An investigation of the file read operation path

R3->R0 process



R0 file read process



Related kernel objects

a) FileObject

kd> dt fltobjects
Local var @ 0xee55eb0c Type _FLT_RELATED_OBJECTS*
0xee55ebcc 
   +0x000 Size             : 0x18
   +0x002 TransactionContext : 0
   +0x004 Filter           : 0x86008bf8 _FLT_FILTER
   +0x008 Volume           : 0x863b4430 _FLT_VOLUME
   +0x00c Instance         : 0x863cb1d0 _FLT_INSTANCE
   +0x010 FileObject       : 0x864956c0 _FILE_OBJECT
   +0x014 Transaction      : (null) 


kd> !fileobj 0x864956c0
\Documents and Settings\Administrator\Desktop\Document.rtf
Device Object: 0x86539900   \Driver\Ftdisk
Vpb: 0x86524a80
Access: Read SharedRead 
Flags:  0xc0042
Synchronous IO
Cache Supported
Handle Created
Fast IO Read
File Object is currently busy and has 0 waiters.
FsContext: 0xe1355cb0   // CommonFCB
FsContext2: 0xe1355e08  // CCB
CurrentByteOffset: 0
Cache Data:
  Section Object Pointers: 8601ef2c
  Shared Cache Map: 00000000


b) FsContext: CommonFCB

kd> dt _FSRTL_COMMON_FCB_HEADER 0xe1355cb0 
minifilter!_FSRTL_COMMON_FCB_HEADER
   +0x000 NodeTypeCode     : 0n1797
   +0x002 NodeByteSize     : 0n344
   +0x004 Flags            : 0x60 '`' //  FSRTL_FLAG_USER_MAPPED_FILE|FSRTL_FLAG_ADVANCED_HEADER
   +0x005 IsFastIoPossible : 0x1 ''
   +0x006 Flags2           : 0x2 ''   //  FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS
   +0x007 Reserved         : 0y0000
   +0x007 Version          : 0y0000
   +0x008 Resource         : 0x8604bfa0 _ERESOURCE
   +0x00c PagingIoResource : 0x864ccd98 _ERESOURCE
   +0x010 AllocationSize   : _LARGE_INTEGER 0x7000
   +0x018 FileSize         : _LARGE_INTEGER 0x7000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7000



kd> dt _FSRTL_ADVANCED_FCB_HEADER 0xe1355cb0 
miniflt!_FSRTL_ADVANCED_FCB_HEADER
   +0x000 NodeTypeCode     : 0n1797
   +0x002 NodeByteSize     : 0n344
   +0x004 Flags            : 0x60 '`'
   +0x005 IsFastIoPossible : 0x1 ''
   +0x006 Flags2           : 0x2 ''
   +0x007 Reserved         : 0y0000
   +0x007 Version          : 0y0000
   +0x008 Resource         : 0x8604bfa0 _ERESOURCE
   +0x00c PagingIoResource : 0x864ccd98 _ERESOURCE
   +0x010 AllocationSize   : _LARGE_INTEGER 0x7000
   +0x018 FileSize         : _LARGE_INTEGER 0x7000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7000
   +0x028 FastMutex        : 0x8601eef8 _FAST_MUTEX
   +0x02c FilterContexts   : _LIST_ENTRY [ 0x862d0b8c - 0x862d0b8c ]
   +0x034 PushLock         : 0
   +0x038 FileContextSupportPointer : 0xe1355dc0  -> 0xe1355dc0 Void
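As an added example (not part of the original notes), the C program below models the x86 layout of _FSRTL_ADVANCED_FCB_HEADER shown in the dt output, confirms that its offsets match the dump, decodes the FILE_OBJECT Flags value 0xc0042 into the names !fileobj printed, and implements the two checks a minifilter makes on this header before it touches FilterContexts or relies on seeing every read. The flag values are the real ntifs.h definitions; the struct type FSRTL_ADVANCED_FCB_HEADER32, the function names and the sample header built from the values above are constructed for this example, and it runs as a user-mode program on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag values are the real ntifs.h definitions. The struct is an x86 model of
 * _FSRTL_ADVANCED_FCB_HEADER: 32-bit pointers become uint32_t so offsetof() matches dt. */
#define FO_SYNCHRONOUS_IO                    0x00000002
#define FO_CACHE_SUPPORTED                   0x00000040
#define FO_HANDLE_CREATED                    0x00040000
#define FO_FILE_FAST_IO_READ                 0x00080000
#define FSRTL_FLAG_USER_MAPPED_FILE          0x20
#define FSRTL_FLAG_ADVANCED_HEADER           0x40
#define FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS 0x02

typedef struct { uint32_t Flink, Blink; } LIST_ENTRY32;

typedef struct {
    int16_t      NodeTypeCode;              /* +0x000 */
    int16_t      NodeByteSize;              /* +0x002 */
    uint8_t      Flags;                     /* +0x004 */
    uint8_t      IsFastIoPossible;          /* +0x005  1 == FastIoIsPossible */
    uint8_t      Flags2;                    /* +0x006 */
    uint8_t      ReservedVersion;           /* +0x007  two 4-bit fields in the real header */
    uint32_t     Resource;                  /* +0x008  PERESOURCE */
    uint32_t     PagingIoResource;          /* +0x00c  PERESOURCE */
    int64_t      AllocationSize;            /* +0x010 */
    int64_t      FileSize;                  /* +0x018 */
    int64_t      ValidDataLength;           /* +0x020 */
    uint32_t     FastMutex;                 /* +0x028  PFAST_MUTEX */
    LIST_ENTRY32 FilterContexts;            /* +0x02c */
    uint32_t     PushLock;                  /* +0x034 */
    uint32_t     FileContextSupportPointer; /* +0x038 */
} FSRTL_ADVANCED_FCB_HEADER32;

/* True when the model reproduces the offsets shown in the dt output. */
int fcb_layout_matches_dump(void) {
    return offsetof(FSRTL_ADVANCED_FCB_HEADER32, Flags) == 0x04
        && offsetof(FSRTL_ADVANCED_FCB_HEADER32, Resource) == 0x08
        && offsetof(FSRTL_ADVANCED_FCB_HEADER32, AllocationSize) == 0x10
        && offsetof(FSRTL_ADVANCED_FCB_HEADER32, FastMutex) == 0x28
        && offsetof(FSRTL_ADVANCED_FCB_HEADER32, FilterContexts) == 0x2c
        && offsetof(FSRTL_ADVANCED_FCB_HEADER32, FileContextSupportPointer) == 0x38;
}

struct bit_name { uint32_t bit; const char *name; };
/* Renders the set bits of value as "A|B|C"; bits missing from the table are left as hex. */
static void describe_bits(uint32_t value, const struct bit_name *t, size_t n, char *out, size_t cap) {
    size_t used = 0, i;
    out[0] = '\0';
    for (i = 0; i < n && used < cap; i++) {
        if (!(value & t[i].bit)) continue;
        used += (size_t)snprintf(out + used, cap - used, "%s%s", used ? "|" : "", t[i].name);
        value &= ~t[i].bit;
    }
    if (value && used < cap)
        snprintf(out + used, cap - used, "%s0x%x", used ? "|" : "", value);
}

/* Decodes FILE_OBJECT.Flags the way !fileobj prints it. Static buffer: demo only, not reentrant. */
const char *describe_fo_flags(uint32_t flags) {
    static const struct bit_name t[] = {
        { FO_SYNCHRONOUS_IO, "Synchronous IO" }, { FO_CACHE_SUPPORTED, "Cache Supported" },
        { FO_HANDLE_CREATED, "Handle Created" }, { FO_FILE_FAST_IO_READ, "Fast IO Read" },
    };
    static char buf[128];
    describe_bits(flags, t, sizeof t / sizeof t[0], buf, sizeof buf);
    return buf;
}

/* The test FltSupportsStreamContexts() makes before a filter may use FilterContexts:
 * the header must be the advanced form and the file system must have opted in. */
int fcb_supports_filter_contexts(const FSRTL_ADVANCED_FCB_HEADER32 *h) {
    return (h->Flags & FSRTL_FLAG_ADVANCED_HEADER) != 0
        && (h->Flags2 & FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS) != 0;
}

/* Set once a user-mode section maps the file; accesses through that mapping
 * do not arrive at a filter as IRP_MJ_READ. */
int fcb_is_user_mapped(const FSRTL_ADVANCED_FCB_HEADER32 *h) {
    return (h->Flags & FSRTL_FLAG_USER_MAPPED_FILE) != 0;
}

/* Constructed from the dt output above for Document.rtf (0x7000 bytes). */
const FSRTL_ADVANCED_FCB_HEADER32 *sample_fcb(void) {
    static const FSRTL_ADVANCED_FCB_HEADER32 h = {
        1797, 344, 0x60, 1, 0x02, 0, 0x8604bfa0, 0x864ccd98, 0x7000, 0x7000, 0x7000,
        0x8601eef8, { 0x862d0b8c, 0x862d0b8c }, 0, 0xe1355dc0 };
    return &h;
}

int main(void) {
    const FSRTL_ADVANCED_FCB_HEADER32 *h = sample_fcb();
    printf("layout matches dump: %d\n", fcb_layout_matches_dump());
    printf("FILE_OBJECT Flags 0xc0042: %s\n", describe_fo_flags(0xc0042));
    printf("filter contexts: %d  user mapped: %d  fast I/O: %d\n",
           fcb_supports_filter_contexts(h), fcb_is_user_mapped(h), h->IsFastIoPossible == 1);
    return 0;
}
```

The FSRTL_FLAG_USER_MAPPED_FILE bit deserves a filter author's attention: Document.rtf has been mapped by its reader, so later accesses can be satisfied from the mapped pages without any IRP_MJ_READ reaching the filter. A filter that relies on seeing every read of a file has to account for paging I/O and mapped access rather than the buffered read path alone.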



c) Vpb

kd> !vpb 0x86524a80
Vpb at 0x86524a80
Flags: 0x1 mounted 
DeviceObject: 0x8606e020
RealDevice:   0x86539900
RefCount: 2557
Volume Label: 


Device object (Vpb->DeviceObject)

kd> !devobj 0x8606e020 
Device object (8606e020) is for:
  \FileSystem\Ntfs DriverObject 865276f0
Current Irp 00000000 RefCount 0 Type 00000008 Flags 00000000
DevExt 8606e0d8 DevObjExt 8606e880 
ExtensionFlags (0000000000)  
Characteristics (0000000000)  
AttachedDevice (Upper) 8606fdd0 \FileSystem\sr
Device queue is not busy.


Real device object (Vpb->RealDevice)

kd> !devobj 0x86539900 
Device object (86539900) is for:
 HarddiskVolume1 \Driver\Ftdisk DriverObject 8634bf38
Current Irp 00000000 RefCount 2557 Type 00000007 Flags 00001150
Vpb 86524a80 Dacl e13ffa3c DevExt 865399b8 DevObjExt 86539aa0 Dope 865e49b8 DevNode 8643d9b8 
ExtensionFlags (0000000000)  
Characteristics (0000000000)  
AttachedDevice (Upper) 8640b900 \Driver\VolSnap
Device queue is not busy.



IRP and device stacks

a) Device stack on the file system device

kd> !devstack 0x8606e020 // Vpb->DeviceObject
  !DevObj   !DrvObj            !DevExt   ObjectName
  863b4838  \FileSystem\FltMgr 863b48f0  
  8606fdd0  \FileSystem\sr     8606fe88  
> 8606e020  \FileSystem\Ntfs   8606e0d8  // device being examined


b) Device stack on the volume device

kd> !devstack 0x86539900 // FileObject->DeviceObject, or Vpb->RealDevice
  !DevObj   !DrvObj            !DevExt   ObjectName
  8640b900  \Driver\VolSnap    8640b9b8  
> 86539900  \Driver\Ftdisk     865399b8  HarddiskVolume1 // device being examined
!DevNode 8643d9b8 :
  DeviceInst is "STORAGE\Volume\1&30a96598&0&Signature99639963Offset7000Length9FF662000"
  ServiceName is "VolSnap"
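The two stacks above can be put together to show where a read IRP for Document.rtf is actually sent. The C program below is an added example, not from the original notes: it models DEVICE_OBJECT, VPB and FILE_OBJECT with only the fields the dumps show (the type names DevObj, Vpb and FileObj, the global objects and the function names are constructed for this example), builds both stacks from the addresses on this page, and applies a simplified form of the IoGetRelatedDeviceObject and IoGetAttachedDevice logic: a file on a mounted volume is addressed through Vpb->DeviceObject (Ntfs), so the IRP enters at the top of the file-system stack (FltMgr), while the device the file object itself names (Ftdisk, under VolSnap) only sees the block-level I/O that NTFS issues afterwards.

```c
#include <stdint.h>
#include <stdio.h>

/* Modelled subsets of DEVICE_OBJECT, VPB and FILE_OBJECT (not the ntifs.h definitions);
 * addresses and driver names are the ones printed by !devstack, !vpb and !fileobj above. */
#define VPB_MOUNTED           0x0001      /* real ntifs.h value */
#define FO_DIRECT_DEVICE_OPEN 0x00000800  /* real ntifs.h value */

typedef struct DevObj {
    uint32_t       addr;      /* !DevObj column */
    const char    *driver;    /* !DrvObj column */
    struct DevObj *attached;  /* AttachedDevice (Upper); NULL at the top of the stack */
} DevObj;

typedef struct { uint32_t addr; uint16_t flags; DevObj *device_object; DevObj *real_device; } Vpb;
typedef struct { uint32_t addr; uint32_t flags; DevObj *device_object; Vpb *vpb; } FileObj;

/* File-system stack: FltMgr over sr over Ntfs (Vpb->DeviceObject). */
static DevObj fltmgr  = { 0x863b4838, "\\FileSystem\\FltMgr", NULL };
static DevObj sr      = { 0x8606fdd0, "\\FileSystem\\sr",     &fltmgr };
static DevObj ntfs    = { 0x8606e020, "\\FileSystem\\Ntfs",   &sr };
/* Volume stack: VolSnap over Ftdisk (FileObject->DeviceObject == Vpb->RealDevice). */
static DevObj volsnap = { 0x8640b900, "\\Driver\\VolSnap", NULL };
static DevObj ftdisk  = { 0x86539900, "\\Driver\\Ftdisk",  &volsnap };
static Vpb     vpb     = { 0x86524a80, VPB_MOUNTED, &ntfs, &ftdisk };
static FileObj doc_rtf = { 0x864956c0, 0xc0042, &ftdisk, &vpb };   /* Document.rtf */

/* IoGetAttachedDevice equivalent: climb AttachedDevice until nothing is above. */
DevObj *top_of_stack(DevObj *d) { while (d->attached) d = d->attached; return d; }

int stack_depth(const DevObj *d) { int n = 0; for (; d; d = d->attached) n++; return n; }

/* Simplified IoGetRelatedDeviceObject: a file on a mounted volume is addressed through
 * the file system's volume device (Vpb->DeviceObject), not the storage volume device the
 * file object names, unless the handle was opened with FO_DIRECT_DEVICE_OPEN. */
DevObj *related_device(FileObj *f) {
    DevObj *base = f->device_object;
    if (!(f->flags & FO_DIRECT_DEVICE_OPEN) && f->vpb
        && (f->vpb->flags & VPB_MOUNTED) && f->vpb->device_object)
        base = f->vpb->device_object;
    return top_of_stack(base);
}

/* Where a read IRP for Document.rtf is delivered: the top of the file-system stack. */
uint32_t read_irp_target(void) { return related_device(&doc_rtf)->addr; }

/* A handle opened on the volume device itself never enters the file-system stack,
 * which is why a filter that must see all data access also has to watch the volume path. */
uint32_t direct_open_target(void) {
    FileObj f = doc_rtf;
    f.flags |= FO_DIRECT_DEVICE_OPEN;
    return related_device(&f)->addr;   /* top of the volume stack: VolSnap */
}

/* Prints a stack top-down in the order !devstack shows it, marking the base with '>'. */
static void print_stack(const DevObj *d, const DevObj *base) {
    if (!d) return;
    print_stack(d->attached, base);
    printf("%c %08x  %s\n", d == base ? '>' : ' ', d->addr, d->driver);
}

int main(void) {
    print_stack(&ntfs, &ntfs);
    print_stack(&ftdisk, &ftdisk);
    printf("read IRP target: %08x (%s)\n", read_irp_target(), related_device(&doc_rtf)->driver);
    printf("direct volume open target: %08x\n", direct_open_target());
    return 0;
}
```

The practical consequence for a minifilter is that it sits on the FltMgr device at the top of the Ntfs stack and sees the IRP_MJ_READ for Document.rtf, whereas a driver on the volume stack (VolSnap) sees only the paging reads NTFS issues against the volume, with no file name attached.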
