第一部分:
VOID
FindFirstIndexEntry (
IN PIRP_CONTEXT IrpContext,
IN PSCB Scb,
IN PVOID Value,
IN OUT PINDEX_CONTEXT IndexContext
)
{
。。。。。。
//
// Lookup the attribute record from the Scb.
//
if (!NtfsLookupAttributeByName( IrpContext,
Scb->Fcb,
&Scb->Fcb->FileReference,
$INDEX_ROOT,
&Scb->AttributeName,
NULL,
FALSE,
&IndexContext->AttributeContext )) {
第二部分:
0: kd> p
Ntfs!FindFirstIndexEntry+0x68:
f71740d2 84c0 test al,al
0: kd> dv
IrpContext = 0xf793291c
Scb = 0xe1363d20
Value = 0xe13559b0
IndexContext = 0xe1352348
Attribute = 0x00000000
IndexRoot = 0xe1352348
Sp = 0xe1363d20
0: kd> dx -r1 ((Ntfs!_SCB *)0xe1363d20)
((Ntfs!_SCB *)0xe1363d20) : 0xe1363d20 [Type: _SCB *]
[+0x000] Header [Type: _NTFS_ADVANCED_FCB_HEADER]
[+0x040] FcbLinks [Type: _LIST_ENTRY]
[+0x048] Fcb : 0xe1363c58 [Type: _FCB *]
[+0x04c] Vcb : 0x895d5100 [Type: _VCB *]
[+0x050] ScbState : 0x100006a0 [Type: unsigned long]
[+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]
[+0x058] CleanupCount : 0x1 [Type: unsigned long]
[+0x05c] CloseCount : 0x2 [Type: unsigned long]
[+0x060] ShareAccess [Type: _SHARE_ACCESS]
[+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]
[+0x080] **AttributeName : "$I30"** [Type: _UNICODE_STRING]
[+0x088] FileObject : 0x8962b128 [Type: _FILE_OBJECT *]
[+0x08c] NonpagedScb : 0x89954e60 [Type: _SCB_NONPAGED *]
[+0x090] Mcb [Type: _NTFS_MCB]
[+0x0a8] McbStructs [Type: NTFS_MCB_INITIAL_STRUCTS]
[+0x0f0] CompressionUnit : 0x0 [Type: unsigned long]
[+0x0f4] AttributeFlags : 0x0 [Type: unsigned short]
[+0x0f6] CompressionUnitShift : 0x0 [Type: unsigned char]
[+0x0f7] PadUchar : 0x0 [Type: unsigned char]
[+0x0f8] ValidDataToDisk : 0 [Type: __int64]
[+0x100] TotalAllocated : 8192 [Type: __int64]
[+0x108] EofListHead [Type: _LIST_ENTRY]
[+0x110] CcbQueue [Type: _LIST_ENTRY]
[+0x118] ScbSnapshot : 0x0 [Type: _SCB_SNAPSHOT *]
[+0x11c] EncryptionContext : 0x0 [Type: void *]
[+0x120] EncryptionContextLength : 0x0 [Type: unsigned long]
[+0x124] ScbPersist : 0x0 [Type: unsigned long]
[+0x128] IoAtEofThread : 0x0 [Type: unsigned long *]
[+0x130] ScbType [Type: __unnamed]
第三部分:
BOOLEAN
NtfsFindInFileRecord (
IN PIRP_CONTEXT IrpContext,
IN PATTRIBUTE_RECORD_HEADER Attribute,
OUT PATTRIBUTE_RECORD_HEADER *ReturnAttribute,
IN ATTRIBUTE_TYPE_CODE QueriedTypeCode,
IN PCUNICODE_STRING QueriedName OPTIONAL,
IN BOOLEAN IgnoreCase,
IN PVOID QueriedValue OPTIONAL,
IN ULONG QueriedValueLength
)
{
while ( TRUE ) {
。。。。。。
NtfsInitializeStringFromAttribute( &AttributeName,Attribute);
//
// See if we have a name match.
//
if (NtfsAreNamesEqual( UpcaseTable,
&AttributeName,
QueriedName,
IgnoreCase )) {
break;
}
return TRUE;
}
第四部分:
NtfsInitializeStringFromAttribute( &AttributeName, Attribute );
//
// Fills in the counted string NAME (Length, MaximumLength, Buffer) from the
// NameLength and NameOffset fields of the attribute record ATTRIBUTE.
//
//   Length        = NameLength << 1. NameLength is presumably a count of
//                   16-bit characters, doubled to give bytes - confirm.
//   MaximumLength = Length, so the string has no spare capacity.
//   Buffer        = Add2Ptr(ATTRIBUTE, NameOffset). Add2Ptr is defined
//                   elsewhere; presumably it adds a byte offset to a pointer,
//                   in which case Buffer points into the attribute record
//                   itself and no copy of the name is made - confirm.
//
// NOTE(review): the macro does no bounds checking. NameOffset and NameLength
// are taken from the attribute record as-is, so if the record can come from
// disk without prior validation, Buffer and Length may describe memory past
// the end of the record (NameOffset + Length greater than RecordLength).
// Presumably callers rely on the record having been validated earlier -
// confirm that before using the resulting string.
//
// NOTE(review): this expands to a bare brace block and names NAME and
// ATTRIBUTE more than once, so arguments with side effects are evaluated
// repeatedly, and "MACRO(...);" directly before an "else" will not compile.
//
#define NtfsInitializeStringFromAttribute(NAME,ATTRIBUTE) { \
(NAME)->Length = (USHORT)(ATTRIBUTE)->NameLength << 1; \
(NAME)->MaximumLength = (NAME)->Length; \
(NAME)->Buffer = (PWSTR)Add2Ptr((ATTRIBUTE), (ATTRIBUTE)->NameOffset); \
}
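(NAME)->Buffer (ATTRIBUTE)->NameLength +0x009 NameLength : 0x4 ''
(NAME)->Buffer (ATTRIBUTE)->NameOffset +0x00a NameOffset : 0x18
代入上面的值:(NAME)->Length = 0x4 << 1 = 8 字节,(NAME)->Buffer = 属性记录地址 + 0x18。该名字不以 NUL 结尾,只由 Length 界定,所以下面 db 输出中只有前 8 个字节(24 00 49 00 33 00 30 00,即 UTF-16 的 "$I30")是属性名,其后的字节不属于名字。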
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28+48
+0x000 TypeCode : 0x90
+0x004 RecordLength : 0xe0
+0x008 FormCode : 0 ''
+0x009 NameLength : 0x4 ''
+0x00a NameOffset : 0x18
+0x00c Flags : 0
+0x00e Instance : 6
+0x010 Form : __unnamed
0: kd> db 0xc1241438+48+60+28+48**+18**
c1241568 24 00 49 00 33 00 30 00-30 00 00 00 01 00 00 00 $.I.3.0.0.......
第五部分:
0: kd> p
Ntfs!NtfsFindInFileRecord+0x92:
f7171ac2 384d1c cmp byte ptr [ebp+1Ch],cl
0: kd> dv
IrpContext = 0xf793291c
Attribute = 0xc1241438
0: kd> dx -r1 ((Ntfs!_ATTRIBUTE_RECORD_HEADER *)0xc1241438)
((Ntfs!_ATTRIBUTE_RECORD_HEADER *)0xc1241438) : 0xc1241438 [Type: _ATTRIBUTE_RECORD_HEADER *]
[+0x000] TypeCode : 0x10 [Type: unsigned long]
[+0x004] RecordLength : 0x48 [Type: unsigned long]
[+0x008] FormCode : 0x0 [Type: unsigned char]
[+0x009] NameLength : 0x0 [Type: unsigned char]
[+0x00a] NameOffset : 0x18 [Type: unsigned short]
[+0x00c] Flags : 0x0 [Type: unsigned short]
[+0x00e] Instance : 0x0 [Type: unsigned short]
[+0x010] Form [Type: __unnamed]
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438
+0x000 TypeCode : 0x10
+0x004 RecordLength : 0x48
+0x008 FormCode : 0 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0x18
+0x00c Flags : 0
+0x00e Instance : 0
+0x010 Form : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48
+0x000 TypeCode : 0x30
+0x004 RecordLength : 0x60
+0x008 FormCode : 0 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0x18
+0x00c Flags : 0
+0x00e Instance : 1
+0x010 Form : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60
+0x000 TypeCode : 0x40
+0x004 RecordLength : 0x28
+0x008 FormCode : 0 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0
+0x00c Flags : 0
+0x00e Instance : 9
+0x010 Form : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28
+0x000 TypeCode : 0x50
+0x004 RecordLength : 0x48
+0x008 FormCode : 0x1 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0x40
+0x00c Flags : 0
+0x00e Instance : 2
+0x010 Form : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28+48
+0x000 TypeCode : 0x90
+0x004 RecordLength : 0xe0
+0x008 FormCode : 0 ''
+0x009 NameLength : 0x4 ''
+0x00a NameOffset : 0x18
+0x00c Flags : 0
+0x00e Instance : 6
+0x010 Form : __unnamed