Sandwiched in between is a call to _NtfsFindCachedFileRecord,
If you get bored of tracing and want an overview of all the calls that some API makes directly,
you can ask WinDbg to tell you with
uf /c <symbol / addr / @eip>
For example, NtfsReadFileRecord calls all these DDIs directly:
uf /c Ntfs!NtfsReadFileRecord
Code:
Ntfs!NtfsReadFileRecord (bae93b5c)
Ntfs!NtfsFsdClose+0x3b9 (bae9248d):
call to Ntfs!_SEH_epilog (bae6d300)
Ntfs!NtfsLookupInFileRecord+0x1ad (bae93aa5):
call to Ntfs!NtfsFindInFileRecord (bae94156)
Ntfs!NtfsReadFileRecord+0x1a (bae93b76):
call to Ntfs!NtfsFindCachedFileRecord (bae6f5d0)
Ntfs!NtfsReadFileRecord+0x75 (bae93b91):
call to Ntfs!NtfsReadMftRecord (bae93c03)
Ntfs!NtfsFindInFileRecord+0xf5 (bae946aa):
call to nt!RtlCompareMemory (804dab8a)
Ntfs!NtfsLookupInFileRecord+0xf0 (bae99d53):
call to Ntfs!NtfsMapAttributeValue (bae99fb8)
Ntfs!NtfsLookupInFileRecord+0x142 (bae99d96):
call to Ntfs!NtfsLookupExternalAttribute (bae99da5)
Ntfs!NtfsFindInFileRecord+0xab (baeae0be):
call to Ntfs!NtfsCollateNames (bae945c1)
Ntfs!NtfsFindInFileRecord+0x77 (baeae0e4):
call to nt!FsRtlAreNamesEqual (8056c959)
Ntfs!NtfsFsdClose+0x81 (baeb16db):
call to Ntfs!NtfsCompleteRequest (bae6d638)
Ntfs!NtfsReadFileRecord+0x89 (baec15df):
call to nt!CcUnpinData (8056d72d)
Ntfs!NtfsReadFileRecord+0x9d (baec15f3):
call to Ntfs!NtfsRaiseStatus (bae72661)
Ntfs!NtfsFindInFileRecord+0xc7 (baec1606):
call to Ntfs!NtfsCollateNames (bae945c1)
Ntfs!NtfsFindInFileRecord+0x16a (baec1618):
call to Ntfs!NtfsRaiseStatus (bae72661)
Ntfs!NtfsLookupInFileRecord+0x11f (baec164a):
call to nt!CcUnpinData (8056d72d)
Ntfs!NtfsLookupInFileRecord+0x1c3 (baec1663):
call to Ntfs!NtfsRaiseStatus (bae72661)
These are not sequential calls; they are made depending on the results of earlier calls. For example,
NtfsRaiseStatus may be called from a failure path or never called at all.
Anyway, you wrote earlier that you would want to trace through file creation,
so try Ntfs!NtfsCreateNewFile:
Set a process-specific breakpoint first.
One way to curtail spurious breaks could be to
open a command prompt
and type copy con blah.txt
!process 0 0 cmd.exe
bp /p <EPROCESS of cmd.exe from the above command> Ntfs!NtfsCreateNewFile
g
Now if you start writing to the file, this will break in the proper context.
BTW, this DDI takes 20 parameters; should be fun to unravel it. Have fun.
A call stack:
Code:
kd> kb
ChildEBP RetAddr Args to Child
f9afd638 bae95b32 ffa09718 81592e48 81592fd8 Ntfs!NtfsCreateNewFile
f9afd88c bae92f2d ffa09718 81592e48 f9afd8e4 Ntfs!NtfsCommonCreate+0x12ce
f9afd970 804e37f7 812721c0 81592e48 806ef2a4 Ntfs!NtfsFsdCreate+0x1dc
f9afd980 8066bec5 f9af0080 ffb531e8 81592e48 nt!IopfCallDriver+0x31
f9afd9a4 baf16876 812c8dd0 812cbc50 ffb53100 nt!IovCallDriver+0xa0
f9afd9f0 804e37f7 812c8e88 00000001 806ef2a4 sr!SrCreate+0x150
f9afda00 8066bec5 81592e58 81592e48 ffb531e8 nt!IopfCallDriver+0x31
f9afda24 8056c712 ffb3a968 ffa09830 f9afdc04 nt!IovCallDriver+0xa0
f9afdb04 80577b38 812c8dd0 00000000 ffac0b48 nt!IopParseDevice+0xa12
f9afdb3c 805686f5 ffb3a968 00000000 ffac0b48 nt!IopParseFile+0x46
f9afdbc4 805684da 0000000c f9afdc04 00000040 nt!ObpLookupObjectName+0x119
f9afdc18 8056cbeb 00000000 00000000 43005c01 nt!ObOpenObjectByName+0xeb
f9afdc94 8056ccba 0013f350 80100080 0013f2f0 nt!IopCreateFile+0x407
f9afdcf0 8056cdf0 0013f350 80100080 0013f2f0 nt!IoCreateFile+0x8e
f9afdd30 804de7ec 0013f350 80100080 0013f2f0 nt!NtCreateFile+0x30
f9afdd30 7c90e4f4 0013f350 80100080 0013f2f0 nt!KiFastCallEntry+0xf8
0013f2ac 7c90d09c 7c8109a6 0013f350 80100080 ntdll!KiFastSystemCallRet
0013f2b0 7c8109a6 0013f350 80100080 0013f2f0 ntdll!ZwCreateFile+0xc
0013f348 4ad16281 00000000 80000000 00000001 kernel32!CreateFileW+0x35f
0013f598 4ad0c6a5 001587c0 00158758 0013fa34 cmd!get_dest_name+0x3c1
0013fc40 4ad0c9b5 00153ae0 00158758 001586a0 cmd!do_normal_copy+0x4a7
0013fc60 4ad0c901 00156b70 0013fe9c 4ad05a92 cmd!copy+0xad
0013fc6c 4ad05a92 001586a0 00000000 001586a0 cmd!eCopy+0x10
0013fe9c 4ad013eb 001586a0 001586a0 00000002 cmd!FindFixAndRun+0x1f5
0013fee0 4ad0f138 00000000 00000001 00000000 cmd!Dispatch+0x137
0013ff44 4ad05154 00000001 00034100 00032960 cmd!main+0x216
0013ffc0 7c817067 80000001 011bda28 7ffdf000 cmd!mainCRTStartup+0x125
0013fff0 00000000 4ad05046 00000000 78746341 kernel32!BaseProcessStart+0x23
The third parameter to ZwCreateFile is OBJECT_ATTRIBUTES; check it:
kd> !obja 0013f2f0
Obja +0013f2f0 at 0013f2f0:
Name is blah.txt
OBJ_CASE_INSENSITIVE
The first parameter is an undocumented IRP_CONTEXT structure whose member at offset 0x24 is a pointer to the IRP structure,
which contains a file object:
kd> dt -r nt!_IRP ta..or->Fi* @@masm(poi(poi(@esp+4)+24))
+0x040 Tail :
+0x000 Overlay :
+0x024 OriginalFileObject :
+0x01c FinalStatus : 0n0
+0x030 FileName : _UNICODE_STRING "\Documents and Settings\admin\blah.txt"
Code:
kd> !irp @@masm(poi(poi(@esp+4)+24)) 1
Irp is active with 9 stacks 9 is current (= 0x81592fd8)
No Mdl: No System Buffer: Thread ffb0cb28: Irp stack trace.
Flags = 40000884
ThreadListEntry.Flink = ffb0cd38
ThreadListEntry.Blink = ffb0cd38
IoStatus.Status = 00000000
IoStatus.Information = 00000000
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = f9afdac0
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 00000000
&Tail.Overlay.DeviceQueueEntry = 81592e88
Tail.Overlay.Thread = ffb0cb28
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81592fd8
Tail.Overlay.OriginalFileObject = ffb531e8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
>[ 0, 0] 0 0 812721c0 ffb531e8 00000000-00000000
\FileSystem\Ntfs
Args: f9afda50 01000060 00010080 00000000
kd> !devobj 812721c0
Device object (812721c0) is for:
\FileSystem\Ntfs DriverObject 812cb2f0
Current Irp 00000000 RefCount 0 Type 00000008 Flags 00000000
DevExt 81272278 DevObjExt 81272a20
ExtensionFlags (0x80000000) DOE_DESIGNATED_FDO
AttachedDevice (Upper) 812c8dd0 \FileSystem\sr
Device queue is not busy.
It is an IRP_MJ_CREATE ([0, 0]).
The major function names are in an array whose 0th element foo[0] is:
kd> dpa nt!IrpMajorNames L1
8069c118 8069c3dc "IRP_MJ_CREATE"
sizeof(IRP_CONTEXT) == 0x44 dwords (see NtfsInitializeMFT -> ZeroMemory(&.., 0, sizeof(...)) constant), and it will contain a pointer to the MFT record of the current directory structure, in my case the admin directory:
Code:
kd> .load domdbg
dom WinDBG extension v0.3 loaded
kd> !grep -e "FILE0" -c "dpa edi l44"
ffa097e8 c7716000 "FILE0"
Code:
kd> dt Ntfs!_NTFSMFT c7716000
+0x000 MAGIC : 0x454c4946
+0x004 UpdateSeqOffset : 0x30
+0x006 FixupArrayEntries : 3
+0x008 $LogFileSeqNo : 0x829d4ec
+0x010 SequenceNumber : 2
+0x012 HardLinkCount : 1
+0x014 AttributeOffset : 0x38
+0x016 Flags : 3
+0x018 MftUsed : 0x1d8
+0x01c MftAlloc : 0x400
+0x020 FileRefernace : 0
+0x028 NextAttributeID : 6
+0x02a AlignNext4B : 0
+0x02c ThisMFTRecordNumber : 0x2858
+0x030 UpdateSequence : [8] "+"
kd> dt Ntfs!_ATTRIBUTE_HEADER (0xc7716000 + 38)
+0x000 AttributeType : 0x10
+0x004 AttributeLength : 0x60
+0x008 Resident : 0 ''
+0x009 NameLength : 0 ''
+0x00a NameOffset : 0
+0x00c Flags : 0
+0x00e AttributeNumber : 0
+0x010 AttributeContentLength : 0x48
+0x014 AttributeContentStartOffset : 0x18
+0x016 unk : 0
kd> ?? (wchar_t*)((Ntfs!_FILE_INFO_ATTRIBUTE_RECORD *)@@masm((0xc7716000 + 38+60+18 )))->Filename
wchar_t * 0xc77160f2
"admin"
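As an added example (not code from the original post or from Ntfs.sys), here is a user-mode C program that does what the kd session above did by hand on the MFT FILE record: check the "FILE" magic, apply the update-sequence fixups that the on-disk record carries in place of each sector's last two bytes, walk the attribute headers and read the name out of the resident $FILE_NAME attribute (the Filename that the ?? expression printed as "admin"). The structure layout is the public NTFS on-disk format, not the private Ntfs!_NTFSMFT / _ATTRIBUTE_HEADER symbols used in the dump; the record bytes are constructed inline with made-up values so it runs offline.

```c
/* Added example: parse an NTFS MFT FILE record (fixups + $FILE_NAME).
 * Layout follows the public NTFS format; the sample record is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MFT_RECORD_SIZE 1024
#define SECTOR_SIZE     512
#define ATTR_STANDARD_INFORMATION 0x10u
#define ATTR_FILE_NAME            0x30u
#define ATTR_END                  0xFFFFFFFFu

#pragma pack(push, 1)
typedef struct {            /* corresponds to the dt Ntfs!_NTFSMFT dump above */
    uint8_t  magic[4];      /* "FILE" */
    uint16_t usa_offset;    /* update sequence array offset (0x30) */
    uint16_t usa_count;     /* USN plus one saved word per sector */
    uint64_t lsn;
    uint16_t sequence_number, hard_link_count;
    uint16_t attrs_offset;  /* first attribute header (0x38) */
    uint16_t flags;         /* 1 = in use, 2 = directory */
    uint32_t bytes_in_use, bytes_allocated;
    uint64_t base_record;
    uint16_t next_attr_id;
} MFT_RECORD_HEADER;

typedef struct {            /* resident attribute header, 0x18 bytes */
    uint32_t type, length;
    uint8_t  non_resident, name_length;
    uint16_t name_offset, flags, attr_id;
    uint32_t value_length;
    uint16_t value_offset;
    uint8_t  indexed, pad;
} ATTR_HEADER;
#pragma pack(pop)

/* Undo the update-sequence protection in place. On disk the last two bytes of
 * every sector hold the USN and the real bytes live in the USA; a mismatch
 * means a torn write or a corrupt record, so refuse to parse further. */
int mft_apply_fixups(uint8_t *rec, size_t size)
{
    const MFT_RECORD_HEADER *h = (const MFT_RECORD_HEADER *)rec;
    if (size < sizeof *h || memcmp(h->magic, "FILE", 4) != 0) return -1;
    if (h->usa_count < 2 || h->usa_offset + 2u * h->usa_count > size) return -1;
    if ((size_t)(h->usa_count - 1) * SECTOR_SIZE > size) return -1;
    const uint8_t *usa = rec + h->usa_offset;
    for (unsigned i = 1; i < h->usa_count; i++) {
        uint8_t *tail = rec + i * SECTOR_SIZE - 2;
        if (tail[0] != usa[0] || tail[1] != usa[1]) return -1;   /* USN check */
        tail[0] = usa[2 * i];
        tail[1] = usa[2 * i + 1];
    }
    return 0;
}

/* Walk the attributes (bounded by the record) and copy the $FILE_NAME name,
 * UTF-16LE narrowed to ASCII, into out. Returns name length or -1. */
int mft_get_file_name(const uint8_t *rec, size_t size, char *out, size_t outsz)
{
    const MFT_RECORD_HEADER *h = (const MFT_RECORD_HEADER *)rec;
    size_t off = h->attrs_offset;
    while (off + 8 <= size) {
        const ATTR_HEADER *a = (const ATTR_HEADER *)(rec + off);
        if (a->type == ATTR_END) break;
        if (a->length < 8 || a->length > size - off) return -1;  /* no loops */
        if (a->type == ATTR_FILE_NAME && a->length >= sizeof *a && !a->non_resident) {
            size_t voff = off + a->value_offset;   /* attribute content start */
            if (a->value_offset + 0x42u > a->length) return -1;
            uint8_t nlen = rec[voff + 0x40];       /* name length, UTF-16 units */
            if (a->value_offset + 0x42u + 2u * nlen > a->length || nlen >= outsz) return -1;
            for (unsigned i = 0; i < nlen; i++)
                out[i] = rec[voff + 0x43 + 2 * i] ? '?' : (char)rec[voff + 0x42 + 2 * i];
            out[nlen] = '\0';
            return nlen;
        }
        off += a->length;
    }
    return -1;
}

/* Constructed sample: two-sector record for a directory named "admin", laid
 * out like the dump above ($STANDARD_INFORMATION at 0x38, then $FILE_NAME),
 * with the USN 0x0001 stamped over each sector tail exactly as on disk. */
static void build_sample_record(uint8_t *rec)
{
    static const char name[] = "admin";
    const uint8_t nlen = 5;
    memset(rec, 0, MFT_RECORD_SIZE);
    MFT_RECORD_HEADER *h = (MFT_RECORD_HEADER *)rec;
    memcpy(h->magic, "FILE", 4);
    h->usa_offset = 0x30; h->usa_count = 3; h->attrs_offset = 0x38;
    h->sequence_number = 2; h->hard_link_count = 1; h->flags = 3;
    h->next_attr_id = 6; h->bytes_allocated = MFT_RECORD_SIZE;
    static const uint8_t usa[6] = {0x01, 0x00, 0x11, 0x11, 0x22, 0x22}; /* USN, saved words */
    memcpy(rec + 0x30, usa, 6);
    ATTR_HEADER *si = (ATTR_HEADER *)(rec + 0x38);
    si->type = ATTR_STANDARD_INFORMATION; si->length = 0x60;
    si->value_length = 0x48; si->value_offset = 0x18;
    ATTR_HEADER *fn = (ATTR_HEADER *)(rec + 0x98);
    fn->type = ATTR_FILE_NAME; fn->attr_id = 3; fn->value_offset = 0x18;
    fn->value_length = 0x42 + 2 * nlen;
    fn->length = (0x18 + fn->value_length + 7) & ~7u;    /* 8-byte aligned */
    uint8_t *val = rec + 0x98 + 0x18;
    val[0] = 5; val[6] = 5;                 /* parent = root directory (5, seq 5) */
    val[0x40] = nlen; val[0x41] = 1;        /* Win32 namespace name */
    for (unsigned i = 0; i < nlen; i++) val[0x42 + 2 * i] = (uint8_t)name[i];
    uint32_t end = ATTR_END;
    memcpy(rec + 0x98 + fn->length, &end, 4);
    h->bytes_in_use = 0x98 + fn->length + 8;
    rec[SECTOR_SIZE - 2] = 0x01;     rec[SECTOR_SIZE - 1] = 0x00;      /* USN stamps */
    rec[2 * SECTOR_SIZE - 2] = 0x01; rec[2 * SECTOR_SIZE - 1] = 0x00;
}

/* Parse the sample the way the ?? expression above read "admin". */
const char *sample_file_name(void)
{
    static uint8_t rec[MFT_RECORD_SIZE];
    static char name[256];
    build_sample_record(rec);
    if (mft_apply_fixups(rec, sizeof rec) != 0) return NULL;
    return mft_get_file_name(rec, sizeof rec, name, sizeof name) < 0 ? NULL : name;
}

/* After fixups the sector tails carry the saved words again (0x1111, 0x2222). */
unsigned sample_sector_tail_after_fixup(unsigned sector)
{
    static uint8_t rec[MFT_RECORD_SIZE];
    build_sample_record(rec);
    if (sector < 1 || sector > 2 || mft_apply_fixups(rec, sizeof rec) != 0) return 0;
    return rec[sector * SECTOR_SIZE - 2] | (rec[sector * SECTOR_SIZE - 1] << 8);
}

/* A record whose second sector still holds an old USN (torn write) is refused. */
int sample_torn_record_rejected(void)
{
    static uint8_t rec[MFT_RECORD_SIZE];
    build_sample_record(rec);
    rec[2 * SECTOR_SIZE - 2] = 0x00;
    return mft_apply_fixups(rec, sizeof rec) == -1;
}

int main(void)
{
    const char *n = sample_file_name();
    printf("$FILE_NAME: %s\n", n ? n : "(parse failed)");
    printf("torn record rejected: %d\n", sample_torn_record_rejected());
    return 0;
}
```

The fixup step matters when you read records straight from $MFT or a disk image rather than from the cache-mapped copy kd was looking at: Ntfs applies the update sequence before the record is handed to code like NtfsFindInFileRecord, so a raw dump still carries the USN stamps and a parser that skips the check will happily read torn records.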