to display the control area using the address:
lkd> !ca 0x863d3b00
ControlArea @ 863d3b00
Segment b1de9d48 Flink 00000000 Blink 8731f80c
Section Ref 1 Pfn Ref 48 Mapped Views 2
User Ref 0 WaitForDel 0 Flush Count 0
File Object 86cf6188 ModWriteCount 0 System Views 2
WritableRefs 0
Flags (c080) File WasPurged Accessed
No name for file
Segment @ b1de9d48
ControlArea 863d3b00 ExtendInfo 00000000
Total Ptes 100
Segment Size 100000 Committed 0
Flags (c0000) ProtectionMask
Subsection 1 @ 863d3b48
ControlArea 863d3b00 Starting Sector 0 Number Of Sectors 100
Base Pte bf85e008 Ptes In Subsect 100 Unused Ptes 0
Flags d Sector Offset 0 Protection 6
Accessed
Flink 00000000 Blink 8731f87c MappedViews 2
Another technique is to display the list of all control areas with the !memusage command. The following excerpt is from the output of this command:
lkd> !memusage
loading PFN database
loading (100% complete)
Compiling memory usage data (99% Complete).
Zeroed: 2654 ( 10616 kb)
Free: 584 ( 2336 kb)
Standby: 402938 (1611752 kb)
Modified: 12732 ( 50928 kb)
ModifiedNoWrite: 3 ( 12 kb)
Active/Valid: 431478 (1725912 kb)
Transition: 1186 ( 4744 kb)
Bad: 0 ( 0 kb)
Unknown: 0 ( 0 kb)
TOTAL: 851575 (3406300 kb)
Building kernel map
Finished building kernel map
Scanning PFN database - (100% complete)
Usage Summary (in Kb):
 Control  Valid Standby Dirty Shared Locked PageTables  name
86d75f18      0      64     0      0      0          0  mapped_file( netcfgx.dll )
8a124ef8      0       4     0      0      0          0  No Name for File
8747af80      0      52     0      0      0          0  mapped_file( iebrshim.dll )
883a2e58     24       8     0      0      0          0  mapped_file( WINWORD.EXE )
86d6eae0      0      16     0      0      0          0  mapped_file( oem13.CAT )
84b19af8      8       0     0      0      0          0  No Name for File
b1672ab0      4       0     0      0      0          0  No Name for File
88319da8      0      20     0      0      0          0  mapped_file( Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~x86~en-US~6.0.6001.18000.cat )
8a04db00      0      48     0      0      0          0  mapped_file( eapahost.dll )
The Control column points to the control area structure that describes the mapped file. You can display control areas, segments, and subsections with the kernel debugger !ca command. For example, to dump the control area for the mapped file Winword.exe listed in this output, type the !ca command followed by the Control number, as shown here:
lkd> !ca 883a2e58
ControlArea @ 883a2e58
Segment ee613998 Flink 00000000 Blink 88a985a4
Section Ref 1 Pfn Ref 8 Mapped Views 1
User Ref 2 WaitForDel 0 Flush Count 0
File Object 88b45180 ModWriteCount 0 System Views ffff
WritableRefs 80000006
Flags (40a0) Image File Accessed
File: \PROGRA~1\MICROS~1\Office12\WINWORD.EXE
Segment @ ee613998
ControlArea 883a2e58 BasedAddress 2f510000
Total Ptes 57
Segment Size 57000 Committed 0
Image Commit 1 Image Info ee613c80
ProtoPtes ee6139c8
Flags (20000) ProtectionMask
Subsection 1 @ 883a2ea0
ControlArea 883a2e58 Starting Sector 0 Number Of Sectors 2
Base Pte ee6139c8 Ptes In Subsect 1 Unused Ptes 0
Flags 2 Sector Offset 0 Protection 1
Subsection 2 @ 883a2ec0
ControlArea 883a2e58 Starting Sector 2 Number Of Sectors a
Base Pte ee6139d0 Ptes In Subsect 2 Unused Ptes 0
Flags 6 Sector Offset 0 Protection 3
Subsection 3 @ 883a2ee0
ControlArea 883a2e58 Starting Sector c Number Of Sectors 1
Base Pte ee6139e0 Ptes In Subsect 1 Unused Ptes 0
Flags a Sector Offset 0 Protection 5
Subsection 4 @ 883a2f00
ControlArea 883a2e58 Starting Sector d Number Of Sectors 28b
Base Pte ee6139e8 Ptes In Subsect 52 Unused Ptes 0
Flags 2 Sector Offset 0 Protection 1
Subsection 5 @ 883a2f20
ControlArea 883a2e58 Starting Sector 298 Number Of Sectors 1
Base Pte ee613c78 Ptes In Subsect 1 Unused Ptes 0
Flags 2 Sector Offset 0 Protection 1
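
The following Python sketch is an added example, not part of the original text or of any debugger tooling. It parses the Segment and Subsection fields of the !ca output above and checks three relationships that can be read off that output: the subsection PTE counts sum to Total Ptes, Segment Size equals Total Ptes times the page size, and each Base Pte follows directly after the previous subsection's PTEs. The function names, the 8-byte PTE size, and the 4 KB page size are assumptions inferred from the values shown.

```python
import re

# Lines trimmed from the !ca 883a2e58 output shown above (all values are hex).
CA_OUTPUT = """\
Total Ptes 57
Segment Size 57000 Committed 0
ProtoPtes ee6139c8
Subsection 1 @ 883a2ea0
Base Pte ee6139c8 Ptes In Subsect 1 Unused Ptes 0
Subsection 2 @ 883a2ec0
Base Pte ee6139d0 Ptes In Subsect 2 Unused Ptes 0
Subsection 3 @ 883a2ee0
Base Pte ee6139e0 Ptes In Subsect 1 Unused Ptes 0
Subsection 4 @ 883a2f00
Base Pte ee6139e8 Ptes In Subsect 52 Unused Ptes 0
Subsection 5 @ 883a2f20
Base Pte ee613c78 Ptes In Subsect 1 Unused Ptes 0
"""

PTE_SIZE = 8        # assumption: 8-byte PTEs, inferred from the Base Pte spacing
PAGE_SIZE = 0x1000  # assumption: 4 KB pages

def hexfield(label, text):
    m = re.search(rf"{label}\s+([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None

def parse_subsections(text):
    pat = r"Base Pte\s+([0-9a-f]+)\s+Ptes In Subsect\s+([0-9a-f]+)"
    return [(int(b, 16), int(n, 16)) for b, n in re.findall(pat, text)]

def check_segment(text):
    """Return a list of inconsistencies; empty means the layout is coherent."""
    total = hexfield("Total Ptes", text)
    subs = parse_subsections(text)
    problems = []
    if sum(n for _, n in subs) != total:
        problems.append("subsection PTE counts do not sum to Total Ptes")
    if hexfield("Segment Size", text) != total * PAGE_SIZE:
        problems.append("Segment Size is not Total Ptes * page size")
    expected = hexfield("ProtoPtes", text)  # absent for the data file example
    for i, (base, n) in enumerate(subs, 1):
        if expected is not None and base != expected:
            problems.append(f"subsection {i} Base Pte {base:x}, expected {expected:x}")
        expected = base + n * PTE_SIZE
    return problems

if __name__ == "__main__":
    print(check_segment(CA_OUTPUT) or "consistent")
```

A non-empty result on output captured from a crash dump or memory image points at truncated capture or a damaged structure worth inspecting by hand before relying on it.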