Analysis of the Ntfs!NtfsFreeRestartTableIndex function

2025/9/27 7:05:55  Source: https://blog.csdn.net/sitelist/article/details/148613913


Part 1:

0: kd> p
Ntfs!NtfsCommitCurrentTransaction+0x25c:
f7178ca6 e88785fcff      call    Ntfs!NtfsFreeRestartTableIndex (f7141232)
0: kd> t
Ntfs!NtfsFreeRestartTableIndex:
f7141232 55              push    ebp
0: kd> kc
 #
00 Ntfs!NtfsFreeRestartTableIndex
01 Ntfs!NtfsCommitCurrentTransaction
02 Ntfs!NtfsCompleteRequest
03 Ntfs!NtfsMountVolume
04 Ntfs!NtfsCommonFileSystemControl
05 Ntfs!NtfsFspDispatch
06 nt!ExpWorkerThread
07 nt!PspSystemThreadStartup
08 nt!KiThreadStartup
0: kd> kv
 # ChildEBP RetAddr  Args to Child              
00 f78d6a14 f7178cab 8962e368 00000018 00000000 Ntfs!NtfsFreeRestartTableIndex (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\logsup.c @ 4303]
01 f78d6ab0 f713e314 89797aa8 00000000 00000000 Ntfs!NtfsCommitCurrentTransaction+0x261 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\logsup.c @ 3414]
02 f78d6ac8 f719343a 89797aa8 894e2008 00000000 Ntfs!NtfsCompleteRequest+0x3a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\ntfsdata.c @ 1674]
03 f78d6cec f717c5aa 89797aa8 894e2008 89797aa8 Ntfs!NtfsMountVolume+0x1856 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 3174]
04 f78d6d04 f71484b0 89797aa8 894e2008 8999d020 Ntfs!NtfsCommonFileSystemControl+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fsctrl.c @ 837]
05 f78d6d80 80af2bb9 89797aa8 00000000 8999d020 Ntfs!NtfsFspDispatch+0x1fe (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\fspdisp.c @ 336]
06 f78d6dac 80d391f0 89797aa8 00000000 00000000 nt!ExpWorkerThread+0x10f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\worker.c @ 1153]
07 f78d6ddc 80b00d52 80af2aaa 00000000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
08 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]


0: kd> dv
   TablePointer = 0x8962e368
          Index = 0x18
     LockHandle = struct _KLOCK_QUEUE_HANDLE


0: kd> dx -r1 ((Ntfs!_RESTART_POINTERS *)0x8962e368)
((Ntfs!_RESTART_POINTERS *)0x8962e368)                 : 0x8962e368 [Type: _RESTART_POINTERS *]
    [+0x000] Resource         [Type: _ERESOURCE]
    [+0x038] Table            : 0x899c5380 [Type: _RESTART_TABLE *]
    [+0x03c] SpinLock         : 0x0 [Type: unsigned long]
    [+0x040] ResourceInitialized : 0x1 [Type: unsigned char]
    [+0x041] DrainPending     : 0x0 [Type: unsigned char]
    [+0x042] Unused           [Type: unsigned char [6]]
0: kd> dx -r1 ((Ntfs!_RESTART_TABLE *)0x899c5380)
((Ntfs!_RESTART_TABLE *)0x899c5380)                 : 0x899c5380 [Type: _RESTART_TABLE *]
    [+0x000] EntrySize        : 0x28 [Type: unsigned short]
    [+0x002] NumberEntries    : 0x5 [Type: unsigned short]
    [+0x004] NumberAllocated  : 0x1 [Type: unsigned short]
    [+0x006] Reserved         [Type: unsigned short [3]]
    [+0x00c] FreeGoal         : 0xffffffff [Type: unsigned long]
    [+0x010] FirstFree        : 0x40 [Type: unsigned long]
    [+0x014] LastFree         : 0xb8 [Type: unsigned long]

Part 2:

    Entry = GetRestartEntryFromIndex( TablePointer, Index );


/* INDX is a byte offset from the start of the _RESTART_TABLE, not an array subscript. */
#define GetRestartEntryFromIndex(TBL,INDX) (    \
    (PVOID)((PCHAR)(TBL)->Table + (INDX))       \
)


0: kd> dt _TRANSACTION_ENTRY 0x899c5380+18
Ntfs!_TRANSACTION_ENTRY
   +0x000 AllocatedOrNextFree : 0xffffffff
   +0x004 TransactionState : 0x1 ''
   +0x005 Reserved         : [3]  ""
   +0x008 FirstLsn         : _LARGE_INTEGER 0x80ee20e
   +0x010 PreviousLsn      : _LARGE_INTEGER 0x80ee239
   +0x018 UndoNextLsn      : _LARGE_INTEGER 0x0
   +0x020 UndoRecords      : 1
   +0x024 UndoBytes        : 0n96


Part 3:

        if (Table->LastFree == 0) {
            Table->LastFree = Index;
        }

0: kd> p
Ntfs!NtfsFreeRestartTableIndex+0xa7:
f71412d9 837e1400        cmp     dword ptr [esi+14h],0
0: kd> r
eax=00000040 ebx=899c5398 ecx=8962e3a4 edx=00000000 esi=899c5380


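    if (Index < Table->FreeGoal) {

        *Entry = Table->FirstFree;      // freed entry's link word takes the old list head (0x40 here)

        ASSERT( Index != RESTART_ENTRY_ALLOCATED );

        Table->FirstFree = Index;       // freed entry becomes the new head (0x18 here)
        if (Table->LastFree == 0) {     // list was empty: the entry is also the tail
            Table->LastFree = Index;
        }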

Part 4:

0: kd> dx -r1 ((Ntfs!_RESTART_TABLE *)0x899c5380)
((Ntfs!_RESTART_TABLE *)0x899c5380)                 : 0x899c5380 [Type: _RESTART_TABLE *]
    [+0x000] EntrySize        : 0x28 [Type: unsigned short]
    [+0x002] NumberEntries    : 0x5 [Type: unsigned short]
    [+0x004] NumberAllocated  : 0x0 [Type: unsigned short]
    [+0x006] Reserved         [Type: unsigned short [3]]
    [+0x00c] FreeGoal         : 0xffffffff [Type: unsigned long]
    [+0x010] FirstFree        : 0x18 [Type: unsigned long]
    [+0x014] LastFree         : 0xb8 [Type: unsigned long]


0: kd> dt _TRANSACTION_ENTRY 0x899c5380+18
Ntfs!_TRANSACTION_ENTRY
   +0x000 AllocatedOrNextFree : 0x40
   +0x004 TransactionState : 0x1 ''
   +0x005 Reserved         : [3]  ""
   +0x008 FirstLsn         : _LARGE_INTEGER 0x80ee20e
   +0x010 PreviousLsn      : _LARGE_INTEGER 0x80ee239
   +0x018 UndoNextLsn      : _LARGE_INTEGER 0x0
   +0x020 UndoRecords      : 1
   +0x024 UndoBytes        : 0n96
0: kd> dt _TRANSACTION_ENTRY 0x899c5380+18+28*2
Ntfs!_TRANSACTION_ENTRY
   +0x000 AllocatedOrNextFree : 0x90
   +0x004 TransactionState : 0 ''
   +0x005 Reserved         : [3]  ""
   +0x008 FirstLsn         : _LARGE_INTEGER 0x0
   +0x010 PreviousLsn      : _LARGE_INTEGER 0x0
   +0x018 UndoNextLsn      : _LARGE_INTEGER 0x0
   +0x020 UndoRecords      : 0
   +0x024 UndoBytes        : 0n0
0: kd> dt _TRANSACTION_ENTRY 0x899c5380+18+28*3
Ntfs!_TRANSACTION_ENTRY
   +0x000 AllocatedOrNextFree : 0xb8
   +0x004 TransactionState : 0 ''
   +0x005 Reserved         : [3]  ""
   +0x008 FirstLsn         : _LARGE_INTEGER 0x0
   +0x010 PreviousLsn      : _LARGE_INTEGER 0x0
   +0x018 UndoNextLsn      : _LARGE_INTEGER 0x0
   +0x020 UndoRecords      : 0
   +0x024 UndoBytes        : 0n0
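
The free-list update traced in Parts 1 to 4, as an added C model (not code from the NTFS driver or from the original post): it rebuilds the table state from the dumps, frees index 0x18 through the head-insertion branch shown in Part 3, and walks the resulting list. Assumptions of this example: the range, alignment and allocated-state checks, the names link_of, table_from_dump, free_restart_index and free_list_length, and the link values of entries 0x40 and 0xb8; the branch for an index at or above FreeGoal is not on the page and is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
enum { HDR_SIZE = 0x18, ENTRY_SIZE = 0x28, N_ENTRIES = 5 };  /* sizes from the dx output */
#define RESTART_ENTRY_ALLOCATED 0xffffffffu
typedef struct {                                 /* simplified model, not the driver's type */
    uint16_t EntrySize, NumberEntries, NumberAllocated, Reserved[3];
    uint32_t FreeGoal, FirstFree, LastFree;      /* header ends at offset 0x18 */
    uint32_t Entry[N_ENTRIES][ENTRY_SIZE / 4];   /* word 0 = AllocatedOrNextFree */
} restart_table;

/* Link word of the entry at byte offset `index`; NULL if out of range or misaligned. */
static uint32_t *link_of(restart_table *t, uint32_t index) {
    if (index < HDR_SIZE || (index - HDR_SIZE) % ENTRY_SIZE != 0) return NULL;
    uint32_t slot = (index - HDR_SIZE) / ENTRY_SIZE;
    return slot < t->NumberEntries ? &t->Entry[slot][0] : NULL;
}

/* State before the call. Links of 0x40 and 0xb8 are assumed, the rest is from the dumps. */
restart_table table_from_dump(void) {
    restart_table t = { .EntrySize = ENTRY_SIZE, .NumberEntries = N_ENTRIES,
        .NumberAllocated = 1, .FreeGoal = 0xffffffffu, .FirstFree = 0x40, .LastFree = 0xb8,
        .Entry = { {RESTART_ENTRY_ALLOCATED}, {0x68}, {0x90}, {0xb8}, {0} } };
    return t;
}

/* Head insertion as in Part 3. Returns -1 for a bad index, a double free, or Index >= FreeGoal. */
int free_restart_index(restart_table *t, uint32_t index) {
    uint32_t *link = link_of(t, index);
    if (!link || *link != RESTART_ENTRY_ALLOCATED || index >= t->FreeGoal) return -1;
    *link = t->FirstFree;                       /* freed entry points at the old head */
    t->FirstFree = index;
    if (t->LastFree == 0) t->LastFree = index;
    t->NumberAllocated -= 1;
    return 0;
}

/* Length of the free list, or -1 on a bad link, an allocated entry, or a cycle. */
int free_list_length(restart_table *t) {
    int n = 0;
    for (uint32_t i = t->FirstFree, *l; i != 0; i = *l, n++)
        if (!(l = link_of(t, i)) || *l == RESTART_ENTRY_ALLOCATED || n >= N_ENTRIES) return -1;
    return n;
}

int main(void) {
    restart_table t = table_from_dump();
    int rc = free_restart_index(&t, 0x18);
    printf("rc=%d FirstFree=0x%x free=%d\n", rc, (unsigned)t.FirstFree, free_list_length(&t));
    return 0;
}
```

A second free of 0x18 is rejected in this model because its link word then holds 0x40 instead of 0xffffffff, which is the same value the Part 4 dump shows in AllocatedOrNextFree.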
