Читаем Windows® Internals, Sixth Edition, Part 2 полностью

The first address is that of a control area data structure, which the memory manager uses to keep track of an address range. (See Chapter 10 for more information.) The control area stores the pointer to the file object that corresponds to the view in the cache. A file object identifies an instance of an open file. Execute the following command using the address of the control area of the entry you identified to see the control area structure:lkd> !ca 8742a008 ControlArea @ 87cd7248 Segment 824157e0 Flink 00000000 Blink 00000000 Section Ref 1 Pfn Ref 1117 Mapped Views 3 User Ref 0 WaitForDel 0 Flush Count 0 File Object 87bcab60 ModWriteCount 0 System Views 3 WritableRefs 0 Flags (c080) File WasPurged Accessed \Windows\System32\winevt\Logs\System.evtx ...

Next look at the file object referenced by the control area with this command:lkd> dt nt!_FILE_OBJECT 87bcab60 +0x000 Type : 0n5 +0x002 Size : 0n128 +0x004 DeviceObject : 0x86a4c4d0 _DEVICE_OBJECT +0x008 Vpb : 0x86a0c270 _VPB +0x00c FsContext : 0x93b2a8e0 Void +0x010 FsContext2 : 0x93b2aa38 Void +0x014 SectionObjectPointer : 0x87c1b6f0 _SECTION_OBJECT_POINTERS +0x018 PrivateCacheMap : 0x87cd59e8 Void +0x01c FinalStatus : 0n0 +0x020 RelatedFileObject : (null) +0x024 LockOperation : 0 '' ...

The private cache map is at offset 0x18:lkd> dt nt!_PRIVATE_CACHE_MAP 0x87cd59e8 +0x000 NodeTypeCode : 0n766 +0x000 Flags : _PRIVATE_CACHE_MAP_FLAGS +0x000 UlongFlags : 0x1402fe +0x004 ReadAheadMask : 0xffff +0x008 FileObject : 0x87bcab60 _FILE_OBJECT +0x010 FileOffset1 : _LARGE_INTEGER 0x1000 +0x018 BeyondLastByte1 : _LARGE_INTEGER 0x1080 +0x020 FileOffset2 : _LARGE_INTEGER 0x1000 +0x028 BeyondLastByte2 : _LARGE_INTEGER 0x1080 ...

Finally, you can locate the shared cache map in the SectionObjectPointer field of the file object and then view its contents:lkd> dt nt!_SECTION_OBJECT_POINTERS 0x87c1b6f0 +0x000 DataSectionObject : 0x87cd7248 +0x004 SharedCacheMap : 0x87cd58f8 +0x008 ImageSectionObject : (null) lkd> dt nt!_SHARED_CACHE_MAP 0x87cd58f8 +0x000 NodeTypeCode : 767 +0x002 NodeByteSize : 0n352 +0x004 OpenCount : 1 +0x008 FileSize : _LARGE_INTEGER 0x1211000 +0x010 BcbList : _LIST_ENTRY [ 0x87cd5908 - 0x87cd5908 ] +0x018 SectionSize : _LARGE_INTEGER 0x1300000 +0x020 ValidDataLength : _LARGE_INTEGER 0x1116200 +0x028 ValidDataGoal : _LARGE_INTEGER 0x1116200 +0x030 InitialVacbs : [4] (null) +0x040 Vacbs : 0x87dc3a20 -> 0x85ba9df0 _VACB +0x044 FileObjectFastRef : _EX_FAST_REF +0x048 VacbLock : _EX_PUSH_LOCK ...

Alternatively, you can use the !fileobj command to look up and display much of this information automatically. For example, using this command on the same file object referenced earlier results in the following output:lkd> !fileobj 87bcab60 \Windows\System32\winevt\Logs\System.evtx Device Object: 0x86a4c4d0 \Driver\volmgr Vpb: 0x86a0c270 Event signalled Access: Read Write SharedRead Flags: 0xc3042 Synchronous IO Cache Supported Modified Size Changed Handle Created Fast IO Read FsContext: 0x93b2a8e0 FsContext2: 0x93b2aa38 Private Cache Map: 0x87cd59e8 CurrentByteOffset: 1116180 Cache Data: Section Object Pointers: 87c1b6f0 Shared Cache Map: 87cd58f8 File Offset: 1116180 in VACB number 44 Vacb: 85ba9d90 Your data is at: 82756180

File System Interfaces

The first time a file’s data is accessed for a read or write operation, the file system driver is responsible for determining whether some part of the file is mapped in the system cache. If it’s not, the file system driver must call the CcInitializeCacheMap function to set up the per-file data structures described in the preceding section.

Once a file is set up for cached access, the file system driver calls one of several functions to access the data in the file. There are three primary methods for accessing cached data, each intended for a specific situation:

The copy method copies user data between cache buffers in system space and a process buffer in user space.

The mapping and pinning method uses virtual addresses to read and write data directly from and to cache buffers.

The physical memory access method uses physical addresses to read and write data directly from and to cache buffers.