An example of the Ntfs!ATTRIBUTE_RECORD_HEADER structure for $INDEX_ROOT = 0x90

1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_FILE_RECORD_SEGMENT_HEADER *)0xc431a400)

((Ntfs!_FILE_RECORD_SEGMENT_HEADER *)0xc431a400) : 0xc431a400 [Type: _FILE_RECORD_SEGMENT_HEADER *]

[+0x000] MultiSectorHeader [Type: _MULTI_SECTOR_HEADER]

[+0x008] Lsn : {135166234} [Type: _LARGE_INTEGER]

[+0x010] SequenceNumber : 0x1 [Type: unsigned short]

[+0x012] ReferenceCount : 0x1 [Type: unsigned short]

[+0x014] FirstAttributeOffset : 0x38 [Type: unsigned short]

[+0x016] Flags : 0x3 [Type: unsigned short]

[+0x018] FirstFreeByte : 0x2b0 [Type: unsigned long]

[+0x01c] BytesAvailable : 0x400 [Type: unsigned long]

[+0x020] BaseFileRecordSegment [Type: _MFT_SEGMENT_REFERENCE]

[+0x028] NextAttributeInstance : 0x3 [Type: unsigned short]

[+0x02a] SegmentNumberHighPart : 0x0 [Type: unsigned short]

[+0x02c] SegmentNumberLowPart : 0x2769 [Type: unsigned long]

[+0x030] UpdateArrayForCreateOnly [Type: unsigned short [1]]

1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x10

+0x004 RecordLength : 0x60

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0

+0x00c Flags : 0

+0x00e Instance : 0

+0x010 Form : __unnamed

1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38+60

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x30

+0x004 RecordLength : 0x68

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0

+0x00c Flags : 0

+0x00e Instance : 2

+0x010 Form : __unnamed

1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38+60+68

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x90

+0x004 RecordLength : 0x1a8

+0x008 FormCode : 0 ''

+0x009 NameLength : 0x4 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 1

+0x010 Form : __unnamed

1: kd> dd 0xc431a400+38+60+68

c431a500 00000090 000001a8 00180400 00010000

c431a510 00000188 00000020 00490024 00300033

c431a520 00000030 00000001 00001000 00000001

c431a530 00000010 00000178 00000178 00000000

c431a540 0000276a 00010000 005a0070 00000000

c431a550 00002769 00010000 8fa0d18e 01db06c8

c431a560 c148aca4 01dba6c6 a8e2bafe 01db06c8

c431a570 c148aca4 01dba6c6 00040000 00000000

1: kd> db 0xc431a400+38+60+68

c431a500 90 00 00 00 a8 01 00 00-00 04 18 00 00 00 01 00 ................

c431a510 88 01 00 00 20 00 00 00-24 00 49 00 33 00 30 00 .... ...$.I.3.0.

c431a520 30 00 00 00 01 00 00 00-00 10 00 00 01 00 00 00 0...............

c431a530 10 00 00 00 78 01 00 00-78 01 00 00 00 00 00 00 ....x...x.......

c431a540 6a 27 00 00 00 00 01 00-70 00 5a 00 00 00 00 00 j'......p.Z.....

c431a550 69 27 00 00 00 00 01 00-8e d1 a0 8f c8 06 db 01 i'..............

c431a560 a4 ac 48 c1 c6 a6 db 01-fe ba e2 a8 c8 06 db 01 ..H.............

c431a570 a4 ac 48 c1 c6 a6 db 01-00 00 04 00 00 00 00 00 ..H.............

1: kd> db 0xc431a400+38+60+68+80

c431a580 00 00 04 00 00 00 00 00-22 00 00 00 00 00 00 00 ........".......

c431a590 0c 03 55 00 73 00 72 00-43 00 6c 00 61 00 73 00 ..U.s.r.C.l.a.s.

c431a5a0 73 00 2e 00 64 00 61 00-74 00 00 00 00 00 00 00 s...d.a.t.......

c431a5b0 6b 27 00 00 00 00 01 00-78 00 62 00 00 00 00 00 k'......x.b.....

c431a5c0 69 27 00 00 00 00 01 00-e8 33 a3 8f c8 06 db 01 i'.......3......

c431a5d0 a4 ac 48 c1 c6 a6 db 01-a4 ac 48 c1 c6 a6 db 01 ..H.......H.....

c431a5e0 a4 ac 48 c1 c6 a6 db 01-00 10 00 00 00 00 00 00 ..H.............

c431a5f0 00 04 00 00 00 00 00 00-22 00 00 00 00 00 00 00 ........".......

1: kd> db 0xc431a400+38+60+68+80*2

c431a600 10 01 55 00 73 00 72 00-43 00 6c 00 61 00 73 00 ..U.s.r.C.l.a.s.

c431a610 73 00 2e 00 64 00 61 00-74 00 2e 00 4c 00 4f 00 s...d.a.t...L.O.

c431a620 47 00 00 00 00 00 00 00-6b 27 00 00 00 00 01 00 G.......k'......

c431a630 70 00 5a 00 00 00 00 00-69 27 00 00 00 00 01 00 p.Z.....i'......

c431a640 e8 33 a3 8f c8 06 db 01-a4 ac 48 c1 c6 a6 db 01 .3........H.....

c431a650 a4 ac 48 c1 c6 a6 db 01-a4 ac 48 c1 c6 a6 db 01 ..H.......H.....

c431a660 00 10 00 00 00 00 00 00-00 04 00 00 00 00 00 00 ................

c431a670 22 00 00 00 00 00 00 00-0c 02 55 00 53 00 52 00 ".........U.S.R.

1: kd> db 0xc431a400+38+60+68+80*3

c431a680 43 00 4c 00 41 00 7e 00-31 00 2e 00 4c 00 4f 00 C.L.A.~.1...L.O.

c431a690 47 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 G...............

c431a6a0 10 00 00 00 02 00 00 00-ff ff ff ff 82 79 47 11 .............yG.

c431a6b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c431a6c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c431a6d0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c431a6e0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c431a6f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38+60+68

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x90

+0x004 RecordLength : 0x1a8

+0x008 FormCode : 0 ''

+0x009 NameLength : 0x4 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 1

+0x010 Form : __unnamed

1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38+60+68+1a8

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0xffffffff

+0x004 RecordLength : 0x11477982

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0

+0x00c Flags : 0

+0x00e Instance : 0

+0x010 Form : __unnamed

1: kd> dt _INDEX_ROOT 0xc431a400+38+60+68+20

Ntfs!_INDEX_ROOT

+0x000 IndexedAttributeType : 0x30

+0x004 CollationRule : 1

+0x008 BytesPerIndexBuffer : 0x1000

+0x00c BlocksPerIndexBuffer : 0x1 ''

+0x00d Reserved : [3] ""

+0x010 IndexHeader : _INDEX_HEADER

1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_INDEX_HEADER *)0xc431a530))

(*((Ntfs!_INDEX_HEADER *)0xc431a530)) [Type: _INDEX_HEADER]

[+0x000] FirstIndexEntry : 0x10 [Type: unsigned long]

[+0x004] FirstFreeByte : 0x178 [Type: unsigned long]

[+0x008] BytesAvailable : 0x178 [Type: unsigned long]

[+0x00c] Flags : 0x0 [Type: unsigned char]

[+0x00d] Reserved [Type: unsigned char [3]]

1: kd> dd 0xc431a400+38+60+68+20+20

c431a540 0000276a 00010000 005a0070 00000000

c431a550 00002769 00010000 8fa0d18e 01db06c8

c431a560 c148aca4 01dba6c6 a8e2bafe 01db06c8

c431a570 c148aca4 01dba6c6 00040000 00000000

c431a580 00040000 00000000 00000022 00000000

c431a590 0055030c 00720073 006c0043 00730061

c431a5a0 002e0073 00610064 00000074 00000000

c431a5b0 0000276b 00010000 00620078 00000000

1: kd> dd 0xc431a400+38+60+68+20+20+80

c431a5c0 00002769 00010000 8fa333e8 01db06c8

c431a5d0 c148aca4 01dba6c6 c148aca4 01dba6c6

c431a5e0 c148aca4 01dba6c6 00001000 00000000

c431a5f0 00000400 00000000 00000022 00000000

c431a600 00550110 00720073 006c0043 00730061

c431a610 002e0073 00610064 002e0074 004f004c

c431a620 00000047 00000000 0000276b 00010000

c431a630 005a0070 00000000 00002769 00010000

1: kd> dd 0xc431a400+38+60+68+20+20+80*2

c431a640 8fa333e8 01db06c8 c148aca4 01dba6c6

c431a650 c148aca4 01dba6c6 c148aca4 01dba6c6

c431a660 00001000 00000000 00000400 00000000

c431a670 00000022 00000000 0055020c 00520053

c431a680 004c0043 007e0041 002e0031 004f004c

c431a690 00000047 00000000 00000000 00000000

c431a6a0 00000010 00000002 ffffffff 11477982

c431a6b0 00000000 00000000 00000000 00000000

1: kd> dt _INDEX_ENTRY 0xc431a400+38+60+68+20+20

Ntfs!_INDEX_ENTRY

+0x000 FileReference : _MFT_SEGMENT_REFERENCE

+0x000 DataOffset : 0x276a

+0x002 DataLength : 0

+0x004 ReservedForZero : 0x10000

+0x008 Length : 0x70

+0x00a AttributeLength : 0x5a

+0x00c Flags : 0

+0x00e Reserved : 0

1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc431a540))

(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc431a540)) [Type: _MFT_SEGMENT_REFERENCE]

[+0x000] SegmentNumberLowPart : 0x276a [Type: unsigned long]

[+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]

[+0x006] SequenceNumber : 0x1 [Type: unsigned short]

1: kd> dt _INDEX_ENTRY 0xc431a400+38+60+68+20+20+70

Ntfs!_INDEX_ENTRY

+0x000 FileReference : _MFT_SEGMENT_REFERENCE

+0x000 DataOffset : 0x276b

+0x002 DataLength : 0

+0x004 ReservedForZero : 0x10000

+0x008 Length : 0x78

+0x00a AttributeLength : 0x62

+0x00c Flags : 0

+0x00e Reserved : 0

1: kd> dt _INDEX_ENTRY 0xc431a400+38+60+68+20+20+70+78

Ntfs!_INDEX_ENTRY

+0x000 FileReference : _MFT_SEGMENT_REFERENCE

+0x000 DataOffset : 0x276b

+0x002 DataLength : 0

+0x004 ReservedForZero : 0x10000

+0x008 Length : 0x70

+0x00a AttributeLength : 0x5a

+0x00c Flags : 0

+0x00e Reserved : 0

1: kd> dt _INDEX_ENTRY 0xc431a400+38+60+68+20+20+70+78+70

Ntfs!_INDEX_ENTRY

+0x000 FileReference : _MFT_SEGMENT_REFERENCE

+0x000 DataOffset : 0

+0x002 DataLength : 0

+0x004 ReservedForZero : 0

+0x008 Length : 0x10

+0x00a AttributeLength : 0

+0x00c Flags : 2

+0x00e Reserved : 0

1: kd> db 0xc431a400+38+60+68+20+20

c431a540 6a 27 00 00 00 00 01 00-70 00 5a 00 00 00 00 00 j'......p.Z.....

c431a550 69 27 00 00 00 00 01 00-8e d1 a0 8f c8 06 db 01 i'..............

c431a560 a4 ac 48 c1 c6 a6 db 01-fe ba e2 a8 c8 06 db 01 ..H.............

c431a570 a4 ac 48 c1 c6 a6 db 01-00 00 04 00 00 00 00 00 ..H.............

c431a580 00 00 04 00 00 00 00 00-22 00 00 00 00 00 00 00 ........".......

c431a590 0c 03 55 00 73 00 72 00-43 00 6c 00 61 00 73 00 ..U.s.r.C.l.a.s.

c431a5a0 73 00 2e 00 64 00 61 00-74 00 00 00 00 00 00 00 s...d.a.t.......

MFT reference number (8 bytes): 6a 27 00 00 00 00 01 00

Index entry size (2 bytes): 70 00

File name offset (2 bytes): 5a 00

Index flags (2 bytes): 00 00

Reserved (2 bytes): 00 00

Parent directory MFT reference number (8 bytes): 69 27 00 00 00 00 01 00

Creation time (8 bytes): 8e d1 a0 8f c8 06 db 01

Modification time (8 bytes): a4 ac 48 c1 c6 a6 db 01

Last change time (8 bytes): fe ba e2 a8 c8 06 db 01

Last access time (8 bytes): a4 ac 48 c1 c6 a6 db 01

Allocated size (8 bytes): 00 00 04 00 00 00 00 00

Actual size (8 bytes): 00 00 04 00 00 00 00 00

Flags (4 bytes): 22 00 00 00

ER (4 bytes): 00 00 00 00

File name length (1 byte): 0c

File name namespace type (1 byte): 03

File name:

c431a590 0c 03 55 00 73 00 72 00-43 00 6c 00 61 00 73 00 ..U.s.r.C.l.a.s.

c431a5a0 73 00 2e 00 64 00 61 00-74 00 s...d.a.t.......

1: kd> dt _file_name 0xc431a400+38+60+68+20+20+10

Ntfs!_FILE_NAME

+0x000 ParentDirectory : _MFT_SEGMENT_REFERENCE

+0x008 Info : _DUPLICATED_INFORMATION

+0x040 FileNameLength : 0xc ''

+0x041 Flags : 0x3 ''

+0x042 FileName : [1] 0x55

1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc431a592))

(*((Ntfs!unsigned short (*)[1])0xc431a592)) [Type: unsigned short [1]]

[0] : 0x55 [Type: unsigned short]

1: kd> db 0xc431a592

c431a592 55 00 73 00 72 00 43 00-6c 00 61 00 73 00 73 00 U.s.r.C.l.a.s.s.

c431a5a2 2e 00 64 00 61 00 74 00-00 00 00 00 00 00 6b 27 ..d.a.t.......k'

1: kd> db 0xc431a400+38+60+68+20+20+70

c431a5b0 6b 27 00 00 00 00 01 00-78 00 62 00 00 00 00 00 k'......x.b.....

c431a5c0 69 27 00 00 00 00 01 00-e8 33 a3 8f c8 06 db 01 i'.......3......

c431a5d0 a4 ac 48 c1 c6 a6 db 01-a4 ac 48 c1 c6 a6 db 01 ..H.......H.....

c431a5e0 a4 ac 48 c1 c6 a6 db 01-00 10 00 00 00 00 00 00 ..H.............

c431a5f0 00 04 00 00 00 00 00 00-22 00 00 00 00 00 00 00 ........".......

c431a600 10 01 55 00 73 00 72 00-43 00 6c 00 61 00 73 00 ..U.s.r.C.l.a.s.

c431a610 73 00 2e 00 64 00 61 00-74 00 2e 00 4c 00 4f 00 s...d.a.t...L.O.

c431a620 47 00 00 00 00 00 00 00-6b 27 00 00 00 00 01 00 G.......k'......

MFT reference number (8 bytes): 6b 27 00 00 00 00 01 00

Index entry size (2 bytes): 78 00

File name offset (2 bytes): 62 00

Index flags (2 bytes): 00 00

Reserved (2 bytes): 00 00

Parent directory MFT reference number (8 bytes): 69 27 00 00 00 00 01 00

Creation time (8 bytes): e8 33 a3 8f c8 06 db 01

Modification time (8 bytes): a4 ac 48 c1 c6 a6 db 01

Last change time (8 bytes): a4 ac 48 c1 c6 a6 db 01

Last access time (8 bytes): a4 ac 48 c1 c6 a6 db 01

Allocated size (8 bytes): 00 10 00 00 00 00 00 00

Actual size (8 bytes): 00 04 00 00 00 00 00 00

Flags (4 bytes): 22 00 00 00

ER (4 bytes): 00 00 00 00

File name length (1 byte): 10

File name namespace type (1 byte): 01

File name:

c431a600 10 01 55 00 73 00 72 00-43 00 6c 00 61 00 73 00 ..U.s.r.C.l.a.s.

c431a610 73 00 2e 00 64 00 61 00-74 00 2e 00 4c 00 4f 00 s...d.a.t...L.O.

c431a620 47 00 G.......k'......

1: kd> dt _file_name 0xc431a400+38+60+68+20+20+70+10

Ntfs!_FILE_NAME

+0x000 ParentDirectory : _MFT_SEGMENT_REFERENCE

+0x008 Info : _DUPLICATED_INFORMATION

+0x040 FileNameLength : 0x10 ''

+0x041 Flags : 0x1 ''

+0x042 FileName : [1] 0x55

1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc431a602))

(*((Ntfs!unsigned short (*)[1])0xc431a602)) [Type: unsigned short [1]]

[0] : 0x55 [Type: unsigned short]

1: kd> db 0xc431a602

c431a602 55 00 73 00 72 00 43 00-6c 00 61 00 73 00 73 00 U.s.r.C.l.a.s.s.

c431a612 2e 00 64 00 61 00 74 00-2e 00 4c 00 4f 00 47 00 ..d.a.t...L.O.G.

c431a622 00 00 00 00 00 00 6b 27-00 00 00 00 01 00 70 00 ......k'......p.

#define $UNUSED (0X0)

#define $STANDARD_INFORMATION (0x10)

#define $ATTRIBUTE_LIST (0x20)

#define $FILE_NAME (0x30)

#define $OBJECT_ID (0x40)

#define $SECURITY_DESCRIPTOR (0x50)

#define $VOLUME_NAME (0x60)

#define $VOLUME_INFORMATION (0x70)

#define $DATA (0x80)

#define $INDEX_ROOT (0x90)

#define $INDEX_ALLOCATION (0xA0)

#define $BITMAP (0xB0)

#define $REPARSE_POINT (0xC0)

#define $EA_INFORMATION (0xD0)

#define $EA (0xE0)

// #define $LOGGED_UTILITY_STREAM (0x100) // defined in ntfsexp.h

#define $FIRST_USER_DEFINED_ATTRIBUTE (0x1000)

#define $END (0xFFFFFFFF)

Part two:

BOOLEAN
FindNextIndexEntry (
    IN PIRP_CONTEXT IrpContext,
    IN PSCB Scb,
    IN PVOID Value,
    IN BOOLEAN ValueContainsWildcards,
    IN BOOLEAN IgnoreCase,
    IN OUT PINDEX_CONTEXT IndexContext,
    IN BOOLEAN NextFlag,
    OUT PBOOLEAN MustRestart OPTIONAL
    )
{
    /* ... (body elided on the page) ... */

    /* Advance the cursor to the entry that follows IndexEntry. */
    Sp->IndexEntry =
    IndexEntry = NtfsNextIndexEntry( IndexEntry );

    /* ... */
}

/* Step from one INDEX_ENTRY to the next: its Length field is the byte distance. */
#define NtfsNextIndexEntry(IE) ( \
    (PINDEX_ENTRY)((PCHAR)(IE) + (ULONG)(IE)->Length) \
)

/* Locate the first INDEX_ENTRY of an INDEX_HEADER via its FirstIndexEntry offset. */
#define NtfsFirstIndexEntry(IH) ( \
    (PINDEX_ENTRY)((PCHAR)(IH) + (IH)->FirstIndexEntry) \
)
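As an added example (not code from the original page or from the NTFS driver), the manual decode from part one automated in Python: it walks the $INDEX_ROOT attribute record the way NtfsFirstIndexEntry/NtfsNextIndexEntry do, using the bytes transcribed from the page's `db` output, and rejects an INDEX_ENTRY whose Length would run past FirstFreeByte. The field offsets are those shown by the `dt` output above; the hypothetical `parse_index_root` name and its tuple layout are this example's own.

```python
import struct

# The $INDEX_ROOT attribute record that the dump shows at 0xc431a500 (RecordLength
# 0x1a8), followed by the first 8 bytes of the $END record, transcribed from the
# page's `db` output. The comments give the offset from the start of the record.
INDEX_ROOT_ATTR = bytes.fromhex(
    "90000000a80100000004180000000100" "88010000200000002400490033003000"  # 0x000
    "30000000010000000010000001000000" "10000000780100007801000000000000"  # 0x020
    "6a2700000000010070005a0000000000" "69270000000001008ed1a08fc806db01"  # 0x040
    "a4ac48c1c6a6db01febae2a8c806db01" "a4ac48c1c6a6db010000040000000000"  # 0x060
    "00000400000000002200000000000000" "0c0355007300720043006c0061007300"  # 0x080
    "73002e00640061007400000000000000" "6b270000000001007800620000000000"  # 0x0a0
    "6927000000000100e833a38fc806db01" "a4ac48c1c6a6db01a4ac48c1c6a6db01"  # 0x0c0
    "a4ac48c1c6a6db010010000000000000" "00040000000000002200000000000000"  # 0x0e0
    "100155007300720043006c0061007300" "73002e006400610074002e004c004f00"  # 0x100
    "47000000000000006b27000000000100" "70005a00000000006927000000000100"  # 0x120
    "e833a38fc806db01a4ac48c1c6a6db01" "a4ac48c1c6a6db01a4ac48c1c6a6db01"  # 0x140
    "00100000000000000004000000000000" "22000000000000000c02550053005200"  # 0x160
    "43004c0041007e0031002e004c004f00" "47000000000000000000000000000000"  # 0x180
    "1000000002000000ffffffff82794711"                                      # 0x1a0
)

def parse_index_root(buf):
    """ATTRIBUTE_RECORD_HEADER -> INDEX_ROOT -> INDEX_HEADER -> INDEX_ENTRY chain.
    Returns (attr_name, [(mft_no, seq, parent_no, file_attrs, namespace, name), ...])."""
    type_code, rec_len, form, name_len, name_off = struct.unpack_from("<IIBBH", buf, 0)
    if type_code != 0x90 or form != 0:          # $INDEX_ROOT is always resident
        raise ValueError("not a resident $INDEX_ROOT attribute")
    attr_name = buf[name_off:name_off + 2 * name_len].decode("utf-16-le")  # "$I30"
    value_len, value_off = struct.unpack_from("<IH", buf, 0x10)  # resident Form fields
    hdr = value_off + 0x10               # INDEX_HEADER follows the 16-byte INDEX_ROOT
    first, free, avail = struct.unpack_from("<III", buf, hdr)
    if free > avail or value_off + value_len > rec_len:
        raise ValueError("index header lengths exceed the attribute record")
    pos, end, entries = hdr + first, hdr + free, []   # NtfsFirstIndexEntry(IH)
    while pos + 0x10 <= end:
        ref, length, _attr_len, flags = struct.unpack_from("<QHHH", buf, pos)
        if flags & 2:                    # INDEX_ENTRY_END: last entry, carries no FILE_NAME
            return attr_name, entries
        if length < 0x52 or pos + length > end:   # Length drives NtfsNextIndexEntry(IE)
            raise ValueError("corrupt INDEX_ENTRY Length at +%#x" % pos)
        fn = pos + 0x10                  # FILE_NAME starts right after the entry header
        parent, = struct.unpack_from("<Q", buf, fn)
        attrs, fn_len, ns = struct.unpack_from("<I4xBB", buf, fn + 0x38)
        if 0x52 + 2 * fn_len > length:   # the UTF-16 name must fit inside the entry
            raise ValueError("FileNameLength overruns INDEX_ENTRY at +%#x" % pos)
        fname = buf[fn + 0x42:fn + 0x42 + 2 * fn_len].decode("utf-16-le")
        entries.append((ref & 0xFFFFFFFFFFFF, ref >> 48, parent & 0xFFFFFFFFFFFF, attrs, ns, fname))
        pos += length
    raise ValueError("index ran past FirstFreeByte without an INDEX_ENTRY_END")
```

Running it on the dump yields the three names the page decodes by hand (UsrClass.dat, UsrClass.dat.LOG and the DOS alias USRCLA~1.LOG, all under parent record 0x2769), and the four bytes right after RecordLength are 0xffffffff, the $END marker seen in the last `dt`.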