根目录0xa0属性对应的Ntfs!_SCB中的FileObject是什么时候被建立的----NTFS源代码分析--重要

根目录0xa0属性对应的Ntfs!_SCB中的FileObject是什么时候被建立的

第一部分:

0: kd> g

Breakpoint 9 hit

Ntfs!ReadIndexBuffer:

f7173886 55 push ebp

0: kd> kc

00 Ntfs!ReadIndexBuffer

01 Ntfs!FindFirstIndexEntry

02 Ntfs!NtfsUpdateFileNameInIndex

03 Ntfs!NtfsUpdateDuplicateInfo

04 Ntfs!NtfsInitializeSecurity

05 Ntfs!NtfsInitializeSecurityFile

06 Ntfs!NtfsMountVolume

07 Ntfs!NtfsCommonFileSystemControl

08 Ntfs!NtfsFspDispatch

09 nt!ExpWorkerThread

0a nt!PspSystemThreadStartup

0b nt!KiThreadStartup

0: kd> dv

IrpContext = 0x89797aa8

Scb = 0xe1350658

IndexBlock = 0n0

Reread = 0x00 ''

Sp = 0xf78d6824

0: kd> dx -r1 ((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)

((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824) : 0xf78d6824 [Type: _INDEX_LOOKUP_STACK *]

[+0x000] Bcb : 0x0 [Type: void *]

[+0x004] StartOfBuffer : 0x0 [Type: void *]

[+0x008] IndexHeader : 0x0 [Type: _INDEX_HEADER *]

[+0x00c] IndexEntry : 0x0 [Type: _INDEX_ENTRY *]

[+0x010] IndexBlock : 0 [Type: __int64]

[+0x018] CapturedLsn : {0} [Type: _LARGE_INTEGER]

0: kd> dx -r1 ((Ntfs!_SCB *)0xe1350658)

((Ntfs!_SCB *)0xe1350658) : 0xe1350658 [Type: _SCB *]

[+0x000] Header [Type: _NTFS_ADVANCED_FCB_HEADER]

[+0x040] FcbLinks [Type: _LIST_ENTRY]

[+0x048] Fcb : 0xe1350590 [Type: _FCB *]

[+0x04c] Vcb : 0x8962e100 [Type: _VCB *]

[+0x050] ScbState : 0x480 [Type: unsigned long]

[+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]

[+0x058] CleanupCount : 0x0 [Type: unsigned long]

[+0x05c] CloseCount : 0x0 [Type: unsigned long]

[+0x060] ShareAccess [Type: _SHARE_ACCESS]

[+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]

[+0x080] AttributeName : "$I30" [Type: _UNICODE_STRING]

[+0x088] FileObject : 0x0 [Type: _FILE_OBJECT *]

[+0x08c] NonpagedScb : 0x89927288 [Type: _SCB_NONPAGED *]

[+0x090] Mcb [Type: _NTFS_MCB]

[+0x0a8] McbStructs [Type: NTFS_MCB_INITIAL_STRUCTS]

[+0x0f0] CompressionUnit : 0x0 [Type: unsigned long]

[+0x0f4] AttributeFlags : 0x0 [Type: unsigned short]

[+0x0f6] CompressionUnitShift : 0x0 [Type: unsigned char]

[+0x0f7] PadUchar : 0x0 [Type: unsigned char]

[+0x0f8] ValidDataToDisk : 0 [Type: __int64]

[+0x100] TotalAllocated : 0 [Type: __int64]

[+0x108] EofListHead [Type: _LIST_ENTRY]

[+0x110] CcbQueue [Type: _LIST_ENTRY]

[+0x118] ScbSnapshot : 0x0 [Type: _SCB_SNAPSHOT *]

[+0x11c] EncryptionContext : 0x0 [Type: void *]

[+0x120] EncryptionContextLength : 0x0 [Type: unsigned long]

[+0x124] ScbPersist : 0x0 [Type: unsigned long]

[+0x128] IoAtEofThread : 0x0 [Type: unsigned long *]

[+0x130] ScbType [Type: __unnamed]

第二部分:

// Excerpt from Ntfs!ReadIndexBuffer (the rest of the function is not shown).
// In the debugger dump above, the root directory's $I30 index Scb
// (AttributeTypeCode 0xa0) reaches ReadIndexBuffer during NtfsMountVolume
// with FileObject == 0x0, so the stream file object for the index is
// created lazily here, on the first read of the index buffer.
if (Scb->FileObject == NULL) {

// The trace in part three enters NtfsCreateInternalStreamCommon with
// UpdateScb = 1, CompressedStream = 0 and StreamName = "\$Directory";
// NtfsCreateInternalAttributeStream presumably forwards to it with
// TRUE as UpdateScb -- confirm against the wrapper/macro definition.
NtfsCreateInternalAttributeStream( IrpContext,

Scb,

TRUE,

&NtfsInternalUseFile[DIRECTORY_FILE_NUMBER] );

}

#define DIRECTORY_FILE_NUMBER (7) // $Directory: index into NtfsInternalUseFile (entry 7 is L"\\$Directory")

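/*
 * Stream names for NTFS's internal-use file objects.
 *
 * The ReadIndexBuffer excerpt above passes
 * &NtfsInternalUseFile[DIRECTORY_FILE_NUMBER] (entry 7, L"\\$Directory")
 * to NtfsCreateInternalAttributeStream when a directory index Scb has no
 * FileObject yet; the debugger trace shows that name arriving in
 * NtfsCreateInternalStreamCommon as StreamName "\$Directory".
 *
 * The element index is recorded as a comment on each entry -- a bare
 * number inside the initializer list is not valid C and would not compile.
 */
const UNICODE_STRING NtfsInternalUseFile[] = {
    CONSTANT_UNICODE_STRING( L"\\$ChangeAttributeValue" ),        /*  0 */
    CONSTANT_UNICODE_STRING( L"\\$ChangeAttributeValue2" ),       /*  1 */
    CONSTANT_UNICODE_STRING( L"\\$CommonCleanup" ),               /*  2 */
    CONSTANT_UNICODE_STRING( L"\\$ConvertToNonresident" ),        /*  3 */
    CONSTANT_UNICODE_STRING( L"\\$CreateNonresidentWithValue" ),  /*  4 */
    CONSTANT_UNICODE_STRING( L"\\$DeallocateRecord" ),            /*  5 */
    CONSTANT_UNICODE_STRING( L"\\$DeleteAllocationFromRecord" ),  /*  6 */
    CONSTANT_UNICODE_STRING( L"\\$Directory" ),                   /*  7 = DIRECTORY_FILE_NUMBER */
    CONSTANT_UNICODE_STRING( L"\\$InitializeRecordAllocation" ),  /*  8 */
    CONSTANT_UNICODE_STRING( L"\\$MapAttributeValue" ),           /*  9 */
    CONSTANT_UNICODE_STRING( L"\\$NonCachedIo" ),                 /* 10 */
    CONSTANT_UNICODE_STRING( L"\\$PerformHotFix" ),               /* 11 */
    CONSTANT_UNICODE_STRING( L"\\$PrepareToShrinkFileSize" ),     /* 12 */
    CONSTANT_UNICODE_STRING( L"\\$ReplaceAttribute" ),            /* 13 */
    CONSTANT_UNICODE_STRING( L"\\$ReplaceAttribute2" ),           /* 14 */
    CONSTANT_UNICODE_STRING( L"\\$SetAllocationInfo" ),           /* 15 */
    CONSTANT_UNICODE_STRING( L"\\$SetEndOfFileInfo" ),            /* 16 */
    CONSTANT_UNICODE_STRING( L"\\$ZeroRangeInStream" ),           /* 17 */
    CONSTANT_UNICODE_STRING( L"\\$ZeroRangeInStream2" ),          /* 18 */
    CONSTANT_UNICODE_STRING( L"\\$ZeroRangeInStream3" ),          /* 19 */
};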

第三部分:

0: kd> p

Ntfs!ReadIndexBuffer+0x72:

f71738f8 e8efda0300 call Ntfs!NtfsCreateInternalStreamCommon (f71b13ec)

0: kd> t

Ntfs!NtfsCreateInternalStreamCommon:

f71b13ec 6a34 push 34h

0: kd> kc

00 Ntfs!NtfsCreateInternalStreamCommon

01 Ntfs!ReadIndexBuffer

02 Ntfs!FindFirstIndexEntry

03 Ntfs!NtfsUpdateFileNameInIndex

04 Ntfs!NtfsUpdateDuplicateInfo

05 Ntfs!NtfsInitializeSecurity

06 Ntfs!NtfsInitializeSecurityFile

07 Ntfs!NtfsMountVolume

08 Ntfs!NtfsCommonFileSystemControl

09 Ntfs!NtfsFspDispatch

0a nt!ExpWorkerThread

0b nt!PspSystemThreadStartup

0c nt!KiThreadStartup

0: kd> dv

IrpContext = 0x89797aa8

Scb = 0xe1350658

UpdateScb = 0x01 ''

CompressedStream = 0x00 ''

StreamName = 0xf7161da0 "\$Directory"
