第一部分:
1: kd> kc
#
00 nt!MmMapViewInSystemCache
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!NtfsReadBootSector
06 Ntfs!NtfsMountVolume
07 Ntfs!NtfsCommonFileSystemControl
08 Ntfs!NtfsFspDispatch
09 nt!ExpWorkerThread
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup
1: kd> p
nt!MmMapViewInSystemCache+0x32b:
80aaf01d 8b0e mov ecx,dword ptr [esi]
1: kd> dv
SectionToMap = 0xe127a740
CapturedBase = 0x89988000
SectionOffset = 0xf78d6900 {-9175257283469246464}
CapturedViewSize = 0x00000040
PteOffset = 0
LastProto = 0x00000000
PteContents = struct _MMPTE
OldIrql = 0x00 ''
LastPte = 0x89988000
LastPteOffset = 0x40
Waited = 1
ProtoPte = 0xf78d6900
NumberOfPages = 0x40
if (PointerPte->u.List.NextEntry == MM_EMPTY_PTE_LIST) {
if ((PointerPte + 1)->u.List.NextEntry == (KeReadTbFlushTimeStamp() & MM_FLUSH_COUNTER_MASK)) {
KeFlushEntireTb (TRUE, TRUE);
}
第二部分:
1: kd> p
nt!MmMapViewInSystemCache+0x355:
80aaf047 8b4e04 mov ecx,dword ptr [esi+4]
1: kd> r
eax=00001314 ebx=898ff908 ecx=c10c0000 edx=00000000 esi=c0304200
1: kd> dd c0304200
c0304200 c10c0000 00000000 00000000 00000000
//
// Zero this explicitly now since the number of pages may be only 1.
//
(PointerPte + 1)->u.List.NextEntry = 0;
1: kd> p
nt!MmMapViewInSystemCache+0x36d:
80aaf05f 816604ff0f0000 and dword ptr [esi+4],0FFFh
1: kd> r
eax=00001314 ebx=898ff908 ecx=00000000 edx=00000000 esi=c0304200 edi=00000000
第三部分:
*CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte); c1080000
#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))
c0304200
1100 0000 0011 0000 0100 0010 0000 0000
11 0000 0100 0010 0000 0000 00 0000 0000
11 00 00 01 00 00 10 00 00 00 00 00 0000 0000
c1080000
1: kd> !pte c1080000
VA c1080000
PDE at C0300C10 PTE at C0304200
contains 0A03F963 contains C10C0000
pfn a03f -G-DA--KWEV not valid
Page has been freed
第四部分:
回顾PointerPte的由来:
PointerPte = MmFirstFreeSystemCache;
//
// Update next free entry.
//
ASSERT (PointerPte->u.Hard.Valid == 0);
MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;
ASSERT (MmFirstFreeSystemCache <= MiGetPteAddress (MmSystemCacheEnd));
1: kd> p
nt!MmMapViewInSystemCache+0x377:
80aaf069 8bc6 mov eax,esi
1: kd> p
nt!MmMapViewInSystemCache+0x379:
80aaf06b c1e00a shl eax,0Ah
1: kd> r
eax=c0304200
1: kd> dv
SectionToMap = 0xe127a740
CapturedBase = 0x89988000
1: kd> dx -r1 ((ntkrnlmp!void * *)0x89988000)
((ntkrnlmp!void * *)0x89988000) : 0x89988000 [Type: void * *]
0xc1080000
1: kd> !pte 0xc1080000
VA c1080000
PDE at C0300C10 PTE at C0304200
contains 0A03F963 contains C10C0000
pfn a03f -G-DA--KWEV not valid
Page has been freed
1: kd> x nt!MmFirstFreeSystemCache
80b23594 nt!MmFirstFreeSystemCache = 0xc0304300
1: kd> dd 0xc0304200 //0xc0304200下一个是0xc0304300
c0304200 c10c0000
304300
0011 0000 0100 0011 0000 0000
0011 0000 0100 0011 0000 00
00 11 00 00 01 00 00 11 00 00 00
c10c0 //正确
1: kd> dd 0xc0304200
c0304200 c10c0000 00000000 00000000 00000000
c0304210 00000000 00000000 00000000 00000000
第五部分:
1: kd> dt subsection 0x898ff8d8+30
nt!SUBSECTION
+0x000 ControlArea : 0x898ff8d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0
+0x00c NumberOfFullSectors : 0x100
+0x010 SubsectionBase : 0xe1009c00 _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x100
+0x01c NextSubsection : (null)
PteOffset = 0
ProtoPte = &Subsection->SubsectionBase[PteOffset]; =0xe1009c00
1: kd> dd 0xe1009c00
e1009c00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> p
nt!MmMapViewInSystemCache+0x384:
80aaf076 8d0c88 lea ecx,[eax+ecx*4]
1: kd> r
eax=e1009c00 ebx=898ff908 ecx=00000000 edx=00000000 esi=c0304200 edi=00000000
eip=80aaf076 esp=f78d6910 ebp=f78d6930 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MmMapViewInSystemCache+0x384:
80aaf076 8d0c88 lea ecx,[eax+ecx*4]
1: kd> p
nt!MmMapViewInSystemCache+0x387:
80aaf079 894d10 mov dword ptr [ebp+10h],ecx
1: kd> r
eax=e1009c00 ebx=898ff908 ecx=e1009c00 edx=00000000 esi=c0304200 edi=00000000
1: kd> dv
SectionToMap = 0xe127a740
ProtoPte = 0xe1009c00 //正确
第六部分:
LastProto = &Subsection->SubsectionBase[Subsection->PtesInSubsection];
+0x018 PtesInSubsection : 0x100
0xe1009c00+0x100*4=
1: kd> ?0xe1009c00+0x100*4
Evaluate expression: -520052736 = e100a000
1: kd> dv
SectionToMap = 0xe127a740
LastProto = 0xe100a000
LastPte = PointerPte + NumberOfPages; eax=c0304300
0xc0304200+0x40*4=
1: kd> ?0xc0304200+0x40*4
Evaluate expression: -1070578944 = c0304300
1: kd> p
nt!MmMapViewInSystemCache+0x396:
80aaf088 8d0486 lea eax,[esi+eax*4]
1: kd> r
eax=00000040 ebx=898ff908 ecx=00000100 edx=00000000 esi=c0304200 edi=00000000
eip=80aaf088 esp=f78d6910 ebp=f78d6930 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MmMapViewInSystemCache+0x396:
80aaf088 8d0486 lea eax,[esi+eax*4]
1: kd> p
nt!MmMapViewInSystemCache+0x399:
80aaf08b 8d7e08 lea edi,[esi+8]
1: kd> r
eax=c0304300
第七部分:
while (PointerPte < LastPte) {
if (ProtoPte >= LastProto) {
//
// Handle extended subsections.
//
Subsection = Subsection->NextSubsection;
ProtoPte = Subsection->SubsectionBase;
LastProto = &Subsection->SubsectionBase[
Subsection->PtesInSubsection];
}
PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);
MI_WRITE_INVALID_PTE (PointerPte, PteContents);
ASSERT (((ULONG_PTR)PointerPte & (MM_COLOR_MASK << PTE_SHIFT)) ==
(((ULONG_PTR)ProtoPte & (MM_COLOR_MASK << PTE_SHIFT))));
PointerPte += 1;
ProtoPte += 1;
}
ProtoPte = &Subsection->SubsectionBase[PteOffset]; =0xe1009c00
#define MiProtoAddressForKernelPte(proto_va) MiProtoAddressForPte(proto_va)
#define MiProtoAddressForPte(proto_va) \
((((((ULONG)proto_va - MmProtopte_Base) >> 1) & (ULONG)0x000000FE) | \
(((((ULONG)proto_va - MmProtopte_Base) << 2) & (ULONG)0xfffff800))) | \
MM_PTE_PROTOTYPE_MASK)
#define MM_PTE_PROTOTYPE_MASK 0x400
#define MmProtopte_Base ((ULONG)MmPagedPoolStart)
1: kd> x nt!MmPagedPoolStart
80b15028 nt!MmPagedPoolStart = 0xe1000000
1: kd> !pte 0xe1009c00
VA e1009c00
PDE at C0300E10 PTE at C0384024
contains 0A1C0963 contains 0A1CD963
pfn a1c0 -G-DA--KWEV pfn a1cd -G-DA--KWEV
9c00
1001 1100 0000 0000
1001 1100 0000 000
1001 110 0 000 0 000
1 111 1 110
1001 1100 0000 0000 00
10 01 11 00 00 00 00 00 00
27000
27400
第八部分:
PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte); //关键地方1:
1: kd> p
nt!MmMapViewInSystemCache+0x3ee:
80aaf0e0 8b4510 mov eax,dword ptr [ebp+10h]
1: kd> p
nt!MmMapViewInSystemCache+0x3f1:
80aaf0e3 2b052850b180 sub eax,dword ptr [nt!MmPagedPoolStart (80b15028)]
1: kd> r
eax=e1009c00
1: kd> p
nt!MmMapViewInSystemCache+0x411:
80aaf103 894d08 mov dword ptr [ebp+8],ecx
1: kd> r
eax=00027000 ebx=898ff908 ecx=00027400
第九部分:
MI_WRITE_INVALID_PTE (PointerPte, PteContents); //关键地方2:
1: kd> p
nt!MmMapViewInSystemCache+0x506:
80aaf1f8 8906 mov dword ptr [esi],eax
1: kd> r
eax=00027400 ebx=898ff908 ecx=f78d6920 edx=e7f77906 esi=c0304200 edi=80b79030
1: kd> dd 0xc0304200
c0304200 00027400 00000000 00000000 00000000
c0304210 00000000 00000000 00000000 00000000
c0304220 00000000 00000000 00000000 00000000
c0304230 00000000 00000000 00000000 00000000
c0304240 00000000 00000000 00000000 00000000
c0304250 00000000 00000000 00000000 00000000
c0304260 00000000 00000000 00000000 00000000
c0304270 00000000 00000000 00000000 00000000
1: kd> !pte 0xc0304200
VA c1080000
PDE at C0300C10 PTE at C0304200
contains 0A03F963 contains 00027400
pfn a03f -G-DA--KWEV not valid
Proto: E1009C00
第十部分:
1: kd> dd 0xc0304200
c0304200 00027400 00027402
1: kd> !pte 0xc0304204
VA c1081000
PDE at C0300C10 PTE at C0304204
contains 0A03F963 contains 00027402
pfn a03f -G-DA--KWEV not valid
Proto: E1009C04
ProtoPte = 0xe1009c08
第十一部分:
1: kd> dd 0xc0304200
c0304200 00027400 00027402 00027404 00000000
1: kd> dd 0xc0304200
c0304200 00027400 00027402 00027404 00027406
c0304210 00027408 0002740a 0002740c 0002740e
c0304220 00027410 00027412 00027414 00027416
c0304230 00027418 0002741a 0002741c 0002741e
c0304240 00027420 00027422 00027424 00027426
c0304250 00027428 0002742a 0002742c 0002742e
c0304260 00027430 00027432 00027434 00027436
c0304270 00027438 0002743a 0002743c 0002743e
dv
ProtoPte = 0xe1009c80
1: kd> dd 0xc0304200+80
c0304280 00027440 00027442 00027444 00027446
c0304290 00027448 0002744a 0002744c 0002744e
c03042a0 00027450 00027452 00027454 00027456
c03042b0 00027458 0002745a 0002745c 0002745e
c03042c0 00027460 00027462 00027464 00027466
c03042d0 00027468 0002746a 0002746c 0002746e
c03042e0 00027470 00027472 00027474 00027476
c03042f0 00027478 0002747a 0002747c 0002747e
ProtoPte = 0xe1009cfc
1: kd> dd 0xe1009c00
e1009c00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c40 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c50 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c60 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c70 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd 0xe1009c00+80
e1009c80 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c90 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ca0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cb0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cc0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cd0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ce0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cf0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> p
nt!MmMapViewInSystemCache+0x50f:
80aaf201 3b750c cmp esi,dword ptr [ebp+0Ch]
1: kd> r
eax=0002747e ebx=898ff908 ecx=f78d6920 edx=e7f77906 esi=c0304300 edi=80b88f00
eip=80aaf201 esp=f78d6910 ebp=f78d6930 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000296
nt!MmMapViewInSystemCache+0x50f:
80aaf201 3b750c cmp esi,dword ptr [ebp+0Ch] ss:0010:f78d693c=c0304300
1: kd> dd f78d6930+c
f78d693c c0304300
)
——dlib关键点定位)
