
nt!CcGetVacbMiss函数分析之设置好nt!_VACB然后调用函数nt!SetVacb

第一部分:MmMapViewInSystemCache函数返回

        //
        // Map a view of the file's section into the system cache for this
        // Vacb.  The call site passes:
        //   SectionToMap     = SharedCacheMap->Section
        //   CapturedBase     = &Vacb->BaseAddress  (receives the view's VA;
        //                      the trace below shows it become 0xc1080000)
        //   SectionOffset    = &NormalOffset
        //   CapturedViewSize = &MappedLength.LowPart
        // The NTSTATUS result lands in Status: after the callee's "ret" the
        // trace shows "mov [ebp-2Ch],eax" in CcGetVacbMiss.
        // NOTE(review): the "dv" in that trace was taken with the mov still
        // pending, so its Status value is presumably pre-assignment - confirm.
        //
        Status = MmMapViewInSystemCache (SharedCacheMap->Section,
                                         &Vacb->BaseAddress,
                                         &NormalOffset,
                                         &MappedLength.LowPart);


//
// NTSTATUS
// MmMapViewInSystemCache (SectionToMap, CapturedBase, SectionOffset,
//                         CapturedViewSize)
//
// Prototype only; the body is not part of this excerpt.  Per its name and
// the cache-manager call site above, it maps a view of a section into the
// system cache.
//
//   SectionToMap     - IN      section object to map (the caller passes
//                              SharedCacheMap->Section).
//   CapturedBase     - OUT     receives the base virtual address of the
//                              mapped view (the caller passes
//                              &Vacb->BaseAddress).
//   SectionOffset    - IN OUT  file offset of the view (the caller passes
//                              &NormalOffset).
//   CapturedViewSize - IN OUT  size of the view in bytes (the caller passes
//                              &MappedLength.LowPart).
//
// Returns an NTSTATUS; the caller stores it in Status.
//
NTSTATUS
MmMapViewInSystemCache (
    IN PVOID SectionToMap,
    OUT PVOID *CapturedBase,
    IN OUT PLARGE_INTEGER SectionOffset,
    IN OUT PULONG CapturedViewSize
    )

第二部分:(ntkrnlmp!_VACB *)0x89988000结构中的BaseAddress      : 0xc1080000

1: kd> p
nt!MmMapViewInSystemCache+0x51e:
80aaf210 c21000          ret     10h
1: kd> p
nt!CcGetVacbMiss+0x300:
80a1a49e 8945d4          mov     dword ptr [ebp-2Ch],eax
1: kd> dv
   SharedCacheMap = 0x89901cc8
       FileOffset = {0}
          OldIrql = 0xf78d69bf ""
      PageIsDirty = 0x89901cc8
OldSharedCacheMap = 0xffffffff
     NormalOffset = {0}
       ActiveVacb = 0x00000000
             Vacb = 0x89988000
           Status = 0n-141727208
       ActivePage = 0x30
     MappedLength = {262144}
1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988000)
((ntkrnlmp!_VACB *)0x89988000)                 : 0x89988000 [Type: _VACB *]
    [+0x000] BaseAddress      : 0xc1080000 [Type: void *]
    [+0x004] SharedCacheMap   : 0x0 [Type: _SHARED_CACHE_MAP *]
    [+0x008] Overlay          [Type: __unnamed]
    [+0x010] LruList          [Type: _LIST_ENTRY]

第三部分:

    //
    //  Finish filling in the Vacb, and store its address in the array in
    //  the Shared Cache Map.  (We have to rewrite the ActiveCount
    //  since it is overlaid.)  To do this we must reacquire the
    //  spin lock one more time.  Note we have to check for the unusual
    //  case that someone beat us to mapping this view, since we had to
    //  drop the spin lock.
    //

    if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {

        Vacb->SharedCacheMap = SharedCacheMap;
        Vacb->Overlay.FileOffset = NormalOffset;
        Vacb->Overlay.ActiveCount = 1;

        SetVacb( SharedCacheMap, NormalOffset, Vacb );

//
// GetVacb(SCM, OFF): return the VACB pointer recorded for file offset OFF
// in the shared cache map SCM, or NULL when no view has been stored there
// yet (the caller above compares the result against NULL).
//
//   - When SCM->SectionSize is at most VACB_SIZE_OF_FIRST_LEVEL the lookup
//     is a direct read of SCM->Vacbs[OFF.LowPart >> VACB_OFFSET_SHIFT];
//     the trace below shows it as "mov ebx,[ecx+eax*4]" with ecx = the
//     Vacbs array base (0x89901cf8) and eax = 0.
//   - Larger sections are delegated to CcGetVacbLargeOffset(SCM,
//     OFF.QuadPart).
//
// Function-like macro: SCM and OFF are each evaluated more than once, so
// pass only side-effect-free expressions.  No bounds check is performed
// here; the offset is presumably already validated against SectionSize
// by the caller, which (per the comment above the call site) reacquires
// the cache-map spin lock before this check - confirm against callers.
//
#define GetVacb(SCM,OFF) (                                                                \
    ((SCM)->SectionSize.QuadPart > VACB_SIZE_OF_FIRST_LEVEL) ?                            \
    CcGetVacbLargeOffset((SCM),(OFF).QuadPart) :                                          \
    (SCM)->Vacbs[(OFF).LowPart >> VACB_OFFSET_SHIFT]                                      \
)

dv

     NormalOffset = {0}

1: kd> p
nt!CcGetVacbMiss+0x4cb:
80a1a669 8b1c81          mov     ebx,dword ptr [ecx+eax*4]
1: kd> r
eax=00000000 ebx=00000000 ecx=89901cf8


第四部分: ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL)


1: kd> dd 89901cf8
89901cf8  00000000 00000000 00000000 00000000
89901d08  89901cf8 899c41b0 00000000 00000000
89901d18  00000000 00000000 00000000 00000001
89901d28  00000000 80b1cbd0 80b1cbd0 00000204
89901d38  00000000 00000000 e127a740 00000000
89901d48  00000000 00000000 00000000 00000000
89901d58  f7169a2c 898ffa10 89901dec 89901dec
89901d68  00000000 f718f6ec 00000000 00000000

1: kd> p
nt!CcGetVacbMiss+0x4ce:
80a1a66c 85db            test    ebx,ebx
1: kd> r
eax=00000000 ebx=00000000 ecx=89901cf8 edx=00000000 esi=89988000 edi=89901cc8
eip=80a1a66c esp=f78d6948 ebp=f78d6994 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!CcGetVacbMiss+0x4ce:
80a1a66c 85db            test    ebx,ebx
1: kd> p
nt!CcGetVacbMiss+0x4d0:
80a1a66e 7527            jne     nt!CcGetVacbMiss+0x4f9 (80a1a697)

89901cf8 处还没有被设置，现在设置 Vacb!!!


第五部分:

    if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {

        Vacb->SharedCacheMap = SharedCacheMap;
        Vacb->Overlay.FileOffset = NormalOffset;
        Vacb->Overlay.ActiveCount = 1;

        SetVacb( SharedCacheMap, NormalOffset, Vacb );


1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988000)
((ntkrnlmp!_VACB *)0x89988000)                 : 0x89988000 [Type: _VACB *]
    [+0x000] BaseAddress      : 0xc1080000 [Type: void *]
    [+0x004] SharedCacheMap   : 0x89901cc8 [Type: _SHARED_CACHE_MAP *]
    [+0x008] Overlay          [Type: __unnamed]
    [+0x010] LruList          [Type: _LIST_ENTRY]


   +0x008 Overlay          : __unnamed
      +0x000 FileOffset       : _LARGE_INTEGER
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
         +0x000 u                : __unnamed
         +0x000 QuadPart         : Int8B
      +0x000 ActiveCount      : Uint2B


1: kd> dd 0x89988000
89988000  c1080000 89901cc8 00000001 00000000
89988010  80b1cb60 80b1cb60


第六部分:

1: kd> t
Breakpoint 2 hit
nt!SetVacb:
80a194a2 55              push    ebp
1: kd> kc
 #
00 nt!SetVacb
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!NtfsReadBootSector
06 Ntfs!NtfsMountVolume
07 Ntfs!NtfsCommonFileSystemControl
08 Ntfs!NtfsFspDispatch
09 nt!ExpWorkerThread
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup
1: kd> dv
 SharedCacheMap = 0x89901cc8
         Offset = {0}
           Vacb = 0x89988000

    } else if (Vacb < VACB_SPECIAL_FIRST_VALID) {
        SharedCacheMap->Vacbs[Offset.LowPart >> VACB_OFFSET_SHIFT] = Vacb;
    }

//
// Shift that converts a file offset into a Vacbs[] index
// (SharedCacheMap->Vacbs[Offset.LowPart >> VACB_OFFSET_SHIFT] above).
// 1 << 18 == 262144, which matches the MappedLength seen in the trace, so
// each array slot presumably covers one 256 KiB view - confirm.
//
#define VACB_OFFSET_SHIFT                (18)


第七部分:结果!!!

1: kd> dd 0x89901cf8
89901cf8  89988000
1: kd> dt nt!_vacb 89988000
   +0x000 BaseAddress      : 0xc1080000 Void
   +0x004 SharedCacheMap   : 0x89901cc8 _SHARED_CACHE_MAP
   +0x008 Overlay          : __unnamed
   +0x010 LruList          : _LIST_ENTRY [ 0x80b1cb60 - 0x80b1cb60 ]

设置之前原来为 0:
1: kd> dd 89901cf8
89901cf8  00000000 00000000 00000000 00000000

