Ntfs!ReadIndexBuffer函数分析之nt!CcGetVirtualAddress函数之nt!CcGetVacbMiss

第一部分：

    NtfsMapStream( IrpContext,
                   Scb,
                   LlBytesFromIndexBlocks( IndexBlock, Scb->ScbType.Index.IndexBlockByteShift ),
                   Scb->ScbType.Index.BytesPerIndexBuffer,
                   &Sp->Bcb,
                   &Sp->StartOfBuffer );

0: kd> dv
     IrpContext = 0x89797aa8
            Scb = 0xe1350658
     IndexBlock = 0n0
         Reread = 0x00 ''
             Sp = 0xf78d6824

0: kd> dx -r1 ((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)
((Ntfs!_INDEX_LOOKUP_STACK *)0xf78d6824)                 : 0xf78d6824 [Type: _INDEX_LOOKUP_STACK *]
    [+0x000] Bcb              : 0x0 [Type: void *]
    [+0x004] StartOfBuffer    : 0x0 [Type: void *]
    [+0x008] IndexHeader      : 0x0 [Type: _INDEX_HEADER *]
    [+0x00c] IndexEntry       : 0x0 [Type: _INDEX_ENTRY *]
    [+0x010] IndexBlock       : 0 [Type: __int64]
    [+0x018] CapturedLsn      : {0} [Type: _LARGE_INTEGER]

0: kd> r
eax=00000000 ebx=e1350658 ecx=0000000c edx=00000000 esi=f78d6824 edi=00000000
eip=f7173948 esp=f78d6764 ebp=f78d6770 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
Ntfs!ReadIndexBuffer+0xc2:
f7173948 8d7e04          lea     edi,[esi+4]

0: kd> r
eax=00000000 ebx=e1350658 ecx=0000000c edx=00000000 esi=f78d6824 edi=f78d6828

0: kd> dd 0xf78d6824
f78d6824  00000000 00000000 00000000 00000000
f78d6834  00000000 00000000 00000000 00000000
f78d6844  00000000 00000000 00000000 00000000

BOOLEAN
ReadIndexBuffer (
    IN PIRP_CONTEXT IrpContext,
    IN PSCB Scb,
    IN LONGLONG IndexBlock,
    IN BOOLEAN Reread,
    OUT PINDEX_LOOKUP_STACK Sp
    )

0: kd> dv
     IrpContext = 0x89797aa8
            Scb = 0xe1350658
     FileOffset = 0n0
         Length = 0x1000
            Bcb = 0xf78d6824
         Buffer = 0xf78d6828

0: kd> dx -r1 ((Ntfs!_SCB *)0xe1350658)
((Ntfs!_SCB *)0xe1350658)                 : 0xe1350658 [Type: _SCB *]
    [+0x000] Header           [Type: _NTFS_ADVANCED_FCB_HEADER]
    [+0x040] FcbLinks         [Type: _LIST_ENTRY]
    [+0x048] Fcb              : 0xe1350590 [Type: _FCB *]
    [+0x04c] Vcb              : 0x8962e100 [Type: _VCB *]
    [+0x050] ScbState         : 0x6a0 [Type: unsigned long]
    [+0x054] NonCachedCleanupCount : 0x0 [Type: unsigned long]
    [+0x058] CleanupCount     : 0x0 [Type: unsigned long]
    [+0x05c] CloseCount       : 0x1 [Type: unsigned long]
    [+0x060] ShareAccess      [Type: _SHARE_ACCESS]
    [+0x07c] AttributeTypeCode : 0xa0 [Type: unsigned long]
    [+0x080] AttributeName    : "$I30" [Type: _UNICODE_STRING]
    [+0x088] FileObject       : 0x89455df0 [Type: _FILE_OBJECT *]

0: kd> dx -r1 ((Ntfs!_FILE_OBJECT *)0x89455df0)
((Ntfs!_FILE_OBJECT *)0x89455df0)                 : 0x89455df0 [Type: _FILE_OBJECT *]
    [+0x000] Type             : 5 [Type: short]
    [+0x002] Size             : 112 [Type: short]
    [+0x004] DeviceObject     : 0x894d1c08 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
    [+0x008] Vpb              : 0x899a7008 [Type: _VPB *]
    [+0x00c] FsContext        : 0xe1350658 [Type: void *]
    [+0x010] FsContext2       : 0x0 [Type: void *]
    [+0x014] SectionObjectPointer : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]

0: kd> dx -r1 ((Ntfs!_SECTION_OBJECT_POINTERS *)0x89927294)
((Ntfs!_SECTION_OBJECT_POINTERS *)0x89927294)                 : 0x89927294 [Type: _SECTION_OBJECT_POINTERS *]
    [+0x000] DataSectionObject : 0x89455c30 [Type: void *]
    [+0x004] SharedCacheMap   : 0x89455c98 [Type: void *]
    [+0x008] ImageSectionObject : 0x0 [Type: void *]

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] (null)
   +0x040 Vacbs            : 0x89455cc8  -> (null)
   +0x044 FileObject       : 0x89455df0 _FILE_OBJECT

第二部分：

    //
    //  Call local routine to Map or Access the file data.  If we cannot map
    //  the data because of a Wait condition, return FALSE.
    //

    if (FlagOn(Flags, MAP_WAIT)) {

        *Buffer = CcGetVirtualAddress( SharedCacheMap,
                                       *FileOffset,
                                       (PVACB *)&TempBcb,
                                       &ReceivedLength );

0: kd> kc
 #
00 nt!CcGetVirtualAddress
01 nt!CcMapData
02 Ntfs!NtfsMapStream
03 Ntfs!ReadIndexBuffer
04 Ntfs!FindFirstIndexEntry
05 Ntfs!NtfsUpdateFileNameInIndex
06 Ntfs!NtfsUpdateDuplicateInfo
07 Ntfs!NtfsInitializeSecurity
08 Ntfs!NtfsInitializeSecurityFile
09 Ntfs!NtfsMountVolume
0a Ntfs!NtfsCommonFileSystemControl
0b Ntfs!NtfsFspDispatch
0c nt!ExpWorkerThread
0d nt!PspSystemThreadStartup
0e nt!KiThreadStartup

    if ((TempVacb = GetVacb( SharedCacheMap, FileOffset )) == NULL) {

        TempVacb = CcGetVacbMiss( SharedCacheMap, FileOffset, &OldIrql );    //关键代码：第一次需要调用CcGetVacbMiss函数

#define GetVacb(SCM,OFF) (                                                                \
    ((SCM)->SectionSize.QuadPart > VACB_SIZE_OF_FIRST_LEVEL) ?                            \
    CcGetVacbLargeOffset((SCM),(OFF).QuadPart) :                                          \
    (SCM)->Vacbs[(OFF).LowPart >> VACB_OFFSET_SHIFT]                                      \
)
#define VACB_SIZE_OF_FIRST_LEVEL         (1 << (VACB_OFFSET_SHIFT + VACB_LEVEL_SHIFT))
#define VACB_OFFSET_SHIFT                (18)
#define VACB_LEVEL_SHIFT                  (7)
10    0000    0000    0000    0000    0000    0000
2000000

100 0000 0000 0000 0000
0x40000=256k

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000            1M

0: kd> dv
 SharedCacheMap = 0x89455d68
     FileOffset = {0}

0: kd> p
nt!CcGetVirtualAddress+0x93:
80a1a913 817f1800000002  cmp     dword ptr [edi+18h],2000000h
0: kd> r
eax=00000000 ebx=89455d68 ecx=80b16100 edx=00000000 esi=00000000 edi=89455c98

0: kd> p
nt!CcGetVirtualAddress+0xad:
80a1a92d c1ee12          shr     esi,12h
0: kd> r
eax=89455cc8 ebx=89455d68 ecx=80b16100 edx=00000000 esi=00000000

第三部分：

0: kd> t
Breakpoint 13 hit
nt!CcGetVacbMiss:
80a1a19e 6a30            push    30h
0: kd> kc
 #
00 nt!CcGetVacbMiss
01 nt!CcGetVirtualAddress
02 nt!CcMapData
03 Ntfs!NtfsMapStream
04 Ntfs!ReadIndexBuffer
05 Ntfs!FindFirstIndexEntry
06 Ntfs!NtfsUpdateFileNameInIndex
07 Ntfs!NtfsUpdateDuplicateInfo
08 Ntfs!NtfsInitializeSecurity
09 Ntfs!NtfsInitializeSecurityFile
0a Ntfs!NtfsMountVolume
0b Ntfs!NtfsCommonFileSystemControl
0c Ntfs!NtfsFspDispatch
0d nt!ExpWorkerThread
0e nt!PspSystemThreadStartup
0f nt!KiThreadStartup
0: kd> dv
   SharedCacheMap = 0x89455c98
       FileOffset = {0}
          OldIrql = 0xf78d66ab ""
      PageIsDirty = 0xf78d6704

    ULONG VacbOffset = FileOffset.LowPart & (VACB_MAPPING_GRANULARITY - 1);    =0

    if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {

        Vacb->SharedCacheMap = SharedCacheMap;
        Vacb->Overlay.FileOffset = NormalOffset;
        Vacb->Overlay.ActiveCount = 1;

        SetVacb( SharedCacheMap, NormalOffset, Vacb );

    //
    //  If there is a free view, move it to the LRU and we're done.
    //

    if (!IsListEmpty(&CcVacbFreeList)) {
    
        Vacb = CONTAINING_RECORD( CcVacbFreeList.Flink, VACB, LruList );    //关键代码：空闲列表里面得到一个vacb结构
        CcMoveVacbToReuseTail( Vacb );

0: kd> x nt!CcVacbFreeList
80b1cb58          nt!CcVacbFreeList = struct _LIST_ENTRY [ 0x899880e8 - 0x89993fc8 ]
0: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))
(*((ntkrnlmp!_LIST_ENTRY *)0x80b1cb58))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x899880e8 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89993fc8 [Type: _LIST_ENTRY *]

0: kd> dt _vacb 0x899880e8-10
nt!_VACB
   +0x000 BaseAddress      : (null)
   +0x004 SharedCacheMap   : (null)
   +0x008 Overlay          : __unnamed
   +0x010 LruList          : _LIST_ENTRY [ 0x89988100 - 0x80b1cb58 ]

0: kd> p
nt!CcGetVacbMiss+0x8e:
80a1a22c 8d4610          lea     eax,[esi+10h]
0: kd> pr
eax=899880e8 ebx=89455d68 ecx=00000000 edx=00000000 esi=899880d8

    Vacb->Overlay.ActiveCount = 1;
    SharedCacheMap->VacbActiveCount += 1;

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] (null)
   +0x040 Vacbs            : 0x89455cc8  -> (null)
   +0x044 FileObject       : 0x89455df0 _FILE_OBJECT
   +0x048 ActiveVacb       : (null)
   +0x04c NeedToZero       : (null)
   +0x050 ActivePage       : 0
   +0x054 NeedToZeroPage   : 0
   +0x058 ActiveVacbSpinLock : 0
   +0x05c VacbActiveCount  : 1

第四部分：

        Status = MmMapViewInSystemCache (SharedCacheMap->Section,
                                         &Vacb->BaseAddress,
                                         &NormalOffset,
                                         &MappedLength.LowPart);

0: kd> t
Breakpoint 14 hit
nt!MmMapViewInSystemCache:
80aaecf2 55              push    ebp
0: kd> kc
 #
00 nt!MmMapViewInSystemCache
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!ReadIndexBuffer
06 Ntfs!FindFirstIndexEntry
07 Ntfs!NtfsUpdateFileNameInIndex
08 Ntfs!NtfsUpdateDuplicateInfo
09 Ntfs!NtfsInitializeSecurity
0a Ntfs!NtfsInitializeSecurityFile
0b Ntfs!NtfsMountVolume
0c Ntfs!NtfsCommonFileSystemControl
0d Ntfs!NtfsFspDispatch
0e nt!ExpWorkerThread
0f nt!PspSystemThreadStartup
10 nt!KiThreadStartup
0: kd> dv
    SectionToMap = 0xe13603d0
    CapturedBase = 0x899880d8
   SectionOffset = 0xf78d6648 {0}
CapturedViewSize = 0xf78d6640
       PteOffset = 0xf78d6680`ffffffff
       LastProto = 0x80aaecf2
     PteContents = struct _MMPTE
         OldIrql = 0x48 'H'
         LastPte = 0x899880d8
   LastPteOffset = 0x80aaecf2`00000000
          Waited = 8
        ProtoPte = 0xf78d6648
   NumberOfPages = 0xf78d6640
0: kd> dx -r1 ((ntkrnlmp!unsigned long *)0xf78d6640)
((ntkrnlmp!unsigned long *)0xf78d6640)                 : 0xf78d6640 : 0x40000 [Type: unsigned long *]
    0x40000 [Type: unsigned long]
0: kd> dx -r1 ((ntkrnlmp!void * *)0x899880d8)
((ntkrnlmp!void * *)0x899880d8)                 : 0x899880d8 [Type: void * *]
    0x0 [Type: void *]

        Status = MmMapViewInSystemCache (SharedCacheMap->Section,
                                         &Vacb->BaseAddress,
                                         &NormalOffset,
                                         &MappedLength.LowPart);

0: kd> dt section 0xe13603d0
nt!SECTION
   +0x000 Address          : _MMADDRESS_NODE
   +0x014 Segment          : 0xe1291b48 _SEGMENT
   +0x018 SizeOfSection    : _LARGE_INTEGER 0x100000
   +0x020 u                : __unnamed
   +0x024 InitialPageProtection : 4

0: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_SEGMENT *)0xe1291b48)
((ntkrnlmp!_SEGMENT *)0xe1291b48)                 : 0xe1291b48 [Type: _SEGMENT *]
    [+0x000] ControlArea      : 0x89455c30 [Type: _CONTROL_AREA *]
    [+0x004] TotalNumberOfPtes : 0x100 [Type: unsigned long]
    [+0x008] NonExtendedPtes  : 0x100 [Type: unsigned long]
    [+0x00c] WritableUserReferences : 0x0 [Type: unsigned long]
    [+0x010] SizeOfSegment    : 0x100000 [Type: unsigned __int64]
    [+0x018] SegmentPteTemplate [Type: _MMPTE]
    [+0x01c] NumberOfCommittedPages : 0x0 [Type: unsigned long]
    [+0x020] ExtendInfo       : 0x0 [Type: _MMEXTEND_INFO *]
    [+0x024] SegmentFlags     [Type: _SEGMENT_FLAGS]
    [+0x028] BasedAddress     : 0x0 [Type: void *]
    [+0x02c] u1               [Type: __unnamed]
    [+0x030] u2               [Type: __unnamed]
    [+0x034] PrototypePte     : 0x61444d43 [Type: _MMPTE *]
    [+0x038] ThePtes          [Type: _MMPTE [1]]
0: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_CONTROL_AREA *)0x89455c30)
((ntkrnlmp!_CONTROL_AREA *)0x89455c30)                 : 0x89455c30 [Type: _CONTROL_AREA *]
    [+0x000] Segment          : 0xe1291b48 [Type: _SEGMENT *]
    [+0x004] DereferenceList  [Type: _LIST_ENTRY]
    [+0x00c] NumberOfSectionReferences : 0x1 [Type: unsigned long]
    [+0x010] NumberOfPfnReferences : 0x0 [Type: unsigned long]
    [+0x014] NumberOfMappedViews : 0x0 [Type: unsigned long]
    [+0x018] NumberOfSystemCacheViews : 0x0 [Type: unsigned long]
    [+0x01c] NumberOfUserReferences : 0x0 [Type: unsigned long]
    [+0x020] u                [Type: __unnamed]
    [+0x024] FilePointer      : 0x89455df0 [Type: _FILE_OBJECT *]            FilePointer      : 0x89455df0
    [+0x028] WaitingForDeletion : 0x0 [Type: _EVENT_COUNTER *]
    [+0x02c] ModifiedWriteCount : 0x0 [Type: unsigned short]
    [+0x02e] FlushInProgressCount : 0x0 [Type: unsigned short]

    if (ControlArea->u.Flags.Rom == 0) {
        Subsection = (PSUBSECTION)(ControlArea + 1);
    }
    else {
        Subsection = (PSUBSECTION)((PLARGE_CONTROL_AREA)ControlArea + 1);
    }

0: kd> dt subsection 0x89455c30+30
nt!SUBSECTION
   +0x000 ControlArea      : 0x89455c30 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0x100
   +0x010 SubsectionBase   : (null)
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 0x100
   +0x01c NextSubsection   : (null)

   NumberOfPages = BYTES_TO_PAGES (*CapturedViewSize);    =eax=00000040

0: kd> p
nt!MmMapViewInSystemCache+0xab:
80aaed9d 03f0            add     esi,eax
0: kd> r
eax=00000040 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=89455c30

   SectionOffset = 0xf78d6648 {0}

    PteOffset = (UINT64)(SectionOffset->QuadPart >> PAGE_SHIFT);    0x0
    LastPteOffset = PteOffset + NumberOfPages;            0x40

    PointerPte = MmFirstFreeSystemCache;            //关键代码：得到PointerPte

    //
    // Update next free entry.
    //

    ASSERT (PointerPte->u.Hard.Valid == 0);

    MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;
    ASSERT (MmFirstFreeSystemCache <= MiGetPteAddress (MmSystemCacheEnd));

0: kd> x nt!MmFirstFreeSystemCache
80b23594          nt!MmFirstFreeSystemCache = 0xc0305300

0: kd> dd 0xc0305300
c0305300  c1500000 00000000 00000000 00000000
c0305310  00000000 00000000 00000000 00000000
c0305320  00000000 00000000 00000000 00000000
c0305330  00000000 00000000 00000000 00000000
c0305340  00000000 00000000 00000000 00000000

0: kd> x nt!MmSystemCachePteBase
80b2358c          nt!MmSystemCachePteBase = 0xc0000000

      +0x000 List             : _MMPTE_LIST
         +0x000 Valid            : Pos 0, 1 Bit
         +0x000 OneEntry         : Pos 1, 1 Bit
         +0x000 filler0          : Pos 2, 8 Bits
         +0x000 Prototype        : Pos 10, 1 Bit
         +0x000 filler1          : Pos 11, 1 Bit
         +0x000 NextEntry        : Pos 12, 20 Bits

c1500
1100 0001 0101 0000 0000

1100 0001 0101 0000 0000 00

11    00 00    01 01    01 00    00 00    00 00

305400
c0305400

0: kd> dd c0305400
c0305400  c1540000 00000000 00000000 00000000

0: kd> p
nt!MmMapViewInSystemCache+0x229:
80aaef1b 8d0481          lea     eax,[ecx+eax*4]
0: kd> p
nt!MmMapViewInSystemCache+0x22c:
80aaef1e 8b0da003bf80    mov     ecx,dword ptr [nt!MmSystemCacheEnd (80bf03a0)]
0: kd> r
eax=c0305400

    MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;    =eax=c0305400

第五部分：

0: kd> p
nt!MmMapViewInSystemCache+0x296:
80aaef88 e8bfa8feff      call    nt!MiAddViewsForSection (80a9984c)
0: kd> t
nt!MiAddViewsForSection:
80a9984c 55              push    ebp
0: kd> dv
StartMappedSubsection = 0x89455c60
        LastPteOffset = 0x40
              OldIrql = 0x00 ''
               Waited = 0xf78d6618

            Size = (MappedSubsection->PtesInSubsection + MappedSubsection->UnusedPtes) * sizeof(MMPTE);

            ASSERT (Size != 0);

            ProtoPtes = (PMMPTE)ExAllocatePoolWithTag (PagedPool | POOL_MM_ALLOCATION,
                                                       Size,
                                                       MMSECT);

0: kd> p
nt!MiAddViewsForSection+0x17f:
80a999cb e808190700      call    nt!ExAllocatePoolWithTag (80b0b2d8)
0: kd> p
Breakpoint 3 hit
nt!MmAccessFault:
80abcfda 55              push    ebp
0: kd> kc
 #
00 nt!MmAccessFault
01 nt!_KiTrap0E
02 nt!ExAllocatePoolWithTag
03 nt!MiAddViewsForSection
04 nt!MmMapViewInSystemCache
05 nt!CcGetVacbMiss
06 nt!CcGetVirtualAddress
07 nt!CcMapData
08 Ntfs!NtfsMapStream
09 Ntfs!ReadIndexBuffer
0a Ntfs!FindFirstIndexEntry
0b Ntfs!NtfsUpdateFileNameInIndex
0c Ntfs!NtfsUpdateDuplicateInfo
0d Ntfs!NtfsInitializeSecurity
0e Ntfs!NtfsInitializeSecurityFile
0f Ntfs!NtfsMountVolume
10 Ntfs!NtfsCommonFileSystemControl
11 Ntfs!NtfsFspDispatch
12 nt!ExpWorkerThread
13 nt!PspSystemThreadStartup
14 nt!KiThreadStartup
0: kd> dv
    FaultStatus = 1
 VirtualAddress = 0xe13c3000

0: kd> gu
nt!MiAddViewsForSection+0x184:
80a999d0 8bd8            mov     ebx,eax
0: kd> r
eax=e13c3008

            ProtoPtes = (PMMPTE)ExAllocatePoolWithTag (PagedPool | POOL_MM_ALLOCATION,
                                                       Size,
                                                       MMSECT);    =eax=e13c3008    //关键代码，是随机分配来的。

第六部分：

            TempPte.u.Long = MiGetSubsectionAddressForPte (MappedSubsection);
            TempPte.u.Soft.Prototype = 1;

0: kd> p
nt!MiAddViewsForSection+0x1b1:
80a999fd 0bc1            or      eax,ecx
0: kd> r
eax=7854c000 ebx=e13c3008 ecx=00000018 edx=0000017f esi=89455c60 edi=00000400

#define MiGetSubsectionAddressForPte(VA)                   \
            (((ULONG)(VA) < (ULONG)MmSubsectionBase + 128*1024*1024) ?                  \
   (((((ULONG)VA - (ULONG)MmSubsectionBase)>>2) & (ULONG)0x0000001E) |  \
   ((((((ULONG)VA - (ULONG)MmSubsectionBase)<<4) & (ULONG)0x7ffff800)))| \
   0x80000000) \
            : \
   (((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)>>2) & (ULONG)0x0000001E) |  \
   ((((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)<<4) & (ULONG)0x7ffff800)))))

0: kd> x nt!MmSubsectionBase
80be3860          nt!MmSubsectionBase = 0x81c01000

0: kd> p
nt!MiAddViewsForSection+0x1b3:
80a999ff 0d00000080      or      eax,80000000h
0: kd> p
nt!MiAddViewsForSection+0x1b8:
80a99a04 eb1a            jmp     nt!MiAddViewsForSection+0x1d4 (80a99a20)
0: kd> r
eax=f854c018

            TempPte.u.Long = MiGetSubsectionAddressForPte (MappedSubsection);        =eax=f854c018
            TempPte.u.Soft.Prototype = 1;

            MiFillMemoryPte (ProtoPtes, Size / sizeof (MMPTE), TempPte.u.Long);

0: kd> dd e13c3008
e13c3008  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3018  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3028  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3038  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3048  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3058  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3068  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3078  f854c4d8 f854c4d8 f854c4d8 f854c4d8
0: kd> dd e13c3008+80*7
e13c3388  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c3398  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33a8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33b8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33c8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33d8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33e8  f854c4d8 f854c4d8 f854c4d8 f854c4d8
e13c33f8  f854c4d8 f854c4d8 f854c4d8 f854c4d8

0: kd> ?0n256/0n32
Evaluate expression: 8 = 00000008

            if (MappedSubsection->SubsectionBase == NULL) {

                ASSERT (MappedSubsection->NumberOfMappedViews == 1);

                MappedSubsection->SubsectionBase = ProtoPtes;
            }

0: kd> dt subsection 0x89455c30+30
nt!SUBSECTION
   +0x000 ControlArea      : 0x89455c30 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0x100
   +0x010 SubsectionBase   : 0xe13c3008 _MMPTE            //+0x010 SubsectionBase   : 0xe13c3008 _MMPTE
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 0x100
   +0x01c NextSubsection   : (null)

第七部分：

返回到这里：
        Status = MiAddViewsForSection ((PMSUBSECTION)Subsection,
                                       LastPteOffset,
                                       OldIrql,
                                       &Waited);
返回到这里：

    //
    // Zero this explicitly now since the number of pages may be only 1.
    //

    (PointerPte + 1)->u.List.NextEntry = 0;

    *CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte);        //关键代码：

#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))

esi=c0305300

0: kd> x nt!MmFirstFreeSystemCache
80b23594          nt!MmFirstFreeSystemCache = 0xc0305300

c0305300

1100 0000 0011 0000 0101 0011 0000 0000

11 0000 0101 0011 0000 0000 00 0000 0000

11 00    00 01    01 00    11 00    00 00    00 00 0000 0000

0xc14c0000

0: kd> p
nt!MmMapViewInSystemCache+0x37c:
80aaf06e 8901            mov     dword ptr [ecx],eax
0: kd> p
nt!MmMapViewInSystemCache+0x37e:
80aaf070 8b4310          mov     eax,dword ptr [ebx+10h]
0: kd> r
eax=c14c0000

    *CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte);    =eax=c14c0000

    ProtoPte = &Subsection->SubsectionBase[PteOffset];

    LastProto = &Subsection->SubsectionBase[Subsection->PtesInSubsection];

    LastPte = PointerPte + NumberOfPages;

dv

        ProtoPte = 0xe13c3008
         LastPte = 0xc0305400
       LastProto = 0xe13c3408

        PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);
        MI_WRITE_INVALID_PTE (PointerPte, PteContents);

#define MiProtoAddressForKernelPte(proto_va)  MiProtoAddressForPte(proto_va)

#define MiProtoAddressForPte(proto_va)  \
   ((((((ULONG)proto_va - MmProtopte_Base) >> 1) & (ULONG)0x000000FE)   | \
    (((((ULONG)proto_va - MmProtopte_Base) << 2) & (ULONG)0xfffff800))) | \
    MM_PTE_PROTOTYPE_MASK)

#define MmProtopte_Base ((ULONG)MmPagedPoolStart)

0: kd> x nt!MmPagedPoolStart
80b15028          nt!MmPagedPoolStart = 0xe1000000

3c3008

0011 1100 0011 0000 0000 1000

0011 1100 0011 0000 0000 100

04

0011 1100 0011 0000 0000 1000 00

00    11 11    00 00    11 00    00 00    00 10    00 00

f0c000

f0c004

0: kd> dd c0305300
c0305300  c1500000 00000000 00000000 00000000
c0305310  00000000 00000000 00000000 00000000
c0305320  00000000 00000000 00000000 00000000
c0305330  00000000 00000000 00000000 00000000
c0305340  00000000 00000000 00000000 00000000
c0305350  00000000 00000000 00000000 00000000
c0305360  00000000 00000000 00000000 00000000
c0305370  00000000 00000000 00000000 00000000

0: kd> gu
nt!CcGetVacbMiss+0x300:
80a1a49e 8945d4          mov     dword ptr [ebp-2Ch],eax

0: kd> dd c0305300
c0305300  00f0c404 00f0c406 00f0c408 00f0c40a
c0305310  00f0c40c 00f0c40e 00f0c410 00f0c412
c0305320  00f0c414 00f0c416 00f0c418 00f0c41a
c0305330  00f0c41c 00f0c41e 00f0c420 00f0c422
c0305340  00f0c424 00f0c426 00f0c428 00f0c42a
c0305350  00f0c42c 00f0c42e 00f0c430 00f0c432
c0305360  00f0c434 00f0c436 00f0c438 00f0c43a
c0305370  00f0c43c 00f0c43e 00f0c440 00f0c442

第八部分：

    if ((TempVacb = GetVacb( SharedCacheMap, NormalOffset )) == NULL) {

        Vacb->SharedCacheMap = SharedCacheMap;
        Vacb->Overlay.FileOffset = NormalOffset;
        Vacb->Overlay.ActiveCount = 1;

        SetVacb( SharedCacheMap, NormalOffset, Vacb );

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] (null)
   +0x040 Vacbs            : 0x89455cc8  -> (null)

        Vacb->SharedCacheMap = SharedCacheMap;    esi=899880d8
        Vacb->Overlay.FileOffset = NormalOffset;
        Vacb->Overlay.ActiveCount = 1;

        SetVacb( SharedCacheMap, NormalOffset, Vacb );

回顾：
        Status = MmMapViewInSystemCache (SharedCacheMap->Section,
                                         &Vacb->BaseAddress,                +0x000 BaseAddress      : 0xc14c0000 Void
                                         &NormalOffset,
                                         &MappedLength.LowPart);

0: kd> dt _vacb 899880d8
nt!_VACB
   +0x000 BaseAddress      : 0xc14c0000 Void
   +0x004 SharedCacheMap   : 0x89455c98 _SHARED_CACHE_MAP
   +0x008 Overlay          : __unnamed
   +0x010 LruList          : _LIST_ENTRY [ 0x80b1cb60 - 0x89988010 ]

0: kd> dt SHARED_CACHE_MAP 0x89455c98
nt!SHARED_CACHE_MAP
   +0x000 NodeTypeCode     : 0n767
   +0x002 NodeByteSize     : 0n304
   +0x004 OpenCount        : 1
   +0x008 FileSize         : _LARGE_INTEGER 0x2000
   +0x010 BcbList          : _LIST_ENTRY [ 0x89455ca8 - 0x89455ca8 ]
   +0x018 SectionSize      : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x028 ValidDataGoal    : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 InitialVacbs     : [4] 0x899880d8 _VACB
   +0x040 Vacbs            : 0x89455cc8  -> 0x899880d8 _VACB

0: kd> dd 0x89455cc8
89455cc8  899880d8 00000000 00000000 00000000

0: kd> p
nt!CcGetVacbMiss+0x59d:
80a1a73b c21000          ret     10h
0: kd> p
nt!CcGetVirtualAddress+0xc7:
80a1a947 8bf0            mov     esi,eax
0: kd> r
eax=899880d8