系统线程nt!CcPfBootWorker里面的nt!MmPrefetchPages函数分析

第一部分:

CcPfBeginBootPhase 函数分析:该函数通过 PsCreateSystemThread 创建系统线程 CcPfBootWorker(下面只摘录了创建线程的那一段)
//
// Excerpt of CcPfBeginBootPhase: the braces and the rest of the body are
// elided on this page; only the call that starts the boot prefetch worker
// thread is shown.
//
NTSTATUS
CcPfBeginBootPhase(
    PF_BOOT_PHASE_ID Phase
    )

        //
        // Kick off the boot worker in parallel.
        //
        // NOTE(review): ObjectAttributes is NULL, so OBJ_KERNEL_HANDLE is not
        // requested for ThreadHandle. That is only appropriate when this code
        // runs in the System process context - confirm against the caller.
        // The excerpt also does not show Status being checked or ThreadHandle
        // being closed; verify both in the full function.
        //
            
        Status = PsCreateSystemThread(&ThreadHandle,        // receives the new thread's handle
                                      THREAD_ALL_ACCESS,    // DesiredAccess
                                      NULL,                 // ObjectAttributes: none supplied
                                      NULL,                 // ProcessHandle: NULL => thread is created in the initial system process
                                      NULL,                 // ClientId: not requested
                                      CcPfBootWorker,       // StartRoutine (frame 02 in the kc stack on this page)
                                      BootPrefetcher);      // StartContext handed to CcPfBootWorker
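第二部分:在 nt!MmPrefetchPages 内查看 MiReadLists 指针数组

说明:下面寄存器中的 eax=898d7870 与第五部分 dv 输出的 MiReadLists 值相同;ecx 应为当前数组下标。lea ebx,[eax+ecx*4] 计算第 ecx 个 4 字节指针槽的地址(32 位内核),每个槽存放一个 _MI_READ_LIST 指针。寄存器快照是在该指令执行之前取的,所以 ebx 仍是旧值。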

1: kd> kc
 #
00 nt!MmPrefetchPages
01 nt!CcPfPrefetchSections
02 nt!CcPfBootWorker
03 nt!PspSystemThreadStartup
04 nt!KiThreadStartup


1: kd> p
nt!MmPrefetchPages+0x229:
80cf7d25 8d1c88          lea     ebx,[eax+ecx*4]
1: kd> r
eax=898d7870 ebx=898d78b0 ecx=00000011 edx=04fb0000 esi=8989e020 edi=80a03598
eip=80cf7d25 esp=f705fb50 ebp=f705fb74 iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000293
nt!MmPrefetchPages+0x229:
80cf7d25 8d1c88          lea     ebx,[eax+ecx*4]
1: kd> dd 898d7870
898d7870  8973a008 895ef848 895efce8 895ef820
898d7880  89808e58 8946f268 8952e3f8 8962bf80
898d7890  8962b4c0 8952e760 898d7848 89492210
898d78a0  89439988 894921a8 89505e18 8989b1f8
898d78b0  898fefa8 8980d8c0 89840310 895f1200
898d78c0  895f1310 895881d0 89941e10 898d7820
898d78d0  898d7d08 898d7ce0 8951d310 8945cb20
898d78e0  896242c0 8945c508 898457e0 895c70e8

1: kd> dt _MI_READ_LIST 895ef848
nt!_MI_READ_LIST
   +0x000 ControlArea      : 0x895ae810 _CONTROL_AREA
   +0x004 FileObject       : 0x89624698 _FILE_OBJECT
   +0x008 LastPteOffsetReferenced : 0x128
   +0x00c InPageSupportHead : _SINGLE_LIST_ENTRY
   +0x010 List             : [1] _MI_READ_LIST_ENTRY

1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_FILE_OBJECT *)0x89624698)
((ntkrnlmp!_FILE_OBJECT *)0x89624698)                 : 0x89624698 [Type: _FILE_OBJECT *]
    [+0x000] Type             : 5 [Type: short]
    [+0x002] Size             : 112 [Type: short]
    [+0x004] DeviceObject     : 0x89811788 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
    [+0x008] Vpb              : 0x89909178 [Type: _VPB *]
    [+0x00c] FsContext        : 0xe15bd7c8 [Type: void *]
    [+0x010] FsContext2       : 0xe15bd918 [Type: void *]
    [+0x014] SectionObjectPointer : 0x899ad3dc [Type: _SECTION_OBJECT_POINTERS *]
    [+0x018] PrivateCacheMap  : 0x0 [Type: void *]
    [+0x01c] FinalStatus      : 0 [Type: long]
    [+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
    [+0x024] LockOperation    : 0x0 [Type: unsigned char]
    [+0x025] DeletePending    : 0x0 [Type: unsigned char]
    [+0x026] ReadAccess       : 0x1 [Type: unsigned char]
    [+0x027] WriteAccess      : 0x0 [Type: unsigned char]
    [+0x028] DeleteAccess     : 0x0 [Type: unsigned char]
    [+0x029] SharedRead       : 0x1 [Type: unsigned char]
    [+0x02a] SharedWrite      : 0x1 [Type: unsigned char]
    [+0x02b] SharedDelete     : 0x1 [Type: unsigned char]
    [+0x02c] Flags            : 0x40040 [Type: unsigned long]
    [+0x030] FileName         : "\WINDOWS\AppPatch\sysmain.sdb" [Type: _UNICODE_STRING]
    [+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
    [+0x040] Waiters          : 0x0 [Type: unsigned long]
    [+0x044] Busy             : 0x0 [Type: unsigned long]
    [+0x048] LastLock         : 0x0 [Type: void *]
    [+0x04c] Lock             [Type: _KEVENT]
    [+0x05c] Event            [Type: _KEVENT]
    [+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]


1: kd> dt _MI_READ_LIST 895efce8
nt!_MI_READ_LIST
   +0x000 ControlArea      : 0x898ef598 _CONTROL_AREA
   +0x004 FileObject       : 0x8962bd38 _FILE_OBJECT
   +0x008 LastPteOffsetReferenced : 0x23
   +0x00c InPageSupportHead : _SINGLE_LIST_ENTRY
   +0x010 List             : [1] _MI_READ_LIST_ENTRY
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_FILE_OBJECT *)0x8962bd38)
((ntkrnlmp!_FILE_OBJECT *)0x8962bd38)                 : 0x8962bd38 [Type: _FILE_OBJECT *]
    [+0x000] Type             : 5 [Type: short]
    [+0x002] Size             : 112 [Type: short]
    [+0x004] DeviceObject     : 0x89811788 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
    [+0x008] Vpb              : 0x89909178 [Type: _VPB *]
    [+0x00c] FsContext        : 0xe1466d98 [Type: void *]
    [+0x010] FsContext2       : 0xe1551ec0 [Type: void *]
    [+0x014] SectionObjectPointer : 0x89453aec [Type: _SECTION_OBJECT_POINTERS *]
    [+0x018] PrivateCacheMap  : 0x0 [Type: void *]
    [+0x01c] FinalStatus      : 0 [Type: long]
    [+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
    [+0x024] LockOperation    : 0x0 [Type: unsigned char]
    [+0x025] DeletePending    : 0x0 [Type: unsigned char]
    [+0x026] ReadAccess       : 0x1 [Type: unsigned char]
    [+0x027] WriteAccess      : 0x0 [Type: unsigned char]
    [+0x028] DeleteAccess     : 0x0 [Type: unsigned char]
    [+0x029] SharedRead       : 0x1 [Type: unsigned char]
    [+0x02a] SharedWrite      : 0x1 [Type: unsigned char]
    [+0x02b] SharedDelete     : 0x1 [Type: unsigned char]
    [+0x02c] Flags            : 0x40040 [Type: unsigned long]
    [+0x030] FileName         : "\WINDOWS\system32\desk.cpl" [Type: _UNICODE_STRING]
    [+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
    [+0x040] Waiters          : 0x0 [Type: unsigned long]
    [+0x044] Busy             : 0x0 [Type: unsigned long]
    [+0x048] LastLock         : 0x0 [Type: void *]
    [+0x04c] Lock             [Type: _KEVENT]
    [+0x05c] Event            [Type: _KEVENT]
    [+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]


 

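第三部分:nt!CcPfPrefetchSections函数分析

说明:下面 _PF_SCENARIO_HEADER 中的 MagicNumber 0x41434353 按小端字节序读出即 ASCII "SCCA";ScenarioType 为 PfSystemBootScenarioType,说明这里处理的是启动预取场景。其余的 *Offset / Num* / *Size 字段描述各张表在场景缓冲区内的位置和大小。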

1: kd> dt CCPF_PREFETCH_HEADER f705fd5c
nt!CCPF_PREFETCH_HEADER
   +0x000 Scenario         : 0xe13dc000 _PF_SCENARIO_HEADER
   +0x004 VolumeNodes      : 0xe1293d18 _CCPF_PREFETCH_VOLUME_INFO
   +0x008 BadVolumeList    : _LIST_ENTRY [ 0xf705fd64 - 0xf705fd64 ]
   +0x010 OpenedVolumeList : _LIST_ENTRY [ 0xe1293d18 - 0xe1293d18 ]
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_PF_SCENARIO_HEADER *)0xe13dc000)
((ntkrnlmp!_PF_SCENARIO_HEADER *)0xe13dc000)                 : 0xe13dc000 [Type: _PF_SCENARIO_HEADER *]
    [+0x000] Version          : 0x11 [Type: unsigned long]
    [+0x004] MagicNumber      : 0x41434353 [Type: unsigned long]
    [+0x008] ServiceVersion   : 0xf [Type: unsigned long]
    [+0x00c] Size             : 0x4c6fa [Type: unsigned long]
    [+0x010] ScenarioId       [Type: _PF_SCENARIO_ID]
    [+0x050] ScenarioType     : PfSystemBootScenarioType (1) [Type: _PF_SCENARIO_TYPE]
    [+0x054] SectionInfoOffset : 0x98 [Type: unsigned long]
    [+0x058] NumSections      : 0x21f [Type: unsigned long]
    [+0x05c] PageInfoOffset   : 0x2b04 [Type: unsigned long]
    [+0x060] NumPages         : 0x45b6 [Type: unsigned long]
    [+0x064] FileNameInfoOffset : 0x36f8c [Type: unsigned long]
    [+0x068] FileNameInfoSize : 0x1052c [Type: unsigned long]
    [+0x06c] MetadataInfoOffset : 0x474b8 [Type: unsigned long]
    [+0x070] NumMetadataRecords : 0x1 [Type: unsigned long]
    [+0x074] MetadataInfoSize : 0x5242 [Type: unsigned long]
    [+0x078] LastLaunchTime   : {133862567540312500} [Type: _LARGE_INTEGER]
    [+0x080] MinRePrefetchTime : {0} [Type: _LARGE_INTEGER]
    [+0x088] MinReTraceTime   : {0} [Type: _LARGE_INTEGER]
    [+0x090] NumLaunches      : 0x45 [Type: unsigned long]
    [+0x094] Sensitivity      : 0x2 [Type: unsigned long]

    // Scenario is the _PF_SCENARIO_HEADER pointer stored in the prefetch
    // header (0xe13dc000 in the debugger session on this page).
    Scenario = PrefetchHeader->Scenario;

    // Number of entries in the section table; the value is read straight
    // from the scenario header (0x21f in the dump on this page).
    NumberOfSections = Scenario->NumSections;        NumSections      : 0x21f

    // The section table is addressed as header base + a byte offset that is
    // itself stored in the header. The debugger session on this page steps
    // through the records 0x14 bytes at a time, and with the dumped values
    // 0x98 + 0x21f * 0x14 = 0x2b04, which equals PageInfoOffset.
    // NOTE(review): no range check on SectionInfoOffset or NumSections is
    // visible in this excerpt - confirm where the scenario buffer is validated.
    SectionRecords = (PPF_SECTION_RECORD)
        ((PCHAR) Scenario + Scenario->SectionInfoOffset);


1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98
   +0x000 FirstPageIdx     : 0n0
   +0x004 NumPages         : 0x1d8
   +0x008 FileNameOffset   : 0
   +0x00c FileNameLength   : 0x1c
   +0x010 IsIgnore         : 0y1
   +0x010 IsImage          : 0y0
   +0x010 IsData           : 0y1

1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98+14*1
   +0x000 FirstPageIdx     : 0n472
   +0x004 NumPages         : 0x4e
   +0x008 FileNameOffset   : 0x3a
   +0x00c FileNameLength   : 0x3d
   +0x010 IsIgnore         : 0y0
   +0x010 IsImage          : 0y0
   +0x010 IsData           : 0y1
1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98+14*2
   +0x000 FirstPageIdx     : 0n550
   +0x004 NumPages         : 0x31
   +0x008 FileNameOffset   : 0xb6
   +0x00c FileNameLength   : 0x3d
   +0x010 IsIgnore         : 0y0
   +0x010 IsImage          : 0y1
   +0x010 IsData           : 0y1


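第四部分:页记录(PF_PAGE_RECORD)与文件名数据(FileNameData)

说明:FileNameLength 以宽字符计数且不含结尾的 NUL。以下标 1 的节记录为例:FileNameOffset=0x3a、FileNameLength=0x3d,(0x3d+1)*2=0x7c,0x3a+0x7c=0xb6,正好等于下标 2 的节记录的 FileNameOffset。解析这类记录时,应先将偏移和长度对照 FileNameInfoSize 校验,再去读取文件名。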

    // Each of the three tables is located by adding a byte offset stored in
    // the scenario header to the header's own base address (Scenario).
    // With the header values dumped on this page the regions are
    // back-to-back and end exactly at Size:
    //   0x98    + 0x21f  * 0x14 = 0x2b04   (section records -> PageInfoOffset)
    //   0x2b04  + 0x45b6 * 0xc  = 0x36f8c  (page records    -> FileNameInfoOffset)
    //   0x36f8c + 0x1052c       = 0x474b8  (file names      -> MetadataInfoOffset)
    //   0x474b8 + 0x5242        = 0x4c6fa  (metadata        -> Size)
    // NOTE(review): nothing in this excerpt bounds-checks the offsets or
    // counts. The file-name data on this page references a .PF file under
    // \WINDOWS\PREFETCH, so the buffer presumably originates from disk and is
    // verified before this point - confirm in the code that loads it.

    // Array of section records (0x14 bytes each in the debugger session).
    SectionRecords = (PPF_SECTION_RECORD)
        ((PCHAR) Scenario + Scenario->SectionInfoOffset);

    // Array of page records (0xc bytes each in the debugger session); the
    // dumps show records linked by NextPageIdx, starting at FirstPageIdx.
    PageRecords = (PPF_PAGE_RECORD)
        ((PCHAR) Scenario + Scenario->PageInfoOffset);

    // Start of the file-name area; a section record's FileNameOffset is a
    // byte offset from here (see the `db e1412f8c+0x3a` dump on this page).
    FileNameData = (PCHAR) Scenario + Scenario->FileNameInfoOffset;


1: kd> dt PF_PAGE_RECORD 0xe13dc000+0x2b04
basesrv!PF_PAGE_RECORD
   +0x000 NextPageIdx      : 0n1
   +0x004 FileOffset       : 0
   +0x008 IsIgnore         : 0y0
   +0x008 IsImage          : 0y0
   +0x008 IsData           : 0y1
   +0x008 UsageHistory     : 0y11011111 (0xdf)
   +0x008 PrefetchHistory  : 0y11111111 (0xff)

1: kd> dt PF_PAGE_RECORD 0xe13dc000+0x2b04+c*1
basesrv!PF_PAGE_RECORD
   +0x000 NextPageIdx      : 0n2
   +0x004 FileOffset       : 0x1000
   +0x008 IsIgnore         : 0y0
   +0x008 IsImage          : 0y0
   +0x008 IsData           : 0y1
   +0x008 UsageHistory     : 0y11011111 (0xdf)
   +0x008 PrefetchHistory  : 0y11111111 (0xff)
1: kd> dt PF_PAGE_RECORD 0xe13dc000+0x2b04+c*2
basesrv!PF_PAGE_RECORD
   +0x000 NextPageIdx      : 0n3
   +0x004 FileOffset       : 0x2000
   +0x008 IsIgnore         : 0y0
   +0x008 IsImage          : 0y0
   +0x008 IsData           : 0y1
   +0x008 UsageHistory     : 0y11011111 (0xdf)
   +0x008 PrefetchHistory  : 0y11111111 (0xff)

1: kd> db  0xe13dc000+0x36f8c
e1412f8c  5c 00 44 00 45 00 56 00-49 00 43 00 45 00 5c 00  \.D.E.V.I.C.E.\.

    FileNameData = (PCHAR) Scenario + Scenario->FileNameInfoOffset;=e1412f8c


1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98
   +0x000 FirstPageIdx     : 0n0
   +0x004 NumPages         : 0x1d8
   +0x008 FileNameOffset   : 0
   +0x00c FileNameLength   : 0x1c
   +0x010 IsIgnore         : 0y1
   +0x010 IsImage          : 0y0
   +0x010 IsData           : 0y1


1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98+14*1
   +0x000 FirstPageIdx     : 0n472
   +0x004 NumPages         : 0x4e
   +0x008 FileNameOffset   : 0x3a
   +0x00c FileNameLength   : 0x3d
   +0x010 IsIgnore         : 0y0
   +0x010 IsImage          : 0y0
   +0x010 IsData           : 0y1

1: kd> db e1412f8c+0x3a
e1412fc6  5c 00 44 00 45 00 56 00-49 00 43 00 45 00 5c 00  \.D.E.V.I.C.E.\.
e1412fd6  48 00 41 00 52 00 44 00-44 00 49 00 53 00 4b 00  H.A.R.D.D.I.S.K.
e1412fe6  56 00 4f 00 4c 00 55 00-4d 00 45 00 31 00 5c 00  V.O.L.U.M.E.1.\.
e1412ff6  57 00 49 00 4e 00 44 00-4f 00 57 00 53 00 5c 00  W.I.N.D.O.W.S.\.
e1413006  50 00 52 00 45 00 46 00-45 00 54 00 43 00 48 00  P.R.E.F.E.T.C.H.
e1413016  5c 00 4e 00 54 00 4f 00-53 00 42 00 4f 00 4f 00  \.N.T.O.S.B.O.O.
e1413026  54 00 2d 00 42 00 30 00-30 00 44 00 46 00 41 00  T.-.B.0.0.D.F.A.
e1413036  41 00 44 00 2e 00 50 00-46 00 00 00 5c 00 44 00  A.D...P.F...\.D.

1: kd> dt nt!_PF_SECTION_RECORD 0xe13dc000+0x98+14*2
   +0x000 FirstPageIdx     : 0n550
   +0x004 NumPages         : 0x31
   +0x008 FileNameOffset   : 0xb6
   +0x00c FileNameLength   : 0x3d
   +0x010 IsIgnore         : 0y0
   +0x010 IsImage          : 0y1
   +0x010 IsData           : 0y1

1: kd> db e1412f8c+0xb6
e1413042  5c 00 44 00 45 00 56 00-49 00 43 00 45 00 5c 00  \.D.E.V.I.C.E.\.
e1413052  48 00 41 00 52 00 44 00-44 00 49 00 53 00 4b 00  H.A.R.D.D.I.S.K.
e1413062  56 00 4f 00 4c 00 55 00-4d 00 45 00 31 00 5c 00  V.O.L.U.M.E.1.\.
e1413072  57 00 49 00 4e 00 44 00-4f 00 57 00 53 00 5c 00  W.I.N.D.O.W.S.\.
e1413082  53 00 59 00 53 00 54 00-45 00 4d 00 33 00 32 00  S.Y.S.T.E.M.3.2.
e1413092  5c 00 44 00 52 00 49 00-56 00 45 00 52 00 53 00  \.D.R.I.V.E.R.S.
e14130a2  5c 00 49 00 38 00 30 00-34 00 32 00 50 00 52 00  \.I.8.0.4.2.P.R.
e14130b2  54 00 2e 00 53 00 59 00-53 00 00 00 5c 00 44 00  T...S.Y.S...\.D.


1: kd> dt PF_PAGE_RECORD 0xe13dc000+0x2b04+c*0n550
basesrv!PF_PAGE_RECORD
   +0x000 NextPageIdx      : 0n551
   +0x004 FileOffset       : 0
   +0x008 IsIgnore         : 0y0
   +0x008 IsImage          : 0y1
   +0x008 IsData           : 0y1
   +0x008 UsageHistory     : 0y11111111 (0xff)
   +0x008 PrefetchHistory  : 0y11111111 (0xff)


第五部分:MiReadLists数组

1: kd> dv
           NumberOfLists = 0x49
               ReadLists = 0x00000000
               ReadBuilt = 1
CauseOfReadBuildFailures = 0n0
                  status = 0n0
               ApcNeeded = 0
             MiReadLists = 0x898d7870

1: kd> dx -r1 ((ntkrnlmp!_MI_READ_LIST * *)0x898d7870)
((ntkrnlmp!_MI_READ_LIST * *)0x898d7870)                 : 0x898d7870 [Type: _MI_READ_LIST * *]
    0x8973a008 [Type: _MI_READ_LIST *]


1: kd> dd 0x898d7870
898d7870  8973a008 895ef848 895efce8 895ef820
898d7880  89808e58 8946f268 8952e3f8 8962bf80
898d7890  8962b4c0 8952e760 898d7848 89492210
898d78a0  89439988 894921a8 89505e18 8989b1f8
898d78b0  898fefa8 8980d8c0 89840310 895f1200
898d78c0  895f1310 895881d0 89941e10 898d7820
898d78d0  898d7d08 898d7ce0 8951d310 8945cb20
898d78e0  896242c0 8945c508 898457e0 895c70e8


1: kd> dt _MI_READ_LIST  894921a8
nt!_MI_READ_LIST
   +0x000 ControlArea      : 0x89466a48 _CONTROL_AREA
   +0x004 FileObject       : 0x89466458 _FILE_OBJECT
   +0x008 LastPteOffsetReferenced : 1
   +0x00c InPageSupportHead : _SINGLE_LIST_ENTRY
   +0x010 List             : [1] _MI_READ_LIST_ENTRY

1: kd> dt _MI_READ_LIST_ENTRY -r
nt!_MI_READ_LIST_ENTRY
   +0x000 u1               : __unnamed
      +0x000 PrototypePte     : Ptr32 _MMPTE
         +0x000 u                : __unnamed
      +0x000 e1               : _RLETYPE
         +0x000 Partial          : Pos 0, 1 Bit
         +0x000 NewSubsection    : Pos 1, 1 Bit
         +0x000 DontUse          : Pos 2, 30 Bits


1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_FILE_OBJECT *)0x89466458)
((ntkrnlmp!_FILE_OBJECT *)0x89466458)                 : 0x89466458 [Type: _FILE_OBJECT *]
    [+0x000] Type             : 5 [Type: short]
    [+0x002] Size             : 112 [Type: short]
    [+0x004] DeviceObject     : 0x89811788 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
    [+0x008] Vpb              : 0x89909178 [Type: _VPB *]
    [+0x00c] FsContext        : 0xe15e77f8 [Type: void *]
    [+0x010] FsContext2       : 0xe15e7948 [Type: void *]
    [+0x014] SectionObjectPointer : 0x8989126c [Type: _SECTION_OBJECT_POINTERS *]
    [+0x018] PrivateCacheMap  : 0x0 [Type: void *]
    [+0x01c] FinalStatus      : 0 [Type: long]
    [+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
    [+0x024] LockOperation    : 0x0 [Type: unsigned char]
    [+0x025] DeletePending    : 0x0 [Type: unsigned char]
    [+0x026] ReadAccess       : 0x1 [Type: unsigned char]
    [+0x027] WriteAccess      : 0x0 [Type: unsigned char]
    [+0x028] DeleteAccess     : 0x0 [Type: unsigned char]
    [+0x029] SharedRead       : 0x1 [Type: unsigned char]
    [+0x02a] SharedWrite      : 0x1 [Type: unsigned char]
    [+0x02b] SharedDelete     : 0x1 [Type: unsigned char]
    [+0x02c] Flags            : 0x40040 [Type: unsigned long]
    [+0x030] FileName         : "\Documents and Settings\All Users\Start Menu\desktop.ini" [Type: _UNICODE_STRING]
    [+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
    [+0x040] Waiters          : 0x0 [Type: unsigned long]
    [+0x044] Busy             : 0x0 [Type: unsigned long]
    [+0x048] LastLock         : 0x0 [Type: void *]
    [+0x04c] Lock             [Type: _KEVENT]
    [+0x05c] Event            [Type: _KEVENT]
    [+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]
