  74 00 66 00 74 00 70 00-64 00 72 00 6f 00 6f 00  t.f.t.p.d.r.o.o.
c14c1702  74 00 00 00 01 00 f4 27-00 00 00 00 0e 00 68 00  t......'......h.
c14c1712  52 00 00 00 00 00 05 00-00 00 00 00 05 00 9a b0  R...............
c14c1722  99 05 66 23 db 01 74 64-82 83 40 27 db 01 74 64  ..f#..td..@'..td
c14c1732  82 83 40 27 db 01 4e c2-2d 35 ff 6e db 01 00 00  ..@'..N.-5.n....
c14c1742  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c14c1752  00 10 00 00 00 00 08 02-54 00 46 00 54 00 50 00  ........T.F.T.P.
c14c1762  44 00 52 00 7e 00 31 00-00 00 00 00 01 00 1c 00  D.R.~.1.........


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x27f4
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0xe0000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x54
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x27f4
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0xe0000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x8 ''
   +0x041 Flags            : 0x2 ''
   +0x042 FileName         : [1] 0x54
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c175a))
(*((Ntfs!unsigned short (*)[1])0xc14c175a))                 [Type: unsigned short [1]]
    [0]              : 0x54 [Type: unsigned short]
0: kd> db 0xc14c175a
c14c175a  54 00 46 00 54 00 50 00-44 00 52 00 7e 00 31 00  T.F.T.P.D.R.~.1.
c14c176a  00 00 00 00 01 00 1c 00-00 00 00 00 01 00 60 00  ..............`.
c14c177a  50 00 00 00 00 00 05 00-00 00 00 00 05 00 82 17  P...............
c14c178a  60 88 8b 06 db 01 c0 4c-84 b5 43 93 db 01 c0 4c  `......L..C....L
c14c179a  84 b5 43 93 db 01 46 8d-fd b2 e4 be db 01 00 00  ..C...F.........
c14c17aa  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c14c17ba  00 10 00 00 00 00 07 03-57 00 49 00 4e 00 44 00  ........W.I.N.D.
c14c17ca  4f 00 57 00 53 00 da 1b-00 00 00 00 01 00 60 00  O.W.S.........`.


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x27f4
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0xe0000
   +0x008 Length           : 0x68
   +0x00a AttributeLength  : 0x52
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1c
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x60
   +0x00a AttributeLength  : 0x50
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x7 ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x57
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c17c2))
(*((Ntfs!unsigned short (*)[1])0xc14c17c2))                 [Type: unsigned short [1]]
    [0]              : 0x57 [Type: unsigned short]
0: kd> db 0xc14c17c2
c14c17c2  57 00 49 00 4e 00 44 00-4f 00 57 00 53 00 da 1b  W.I.N.D.O.W.S...
c14c17d2  00 00 00 00 01 00 60 00-4c 00 00 00 00 00 05 00  ......`.L.......
c14c17e2  00 00 00 00 05 00 6e 76-13 da c7 06 db 01 6e 76  ......nv......nv
c14c17f2  13 da c7 06 db 01 6e 76-13 da c7 06 db 01 4e c2  ......nv......N.
c14c1802  2d 35 ff 6e db 01 00 00-00 00 00 00 00 00 00 00  -5.n............
c14c1812  00 00 00 00 00 00 00 00-00 10 00 00 00 00 05 03  ................
c14c1822  77 00 6d 00 70 00 75 00-62 00 00 00 00 00 00 00  w.m.p.u.b.......
c14c1832  00 00 00 00 00 00 10 00-00 00 02 00 00 00 10 00  ................


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1c
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x60
   +0x00a AttributeLength  : 0x50
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+60
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1bda
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x60
   +0x00a AttributeLength  : 0x4c
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt file_name 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+60+10
Ntfs!FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x5 ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x77
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc14c1822))
(*((Ntfs!unsigned short (*)[1])0xc14c1822))                 [Type: unsigned short [1]]
    [0]              : 0x77 [Type: unsigned short]
0: kd> db 0xc14c1822
c14c1822  77 00 6d 00 70 00 75 00-62 00 00 00 00 00 00 00  w.m.p.u.b.......
c14c1832  00 00 00 00 00 00 10 00-00 00 02 00 00 00 10 00  ................
c14c1842  00 00 02 00 00 00 60 00-4c 00 00 00 00 00 05 00  ......`.L.......
c14c1852  00 00 00 00 05 00 6e 76-13 da c7 06 db 01 6e 76  ......nv......nv
c14c1862  13 da c7 06 db 01 6e 76-13 da c7 06 db 01 4e c2  ......nv......N.
c14c1872  2d 35 ff 6e db 01 00 00-00 00 00 00 00 00 00 00  -5.n............
c14c1882  00 00 00 00 00 00 00 00-00 10 00 00 00 00 05 03  ................
c14c1892  77 00 6d 00 70 00 75 00-62 00 00 00 00 00 00 00  w.m.p.u.b.......


0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+60
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x1bda
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x60
   +0x00a AttributeLength  : 0x4c
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
0: kd> dt index_entry 0xc14c1018+28+68+68+60+68+80+70+70+60+70+70+68+68+68+88+68+68+68+60+60
Ntfs!INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0
   +0x008 Length           : 0x10
   +0x00a AttributeLength  : 0
   +0x00c Flags            : 2
   +0x00e Reserved         : 0

相关文章:

  • 给定终点和时间的DoubleS轨迹
  • 51页 @《人工智能生命体 新启点》中國龍 原创连载
  • 实验7 HTTP协议分析与测量
  • 国际前沿知识系列二:基于不同类型头部碰撞中的运动学特征预测能力统计分析
  • 【踩坑记录】nvidia-smi 能识别 GPU,但 torch.cuda.is_available() 报错的终极解决方案
  • Selenium 测试框架 - Python
  • 语音合成之十六 语音合成(TTS)跳跃与重复问题的解析:成因、机制及解决方案
  • C语言学习之数据在内存中的存储
  • ModbusRTU转profibusDP网关与RAC400控制器06功能码的应用
  • Level1.7列表
  • Java IO流学习指南:从小白到入门
  • Java程序员学从0学AI(三)
  • 【信息系统项目管理师】一文掌握高项常考题型-项目进度类计算
  • python数据结构-列表详解
  • C++:共享指针unique_ptr的理解与应用
  • C++:虚函数与纯虚函数
  • SpringAI核心
  • Pr -- 耳机没有Pr输出的声音
  • 对比Redis与向量数据库(如Milvus)在AI中的应用
  • 6.3.2图的深度优先遍历
  • 无码一级a做爰片免费网站/搜索引擎营销的特点有
  • wordpress 软件站主题/java培训机构
  • 做品牌文化的网站/互联网销售平台
  • 免费做请帖的网站/太原seo团队
  • 网站二级栏目数量/企查查在线查询
  • 哈尔滨市建设网/深圳优化公司哪家好