
nt!MiFlushSectionInternal函数分析从nt!IoSynchronousPageWrite函数到Ntfs!NtfsFsdWrite函数

第一部分:

                while (TRUE) {

                    KeClearEvent (&IoEvent);

                    Status = IoSynchronousPageWrite (FilePointer,
                                                     Mdl,
                                                     (PLARGE_INTEGER)&StartingOffset,
                                                     &IoEvent,
                                                     IoStatus);

1: kd> p
nt!MiFlushSectionInternal+0x6f6:
80a72410 e8c74bfbff      call    nt!IoSynchronousPageWrite (80a26fdc)
1: kd> t
Breakpoint 43 hit
nt!IoSynchronousPageWrite:
80a26fdc 55              push    ebp
1: kd> kc
 #
00 nt!IoSynchronousPageWrite
01 nt!MiFlushSectionInternal
02 nt!MmFlushSection
03 nt!CcFlushCache
04 Ntfs!LfsFlushLfcb
05 Ntfs!LfsFlushToLsnPriv
06 Ntfs!LfsWriteLfsRestart
07 Ntfs!LfsWriteRestartArea
08 Ntfs!NtfsCheckpointVolume
09 Ntfs!NtfsCheckpointAllVolumes
0a nt!ExpWorkerThread
0b nt!PspSystemThreadStartup
0c nt!KiThreadStartup
1: kd> dv
          FileObject = 0x89469688
MemoryDescriptorList = 0xf78d263c
      StartingOffset = 0xf78d26bc {7884800}
               Event = 0xf78d26a0
       IoStatusBlock = 0xf78d2834


1: kd> dx -r1 ((ntkrnlmp!_MDL *)0xf78d263c)
((ntkrnlmp!_MDL *)0xf78d263c)                 : 0xf78d263c [Type: _MDL *]
    [+0x000] Next             : 0x0 [Type: _MDL *]
    [+0x004] Size             : 92 [Type: short]
    [+0x006] MdlFlags         : 2 [Type: short]
    [+0x008] Process          : 0x0 [Type: _EPROCESS *]
    [+0x00c] MappedSystemVa   : 0x0 [Type: void *]
    [+0x010] StartVa          : 0x0 [Type: void *]
    [+0x014] ByteCount        : 0x2000 [Type: unsigned long]
    [+0x018] ByteOffset       : 0x0 [Type: unsigned long]


    if (CcIsFileCached(FileObject)) {
        CcDataFlushes += 1;
        CcDataPages += (MemoryDescriptorList->ByteCount + PAGE_SIZE - 1) >> PAGE_SHIFT;    eax=00000002
    }


1: kd> x nt!CcDataFlushes
80b1ca50          nt!CcDataFlushes = 0xb

1: kd> p
nt!IoSynchronousPageWrite+0x27:
80a27003 c1e80c          shr     eax,0Ch
1: kd> p
nt!IoSynchronousPageWrite+0x2a:
80a27006 01054ccab180    add     dword ptr [nt!CcDataPages (80b1ca4c)],eax
1: kd> r
eax=00000002


第二部分:

1: kd> p
nt!IoSynchronousPageWrite+0x43:
80a2701f ff150888b180    call    dword ptr [nt!pIoAllocateIrp (80b18808)]
1: kd> p
nt!IoSynchronousPageWrite+0x49:
80a27025 85c0            test    eax,eax
1: kd> r
eax=894c7980


1: kd> dt _irp 894c7980
ntdll!_IRP
   +0x000 Type             : 0n6
   +0x002 Size             : 0x190
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x894c7990 - 0x894c7990 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 0 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 7 ''
   +0x023 CurrentLocation  : 8 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x4 ''
   +0x028 UserIosb         : (null)
   +0x02c UserEvent        : (null)
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : (null)
   +0x040 Tail             : __unnamed

第三部分:

    irp->MdlAddress = MemoryDescriptorList;
    irp->Flags = IRP_PAGING_IO | IRP_NOCACHE | IRP_SYNCHRONOUS_PAGING_IO;

    irp->RequestorMode = KernelMode;
    irp->UserIosb = IoStatusBlock;
    irp->UserEvent = Event;
    irp->UserBuffer = (PVOID) ((PCHAR) MemoryDescriptorList->StartVa + MemoryDescriptorList->ByteOffset);
    irp->Tail.Overlay.OriginalFileObject = FileObject;
    irp->Tail.Overlay.Thread = PsGetCurrentThread();

1: kd> dt _irp 894c7980
ntdll!_IRP
   +0x000 Type             : 0n6
   +0x002 Size             : 0x190
   +0x004 MdlAddress       : 0xf78d263c _MDL
   +0x008 Flags            : 0x43
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x894c7990 - 0x894c7990 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 0 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 7 ''
   +0x023 CurrentLocation  : 8 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x4 ''
   +0x028 UserIosb         : 0xf78d2834 _IO_STATUS_BLOCK
   +0x02c UserEvent        : 0xf78d26a0 _KEVENT
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : (null)
   +0x040 Tail             : __unnamed
1: kd> dx -id 0,0,899a2278 -r1 ((ntdll!_MDL *)0xf78d263c)
((ntdll!_MDL *)0xf78d263c)                 : 0xf78d263c [Type: _MDL *]
    [+0x000] Next             : 0x0 [Type: _MDL *]
    [+0x004] Size             : 92 [Type: short]
    [+0x006] MdlFlags         : 2 [Type: short]
    [+0x008] Process          : 0x0 [Type: _EPROCESS *]
    [+0x00c] MappedSystemVa   : 0x0 [Type: void *]
    [+0x010] StartVa          : 0x0 [Type: void *]
    [+0x014] ByteCount        : 0x2000 [Type: unsigned long]
    [+0x018] ByteOffset       : 0x0 [Type: unsigned long]

说明:对照第三部分的代码,IRP 的 MdlAddress、UserIosb、UserEvent 已分别填为 0xf78d263c、0xf78d2834、0xf78d26a0,而 UserBuffer 仍显示 (null),这是因为 irp->UserBuffer = StartVa + ByteOffset,而该 MDL 的 StartVa 与 ByteOffset 都为 0。Flags = 0x43 对应 IRP_NOCACHE (0x1) | IRP_PAGING_IO (0x2) | IRP_SYNCHRONOUS_PAGING_IO (0x40)。


第四部分:

    //
    // Fill in the normal write parameters.
    //

    irpSp->MajorFunction = IRP_MJ_WRITE;
    irpSp->Parameters.Write.Length = MemoryDescriptorList->ByteCount;
    irpSp->Parameters.Write.ByteOffset = *StartingOffset;
    irpSp->FileObject = FileObject;
1: kd> dv
      StartingOffset = 0xf78d26bc {7884800}

1: kd> dt _io_stack_location 894c7ac8
ntdll!_IO_STACK_LOCATION
   +0x000 MajorFunction    : 0x4 ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0 ''
   +0x003 Control          : 0 ''
   +0x004 Parameters       : __unnamed
   +0x014 DeviceObject     : (null)
   +0x018 FileObject       : (null)
   +0x01c CompletionRoutine : (null)
   +0x020 Context          : (null)


1: kd> dt _io_stack_location 894c7ac8
ntdll!_IO_STACK_LOCATION
   +0x000 MajorFunction    : 0x4 ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0 ''
   +0x003 Control          : 0 ''
   +0x004 Parameters       : __unnamed
   +0x014 DeviceObject     : (null)
   +0x018 FileObject       : 0x89469688 _FILE_OBJECT
   +0x01c CompletionRoutine : (null)
   +0x020 Context          : (null)


1: kd> dt _io_stack_location 894c7ac8 -r
ntdll!_IO_STACK_LOCATION
   +0x000 MajorFunction    : 0x4 ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0 ''
   +0x003 Control          : 0 ''
   +0x004 Parameters       : __unnamed

      +0x000 Write            : __unnamed
         +0x000 Length           : 0x2000
         +0x004 Key              : 0
         +0x008 ByteOffset       : _LARGE_INTEGER 0x785000


第五部分:

1: kd> p
nt!IoSynchronousPageWrite+0xa8:
80a27084 e871f6ffff      call    nt!IofCallDriver (80a266fa)
1: kd> t
nt!IofCallDriver:
80a266fa 55              push    ebp
1: kd> kc
 #
00 nt!IofCallDriver
01 nt!IoSynchronousPageWrite
02 nt!MiFlushSectionInternal
03 nt!MmFlushSection
04 nt!CcFlushCache
05 Ntfs!LfsFlushLfcb
06 Ntfs!LfsFlushToLsnPriv
07 Ntfs!LfsWriteLfsRestart
08 Ntfs!LfsWriteRestartArea
09 Ntfs!NtfsCheckpointVolume
0a Ntfs!NtfsCheckpointAllVolumes
0b nt!ExpWorkerThread
0c nt!PspSystemThreadStartup
0d nt!KiThreadStartup
1: kd> dv
   DeviceObject = 0x894c7980 Device for {...}
            Irp = 0x8962e020

注意:这里 dv 显示的 DeviceObject/Irp 与后面 Ntfs!NtfsFsdWrite 帧中的 VolumeDeviceObject = 0x8962e020、Irp = 0x894c7980 正好相反,而 0x894c7980 正是第二部分 pIoAllocateIrp 返回的 IRP 地址。IofCallDriver 是 FASTCALL(前两个参数经 ecx/edx 传递),在函数入口处 dv 对寄存器参数的解析可能不准确,应以寄存器值(下方 edx=894c7980)和 NtfsFsdWrite 帧中的值为准。

//
// NTSTATUS FASTCALL IofCallDriver(PDEVICE_OBJECT DeviceObject, PIRP Irp)
//
// Hands Irp to the driver that owns DeviceObject. If the global hook
// pointer pIofCallDriver is non-NULL, every call is redirected through it
// (the comment below names IovCallDriver / IoPerfCallDriver as the
// targets) together with the caller's return address; otherwise the
// plain IopfCallDriver path is taken. Because one global pointer can
// redirect all IRP dispatch, it is a natural integrity-check target for
// kernel monitoring.
//
// In:   DeviceObject - device the IRP is sent to (x86 FASTCALL: ecx)
//       Irp          - the request (x86 FASTCALL: edx); in the trace
//                      below this is the IRP allocated earlier,
//                      0x894c7980, still in edx at IofCallDriver+0x5e
// Out:  NTSTATUS returned by the hook or by IopfCallDriver
//
// NOTE(review): the trace shows the dispatch at IofCallDriver+0x5e as
// `call dword ptr [ecx+eax*4+38h]` with eax = 4 (matching the stack
// location's MajorFunction 0x4, IRP_MJ_WRITE) resolving to
// Ntfs!NtfsFsdWrite. That looks like IopfCallDriver's indexing of the
// driver's MajorFunction table, inlined into IofCallDriver in this
// build — confirm against the symbols rather than assuming it.
//
NTSTATUS
FASTCALL
IofCallDriver(
    IN PDEVICE_OBJECT DeviceObject,
    IN OUT PIRP Irp
    )
{
    if (pIofCallDriver != NULL) {

        //
        // This routine will either jump immediately to IovCallDriver or
        // IoPerfCallDriver.
        //
        // _ReturnAddress() hands the hook the address of IofCallDriver's
        // caller, presumably so the verifier/perf path can attribute
        // the request to the component that issued it.
        //
        return pIofCallDriver(DeviceObject, Irp, _ReturnAddress());
    }

    // Common path: no hook installed, dispatch directly.
    return IopfCallDriver(DeviceObject, Irp);
}

1: kd> p
nt!IofCallDriver+0x5c:
80a26756 56              push    esi
1: kd> p
nt!IofCallDriver+0x5d:
80a26757 57              push    edi
1: kd> p
nt!IofCallDriver+0x5e:
80a26758 ff548138        call    dword ptr [ecx+eax*4+38h]
1: kd> r
eax=00000004 ebx=00000000 ecx=89630390 edx=894c7980 esi=894c7980 edi=8962e020
eip=80a26758 esp=f78d25ec ebp=f78d2600 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000282
nt!IofCallDriver+0x5e:
80a26758 ff548138        call    dword ptr [ecx+eax*4+38h] ds:0023:896303d8={Ntfs!NtfsFsdWrite (f714171a)}

1: kd> t
Ntfs!NtfsFsdWrite:
f714171a 6a48            push    48h
1: kd> kc
 #
00 Ntfs!NtfsFsdWrite
01 nt!IofCallDriver
02 nt!IoSynchronousPageWrite
03 nt!MiFlushSectionInternal
04 nt!MmFlushSection
05 nt!CcFlushCache
06 Ntfs!LfsFlushLfcb
07 Ntfs!LfsFlushToLsnPriv
08 Ntfs!LfsWriteLfsRestart
09 Ntfs!LfsWriteRestartArea
0a Ntfs!NtfsCheckpointVolume
0b Ntfs!NtfsCheckpointAllVolumes
0c nt!ExpWorkerThread
0d nt!PspSystemThreadStartup
0e nt!KiThreadStartup
1: kd> dv
   VolumeDeviceObject = 0x8962e020
                  Irp = 0x894c7980
