nt!CcInitializeCacheMap函数分析初始化Vacbs结构
第一部分:
0: kd> p
Ntfs!NtfsCreateInternalStreamCommon+0x20e:
f71b15fa ff15f40016f7 call dword ptr [Ntfs!_imp__CcInitializeCacheMap (f71600f4)]
0: kd> t
Breakpoint 5 hit
nt!CcInitializeCacheMap:
80a165e6 55 push ebp
0: kd> kc
#
00 nt!CcInitializeCacheMap
01 Ntfs!NtfsCreateInternalStreamCommon
02 Ntfs!ReadIndexBuffer
03 Ntfs!FindFirstIndexEntry
04 Ntfs!NtfsUpdateFileNameInIndex
05 Ntfs!NtfsUpdateDuplicateInfo
06 Ntfs!NtfsInitializeSecurity
07 Ntfs!NtfsInitializeSecurityFile
08 Ntfs!NtfsMountVolume
09 Ntfs!NtfsCommonFileSystemControl
0a Ntfs!NtfsFspDispatch
0b nt!ExpWorkerThread
0c nt!PspSystemThreadStartup
0d nt!KiThreadStartup
0: kd> dv
FileObject = 0x89455df0
FileSizes = 0xf78d6704
PinAccess = 0x01 ''
Callbacks = 0xf7169a2c
LazyWriteContext = 0xe1350658
LocalSizes = struct _CC_FILE_SIZES
WeSetBeingCreated = 0xf78d6748
OldIrql = 0xf7 ''
Status = 0n-2136906266
CacheMapToFree = 0x00000008
MustUninitialize = 0
SharedListOwned = 1
0: kd> dx -r1 ((ntkrnlmp!_CC_FILE_SIZES *)0xf78d6704)
((ntkrnlmp!_CC_FILE_SIZES *)0xf78d6704) : 0xf78d6704 [Type: _CC_FILE_SIZES *]
[+0x000] AllocationSize : {8192} [Type: _LARGE_INTEGER]
[+0x008] FileSize : {8192} [Type: _LARGE_INTEGER]
[+0x010] ValidDataLength : {9223372036854775807} [Type: _LARGE_INTEGER]
0: kd> ?0n8192
Evaluate expression: 8192 = 00002000
0: kd> dx -r1 ((ntkrnlmp!_FILE_OBJECT *)0x89455df0)
((ntkrnlmp!_FILE_OBJECT *)0x89455df0) : 0x89455df0 [Type: _FILE_OBJECT *]
[+0x000] Type : 5 [Type: short]
[+0x002] Size : 112 [Type: short]
[+0x004] DeviceObject : 0x894d1c08 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
[+0x008] Vpb : 0x899a7008 [Type: _VPB *]
[+0x00c] FsContext : 0xe1350658 [Type: void *]
[+0x010] FsContext2 : 0x0 [Type: void *]
[+0x014] SectionObjectPointer : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]
0: kd> dx -r1 ((ntkrnlmp!_SECTION_OBJECT_POINTERS *)0x89927294)
((ntkrnlmp!_SECTION_OBJECT_POINTERS *)0x89927294) : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]
[+0x000] DataSectionObject : 0x0 [Type: void *]
[+0x004] SharedCacheMap : 0x0 [Type: void *]
[+0x008] ImageSectionObject : 0x0 [Type: void *]
第二部分:
if (FileObject->SectionObjectPointer->SharedCacheMap == NULL) {
restart:
ASSERT (CacheMapToFree == NULL);
SharedCacheMap = ExAllocatePoolWithTag( NonPagedPool, sizeof(SHARED_CACHE_MAP), 'cScC' );
//
// Now initialize the Shared Cache Map.
//
SharedCacheMap->NodeTypeCode = CACHE_NTC_SHARED_CACHE_MAP;
SharedCacheMap->NodeByteSize = sizeof(SHARED_CACHE_MAP);
SharedCacheMap->FileObject = FileObject;
SharedCacheMap->FileSize = LocalSizes.FileSize;
SharedCacheMap->ValidDataLength = LocalSizes.ValidDataLength;
SharedCacheMap->ValidDataGoal = LocalSizes.ValidDataLength;
0: kd> p
nt!CcInitializeCacheMap+0x139:
80a1671f 898694000000 mov dword ptr [esi+94h],eax
0: kd> r
eax=e1350658 ebx=00000000 ecx=7fffffff edx=0000000a esi=89455c98
0: kd> dt SHARED_CACHE_MAP 89455c98
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 0
+0x008 FileSize : _LARGE_INTEGER 0x2000
+0x010 BcbList : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
+0x018 SectionSize : _LARGE_INTEGER 0x0
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] (null)
+0x040 Vacbs : (null)
+0x044 FileObject : 0x89455df0 _FILE_OBJECT
+0x048 ActiveVacb : (null)
+0x04c NeedToZero : (null)
+0x050 ActivePage : 0
+0x054 NeedToZeroPage : 0
+0x058 ActiveVacbSpinLock : 0
+0x05c VacbActiveCount : 0
+0x060 DirtyPages : 0
+0x064 SharedCacheMapLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x06c Flags : 4
+0x070 Status : 0n0
+0x074 Mbcb : (null)
+0x078 Section : (null)
+0x07c CreateEvent : (null)
+0x080 WaitOnActiveCount : (null)
+0x084 PagesToWrite : 0
+0x088 BeyondLastFlush : 0n0
+0x090 Callbacks : 0xf7169a2c _CACHE_MANAGER_CALLBACKS
+0x094 LazyWriteContext : (null)
+0x098 PrivateList : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x0a0 LogHandle : (null)
+0x0a4 FlushToLsnRoutine : (null)
+0x0a8 DirtyPageThreshold : 0
+0x0ac LazyWritePassCount : 0
+0x0b0 UninitializeEvent : (null)
+0x0b4 NeedToZeroVacb : (null)
+0x0b8 BcbSpinLock : 0
+0x0bc Reserved : (null)
+0x0c0 Event : _KEVENT
+0x0d0 VacbPushLock : _EX_PUSH_LOCK
+0x0d8 PrivateCacheMap : _PRIVATE_CACHE_MAP
LazyWriteContext = 0xe1350658
//
// Get current Shared Cache Map pointer indirectly off of the file object.
// (The actual pointer is typically in a file system data structure, such
// as an Fcb.)
//
SharedCacheMap = FileObject->SectionObjectPointer->SharedCacheMap;
第三部分:
InsertTailList( &CcCleanSharedCacheMapList,
&SharedCacheMap->SharedCacheMapLinks );
0: kd> x nt!CcCleanSharedCacheMapList
80b1cbd0 nt!CcCleanSharedCacheMapList = struct _LIST_ENTRY [ 0x895c5894 - 0x89455f34 ]
0: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cbd0))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cbd0)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x895c5894 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89455f34 [Type: _LIST_ENTRY *]
+0x064 SharedCacheMapLinks : _LIST_ENTRY [ 0x0 - 0x89455f34 ]
0: kd> x nt!CcCleanSharedCacheMapList
80b1cbd0 nt!CcCleanSharedCacheMapList = struct _LIST_ENTRY [ 0x895c5894 - 0x89455f34 ]
0: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cbd0))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cbd0)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x895c5894 [Type: _LIST_ENTRY *] [+0x030] FileName : "\$MftMirr" [Type: _UNICODE_STRING]
[+0x004] Blink : 0x89455f34 [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x895c5894)
((ntkrnlmp!_LIST_ENTRY *)0x895c5894) : 0x895c5894 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x89469594 [Type: _LIST_ENTRY *] [+0x030] FileName : "\$LogFile" [Type: _UNICODE_STRING]
[+0x004] Blink : 0x80b1cbd0 [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x89469594)
((ntkrnlmp!_LIST_ENTRY *)0x89469594) : 0x89469594 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x895d580c [Type: _LIST_ENTRY *] [+0x030] FileName : "\$Mft" [Type: _UNICODE_STRING]
[+0x004] Blink : 0x895c5894 [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x895d580c)
((ntkrnlmp!_LIST_ENTRY *)0x895d580c) : 0x895d580c [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x895c44ac [Type: _LIST_ENTRY *] [+0x030] FileName : "\$UpCase" [Type: _UNICODE_STRING]
[+0x004] Blink : 0x89469594 [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x895c44ac)
((ntkrnlmp!_LIST_ENTRY *)0x895c44ac) : 0x895c44ac [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x8962b06c [Type: _LIST_ENTRY *] [+0x030] FileName : "\$BitMap" [Type: _UNICODE_STRING]
[+0x004] Blink : 0x895d580c [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x8962b06c)
((ntkrnlmp!_LIST_ENTRY *)0x8962b06c) : 0x8962b06c [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x8962b74c [Type: _LIST_ENTRY *] [+0x030] FileName : "\$Mft" [Type: _UNICODE_STRING]
[+0x004] Blink : 0x895c44ac [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x8962b74c)
((ntkrnlmp!_LIST_ENTRY *)0x8962b74c) : 0x8962b74c [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x8962b494 [Type: _LIST_ENTRY *] [+0x030] FileName : "\$MapAttributeValue" [Type: _UNICODE_STRING]
[+0x004] Blink : 0x8962b06c [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x8962b494)
((ntkrnlmp!_LIST_ENTRY *)0x8962b494) : 0x8962b494 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x8962b25c [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8962b74c [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x8962b25c)
((ntkrnlmp!_LIST_ENTRY *)0x8962b25c) : 0x8962b25c [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x89455f34 [Type: _LIST_ENTRY *] [+0x030] FileName : "\$Directory" [Type: _UNICODE_STRING]
[+0x004] Blink : 0x8962b494 [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x89455f34)
((ntkrnlmp!_LIST_ENTRY *)0x89455f34) : 0x89455f34 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x80b1cbd0 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8962b25c [Type: _LIST_ENTRY *]
0: kd> dt _vacb 0x89988030
nt!_VACB
+0x000 BaseAddress : 0xc1100000 Void
+0x004 SharedCacheMap : 0x895c5830 _SHARED_CACHE_MAP
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x89988058 - 0x89988028 ]
+0x040 Vacbs : 0x895d5640 -> 0x89988000 _VACB
0: kd> dt _vacb 0x89988000
nt!_VACB
+0x000 BaseAddress : 0xc1240000 Void
+0x004 SharedCacheMap : 0x895d57a8 _SHARED_CACHE_MAP
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x80b1cb60 - 0x89988088 ]
0: kd> dt _vacb 0x89988060
nt!_VACB
+0x000 BaseAddress : 0xc1280000 Void
+0x004 SharedCacheMap : 0x895c4448 _SHARED_CACHE_MAP
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x899880d0 - 0x89988058 ]
0: kd> dt SHARED_CACHE_MAP 0x8962b06c-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x13fe60
+0x010 BcbList : _LIST_ENTRY [ 0x8962b018 - 0x8962b018 ]
+0x018 SectionSize : _LARGE_INTEGER 0x200000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] (null)
+0x040 Vacbs : 0x895d5428 -> (null)
0: kd> dt SHARED_CACHE_MAP 0x8962b74c-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x518
+0x010 BcbList : _LIST_ENTRY [ 0x8962b6f8 - 0x8962b6f8 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] 0x899880a8 _VACB
+0x040 Vacbs : 0x8962b718 -> 0x899880a8 _VACB
0: kd> dt _vacb 0x899880a8
nt!_VACB
+0x000 BaseAddress : 0xc1400000 Void
+0x004 SharedCacheMap : 0x8962b6e8 _SHARED_CACHE_MAP
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x899880a0 - 0x899880d0 ]
0: kd> dt SHARED_CACHE_MAP 0x8962b494-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x1030
+0x010 BcbList : _LIST_ENTRY [ 0x8962b440 - 0x8962b440 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] 0x89988090 _VACB
+0x040 Vacbs : 0x8962b460 -> 0x89988090 _VACB
0: kd> dt _vacb 0x89988090
nt!_VACB
+0x000 BaseAddress : 0xc1440000 Void
+0x004 SharedCacheMap : 0x8962b430 _SHARED_CACHE_MAP
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x89988088 - 0x899880b8 ]
0: kd> dt SHARED_CACHE_MAP 0x8962b25c-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x48170
+0x010 BcbList : _LIST_ENTRY [ 0x8962b208 - 0x8962b208 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] (null)
+0x040 Vacbs : 0x8962b228 -> (null)
0: kd> dt SHARED_CACHE_MAP 0x89455f34-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x3000
+0x010 BcbList : _LIST_ENTRY [ 0x89455ee0 - 0x89455ee0 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] 0x89988078 _VACB
+0x040 Vacbs : 0x89455f00 -> 0x89988078 _VACB
0: kd> dt _vacb 0x89988078
nt!_VACB
+0x000 BaseAddress : 0xc1480000 Void
+0x004 SharedCacheMap : 0x89455ed0 _SHARED_CACHE_MAP
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x89988010 - 0x899880a0 ]
第四部分:
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x8962b25c)
((ntkrnlmp!_LIST_ENTRY *)0x8962b25c) : 0x8962b25c [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x89455f34 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8962b494 [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x89455f34)
((ntkrnlmp!_LIST_ENTRY *)0x89455f34) : 0x89455f34 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x89455cfc [Type: _LIST_ENTRY *] [+0x000] Flink : 0x89455cfc 新添加的
[+0x004] Blink : 0x8962b25c [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x89455cfc)
((ntkrnlmp!_LIST_ENTRY *)0x89455cfc) : 0x89455cfc [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x80b1cbd0 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89455f34 [Type: _LIST_ENTRY *]
0: kd> dt SHARED_CACHE_MAP 0x89455cfc-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 0
+0x008 FileSize : _LARGE_INTEGER 0x2000
+0x010 BcbList : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
+0x018 SectionSize : _LARGE_INTEGER 0x0
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] (null)
+0x040 Vacbs : (null)
[+0x030] FileName : "\$Directory" [Type: _UNICODE_STRING]
第五部分:
SharedCacheMap->Status = MmCreateSection( &SharedCacheMap->Section,
SECTION_MAP_READ
| SECTION_MAP_WRITE
| SECTION_QUERY,
NULL,
&LocalSizes.AllocationSize,
PAGE_READWRITE,
SEC_COMMIT,
NULL,
FileObject );
0: kd> kc
#
00 nt!ObCreateObject
01 nt!MmCreateSection
02 nt!CcInitializeCacheMap
03 Ntfs!NtfsCreateInternalStreamCommon
04 Ntfs!ReadIndexBuffer
05 Ntfs!FindFirstIndexEntry
06 Ntfs!NtfsUpdateFileNameInIndex
07 Ntfs!NtfsUpdateDuplicateInfo
08 Ntfs!NtfsInitializeSecurity
09 Ntfs!NtfsInitializeSecurityFile
0a Ntfs!NtfsMountVolume
0b Ntfs!NtfsCommonFileSystemControl
0c Ntfs!NtfsFspDispatch
0d nt!ExpWorkerThread
0e nt!PspSystemThreadStartup
0f nt!KiThreadStartup
0: kd> dt SHARED_CACHE_MAP 0x89455cfc-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x2000
+0x010 BcbList : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
+0x018 SectionSize : _LARGE_INTEGER 0x0
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] (null)
+0x040 Vacbs : (null)
+0x044 FileObject : 0x89455df0 _FILE_OBJECT
+0x048 ActiveVacb : (null)
+0x04c NeedToZero : (null)
+0x050 ActivePage : 0
+0x054 NeedToZeroPage : 0
+0x058 ActiveVacbSpinLock : 0
+0x05c VacbActiveCount : 0
+0x060 DirtyPages : 0
+0x064 SharedCacheMapLinks : _LIST_ENTRY [ 0x80b1cbd0 - 0x89455f34 ]
+0x06c Flags : 0x104
+0x070 Status : 0n0
+0x074 Mbcb : (null)
+0x078 Section : 0xe13603d0 Void
0: kd> dt section 0xe13603d0
nt!SECTION
+0x000 Address : _MMADDRESS_NODE
+0x014 Segment : 0xe1291b48 _SEGMENT
+0x018 SizeOfSection : _LARGE_INTEGER 0x100000
+0x020 u : __unnamed
+0x024 InitialPageProtection : 4
0: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_SEGMENT *)0xe1291b48)
((ntkrnlmp!_SEGMENT *)0xe1291b48) : 0xe1291b48 [Type: _SEGMENT *]
[+0x000] ControlArea : 0x89455c30 [Type: _CONTROL_AREA *]
[+0x004] TotalNumberOfPtes : 0x100 [Type: unsigned long]
[+0x008] NonExtendedPtes : 0x100 [Type: unsigned long]
[+0x00c] WritableUserReferences : 0x0 [Type: unsigned long]
[+0x010] SizeOfSegment : 0x100000 [Type: unsigned __int64]
[+0x018] SegmentPteTemplate [Type: _MMPTE]
[+0x01c] NumberOfCommittedPages : 0x0 [Type: unsigned long]
[+0x020] ExtendInfo : 0x0 [Type: _MMEXTEND_INFO *]
[+0x024] SegmentFlags [Type: _SEGMENT_FLAGS]
[+0x028] BasedAddress : 0x0 [Type: void *]
[+0x02c] u1 [Type: __unnamed]
[+0x030] u2 [Type: __unnamed]
[+0x034] PrototypePte : 0x61444d43 [Type: _MMPTE *]
[+0x038] ThePtes [Type: _MMPTE [1]]
0: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_CONTROL_AREA *)0x89455c30)
((ntkrnlmp!_CONTROL_AREA *)0x89455c30) : 0x89455c30 [Type: _CONTROL_AREA *]
[+0x000] Segment : 0xe1291b48 [Type: _SEGMENT *]
[+0x004] DereferenceList [Type: _LIST_ENTRY]
[+0x00c] NumberOfSectionReferences : 0x1 [Type: unsigned long]
[+0x010] NumberOfPfnReferences : 0x0 [Type: unsigned long]
[+0x014] NumberOfMappedViews : 0x0 [Type: unsigned long]
[+0x018] NumberOfSystemCacheViews : 0x0 [Type: unsigned long]
[+0x01c] NumberOfUserReferences : 0x0 [Type: unsigned long]
[+0x020] u [Type: __unnamed]
[+0x024] FilePointer : 0x89455df0 [Type: _FILE_OBJECT *] [+0x024] FilePointer : 0x89455df0
[+0x028] WaitingForDeletion : 0x0 [Type: _EVENT_COUNTER *]
[+0x02c] ModifiedWriteCount : 0x0 [Type: unsigned short]
[+0x02e] FlushInProgressCount : 0x0 [Type: unsigned short]
第六部分:
//
// Create the Vacb array.
//
Status = CcCreateVacbArray( SharedCacheMap, LocalSizes.AllocationSize );
if (!NT_SUCCESS(Status)) {
goto exitfinally;
}
0: kd> dx -r1 (*((ntkrnlmp!_CC_FILE_SIZES *)0xf78d66b0))
(*((ntkrnlmp!_CC_FILE_SIZES *)0xf78d66b0)) [Type: _CC_FILE_SIZES]
[+0x000] AllocationSize : {1048576} [Type: _LARGE_INTEGER]
[+0x008] FileSize : {8192} [Type: _LARGE_INTEGER]
[+0x010] ValidDataLength : {9223372036854775807} [Type: _LARGE_INTEGER]
0: kd> ?0n8192
Evaluate expression: 8192 = 00002000
0: kd> t
nt!CcCreateVacbArray:
80bfa1dc 55 push ebp
0: kd> dv
SharedCacheMap = 0x00000000
NewSectionSize = {1048576}
CreateBcbListHeads = 0xf78d66dc
NewSize = 8
CreateReference = 0x80bfa1dc
0: kd> dt SHARED_CACHE_MAP 0x89455cfc-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x2000
+0x010 BcbList : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] (null)
+0x040 Vacbs : 0x89455cc8 -> (null)
第七部分:
RtlZeroMemory( PrivateCacheMap, sizeof(PRIVATE_CACHE_MAP) );
PrivateCacheMap->NodeTypeCode = CACHE_NTC_PRIVATE_CACHE_MAP;
PrivateCacheMap->FileObject = FileObject;
PrivateCacheMap->ReadAheadMask = PAGE_SIZE - 1;
//
// Initialize the spin lock.
//
KeInitializeSpinLock( &PrivateCacheMap->ReadAheadSpinLock );
InsertTailList( &SharedCacheMap->PrivateList, &PrivateCacheMap->PrivateLinks );
FileObject->PrivateCacheMap = PrivateCacheMap;
0: kd> dx -r1 ((ntkrnlmp!_FILE_OBJECT *)0x89455df0)
((ntkrnlmp!_FILE_OBJECT *)0x89455df0) : 0x89455df0 [Type: _FILE_OBJECT *]
[+0x000] Type : 5 [Type: short]
[+0x002] Size : 112 [Type: short]
[+0x004] DeviceObject : 0x894d1c08 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
[+0x008] Vpb : 0x899a7008 [Type: _VPB *]
[+0x00c] FsContext : 0xe1350658 [Type: void *]
[+0x010] FsContext2 : 0x0 [Type: void *]
[+0x014] SectionObjectPointer : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]
[+0x018] PrivateCacheMap : 0x89455d70 [Type: void *]
0: kd> dt SHARED_CACHE_MAP 0x89455cfc-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x098 PrivateList : _LIST_ENTRY [ 0x89455dbc - 0x89455dbc ]
0: kd> dx -id 0,0,899a2278 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x89455d30))
(*((ntkrnlmp!_LIST_ENTRY *)0x89455d30)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89455dbc [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89455dbc [Type: _LIST_ENTRY *]
PPRIVATE_CACHE_MAP PrivateCacheMap;
0: kd> dt PRIVATE_CACHE_MAP 0x89455dbc-4c
nt!PRIVATE_CACHE_MAP
+0x000 NodeTypeCode : 0n766
+0x000 Flags : _PRIVATE_CACHE_MAP_FLAGS
+0x000 UlongFlags : 0x2fe
+0x004 ReadAheadMask : 0xfff
+0x008 FileObject : 0x89455df0 _FILE_OBJECT
+0x010 FileOffset1 : _LARGE_INTEGER 0x0
+0x018 BeyondLastByte1 : _LARGE_INTEGER 0x0
+0x020 FileOffset2 : _LARGE_INTEGER 0x0
+0x028 BeyondLastByte2 : _LARGE_INTEGER 0x0
+0x030 ReadAheadOffset : [2] _LARGE_INTEGER 0x0
+0x040 ReadAheadLength : [2] 0
+0x048 ReadAheadSpinLock : 0
+0x04c PrivateLinks : _LIST_ENTRY [ 0x89455d30 - 0x89455d30 ]
0: kd> dd 0x89455dbc-4c
89455d70 000002fe 00000fff 89455df0 00000000
89455d70 [+0x018] PrivateCacheMap : 0x89455d70 [Type: void *]
第八部分:返回
CcInitializeCacheMap( UnwindStreamFile,
&CcFileSizes,
PinAccess,
&NtfsData.CacheManagerCallbacks,
(PCHAR)Scb + CompressedStream );
UnwindInitializeCacheMap = TRUE;