Analysis of nt!CcGetVacbLargeOffset as called from nt!CcGetVirtualAddressIfMapped (important)


Part 1:

1: kd> kc
 #
00 nt!CcGetVirtualAddressIfMapped
01 nt!CcFlushCache
02 Ntfs!LfsFlushLfcb
03 Ntfs!LfsFlushToLsnPriv
04 Ntfs!LfsWriteLfsRestart
05 Ntfs!LfsWriteRestartArea
06 Ntfs!NtfsCheckpointVolume
07 Ntfs!NtfsCheckpointAllVolumes
08 nt!ExpWorkerThread
09 nt!PspSystemThreadStartup
0a nt!KiThreadStartup
1: kd> dv
 SharedCacheMap = 0x89469530
     FileOffset = 0n7884800
           Vacb = 0xf78d279c
 ReceivedLength = 0xf78d27ac
     VacbOffset = 8
        OldIrql = 0xf7 ''

    /* Excerpt from CcGetVirtualAddressIfMapped: look the VACB up, and if it was idle
       bump the per-map count of active VACBs. */
    if ((*Vacb = GetVacb( SharedCacheMap, *(PLARGE_INTEGER)&FileOffset )) != NULL) {

        if ((*Vacb)->Overlay.ActiveCount == 0) {
            SharedCacheMap->VacbActiveCount += 1;
        }

/* GetVacb picks the lookup strategy by section size: up to VACB_SIZE_OF_FIRST_LEVEL
   (32 MB, i.e. 128 VACBs of 256 KB) Vacbs is a flat array indexed by offset >> 18;
   above that it is the root of a multi-level tree walked by CcGetVacbLargeOffset. */
#define GetVacb(SCM,OFF) (                                                                \
    ((SCM)->SectionSize.QuadPart > VACB_SIZE_OF_FIRST_LEVEL) ?                            \
    CcGetVacbLargeOffset((SCM),(OFF).QuadPart) :                                          \
    (SCM)->Vacbs[(OFF).LowPart >> VACB_OFFSET_SHIFT]                                      \
)


Part 2:

1: kd> dx -r1 ((ntkrnlmp!_SHARED_CACHE_MAP *)0x89469530)
((ntkrnlmp!_SHARED_CACHE_MAP *)0x89469530)                 : 0x89469530 [Type: _SHARED_CACHE_MAP *]
    [+0x000] NodeTypeCode     : 767 [Type: short]
    [+0x002] NodeByteSize     : 304 [Type: short]
    [+0x004] OpenCount        : 0x2 [Type: unsigned long]
    [+0x008] FileSize         : {67108864} [Type: _LARGE_INTEGER]
    [+0x010] BcbList          [Type: _LIST_ENTRY]
    [+0x018] SectionSize      : {67108864} [Type: _LARGE_INTEGER]
    [+0x020] ValidDataLength  : {9223372036854775807} [Type: _LARGE_INTEGER]
    [+0x028] ValidDataGoal    : {9223372036854775807} [Type: _LARGE_INTEGER]
    [+0x030] InitialVacbs     [Type: _VACB * [4]]
    [+0x040] Vacbs            : 0x89469320 [Type: _VACB * *]
1: kd> dd 0x89469320
89469320  894d1008 00000000 00000000 00000000
89469330  00000000 00000000 00000000 00000000

SectionSize is 67108864 = 0x4000000 = 64 MB, which exceeds VACB_SIZE_OF_FIRST_LEVEL (32 MB), so GetVacb takes the CcGetVacbLargeOffset branch. Vacbs therefore no longer points at the inline InitialVacbs array but at a separately allocated root level block (0x89469320); only its first entry (0x894d1008) is populated, since the file offset being flushed lies inside the first 32 MB.

1: kd> p
nt!CcGetVirtualAddressIfMapped+0xa7:
80a19007 e8eefbffff      call    nt!CcGetVacbLargeOffset (80a18bfa)
1: kd> t
nt!CcGetVacbLargeOffset:
80a18bfa 55              push    ebp
1: kd> kc
 #
00 nt!CcGetVacbLargeOffset
01 nt!CcGetVirtualAddressIfMapped
02 nt!CcFlushCache
03 Ntfs!LfsFlushLfcb
04 Ntfs!LfsFlushToLsnPriv
05 Ntfs!LfsWriteLfsRestart
06 Ntfs!LfsWriteRestartArea
07 Ntfs!NtfsCheckpointVolume
08 Ntfs!NtfsCheckpointAllVolumes
09 nt!ExpWorkerThread
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup


1: kd> dv
 SharedCacheMap = 0x89469530
     FileOffset = 0x00785000
          Level = 8

(This dv was taken at the first instruction of the function, so Level is still uninitialized stack garbage. The first loop of CcGetVacbLargeOffset sets Level = 1 and Shift = 32 for a 64 MB section; the Shift -= VACB_LEVEL_SHIFT below then yields 25 = 0x19, which is the value seen in ecx before the descent loop.)

    /* Descent loop of CcGetVacbLargeOffset: at each level the entry is either NULL
       (not mapped) or, while Level != 0, a pointer to the next level block. */
    Shift -= VACB_LEVEL_SHIFT;
    while (((Vacb = (PVACB)VacbArray[FileOffset >> Shift]) != NULL) && (Level != 0)) {

        Level -= 1;

        VacbArray = (PVACB *)Vacb;
        FileOffset &= ((LONGLONG)1 << Shift) - 1;   /* keep only the offset within this block's range */

        Shift -= VACB_LEVEL_SHIFT;
    }

1: kd> p
nt!CcGetVacbLargeOffset+0x6d:
80a18c67 e8c4af0d00      call    nt!_allshr (80af3c30)
1: kd> r
eax=00785000 ebx=89469320 ecx=00000019

1: kd> p
nt!CcGetVacbLargeOffset+0x94:
80a18c8e 21450c          and     dword ptr [ebp+0Ch],eax
1: kd> r
eax=01ffffff ebx=00000000 ecx=00000019 edx=00000000 esi=894d1008 edi=00000019
eip=80a18c8e esp=f78d26f4 ebp=f78d270c


1: kd> dd f78d270c+0Ch
f78d2718  00785000

[ebp+0Ch] is the low dword of the FileOffset argument. This is the FileOffset &= ((LONGLONG)1 << Shift) - 1 step with Shift = 25: eax = 0x01ffffff is the mask, and 0x785000 & 0x1ffffff leaves the value unchanged because the offset already lies within the first 32 MB covered by root entry 0.

1: kd> p
nt!CcGetVacbLargeOffset+0xa0:
80a18c9a 83ef07          sub     edi,7
1: kd> p
nt!CcGetVacbLargeOffset+0xa3:
80a18c9d 8bcf            mov     ecx,edi
1: kd> r
eax=00785000 ebx=00000000 ecx=00000019 edx=00000000 esi=894d1008 edi=00000012


edi holds Shift. After Shift -= VACB_LEVEL_SHIFT it is 0x19 - 7 = 0x12 (18), which is VACB_OFFSET_SHIFT: the next index is a plain VACB index, not a level-block index.

Part 3: second iteration of the loop


Shift is now 18, so the index into the level block at 0x894d1008 is FileOffset >> 18:

0x785000 = 0111 1000 0101 0000 0000 0000 (binary)

Dropping the low 18 bits leaves 011110 = 0x1e (30).

1: kd> dd 0x894d1008
894d1008  89988018 00000000 00000000 00000000
894d1018  00000000 00000000 00000000 00000000
894d1028  00000000 00000000 00000000 00000000
894d1038  00000000 00000000 00000000 00000000
894d1048  00000000 00000000 00000000 00000000
894d1058  00000000 00000000 00000000 00000000
894d1068  00000000 00000000 00000000 00000000
894d1078  00000000 89988048 89988498 00000000
1: kd> dd 0x894d1008+1e*4
894d1080  89988498


1: kd> dt _vacb 89988498
nt!_VACB
   +0x000 BaseAddress      : 0xc2c40000 Void
   +0x004 SharedCacheMap   : 0x89469530 _SHARED_CACHE_MAP
   +0x008 Overlay          : __unnamed
   +0x010 LruList          : _LIST_ENTRY [ 0x80b1cb60 - 0x89988010 ]

1: kd> p
nt!CcGetVacbLargeOffset+0xb1:
80a18cab 3bf3            cmp     esi,ebx
1: kd> r
eax=0000001e ebx=00000000 ecx=00000012 edx=00000000 esi=89988498 edi=00000012


esi = 0x89988498 is the VACB just read from slot 0x1e; the cmp esi,ebx (ebx = 0) is the != NULL test of the while condition. The VACB is non-NULL but Level is now 0, so the loop ends and CcGetVacbLargeOffset returns it. Its BaseAddress 0xc2c40000 is the 256 KB view covering file offsets 0x780000..0x7bffff (0x1e << 18), which contains the requested offset 0x785000.
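To make the two loops traced above reproducible without a kernel debugger, here is a user-mode model of the VACB index, written for this page and not taken from the NT source. It uses the real constants (VACB_OFFSET_SHIFT = 18, VACB_LEVEL_SHIFT = 7, VACB_SIZE_OF_FIRST_LEVEL = 32 MB), but the VACB and SHARED_CACHE_MAP structures are cut down to the fields the lookup touches, the insertion routine is a simplified stand-in for the kernel's own and the bounds checks are this model's, not the kernel's. It rebuilds the 64 MB case from Parts 2 and 3 (one VACB in slot 0x1e of root entry 0), shows the level/shift computation for a larger section, and exercises the flat-array path of GetVacb as well as the NULL results for unmapped ranges.

```c
/* Toy model of the NT cache manager's multi-level VACB index (added example, not NT code).
 * Build: cc -std=c99 -Wall vacb_lookup.c -o vacb_lookup */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constants as in the NT cache manager (cc.h). */
#define VACB_OFFSET_SHIFT        18   /* each VACB maps a 256 KB view */
#define VACB_LEVEL_SHIFT         7    /* 128 pointers per level block */
#define VACB_LEVEL_ENTRIES       (1 << VACB_LEVEL_SHIFT)
#define VACB_SIZE_OF_FIRST_LEVEL ((int64_t)1 << (VACB_OFFSET_SHIFT + VACB_LEVEL_SHIFT)) /* 32 MB */

/* Cut-down structures: only what the lookup touches (layout is this model's, not NT's). */
typedef struct _VACB { void *BaseAddress; } VACB, *PVACB;
typedef struct _SHARED_CACHE_MAP {
    int64_t SectionSize;
    PVACB  *Vacbs;   /* flat PVACB array for small sections, root level block for large ones */
} SHARED_CACHE_MAP;

/* First loop of CcGetVacbLargeOffset: levels below the root and the shift that indexes
 * the root block. A 64 MB section gives Level=1, RootShift=25 (the ecx=0x19 on the page). */
void vacb_levels(int64_t SectionSize, unsigned *Level, unsigned *RootShift)
{
    unsigned Shift = VACB_OFFSET_SHIFT + VACB_LEVEL_SHIFT;
    *Level = 0;
    do {
        *Level += 1;
        Shift += VACB_LEVEL_SHIFT;
    } while (SectionSize > ((int64_t)1 << Shift));
    *RootShift = Shift - VACB_LEVEL_SHIFT;     /* the "Shift -= VACB_LEVEL_SHIFT" before the descent */
}

/* Second loop of CcGetVacbLargeOffset: walk from the root block down to the VACB pointer.
 * Returns NULL as soon as an intermediate block or the leaf slot is empty. */
PVACB vacb_large_offset(const SHARED_CACHE_MAP *Scm, int64_t FileOffset)
{
    unsigned Level, Shift;
    PVACB *VacbArray = Scm->Vacbs;
    PVACB Vacb;

    if (FileOffset < 0 || FileOffset >= Scm->SectionSize)   /* model's bounds check */
        return NULL;
    vacb_levels(Scm->SectionSize, &Level, &Shift);
    while (((Vacb = VacbArray[FileOffset >> Shift]) != NULL) && (Level != 0)) {
        Level -= 1;
        VacbArray = (PVACB *)Vacb;                 /* above the leaf level the "Vacb" is the next block */
        FileOffset &= ((int64_t)1 << Shift) - 1;   /* keep only the offset within this block's range */
        Shift -= VACB_LEVEL_SHIFT;
    }
    return Vacb;
}

/* The GetVacb macro: flat array up to 32 MB, tree above that. */
PVACB get_vacb(const SHARED_CACHE_MAP *Scm, int64_t FileOffset)
{
    if (Scm->SectionSize > VACB_SIZE_OF_FIRST_LEVEL)
        return vacb_large_offset(Scm, FileOffset);
    return Scm->Vacbs[(uint32_t)FileOffset >> VACB_OFFSET_SHIFT];
}

/* Insert a VACB, allocating empty level blocks on demand. Simplified stand-in for the
 * kernel's insertion path (no per-block reference counts, no IRQL handling). */
int set_vacb_large_offset(SHARED_CACHE_MAP *Scm, int64_t FileOffset, PVACB Vacb)
{
    unsigned Level, Shift;
    PVACB *VacbArray = Scm->Vacbs;

    if (FileOffset < 0 || FileOffset >= Scm->SectionSize) return 0;
    vacb_levels(Scm->SectionSize, &Level, &Shift);
    while (Level != 0) {
        PVACB *Next = (PVACB *)VacbArray[FileOffset >> Shift];
        if (Next == NULL) {
            Next = calloc(VACB_LEVEL_ENTRIES, sizeof(PVACB));
            if (Next == NULL) return 0;
            VacbArray[FileOffset >> Shift] = (PVACB)Next;
        }
        Level -= 1;
        VacbArray = Next;
        FileOffset &= ((int64_t)1 << Shift) - 1;
        Shift -= VACB_LEVEL_SHIFT;
    }
    VacbArray[FileOffset >> Shift] = Vacb;
    return 1;
}

/* Rebuild the page's case: 64 MB section, one VACB for the 256 KB view holding offset 0x785000. */
SHARED_CACHE_MAP *build_64mb_map(PVACB Vacb)
{
    SHARED_CACHE_MAP *Scm = calloc(1, sizeof *Scm);
    Scm->SectionSize = (int64_t)64 << 20;
    Scm->Vacbs = calloc(VACB_LEVEL_ENTRIES, sizeof(PVACB));   /* root block */
    set_vacb_large_offset(Scm, 0x785000, Vacb);
    return Scm;
}

int main(void)
{
    VACB view = { (void *)(uintptr_t)0xc2c40000 };   /* BaseAddress from the page's dt _vacb */
    SHARED_CACHE_MAP *Scm = build_64mb_map(&view);
    unsigned Level, Shift;

    vacb_levels(Scm->SectionSize, &Level, &Shift);
    printf("64 MB section: Level=%u RootShift=%u\n", Level, Shift);
    printf("leaf index for 0x785000: 0x%x\n", (unsigned)(0x785000 >> VACB_OFFSET_SHIFT));
    printf("lookup 0x785000  -> %p\n", (void *)get_vacb(Scm, 0x785000));    /* &view */
    printf("lookup 0x100000  -> %p\n", (void *)get_vacb(Scm, 0x100000));    /* NULL: leaf slot 4 empty */
    printf("lookup 0x2000000 -> %p\n", (void *)get_vacb(Scm, 0x2000000));   /* NULL: root slot 1 empty */
    return 0;
}
```

The lookup for 0x2000000 returns NULL from the first evaluation of the while condition, because root entry 1 was never allocated; this is the same NULL that GetVacb's caller in CcGetVirtualAddressIfMapped treats as "not mapped". Note that nothing in the walk itself checks FileOffset against SectionSize: in the kernel that invariant is the caller's responsibility, which is why the model adds its own bounds check before indexing.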
