Ntfs!LfsReadRestart函数和Ntfs!_LFCB->LogHeadBuffer的关系

第0部分：

// Remember this log file in the Lfcb.

ThisLfcb->FileObject = LogFile;

SetFlag( ThisLfcb->Flags,

(LFCB_READ_FIRST_RESTART |

LFCB_READ_SECOND_RESTART) );

if (LfsInfo->ReadOnly) {

SetFlag( ThisLfcb->Flags, LFCB_READ_ONLY );

}

// Look for a restart area on the disk.

if (!LfsInfo->BadRestart &&

LfsReadRestart( ThisLfcb,

FileSize,

TRUE,

&FirstRestartOffset,

&FirstRestartPage,

&FirstRestartPageBcb,

&FirstChkdskWasRun,

&FirstValidPage,

&UninitializedFile,

&FirstLogPacked,

&FirstRestartLastLsn )) {

第一部分：

1: kd> g

Breakpoint 2 hit

Ntfs!LfsReadRestart:

f7193f74 6a30 push 30h

1: kd> kc

00 Ntfs!LfsReadRestart

01 Ntfs!LfsRestartLogFile

02 Ntfs!LfsOpenLogFile

03 Ntfs!NtfsStartLogFile

04 Ntfs!NtfsMountVolume

05 Ntfs!NtfsCommonFileSystemControl

06 Ntfs!NtfsFspDispatch

07 nt!ExpWorkerThread

08 nt!PspSystemThreadStartup

09 nt!KiThreadStartup

1: kd> kv

ChildEBP RetAddr Args to Child

00 f78d2920 f71fc6e6 e1364008 04000000 00000000 Ntfs!LfsReadRestart (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\lfs\cachesup.c @ 1406]

01 f78d2a08 f71fcecb 89811f90 00000001 00001000 Ntfs!LfsRestartLogFile+0x120 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\lfs\registry.c @ 1439]

02 f78d2a80 f7193f12 89811f90 000a0008 f7193e48 Ntfs!LfsOpenLogFile+0xbd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\lfs\registry.c @ 287]

03 f78d2acc f719279e 894d1a08 895cf100 89598660 Ntfs!NtfsStartLogFile+0xc0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\logsup.c @ 3632]

04 f78d2cec f717c5aa 895d0850 89598660 895d0850 Ntfs!NtfsMountVolume+0xbba (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 1900]

05 f78d2d04 f71484b0 895d0850 89598660 8999e3a0 Ntfs!NtfsCommonFileSystemControl+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 837]

06 f78d2d80 80af2bb9 895d0850 00000000 8999e3a0 Ntfs!NtfsFspDispatch+0x1fe (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fspdisp.c @ 336]

07 f78d2dac 80d391f0 895d0850 00000000 00000000 nt!ExpWorkerThread+0x10f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\worker.c @ 1153]

08 f78d2ddc 80b00d52 80af2aaa 00000000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]

09 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]

1: kd> dv

Lfcb = 0xe1364008

FileSize = 0n67108864

FirstRestart = 0x01 ''

第二部分：

1: kd> dx -r1 ((Ntfs!_LFCB *)0xe1364008)

((Ntfs!_LFCB *)0xe1364008) : 0xe1364008 [Type: _LFCB *]

+0x000\] NodeTypeCode : 2051 \[Type: short

+0x002\] NodeByteSize : 352 \[Type: short

+0x004\] LfcbLinks \[Type: _LIST_ENTRY

+0x00c\] LchLinks \[Type: _LIST_ENTRY

+0x014\] FileObject : 0x89811f90 \[Type: _FILE_OBJECT \*

+0x018\] FileSize : 67108864 \[Type: __int64

+0x020\] LogPageSize : 0 \[Type: __int64

+0x028\] LogPageMask : 0x0 \[Type: unsigned long

+0x02c\] LogPageInverseMask : 0 \[Type: long

+0x030\] LogPageShift : 0x0 \[Type: unsigned long

+0x038\] FirstLogPage : 0 \[Type: __int64

+0x040\] NextLogPage : 0 \[Type: __int64

+0x048\] ReusePageOffset : 0x0 \[Type: unsigned long

+0x04c\] RestartDataOffset : 0x0 \[Type: unsigned long

+0x050\] LogPageDataOffset : 0 \[Type: __int64

+0x058\] RestartDataSize : 0x0 \[Type: unsigned long

+0x060\] LogPageDataSize : 0 \[Type: __int64

+0x068\] RecordHeaderLength : 0x0 \[Type: unsigned short

+0x070\] SeqNumber : 0 \[Type: __int64

+0x078\] SeqNumberForWrap : 0 \[Type: __int64

+0x080\] SeqNumberBits : 0x0 \[Type: unsigned long

+0x084\] FileDataBits : 0x0 \[Type: unsigned long

+0x088\] LbcbWorkque \[Type: _LIST_ENTRY

+0x090\] LbcbActive \[Type: _LIST_ENTRY

+0x098\] ActiveTail : 0x0 \[Type: _LBCB \*

+0x09c\] PrevTail : 0x0 \[Type: _LBCB \*

+0x0a0\] RestartArea : 0x0 \[Type: _LFS_RESTART_AREA \*

+0x0a4\] ClientArray : 0x0 \[Type: _LFS_CLIENT_RECORD \*

+0x0a8\] ClientArrayOffset : 0x0 \[Type: unsigned short

+0x0aa\] ClientNameOffset : 0x0 \[Type: unsigned short

+0x0ac\] RestartAreaSize : 0x0 \[Type: unsigned long

+0x0b0\] LogClients : 0x0 \[Type: unsigned short

+0x0b2\] InitialRestartArea : 0x0 \[Type: unsigned char

+0x0b8\] OldestLsn : {0} \[Type: _LARGE_INTEGER

+0x0c0\] OldestLsnOffset : 0 \[Type: __int64

+0x0c8\] LastFlushedLsn : {0} \[Type: _LARGE_INTEGER

+0x0d0\] LastFlushedRestartLsn : {0} \[Type: _LARGE_INTEGER

+0x0d8\] TotalAvailable : 0 \[Type: __int64

+0x0e0\] TotalAvailInPages : 0 \[Type: __int64

+0x0e8\] TotalUndoCommitment : 0 \[Type: __int64

+0x0f0\] MaxCurrentAvail : 0 \[Type: __int64

+0x0f8\] CurrentAvailable : 0 \[Type: __int64

+0x100\] ReservedLogPageSize : 0 \[Type: __int64

+0x108\] RestartUsaOffset : 0x0 \[Type: unsigned short

+0x10a\] UsaArraySize : 0x0 \[Type: unsigned short

+0x10c\] LogRecordUsaOffset : 0x0 \[Type: unsigned short

+0x10e\] MajorVersion : 0 \[Type: short

+0x110\] MinorVersion : 0 \[Type: short

+0x114\] Flags : 0x300 \[Type: unsigned long\] \[+0x114\] Flags : 0x300 \[+0x118\] SpareLbcbCount : 0x5 \[Type: unsigned long

+0x11c\] SpareLbcbList \[Type: _LIST_ENTRY

+0x124\] SpareLebCount : 0x5 \[Type: unsigned long

+0x128\] SpareLebList \[Type: _LIST_ENTRY

+0x130\] Sync : 0x8955b210 \[Type: _LFCB_SYNC \*

+0x134\] Waiters : 0x0 \[Type: unsigned long

+0x138\] WaiterList \[Type: _LIST_ENTRY

+0x140\] CurrentOpenLogCount : 0x0 \[Type: unsigned long

+0x144\] UserWriteData : 0x0 \[Type: _LFS_WRITE_DATA \*

+0x148\] LfsIoThread : 0x0 \[Type: unsigned long

+0x14c\] LogHeadMdl : 0x0 \[Type: _MDL \*

+0x150\] LogHeadPartialMdl : 0x0 \[Type: _MDL \*

+0x154\] LogHeadBuffer : 0x0 \[Type: void \*

+0x158\] ErrorLogPacket : 0x0 \[Type: _IO_ERROR_LOG_PACKET \*

+0x15c\] LfsRestartBias : 0x1 \[Type: unsigned long

+0x160\] DirtyLbcb \[Type: _LBCB \* \[0\]

1: kd> dx -r1 ((Ntfs!_FILE_OBJECT *)0x89811f90)

((Ntfs!_FILE_OBJECT *)0x89811f90) : 0x89811f90 [Type: _FILE_OBJECT *]

+0x000\] Type : 5 \[Type: short

+0x002\] Size : 112 \[Type: short

+0x004\] DeviceObject : 0x89618718 : Device for "\\Driver\\Ftdisk" \[Type: _DEVICE_OBJECT \*

+0x008\] Vpb : 0x89909178 \[Type: _VPB \*

+0x00c\] FsContext : 0x894d1a08 \[Type: void \*

+0x010\] FsContext2 : 0x0 \[Type: void \*

+0x014\] SectionObjectPointer : 0x89954e3c \[Type: _SECTION_OBJECT_POINTERS \*

+0x018\] PrivateCacheMap : 0x89811f10 \[Type: void \*

+0x01c\] FinalStatus : 0 \[Type: long

+0x020\] RelatedFileObject : 0x0 \[Type: _FILE_OBJECT \*

+0x024\] LockOperation : 0x0 \[Type: unsigned char

+0x025\] DeletePending : 0x0 \[Type: unsigned char

+0x026\] ReadAccess : 0x1 \[Type: unsigned char

+0x027\] WriteAccess : 0x1 \[Type: unsigned char

+0x028\] DeleteAccess : 0x1 \[Type: unsigned char

+0x029\] SharedRead : 0x0 \[Type: unsigned char

+0x02a\] SharedWrite : 0x0 \[Type: unsigned char

+0x02b\] SharedDelete : 0x0 \[Type: unsigned char

+0x02c\] Flags : 0x40100 \[Type: unsigned long

+0x030\] FileName : "\\$LogFile" \[Type: _UNICODE_STRING\] \[+0x030\] FileName : "\\$LogFile" \[+0x038\] CurrentByteOffset : {0} \[Type: _LARGE_INTEGER

+0x040\] Waiters : 0x0 \[Type: unsigned long

+0x044\] Busy : 0x0 \[Type: unsigned long

+0x048\] LastLock : 0x0 \[Type: void \*

+0x04c\] Lock \[Type: _KEVENT

+0x05c\] Event \[Type: _KEVENT

+0x06c\] CompletionContext : 0x0 \[Type: _IO_COMPLETION_CONTEXT \*

1: kd> dx -r1 ((Ntfs!_SECTION_OBJECT_POINTERS *)0x89954e3c)

((Ntfs!_SECTION_OBJECT_POINTERS *)0x89954e3c) : 0x89954e3c [Type: _SECTION_OBJECT_POINTERS *]

+0x000\] DataSectionObject : 0x89458210 \[Type: void \*

+0x004\] SharedCacheMap : 0x89811e38 \[Type: void \*

+0x008\] ImageSectionObject : 0x0 \[Type: void \*

1: kd> dt Shared_Cache_Map 0x89811e38

nt!SHARED_CACHE_MAP

+0x000 NodeTypeCode : 0n767

+0x002 NodeByteSize : 0n304

+0x004 OpenCount : 1

+0x008 FileSize : _LARGE_INTEGER 0x4000000

+0x010 BcbList : _LIST_ENTRY [ 0x89811e48 - 0x89811e48 ]

+0x018 SectionSize : _LARGE_INTEGER 0x4000000

+0x020 ValidDataLength : _LARGE_INTEGER 0x7fffffff`ffffffff

+0x028 ValidDataGoal : _LARGE_INTEGER 0x7fffffff`ffffffff

+0x030 InitialVacbs : [4] (null)

+0x040 Vacbs : 0x89811c28 -> (null)

+0x044 FileObject : 0x89811f90 _FILE_OBJECT

1: kd> dd 0x89811c28

89811c28 00000000 00000000 00000000 00000000

89811c38 00000000 00000000 00000000 00000000

89811c48 00000000 00000000 00000000 00000000

89811c58 00000000 00000000 00000000 00000000

89811c68 00000000 00000000 00000000 00000000

89811c78 00000000 00000000 00000000 00000000

89811c88 00000000 00000000 00000000 00000000

89811c98 00000000 00000000 00000000 00000000

1: kd> dt subsection 0x89458210+30

nt!SUBSECTION

+0x000 ControlArea : 0x89458210 _CONTROL_AREA

+0x004 u : __unnamed

+0x008 StartingSector : 0

+0x00c NumberOfFullSectors : 0x4000

+0x010 SubsectionBase : (null)

+0x014 UnusedPtes : 0

+0x018 PtesInSubsection : 0x4000

+0x01c NextSubsection : (null)

1: kd> x nt!CcBcbList

80b1cad0 nt!CcBcbList = struct _LIST_ENTRY [ 0x80b1cad0 - 0x80b1cad0 ]

1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cad0))

(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cad0)) [Type: _LIST_ENTRY]

+0x000\] Flink : 0x80b1cad0 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x80b1cad0 \[Type: _LIST_ENTRY \*

Ntfs!LfsReadRestart函数和Ntfs!_LFCB-＞LogHeadBuffer的关系

ChildEBP RetAddr Args to Child