当前位置：首页 > news >正文

Ntfs!LfsRestartLogFile函数分析之两次调用Ntfs!LfsReadRestart函数的目的

news 2025/7/9 14:56:10

第一部分：

                DoubleRestart = LfsReadRestart( ThisLfcb,
                                                FileSize,
                                                FALSE,
                                                &SecondRestartOffset,
                                                &SecondRestartPage,
                                                &SecondRestartPageBcb,
                                                &SecondChkdskWasRun,
                                                &SecondValidPage,
                                                &UninitializedFile,
                                                &SecondLogPacked,
                                                &SecondRestartLastLsn );

0: kd> g
Breakpoint 2 hit
Ntfs!LfsReadRestart:
f7193f74 6a30 push 30h
0: kd> kc
#
00 Ntfs!LfsReadRestart
01 Ntfs!LfsRestartLogFile
02 Ntfs!LfsOpenLogFile
03 Ntfs!NtfsStartLogFile
04 Ntfs!NtfsMountVolume
05 Ntfs!NtfsCommonFileSystemControl
06 Ntfs!NtfsFspDispatch
07 nt!ExpWorkerThread
08 nt!PspSystemThreadStartup
09 nt!KiThreadStartup
0: kd> kv
# ChildEBP RetAddr Args to Child
00 f78d6920 f71fc733 e1365008 04000000 00000000 Ntfs!LfsReadRestart (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\lfs\cachesup.c @ 1406]
01 f78d6a08 f71fcecb 895db950 00000001 00001000 Ntfs!LfsRestartLogFile+0x16d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\lfs\registry.c @ 1469]
02 f78d6a80 f7193f12 895db950 000a0008 f7193e48 Ntfs!LfsOpenLogFile+0xbd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\lfs\registry.c @ 287]
03 f78d6acc f719279e 894553f0 895db100 89456310 Ntfs!NtfsStartLogFile+0xc0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\logsup.c @ 3632]
04 f78d6cec f717c5aa 894a9af8 89456310 894a9af8 Ntfs!NtfsMountVolume+0xbba (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 1900]
05 f78d6d04 f71484b0 894a9af8 89456310 8999d020 Ntfs!NtfsCommonFileSystemControl+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 837]
06 f78d6d80 80af2bb9 894a9af8 00000000 8999d020 Ntfs!NtfsFspDispatch+0x1fe (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fspdisp.c @ 336]
07 f78d6dac 80d391f0 894a9af8 00000000 00000000 nt!ExpWorkerThread+0x10f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\worker.c @ 1153]
08 f78d6ddc 80b00d52 80af2aaa 00000000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
09 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]

第二部分：

        //
        // Remember this log file in the Lfcb.
        //

ThisLfcb->FileObject = LogFile;

        SetFlag( ThisLfcb->Flags,
                 (LFCB_READ_FIRST_RESTART |
                  LFCB_READ_SECOND_RESTART) );

第三部分：

            //
            // If the restart offset above wasn't zero then we
            // won't look for a second restart.
            //

if (FirstRestartOffset == 0) {

ClearFlag( ThisLfcb->Flags, LFCB_READ_FIRST_RESTART );

if (DoubleRestart) {

ClearFlag( ThisLfcb->Flags, LFCB_READ_SECOND_RESTART );
}

第四部分：

0: kd> p
Ntfs!LfsRestartLogFile+0x16d:
f71fc733 8845d1 mov byte ptr [ebp-2Fh],al
0: kd> r
eax=c1141001

if (DoubleRestart) {

ClearFlag( ThisLfcb->Flags, LFCB_READ_SECOND_RESTART );
}

#define LFCB_READ_FIRST_RESTART (0x00000100)
#define LFCB_READ_SECOND_RESTART (0x00000200)

[+0x114] Flags : 0x200 [Type: unsigned long]

第五部分：

            //
            // Determine which restart area to use.
            //

if (DoubleRestart && (SecondRestartLastLsn.QuadPart > FirstRestartLastLsn.QuadPart)) {

                BOOLEAN UseSecondPage = TRUE;
                PULONG SecondPage;
                PBCB SecondPageBcb = NULL;
                BOOLEAN UsaError;

FirstRestartLastLsn = {135318955}

SecondRestartLastLsn = {135307178}

查看全文

http://www.dtcms.com/a/270131.html