Ntfs!LfsGetLbcb函数分析之nt!CcPreparePinWrite
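第一部分: 单步进入 Ntfs!LfsGetLbcb。注意下面的 dv 是停在函数第一条指令(push 40h)时执行的,函数序言尚未运行,PageHeaderBcb、Lbcb、_LocalFileOffset 等局部变量显示的多半是未初始化的栈残留值,不能当作有效数据;参数 Lfcb = 0xe1351768 是有效的,第二部分对它做 dx 时可以看到其 FileObject 字段。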
1: kd> p
Ntfs!LfsPrepareLfcbForLogRecord+0x78:
f7179d72 e891210000 call Ntfs!LfsGetLbcb (f717bf08)
1: kd> t
Ntfs!LfsGetLbcb:
f717bf08 6a40 push 40h
1: kd> kc
#
00 Ntfs!LfsGetLbcb
01 Ntfs!LfsPrepareLfcbForLogRecord
02 Ntfs!LfsWriteLogRecordIntoLogPage
03 Ntfs!LfsWrite
04 Ntfs!NtfsWriteLog
05 Ntfs!NtfsCheckpointVolume
06 Ntfs!NtfsCheckpointAllVolumes
07 nt!ExpWorkerThread
08 nt!PspSystemThreadStartup
09 nt!KiThreadStartup
1: kd> dv
Lfcb = 0xe1351768
PageHeaderBcb = 0xffffffff
WrappedOrUsaError = 0xe1 ''
Lbcb = 0x00000030
PageHeader = 0xf78d27d0
_LocalFileOffset = 0n150323855360
//
// Id strings for the page headers.
//
// Each *_ULONG constant is the same four ASCII bytes as the string next to
// it, read as a little-endian 32-bit value: "RCRD" is the byte sequence
// 52 43 52 44, i.e. 0x44524352. The memory dump of the cached log page later
// on this page starts with exactly those bytes.
//
// NOTE(review): going by the macro names, "BAAD" marks a page whose update
// sequence array check failed and "CHKD" a page that was modified after the
// fact; the code that sets or tests them is not part of this excerpt, confirm
// against the LFS sources before relying on that reading.
//
#define LFS_SIGNATURE_RESTART_PAGE "RSTR"
#define LFS_SIGNATURE_RESTART_PAGE_ULONG 0x52545352
#define LFS_SIGNATURE_RECORD_PAGE "RCRD"
#define LFS_SIGNATURE_RECORD_PAGE_ULONG 0x44524352
#define LFS_SIGNATURE_BAD_USA "BAAD"
#define LFS_SIGNATURE_BAD_USA_ULONG 0x44414142
#define LFS_SIGNATURE_MODIFIED "CHKD"
#define LFS_SIGNATURE_MODIFIED_ULONG 0x444b4843
// Four 0xFF bytes (octal \377): the value of a page header that has not been
// given a signature.
#define LFS_SIGNATURE_UNINITIALIZED "\377\377\377\377"
#define LFS_SIGNATURE_UNINITIALIZED_ULONG 0xffffffff
// Flag bit 0x10 named for the LFCB; where it is tested is not shown in this
// excerpt.
#define LFCB_REUSE_TAIL (0x00000010)
CcPreparePinWrite( (L)->FileObject, \
(PLARGE_INTEGER)&_LocalFileOffset, \
(LEN), \
FALSE, \
TRUE, \
(B), \
(BUF) );
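第二部分: LfsGetLbcb 通过上面的宏调用 nt!CcPreparePinWrite。dv 显示的实参与宏里的参数一一对应:Length = 0x1000,Zero = 0(宏里的 FALSE),Flags = 1(宏里的 TRUE,数值上等于 PIN_WAIT);FileObject 0x89469688 的 FileName 是 \$LogFile,并且与 Lfcb->FileObject 相同。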
1: kd> p
Ntfs!LfsGetLbcb+0x8c:
f717bf94 ff15080116f7 call dword ptr [Ntfs!_imp__CcPreparePinWrite (f7160108)]
1: kd> t
nt!CcPreparePinWrite:
80bf9b9e 6a2c push 2Ch
1: kd> kc
#
00 nt!CcPreparePinWrite
01 Ntfs!LfsGetLbcb
02 Ntfs!LfsPrepareLfcbForLogRecord
03 Ntfs!LfsWriteLogRecordIntoLogPage
04 Ntfs!LfsWrite
05 Ntfs!NtfsWriteLog
06 Ntfs!NtfsCheckpointVolume
07 Ntfs!NtfsCheckpointAllVolumes
08 nt!ExpWorkerThread
09 nt!PspSystemThreadStartup
0a nt!KiThreadStartup
1: kd> dv
FileObject = 0x89469688
FileOffset = 0xf78d2660 {7888896}
Length = 0x1000
Zero = 0x00 ''
Flags = 1
Bcb = 0xf78d2678
1: kd> dx -r1 ((ntkrnlmp!_FILE_OBJECT *)0x89469688)
((ntkrnlmp!_FILE_OBJECT *)0x89469688) : 0x89469688 [Type: _FILE_OBJECT *]
[+0x000] Type : 5 [Type: short]
[+0x002] Size : 112 [Type: short]
[+0x004] DeviceObject : 0x894d1c08 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
[+0x008] Vpb : 0x899a7008 [Type: _VPB *]
[+0x00c] FsContext : 0x89469700 [Type: void *]
[+0x010] FsContext2 : 0x0 [Type: void *]
[+0x014] SectionObjectPointer : 0x89982e3c [Type: _SECTION_OBJECT_POINTERS *]
[+0x018] PrivateCacheMap : 0x89469608 [Type: void *]
[+0x01c] FinalStatus : 0 [Type: long]
[+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
[+0x024] LockOperation : 0x0 [Type: unsigned char]
[+0x025] DeletePending : 0x0 [Type: unsigned char]
[+0x026] ReadAccess : 0x1 [Type: unsigned char]
[+0x027] WriteAccess : 0x1 [Type: unsigned char]
[+0x028] DeleteAccess : 0x1 [Type: unsigned char]
[+0x029] SharedRead : 0x0 [Type: unsigned char]
[+0x02a] SharedWrite : 0x0 [Type: unsigned char]
[+0x02b] SharedDelete : 0x0 [Type: unsigned char]
[+0x02c] Flags : 0x40100 [Type: unsigned long]
[+0x030] FileName : "\$LogFile" [Type: _UNICODE_STRING] // 关键字段:这个文件对象对应的是 NTFS 日志文件 \$LogFile
[+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
[+0x040] Waiters : 0x0 [Type: unsigned long]
[+0x044] Busy : 0x0 [Type: unsigned long]
[+0x048] LastLock : 0x0 [Type: void *]
[+0x04c] Lock [Type: _KEVENT]
[+0x05c] Event [Type: _KEVENT]
[+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]
1: kd> dx -r1 ((ntkrnlmp!_SECTION_OBJECT_POINTERS *)0x89982e3c)
((ntkrnlmp!_SECTION_OBJECT_POINTERS *)0x89982e3c) : 0x89982e3c [Type: _SECTION_OBJECT_POINTERS *]
[+0x000] DataSectionObject : 0x899bf650 [Type: void *]
[+0x004] SharedCacheMap : 0x89469530 [Type: void *]
[+0x008] ImageSectionObject : 0x0 [Type: void *]
1: kd> dx -r1 ((Ntfs!_LFCB *)0xe1351768)
((Ntfs!_LFCB *)0xe1351768) : 0xe1351768 [Type: _LFCB *]
[+0x000] NodeTypeCode : 2051 [Type: short]
[+0x002] NodeByteSize : 352 [Type: short]
[+0x004] LfcbLinks [Type: _LIST_ENTRY]
[+0x00c] LchLinks [Type: _LIST_ENTRY]
[+0x014] FileObject : 0x89469688 [Type: _FILE_OBJECT *]
1: kd> dv
FileObject = 0x89469688
FileOffset = 0xf78d2660 {7888896} // 0xf78d2660 是指针本身,花括号里是它指向的 LARGE_INTEGER 值 7888896(即 0x786000)
// Take a private copy of the caller's offset so that the call further down,
// which receives &LocalFileOffset, works on the copy. In the trace above
// *FileOffset is 7888896 (0x786000).
LARGE_INTEGER LocalFileOffset = *FileOffset;
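第三部分: CcPreparePinWrite 调用 nt!CcPinFileData。ReadOnly = 0、WriteOnly = 1 与源码里传入的 FALSE、TRUE 对应。下面的 dv 同样是在函数第一条指令处执行的:Bcb、BaseAddress、BeyondLastByte 都是输出参数,此时显示的 BeyondLastByte {7902739826480} 是尚未写入的值,返回之后(见第六部分)才是 {7892992}。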
if (!CcPinFileData( FileObject,
&LocalFileOffset,
Length,
FALSE,
TRUE,
Flags,
CurrentBcbPtr,
&LocalBuffer,
&BeyondLastByte )) {
1: kd> p
nt!CcPreparePinWrite+0x8e:
80bf9c2c e8adafe1ff call nt!CcPinFileData (80a14bde)
1: kd> t
nt!CcPinFileData:
80a14bde 6a68 push 68h
1: kd> dv
FileObject = 0x89469688
FileOffset = 0xf78d25ec {7888896}
Length = 0x1000
ReadOnly = 0x00 ''
WriteOnly = 0x01 ''
Flags = 1
Bcb = 0xf78d2600
BaseAddress = 0xf78d25fc
BeyondLastByte = 0xf78d25e4 {7902739826480}
gu
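第四部分: CcPinFileData 返回(gu)后,查看输出参数 Bcb(0xf78d2600)里得到的 BCB 及其 VACB。BCB 的 FileOffset 为 7888896(0x786000),ByteLength 为 0x1000;BCB 的 BaseAddress 0xc2c46000 等于 VACB 的 BaseAddress 0xc2c40000 加 0x6000。VACB 视图起始处的页以 "RCRD" 签名开头,而刚固定的 0xc2c46000 这一页全为 0(推测是因为 WriteOnly = TRUE 时缓存管理器不必先读入该页原有内容,有待对照源码确认)。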
1: kd> dx -r1 ((ntkrnlmp!_BCB * *)0xf78d2600)
((ntkrnlmp!_BCB * *)0xf78d2600) : 0xf78d2600 [Type: _BCB * *]
0x8962bce8 [Type: _BCB *]
1: kd> dx -r1 ((ntkrnlmp!_BCB *)0x8962bce8)
((ntkrnlmp!_BCB *)0x8962bce8) : 0x8962bce8 [Type: _BCB *]
[+0x000] Dummy [Type: _MBCB]
[+0x000] NodeTypeCode : 765 [Type: short]
[+0x002] Dirty : 0x0 [Type: unsigned char]
[+0x003] Reserved : 0x0 [Type: unsigned char]
[+0x004] ByteLength : 0x1000 [Type: unsigned long]
[+0x008] FileOffset : {7888896} [Type: _LARGE_INTEGER]
[+0x010] BcbLinks [Type: _LIST_ENTRY]
[+0x018] BeyondLastByte : {7892992} [Type: _LARGE_INTEGER]
[+0x020] OldestLsn : {0} [Type: _LARGE_INTEGER]
[+0x028] NewestLsn : {0} [Type: _LARGE_INTEGER]
[+0x030] Vacb : 0x89988498 [Type: _VACB *]
[+0x034] PinCount : 0x1 [Type: unsigned long]
[+0x038] Resource [Type: _ERESOURCE]
[+0x070] SharedCacheMap : 0x89469530 [Type: _SHARED_CACHE_MAP *]
[+0x074] BaseAddress : 0xc2c46000 [Type: void *] // = Vacb->BaseAddress 0xc2c40000 + 0x6000
1: kd> dx -r1 ((ntkrnlmp!_VACB *)0x89988498)
((ntkrnlmp!_VACB *)0x89988498) : 0x89988498 [Type: _VACB *]
[+0x000] BaseAddress : 0xc2c40000 [Type: void *]
[+0x004] SharedCacheMap : 0x89469530 [Type: _SHARED_CACHE_MAP *]
[+0x008] Overlay [Type: __unnamed]
[+0x010] LruList [Type: _LIST_ENTRY]
1: kd> db 0xc2c40000
c2c40000 52 43 52 44 28 00 09 00-eb 01 0f 08 00 00 00 00 RCRD(...........
c2c40010 01 00 00 00 14 00 10 00-58 0f 00 00 00 00 00 00 ........X.......
c2c40020 e0 01 0f 08 00 00 00 00-d7 0e 00 00 00 00 00 00 ................
c2c40030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c2c40040 08 00 0f 08 00 00 00 00-e5 ff 0e 08 00 00 00 00 ................
c2c40050 00 00 00 00 00 00 00 00-28 00 00 00 00 00 00 00 ........(.......
c2c40060 01 00 00 00 18 00 00 00-00 00 00 00 00 00 00 00 ................
c2c40070 1b 00 01 00 28 00 00 00-28 00 04 00 44 00 00 00 ....(...(...D...
1: kd> db 0xc2c46000
c2c46000 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c2c46010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c2c46020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c2c46030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c2c46040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c2c46050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c2c46060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
c2c46070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
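第五部分: 沿 BcbLinks 的 Flink 遍历同一个 SharedCacheMap(0x89469530)上的 BCB。BcbLinks 位于 _BCB 偏移 +0x010 处,所以用链表项地址减 0x10 得到 BCB 的起始地址。依次遍历到的 BCB 的 FileOffset 为 0x785000、0x784000、0x783000、0x782000、0x781000,每个 ByteLength 都是 0x1000,即按文件偏移从高到低排列。注意链表两端出现的 0x894d1288 和 0x894d1280 相差 8 字节,很可能是链表头而不是某个 BCB 内的 BcbLinks,对它们减 0x10 再 dt _BCB 得到的内容没有意义。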
1: kd> dt _BCB 0x8962bce8
nt!_BCB
+0x000 Dummy : _MBCB
+0x000 NodeTypeCode : 0n765
+0x002 Dirty : 0 ''
+0x003 Reserved : 0 ''
+0x004 ByteLength : 0x1000
+0x008 FileOffset : _LARGE_INTEGER 0x786000
+0x010 BcbLinks : _LIST_ENTRY [ 0x894c6668 - 0x894d1288 ]
+0x018 BeyondLastByte : _LARGE_INTEGER 0x787000
+0x020 OldestLsn : _LARGE_INTEGER 0x0
+0x028 NewestLsn : _LARGE_INTEGER 0x0
+0x030 Vacb : 0x89988498 _VACB
+0x034 PinCount : 1
+0x038 Resource : _ERESOURCE
+0x070 SharedCacheMap : 0x89469530 _SHARED_CACHE_MAP
+0x074 BaseAddress : 0xc2c46000 Void
1: kd> dt _bcb 0x894c6668-10
nt!_BCB
+0x000 Dummy : _MBCB
+0x000 NodeTypeCode : 0n765
+0x002 Dirty : 0x1 ''
+0x003 Reserved : 0 ''
+0x004 ByteLength : 0x1000
+0x008 FileOffset : _LARGE_INTEGER 0x785000
+0x010 BcbLinks : _LIST_ENTRY [ 0x894792b8 - 0x8962bcf8 ]
+0x018 BeyondLastByte : _LARGE_INTEGER 0x786000
+0x020 OldestLsn : _LARGE_INTEGER 0x0
+0x028 NewestLsn : _LARGE_INTEGER 0x0
+0x030 Vacb : 0x89988498 _VACB
+0x034 PinCount : 1
+0x038 Resource : _ERESOURCE
+0x070 SharedCacheMap : 0x89469530 _SHARED_CACHE_MAP
+0x074 BaseAddress : 0xc2c45000 Void
1: kd> dt _BCB 0x894792b8-10
nt!_BCB
+0x000 Dummy : _MBCB
+0x000 NodeTypeCode : 0n765
+0x002 Dirty : 0 ''
+0x003 Reserved : 0 ''
+0x004 ByteLength : 0x1000
+0x008 FileOffset : _LARGE_INTEGER 0x784000
+0x010 BcbLinks : _LIST_ENTRY [ 0x895c0018 - 0x894c6668 ]
+0x018 BeyondLastByte : _LARGE_INTEGER 0x785000
+0x020 OldestLsn : _LARGE_INTEGER 0x0
+0x028 NewestLsn : _LARGE_INTEGER 0x0
+0x030 Vacb : (null)
+0x034 PinCount : 1
+0x038 Resource : _ERESOURCE
+0x070 SharedCacheMap : 0x89469530 _SHARED_CACHE_MAP
+0x074 BaseAddress : (null)
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_LIST_ENTRY *)0x894792b8)
((ntkrnlmp!_LIST_ENTRY *)0x894792b8) : 0x894792b8 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x895c0018 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x894c6668 [Type: _LIST_ENTRY *]
1: kd> dt _BCB 0x895c0018-10
nt!_BCB
+0x000 Dummy : _MBCB
+0x000 NodeTypeCode : 0n765
+0x002 Dirty : 0 ''
+0x003 Reserved : 0 ''
+0x004 ByteLength : 0x1000
+0x008 FileOffset : _LARGE_INTEGER 0x783000
+0x010 BcbLinks : _LIST_ENTRY [ 0x89509778 - 0x894792b8 ]
+0x018 BeyondLastByte : _LARGE_INTEGER 0x784000
+0x020 OldestLsn : _LARGE_INTEGER 0x0
+0x028 NewestLsn : _LARGE_INTEGER 0x0
+0x030 Vacb : (null)
+0x034 PinCount : 1
+0x038 Resource : _ERESOURCE
+0x070 SharedCacheMap : 0x89469530 _SHARED_CACHE_MAP
+0x074 BaseAddress : (null)
1: kd> dt _BCB 0x89509778-10
nt!_BCB
+0x000 Dummy : _MBCB
+0x000 NodeTypeCode : 0n765
+0x002 Dirty : 0 ''
+0x003 Reserved : 0 ''
+0x004 ByteLength : 0x1000
+0x008 FileOffset : _LARGE_INTEGER 0x782000
+0x010 BcbLinks : _LIST_ENTRY [ 0x894cd018 - 0x895c0018 ]
+0x018 BeyondLastByte : _LARGE_INTEGER 0x783000
+0x020 OldestLsn : _LARGE_INTEGER 0x0
+0x028 NewestLsn : _LARGE_INTEGER 0x0
+0x030 Vacb : (null)
+0x034 PinCount : 1
+0x038 Resource : _ERESOURCE
+0x070 SharedCacheMap : 0x89469530 _SHARED_CACHE_MAP
+0x074 BaseAddress : (null)
1: kd> dt _BCB 0x894cd018-10
nt!_BCB
+0x000 Dummy : _MBCB
+0x000 NodeTypeCode : 0n765
+0x002 Dirty : 0 ''
+0x003 Reserved : 0 ''
+0x004 ByteLength : 0x1000
+0x008 FileOffset : _LARGE_INTEGER 0x781000
+0x010 BcbLinks : _LIST_ENTRY [ 0x894d1280 - 0x89509778 ]
+0x018 BeyondLastByte : _LARGE_INTEGER 0x782000
+0x020 OldestLsn : _LARGE_INTEGER 0x0
+0x028 NewestLsn : _LARGE_INTEGER 0x0
+0x030 Vacb : (null)
+0x034 PinCount : 1
+0x038 Resource : _ERESOURCE
+0x070 SharedCacheMap : 0x89469530 _SHARED_CACHE_MAP
+0x074 BaseAddress : (null)
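第六部分: 回到 CcPreparePinWrite 后查看局部变量。LocalBuffer = 0xc2c46000,与第四部分 BCB 的 BaseAddress 一致;BeyondLastByte = 7892992(0x787000),等于 FileOffset 0x786000 加 Length 0x1000。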
dv
LocalBuffer = 0xc2c46000
BeyondLastByte = {7892992}
1: kd> ?0n7888896
Evaluate expression: 7888896 = 00786000
//
// In the normal (nonoverlapping) case we return the
// correct buffer address here.
//
// LocalBuffer is the address that the CcPinFileData call shown earlier on
// this page filled in through its &LocalBuffer argument; in this trace it is
// 0xc2c46000, the same value as the BaseAddress field of the returned BCB.
// NOTE(review): MyBcb is not declared in this excerpt. The comparison reads
// as "the BCB slot in use is still the function's own local one", which would
// be the single-BCB case the comment above calls nonoverlapping. Confirm
// against the full function.
//
if (CurrentBcbPtr == (PBCB *)&MyBcb) {
*Buffer = LocalBuffer;
}