Analysis of Ntfs!NtfsVolumeCheckpointDpc up to the call to Ntfs!NtfsCheckpointAllVolumes
Part 1:
0: kd> g
Breakpoint 22 hit
Ntfs!NtfsVolumeCheckpointDpc:
f71413a6 33c0 xor eax,eax
0: kd> dv
Dpc = 0x00000000
DeferredContext = 0x10f9a2e0
SystemArgument1 = 0x01dbd5c9
SystemArgument2 = 0xffdff980
0: kd> kc
#
00 Ntfs!NtfsVolumeCheckpointDpc
01 nt!KiTimerExpiration
02 nt!KiRetireDpcList
03 nt!KiIdleLoop
Part 2:
0: kd> g
Breakpoint 28 hit
nt!ExQueueWorkItem:
80af292a 55 push ebp
0: kd> dv
WorkItem = 0xf7169a9c
QueueType = CriticalWorkQueue (0n0)
0: kd> dx -r1 ((ntkrnlmp!_WORK_QUEUE_ITEM *)0xf7169a9c)
((ntkrnlmp!_WORK_QUEUE_ITEM *)0xf7169a9c) : 0xf7169a9c [Type: _WORK_QUEUE_ITEM *]
[+0x000] List [Type: _LIST_ENTRY]
[+0x008] WorkerRoutine : 0xf717b1b6 [Type: void (*)(void *)]
[+0x00c] Parameter : 0x0 [Type: void *]
0: kd> u f717b1b6
Ntfs!NtfsCheckpointAllVolumes [d:\srv03rtm\base\fs\ntfs\verfysup.c @ 1335]:
f717b1b6 6848010000 push 148h
f717b1bb 68482b16f7 push offset Ntfs!`string'+0x14c (f7162b48)
f717b1c0 e84303feff call Ntfs!__SEH_prolog (f715b508)
f717b1c5 8d85a8feffff lea eax,[ebp-158h]
f717b1cb 8945e4 mov dword ptr [ebp-1Ch],eax
f717b1ce c645e200 mov byte ptr [ebp-1Eh],0
f717b1d2 c645e300 mov byte ptr [ebp-1Dh],0
f717b1d6 8b351c0016f7 mov esi,dword ptr [Ntfs!_imp__KeGetCurrentIrql (f716001c)]
Part 3:
0: kd> g
Breakpoint 23 hit
Ntfs!NtfsCheckpointAllVolumes:
f717b1b6 6848010000 push 148h
1: kd> kc
#
00 Ntfs!NtfsCheckpointAllVolumes
01 nt!ExpWorkerThread
02 nt!PspSystemThreadStartup
03 nt!KiThreadStartup
for (Links = NtfsData.VcbQueue.Flink;
     Links != &NtfsData.VcbQueue;
     Links = Links->Flink) {
    ASSERT( FlagOn( IrpContext->TopLevelIrpContext->State, IRP_CONTEXT_STATE_OWNS_TOP_LEVEL ));
    Vcb = CONTAINING_RECORD(Links, VCB, VcbLinks);
    IrpContext->Vcb = Vcb;
1: kd> x ntfs!NtfsData
f7169980 Ntfs!NtfsData = struct _NTFS_DATA
1: kd> dx -r1 (*((Ntfs!_NTFS_DATA *)0xf7169980))
(*((Ntfs!_NTFS_DATA *)0xf7169980)) [Type: _NTFS_DATA]
[+0x000] NodeTypeCode : 1792 [Type: short]
[+0x002] NodeByteSize : 504 [Type: short]
[+0x004] DriverObject : 0x89630390 : Driver "\FileSystem\Ntfs" [Type: _DRIVER_OBJECT *]
[+0x008] VcbQueue [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((Ntfs!_LIST_ENTRY *)0xf7169988))
(*((Ntfs!_LIST_ENTRY *)0xf7169988)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8962e108 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8962e108 [Type: _LIST_ENTRY *]
1: kd> dt ntfs!_vcb 0x8962e108-8
+0x000 NodeTypeCode : 0n1793
+0x002 NodeByteSize : 0n2008
+0x004 VcbState : 0x10031001
+0x008 VcbLinks : _LIST_ENTRY [ 0xf7169988 - 0xf7169988 ]
+0x010 RootIndexScb : 0xe1350658 _SCB
+0x014 UsnJournal : (null)
+0x018 MftScb : 0x895c5c40 _SCB
+0x01c Mft2Scb : 0x895c5968 _SCB
+0x020 LogFileScb : 0x89469700 _SCB
+0x024 BitmapScb : 0x895c4220 _SCB
+0x028 AttributeDefTableScb : (null)
+0x02c BadClusterFileScb : 0x8962ba10 _SCB
+0x030 ExtendDirectory : 0xe135ed20 _SCB
+0x034 SecurityDescriptorStream : 0xe1362d20 _SCB
+0x038 SecurityIdIndex : 0xe13503f0 _SCB
+0x03c SecurityDescriptorHashIndex : 0xe135ce68 _SCB
Reference:
dx -r1 ((Ntfs!_VCB *)0x8962e100)
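The loop in Part 3 and the `0x8962e108-8` in the dt command use the same arithmetic: the queue links point at the VcbLinks field embedded at +0x008, so the VCB starts 8 bytes earlier. The following user-mode simulation is an added example, not part of the original post or the NTFS source; MOCK_VCB, insert_tail, walk_vcb_queue and demo are hypothetical names, and the values are copied from the dt output only as sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {            /* same shape as the kernel's LIST_ENTRY */
    struct _LIST_ENTRY *Flink, *Blink;
} LIST_ENTRY;

/* Recover the enclosing structure from a pointer to one of its fields. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Constructed stand-in for the first _VCB fields; only the layout up to VcbLinks matters. */
typedef struct _MOCK_VCB {
    int16_t    NodeTypeCode, NodeByteSize;  /* +0x000, +0x002 */
    uint32_t   VcbState;                    /* +0x004 */
    LIST_ENTRY VcbLinks;                    /* +0x008 */
} MOCK_VCB;

static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* Same loop shape as the excerpt: stop when Flink is the head again; returns records visited. */
static int walk_vcb_queue(LIST_ENTRY *head, MOCK_VCB **last)
{
    int count = 0;
    for (LIST_ENTRY *links = head->Flink; links != head; links = links->Flink) {
        *last = CONTAINING_RECORD(links, MOCK_VCB, VcbLinks);
        count++;
    }
    return count;
}

/* One-volume queue like the session's: returns 1 if the recovered VCB is entry minus 8. */
static int demo(void)
{
    LIST_ENTRY queue = { &queue, &queue };   /* empty head points at itself */
    MOCK_VCB vcb = { 1793, 2008, 0x10031001u, { NULL, NULL } };
    MOCK_VCB *found = NULL;
    insert_tail(&queue, &vcb.VcbLinks);
    return walk_vcb_queue(&queue, &found) == 1 && found == &vcb &&
           (char *)&vcb.VcbLinks - (char *)found == 8;
}
int main(void) { printf("demo ok: %d\n", demo()); return 0; }
```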
Part 4:
VOID
NtfsCheckpointVolume (
    IN PIRP_CONTEXT IrpContext,
    IN PVCB Vcb,
    IN BOOLEAN OwnsCheckpoint,
    IN BOOLEAN CleanVolume,
    IN BOOLEAN FlushVolume,
    IN ULONG LfsFlags,
    IN LSN LastKnownLsn
    )
1: kd> t
Breakpoint 24 hit
Ntfs!NtfsCheckpointVolume:
f71d7f48 6834020000 push 234h
1: kd> kc
#
00 Ntfs!NtfsCheckpointVolume
01 Ntfs!NtfsCheckpointAllVolumes
02 nt!ExpWorkerThread
03 nt!PspSystemThreadStartup
04 nt!KiThreadStartup
1: kd> dv
IrpContext = 0xf78d2c28
Vcb = 0x8962e100
OwnsCheckpoint = 0x00 ''
CleanVolume = 0x00 ''
FlushVolume = 0x01 ''
LfsFlags = 0
LastKnownLsn = {0}