Analysis of the nt!CcGetDirtyPages function

Part 1:

1: kd> t

Breakpoint 31 hit

nt!CcGetDirtyPages:

80a15bbe 6a48 push 48h

1: kd> kc

00 nt!CcGetDirtyPages

01 Ntfs!NtfsCheckpointVolume

02 Ntfs!NtfsCheckpointAllVolumes

03 nt!ExpWorkerThread

04 nt!PspSystemThreadStartup

05 nt!KiThreadStartup

1: kd> dv

LogHandle = 0xe1293300

DirtyPageRoutine = 0xf71451f2

Context1 = 0xf78d2c28

Context2 = 0xf78d2aa4

SavedNewestLsn = {0}

SavedFileOffset = {0}

Part 2:

1: kd> x nt!CcDirtySharedCacheMapList

80b1cbc0 nt!CcDirtySharedCacheMapList = struct _SHARED_CACHE_MAP_LIST_CURSOR

1: kd> dx -r1 (*((ntkrnlmp!_SHARED_CACHE_MAP_LIST_CURSOR *)0x80b1cbc0))

(*((ntkrnlmp!_SHARED_CACHE_MAP_LIST_CURSOR *)0x80b1cbc0)) [Type: _SHARED_CACHE_MAP_LIST_CURSOR]

[+0x000] SharedCacheMapLinks [Type: _LIST_ENTRY]

[+0x008] Flags : 0x800 [Type: unsigned long]

1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cbc0))

(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cbc0)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x80b1cbb0 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x894d006c [Type: _LIST_ENTRY *]

1: kd> dd 0x80b1cbb0

80b1cbb0 89455cfc

1: kd> dd 89455cfc-64

89455c98 013002ff 00000001 00002000 00000000

89455ca8 89486bb8 89469228 00100000 00000000

89455cb8 ffffffff 7fffffff ffffffff 7fffffff

1: kd> dt SHARED_CACHE_MAP 89455cfc-64

nt!SHARED_CACHE_MAP

+0x000 NodeTypeCode : 0n767

+0x002 NodeByteSize : 0n304

+0x004 OpenCount : 1

+0x008 FileSize : _LARGE_INTEGER 0x2000

+0x010 BcbList : _LIST_ENTRY [ 0x89486bb8 - 0x89469228 ]

+0x018 SectionSize : _LARGE_INTEGER 0x100000

+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff

+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff

+0x030 InitialVacbs : [4] 0x899880d8 _VACB

+0x040 Vacbs : 0x89455cc8 -> 0x899880d8 _VACB

+0x044 FileObject : 0x89455df0 _FILE_OBJECT

+0x048 ActiveVacb : (null)

+0x04c NeedToZero : (null)

+0x050 ActivePage : 0

+0x054 NeedToZeroPage : 0

+0x058 ActiveVacbSpinLock : 0

+0x05c VacbActiveCount : 0

+0x060 DirtyPages : 2

+0x064 SharedCacheMapLinks : _LIST_ENTRY [ 0x895d580c - 0x80b1cbb0 ]

1: kd> dt _vacb 0x899880d8

nt!_VACB

+0x000 BaseAddress : 0xc14c0000 Void

+0x004 SharedCacheMap : 0x89455c98 _SHARED_CACHE_MAP

+0x008 Overlay : __unnamed

+0x010 LruList : _LIST_ENTRY [ 0x89988178 - 0x899883a0 ]

Part 3:

[+0x010] BcbList [Type: _LIST_ENTRY]

1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x89455ca8))

(*((ntkrnlmp!_LIST_ENTRY *)0x89455ca8)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x89486bb8 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x89469228 [Type: _LIST_ENTRY *]

1: kd> dt _bcb 0x89486bb8-10

nt!_BCB

+0x000 Dummy : _MBCB

+0x000 NodeTypeCode : 0n765 (= 000002fd; #define CACHE_NTC_BCB (0x2FD))

+0x002 Dirty : 0x1 ''

+0x003 Reserved : 0 ''

+0x004 ByteLength : 0x1000

+0x008 FileOffset : _LARGE_INTEGER 0x1000

+0x010 BcbLinks : _LIST_ENTRY [ 0x89469228 - 0x89455ca8 ]

+0x018 BeyondLastByte : _LARGE_INTEGER 0x2000

+0x020 OldestLsn : _LARGE_INTEGER 0x80ee35b

+0x028 NewestLsn : _LARGE_INTEGER 0x80ef490

+0x030 Vacb : (null)

+0x034 PinCount : 0

+0x038 Resource : _ERESOURCE

+0x070 SharedCacheMap : 0x89455c98 _SHARED_CACHE_MAP

+0x074 BaseAddress : (null)

1: kd> ?0n765

Evaluate expression: 765 = 000002fd

Part 4:

if ((Bcb->NodeTypeCode == CACHE_NTC_BCB) && Bcb->Dirty) {

    SavedFileOffset = Bcb->FileOffset;
    SavedByteLength = Bcb->ByteLength;
    SavedOldestLsn = Bcb->OldestLsn;
    SavedNewestLsn = Bcb->NewestLsn;

    //
    // Increment PinCount so the Bcb sticks around
    //

    Bcb->PinCount += 1;

1: kd> dt _bcb 0x89486bb8-10

nt!_BCB

+0x000 Dummy : _MBCB

+0x000 NodeTypeCode : 0n765

+0x002 Dirty : 0x1 ''

+0x003 Reserved : 0 ''

+0x004 ByteLength : 0x1000

+0x008 FileOffset : _LARGE_INTEGER 0x1000

+0x010 BcbLinks : _LIST_ENTRY [ 0x89469228 - 0x89455ca8 ]

+0x018 BeyondLastByte : _LARGE_INTEGER 0x2000

+0x020 OldestLsn : _LARGE_INTEGER 0x80ee35b

+0x028 NewestLsn : _LARGE_INTEGER 0x80ef490

+0x030 Vacb : (null)

+0x034 PinCount : 0

+0x038 Resource : _ERESOURCE

+0x070 SharedCacheMap : 0x89455c98 _SHARED_CACHE_MAP

+0x074 BaseAddress : (null)
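The walk traced in Parts 2 to 4 (CcDirtySharedCacheMapList -> SharedCacheMapLinks at +0x64 of the SHARED_CACHE_MAP -> BcbList -> BcbLinks at +0x10 of the BCB, then the NodeTypeCode/Dirty test) as an added user-mode model; this is not Windows code, the structures keep only the fields the walk touches, and the sample list contents, including the 0x2FE type code for the non-BCB node, are constructed for illustration:

```c
#include <stddef.h>
#include <stdint.h>
/* Models of the structures in the dumps above; kernel field names, constructed for illustration. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CACHE_NTC_BCB 0x2FD
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

typedef struct _BCB {
    uint16_t NodeTypeCode;    /* 0x2FD marks a BCB; other codes (e.g. an MBCB) are skipped */
    uint8_t  Dirty, Reserved; uint32_t ByteLength; int64_t FileOffset;
    LIST_ENTRY BcbLinks;      /* what SHARED_CACHE_MAP.BcbList links: 0x10 into the BCB */
    int64_t  OldestLsn, NewestLsn; uint32_t PinCount;
} BCB;
/* CcDirtySharedCacheMapList links SharedCacheMapLinks, not the start of the map. */
typedef struct _SHARED_CACHE_MAP { LIST_ENTRY BcbList, SharedCacheMapLinks; } SHARED_CACHE_MAP;

static void InsertTail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head; e->Blink = head->Blink; head->Blink->Flink = e; head->Blink = e;
}

/* Same selection as the Part 4 fragment: for each dirty map visit its BCBs, keep only real
   dirty BCBs, pin them and record the newest LSN. Returns how many BCBs were selected. */
int WalkDirtyBcbs(LIST_ENTRY *dirtyMaps, int64_t *newestLsn) {
    int n = 0;
    for (LIST_ENTRY *m = dirtyMaps->Flink; m != dirtyMaps; m = m->Flink) {
        SHARED_CACHE_MAP *scm = CONTAINING_RECORD(m, SHARED_CACHE_MAP, SharedCacheMapLinks);
        for (LIST_ENTRY *b = scm->BcbList.Flink; b != &scm->BcbList; b = b->Flink) {
            BCB *bcb = CONTAINING_RECORD(b, BCB, BcbLinks);
            if (bcb->NodeTypeCode != CACHE_NTC_BCB || !bcb->Dirty) continue;
            bcb->PinCount += 1;                       /* keep the Bcb around */
            if (bcb->NewestLsn > *newestLsn) *newestLsn = bcb->NewestLsn;
            n++;
        }
    }
    return n;
}

/* Constructed sample: one map holding the dirty BCB from the dump, a clean BCB and a node
   with a placeholder non-BCB type code. Returns the count; newest LSN via the out-param. */
int DemoDirtyWalk(int64_t *newestLsn) {
    static LIST_ENTRY dirtyMaps; static SHARED_CACHE_MAP scm; static BCB dirty, clean, other;
    dirtyMaps.Flink = dirtyMaps.Blink = &dirtyMaps;
    scm.BcbList.Flink = scm.BcbList.Blink = &scm.BcbList;
    dirty = (BCB){CACHE_NTC_BCB, 1, 0, 0x1000, 0x1000, {0}, 0x80ee35b, 0x80ef490, 0};
    clean = (BCB){CACHE_NTC_BCB, 0, 0, 0x1000, 0x2000, {0}, 0, 0, 0};
    other = (BCB){0x2FE, 1, 0, 0, 0, {0}, 0, 0, 0};
    InsertTail(&scm.BcbList, &dirty.BcbLinks); InsertTail(&scm.BcbList, &clean.BcbLinks);
    InsertTail(&scm.BcbList, &other.BcbLinks); InsertTail(&dirtyMaps, &scm.SharedCacheMapLinks);
    *newestLsn = 0; return WalkDirtyBcbs(&dirtyMaps, newestLsn);
}
int64_t DemoNewestLsn(void) { int64_t l; DemoDirtyWalk(&l); return l; }
```

Only the BCB with NodeTypeCode 0x2FD and Dirty set is selected, which is why the dump's `dt _bcb` must be taken at Flink-0x10 and not at the list entry itself.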