Ntfs!LfsUpdateLfcbFromRestart函数分析之根据Ntfs!_LFS_RESTART_AREA初始化Ntfs!_LFCB

sitelist2025-07-11 21:28

第一部分:

LfsUpdateLfcbFromRestart( ThisLfcb,

FileSize,

DiskRestartArea,

FirstRestar

1: kd> p

Ntfs!LfsRestartLogFile+0x317:

f71fc8dd e820e5ffff call Ntfs!LfsUpdateLfcbFromRestart (f71fae02)

1: kd> t

Ntfs!LfsUpdateLfcbFromRestart:

f71fae02 55 push ebp

1: kd> kc

00 Ntfs!LfsUpdateLfcbFromRestart

01 Ntfs!LfsRestartLogFile

02 Ntfs!LfsOpenLogFile

03 Ntfs!NtfsStartLogFile

04 Ntfs!NtfsMountVolume

05 Ntfs!NtfsCommonFileSystemControl

06 Ntfs!NtfsFspDispatch

07 nt!ExpWorkerThread

08 nt!PspSystemThreadStartup

09 nt!KiThreadStartup

1: kd> dv

Lfcb = 0xe1364008

FileSize = 0n67108864

RestartArea = 0xc1140030

RestartOffset = 0x30

LsnFileOffset = 0n67108864

Wrapped = 0x00 ''

LsnFinalOffset = 0n38505786882

第二部分:

Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn );

#define LfsLsnToSeqNumber(LFCB,LSN) \

/*xxShr*/Int64ShrlMod32( ((ULONGLONG)(LSN).QuadPart), (LFCB)->FileDataBits )

逻辑右移:数字向右移动,左边补0。Windows中支持的函数为:Int64ShrlMod32

1: kd> dt _LFS_RESTART_AREA 0xc1140030

Ntfs!_LFS_RESTART_AREA

+0x000 CurrentLsn : _LARGE_INTEGER 0x8117464

+0x008 LogClients : 1

+0x00a ClientFreeList : 0xffff

+0x00c ClientInUseList : 0

+0x00e Flags : 0

+0x010 SeqNumberBits : 0x28

+0x014 RestartAreaLength : 0xe0

+0x016 ClientArrayOffset : 0x40

+0x018 FileSize : 0n67108864

+0x020 LastLsnDataLength : 0x68

+0x024 RecordHeaderLength : 0x30

+0x026 LogPageDataOffset : 0x40

+0x028 RestartOpenLogCount : 0x85e1225b

+0x02c LastFailedFlushStatus : 0

+0x030 LastFailedFlushOffset : 0n0

+0x038 LastFailedFlushLsn : _LARGE_INTEGER 0x0

+0x040 LogClientArray : [1] _LFS_CLIENT_RECORD

第三部分:

Lfcb->SeqNumberBits = RestartArea->SeqNumberBits;

Lfcb->FileDataBits = (sizeof( LSN ) * 8) - Lfcb->SeqNumberBits;

+0x010 SeqNumberBits : 0x28

1: kd> dt _LARGE_INTEGER -v

hal!_LARGE_INTEGER

union _LARGE_INTEGER, 4 elements, 0x8 bytes

+0x000 LowPart : Uint4B

+0x004 HighPart : Int4B

+0x000 u : struct __unnamed, 2 elements, 0x8 bytes

+0x000 QuadPart : Int8B

0x40-0x28=0x18

第四部分:

} else {

Lfcb->FileSize = min( FileSize, RestartArea->FileSize );

}

+0x018\] FileSize : 67108864 \[Type: __int64

第五部分:

//

// We get the sequence number bits from the restart area and compute the

// file data bits.

//

Lfcb->SeqNumberBits = RestartArea->SeqNumberBits;

Lfcb->FileDataBits = (sizeof( LSN ) * 8) - Lfcb->SeqNumberBits;

+0x080\] SeqNumberBits : 0x28 \[Type: unsigned long

+0x084\] FileDataBits : 0x18 \[Type: unsigned long

Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn ); =0x8

+0x0c8\] LastFlushedLsn : {135361636} \[Type: _LARGE_INTEGER

1: kd> ?0n135361636

Evaluate expression: 135361636 = 08117464

#define LfsLsnToSeqNumber(LFCB,LSN) \

/*xxShr*/Int64ShrlMod32( ((ULONGLONG)(LSN).QuadPart), (LFCB)->FileDataBits )

逻辑右移:数字向右移动,左边补0。Windows中支持的函数为:Int64ShrlMod32

Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn );

Lfcb->SeqNumberForWrap = Lfcb->SeqNumber + 1;

+0x070\] SeqNumber : 8 \[Type: __int64

+0x078\] SeqNumberForWrap : 9 \[Type: __int64

第六部分:

1: kd> dv

Lfcb = 0x00000018

FileSize = 0n135361636

RestartArea = 0xc1140030

RestartOffset = 0x30

//

// Compute the restart page values from the restart offset.

//

Lfcb->RestartDataOffset = RestartOffset;

Lfcb->RestartDataSize = (ULONG)Lfcb->LogPageSize - RestartOffset;

+0x04c\] RestartDataOffset : 0x30 \[Type: unsigned long

+0x050\] LogPageDataOffset : 0 \[Type: __int64

+0x058\] RestartDataSize : 0xfd0 \[Type: unsigned long

if (FlagOn( Lfcb->Flags, LFCB_PACK_LOG )) {

Lfcb->RecordHeaderLength = RestartArea->RecordHeaderLength;

Lfcb->ClientArrayOffset = RestartArea->ClientArrayOffset;

Lfcb->RestartAreaSize = RestartArea->RestartAreaLength;

(ULONG)Lfcb->LogPageDataOffset = RestartArea->LogPageDataOffset;

Lfcb->LogPageDataSize = Lfcb->LogPageSize - Lfcb->LogPageDataOffset;

+0x024\] RecordHeaderLength : 0x30 \[Type: unsigned short

+0x016\] ClientArrayOffset : 0x40 \[Type: unsigned short

+0x014\] RestartAreaLength : 0xe0 \[Type: unsigned short

+0x026\] LogPageDataOffset : 0x40 \[Type: unsigned short

第七部分:

LfsAllocateLbcb( Lfcb, &Lfcb->PrevTail );

Lfcb->PrevTail->FileOffset = Lfcb->FirstLogPage - Lfcb->LogPageSize;

LfsAllocateLbcb( Lfcb, &Lfcb->ActiveTail );

Lfcb->ActiveTail->FileOffset = Lfcb->PrevTail->FileOffset - Lfcb->LogPageSize;

1: kd> dt _LFCB 0xe1364008

Ntfs!_LFCB

+0x000 NodeTypeCode : 0n2051

+0x002 NodeByteSize : 0n352

+0x004 LfcbLinks : _LIST_ENTRY [ 0x0 - 0x0 ]

+0x00c LchLinks : _LIST_ENTRY [ 0xe1364014 - 0xe1364014 ]

+0x014 FileObject : 0x89811f90 _FILE_OBJECT

+0x018 FileSize : 0n67108864

+0x020 LogPageSize : 0n4096

+0x028 LogPageMask : 0xfff

+0x02c LogPageInverseMask : 0n-4096

+0x030 LogPageShift : 0xc

+0x038 FirstLogPage : 0n16384

1: kd> ?0n16384

Evaluate expression: 16384 = 00004000

+0x098 ActiveTail : 0xe13417e8 _LBCB

+0x09c PrevTail : 0xe1278640 _LBCB

1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_LBCB *)0xe1278640)

((Ntfs!_LBCB *)0xe1278640) : 0xe1278640 [Type: _LBCB *]

+0x000\] NodeTypeCode : 2050 \[Type: short

+0x002\] NodeByteSize : 96 \[Type: short

+0x004\] WorkqueLinks \[Type: _LIST_ENTRY

+0x00c\] ActiveLinks \[Type: _LIST_ENTRY

+0x018\] FileOffset : 12288 \[Type: __int64\] 0x3000 \[+0x020\] Length : 0 \[Type: __int64

+0x028\] SeqNumber : 0 \[Type: __int64

+0x030\] BufferOffset : 0 \[Type: __int64

+0x038\] PageHeader : 0x0 \[Type: void \*

+0x03c\] LogPageBcb : 0x0 \[Type: void \*

+0x040\] LastLsn : {0} \[Type: _LARGE_INTEGER

+0x048\] LastEndLsn : {0} \[Type: _LARGE_INTEGER

+0x050\] Flags : 0x0 \[Type: unsigned long

+0x054\] LbcbFlags : 0x0 \[Type: unsigned long

+0x058\] ResourceThread : 0x0 \[Type: unsigned long

1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_LBCB *)0xe13417e8)

((Ntfs!_LBCB *)0xe13417e8) : 0xe13417e8 [Type: _LBCB *]

+0x000\] NodeTypeCode : 2050 \[Type: short

+0x002\] NodeByteSize : 96 \[Type: short

+0x004\] WorkqueLinks \[Type: _LIST_ENTRY

+0x00c\] ActiveLinks \[Type: _LIST_ENTRY

+0x018\] FileOffset : 8192 \[Type: __int64\] 0x2000 \[+0x020\] Length : 0 \[Type: __int64

+0x028\] SeqNumber : 0 \[Type: __int64

+0x030\] BufferOffset : 0 \[Type: __int64

+0x038\] PageHeader : 0x0 \[Type: void \*

+0x03c\] LogPageBcb : 0x0 \[Type: void \*

+0x040\] LastLsn : {0} \[Type: _LARGE_INTEGER

+0x048\] LastEndLsn : {0} \[Type: _LARGE_INTEGER

+0x050\] Flags : 0x0 \[Type: unsigned long

+0x054\] LbcbFlags : 0x0 \[Type: unsigned long

+0x058\] ResourceThread : 0x0 \[Type: unsigned long

第八部分:

(ULONG)Lfcb->ReservedLogPageSize = (ULONG)Lfcb->LogPageDataSize - Lfcb->RecordHeaderLength;

+0x060 LogPageDataSize : 0n4032

1: kd> ?0n4032

Evaluate expression: 4032 = 00000fc0

+0x100\] ReservedLogPageSize : 3984 \[Type: __int64\] 00000f90 #define LfsLsnToFileOffset(LFCB,LSN) \\ /\*xxShr\*/( ((ULONGLONG)/\*xxShl\*/( (LSN).QuadPart \<\< (LFCB)-\>SeqNumberBits )) \>\> ((LFCB)-\>SeqNumberBits - 3) ) 第九部分: LsnFileOffset = LfsLsnToFileOffset( Lfcb, Lfcb-\>LastFlushedLsn ); \[+0x0c8\] LastFlushedLsn : {135361636} \[Type: _LARGE_INTEGER

1: kd> ?0n135361636

Evaluate expression: 135361636 = 08117464

+0x080\] SeqNumberBits : 0x28 \[Type: unsigned long

+0x084\] FileDataBits : 0x18 \[Type: unsigned long

0x8117464

1000 0001 0001 0111 0100 0110 0100

1000 0001 0001 0111 0100 0110 0100 000

100 0 000 1 000 1 011 1 010 0 011 0 010 0 000

1: kd> ?0x117464*8

Evaluate expression: 9151264 = 008ba320

1: kd> p

Ntfs!LfsUpdateLfcbFromRestart+0x1f9:

f71faffb e8c0b8f4ff call Ntfs!aullshr (f71468c0)

1: kd> p

Ntfs!LfsUpdateLfcbFromRestart+0x1fe:

f71fb000 8b4e38 mov ecx,dword ptr [esi+38h]

1: kd> r

eax=008ba320

1: kd> dv

Lfcb = 0x00000018

FileSize = 0n9151264

RestartArea = 0xc1140030

RestartOffset = 0x30

LsnFileOffset = 0n9151264

Wrapped = 0x00 ''

LsnFinalOffset = 0n38654705673

1: kd> ?0n9151264

Evaluate expression: 9151264 = 008ba320

第十部分:

} else {

LONGLONG LsnFinalOffset;

BOOLEAN Wrapped;

ULONG DataLength;

ULONG RemainingPageBytes;

DataLength = RestartArea->LastLsnDataLength;

//

// Find the end of this log record.

//

LfsLsnFinalOffset( Lfcb,

Lfcb->LastFlushedLsn,

DataLength,

&LsnFinalOffset );

+0x020\] LastLsnDataLength : 0x68 \[Type: unsigned long

1: kd> p

Ntfs!LfsUpdateLfcbFromRestart+0x23b:

f71fb03d e8183a0000 call Ntfs!LfsLsnFinalOffset (f71fea5a)

1: kd> t

Ntfs!LfsLsnFinalOffset:

f71fea5a 55 push ebp

1: kd> kc

00 Ntfs!LfsLsnFinalOffset

01 Ntfs!LfsUpdateLfcbFromRestart

02 Ntfs!LfsRestartLogFile

03 Ntfs!LfsOpenLogFile

04 Ntfs!NtfsStartLogFile

05 Ntfs!NtfsMountVolume

06 Ntfs!NtfsCommonFileSystemControl

07 Ntfs!NtfsFspDispatch

08 nt!ExpWorkerThread

09 nt!PspSystemThreadStartup

0a nt!KiThreadStartup

1: kd> dv

Lfcb = 0xe1364008

Lsn = {135361636}

DataLength = 0x68

FinalOffset = 0xf78d2934

RemainingPageBytes = 0xf78d2934

Wrapped = 0xe1 ''

热门推荐
01【无标题】02集群聊天服务器---MySQL数据库的建立03Coze扣子平台完整体验和实践(附国内和国际版对比)04Java类变量(静态变量)05KGG转MP3工具|非KGM文件|解密音频06扣子(coze)实战|我用扣子搭建了一个自动分析小红薯笔记内容的AI应用|详细步骤拆解07深度神经网络训练过程与常见概念08使用Ruby接入实时行情API教程09DeepSeek各版本说明与优缺点分析10基于uni-app的书法学习管理小程序的设计与实现