NtfsLookupAttributeByName函数分析之和Scb-＞AttributeName的关系

sitelist

于 2025-05-23 11:23:18 发布

阅读量555

点赞数 6

分类专栏： nt4源代码分析文章标签： AttributeName LookupAttribute AttributeByName NtfsLookup

本文链接：https://blog.csdn.net/oldlinux/article/details/148160212

版权

nt4源代码分析专栏收录该内容

155 篇文章

订阅专栏

第一部分：

VOID
FindFirstIndexEntry (
    IN PIRP_CONTEXT IrpContext,
    IN PSCB Scb,
    IN PVOID Value,
    IN OUT PINDEX_CONTEXT IndexContext
    )
{

。。。。。。

    //
    // Lookup the attribute record from the Scb.
    //

    if (!NtfsLookupAttributeByName( IrpContext,
                                    Scb->Fcb,
                                    &Scb->Fcb->FileReference,
                                    $INDEX_ROOT,
                                    &Scb->AttributeName,
                                    NULL,
                                    FALSE,
                                    &IndexContext->AttributeContext )) {

第二部分：

0: kd> p
Ntfs!FindFirstIndexEntry+0x68:
f71740d2 84c0 test al,al
0: kd> dv

     IrpContext = 0xf793291c
            Scb = 0xe1363d20
          Value = 0xe13559b0
   IndexContext = 0xe1352348
      Attribute = 0x00000000
      IndexRoot = 0xe1352348
             Sp = 0xe1363d20
0: kd> dx -r1 ((Ntfs!_SCB *)0xe1363d20)
((Ntfs!_SCB *)0xe1363d20)                 : 0xe1363d20 [Type: _SCB *]
    [+0x000] Header           [Type: _NTFS_ADVANCED_FCB_HEADER]
    [+0x040] FcbLinks         [Type: _LIST_ENTRY]
    [+0x048] Fcb              : 0xe1363c58 [Type: _FCB *]
    [+0x04c] Vcb              : 0x895d5100 [Type: _VCB *]
    [+0x050] ScbState         : 0x100006a0 [Type: unsigned long]
    [+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]
    [+0x058] CleanupCount     : 0x1 [Type: unsigned long]
    [+0x05c] CloseCount       : 0x2 [Type: unsigned long]
    [+0x060] ShareAccess      [Type: _SHARE_ACCESS]
    [+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]
    [+0x080] AttributeName    : "$I30" [Type: _UNICODE_STRING]
    [+0x088] FileObject       : 0x8962b128 [Type: _FILE_OBJECT *]
    [+0x08c] NonpagedScb      : 0x89954e60 [Type: _SCB_NONPAGED *]
    [+0x090] Mcb              [Type: _NTFS_MCB]
    [+0x0a8] McbStructs       [Type: NTFS_MCB_INITIAL_STRUCTS]
    [+0x0f0] CompressionUnit : 0x0 [Type: unsigned long]
    [+0x0f4] AttributeFlags   : 0x0 [Type: unsigned short]
    [+0x0f6] CompressionUnitShift : 0x0 [Type: unsigned char]
    [+0x0f7] PadUchar         : 0x0 [Type: unsigned char]
    [+0x0f8] ValidDataToDisk : 0 [Type: __int64]
    [+0x100] TotalAllocated   : 8192 [Type: __int64]
    [+0x108] EofListHead      [Type: _LIST_ENTRY]
    [+0x110] CcbQueue         [Type: _LIST_ENTRY]
    [+0x118] ScbSnapshot      : 0x0 [Type: _SCB_SNAPSHOT *]
    [+0x11c] EncryptionContext : 0x0 [Type: void *]
    [+0x120] EncryptionContextLength : 0x0 [Type: unsigned long]
    [+0x124] ScbPersist       : 0x0 [Type: unsigned long]
    [+0x128] IoAtEofThread    : 0x0 [Type: unsigned long *]
    [+0x130] ScbType          [Type: __unnamed]

第三部分：

BOOLEAN
NtfsFindInFileRecord (
    IN PIRP_CONTEXT IrpContext,
    IN PATTRIBUTE_RECORD_HEADER Attribute,
    OUT PATTRIBUTE_RECORD_HEADER *ReturnAttribute,
    IN ATTRIBUTE_TYPE_CODE QueriedTypeCode,
    IN PCUNICODE_STRING QueriedName OPTIONAL,
    IN BOOLEAN IgnoreCase,
    IN PVOID QueriedValue OPTIONAL,
    IN ULONG QueriedValueLength
    )
{

while ( TRUE ) {

。。。。。。

NtfsInitializeStringFromAttribute( &AttributeName, Attribute );

                //
                // See if we have a name match.
                //

                if (NtfsAreNamesEqual( UpcaseTable,
                                       &AttributeName,
                                       QueriedName,
                                       IgnoreCase )) {

break;
}

return TRUE;
}

第四部分：

NtfsInitializeStringFromAttribute( &AttributeName, Attribute );

#define NtfsInitializeStringFromAttribute(NAME,ATTRIBUTE) {                \
    (NAME)->Length = (USHORT)(ATTRIBUTE)->NameLength << 1;                 \
    (NAME)->MaximumLength = (NAME)->Length;                                \
    (NAME)->Buffer = (PWSTR)Add2Ptr((ATTRIBUTE), (ATTRIBUTE)->NameOffset); \
}

(NAME)->Buffer (ATTRIBUTE)->NameLength +0x009 NameLength : 0x4 ''
(NAME)->Buffer (ATTRIBUTE)->NameOffset +0x00a NameOffset : 0x18

0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28+48
   +0x000 TypeCode         : 0x90
   +0x004 RecordLength     : 0xe0
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 6
   +0x010 Form             : __unnamed

0: kd> db 0xc1241438+48+60+28+48+18
c1241568 24 00 49 00 33 00 30 00-30 00 00 00 01 00 00 00 $.I.3.0.0.......

第五部分：

0: kd> p
Ntfs!NtfsFindInFileRecord+0x92:
f7171ac2 384d1c          cmp     byte ptr [ebp+1Ch],cl
0: kd> dv
        IrpContext = 0xf793291c
         Attribute = 0xc1241438

0: kd> dx -r1 ((Ntfs!_ATTRIBUTE_RECORD_HEADER *)0xc1241438)
((Ntfs!_ATTRIBUTE_RECORD_HEADER *)0xc1241438)                 : 0xc1241438 [Type: _ATTRIBUTE_RECORD_HEADER *]
    [+0x000] TypeCode         : 0x10 [Type: unsigned long]
    [+0x004] RecordLength     : 0x48 [Type: unsigned long]
    [+0x008] FormCode         : 0x0 [Type: unsigned char]
    [+0x009] NameLength       : 0x0 [Type: unsigned char]
    [+0x00a] NameOffset       : 0x18 [Type: unsigned short]
    [+0x00c] Flags            : 0x0 [Type: unsigned short]
    [+0x00e] Instance         : 0x0 [Type: unsigned short]
    [+0x010] Form             [Type: __unnamed]
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438
   +0x000 TypeCode         : 0x10
   +0x004 RecordLength     : 0x48
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 0
   +0x010 Form             : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48
   +0x000 TypeCode         : 0x30
   +0x004 RecordLength     : 0x60
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 1
   +0x010 Form             : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60
   +0x000 TypeCode         : 0x40
   +0x004 RecordLength     : 0x28
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0
   +0x00c Flags            : 0
   +0x00e Instance         : 9
   +0x010 Form             : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28
   +0x000 TypeCode         : 0x50
   +0x004 RecordLength     : 0x48
   +0x008 FormCode         : 0x1 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0x40
   +0x00c Flags            : 0
   +0x00e Instance         : 2
   +0x010 Form             : __unnamed
0: kd> dt Ntfs!_ATTRIBUTE_RECORD_HEADER 0xc1241438+48+60+28+48
   +0x000 TypeCode         : 0x90
   +0x004 RecordLength     : 0xe0
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 6
   +0x010 Form             : __unnamed