Ntfs!ReadIndexBuffer函数分析之nt!CcGetVirtualAddress函数之nt!CcGetVacbMiss

第一部分:


    NtfsMapStream( IrpContext,
                   Scb,
                   LlBytesFromIndexBlocks( IndexBlock, Scb->ScbType.Index.IndexBlockByteShift ),
                   Scb->ScbType.Index.BytesPerIndexBuffer,
                   &Sp->Bcb,
                   &Sp->StartOfBuffer );


0: kd> dv
     IrpContext = 0x89797aa8
            Scb = 0xe1350658
     IndexBlock = 0n0
         Reread = 0x00 ''
             Sp = 0xf78d6824

0: kd> dx -r1 ((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)
((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)                 : 0xf78d6824 [Type: _INDEX_LOOKUP_STACK *]
    [+0x000] Bcb              : 0x0 [Type: void *]
    [+0x004] StartOfBuffer    : 0x0 [Type: void *]
    [+0x008] IndexHeader      : 0x0 [Type: _INDEX_HEADER *]
    [+0x00c] IndexEntry       : 0x0 [Type: _INDEX_ENTRY *]
    [+0x010] IndexBlock       : 0 [Type: __int64]
    [+0x018] CapturedLsn      : {0} [Type: _LARGE_INTEGER]

0: kd> r
eax=00000000 ebx=e1350658 ecx=0000000c edx=00000000 esi=f78d6824 edi=00000000
eip=f7173948 esp=f78d6764 ebp=f78d6770 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
Ntfs!ReadIndexBuffer+0xc2:
f7173948 8d7e04          lea     edi,[esi+4]


0: kd> r
eax=00000000 ebx=e1350658 ecx=0000000c edx=00000000 esi=f78d6824 edi=f78d6828

0: kd> dd 0xf78d6824
f78d6824  00000000 00000000 00000000 00000000
f78d6834  00000000 00000000 00000000 00000000
f78d6844  00000000 00000000 00000000 00000000

BOOLEAN
ReadIndexBuffer (
    IN PIRP_CONTEXT IrpContext,
    IN PSCB Scb,
    IN LONGLONG IndexBlock,
    IN BOOLEAN Reread,
    OUT PINDEX_LOOKUP_STACK Sp
    )

0: kd> dv
     IrpContext = 0x89797aa8
            Scb = 0xe1350658
     FileOffset = 0n0
         Length = 0x1000
            Bcb = 0xf78d6824
         Buffer = 0xf78d6828

0: kd> dx -r1 ((Ntfs!_SCB *)0xe1350658)
((Ntfs!_SCB *)0xe1350658)                 : 0xe1350658 [Type: _SCB *]
    [+0x000] Header           [Type: _NTFS_ADVANCED_FCB_HEADER]
    [+0x040] FcbLinks         [Type: _LIST_ENTRY]
    [+0x048] Fcb              : 0xe1350590 [Type: _FCB *]
    [+0x04c] Vcb              : 0x8962e100 [Type: _VCB *]
    [+0x050] ScbState         : 0x6a0 [Type: unsigned long]
    [+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]
    [+0x058] CleanupCount     : 0x0 [Type: unsigned long]
    [+0x05c] CloseCount       : 0x1 [Type: unsigned long]
    [+0x060] ShareAccess      [Type: _SHARE_ACCESS]
    [+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]
    [+0x080] AttributeName    : "$I30" [Type: _UNICODE_STRING]
    [+0x088] FileObject       : 0x89455df0 [Type: _FILE_OBJECT *]

0: kd> dx -r1 ((Ntfs!_FILE_OBJECT *)0x89455df0)
((Ntfs!_FILE_OBJECT *)0x89455df0)                 : 0x89455df0 [Type: _FILE_OBJECT *]
    [+0x000] Type             : 5 [Type: short]
    [+0x002] Size             : 112 [Type: short]
    [+0x004] DeviceObject     : 0x894d1c08 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
    [+0x008] Vpb              : 0x899a7008 [Type: _VPB *]
    [+0x00c] FsContext        : 0xe1350658 [Type: void *]
    [+0x010] FsContext2       : 0x0 [Type: void *]
    [+0x014] SectionObjectPointer : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]


0: kd> dx -r1 ((Ntfs!_SECTION_OBJECT_POINTERS *)0x89927294)
((Ntfs!_SECTION_OBJECT_POINTERS *)0x89927294)                 : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]
    [+0x000] DataSectionObject : 0x89455c30 [Type: void *]
    [+0x004] SharedCacheMap   : 0x89455c98 [Type: void *]
    [+0x008] ImageSectionObject : 0x0 [Type: void *]

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] (null)
   +0x040 Vacbs            : 0x89455cc8  -> (null)
   +0x044 FileObject       : 0x89455df0 _FILE_OBJECT


第二部分:

    //
    //  Call local routine to Map or Access the file data.  If we cannot map
    //  the data because of a Wait condition, return FALSE.
    //

    if (FlagOn(Flags, MAP_WAIT)) {

        *Buffer = CcGetVirtualAddress( SharedCacheMap,
                                       *FileOffset,
                                       (PVACB *)&TempBcb,
                                       &ReceivedLength );


0: kd> kc
 #
00 nt!CcGetVirtualAddress
01 nt!CcMapData
02 Ntfs!NtfsMapStream
03 Ntfs!ReadIndexBuffer
04 Ntfs!FindFirstIndexEntry
05 Ntfs!NtfsUpdateFileNameInIndex
06 Ntfs!NtfsUpdateDuplicateInfo
07 Ntfs!NtfsInitializeSecurity
08 Ntfs!NtfsInitializeSecurityFile
09 Ntfs!NtfsMountVolume
0a Ntfs!NtfsCommonFileSystemControl
0b Ntfs!NtfsFspDispatch
0c nt!ExpWorkerThread
0d nt!PspSystemThreadStartup
0e nt!KiThreadStartup


    if ((TempVacb = GetVacb( SharedCacheMap, FileOffset )) == NULL) {

        TempVacb = CcGetVacbMiss( SharedCacheMap, FileOffset, &OldIrql );    //关键代码:第一次需要调用CcGetVacbMiss函数

/*
 * GetVacb(SCM, OFF) - find the VACB (view) that maps byte offset OFF of the
 * stream described by shared cache map SCM.
 *
 * Two lookup paths, chosen by the section size:
 *   - SectionSize <= VACB_SIZE_OF_FIRST_LEVEL: a flat array, indexed by
 *     OFF.LowPart >> VACB_OFFSET_SHIFT (only the low 32 bits of the offset
 *     are used, which is sufficient because the section is small).
 *   - larger sections: the multi-level lookup in CcGetVacbLargeOffset().
 *
 * Yields NULL when no view is currently mapped at that offset; the caller
 * then takes the slow path (CcGetVacbMiss) to obtain and map one.
 * SCM is evaluated twice, so pass a side-effect-free expression.
 */
#define GetVacb(SCM,OFF) (                                                                \
    ((SCM)->SectionSize.QuadPart > VACB_SIZE_OF_FIRST_LEVEL) ?                            \
    CcGetVacbLargeOffset((SCM),(OFF).QuadPart) :                                          \
    (SCM)->Vacbs[(OFF).LowPart >> VACB_OFFSET_SHIFT]                                      \
)
/* Largest section (in bytes) handled by the flat first-level VACB array:
 * 1 << (18 + 7) = 0x2000000 (32 MiB); this is the constant compared against
 * SectionSize in CcGetVirtualAddress. */
#define VACB_SIZE_OF_FIRST_LEVEL         (1 << (VACB_OFFSET_SHIFT + VACB_LEVEL_SHIFT))
/* log2 of the bytes covered by one view: 1 << 18 = 0x40000 (256 KiB). */
#define VACB_OFFSET_SHIFT                (18)
/* log2 of the number of VACB pointers per lookup level: 1 << 7 = 128. */
#define VACB_LEVEL_SHIFT                  (7)
10    0000    0000    0000    0000    0000    0000
2000000


100 0000 0000 0000 0000
0x40000=256k

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000            1M


0: kd> dv
 SharedCacheMap = 0x89455d68
     FileOffset = {0}


0: kd> p
nt!CcGetVirtualAddress+0x93:
80a1a913 817f1800000002  cmp     dword ptr [edi+18h],2000000h
0: kd> r
eax=00000000 ebx=89455d68 ecx=80b16100 edx=00000000 esi=00000000 edi=89455c98

0: kd> p
nt!CcGetVirtualAddress+0xad:
80a1a92d c1ee12          shr     esi,12h
0: kd> r
eax=89455cc8 ebx=89455d68 ecx=80b16100 edx=00000000 esi=00000000


第三部分:


0: kd> t
Breakpoint 13 hit
nt!CcGetVacbMiss:
80a1a19e 6a30            push    30h
0: kd> kc
 #
00 nt!CcGetVacbMiss
01 nt!CcGetVirtualAddress
02 nt!CcMapData
03 Ntfs!NtfsMapStream
04 Ntfs!ReadIndexBuffer
05 Ntfs!FindFirstIndexEntry
06 Ntfs!NtfsUpdateFileNameInIndex
07 Ntfs!NtfsUpdateDuplicateInfo
08 Ntfs!NtfsInitializeSecurity
09 Ntfs!NtfsInitializeSecurityFile
0a Ntfs!NtfsMountVolume
0b Ntfs!NtfsCommonFileSystemControl
0c Ntfs!NtfsFspDispatch
0d nt!ExpWorkerThread
0e nt!PspSystemThreadStartup
0f nt!KiThreadStartup
0: kd> dv
   SharedCacheMap = 0x89455c98
       FileOffset = {0}
          OldIrql = 0xf78d66ab ""
      PageIsDirty = 0xf78d6704

    ULONG VacbOffset = FileOffset.LowPart & (VACB_MAPPING_GRANULARITY - 1);    =0

    if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {

        Vacb->SharedCacheMap = SharedCacheMap;
        Vacb->Overlay.FileOffset = NormalOffset;
        Vacb->Overlay.ActiveCount = 1;

        SetVacb( SharedCacheMap, NormalOffset, Vacb );


    //
    //  If there is a free view, move it to the LRU and we're done.
    //

    if (!IsListEmpty(&CcVacbFreeList)) {
    
        Vacb = CONTAINING_RECORD( CcVacbFreeList.Flink, VACB, LruList );    //关键代码:空闲列表里面得到一个vacb结构
        CcMoveVacbToReuseTail( Vacb );

0: kd> x nt!CcVacbFreeList
80b1cb58          nt!CcVacbFreeList = struct _LIST_ENTRY [ 0x899880e8 - 0x89993fc8 ]
0: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x899880e8 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89993fc8 [Type: _LIST_ENTRY *]

0: kd> dt _vacb 0x899880e8-10
nt!_VACB
   +0x000 BaseAddress      : (null)
   +0x004 SharedCacheMap   : (null)
   +0x008 Overlay          : __unnamed
   +0x010 LruList          : _LIST_ENTRY [ 0x89988100 - 0x80b1cb58 ]


0: kd> p
nt!CcGetVacbMiss+0x8e:
80a1a22c 8d4610          lea     eax,[esi+10h]
0: kd> pr
eax=899880e8 ebx=89455d68 ecx=00000000 edx=00000000 esi=899880d8

    Vacb->Overlay.ActiveCount = 1;
    SharedCacheMap->VacbActiveCount += 1;


0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] (null)
   +0x040 Vacbs            : 0x89455cc8  -> (null)
   +0x044 FileObject       : 0x89455df0 _FILE_OBJECT
   +0x048 ActiveVacb       : (null)
   +0x04c NeedToZero       : (null)
   +0x050 ActivePage       : 0
   +0x054 NeedToZeroPage   : 0
   +0x058 ActiveVacbSpinLock : 0
   +0x05c VacbActiveCount  : 1


第四部分:

        Status = MmMapViewInSystemCache (SharedCacheMap->Section,
                                         &Vacb->BaseAddress,
                                         &NormalOffset,
                                         &MappedLength.LowPart);

0: kd> t
Breakpoint 14 hit
nt!MmMapViewInSystemCache:
80aaecf2 55              push    ebp
0: kd> kc
 #
00 nt!MmMapViewInSystemCache
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!ReadIndexBuffer
06 Ntfs!FindFirstIndexEntry
07 Ntfs!NtfsUpdateFileNameInIndex
08 Ntfs!NtfsUpdateDuplicateInfo
09 Ntfs!NtfsInitializeSecurity
0a Ntfs!NtfsInitializeSecurityFile
0b Ntfs!NtfsMountVolume
0c Ntfs!NtfsCommonFileSystemControl
0d Ntfs!NtfsFspDispatch
0e nt!ExpWorkerThread
0f nt!PspSystemThreadStartup
10 nt!KiThreadStartup
0: kd> dv
    SectionToMap = 0xe13603d0
    CapturedBase = 0x899880d8
   SectionOffset = 0xf78d6648 {0}
CapturedViewSize = 0xf78d6640
       PteOffset = 0xf78d6680`ffffffff
       LastProto = 0x80aaecf2
     PteContents = struct _MMPTE
         OldIrql = 0x48 'H'
         LastPte = 0x899880d8
   LastPteOffset = 0x80aaecf2`00000000
          Waited = 8
        ProtoPte = 0xf78d6648
   NumberOfPages = 0xf78d6640
0: kd> dx -r1 ((ntkrnlmp!unsigned long *)0xf78d6640)
((ntkrnlmp!unsigned long *)0xf78d6640)                 : 0xf78d6640 : 0x40000 [Type: unsigned long *]
    0x40000 [Type: unsigned long]
0: kd> dx -r1 ((ntkrnlmp!void * *)0x899880d8)
((ntkrnlmp!void * *)0x899880d8)                 : 0x899880d8 [Type: void * *]
    0x0 [Type: void *]

        Status = MmMapViewInSystemCache (SharedCacheMap->Section,
                                         &Vacb->BaseAddress,
                                         &NormalOffset,
                                         &MappedLength.LowPart);

0: kd> dt section 0xe13603d0
nt!SECTION
   +0x000 Address          : _MMADDRESS_NODE
   +0x014 Segment          : 0xe1291b48 _SEGMENT
   +0x018 SizeOfSection    : _LARGE_INTEGER 0x100000
   +0x020 u                : __unnamed
   +0x024 InitialPageProtection : 4

0: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_SEGMENT *)0xe1291b48)
((ntkrnlmp!_SEGMENT *)0xe1291b48)                 : 0xe1291b48 [Type: _SEGMENT *]
    [+0x000] ControlArea      : 0x89455c30 [Type: _CONTROL_AREA *]
    [+0x004] TotalNumberOfPtes : 0x100 [Type: unsigned long]
    [+0x008] NonExtendedPtes  : 0x100 [Type: unsigned long]
    [+0x00c] WritableUserReferences : 0x0 [Type: unsigned long]
    [+0x010] SizeOfSegment    : 0x100000 [Type: unsigned __int64]
    [+0x018] SegmentPteTemplate [Type: _MMPTE]
    [+0x01c] NumberOfCommittedPages : 0x0 [Type: unsigned long]
    [+0x020] ExtendInfo       : 0x0 [Type: _MMEXTEND_INFO *]
    [+0x024] SegmentFlags     [Type: _SEGMENT_FLAGS]
    [+0x028] BasedAddress     : 0x0 [Type: void *]
    [+0x02c] u1               [Type: __unnamed]
    [+0x030] u2               [Type: __unnamed]
    [+0x034] PrototypePte     : 0x61444d43 [Type: _MMPTE *]
    [+0x038] ThePtes          [Type: _MMPTE [1]]
0: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_CONTROL_AREA *)0x89455c30)
((ntkrnlmp!_CONTROL_AREA *)0x89455c30)                 : 0x89455c30 [Type: _CONTROL_AREA *]
    [+0x000] Segment          : 0xe1291b48 [Type: _SEGMENT *]
    [+0x004] DereferenceList  [Type: _LIST_ENTRY]
    [+0x00c] NumberOfSectionReferences : 0x1 [Type: unsigned long]
    [+0x010] NumberOfPfnReferences : 0x0 [Type: unsigned long]
    [+0x014] NumberOfMappedViews : 0x0 [Type: unsigned long]
    [+0x018] NumberOfSystemCacheViews : 0x0 [Type: unsigned long]
    [+0x01c] NumberOfUserReferences : 0x0 [Type: unsigned long]
    [+0x020] u                [Type: __unnamed]
    [+0x024] FilePointer      : 0x89455df0 [Type: _FILE_OBJECT *]            FilePointer      : 0x89455df0
    [+0x028] WaitingForDeletion : 0x0 [Type: _EVENT_COUNTER *]
    [+0x02c] ModifiedWriteCount : 0x0 [Type: unsigned short]
    [+0x02e] FlushInProgressCount : 0x0 [Type: unsigned short]


    if (ControlArea->u.Flags.Rom == 0) {
        Subsection = (PSUBSECTION)(ControlArea + 1);
    }
    else {
        Subsection = (PSUBSECTION)((PLARGE_CONTROL_AREA)ControlArea + 1);
    }

0: kd> dt subsection 0x89455c30+30
nt!SUBSECTION
   +0x000 ControlArea      : 0x89455c30 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0x100
   +0x010 SubsectionBase   : (null)
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 0x100
   +0x01c NextSubsection   : (null)

   NumberOfPages = BYTES_TO_PAGES (*CapturedViewSize);    =eax=00000040

0: kd> p
nt!MmMapViewInSystemCache+0xab:
80aaed9d 03f0            add     esi,eax
0: kd> r
eax=00000040 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=89455c30


   SectionOffset = 0xf78d6648 {0}


    PteOffset = (UINT64)(SectionOffset->QuadPart >> PAGE_SHIFT);    0x0
    LastPteOffset = PteOffset + NumberOfPages;            0x40


    PointerPte = MmFirstFreeSystemCache;            //关键代码:得到PointerPte

    //
    // Update next free entry.
    //

    ASSERT (PointerPte->u.Hard.Valid == 0);

    MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;
    ASSERT (MmFirstFreeSystemCache <= MiGetPteAddress (MmSystemCacheEnd));


0: kd> x nt!MmFirstFreeSystemCache
80b23594          nt!MmFirstFreeSystemCache = 0xc0305300

0: kd> dd 0xc0305300
c0305300  c1500000 00000000 00000000 00000000
c0305310  00000000 00000000 00000000 00000000
c0305320  00000000 00000000 00000000 00000000
c0305330  00000000 00000000 00000000 00000000
c0305340  00000000 00000000 00000000 00000000

0: kd> x nt!MmSystemCachePteBase
80b2358c          nt!MmSystemCachePteBase = 0xc0000000


      +0x000 List             : _MMPTE_LIST
         +0x000 Valid            : Pos 0, 1 Bit
         +0x000 OneEntry         : Pos 1, 1 Bit
         +0x000 filler0          : Pos 2, 8 Bits
         +0x000 Prototype        : Pos 10, 1 Bit
         +0x000 filler1          : Pos 11, 1 Bit
         +0x000 NextEntry        : Pos 12, 20 Bits

c1500
1100 0001 0101 0000 0000

1100 0001 0101 0000 0000 00

11    00 00    01 01    01 00    00 00    00 00

305400
c0305400

0: kd> dd c0305400
c0305400  c1540000 00000000 00000000 00000000


0: kd> p
nt!MmMapViewInSystemCache+0x229:
80aaef1b 8d0481          lea     eax,[ecx+eax*4]
0: kd> p
nt!MmMapViewInSystemCache+0x22c:
80aaef1e 8b0da003bf80    mov     ecx,dword ptr [nt!MmSystemCacheEnd (80bf03a0)]
0: kd> r
eax=c0305400


    MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;    =eax=c0305400


第五部分:

0: kd> p
nt!MmMapViewInSystemCache+0x296:
80aaef88 e8bfa8feff      call    nt!MiAddViewsForSection (80a9984c)
0: kd> t
nt!MiAddViewsForSection:
80a9984c 55              push    ebp
0: kd> dv
StartMappedSubsection = 0x89455c60
        LastPteOffset = 0x40
              OldIrql = 0x00 ''
               Waited = 0xf78d6618


            Size = (MappedSubsection->PtesInSubsection + MappedSubsection->UnusedPtes) * sizeof(MMPTE);

            ASSERT (Size != 0);

            ProtoPtes = (PMMPTE)ExAllocatePoolWithTag (PagedPool | POOL_MM_ALLOCATION,
                                                       Size,
                                                       MMSECT);


0: kd> p
nt!MiAddViewsForSection+0x17f:
80a999cb e808190700      call    nt!ExAllocatePoolWithTag (80b0b2d8)
0: kd> p
Breakpoint 3 hit
nt!MmAccessFault:
80abcfda 55              push    ebp
0: kd> kc
 #
00 nt!MmAccessFault
01 nt!_KiTrap0E
02 nt!ExAllocatePoolWithTag
03 nt!MiAddViewsForSection
04 nt!MmMapViewInSystemCache
05 nt!CcGetVacbMiss
06 nt!CcGetVirtualAddress
07 nt!CcMapData
08 Ntfs!NtfsMapStream
09 Ntfs!ReadIndexBuffer
0a Ntfs!FindFirstIndexEntry
0b Ntfs!NtfsUpdateFileNameInIndex
0c Ntfs!NtfsUpdateDuplicateInfo
0d Ntfs!NtfsInitializeSecurity
0e Ntfs!NtfsInitializeSecurityFile
0f Ntfs!NtfsMountVolume
10 Ntfs!NtfsCommonFileSystemControl
11 Ntfs!NtfsFspDispatch
12 nt!ExpWorkerThread
13 nt!PspSystemThreadStartup
14 nt!KiThreadStartup
0: kd> dv
    FaultStatus = 1
 VirtualAddress = 0xe13c3000


0: kd> gu
nt!MiAddViewsForSection+0x184:
80a999d0 8bd8            mov     ebx,eax
0: kd> r
eax=e13c3008

            ProtoPtes = (PMMPTE)ExAllocatePoolWithTag (PagedPool | POOL_MM_ALLOCATION,
                                                       Size,
                                                       MMSECT);    =eax=e13c3008    //关键代码,是随机分配来的。


第六部分:

            TempPte.u.Long = MiGetSubsectionAddressForPte (MappedSubsection);
            TempPte.u.Soft.Prototype = 1;

0: kd> p
nt!MiAddViewsForSection+0x1b1:
80a999fd 0bc1            or      eax,ecx
0: kd> r
eax=7854c000 ebx=e13c3008 ecx=00000018 edx=0000017f esi=89455c60 edi=00000400


/*
 * MiGetSubsectionAddressForPte(VA) - pack a subsection pointer into a
 * 32-bit, PTE-sized value so a prototype PTE can refer back to it.
 *
 * Case 1: VA lies within 128 MiB above MmSubsectionBase.  The byte distance
 * delta = VA - MmSubsectionBase is split as
 *   bits 1..4   <- delta bits 3..6   ((delta >> 2) & 0x1E)
 *   bits 11..30 <- delta bits 7..26  ((delta << 4) & 0x7ffff800)
 * and bit 31 (0x80000000) is set to mark this encoding.  The low three bits
 * of delta are discarded, so the subsection must be 8-byte aligned.
 * Case 2: otherwise the same layout is applied to the distance below
 * MmNonPagedPoolEnd, with bit 31 clear.
 *
 * Worked example from the trace on this page: VA 0x89455c60 with
 * MmSubsectionBase 0x81c01000 gives 0xf854c018.
 */
#define MiGetSubsectionAddressForPte(VA)                   \
            (((ULONG)(VA) < (ULONG)MmSubsectionBase + 128*1024*1024) ?                  \
   (((((ULONG)VA - (ULONG)MmSubsectionBase)>>2) & (ULONG)0x0000001E) |  \
   ((((((ULONG)VA - (ULONG)MmSubsectionBase)<<4) & (ULONG)0x7ffff800)))| \
   0x80000000) \
            : \
   (((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)>>2) & (ULONG)0x0000001E) |  \
   ((((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)<<4) & (ULONG)0x7ffff800)))))

0: kd> x nt!MmSubsectionBase
80be3860          nt!MmSubsectionBase = 0x81c01000


0: kd> p
nt!MiAddViewsForSection+0x1b3:
80a999ff 0d00000080      or      eax,80000000h
0: kd> p
nt!MiAddViewsForSection+0x1b8:
80a99a04 eb1a            jmp     nt!MiAddViewsForSection+0x1d4 (80a99a20)
0: kd> r
eax=f854c018


            TempPte.u.Long = MiGetSubsectionAddressForPte (MappedSubsection);        =eax=f854c018
            TempPte.u.Soft.Prototype = 1;


            MiFillMemoryPte (ProtoPtes, Size / sizeof (MMPTE), TempPte.u.Long);


0: kd> dd e13c3008
e13c3008  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3018  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3028  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3038  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3048  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3058  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3068  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3078  f854c4d8 f854c4d8 f854c4d8 f854c4d8
0: kd> dd e13c3008+80*7
e13c3388  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3398  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33a8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33b8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33c8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33d8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33e8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33f8  f854c4d8 f854c4d8 f854c4d8 f854c4d8


0: kd> ?0n256/0n32
Evaluate expression: 8 = 00000008


            if (MappedSubsection->SubsectionBase == NULL) {

                ASSERT (MappedSubsection->NumberOfMappedViews == 1);

                MappedSubsection->SubsectionBase = ProtoPtes;
            }

0: kd> dt subsection 0x89455c30+30
nt!SUBSECTION
   +0x000 ControlArea      : 0x89455c30 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0x100
   +0x010 SubsectionBase   : 0xe13c3008 _MMPTE            //+0x010 SubsectionBase   : 0xe13c3008 _MMPTE
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 0x100
   +0x01c NextSubsection   : (null)


第七部分:


从 MiAddViewsForSection 返回到这里(刚才的调用点):
        Status = MiAddViewsForSection ((PMSUBSECTION)Subsection,
                                       LastPteOffset,
                                       OldIrql,
                                       &Waited);
返回后继续执行 MmMapViewInSystemCache 中的后续代码:

    //
    // Zero this explicitly now since the number of pages may be only 1.
    //

    (PointerPte + 1)->u.List.NextEntry = 0;

    *CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte);        //关键代码:


#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))


esi=c0305300

0: kd> x nt!MmFirstFreeSystemCache
80b23594          nt!MmFirstFreeSystemCache = 0xc0305300

c0305300


1100 0000 0011 0000 0101 0011 0000 0000

11 0000 0101 0011 0000 0000 00 0000 0000


11 00    00 01    01 00    11 00    00 00    00 00 0000 0000

0xc14c0000


0: kd> p
nt!MmMapViewInSystemCache+0x37c:
80aaf06e 8901            mov     dword ptr [ecx],eax
0: kd> p
nt!MmMapViewInSystemCache+0x37e:
80aaf070 8b4310          mov     eax,dword ptr [ebx+10h]
0: kd> r
eax=c14c0000

    *CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte);    =eax=c14c0000


    ProtoPte = &Subsection->SubsectionBase[PteOffset];

    LastProto = &Subsection->SubsectionBase[Subsection->PtesInSubsection];

    LastPte = PointerPte + NumberOfPages;


dv

        ProtoPte = 0xe13c3008
         LastPte = 0xc0305400
       LastProto = 0xe13c3408


        PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);
        MI_WRITE_INVALID_PTE (PointerPte, PteContents);

/* Kernel-mode prototype PTE encoding is the same as the generic one. */
#define MiProtoAddressForKernelPte(proto_va)  MiProtoAddressForPte(proto_va)


/*
 * MiProtoAddressForPte(proto_va) - build an invalid ("prototype") PTE that
 * points at the prototype PTE located at proto_va in paged pool.
 *
 * delta = proto_va - MmProtopte_Base is packed as
 *   bits 1..7   <- delta bits 2..8   ((delta >> 1) & 0xFE)
 *   bits 11..31 <- delta bits 9..29  ((delta << 2) & 0xfffff800)
 * then MM_PTE_PROTOTYPE_MASK is OR'd in (the Prototype bit, position 10 in
 * the MMPTE_LIST layout shown on this page).  The low two bits of delta are
 * dropped, so prototype PTEs are assumed 4-byte aligned; consecutive
 * prototype PTEs therefore differ by 2 in the encoded value.
 *
 * Worked example from the trace: proto_va 0xe13c3008 with
 * MmPagedPoolStart 0xe1000000 encodes to 0x00f0c404, and the following
 * entries read 0x00f0c406, 0x00f0c408, ...
 */
#define MiProtoAddressForPte(proto_va)  \
   ((((((ULONG)proto_va - MmProtopte_Base) >> 1) & (ULONG)0x000000FE)   | \
    (((((ULONG)proto_va - MmProtopte_Base) << 2) & (ULONG)0xfffff800))) | \
    MM_PTE_PROTOTYPE_MASK)

/* Prototype PTE addresses are encoded relative to the start of paged pool. */
#define MmProtopte_Base ((ULONG)MmPagedPoolStart)

0: kd> x nt!MmPagedPoolStart
80b15028          nt!MmPagedPoolStart = 0xe1000000


3c3008

0011 1100 0011 0000 0000 1000

0011 1100 0011 0000 0000 100

04

0011 1100 0011 0000 0000 1000 00

00    11 11    00 00    11 00    00 00    00 10    00 00


f0c000

f0c004


0: kd> dd c0305300
c0305300  c1500000 00000000 00000000 00000000
c0305310  00000000 00000000 00000000 00000000
c0305320  00000000 00000000 00000000 00000000
c0305330  00000000 00000000 00000000 00000000
c0305340  00000000 00000000 00000000 00000000
c0305350  00000000 00000000 00000000 00000000
c0305360  00000000 00000000 00000000 00000000
c0305370  00000000 00000000 00000000 00000000

0: kd> gu
nt!CcGetVacbMiss+0x300:
80a1a49e 8945d4          mov     dword ptr [ebp-2Ch],eax

0: kd> dd c0305300
c0305300  00f0c404 00f0c406 00f0c408 00f0c40a
c0305310  00f0c40c 00f0c40e 00f0c410 00f0c412
c0305320  00f0c414 00f0c416 00f0c418 00f0c41a
c0305330  00f0c41c 00f0c41e 00f0c420 00f0c422
c0305340  00f0c424 00f0c426 00f0c428 00f0c42a
c0305350  00f0c42c 00f0c42e 00f0c430 00f0c432
c0305360  00f0c434 00f0c436 00f0c438 00f0c43a
c0305370  00f0c43c 00f0c43e 00f0c440 00f0c442


第八部分:

    if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {

        Vacb->SharedCacheMap = SharedCacheMap;
        Vacb->Overlay.FileOffset = NormalOffset;
        Vacb->Overlay.ActiveCount = 1;

        SetVacb( SharedCacheMap, NormalOffset, Vacb );

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] (null)
   +0x040 Vacbs            : 0x89455cc8  -> (null)

        Vacb->SharedCacheMap = SharedCacheMap;    esi=899880d8
        Vacb->Overlay.FileOffset = NormalOffset;
        Vacb->Overlay.ActiveCount = 1;

        SetVacb( SharedCacheMap, NormalOffset, Vacb );


回顾:
        Status = MmMapViewInSystemCache (SharedCacheMap->Section,
                                         &Vacb->BaseAddress,                +0x000 BaseAddress      : 0xc14c0000 Void
                                         &NormalOffset,
                                         &MappedLength.LowPart);


0: kd> dt _vacb 899880d8
nt!_VACB
   +0x000 BaseAddress      : 0xc14c0000 Void
   +0x004 SharedCacheMap   : 0x89455c98 _SHARED_CACHE_MAP
   +0x008 Overlay          : __unnamed
   +0x010 LruList          : _LIST_ENTRY [ 0x80b1cb60 - 0x89988010 ]


0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] 0x899880d8 _VACB
   +0x040 Vacbs            : 0x89455cc8  -> 0x899880d8 _VACB


0: kd> dd 0x89455cc8
89455cc8  899880d8 00000000 00000000 00000000


0: kd> p
nt!CcGetVacbMiss+0x59d:
80a1a73b c21000          ret     10h
0: kd> p
nt!CcGetVirtualAddress+0xc7:
80a1a947 8bf0            mov     esi,eax
0: kd> r
eax=899880d8
