nt!MiFlushSectionInternal函数分析：从nt!IoSynchronousPageWrite函数到Ntfs!NtfsFsdWrite函数
第一部分:
while (TRUE) {
KeClearEvent (&IoEvent);
Status = IoSynchronousPageWrite (FilePointer,
Mdl,
(PLARGE_INTEGER)&StartingOffset,
&IoEvent,
IoStatus);
1: kd> p
nt!MiFlushSectionInternal+0x6f6:
80a72410 e8c74bfbff call nt!IoSynchronousPageWrite (80a26fdc)
1: kd> t
Breakpoint 43 hit
nt!IoSynchronousPageWrite:
80a26fdc 55 push ebp
1: kd> kc
#
00 nt!IoSynchronousPageWrite
01 nt!MiFlushSectionInternal
02 nt!MmFlushSection
03 nt!CcFlushCache
04 Ntfs!LfsFlushLfcb
05 Ntfs!LfsFlushToLsnPriv
06 Ntfs!LfsWriteLfsRestart
07 Ntfs!LfsWriteRestartArea
08 Ntfs!NtfsCheckpointVolume
09 Ntfs!NtfsCheckpointAllVolumes
0a nt!ExpWorkerThread
0b nt!PspSystemThreadStartup
0c nt!KiThreadStartup
1: kd> dv
FileObject = 0x89469688
MemoryDescriptorList = 0xf78d263c
StartingOffset = 0xf78d26bc {7884800}
Event = 0xf78d26a0
IoStatusBlock = 0xf78d2834
1: kd> dx -r1 ((ntkrnlmp!_MDL *)0xf78d263c)
((ntkrnlmp!_MDL *)0xf78d263c) : 0xf78d263c [Type: _MDL *]
[+0x000] Next : 0x0 [Type: _MDL *]
[+0x004] Size : 92 [Type: short]
[+0x006] MdlFlags : 2 [Type: short]
[+0x008] Process : 0x0 [Type: _EPROCESS *]
[+0x00c] MappedSystemVa : 0x0 [Type: void *]
[+0x010] StartVa : 0x0 [Type: void *]
[+0x014] ByteCount : 0x2000 [Type: unsigned long]
[+0x018] ByteOffset : 0x0 [Type: unsigned long]
// Cache-manager statistics, only bumped when the target file is cached.
if (CcIsFileCached(FileObject)) {
// Count this flush (nt!CcDataFlushes, 0xb in the transcript's x output).
CcDataFlushes += 1;
// Round the MDL byte count up to whole pages: (0x2000 + PAGE_SIZE - 1) >> 12 == 2,
// which is the shr eax,0Ch / add [nt!CcDataPages],eax pair with eax=2 below.
CcDataPages += (MemoryDescriptorList->ByteCount + PAGE_SIZE - 1) >> PAGE_SHIFT; eax=00000002
}
1: kd> x nt!CcDataFlushes
80b1ca50 nt!CcDataFlushes = 0xb
1: kd> p
nt!IoSynchronousPageWrite+0x27:
80a27003 c1e80c shr eax,0Ch
1: kd> p
nt!IoSynchronousPageWrite+0x2a:
80a27006 01054ccab180 add dword ptr [nt!CcDataPages (80b1ca4c)],eax
1: kd> r
eax=00000002
第二部分:
1: kd> p
nt!IoSynchronousPageWrite+0x43:
80a2701f ff150888b180 call dword ptr [nt!pIoAllocateIrp (80b18808)]
1: kd> p
nt!IoSynchronousPageWrite+0x49:
80a27025 85c0 test eax,eax
1: kd> r
eax=894c7980
1: kd> dt _irp 894c7980
ntdll!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x190
+0x004 MdlAddress : (null)
+0x008 Flags : 0
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x894c7990 - 0x894c7990 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 0 ''
+0x021 PendingReturned : 0 ''
+0x022 StackCount : 7 ''
+0x023 CurrentLocation : 8 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0x4 ''
+0x028 UserIosb : (null)
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : (null)
+0x040 Tail : __unnamed
第三部分:
// Populate the freshly allocated paging-write IRP (0x894c7980 in the transcript);
// the second dt _irp dump shows the result of these stores.
irp->MdlAddress = MemoryDescriptorList;
// Flags 0x43 in the dump == IRP_NOCACHE (0x1) | IRP_PAGING_IO (0x2) | IRP_SYNCHRONOUS_PAGING_IO (0x40).
irp->Flags = IRP_PAGING_IO | IRP_NOCACHE | IRP_SYNCHRONOUS_PAGING_IO;
// KernelMode (0): the request is issued from kernel context (RequestorMode 0 in the dump).
irp->RequestorMode = KernelMode;
// Completion status block and signal event come from the caller
// (MiFlushSectionInternal's IoStatus / IoEvent, 0xf78d2834 / 0xf78d26a0).
irp->UserIosb = IoStatusBlock;
irp->UserEvent = Event;
// This MDL has StartVa == 0 and ByteOffset == 0, so UserBuffer stays (null), as the dump shows.
irp->UserBuffer = (PVOID) ((PCHAR) MemoryDescriptorList->StartVa + MemoryDescriptorList->ByteOffset);
irp->Tail.Overlay.OriginalFileObject = FileObject;
// Issuing thread; the worker thread in this call stack (nt!ExpWorkerThread).
irp->Tail.Overlay.Thread = PsGetCurrentThread();
1: kd> dt _irp 894c7980
ntdll!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x190
+0x004 MdlAddress : 0xf78d263c _MDL
+0x008 Flags : 0x43
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x894c7990 - 0x894c7990 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 0 ''
+0x021 PendingReturned : 0 ''
+0x022 StackCount : 7 ''
+0x023 CurrentLocation : 8 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0x4 ''
+0x028 UserIosb : 0xf78d2834 _IO_STATUS_BLOCK
+0x02c UserEvent : 0xf78d26a0 _KEVENT
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : (null)
+0x040 Tail : __unnamed
1: kd> dx -id 0,0,899a2278 -r1 ((ntdll!_MDL *)0xf78d263c)
((ntdll!_MDL *)0xf78d263c) : 0xf78d263c [Type: _MDL *]
[+0x000] Next : 0x0 [Type: _MDL *]
[+0x004] Size : 92 [Type: short]
[+0x006] MdlFlags : 2 [Type: short]
[+0x008] Process : 0x0 [Type: _EPROCESS *]
[+0x00c] MappedSystemVa : 0x0 [Type: void *]
[+0x010] StartVa : 0x0 [Type: void *]
[+0x014] ByteCount : 0x2000 [Type: unsigned long]
[+0x018] ByteOffset : 0x0 [Type: unsigned long]
第四部分:
//
// Fill in the normal write parameters.
//
// irpSp is the stack location dumped as 0x894c7ac8 in the transcript.
// IRP_MJ_WRITE appears as MajorFunction 0x4 and is the index (eax=4) used
// by the indirect dispatch call in nt!IofCallDriver.
irpSp->MajorFunction = IRP_MJ_WRITE;
// 0x2000 bytes, copied straight from the MDL's ByteCount.
irpSp->Parameters.Write.Length = MemoryDescriptorList->ByteCount;
// StartingOffset 7884800 decimal == 0x785000, the ByteOffset shown by dt -r.
irpSp->Parameters.Write.ByteOffset = *StartingOffset;
// Presumably the first dt dump (FileObject null) was taken before this store ran.
irpSp->FileObject = FileObject;
1: kd> dv
StartingOffset = 0xf78d26bc {7884800}
1: kd> dt _io_stack_location 894c7ac8
ntdll!_IO_STACK_LOCATION
+0x000 MajorFunction : 0x4 ''
+0x001 MinorFunction : 0 ''
+0x002 Flags : 0 ''
+0x003 Control : 0 ''
+0x004 Parameters : __unnamed
+0x014 DeviceObject : (null)
+0x018 FileObject : (null)
+0x01c CompletionRoutine : (null)
+0x020 Context : (null)
1: kd> dt _io_stack_location 894c7ac8
ntdll!_IO_STACK_LOCATION
+0x000 MajorFunction : 0x4 ''
+0x001 MinorFunction : 0 ''
+0x002 Flags : 0 ''
+0x003 Control : 0 ''
+0x004 Parameters : __unnamed
+0x014 DeviceObject : (null)
+0x018 FileObject : 0x89469688 _FILE_OBJECT
+0x01c CompletionRoutine : (null)
+0x020 Context : (null)
1: kd> dt _io_stack_location 894c7ac8 -r
ntdll!_IO_STACK_LOCATION
+0x000 MajorFunction : 0x4 ''
+0x001 MinorFunction : 0 ''
+0x002 Flags : 0 ''
+0x003 Control : 0 ''
+0x004 Parameters : __unnamed
+0x000 Write : __unnamed
+0x000 Length : 0x2000
+0x004 Key : 0
+0x008 ByteOffset : _LARGE_INTEGER 0x785000
第五部分:
1: kd> p
nt!IoSynchronousPageWrite+0xa8:
80a27084 e871f6ffff call nt!IofCallDriver (80a266fa)
1: kd> t
nt!IofCallDriver:
80a266fa 55 push ebp
1: kd> kc
#
00 nt!IofCallDriver
01 nt!IoSynchronousPageWrite
02 nt!MiFlushSectionInternal
03 nt!MmFlushSection
04 nt!CcFlushCache
05 Ntfs!LfsFlushLfcb
06 Ntfs!LfsFlushToLsnPriv
07 Ntfs!LfsWriteLfsRestart
08 Ntfs!LfsWriteRestartArea
09 Ntfs!NtfsCheckpointVolume
0a Ntfs!NtfsCheckpointAllVolumes
0b nt!ExpWorkerThread
0c nt!PspSystemThreadStartup
0d nt!KiThreadStartup
1: kd> dv
DeviceObject = 0x894c7980 Device for {...}
Irp = 0x8962e020
//
// IofCallDriver - hand an IRP to the driver owning DeviceObject.
// FASTCALL on x86: DeviceObject arrives in ecx, Irp in edx.
// In:  DeviceObject - target device (here the NTFS volume device 0x8962e020).
//      Irp          - the paging-write IRP built by IoSynchronousPageWrite (0x894c7980).
// Out: NTSTATUS returned by the driver's dispatch routine.
//
// NOTE(review): the `dv` shown at IofCallDriver entry lists
// DeviceObject = 0x894c7980 and Irp = 0x8962e020, the reverse of what the
// register dump (esi=894c7980, edi=8962e020) and NtfsFsdWrite's own `dv`
// (Irp = 0x894c7980) show; `dv` at a FASTCALL entry, before the prologue
// has spilled ecx/edx, can display the two register arguments swapped -
// confirm before relying on it.
//
// The transcript's `call dword ptr [ecx+eax*4+38h]` at nt!IofCallDriver+0x5e
// is the actual dispatch: ecx = driver object (0x89630390), eax = major
// function (4 = IRP_MJ_WRITE), +0x38 presumably DRIVER_OBJECT.MajorFunction
// on x86, giving 0x896303d8 -> Ntfs!NtfsFsdWrite. The two pushes just before
// it (esi = Irp, edi = DeviceObject) are the dispatch routine's stdcall
// arguments. That MajorFunction table is the value an integrity check would
// compare against the driver image when validating the dispatch path.
//
NTSTATUS
FASTCALL
IofCallDriver(
IN PDEVICE_OBJECT DeviceObject,
IN OUT PIRP Irp
)
{
// Non-NULL only when a redirection hook is installed (Driver Verifier's
// IovCallDriver or IoPerfCallDriver, per the comment below); the return
// address is passed so the hook can attribute the call to its caller.
if (pIofCallDriver != NULL) {
//
// This routine will either jump immediately to IovCallDriver or
// IoPerfCallDriver.
//
return pIofCallDriver(DeviceObject, Irp, _ReturnAddress());
}
// Normal path. The indirect call in the transcript sits at
// nt!IofCallDriver+0x5e, so IopfCallDriver appears to be inlined here.
return IopfCallDriver(DeviceObject, Irp);
}
1: kd> p
nt!IofCallDriver+0x5c:
80a26756 56 push esi
1: kd> p
nt!IofCallDriver+0x5d:
80a26757 57 push edi
1: kd> p
nt!IofCallDriver+0x5e:
80a26758 ff548138 call dword ptr [ecx+eax*4+38h]
1: kd> r
eax=00000004 ebx=00000000 ecx=89630390 edx=894c7980 esi=894c7980 edi=8962e020
eip=80a26758 esp=f78d25ec ebp=f78d2600 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!IofCallDriver+0x5e:
80a26758 ff548138 call dword ptr [ecx+eax*4+38h] ds:0023:896303d8={Ntfs!NtfsFsdWrite (f714171a)}
1: kd> t
Ntfs!NtfsFsdWrite:
f714171a 6a48 push 48h
1: kd> kc
#
00 Ntfs!NtfsFsdWrite
01 nt!IofCallDriver
02 nt!IoSynchronousPageWrite
03 nt!MiFlushSectionInternal
04 nt!MmFlushSection
05 nt!CcFlushCache
06 Ntfs!LfsFlushLfcb
07 Ntfs!LfsFlushToLsnPriv
08 Ntfs!LfsWriteLfsRestart
09 Ntfs!LfsWriteRestartArea
0a Ntfs!NtfsCheckpointVolume
0b Ntfs!NtfsCheckpointAllVolumes
0c nt!ExpWorkerThread
0d nt!PspSystemThreadStartup
0e nt!KiThreadStartup
1: kd> dv
VolumeDeviceObject = 0x8962e020
Irp = 0x894c7980