Ntfs!NtfsWriteLog函数分析之ntfs!NTFS_LOG_RECORD_HEADER结构的一个例子
第一部分:
LSN
NtfsWriteLog (
IN PIRP_CONTEXT IrpContext,
IN PSCB Scb,
IN PBCB Bcb OPTIONAL,
IN NTFS_LOG_OPERATION RedoOperation,
IN PVOID RedoBuffer OPTIONAL,
IN ULONG RedoLength,
IN NTFS_LOG_OPERATION UndoOperation,
IN PVOID UndoBuffer OPTIONAL,
IN ULONG UndoLength,
IN LONGLONG StreamOffset,
IN ULONG RecordOffset,
IN ULONG AttributeOffset,
IN ULONG StructureSize
)
{
PNTFS_LOG_RECORD_HEADER MyHeader;
//
// If there is a Redo buffer, fill in its write entry.
//
if (RedoLength != 0) {
WriteEntries[1].Buffer = RedoBuffer;
WriteEntries[1].ByteLength = RedoLength;
UndoIndex = RedoIndex = WriteIndex;
WriteIndex += 1;
}
//
// If there is an undo buffer, and it is at a different address than
// the redo buffer, then fill in its write entry.
//
if ((RedoBuffer != UndoBuffer) && (UndoLength != 0) &&
(UndoOperation != CompensationLogRecord)) {
WriteEntries[WriteIndex].Buffer = UndoBuffer;
WriteEntries[WriteIndex].ByteLength = UndoLength;
UndoIndex = WriteIndex;
WriteIndex += 1;
}
//
// Now fill in the rest of the header. Assume Redo and Undo buffer is
// the same, then fix them up if they are not.
//
MyHeader->RedoOperation = (USHORT)RedoOperation;
MyHeader->UndoOperation = (USHORT)UndoOperation;
MyHeader->RedoOffset = (USHORT)WriteEntries[0].ByteLength;
MyHeader->RedoLength = (USHORT)RedoLength;
MyHeader->UndoOffset = MyHeader->RedoOffset;
if (RedoBuffer != UndoBuffer) {
MyHeader->UndoOffset += (USHORT)QuadAlign(MyHeader->RedoLength);
}
MyHeader->UndoLength = (USHORT)UndoLength;
MyHeader->TargetAttribute = (USHORT)Scb->NonpagedScb->OnDiskOatIndex;
MyHeader->RecordOffset = (USHORT)RecordOffset;
MyHeader->AttributeOffset = (USHORT)AttributeOffset;
MyHeader->Reserved = 0;
MyHeader->TargetVcn = LogVcn;
MyHeader->ClusterBlockOffset = (USHORT) LogBlocksFromBytesTruncate( ClusterOffset( Vcb, StreamOffset ));
NumberOfWriteEntries = 3
WriteEntries = 0xf78d66d0
0: kd> dt Ntfs!_LFS_WRITE_ENTRY 0xf78d66d0
+0x000 Buffer : 0xf78d6638 Void
+0x004 ByteLength : 0x28
0: kd> dt Ntfs!_LFS_WRITE_ENTRY 0xf78d66d0+8
+0x000 Buffer : 0xe1362ca8 Void
+0x004 ByteLength : 0x38
0: kd> dt Ntfs!_LFS_WRITE_ENTRY 0xf78d66d0+8*2
+0x000 Buffer : 0xc14c0390 Void
+0x004 ByteLength : 0x38
0: kd> dt _NTFS_LOG_RECORD_HEADER 0xf78d6638
Ntfs!_NTFS_LOG_RECORD_HEADER
+0x000 RedoOperation : 0x14
+0x002 UndoOperation : 0x14
+0x004 RedoOffset : 0x28
+0x006 RedoLength : 0x38
+0x008 UndoOffset : 0x60
+0x00a UndoLength : 0x38
+0x00c TargetAttribute : 0x18
+0x00e LcnsToFollow : 1
+0x010 RecordOffset : 0
+0x012 AttributeOffset : 0x378
+0x014 ClusterBlockOffset : 0
+0x016 Reserved : 0
+0x018 TargetVcn : 0n0
+0x020 LcnsForPage : [1] 0n5337437
0: kd> dt DUPLICATED_INFORMATION 0xe1362ca8
Ntfs!DUPLICATED_INFORMATION
+0x000 CreationTime : 0n133707810243906250
+0x008 LastModificationTime : 0n133707810243906250
+0x010 LastChangeTime : 0n133707810243906250
+0x018 LastAccessTime : 0n133707810243906250
+0x020 AllocatedLength : 0n0
+0x028 FileSize : 0n0
+0x030 FileAttributes : 0x20000006
+0x034 PackedEaSize : 0
+0x036 Reserved : 0
+0x034 ReparsePointTag : 0
0: kd> dt DUPLICATED_INFORMATION 0xc14c0390
Ntfs!DUPLICATED_INFORMATION
+0x000 CreationTime : 0n133707810243906250
+0x008 LastModificationTime : 0n133707810243906250
+0x010 LastChangeTime : 0n133707810243906250
+0x018 LastAccessTime : 0n133707810243906250
+0x020 AllocatedLength : 0n0
+0x028 FileSize : 0n0
+0x030 FileAttributes : 0x20000006
+0x034 PackedEaSize : 0
+0x036 Reserved : 0
+0x034 ReparsePointTag : 0
第二部分:
0: kd> kc
#
00 Ntfs!LfsWriteLogRecordIntoLogPage
01 Ntfs!LfsWrite
02 Ntfs!NtfsWriteLog
03 Ntfs!NtfsUpdateFileNameInIndex
04 Ntfs!NtfsUpdateDuplicateInfo
05 Ntfs!NtfsInitializeSecurity
06 Ntfs!NtfsInitializeSecurityFile
07 Ntfs!NtfsMountVolume
08 Ntfs!NtfsCommonFileSystemControl
09 Ntfs!NtfsFspDispatch
0a nt!ExpWorkerThread
0b nt!PspSystemThreadStartup
0c nt!KiThreadStartup
0: kd> dv
Lfcb = 0xe1351768
Lch = 0xe1293300
NumberOfWriteEntries = 3
WriteEntries = 0xf78d66d0
第三部分:
typedef enum _NTFS_LOG_OPERATION {
Noop = 0x00, //
CompensationLogRecord = 0x01, //
InitializeFileRecordSegment = 0x02, // FILE_RECORD_SEGMENT_HEADER
DeallocateFileRecordSegment = 0x03, //
WriteEndOfFileRecordSegment = 0x04, // ATTRIBUTE_RECORD_HEADER
CreateAttribute = 0x05, // ATTRIBUTE_RECORD_HEADER
DeleteAttribute = 0x06, //
UpdateResidentValue = 0x07, // (value)
UpdateNonresidentValue = 0x08, // (value)
UpdateMappingPairs = 0x09, // (value = mapping pairs bytes)
DeleteDirtyClusters = 0x0A, // array of LCN_RANGE
SetNewAttributeSizes = 0x0B, // NEW_ATTRIBUTE_SIZES
AddIndexEntryRoot = 0x0C, // INDEX_ENTRY
DeleteIndexEntryRoot = 0x0D, // INDEX_ENTRY
AddIndexEntryAllocation = 0x0E, // INDEX_ENTRY
DeleteIndexEntryAllocation = 0x0F, // INDEX_ENTRY
WriteEndOfIndexBuffer = 0x10, // INDEX_ENTRY
SetIndexEntryVcnRoot = 0x11, // VCN
SetIndexEntryVcnAllocation = 0x12, // VCN
UpdateFileNameRoot = 0x13, // DUPLICATED_INFORMATION
UpdateFileNameAllocation = 0x14, // DUPLICATED_INFORMATION
SetBitsInNonresidentBitMap = 0x15, // BITMAP_RANGE
ClearBitsInNonresidentBitMap = 0x16, // BITMAP_RANGE
HotFix = 0x17, //
EndTopLevelAction = 0x18, //
PrepareTransaction = 0x19, //
CommitTransaction = 0x1A, //
ForgetTransaction = 0x1B, //
OpenNonresidentAttribute = 0x1C, // OPEN_ATTRIBUTE_ENTRY+ATTRIBUTE_NAME_ENTRY
OpenAttributeTableDump = 0x1D, // OPEN_ATTRIBUTE_ENTRY array
AttributeNamesDump = 0x1E, // (all attribute names)
DirtyPageTableDump = 0x1F, // DIRTY_PAGE_ENTRY array
TransactionTableDump = 0x20, // TRANSACTION_ENTRY array
UpdateRecordDataRoot = 0x21, // (value)
UpdateRecordDataAllocation = 0x22 // (value)
} NTFS_LOG_OPERATION, *PNTFS_LOG_OPERATION;
