根目录0xa0属性对应的Ntfs!_SCB中的FileObject是什么时候被建立的----NTFS源代码分析--重要

根目录0xa0属性对应的Ntfs!_SCB中的FileObject是什么时候被建立的

第一部分：
0: kd> g
Breakpoint 9 hit
Ntfs!ReadIndexBuffer:
f7173886 55              push    ebp
0: kd> kc
 #
00 Ntfs!ReadIndexBuffer
01 Ntfs!FindFirstIndexEntry
02 Ntfs!NtfsUpdateFileNameInIndex
03 Ntfs!NtfsUpdateDuplicateInfo
04 Ntfs!NtfsInitializeSecurity
05 Ntfs!NtfsInitializeSecurityFile
06 Ntfs!NtfsMountVolume
07 Ntfs!NtfsCommonFileSystemControl
08 Ntfs!NtfsFspDispatch
09 nt!ExpWorkerThread
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup

0: kd> dv
     IrpContext = 0x89797aa8
            Scb = 0xe1350658
     IndexBlock = 0n0
         Reread = 0x00 ''
             Sp = 0xf78d6824
0: kd> dx -r1 ((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)
((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)                 : 0xf78d6824 [Type: _INDEX_LOOKUP_STACK *]
    [+0x000] Bcb              : 0x0 [Type: void *]
    [+0x004] StartOfBuffer    : 0x0 [Type: void *]
    [+0x008] IndexHeader      : 0x0 [Type: _INDEX_HEADER *]
    [+0x00c] IndexEntry       : 0x0 [Type: _INDEX_ENTRY *]
    [+0x010] IndexBlock       : 0 [Type: __int64]
    [+0x018] CapturedLsn      : {0} [Type: _LARGE_INTEGER]
0: kd> dx -r1 ((Ntfs!_SCB *)0xe1350658)
((Ntfs!_SCB *)0xe1350658)                 : 0xe1350658 [Type: _SCB *]
    [+0x000] Header           [Type: _NTFS_ADVANCED_FCB_HEADER]
    [+0x040] FcbLinks         [Type: _LIST_ENTRY]
    [+0x048] Fcb              : 0xe1350590 [Type: _FCB *]
    [+0x04c] Vcb              : 0x8962e100 [Type: _VCB *]
    [+0x050] ScbState         : 0x480 [Type: unsigned long]
    [+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]
    [+0x058] CleanupCount     : 0x0 [Type: unsigned long]
    [+0x05c] CloseCount       : 0x0 [Type: unsigned long]
    [+0x060] ShareAccess      [Type: _SHARE_ACCESS]
    [+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]
    [+0x080] AttributeName    : "$I30" [Type: _UNICODE_STRING]
    [+0x088] FileObject       : 0x0 [Type: _FILE_OBJECT *]
    [+0x08c] NonpagedScb      : 0x89927288 [Type: _SCB_NONPAGED *]
    [+0x090] Mcb              [Type: _NTFS_MCB]
    [+0x0a8] McbStructs       [Type: NTFS_MCB_INITIAL_STRUCTS]
    [+0x0f0] CompressionUnit  : 0x0 [Type: unsigned long]
    [+0x0f4] AttributeFlags   : 0x0 [Type: unsigned short]
    [+0x0f6] CompressionUnitShift : 0x0 [Type: unsigned char]
    [+0x0f7] PadUchar         : 0x0 [Type: unsigned char]
    [+0x0f8] ValidDataToDisk  : 0 [Type: __int64]
    [+0x100] TotalAllocated   : 0 [Type: __int64]
    [+0x108] EofListHead      [Type: _LIST_ENTRY]
    [+0x110] CcbQueue         [Type: _LIST_ENTRY]
    [+0x118] ScbSnapshot      : 0x0 [Type: _SCB_SNAPSHOT *]
    [+0x11c] EncryptionContext : 0x0 [Type: void *]
    [+0x120] EncryptionContextLength : 0x0 [Type: unsigned long]
    [+0x124] ScbPersist       : 0x0 [Type: unsigned long]
    [+0x128] IoAtEofThread    : 0x0 [Type: unsigned long *]
    [+0x130] ScbType          [Type: __unnamed]

第二部分：

    if (Scb->FileObject == NULL) {

        NtfsCreateInternalAttributeStream( IrpContext,
                                           Scb,
                                           TRUE,
                                           &NtfsInternalUseFile[DIRECTORY_FILE_NUMBER] );
    }

#define DIRECTORY_FILE_NUMBER                       (7)     //  $Directory

const UNICODE_STRING NtfsInternalUseFile[] = {
    CONSTANT_UNICODE_STRING( L"\\$ChangeAttributeValue" ),        0
    CONSTANT_UNICODE_STRING( L"\\$ChangeAttributeValue2" ),        1
    CONSTANT_UNICODE_STRING( L"\\$CommonCleanup" ),            2
    CONSTANT_UNICODE_STRING( L"\\$ConvertToNonresident" ),        3
    CONSTANT_UNICODE_STRING( L"\\$CreateNonresidentWithValue" ),    4
    CONSTANT_UNICODE_STRING( L"\\$DeallocateRecord" ),            5
    CONSTANT_UNICODE_STRING( L"\\$DeleteAllocationFromRecord" ),    6
    CONSTANT_UNICODE_STRING( L"\\$Directory" ),            7
    CONSTANT_UNICODE_STRING( L"\\$InitializeRecordAllocation" ),
    CONSTANT_UNICODE_STRING( L"\\$MapAttributeValue" ),
    CONSTANT_UNICODE_STRING( L"\\$NonCachedIo" ),
    CONSTANT_UNICODE_STRING( L"\\$PerformHotFix" ),
    CONSTANT_UNICODE_STRING( L"\\$PrepareToShrinkFileSize" ),
    CONSTANT_UNICODE_STRING( L"\\$ReplaceAttribute" ),
    CONSTANT_UNICODE_STRING( L"\\$ReplaceAttribute2" ),
    CONSTANT_UNICODE_STRING( L"\\$SetAllocationInfo" ),
    CONSTANT_UNICODE_STRING( L"\\$SetEndOfFileInfo" ),
    CONSTANT_UNICODE_STRING( L"\\$ZeroRangeInStream" ),
    CONSTANT_UNICODE_STRING( L"\\$ZeroRangeInStream2" ),
    CONSTANT_UNICODE_STRING( L"\\$ZeroRangeInStream3" ),
};

第三部分：
0: kd> p
Ntfs!ReadIndexBuffer+0x72:
f71738f8 e8efda0300      call    Ntfs!NtfsCreateInternalStreamCommon (f71b13ec)
0: kd> t
Ntfs!NtfsCreateInternalStreamCommon:
f71b13ec 6a34            push    34h
0: kd> kc
 #
00 Ntfs!NtfsCreateInternalStreamCommon
01 Ntfs!ReadIndexBuffer
02 Ntfs!FindFirstIndexEntry
03 Ntfs!NtfsUpdateFileNameInIndex
04 Ntfs!NtfsUpdateDuplicateInfo
05 Ntfs!NtfsInitializeSecurity
06 Ntfs!NtfsInitializeSecurityFile
07 Ntfs!NtfsMountVolume
08 Ntfs!NtfsCommonFileSystemControl
09 Ntfs!NtfsFspDispatch
0a nt!ExpWorkerThread
0b nt!PspSystemThreadStartup
0c nt!KiThreadStartup
0: kd> dv
              IrpContext = 0x89797aa8
                     Scb = 0xe1350658
               UpdateScb = 0x01 ''
        CompressedStream = 0x00 ''
              StreamName = 0xf7161da0 "\$Directory"