Analysis of the nt!CcGetDirtyPages function
Part 1:
1: kd> t
Breakpoint 31 hit
nt!CcGetDirtyPages:
80a15bbe 6a48 push 48h
1: kd> kc
#
00 nt!CcGetDirtyPages
01 Ntfs!NtfsCheckpointVolume
02 Ntfs!NtfsCheckpointAllVolumes
03 nt!ExpWorkerThread
04 nt!PspSystemThreadStartup
05 nt!KiThreadStartup
1: kd> dv
LogHandle = 0xe1293300
DirtyPageRoutine = 0xf71451f2
Context1 = 0xf78d2c28
Context2 = 0xf78d2aa4
SavedNewestLsn = {0}
SavedFileOffset = {0}
Part 2:
1: kd> x nt!CcDirtySharedCacheMapList
80b1cbc0 nt!CcDirtySharedCacheMapList = struct _SHARED_CACHE_MAP_LIST_CURSOR
1: kd> dx -r1 (*((ntkrnlmp!_SHARED_CACHE_MAP_LIST_CURSOR *)0x80b1cbc0))
(*((ntkrnlmp!_SHARED_CACHE_MAP_LIST_CURSOR *)0x80b1cbc0)) [Type: _SHARED_CACHE_MAP_LIST_CURSOR]
[+0x000] SharedCacheMapLinks [Type: _LIST_ENTRY]
[+0x008] Flags : 0x800 [Type: unsigned long]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cbc0))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cbc0)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x80b1cbb0 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x894d006c [Type: _LIST_ENTRY *]
1: kd> dd 0x80b1cbb0
80b1cbb0 89455cfc
1: kd> dd 89455cfc-64
89455c98 013002ff 00000001 00002000 00000000
89455ca8 89486bb8 89469228 00100000 00000000
89455cb8 ffffffff 7fffffff ffffffff 7fffffff
1: kd> dt SHARED_CACHE_MAP 89455cfc-64
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x2000
+0x010 BcbList : _LIST_ENTRY [ 0x89486bb8 - 0x89469228 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] 0x899880d8 _VACB
+0x040 Vacbs : 0x89455cc8 -> 0x899880d8 _VACB
+0x044 FileObject : 0x89455df0 _FILE_OBJECT
+0x048 ActiveVacb : (null)
+0x04c NeedToZero : (null)
+0x050 ActivePage : 0
+0x054 NeedToZeroPage : 0
+0x058 ActiveVacbSpinLock : 0
+0x05c VacbActiveCount : 0
+0x060 DirtyPages : 2
+0x064 SharedCacheMapLinks : _LIST_ENTRY [ 0x895d580c - 0x80b1cbb0 ]
1: kd> dt _vacb 0x899880d8
nt!_VACB
+0x000 BaseAddress : 0xc14c0000 Void
+0x004 SharedCacheMap : 0x89455c98 _SHARED_CACHE_MAP
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x89988178 - 0x899883a0 ]
Part 3:
[+0x010] BcbList [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x89455ca8))
(*((ntkrnlmp!_LIST_ENTRY *)0x89455ca8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89486bb8 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89469228 [Type: _LIST_ENTRY *]
1: kd> dt _bcb 0x89486bb8-10
nt!_BCB
+0x000 Dummy : _MBCB
+0x000 NodeTypeCode : 0n765 000002fd #define CACHE_NTC_BCB (0x2FD)
+0x002 Dirty : 0x1 ''
+0x003 Reserved : 0 ''
+0x004 ByteLength : 0x1000
+0x008 FileOffset : _LARGE_INTEGER 0x1000
+0x010 BcbLinks : _LIST_ENTRY [ 0x89469228 - 0x89455ca8 ]
+0x018 BeyondLastByte : _LARGE_INTEGER 0x2000
+0x020 OldestLsn : _LARGE_INTEGER 0x80ee35b
+0x028 NewestLsn : _LARGE_INTEGER 0x80ef490
+0x030 Vacb : (null)
+0x034 PinCount : 0
+0x038 Resource : _ERESOURCE
+0x070 SharedCacheMap : 0x89455c98 _SHARED_CACHE_MAP
+0x074 BaseAddress : (null)
1: kd> ?0n765
Evaluate expression: 765 = 000002fd
Part 4:
if ((Bcb->NodeTypeCode == CACHE_NTC_BCB) && Bcb->Dirty) {
    SavedFileOffset = Bcb->FileOffset;
    SavedByteLength = Bcb->ByteLength;
    SavedOldestLsn = Bcb->OldestLsn;
    SavedNewestLsn = Bcb->NewestLsn;
    //
    // Increment PinCount so the Bcb sticks around
    //
    Bcb->PinCount += 1;
1: kd> dt _bcb 0x89486bb8-10
nt!_BCB
+0x000 Dummy : _MBCB
+0x000 NodeTypeCode : 0n765
+0x002 Dirty : 0x1 ''
+0x003 Reserved : 0 ''
+0x004 ByteLength : 0x1000
+0x008 FileOffset : _LARGE_INTEGER 0x1000
+0x010 BcbLinks : _LIST_ENTRY [ 0x89469228 - 0x89455ca8 ]
+0x018 BeyondLastByte : _LARGE_INTEGER 0x2000
+0x020 OldestLsn : _LARGE_INTEGER 0x80ee35b
+0x028 NewestLsn : _LARGE_INTEGER 0x80ef490
+0x030 Vacb : (null)
+0x034 PinCount : 0
+0x038 Resource : _ERESOURCE
+0x070 SharedCacheMap : 0x89455c98 _SHARED_CACHE_MAP
+0x074 BaseAddress : (null)
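
The walk that the debugger commands above perform by hand (list link minus 0x10 to reach the BCB, then the NodeTypeCode and Dirty check from Part 4), as an added user-mode C example that is not kernel code and not code from the original page. model_bcb, dirty_range, collect_dirty and run_sample are hypothetical names; the struct is a reduced model and the sample data is constructed, with the first node reusing the field values shown in the dt output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CACHE_NTC_BCB 0x2FD  /* 0n765, as evaluated on the page */
/* Same arithmetic as "dt _bcb 0x89486bb8-10": link address minus field offset. */
#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))

typedef struct list_entry { struct list_entry *Flink, *Blink; } list_entry;
/* Reduced model of nt!_BCB (assumption: only the fields the quoted check reads). */
typedef struct {
    int16_t    NodeTypeCode;
    uint8_t    Dirty, Reserved;
    uint32_t   ByteLength;
    int64_t    FileOffset;
    list_entry BcbLinks;      /* lands at +0x10, as in the dt output */
    int64_t    OldestLsn, NewestLsn;
    uint32_t   PinCount;
} model_bcb;
typedef struct { int64_t FileOffset; uint32_t ByteLength; int64_t OldestLsn, NewestLsn; } dirty_range;

/* Walk a BcbList-style ring; save and pin every entry that is a dirty BCB. */
size_t collect_dirty(list_entry *head, dirty_range *out, size_t cap) {
    size_t n = 0;
    for (list_entry *e = head->Flink; e != head && n < cap; e = e->Flink) {
        model_bcb *b = CONTAINING_RECORD(e, model_bcb, BcbLinks);
        if (b->NodeTypeCode == CACHE_NTC_BCB && b->Dirty) {
            out[n++] = (dirty_range){ b->FileOffset, b->ByteLength, b->OldestLsn, b->NewestLsn };
            b->PinCount += 1;  /* mirrors the quoted fragment */
        }
    }
    return n;
}

static list_entry head; static model_bcb nodes[3];
/* Constructed sample: nodes[0] uses the field values shown on the page; the rest are made up. */
size_t run_sample(dirty_range *out, size_t cap) {
    head.Flink = head.Blink = &head;
    nodes[0] = (model_bcb){ .NodeTypeCode = CACHE_NTC_BCB, .Dirty = 1, .ByteLength = 0x1000,
                            .FileOffset = 0x1000, .OldestLsn = 0x80ee35b, .NewestLsn = 0x80ef490 };
    nodes[1] = (model_bcb){ .NodeTypeCode = CACHE_NTC_BCB, .Dirty = 0, .ByteLength = 0x1000 };
    nodes[2] = (model_bcb){ .NodeTypeCode = 0x7FFF, .Dirty = 1 };  /* not a BCB: skipped */
    for (int i = 0; i < 3; i++) {  /* tail-insert each node into the ring */
        list_entry *e = &nodes[i].BcbLinks; e->Flink = &head; e->Blink = head.Blink;
        head.Blink->Flink = e; head.Blink = e;
    }
    return collect_dirty(&head, out, cap);
}
int main(void) { dirty_range r[4]; printf("%zu dirty BCB(s)\n", run_sample(r, 4)); return 0; }
```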