nt!MiPfExecuteReadList 函数分析:IoAsynchronousPageRead 会把文件内容直接读入 MDL 所描述的物理页面(本例中该 MDL 没有任何虚拟地址映射,MappedSystemVa/StartVa 均为 NULL)

第一部分:从 ReadList->InPageSupportHead 链表取出 MMINPAGE_SUPPORT

1: kd> kc
 #
00 nt!MiPfExecuteReadList
01 nt!MmPrefetchPages
02 nt!CcPfPrefetchSections
03 nt!CcPfBootWorker
04 nt!PspSystemThreadStartup
05 nt!KiThreadStartup
1: kd> dv
       ReadList = 0x8980d8c0
      NextEntry = 0x00000008        // 函数入口处 NextEntry 尚未赋值,这里应为栈上残留值;真正的值要到下面 NextEntry = ReadList->InPageSupportHead.Next 之后才是 0x89540994
1: kd> dx -r1 ((ntkrnlmp!_MI_READ_LIST *)0x8980d8c0)
((ntkrnlmp!_MI_READ_LIST *)0x8980d8c0)                 : 0x8980d8c0 [Type: _MI_READ_LIST *]
    [+0x000] ControlArea      : 0x89531e20 [Type: _CONTROL_AREA *]
    [+0x004] FileObject       : 0x89503790 [Type: _FILE_OBJECT *]
    [+0x008] LastPteOffsetReferenced : 0x1 [Type: unsigned long]
    [+0x00c] InPageSupportHead [Type: _SINGLE_LIST_ENTRY]
    [+0x010] List             [Type: _MI_READ_LIST_ENTRY [1]]
1: kd> dx -r1 (*((ntkrnlmp!_SINGLE_LIST_ENTRY *)0x8980d8cc))
(*((ntkrnlmp!_SINGLE_LIST_ENTRY *)0x8980d8cc))                 [Type: _SINGLE_LIST_ENTRY]
    [+0x000] Next             : 0x89540994 [Type: _SINGLE_LIST_ENTRY *]
1: kd> dx -r1 ((ntkrnlmp!_SINGLE_LIST_ENTRY *)0x89540994)
((ntkrnlmp!_SINGLE_LIST_ENTRY *)0x89540994)                 : 0x89540994 [Type: _SINGLE_LIST_ENTRY *]
    [+0x000] Next             : 0x0 [Type: _SINGLE_LIST_ENTRY *]        // Next == 0:本次 ReadList 只挂了一个 MMINPAGE_SUPPORT,后面的 while 循环只执行一次

1: kd> dt MMINPAGE_SUPPORT 0x89540994-94
nt!MMINPAGE_SUPPORT
   +0x000 Event            : _KEVENT
   +0x010 IoStatus         : _IO_STATUS_BLOCK
   +0x018 ReadOffset       : _LARGE_INTEGER 0x0
   +0x020 WaitCount        : 0n1
   +0x024 Thread           : 0x8989e020 _ETHREAD
   +0x028 FilePointer      : 0x89503790 _FILE_OBJECT
   +0x02c BasePte          : 0xe13a70a0 _MMPTE
   +0x030 Pfn              : (null)
   +0x034 u1               : __unnamed
   +0x038 Mdl              : _MDL
   +0x054 Page             : [16] 0x7b19b
   +0x094 ListEntry        : _SINGLE_LIST_ENTRY        // ListEntry 位于 +0x94,所以 CONTAINING_RECORD 做的就是 0x89540994 - 0x94 = 0x89540900,即 MMINPAGE_SUPPORT 的基址


        InPageSupport = CONTAINING_RECORD(NextEntry,
                                          MMINPAGE_SUPPORT,
                                          ListEntry);


第二部分:用 MI_EXTRACT_PREFETCH_MDL 从 u1 中取出内嵌的 prefetch MDL

/*
 * Returns the prefetch MDL stored in InPageSupport->u1.  u1 is a union
 * (e1 / LongFlags / PrefetchMdl all live at +0x34, see the dt output below),
 * so the low bits of the stored value may carry flag bits rather than
 * address bits; masking with ~(sizeof(QUAD) - 1) == ~7 strips them
 * (the compiler emits `and edi,0FFFFFFF8h`).  This only works because the
 * MDL is 8-byte aligned -- here it is the embedded Mdl field at +0x38
 * (0x89540938).  NOTE(review): which low bits the flags actually occupy is
 * not shown in this trace; in this run they are all zero and the mask is a
 * no-op.
 */
#define MI_EXTRACT_PREFETCH_MDL(_Support) ((PMDL)((ULONG_PTR)(_Support->u1.PrefetchMdl) & ~(sizeof(QUAD) - 1)))
111

1: kd> dt QUAD -v
basesrv!QUAD
struct _QUAD, 1 elements, 0x8 bytes        // sizeof(QUAD) == 8,所以掩码 ~(8-1) == 0xFFFFFFF8,对应下面反汇编里的 and edi,0FFFFFFF8h
   +0x000 DoNotUseThisField : Float

   +0x034 u1               : __unnamed
      +0x000 e1               : _MMINPAGE_FLAGS
      +0x000 LongFlags        : Uint4B
      +0x000 PrefetchMdl      : Ptr32 _MDL
   +0x038 Mdl              : _MDL
      +0x000 Next             : Ptr32 _MDL
      +0x004 Size             : Int2B
      +0x006 MdlFlags         : Int2B
      +0x008 Process          : Ptr32 _EPROCESS
      +0x00c MappedSystemVa   : Ptr32 Void
      +0x010 StartVa          : Ptr32 Void
      +0x014 ByteCount        : Uint4B
      +0x018 ByteOffset       : Uint4B

1: kd> dd 0x89540994-94+34
89540934  89540938 00000000 00000020 89811788        // u1.PrefetchMdl == 0x89540938 == 0x89540900 + 0x38,即指向 MMINPAGE_SUPPORT 自身内嵌的 Mdl 字段;低 3 位为 0,掩码不会改变它
89540944  00000000 00000000 00001000 00000000


1: kd> dt mdl 89540938
basesrv!MDL
   +0x000 Next             : (null)
   +0x004 Size             : 0n32
   +0x006 MdlFlags         : 0n0
   +0x008 Process          : 0x89811788 _EPROCESS
   +0x00c MappedSystemVa   : (null)
   +0x010 StartVa          : (null)
   +0x014 ByteCount        : 0x1000
   +0x018 ByteOffset       : 0


    NextEntry = ReadList->InPageSupportHead.Next;        esi=89540994
    while (NextEntry != NULL) {

1: kd> p
nt!MiPfExecuteReadList+0x2d:
80cf67ad 3bf3            cmp     esi,ebx
1: kd> r
eax=8980d8c0 ebx=00000000 ecx=00000000 edx=00000000 esi=89540994

        //
        // Initialize the prefetch MDL.
        //
    
        Mdl = MI_EXTRACT_PREFETCH_MDL (InPageSupport);        edi=89540938

1: kd> p
nt!MiPfExecuteReadList+0x3e:
80cf67be 8b7ea0          mov     edi,dword ptr [esi-60h]
1: kd> r
eax=8980d8c0 ebx=00000000 ecx=00000000 edx=00000000 esi=89540994 edi=80a03598        // r 显示的是执行 +0x3e 之前的寄存器,edi=80a03598 是旧值;[esi-60h] == &InPageSupport->u1,因为 ListEntry(+0x94) 到 u1(+0x34) 的距离正好是 0x60,编译器把 CONTAINING_RECORD 折进了位移
1: kd>
nt!MiPfExecuteReadList+0x47:
80cf67c7 83e7f8          and     edi,0FFFFFFF8h
1: kd> r
eax=8980d8c0 ebx=00000000 ecx=00000000 edx=00000000 esi=89540900 edi=89540938        // mov 执行后 edi=89540938;esi 已变成基址 89540900,推测 +0x41..+0x47 之间未显示的 6 字节指令做了 -0x94;and edi,0FFFFFFF8h 对已经 8 字节对齐的值没有影响


第三部分:给 MDL 打上 MDL_PAGES_LOCKED | MDL_IO_PAGE_READ 标志

        Mdl->MdlFlags |= (MDL_PAGES_LOCKED | MDL_IO_PAGE_READ);

/*
 * Flags ORed into Mdl->MdlFlags before the page read.  The dt output that
 * follows shows MdlFlags == 0n66 == 0x42 == MDL_IO_PAGE_READ | MDL_PAGES_LOCKED,
 * i.e. both bits were set and nothing else was.  The MDL has no virtual
 * mapping at all (MappedSystemVa and StartVa are NULL); it describes the
 * single physical page listed in its PFN array: the Page[] array at
 * MMINPAGE_SUPPORT+0x54 sits right after the 0x1c-byte MDL header at +0x38,
 * and Size == 32 == 0x1c + one 4-byte PFN entry (0x7b19b), matching
 * ByteCount == 0x1000.
 */
#define MDL_PAGES_LOCKED            0x0002
#define MDL_IO_PAGE_READ            0x0040

1: kd> dt mdl 89540938
basesrv!MDL
   +0x000 Next             : (null)
   +0x004 Size             : 0n32
   +0x006 MdlFlags         : 0n66                0x42
   +0x008 Process          : 0x89811788 _EPROCESS
   +0x00c MappedSystemVa   : (null)
   +0x010 StartVa          : (null)
   +0x014 ByteCount        : 0x1000
   +0x018 ByteOffset       : 0

第四部分:从 BasePte(原型 PTE)取出 PFN 并定位 PFN 数据库项


1: kd> dt MMINPAGE_SUPPORT 0x89540994-94
nt!MMINPAGE_SUPPORT
   +0x000 Event            : _KEVENT
   +0x010 IoStatus         : _IO_STATUS_BLOCK
   +0x018 ReadOffset       : _LARGE_INTEGER 0x0
   +0x020 WaitCount        : 0n1
   +0x024 Thread           : 0x8989e020 _ETHREAD
   +0x028 FilePointer      : 0x89503790 _FILE_OBJECT
   +0x02c BasePte          : 0xe13a70a0 _MMPTE

        //
        // Initialize the inpage support block fields we overloaded.
        //

        ASSERT (InPageSupport->FilePointer == ReadList->FileObject);
        LocalPrototypePte = InPageSupport->BasePte;        关键代码1:BasePte 指向原型 PTE 0xe13a70a0,其内容 0x7b19b8c0 是 transition PTE,PFN = 0x7b19b,对应物理页面 0x7b19b000


1: kd> dd 0xe13a70a0
e13a70a0  7b19b8c0

        PageFrameIndex = MI_GET_PAGE_FRAME_FROM_TRANSITION_PTE(LocalPrototypePte);    7b19b
        Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);                    81000000+7b19b*18=81b8a688


/*
 * Reads the page frame number out of a PTE that is in transition state.
 * For the prototype PTE at 0xe13a70a0 the raw value is 0x7b19b8c0 and the
 * result is 0x7b19b, so the PFN occupies the bits from bit 12 upward; the
 * low 12 bits (0x8c0) are presumably the software-PTE state/protection
 * bits and are not decoded in this analysis.  Physical page == PFN << 12
 * == 0x7b19b000, which is the address dumped with !dc below.
 */
#define MI_GET_PAGE_FRAME_FROM_TRANSITION_PTE(PTE) ((PTE)->u.Trans.PageFrameNumber)


1: kd> p
nt!MiPfExecuteReadList+0x148:
80cf68c8 8d0440          lea     eax,[eax+eax*2]
1: kd> p
nt!MiPfExecuteReadList+0x14b:
80cf68cb 8d04c1          lea     eax,[ecx+eax*8]
1: kd> p
nt!MiPfExecuteReadList+0x14e:
80cf68ce 8d5e10          lea     ebx,[esi+10h]
1: kd> r
eax=81b8a688        // 两条 lea 把 eax 先乘 3 再乘 8(共 ×0x18 = sizeof(MMPFN)),再加上 ecx(应为 MmPfnDatabase = 0x81000000,与上面的算式一致),得到 PFN 项 0x81b8a688;lea ebx,[esi+10h] 取的应是 &InPageSupport->IoStatus(+0x10),即后面传给 IoAsynchronousPageRead 的参数


1: kd> dd 81000000+7b19b*18
81b8a688  89540900 e13a70a0 00000000 0001100a        // 第 1 个 dword 0x89540900 正是 MMINPAGE_SUPPORT 基址(0x89540994-0x94),第 2 个 dword 0xe13a70a0 等于 BasePte(应为 PFN 项的 PteAddress 字段),说明这一页此时已经和本次 inpage 操作关联起来
81b8a698  f930e4d4 200007d8

第五部分:把 PFN 项记录到 InPageSupport->Pfn;此时物理页面仍为全零

1: kd> dt MMINPAGE_SUPPORT 0x89540994-94
nt!MMINPAGE_SUPPORT
   +0x000 Event            : _KEVENT
   +0x010 IoStatus         : _IO_STATUS_BLOCK
   +0x018 ReadOffset       : _LARGE_INTEGER 0x0
   +0x020 WaitCount        : 0n1
   +0x024 Thread           : 0x8989e020 _ETHREAD
   +0x028 FilePointer      : 0x89503790 _FILE_OBJECT
   +0x02c BasePte          : 0xe13a70a0 _MMPTE
   +0x030 Pfn              : (null)
   +0x034 u1               : __unnamed
   +0x038 Mdl              : _MDL
   +0x054 Page             : [16] 0x7b19b
   +0x094 ListEntry        : _SINGLE_LIST_ENTRY

        InPageSupport->Pfn = Pfn1;            关键代码2:


1: kd> dt MMINPAGE_SUPPORT 0x89540994-94
nt!MMINPAGE_SUPPORT
   +0x000 Event            : _KEVENT
   +0x010 IoStatus         : _IO_STATUS_BLOCK
   +0x018 ReadOffset       : _LARGE_INTEGER 0x0
   +0x020 WaitCount        : 0n1
   +0x024 Thread           : 0x8989e020 _ETHREAD
   +0x028 FilePointer      : 0x89503790 _FILE_OBJECT
   +0x02c BasePte          : 0xe13a70a0 _MMPTE
   +0x030 Pfn              : 0x81b8a688 _MMPFN
   +0x034 u1               : __unnamed
   +0x038 Mdl              : _MDL
   +0x054 Page             : [16] 0x7b19b
   +0x094 ListEntry        : _SINGLE_LIST_ENTRY


1: kd> !dc 7b19b000                        I/O 尚未发起,物理页面 0x7b19b000 仍是全零(MDL 描述的就是这一页)
#7b19b000 00000000 00000000 00000000 00000000 ................
#7b19b010 00000000 00000000 00000000 00000000 ................
#7b19b020 00000000 00000000 00000000 00000000 ................
#7b19b030 00000000 00000000 00000000 00000000 ................
#7b19b040 00000000 00000000 00000000 00000000 ................
#7b19b050 00000000 00000000 00000000 00000000 ................
#7b19b060 00000000 00000000 00000000 00000000 ................
#7b19b070 00000000 00000000 00000000 00000000 ................


第六部分:调用 IoAsynchronousPageRead 之后,文件内容已经出现在物理页面 0x7b19b000 中

        status = IoAsynchronousPageRead (InPageSupport->FilePointer,
                                         Mdl,
                                         &InPageSupport->ReadOffset,
                                         &InPageSupport->Event,
                                         &InPageSupport->IoStatus);


1: kd>  !dc 7b19b000
#7b19b000 68532e5b 436c6c65 7373616c 6f666e49 [.ShellClassInfo
#7b19b010 4c0a0d5d 6c61636f 64657a69 6f736552 ]..LocalizedReso
#7b19b020 65637275 656d614e 5325403d 65747379 urceName=@%Syste
#7b19b030 6f6f526d 735c2574 65747379 5c32336d mRoot%\system32\
#7b19b040 6c656873 2e32336c 2c6c6c64 3731322d shell32.dll,-217
#7b19b050 0a0d3036 636f4c5b 7a696c61 69466465 60..[LocalizedFi
#7b19b060 614e656c 5d73656d 614d0a0d 66696e67 leNames]..Magnif
#7b19b070 2e726569 3d6b6e6c 79532540 6d657473 ier.lnk=@%System
1: kd>  !dc 7b19b000+80
#7b19b080 746f6f52 79735c25 6d657473 735c3233 Root%\system32\s
#7b19b090 6c6c6568 642e3233 2d2c6c6c 34303232 hell32.dll,-2204
#7b19b0a0 4e0a0d31 61727261 2e726f74 3d6b6e6c 1..Narrator.lnk=
#7b19b0b0 79532540 6d657473 746f6f52 79735c25 @%SystemRoot%\sy
#7b19b0c0 6d657473 735c3233 6c6c6568 642e3233 stem32\shell32.d
#7b19b0d0 2d2c6c6c 34303232 4f0a0d38 63532d6e ll,-22048..On-Sc
#7b19b0e0 6e656572 79654b20 72616f62 6e6c2e64 reen Keyboard.ln
#7b19b0f0 25403d6b 74737953 6f526d65 5c25746f k=@%SystemRoot%\
1: kd>  !dc 7b19b000+80*2
#7b19b100 74737973 32336d65 6568735c 32336c6c system32\shell32
#7b19b110 6c6c642e 32322d2c 0d323530 6974550a .dll,-22052..Uti
#7b19b120 7974696c 6e614d20 72656761 6b6e6c2e lity Manager.lnk
#7b19b130 5325403d 65747379 6f6f526d 735c2574 =@%SystemRoot%\s
#7b19b140 65747379 5c32336d 6c656873 2e32336c ystem32\shell32.
#7b19b150 2c6c6c64 3032322d 0a0d3536 00000000 dll,-22065......
#7b19b160 00000000 00000000 00000000 00000000 ................
#7b19b170 00000000 00000000 00000000 00000000 ................


1: kd> dd 0x81b8a688
81b8a688  89540900 e13a70a0 00000000 0001100a
81b8a698  f930e4d4 200007d8

1: kd> dd e13a70a0
e13a70a0  7b19b8c0        // 读取完成后,原型 PTE 和 PFN 项在这次 dump 中都没有变化,仍是 transition 状态的 0x7b19b8c0:数据是经由 MDL 所描述的物理页面写入的(该 MDL 没有 MappedSystemVa/StartVa),后续让 PTE 变为有效的处理不在本文跟踪范围内


第七部分:FILE_OBJECT → SECTION_OBJECT_POINTERS → CONTROL_AREA → SUBSECTION → 原型 PTE 的关联


1: kd> dt MMINPAGE_SUPPORT 0x89540994-94
nt!MMINPAGE_SUPPORT
   +0x000 Event            : _KEVENT
   +0x010 IoStatus         : _IO_STATUS_BLOCK
   +0x018 ReadOffset       : _LARGE_INTEGER 0x0
   +0x020 WaitCount        : 0n1
   +0x024 Thread           : 0x8989e020 _ETHREAD
   +0x028 FilePointer      : 0x89503790 _FILE_OBJECT
   +0x02c BasePte          : 0xe13a70a0 _MMPTE
   +0x030 Pfn              : 0x81b8a688 _MMPFN
   +0x034 u1               : __unnamed
   +0x038 Mdl              : _MDL
   +0x054 Page             : [16] 0x7b19b
   +0x094 ListEntry        : _SINGLE_LIST_ENTRY
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_FILE_OBJECT *)0x89503790)
((ntkrnlmp!_FILE_OBJECT *)0x89503790)                 : 0x89503790 [Type: _FILE_OBJECT *]
    [+0x000] Type             : 5 [Type: short]
    [+0x002] Size             : 112 [Type: short]
    [+0x004] DeviceObject     : 0x89811788 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
    [+0x008] Vpb              : 0x89909178 [Type: _VPB *]
    [+0x00c] FsContext        : 0xe15e40d0 [Type: void *]
    [+0x010] FsContext2       : 0xe15e4220 [Type: void *]
    [+0x014] SectionObjectPointer : 0x896240b4 [Type: _SECTION_OBJECT_POINTERS *]
    [+0x018] PrivateCacheMap  : 0x0 [Type: void *]
    [+0x01c] FinalStatus      : 0 [Type: long]
    [+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
    [+0x024] LockOperation    : 0x0 [Type: unsigned char]
    [+0x025] DeletePending    : 0x0 [Type: unsigned char]
    [+0x026] ReadAccess       : 0x1 [Type: unsigned char]
    [+0x027] WriteAccess      : 0x0 [Type: unsigned char]
    [+0x028] DeleteAccess     : 0x0 [Type: unsigned char]
    [+0x029] SharedRead       : 0x1 [Type: unsigned char]
    [+0x02a] SharedWrite      : 0x1 [Type: unsigned char]
    [+0x02b] SharedDelete     : 0x1 [Type: unsigned char]
    [+0x02c] Flags            : 0x40040 [Type: unsigned long]
    [+0x030] FileName         : "\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini" [Type: _UNICODE_STRING]
    [+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
    [+0x040] Waiters          : 0x0 [Type: unsigned long]
    [+0x044] Busy             : 0x0 [Type: unsigned long]
    [+0x048] LastLock         : 0x0 [Type: void *]
    [+0x04c] Lock             [Type: _KEVENT]
    [+0x05c] Event            [Type: _KEVENT]
    [+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]

1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_SECTION_OBJECT_POINTERS *)0x896240b4)
((ntkrnlmp!_SECTION_OBJECT_POINTERS *)0x896240b4)                 : 0x896240b4 [Type: _SECTION_OBJECT_POINTERS *]
    [+0x000] DataSectionObject : 0x89531e20 [Type: void *]        // 与第一部分 ReadList->ControlArea (0x89531e20) 相同,而 CONTROL_AREA->FilePointer 又指回 0x89503790,三者相互印证
    [+0x004] SharedCacheMap   : 0x0 [Type: void *]
    [+0x008] ImageSectionObject : 0x0 [Type: void *]
1: kd> dt control_area 0x89531e20
nt!CONTROL_AREA
   +0x000 Segment          : 0xe1605960 _SEGMENT
   +0x004 DereferenceList  : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x00c NumberOfSectionReferences : 1
   +0x010 NumberOfPfnReferences : 1
   +0x014 NumberOfMappedViews : 0        // 此刻没有任何映射视图;结合 SharedCacheMap=0、PrivateCacheMap=0 和第一部分的调用栈(CcPfBootWorker),这个 desktop.ini 只是被启动预取器读入了物理内存,并没有进程在读它。做内存取证时要注意:物理内存里出现某个文件的内容,单凭这一点不能说明用户打开或执行过该文件
   +0x018 NumberOfSystemCacheViews : 0
   +0x01c NumberOfUserReferences : 1
   +0x020 u                : __unnamed
   +0x024 FilePointer      : 0x89503790 _FILE_OBJECT
   +0x028 WaitingForDeletion : (null)
   +0x02c ModifiedWriteCount : 0
   +0x02e FlushInProgressCount : 0
1: kd> dt subsection 0x89531e20+30
nt!SUBSECTION
   +0x000 ControlArea      : 0x89531e20 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0
   +0x010 SubsectionBase   : 0xe13a70a0 _MMPTE        //SubsectionBase   : 0xe13a70a0
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 1        // 这个子节只有一个原型 PTE(0xe13a70a0),与 MDL 的 ByteCount=0x1000、Page[0]=0x7b19b 一致:整个文件只占一页
   +0x01c NextSubsection   : (null)
1: kd> dd 0xe13a70a0
e13a70a0  7b19b8c0
