第一部分:
0: kd> dv
IrpContext = 0xf793291c
Scb = 0xe1363d20
Value = 0xe13559b0
IndexContext = 0xe1352348
Attribute = 0x00000000
IndexRoot = 0xe1352348
Sp = 0xe1363d20
0: kd> dx -r1 ((Ntfs!_INDEX_LOOKUP_STACK *)0xe1352388)
((Ntfs!_INDEX_LOOKUP_STACK *)0xe1352388) : 0xe1352388 [Type: _INDEX_LOOKUP_STACK *]
[+0x000] Bcb : 0x0 [Type: void *]
[+0x004] StartOfBuffer : 0xc1241400 [Type: void *]
[+0x008] IndexHeader : 0xc1241580 [Type: _INDEX_HEADER *]
[+0x00c] IndexEntry : 0xc1241590 [Type: _INDEX_ENTRY *]
[+0x010] IndexBlock : 0 [Type: __int64]
[+0x018] CapturedLsn : {135165098} [Type: _LARGE_INTEGER]
0: kd> dt Ntfs!_INDEX_ENTRY 0xc1241590
+0x000 FileReference : _MFT_SEGMENT_REFERENCE
+0x000 DataOffset : 0xd4a
+0x002 DataLength : 0
+0x004 ReservedForZero : 0x10000
+0x008 Length : 0x88
+0x00a AttributeLength : 0x6e
+0x00c Flags : 1
+0x00e Reserved : 0
0: kd> dt Ntfs!_INDEX_ENTRY 0xc1241590+88
+0x000 FileReference : _MFT_SEGMENT_REFERENCE
+0x000 DataOffset : 0
+0x002 DataLength : 0
+0x004 ReservedForZero : 0
+0x008 Length : 0x18
+0x00a AttributeLength : 0
+0x00c Flags : 3
+0x00e Reserved : 0
0: kd> dt file_name 0xc1241550+20+20+10
Ntfs!FILE_NAME
+0x000 ParentDirectory : _MFT_SEGMENT_REFERENCE
+0x008 Info : _DUPLICATED_INFORMATION
+0x040 FileNameLength : 0x16 ''
+0x041 Flags : 0x1 ''
+0x042 FileName : [1] 0x44
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc12415e2))
(*((Ntfs!unsigned short (*)[1])0xc12415e2)) [Type: unsigned short [1]]
[0] : 0x44 [Type: unsigned short]
0: kd> db 0xc12415e2
c12415e2 44 00 6f 00 63 00 75 00-6d 00 65 00 6e 00 74 00 D.o.c.u.m.e.n.t.
c12415f2 73 00 20 00 61 00 6e 00-64 00 20 00 53 00 65 00 s. .a.n.d. .S.e.
c1241602 74 00 74 00 69 00 6e 00-67 00 73 00 00 00 00 00 t.t.i.n.g.s.....
c1241612 00 00 00 00 00 00 00 00-00 00 00 00 00 00 18 00 ................
c1241622 00 00 03 00 00 00 01 00-00 00 00 00 00 00 a0 00 ................
c1241632 00 00 58 00 00 00 01 04-40 00 00 00 08 00 00 00 ..X.....@.......
c1241642 00 00 00 00 00 00 01 00-00 00 00 00 00 00 48 00 ..............H.
c1241652 00 00 00 00 00 00 00 20-00 00 00 00 00 00 00 20 ....... .......
0: kd> db 0xc1241550+20+20
c1241590 4a 0d 00 00 00 00 01 00-88 00 6e 00 01 00 00 00 J.........n.....
c12415a0 05 00 00 00 00 00 05 00
第二部分:
0: kd> dt index_entry 0xc1241550+20+20+88
Ntfs!INDEX_ENTRY
+0x000 FileReference : _MFT_SEGMENT_REFERENCE
+0x000 DataOffset : 0
+0x002 DataLength : 0
+0x004 ReservedForZero : 0
+0x008 Length : 0x18
+0x00a AttributeLength : 0
+0x00c Flags : 3
+0x00e Reserved : 0
0: kd> db 0xc1241550+20+20+88
c1241618 00 00 00 00 00 00 00 00-18 00 00 00 03 00 00 00 ................
c1241628 01 00 00 00 00 00 00 00
0: kd> dv
SharedCacheMap = 0x89455ed0
FileOffset = {4096}
0: kd> dt SHARED_CACHE_MAP 0x89455ed0
nt!SHARED_CACHE_MAP
+0x000 NodeTypeCode : 0n767
+0x002 NodeByteSize : 0n304
+0x004 OpenCount : 1
+0x008 FileSize : _LARGE_INTEGER 0x2000
+0x010 BcbList : _LIST_ENTRY [ 0x894d17d8 - 0x894d17d8 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff
+0x030 InitialVacbs : [4] 0x899880d8 _VACB
+0x040 Vacbs : 0x89455f00 -> 0x899880d8 _VACB
0: kd> dd 0x89455f00
89455f00 899880d8 00000000 00000000 00000000
89455f10 89455f00 8962b128 00000000 00000000
89455f20 00000000 00000000 00000000 00000000
89455f30 00000001 898f1334 80b1cbb0 00000204
0: kd> dt _VACB 899880d8
nt!_VACB
+0x000 BaseAddress : 0xc14c0000 Void
+0x004 SharedCacheMap : 0x89455ed0 _SHARED_CACHE_MAP
+0x008 Overlay : __unnamed
+0x010 LruList : _LIST_ENTRY [ 0x89988130 - 0x89988100 ]
第三部分:
0: kd> dx -r1 ((Ntfs!_INDEX_LOOKUP_STACK *)0xe1352388)
((Ntfs!_INDEX_LOOKUP_STACK *)0xe1352388) : 0xe1352388 [Type: _INDEX_LOOKUP_STACK *]
[+0x000] Bcb : 0x0 [Type: void *]
[+0x004] StartOfBuffer : 0xc1241400 [Type: void *]
[+0x008] IndexHeader : 0xc1241580 [Type: _INDEX_HEADER *]
[+0x00c] IndexEntry : 0xc1241590 [Type: _INDEX_ENTRY *]
[+0x010] IndexBlock : 0 [Type: __int64]
[+0x018] CapturedLsn : {135165098} [Type: _LARGE_INTEGER]
0: kd> dt Ntfs!_INDEX_LOOKUP_STACK 0xe1352388+20
+0x000 Bcb : (null)
+0x004 StartOfBuffer : (null)
+0x008 IndexHeader : (null)
+0x00c IndexEntry : (null)
+0x010 IndexBlock : 0n0
+0x018 CapturedLsn : _LARGE_INTEGER 0x0
//
// Otherwise, read the index buffer pointed to by the current
// Index Entry.
//
ReadIndexBuffer( IrpContext,
Scb,
NtfsIndexEntryBlock((Sp-1)->IndexEntry), //第三个参数和(Sp-1)的IndexEntry的Block
FALSE,
Sp ); //第五个参数Sp
}
}
//
// NtfsIndexEntryBlock(IE) -- fetch the 64-bit index block number stored in
// the trailing sizeof(LONGLONG) bytes of the INDEX_ENTRY pointed to by IE,
// i.e. the LONGLONG at ((PCHAR)IE + IE->Length - 8). IE->Length is the
// entry's on-disk Length field (+0x008); it is widened to ULONG before the
// pointer arithmetic. The result is what ReadIndexBuffer() receives as its
// IndexBlock argument at the call sites in this listing.
//
// Example from this session: the entry at 0xc1241590 has Length 0x88, so the
// block number is read from 0xc1241610; the dump there is all zero, which
// matches IndexBlock = 0n0 on entry to ReadIndexBuffer.
//
// NOTE: the macro performs no validation of its own. It is only meaningful
// for an entry carrying INDEX_ENTRY_NODE (the caller tests that flag first),
// and a Length smaller than sizeof(LONGLONG) would yield an address before
// the entry; the surrounding trace shows NtfsCheckIndexBuffer /
// NtfsCheckIndexBound validating the buffer and entry separately.
//
#define NtfsIndexEntryBlock(IE) ( \
*(PLONGLONG)((PCHAR)(IE) + (ULONG)(IE)->Length - sizeof(LONGLONG)) \
)
0: kd> t
Breakpoint 3 hit
Ntfs!ReadIndexBuffer:
f7173886 55 push ebp
0: kd> kc
#
00 Ntfs!ReadIndexBuffer
01 Ntfs!FindFirstIndexEntry
02 Ntfs!NtfsRestartIndexEnumeration
03 Ntfs!NtfsQueryDirectory
04 Ntfs!NtfsCommonDirectoryControl
05 Ntfs!NtfsFsdDirectoryControl
06 nt!IofCallDriver
07 nt!IopSynchronousServiceTail
08 nt!NtQueryDirectoryFile
09 nt!_KiSystemService
0a nt!ZwQueryDirectoryFile
0b nt!CcPfPrefetchDirectoryContents
0c nt!CcPfPrefetchMetadata
0d nt!CcPfBootWorker
0e nt!PspSystemThreadStartup
0f nt!KiThreadStartup
0: kd> dv
IrpContext = 0xf793291c
Scb = 0xe1363d20
IndexBlock = 0n0
Reread = 0x00 ''
Sp = 0xe13523a8
BOOLEAN
ReadIndexBuffer (
IN PIRP_CONTEXT IrpContext,
IN PSCB Scb,
IN LONGLONG IndexBlock,
IN BOOLEAN Reread,
OUT PINDEX_LOOKUP_STACK Sp
)
0: kd> dt index_entry 0xc1241590
Ntfs!INDEX_ENTRY
+0x000 FileReference : _MFT_SEGMENT_REFERENCE
+0x000 DataOffset : 0xd4a
+0x002 DataLength : 0
+0x004 ReservedForZero : 0x10000
+0x008 Length : 0x88
+0x00a AttributeLength : 0x6e
+0x00c Flags : 1
+0x00e Reserved : 0
0: kd> db 0xc1241590+88-8
c1241610 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c1241620 18 00 00 00 03 00 00 00-01 00 00 00 00 00 00 00 ................
c1241630 a0 00 00 00 58 00 00 00-01 04 40 00 00 00 08 00 ....X.....@.....
c1241640 00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00 ................
c1241650 48 00 00 00 00 00 00 00-00 20 00 00 00 00 00 00 H........ ......
c1241660 00 20 00 00 00 00 00 00-00 20 00 00 00 00 00 00 . ....... ......
c1241670 24 00 49 00 33 00 30 00-31 01 5d 71 51 31 01 8c $.I.3.0.1.]qQ1..
c1241680 6a b0 00 e1 48 d9 17 ba-b0 00 00 00 28 00 00 00 j...H.......(...
0: kd> db 0xc1241590
c1241590 4a 0d 00 00 00 00 01 00-88 00 6e 00 01 00 00 00 J.........n.....
c12415a0 05 00 00 00 00 00 05 00-de 12 cc ba 8b 06 db 01 ................
c12415b0 2c c0 6e 8f c8 06 db 01-2c c0 6e 8f c8 06 db 01 ,.n.....,.n.....
c12415c0 ec 2a fb b2 e4 be db 01-00 00 00 00 00 00 00 00 .*..............
c12415d0 00 00 00 00 00 00 00 00-00 00 00 10 00 00 00 00 ................
c12415e0 16 01 44 00 6f 00 63 00-75 00 6d 00 65 00 6e 00 ..D.o.c.u.m.e.n.
c12415f0 74 00 73 00 20 00 61 00-6e 00 64 00 20 00 53 00 t.s. .a.n.d. .S.
c1241600 65 00 74 00 74 00 69 00-6e 00 67 00 73 00 00 00 e.t.t.i.n.g.s...
0: kd> db 0xc1241590+80
c1241610 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c1241620 18 00 00 00 03 00 00 00-01 00 00 00 00 00 00 00 ................
c1241630 a0 00 00 00 58 00 00 00-01 04 40 00 00 00 08 00 ....X.....@.....
c1241640 00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00 ................
c1241650 48 00 00 00 00 00 00 00-00 20 00 00 00 00 00 00 H........ ......
c1241660 00 20 00 00 00 00 00 00-00 20 00 00 00 00 00 00 . ....... ......
c1241670 24 00 49 00 33 00 30 00-31 01 5d 71 51 31 01 8c $.I.3.0.1.]qQ1..
c1241680 6a b0 00 e1 48 d9 17 ba-b0 00 00 00 28 00 00 00 j...H.......(...
0: kd> dt index_entry 0xc1241590+88
Ntfs!INDEX_ENTRY
+0x000 FileReference : _MFT_SEGMENT_REFERENCE
+0x000 DataOffset : 0
+0x002 DataLength : 0
+0x004 ReservedForZero : 0
+0x008 Length : 0x18
+0x00a AttributeLength : 0
+0x00c Flags : 3
+0x00e Reserved : 0
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc1241618))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc1241618)) [Type: _MFT_SEGMENT_REFERENCE]
[+0x000] SegmentNumberLowPart : 0x0 [Type: unsigned long]
[+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
[+0x006] SequenceNumber : 0x0 [Type: unsigned short]
第四部分:
0: kd> t
Ntfs!NtfsCheckIndexBuffer:
f71b2f90 55 push ebp
0: kd> kc
#
00 Ntfs!NtfsCheckIndexBuffer
01 Ntfs!ReadIndexBuffer
02 Ntfs!FindNextIndexEntry
03 Ntfs!NtfsContinueIndexEnumeration
04 Ntfs!NtfsQueryDirectory
05 Ntfs!NtfsCommonDirectoryControl
06 Ntfs!NtfsFsdDirectoryControl
07 nt!IofCallDriver
08 nt!IopSynchronousServiceTail
09 nt!NtQueryDirectoryFile
0a nt!_KiSystemService
0b nt!ZwQueryDirectoryFile
0c nt!CcPfPrefetchDirectoryContents
0d nt!CcPfPrefetchMetadata
0e nt!CcPfBootWorker
0f nt!PspSystemThreadStartup
10 nt!KiThreadStartup
0: kd> dv
Scb = 0xe1363d20
IndexBuffer = 0xc14c1000
0: kd> kv
# ChildEBP RetAddr Args to Child
00 f7932604 f7173967 e1363d20 c14c1000 00000000 Ntfs!NtfsCheckIndexBuffer (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\checksup.c @ 599]
01 f7932620 f7174726 f793291c e1363d20 00000001 Ntfs!ReadIndexBuffer+0xe1 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\indexsup.c @ 2830]
02 f7932670 f71782b8 f793291c e1363d20 e13559b0 Ntfs!FindNextIndexEntry+0x164 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\indexsup.c @ 3679]
03 f79326c4 f7176259 f793291c e1363eb8 e1363d20 Ntfs!NtfsContinueIndexEnumeration+0x90 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\indexsup.c @ 1844]
04 f79328cc f7176c21 f793291c 894d1a40 895d5100 Ntfs!NtfsQueryDirectory+0x54f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\dirctrl.c @ 1036]
05 f7932900 f71772c4 f793291c e1363d20 895d5020 Ntfs!NtfsCommonDirectoryControl+0xfd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\dirctrl.c @ 315]
06 f7932a70 80a2675c 895d5020 894d1a40 f7932afc Ntfs!NtfsFsdDirectoryControl+0xde (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\dirctrl.c @ 155]
07 f7932a8c 80c70bed f7932afc f7932bac 80c68436 nt!IofCallDriver+0x62 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 2237]
08 f7932aa4 80c684c7 895d5020 894d1a40 8947e2b0 nt!IopSynchronousServiceTail+0x159 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\internal.c @ 7384]
09 f7932ac8 80afbcb2 800007c4 00000000 00000000 nt!NtQueryDirectoryFile+0x91 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\dir.c @ 836]
0a f7932ac8 80a3dab5 800007c4 00000000 00000000 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f7932b08) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
0b f7932b78 80dc9a83 800007c4 00000000 00000000 nt!ZwQueryDirectoryFile+0x11 (FPO: [11,0,0]) [d:\srv03rtm\base\ntos\ke\mp\obj\i386\sysstubs.asm @ 1331]
0c f7932bf0 80dccb0d e1417252 00000018 00000000 nt!CcPfPrefetchDirectoryContents+0xb5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\prefetch.c @ 5896]
0d f7932c18 80dc8c52 f7932d5c 00000000 8963bb70 nt!CcPfPrefetchMetadata+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\prefetch.c @ 5562]
0e f7932dac 80d391f0 89910c28 00000000 00000000 nt!CcPfBootWorker+0x33c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\cache\prefboot.c @ 753]
0f f7932ddc 80b00d52 80dc8916 89910c28 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
10 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
windbg> .open -a fffffffff7173967
BOOLEAN
FindNextIndexEntry (
IN PIRP_CONTEXT IrpContext,
IN PSCB Scb,
IN PVOID Value,
IN BOOLEAN ValueContainsWildcards,
IN BOOLEAN IgnoreCase,
IN OUT PINDEX_CONTEXT IndexContext,
IN BOOLEAN NextFlag,
OUT PBOOLEAN MustRestart OPTIONAL
)
{
while (FlagOn(IndexEntry->Flags, INDEX_ENTRY_NODE)) {
IndexBlock = NtfsIndexEntryBlock(IndexEntry);
Sp += 1;
//
// If the tree is balanced we cannot go too far here.
//
if (Sp >= IndexContext->Base + (ULONG)IndexContext->NumberEntries) {
ASSERT(Sp < IndexContext->Base + (ULONG)IndexContext->NumberEntries);
NtfsRaiseStatus( IrpContext, STATUS_FILE_CORRUPT_ERROR, NULL, Scb->Fcb );
}
NtfsUnpinBcb( IrpContext, &Sp->Bcb );
ReadIndexBuffer( IrpContext,
Scb,
IndexBlock, //第三个参数和(Sp-1)的IndexEntry的Block
FALSE,
Sp ); //第五个参数的Sp
IndexEntry = Sp->IndexEntry;
NtfsCheckIndexBound( IndexEntry, Sp->IndexHeader );
}
0: kd> dt index_entry 0xc1241590+88
Ntfs!INDEX_ENTRY
+0x000 FileReference : _MFT_SEGMENT_REFERENCE
+0x000 DataOffset : 0
+0x002 DataLength : 0
+0x004 ReservedForZero : 0
+0x008 Length : 0x18
+0x00a AttributeLength : 0
+0x00c Flags : 3
+0x00e Reserved : 0
0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc1241618))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc1241618)) [Type: _MFT_SEGMENT_REFERENCE]
[+0x000] SegmentNumberLowPart : 0x0 [Type: unsigned long]
[+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
[+0x006] SequenceNumber : 0x0 [Type: unsigned short]
0: kd> dd 0xc1241590+88
c1241618 00000000 00000000 00000018 00000003
c1241628 00000001 00000000