ntfs!CcGetDirtyPages函数分析之DirtyPages=0x1和TargetAttribute=0xe0的一个例子

第一部分：

LARGE_INTEGER
CcGetDirtyPages (
    IN PVOID LogHandle,
    IN PDIRTY_PAGE_ROUTINE DirtyPageRoutine,
    IN PVOID Context1,
    IN PVOID Context2
    )
{

    try {

        while (&SharedCacheMap->SharedCacheMapLinks != &CcDirtySharedCacheMapList.SharedCacheMapLinks) {

            //
            //  Skip over cursors, SharedCacheMaps for other LogHandles, and ones with
            //  no dirty pages
            //

            if (!FlagOn(SharedCacheMap->Flags, IS_CURSOR) && (SharedCacheMap->LogHandle == LogHandle) &&
                (SharedCacheMap->DirtyPages != 0)) {

                //
                //  This SharedCacheMap should stick around for a while in the dirty list.
                //

                CcIncrementOpenCount( SharedCacheMap, 'pdGS' );
                SharedCacheMap->DirtyPages += 1;

第二部分：

1: kd> r
eax=00000000 ebx=00001000 ecx=080ee41a edx=080ee41a esi=8962bd70 edi=8962d400
eip=80a15cd3 esp=f78d2928 ebp=f78d298c iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206
nt!CcGetDirtyPages+0x115:
80a15cd3 8b45c4          mov     eax,dword ptr [ebp-3Ch] ss:0010:f78d2950=080ee41a
1: kd> dt _bcb 8962bd70
nt!_BCB
   +0x000 Dummy            : _MBCB
   +0x000 NodeTypeCode     : 0n765
   +0x002 Dirty            : 0x1 ''
   +0x003 Reserved         : 0 ''
   +0x004 ByteLength       : 0x1000
   +0x008 FileOffset       : _LARGE_INTEGER 0x0
   +0x010 BcbLinks         : _LIST_ENTRY [ 0x8962d410 - 0x8962d410 ]
   +0x018 BeyondLastByte   : _LARGE_INTEGER 0x1000
   +0x020 OldestLsn        : _LARGE_INTEGER 0x80ee41a
   +0x028 NewestLsn        : _LARGE_INTEGER 0x80ee948
   +0x030 Vacb             : (null)
   +0x034 PinCount         : 1
   +0x038 Resource         : _ERESOURCE
   +0x070 SharedCacheMap   : 0x8962d400 _SHARED_CACHE_MAP
   +0x074 BaseAddress      : (null)
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_SHARED_CACHE_MAP *)0x8962d400)
((ntkrnlmp!_SHARED_CACHE_MAP *)0x8962d400)                 : 0x8962d400 [Type: _SHARED_CACHE_MAP *]
    [+0x000] NodeTypeCode     : 767 [Type: short]
    [+0x002] NodeByteSize     : 304 [Type: short]
    [+0x004] OpenCount        : 0x2 [Type: unsigned long]
    [+0x008] FileSize         : {4096} [Type: _LARGE_INTEGER]
    [+0x010] BcbList          [Type: _LIST_ENTRY]
    [+0x018] SectionSize      : {1048576} [Type: _LARGE_INTEGER]
    [+0x020] ValidDataLength  : {9223372036854775807} [Type: _LARGE_INTEGER]
    [+0x028] ValidDataGoal    : {9223372036854775807} [Type: _LARGE_INTEGER]
    [+0x030] InitialVacbs     [Type: _VACB * [4]]
    [+0x040] Vacbs            : 0x8962d430 [Type: _VACB * *]
    [+0x044] FileObject       : 0x894699e0 [Type: _FILE_OBJECT *]
    [+0x048] ActiveVacb       : 0x0 [Type: _VACB *]
    [+0x04c] NeedToZero       : 0x0 [Type: void *]
    [+0x050] ActivePage       : 0x0 [Type: unsigned long]
    [+0x054] NeedToZeroPage   : 0x0 [Type: unsigned long]
    [+0x058] ActiveVacbSpinLock : 0x0 [Type: unsigned long]
    [+0x05c] VacbActiveCount  : 0x0 [Type: unsigned long]
    [+0x060] DirtyPages       : 0x2 [Type: unsigned long]        // [+0x060] DirtyPages       : 0x2
    [+0x064] SharedCacheMapLinks [Type: _LIST_ENTRY]
    [+0x06c] Flags            : 0x204 [Type: unsigned long]
    [+0x070] Status           : 0 [Type: long]
    [+0x074] Mbcb             : 0x0 [Type: _MBCB *]
    [+0x078] Section          : 0xe1368140 [Type: void *]
    [+0x07c] CreateEvent      : 0x0 [Type: _KEVENT *]
    [+0x080] WaitOnActiveCount : 0x0 [Type: _KEVENT *]
    [+0x084] PagesToWrite     : 0x0 [Type: unsigned long]
    [+0x088] BeyondLastFlush  : 0 [Type: __int64]
    [+0x090] Callbacks        : 0xf7169a2c [Type: _CACHE_MANAGER_CALLBACKS *]
    [+0x094] LazyWriteContext : 0xe135f510 [Type: void *]
    [+0x098] PrivateList      [Type: _LIST_ENTRY]
    [+0x0a0] LogHandle        : 0xe1293300 [Type: void *]
    [+0x0a4] FlushToLsnRoutine : 0xf718f6ec [Type: void (*)(void *,_LARGE_INTEGER)]
    [+0x0a8] DirtyPageThreshold : 0x0 [Type: unsigned long]
    [+0x0ac] LazyWritePassCount : 0x2 [Type: unsigned long]
    [+0x0b0] UninitializeEvent : 0x0 [Type: _CACHE_UNINITIALIZE_EVENT *]
    [+0x0b4] NeedToZeroVacb   : 0x0 [Type: _VACB *]
    [+0x0b8] BcbSpinLock      : 0x0 [Type: unsigned long]
    [+0x0bc] Reserved         : 0x0 [Type: void *]
    [+0x0c0] Event            [Type: _KEVENT]
    [+0x0d0] VacbPushLock     [Type: _EX_PUSH_LOCK]
    [+0x0d8] PrivateCacheMap  [Type: _PRIVATE_CACHE_MAP]

第三部分：

1: kd> dt DIRTY_PAGE_CONTEXT 0xf78d2aa4
Ntfs!DIRTY_PAGE_CONTEXT
   +0x000 DirtyPageTable   : 0xf78d2b90 _RESTART_POINTERS
   +0x004 DirtyPageIndex   : 0x44
   +0x008 OldestFileObject : 0x89455df0 _FILE_OBJECT
   +0x010 OldestLsn        : _LARGE_INTEGER 0x80ee220
   +0x018 Overflow         : 0 ''
1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_RESTART_POINTERS *)0xf78d2b90)
((Ntfs!_RESTART_POINTERS *)0xf78d2b90)                 : 0xf78d2b90 [Type: _RESTART_POINTERS *]
    [+0x000] Resource         [Type: _ERESOURCE]
    [+0x038] Table            : 0x89539000 [Type: _RESTART_TABLE *]
    [+0x03c] SpinLock         : 0x0 [Type: unsigned long]
    [+0x040] ResourceInitialized : 0x1 [Type: unsigned char]
    [+0x041] DrainPending     : 0x0 [Type: unsigned char]
    [+0x042] Unused           [Type: unsigned char [6]]

1: kd>  dt DIRTY_PAGE_ENTRY_V0 0x89539000+18+2c*60
Ntfs!DIRTY_PAGE_ENTRY_V0
   +0x000 AllocatedOrNextFree : 0xffffffff
   +0x004 TargetAttribute  : 0xe0            //+0x004 TargetAttribute  : 0xe0
   +0x008 LengthOfTransfer : 0x1000
   +0x00c LcnsToFollow     : 0
   +0x010 Reserved         : 0
   +0x014 Vcn              : 0n0
   +0x01c OldestLsn        : _LARGE_INTEGER 0x80ee480
   +0x024 LcnsForPage      : [1] 0n0

第四部分：

1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_VCB *)0x8962e100)

    [+0x218] OpenAttributeTable [Type: _RESTART_POINTERS]

1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_RESTART_POINTERS *)0x8962e318))
(*((Ntfs!_RESTART_POINTERS *)0x8962e318))                 [Type: _RESTART_POINTERS]
    [+0x000] Resource         [Type: _ERESOURCE]
    [+0x038] Table            : 0x899004c8 [Type: _RESTART_TABLE *]
    [+0x03c] SpinLock         : 0x0 [Type: unsigned long]
    [+0x040] ResourceInitialized : 0x1 [Type: unsigned char]
    [+0x041] DrainPending     : 0x0 [Type: unsigned char]
    [+0x042] Unused           [Type: unsigned char [6]]

1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_RESTART_TABLE *)0x899004c8)
((Ntfs!_RESTART_TABLE *)0x899004c8)                 : 0x899004c8 [Type: _RESTART_TABLE *]
    [+0x000] EntrySize        : 0x28 [Type: unsigned short]
    [+0x002] NumberEntries    : 0x28 [Type: unsigned short]
    [+0x004] NumberAllocated  : 0x1a [Type: unsigned short]
    [+0x006] Reserved         [Type: unsigned short [3]]
    [+0x00c] FreeGoal         : 0xffffffff [Type: unsigned long]
    [+0x010] FirstFree        : 0x428 [Type: unsigned long]
    [+0x014] LastFree         : 0x630 [Type: unsigned long]

1: kd> dt OPEN_ATTRIBUTE_ENTRY 0x899004c8+e0
Ntfs!OPEN_ATTRIBUTE_ENTRY
   +0x000 AllocatedOrNextFree : 0xffffffff
   +0x004 BytesPerIndexBuffer : 0x1000
   +0x008 AttributeTypeCode : 0xa0
   +0x00c DirtyPagesSeen   : 0 ''
   +0x00d Unused           : [3]  ""
   +0x010 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x018 LsnOfOpenRecord  : _LARGE_INTEGER 0x80ee457
   +0x020 OatData          : 0xe1307ea8 OPEN_ATTRIBUTE_DATA
   +0x020 Alignment        : 0xe1307ea8