Ntfs!LfsQueryLastLsn函数分析

Ntfs!LfsQueryLastLsn函数分析

第一部分：

BaseLsn =

RestartArea.StartOfCheckpoint = LfsQueryLastLsn( Vcb->LogHandle );

NtfsReleaseRestartTable( &Vcb->TransactionTable );

第二部分：

1: kd> p

Ntfs!NtfsCheckpointVolume+0x3e6:

f71d832e e8ab0cfaff call Ntfs!LfsQueryLastLsn (f7178fde)

1: kd> p

Ntfs!NtfsCheckpointVolume+0x3eb:

f71d8333 8985e8fdffff mov dword ptr [ebp-218h],eax

1: kd> r

eax=080f0b0f

第三部分：

+0x064\] LogHandle : 0xe1293300 \[Type: void \*

Lch = (PLCH) LogHandle;

Lfcb = Lch->Lfcb;

1: kd> dt LCH 0xe1293300

Ntfs!LCH

+0x000 NodeTypeCode : 0n2049

+0x002 NodeByteSize : 0n40

+0x004 LchLinks : _LIST_ENTRY [ 0xe1351774 - 0xe1351774 ]

+0x00c Lfcb : 0xe1351768 _LFCB

+0x010 ClientId : _LFS_CLIENT_ID

+0x018 ClientUndoCommitment : 0n8488

+0x020 ClientArrayByteOffset : 0

+0x024 Sync : 0x897979c0 _LFCB_SYNC

1: kd> dt _LFCB 0xe1351768

Ntfs!_LFCB

+0x000 NodeTypeCode : 0n2051

+0x002 NodeByteSize : 0n352

+0x004 LfcbLinks : _LIST_ENTRY [ 0xf7169b84 - 0xf7169b84 ]

+0x00c LchLinks : _LIST_ENTRY [ 0xe1293304 - 0xe1293304 ]

+0x014 FileObject : 0x89469688 _FILE_OBJECT

+0x018 FileSize : 0n67108864

+0x020 LogPageSize : 0n4096

+0x028 LogPageMask : 0xfff

+0x02c LogPageInverseMask : 0n-4096

+0x030 LogPageShift : 0xc

+0x038 FirstLogPage : 0n16384

+0x040 NextLogPage : 0n7888896

+0x048 ReusePageOffset : 0xf98

+0x04c RestartDataOffset : 0x30

+0x050 LogPageDataOffset : 0n64

第四部分：

} else {

LastLsn = Lfcb->RestartArea->CurrentLsn;

}

1: kd> dt _LFCB 0xe1351768

Ntfs!_LFCB

+0x000 NodeTypeCode : 0n2051

+0x002 NodeByteSize : 0n352

+0x004 LfcbLinks : _LIST_ENTRY [ 0xf7169b84 - 0xf7169b84 ]

+0x00c LchLinks : _LIST_ENTRY [ 0xe1293304 - 0xe1293304 ]

+0x014 FileObject : 0x89469688 _FILE_OBJECT

+0x018 FileSize : 0n67108864

+0x020 LogPageSize : 0n4096

+0x028 LogPageMask : 0xfff

+0x02c LogPageInverseMask : 0n-4096

+0x030 LogPageShift : 0xc

+0x038 FirstLogPage : 0n16384

+0x040 NextLogPage : 0n7888896

+0x048 ReusePageOffset : 0xf98

+0x04c RestartDataOffset : 0x30

+0x050 LogPageDataOffset : 0n64

+0x058 RestartDataSize : 0xfd0

+0x060 LogPageDataSize : 0n4032

+0x068 RecordHeaderLength : 0x30

+0x070 SeqNumber : 0n8

+0x078 SeqNumberForWrap : 0n9

+0x080 SeqNumberBits : 0x28

+0x084 FileDataBits : 0x18

+0x088 LbcbWorkque : _LIST_ENTRY [ 0xe128e9f4 - 0xe1368a8c ]

+0x090 LbcbActive : _LIST_ENTRY [ 0xe1368a94 - 0xe1368a94 ]

+0x098 ActiveTail : 0xe1291c20 _LBCB

+0x09c PrevTail : 0xe1347398 _LBCB

+0x0a0 RestartArea : 0xe1351680 _LFS_RESTART_AREA

+0x0a4 ClientArray : 0xe13516c0 _LFS_CLIENT_RECORD

1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_LFS_RESTART_AREA *)0xe1351680)

((Ntfs!_LFS_RESTART_AREA *)0xe1351680) : 0xe1351680 [Type: _LFS_RESTART_AREA *]

+0x000\] CurrentLsn : {135203599} \[Type: _LARGE_INTEGER

+0x008\] LogClients : 0x1 \[Type: unsigned short

+0x00a\] ClientFreeList : 0xffff \[Type: unsigned short

+0x00c\] ClientInUseList : 0x0 \[Type: unsigned short

+0x00e\] Flags : 0x0 \[Type: unsigned short

+0x010\] SeqNumberBits : 0x28 \[Type: unsigned long

+0x014\] RestartAreaLength : 0xe0 \[Type: unsigned short

+0x016\] ClientArrayOffset : 0x40 \[Type: unsigned short

+0x018\] FileSize : 67108864 \[Type: __int64

+0x020\] LastLsnDataLength : 0x28 \[Type: unsigned long

+0x024\] RecordHeaderLength : 0x30 \[Type: unsigned short

+0x026\] LogPageDataOffset : 0x40 \[Type: unsigned short

+0x028\] RestartOpenLogCount : 0x85e12258 \[Type: unsigned long

+0x02c\] LastFailedFlushStatus : 0x0 \[Type: unsigned long

+0x030\] LastFailedFlushOffset : 0 \[Type: __int64

+0x038\] LastFailedFlushLsn : {0} \[Type: _LARGE_INTEGER

+0x040\] LogClientArray \[Type: _LFS_CLIENT_RECORD \[1\]

1: kd> ?0n135203599

Evaluate expression: 135203599 = 080f0b0f