cakemaker

Finding NTFS volumes

Aug 26th, 2025 (edited)
## Thread
👉 https://twitter.com/sixtyvividtails/status/1960578133616152712
stats before making public on 2025-09-06: 21 hits

## Script
WinDbg script to find NTFS volumes and show their basic info through the VCB.
Should work fine on win10 22H2 and win11 24H2.

Input: $t0 (the `r$t0=0` at the very start of the script). Either leave it 0 to show all volumes, or set it to the address of any [ntfs] _FILE_OBJECT to find the volume for that file.


```
r$t0=0; r$t1=0;.foreach(v {#"lock cmpxchg" ntfs!NtfsAllocateBitmapRun L1000}) {.if (@$t1<2) {r$t1=@$t1+1} .elsif (@$t1<9) { r$t1=( v >>18&FF)+( v >>8&FF00) }};
.if(@$t0){r?$t0=(nt!_FILE_OBJECT*)@$t0;r?$t2=@$t0->Vpb->DeviceObject->DeviceExtension;r$t3=@$t2+8;r$t2=poi(@$t3)}.else{r$t2=ntfs!NtfsData+0x18;r$t3=poi(@$t2)};.while(@$t3!=@$t2){r$t4=@$t3-8;.if(wo(@$t4)!=701){.printf "dt ntfs!_VCB %p : bad VCB\n",@$t4}.else{r?$t5=((nt!_DEVICE_OBJECT*)(@$t4)-1);.while(@@(@$t5->DeviceExtension != @$t4)){r?$t5=(nt!_DEVICE_OBJECT*)((int64)@$t5-0x10)};.printf /D "dt <link cmd=\"dt nt!_DEVICE_OBJECT %p\">nt!_DEVICE_OBJECT</link> %p\ndt ntfs!_VCB %p\n TotalClusters : %p\n FreeClusters : %p\n LowestFreeClusters : %p\n HighestFreeClusters : %p\n ClusterSize : %p\n",@$t5,@$t5,@$t4,qwo(@$t4+128),qwo(@$t4+130),qwo(@$t4+@$t1),qwo(@$t4+@$t1+8),dwo(@$t4+160);r?$t5=@$t5->DeviceObjectExtension->Vpb;??@$t5;!devobj @@(@$t5->RealDevice); .printf "\n"};r$t3=poi(@$t3);}
```
The script looks beautiful, but how does it work? To answer that, we need some theory.

But first, here's an output example:
```
dt nt!_DEVICE_OBJECT ffffb603bc448030
dt ntfs!_VCB ffffb603bc448180
TotalClusters : 0000000001dd7689
FreeClusters : 0000000001397265
LowestFreeClusters : 00000000012bb0e6
HighestFreeClusters : 0000000001399be9
ClusterSize : 0000000000001000
struct _VPB * 0xffffb603`bc3e9060
+0x000 Type : 0n10
+0x002 Size : 0n96
+0x004 Flags : 1
+0x006 VolumeLabelLength : 0
+0x008 DeviceObject : 0xffffb603`bc448030 _DEVICE_OBJECT
+0x010 RealDevice : 0xffffb603`bc4408a0 _DEVICE_OBJECT
+0x018 SerialNumber : 0xdc76021a
+0x01c ReferenceCount : 0x360d
+0x020 VolumeLabel : [32] ""
```


## NTFS structures
One of the most important globals in ntfs.sys is `ntfs!NtfsData`. Its type is ntfs!`_NTFS_DATA` (private, see the definition below). This structure isn't even that large, but it holds all kinds of important stuff, including the list head for the chain of Volume Control Block structures.
Each NTFS volume is represented in memory by its own Volume Control Block (VCB, type ntfs!`_VCB`). A VCB doesn't actually contain raw "disk data", but it does have pointers to a ton of critical volume structures, along with volume statistics.

All VCBs are linked together through the VCB.`VcbLinks` field, with the list head at ntfs!`NtfsData.VcbQueue`.
The `VcbQueue` field in NtfsData has a quite stable offset of 0x18, so enumerating all VCBs (and thus all volumes) is straightforward.

The important bit: each VCB is actually the tail of the corresponding nt!`_DEVICE_OBJECT` for the volume (yes, the VCB is the Device Extension of the volume device). To create a VCB, ntfs!`NtfsInitializeDevice` invokes nt!`IoCreateDevice(DeviceExtensionSize = sizeof(_VCB) + xxx)`.
On win10 22H2, the DEVICE_OBJECT structure immediately precedes the VCB. On win11 24H2, there's some extra data jammed between them. In any case, DeviceObject.DeviceExtension is set to point exactly at the start of the VCB.

Besides the VCB, other important structures are:
- FCB. File Control Block, one for every opened file/directory.
- SCB. Stream Control Block, one for every opened stream. Each FCB can have more than one SCB.
- CCB. Context Control Block, one for every _FILE_OBJECT (basically one per handle, unless you dupe it).
- LCB. Link Control Block. A file may have multiple names (hard links); each LCB represents one such name and ties together the FCB, the parent directory's SCB and the CCBs opened through that name.

Keep in mind these are in-memory structures, not on-disk ones. Their layouts can change a lot between OS versions (or even between different ntfs.sys builds).
But the ntfs devs added an extra sanity check to help you deal with NTFS memory structures. There are two word-sized fields at the start of most of the structs:
- NodeTypeCode. Fixed identifier for the structure type.
- NodeByteSize. Size of the structure.

Some NodeTypeCode values:
```
0x0700 _NTFS_DATA
0x0701 _VCB
0x0702 _FCB
0x0703..0x0707 _SCB
0x0708..0x0709 _CCB
0x070B _LCB
```


## From file handle to VCB
Let's assume we have a kernel dump, or a live kernel session. We can enumerate all VCBs from the top, starting at ntfs!NtfsData, but how do we get to a particular VCB from the bottom, from a file handle? EZ enough, knowing that everything is connected.
First, let's grab a file handle:
```
!handle 0 0 4
```
This [relatively] quickly enumerates handles in the process with PID==4 (System). Once you see one or two handles with GrantedAccess == 00000003, press Ctrl+Break to stop the crawl. Then confirm that the handle with that access is actually a File handle:
```
0: kd> !handle 00e0 3 4

PROCESS ffffb603b9484080
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffffa50ccf464e80 HandleCount: 2404.
Image: System

Kernel handle table at ffffa50ccf464e80 with 2404 entries in use

00e0: Object: ffffb603bc8b7650 GrantedAccess: 00000003 (Inherit) Entry: ffffa50ccf49a380
Object: ffffb603bc8b7650 Type: (ffffb603b94f26c0) File <<< Yes, that's a File handle
ObjectHeader: ffffb603bc8b7620 (new version)
HandleCount: 1 PointerCount: 32632
Directory Object: 00000000 Name: \Windows\System32\config\SYSTEM.LOG2 {HarddiskVolume3}
```

Of course the whole "GrantedAccess == 3" trick is just a rule of thumb to quickly get a valid file handle on an NTFS volume. You can absolutely use your own file handle instead, or skip the shortcut and just grab any handle with Type == File:
```
!handle 0 3 4
```
But this slow path will probably cost you 5 to 15 minutes (I don't know how Microsoft devs managed to make it that slow; even a manual handle/objdir parse in JavaScript runs about 100 times faster).


Okay, we have the handle and the object address. Simply enter one command:
```
0: kd> dt ffffb603bc8b7650 nt!_FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xffffb603`bc4408a0 _DEVICE_OBJECT <<< device for \Driver\volmgr (not the one we need!)
+0x010 Vpb : 0xffffb603`bc3e9060 _VPB <<< pointer to _VPB (see below)
+0x018 FsContext : 0xffffa50c`cfedca00 Void <<< pointer to _SCB (Stream Control Block)
+0x020 FsContext2 : 0xffffa50c`cfedcc70 Void <<< pointer to _CCB (Context Control Block)
+0x028 SectionObjectPointer : 0xffffb603`bc869488 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : (null)
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0x1 ''
+0x04b WriteAccess : 0x1 ''
+0x04c DeleteAccess : 0 ''
+0x04d SharedRead : 0 ''
+0x04e SharedWrite : 0 ''
+0x04f SharedDelete : 0 ''
+0x050 Flags : 0x40028
+0x058 FileName : _UNICODE_STRING "\Windows\System32\config\SYSTEM.LOG2"
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [ 0xffffb603`bc8b7710 - 0xffffb603`bc8b7710 ]
+0x0d0 FileObjectExtension : (null)

0: kd> dt 0xffffb603`bc3e9060 nt!_VPB
nt!_VPB
+0x000 Type : 0n10
+0x002 Size : 0n96
+0x004 Flags : 1
+0x006 VolumeLabelLength : 0
+0x008 DeviceObject : 0xffffb603`bc448030 _DEVICE_OBJECT <<< device for the \FileSystem\Ntfs driver (USE THIS ONE!)
+0x010 RealDevice : 0xffffb603`bc4408a0 _DEVICE_OBJECT <<< device for \Driver\volmgr (again; ignore it now)
+0x018 SerialNumber : 0xdc76021a <<< yay, the 32-bit volume serial number (derived from the 64-bit serial stored in the $Boot/VBR at offset 0x48)
+0x01c ReferenceCount : 0x360d
+0x020 VolumeLabel : [32] "" <<< this volume has no label
```


We're almost there. Just need to check out the DeviceObject (not the "RealDevice", just "DeviceObject").

```
0: kd> !devobj 0xffffb603`bc448030
Device object (ffffb603bc448030) is for:
\FileSystem\Ntfs DriverObject ffffb603bc307c00
Current Irp 00000000 RefCount 0 Type 00000008 Flags 08060000
SecurityDescriptor ffffa50ccf4f76e0 DevExt ffffb603bc448180 DevObjExt ffffb603bc44ab50
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
AttachedDevice (Upper) ffffb603bc40f8d0 \FileSystem\FltMgr
Device queue is not busy.

0: kd> dt 0xffffb603`bc448030 nt!_DEVICE_OBJECT
+0x000 Type : 0n3
+0x002 Size : 0x2b20
+0x004 ReferenceCount : 0n0
+0x008 DriverObject : 0xffffb603`bc307c00 _DRIVER_OBJECT
+0x010 NextDevice : 0xffffb603`bc0b3c20 _DEVICE_OBJECT
+0x018 AttachedDevice : 0xffffb603`bc40f8d0 _DEVICE_OBJECT
+0x020 CurrentIrp : (null)
+0x028 Timer : (null)
+0x030 Flags : 0x8060000
+0x034 Characteristics : 0
+0x038 Vpb : (null)
+0x040 DeviceExtension : 0xffffb603`bc448180 Void <<< actually points to the VCB, Volume Control Block
+0x048 DeviceType : 8
+0x04c StackSize : 10 ''
+0x050 Queue : <anonymous-tag>
+0x098 AlignmentRequirement : 3
+0x0a0 DeviceQueue : _KDEVICE_QUEUE
+0x0c8 Dpc : _KDPC
+0x108 ActiveThreadCount : 0
+0x110 SecurityDescriptor : 0xffffa50c`cf4f76e0 Void
+0x118 DeviceLock : _KEVENT
+0x130 SectorSize : 0x200
+0x132 Spare1 : 1
+0x138 DeviceObjectExtension : 0xffffb603`bc44ab50 _DEVOBJ_EXTENSION
+0x140 Reserved : (null)
...
+0x150 [small extra structure here on win11 24H2, absent on win10 22H2]
...
+0x180/+0x150 VCB (pointed to by ^DeviceExtension field right above)
```

So yeah, that's it: we've manually walked our way from a file handle to the VCB. The last bit is just looking up the VCB definition in the private symbols and picking out the interesting fields.
The script uses hardcoded offsets 0x128 and 0x130 for TotalClusters and FreeClusters (i.e. full volume size and free space, in clusters). These offsets are good for win10 22H2 and win11 24H2, but they have already drifted a bit compared to a 2016-era win10 build (there TotalClusters is at 0x120 and FreeClusters at 0x128), as you can see in the structure dump below.

The script also shows LowestFreeClusters and HighestFreeClusters. Those are closer to the end of the struct, so their offsets jump around a lot. To find their offset, the script disassembles ntfs!NtfsAllocateBitmapRun, takes the opcode-bytes token of the first `lock cmpxchg` it finds and pulls the displacement out of it: the disp32 is the last four bytes of the instruction, so when WinDbg parses the hex string as one number its first (lowest) byte lands in bits 24..31 and its second in bits 16..23, which is exactly what `( v >>18&FF)+( v >>8&FF00)` picks out (the low 16 bits of the displacement; remember WinDbg's default radix is hex, so `18` is 24). Good enough for a quick hack.
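To make the pointer walk the one-liner performs explicit, here is an added example in plain C. It is not ntfs.sys code and the structs are not the real Windows definitions: they are minimal stand-ins that reproduce only the offsets quoted on this page (DeviceExtension at +0x40 in a 0x150-byte device object; VcbLinks at +0x8, TotalClusters at +0x128, FreeClusters at +0x130 and BytesPerCluster at +0x160 in the VCB), everything else being padding. The two volume images, the corrupt list entry and the second volume's cluster counts are constructed; the first volume's counts are the ones from the sample output above. It covers both the "from the top" walk over NtfsData.VcbQueue (with the NodeTypeCode check and the backwards search for the owning DEVICE_OBJECT that the 24H2 gap makes necessary) and the "from the bottom" FILE_OBJECT -> Vpb -> DeviceObject -> DeviceExtension path.

```c
/* Added example (not ntfs.sys code, not the real Windows structures): the one-liner's VCB walk in
 * plain C.  The structs are stand-ins reproducing only the win10 22H2 offsets quoted on this page. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTFS_NTC_VCB 0x0701u                          /* NodeTypeCode of a _VCB */
#define CONTAINING_RECORD(p, type, field) ((type *)((uint8_t *)(p) - offsetof(type, field)))
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct {                                       /* stand-in for nt!_DEVICE_OBJECT, 0x150 bytes */
    uint8_t pad0[0x40];
    void   *DeviceExtension;                           /* +0x40: points at the VCB */
    uint8_t pad1[0x150 - 0x48];
} MODEL_DEVICE_OBJECT;
typedef struct {                                       /* stand-in for ntfs!_VCB */
    uint16_t   NodeTypeCode, NodeByteSize; uint32_t VcbState;   /* +0x000 (0x0701 for a VCB), +0x002, +0x004 */
    LIST_ENTRY VcbLinks;                               /* +0x008: chained at NtfsData.VcbQueue */
    uint8_t    pad0[0x128 - 0x18];
    int64_t    TotalClusters, FreeClusters;            /* +0x128, +0x130 (what the script hardcodes) */
    uint8_t    pad1[0x160 - 0x138];
    uint32_t   BytesPerCluster;                        /* +0x160 */
    uint8_t    pad2[0x200 - 0x164];                    /* the real struct is far larger */
} MODEL_VCB;
_Static_assert(offsetof(MODEL_VCB, FreeClusters) == 0x130, "VCB offset drift");
typedef struct { uint8_t pad[0x08]; MODEL_DEVICE_OBJECT *DeviceObject; } MODEL_VPB;  /* _VPB.DeviceObject +0x8 */
typedef struct { uint8_t pad[0x10]; MODEL_VPB *Vpb; } MODEL_FILE_OBJECT;              /* _FILE_OBJECT.Vpb +0x10 */
typedef struct { int volumes, bad; int64_t free_via_file_object; } WALK_STATS;

/* Constructed images: DEVICE_OBJECT, a gap (0 as on win10 22H2, or 0x30 to mimic the extra data
 * win11 24H2 inserts), then the VCB as the device extension.  g_bad plays a corrupt list entry. */
static _Alignas(16) uint8_t g_img[2][0x150 + 0x30 + sizeof(MODEL_VCB)];
static MODEL_VCB g_bad;

static MODEL_VCB *make_volume(uint8_t *mem, size_t gap, int64_t total, int64_t free_, uint32_t bpc)
{
    MODEL_DEVICE_OBJECT *dev = (MODEL_DEVICE_OBJECT *)mem;
    MODEL_VCB *vcb = (MODEL_VCB *)(mem + sizeof *dev + gap);
    memset(mem, 0, sizeof *dev + gap + sizeof *vcb);
    dev->DeviceExtension = vcb;
    vcb->NodeTypeCode = NTFS_NTC_VCB; vcb->NodeByteSize = (uint16_t)sizeof *vcb;
    vcb->TotalClusters = total; vcb->FreeClusters = free_; vcb->BytesPerCluster = bpc;
    return vcb;
}
static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{   e->Flink = head; e->Blink = head->Blink; head->Blink->Flink = e; head->Blink = e; }

/* The script's `(nt!_DEVICE_OBJECT*)vcb - 1`, then back 0x10 at a time until DeviceExtension == vcb
 * (needed because of the 24H2 gap); bounded so a corrupt dump cannot make it loop forever. */
static MODEL_DEVICE_OBJECT *device_object_for_vcb(const MODEL_VCB *vcb)
{
    const uint8_t *p = (const uint8_t *)vcb - sizeof(MODEL_DEVICE_OBJECT);
    for (int i = 0; i < 16; i++, p -= 0x10)
        if (((const MODEL_DEVICE_OBJECT *)p)->DeviceExtension == vcb) return (MODEL_DEVICE_OBJECT *)p;
    return NULL;
}
/* "From the top": walk NtfsData.VcbQueue.  Each entry is a VCB.VcbLinks, so the VCB is entry - 8;
 * reject anything whose NodeTypeCode is not 0x0701 (the script's `wo(@$t4)!=701` check). */
static WALK_STATS walk_vcb_queue(LIST_ENTRY *head)
{
    WALK_STATS s = {0, 0, -1};
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        MODEL_VCB *vcb = CONTAINING_RECORD(e, MODEL_VCB, VcbLinks);
        MODEL_DEVICE_OBJECT *dev;
        if (vcb->NodeTypeCode != NTFS_NTC_VCB || !(dev = device_object_for_vcb(vcb))) {
            printf("dt ntfs!_VCB %p : bad VCB\n", (void *)vcb); s.bad++; continue;
        }
        printf("dev %p vcb %p TotalClusters %llx FreeClusters %llx ClusterSize %x\n", (void *)dev,
               (void *)vcb, (long long)vcb->TotalClusters, (long long)vcb->FreeClusters, vcb->BytesPerCluster);
        s.volumes++;
    }
    return s;
}
/* "From the bottom": FILE_OBJECT -> Vpb -> DeviceObject (the NTFS volume device, not Vpb->RealDevice,
 * which belongs to volmgr) -> DeviceExtension, then the same NodeTypeCode check. */
static MODEL_VCB *vcb_from_file_object(const MODEL_FILE_OBJECT *fo)
{
    MODEL_VCB *vcb = fo->Vpb->DeviceObject->DeviceExtension;
    return vcb->NodeTypeCode == NTFS_NTC_VCB ? vcb : NULL;
}

static WALK_STATS run_model(void)
{
    LIST_ENTRY head = { &head, &head };               /* stands in for NtfsData.VcbQueue */
    MODEL_VCB *a = make_volume(g_img[0], 0x00, 0x1dd7689, 0x1397265, 0x1000);   /* counts from the page */
    MODEL_VCB *b = make_volume(g_img[1], 0x30, 0x0400000, 0x0100000, 0x1000);   /* constructed */
    memset(&g_bad, 0, sizeof g_bad); g_bad.NodeTypeCode = 0x0702;   /* an FCB code where a VCB should be */
    insert_tail(&head, &a->VcbLinks); insert_tail(&head, &g_bad.VcbLinks); insert_tail(&head, &b->VcbLinks);
    WALK_STATS s = walk_vcb_queue(&head);
    MODEL_VPB vpb = { .DeviceObject = (MODEL_DEVICE_OBJECT *)g_img[0] }; MODEL_FILE_OBJECT fo = { .Vpb = &vpb };
    MODEL_VCB *found = vcb_from_file_object(&fo);
    s.free_via_file_object = (found == a) ? found->FreeClusters : -1;
    return s;
}
int main(void)
{
    WALK_STATS s = run_model();
    printf("%d volumes, %d bad entries; FreeClusters via file object %llx\n",
           s.volumes, s.bad, (long long)s.free_via_file_object);
    return 0;
}
```

Build it with any C11 compiler (for example `gcc -std=c11 vcbwalk.c`). In a real session the reads in `device_object_for_vcb` and `walk_vcb_queue` are the `poi`/`wo`/`qwo` reads the script issues against the target, and the `_Static_assert` is the place where the offset drift described above would bite: on the 2016 build in the appendix `FreeClusters` sits at 0x128, not 0x130.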

THE END.



## Appendix
NTFS structure definitions I've talked about.
Note these structures are for an old win10 ntfs.sys from 2016; current win10 22H2 and win11 24H2 may differ substantially.
The exact OS build for these structs was either 14361 or 14910.

Key NTFS structure, `NTFS_DATA`. The only instance of this structure is the ntfs!`NtfsData` global variable.
```
0:000> dt -v _NTFS_DATA
ntfs!_NTFS_DATA
struct _NTFS_DATA, 76 elements, 0x780 bytes
+0x000 NodeTypeCode : Uint2B
+0x002 NodeByteSize : Int2B
+0x008 DriverObject : Ptr64 to struct _DRIVER_OBJECT, 15 elements, 0x150 bytes
+0x010 DeviceObject : Ptr64 to struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x018 VcbQueue : struct _LIST_ENTRY, 2 elements, 0x10 bytes <<<<<< list of [_DEVICE_OBJECT,_VCB]
+0x028 Resource : struct _ERESOURCE, 17 elements, 0x68 bytes
+0x090 ShortNameRegKeyValue : Uint4B
+0x094 CorruptionHandlingDisableRegKeyValue : Uint4B
+0x098 CorruptionHandlingBypassRegKeyValue : Uint4B
+0x0a0 Corruption : struct _GLOBAL_CORRUPTION, 6 elements, 0x98 bytes
+0x138 SpotVerifyTimer : struct _KTIMER, 6 elements, 0x40 bytes
+0x178 SpotVerifyTimerDpc : struct _KDPC, 11 elements, 0x40 bytes
+0x1b8 SpotVerifyTimerActivityId : struct _NTFS_ACTIVITY_ID, 2 elements, 0x18 bytes
+0x1d0 SpotVerifyExpiryItem : struct _WORK_QUEUE_ITEM, 3 elements, 0x20 bytes
+0x1f0 SpotVerifyExpiryItemActivityId : struct _NTFS_ACTIVITY_ID, 2 elements, 0x18 bytes
+0x208 SpotVerifyTimeout : Uint4B
+0x210 OurProcess : Ptr64 to struct _KPROCESS, 38 elements, 0x288 bytes
+0x218 FreeEresourceSize : Uint4B
+0x21c FreeEresourceTotal : Uint4B
+0x220 FreeEresourceMiss : Uint4B
+0x228 FreeEresourceArray : Ptr64 to Ptr64 to struct _ERESOURCE, 17 elements, 0x68 bytes
+0x230 CacheManagerCallbacks : struct _CACHE_MANAGER_CALLBACKS, 4 elements, 0x20 bytes
+0x250 VolumeCheckpointDpc : struct _KDPC, 11 elements, 0x40 bytes
+0x290 VolumeCheckpointTimer : struct _KTIMER, 6 elements, 0x40 bytes
+0x2d0 VolumeCheckpointStatus : Uint4B
+0x2d8 VolumeCheckpointTimerActivityId : struct _NTFS_ACTIVITY_ID, 2 elements, 0x18 bytes
+0x2f0 VolumeCheckpointItem : struct _WORK_QUEUE_ITEM, 3 elements, 0x20 bytes
+0x310 TimerStatus : Enum TIMER_STATUS, 2 total enums
+0x314 IoCoalescingEnabled : UChar
+0x318 IoCoalescingRegistration : Ptr64 to Void
+0x320 VolumeCheckpointItemActivityId : struct _NTFS_ACTIVITY_ID, 2 elements, 0x18 bytes
+0x338 UsnTimeOutTimer : Ptr64 to struct _EX_TIMER, 0 elements, 0x0 bytes
+0x340 UsnTimeOutTimerActivityId : struct _NTFS_ACTIVITY_ID, 2 elements, 0x18 bytes
+0x358 UsnTimeOutItem : struct _WORK_QUEUE_ITEM, 3 elements, 0x20 bytes
+0x378 UsnTimeOutItemActivityId : struct _NTFS_ACTIVITY_ID, 2 elements, 0x18 bytes
+0x390 Flags : Uint4B
+0x394 UpcaseTableSize : Uint4B
+0x398 UpcaseTable : Ptr64 to Wchar
+0x3a0 UpcaseTableCrc64 : Uint8B
+0x3a8 DefaultDescriptor : Ptr64 to Void
+0x3b0 DefaultDescriptorLength : Uint4B
+0x3b8 NtfsDataLock : struct _FAST_MUTEX, 5 elements, 0x38 bytes
+0x3f0 EncryptionCallBackTable : struct _ENCRYPTION_CALL_BACK, 18 elements, 0x88 bytes
+0x478 IsEdpEnabled : UChar
+0x480 EdpEfsSWHiveAvailableWnfSubscription : Ptr64 to struct _EX_WNF_SUBSCRIPTION, 0 elements, 0x0 bytes
+0x488 EdpPolicyChangedWnfSubscription : Ptr64 to struct _EX_WNF_SUBSCRIPTION, 0 elements, 0x0 bytes
+0x490 EdpDplKeysDroppingSubscription : Ptr64 to struct _EX_WNF_SUBSCRIPTION, 0 elements, 0x0 bytes
+0x498 EdpDplKeysStateSubscription : Ptr64 to struct _EX_WNF_SUBSCRIPTION, 0 elements, 0x0 bytes
+0x4a0 SystemEtwHandle : Uint8B
+0x4a8 UbpmEtwHandle : Uint8B
+0x4b0 DiskFlushContextCompletedSpinLock : Uint8B
+0x4b8 DiskFlushContextCompletedListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x4c8 DiskFlushContextCompletedWorkItem : struct _WORK_QUEUE_ITEM, 3 elements, 0x20 bytes
+0x4e8 DiskFlushContextCompletedWorkItemQueued : UChar
+0x4f0 FrsConsolidationWorkQueueControl : struct _WORK_QUEUE_CONTROL, 7 elements, 0x78 bytes
+0x568 DisableDebugCodeFlags : Uint4B
+0x56c EnableDebugCodeFlags : Uint4B
+0x570 ReservedCompressionBuffers : struct _NTFS_DATA_COMPRESSION_RESERVED, 4 elements, 0x120 bytes
+0x690 ReservedUsaBuffers : stru2ct _NTFS_DATA_USA_RESERVED, 2 elements, 0x98 bytes
+0x728 ZeroPage : Ptr64 to UChar
+0x730 VirtualDrivesMounted : Uint4B
+0x738 NextCheckpointTimerTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x740 NextCheckpointTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x748 OldCheckpointTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x750 CompressionLimit : Int8B
+0x758 CacheCoherencyHitThreshold : Uint4B
+0x75c RangeTrackTimerCounter : Uint4B
+0x760 RangeTrackTimerCountLimit : Uint4B
+0x764 UsnMinutesTimer : Uint4B
+0x768 MaxFspThreadsPerVolume : Uint4B
+0x76c FrsConsolidationThreshold : Uint4B
+0x770 FrsConsolidationBreakTime : Uint4B
+0x774 FrsConsolidationScanCountPerBreak : Uint4B
+0x778 MaxOverflowQueueEntries : Uint4B
+0x77c AsyncCachedReadDisabled : UChar
+0x77d EnableDirectAccess : UChar
```


Volume Control Block, `VCB`. One structure per volume. The structure is created as the DeviceExtension of the volume device, pointed to by its `DEVICE_OBJECT.DeviceExtension`.
```
0:000> dt -v _VCB
ntfs!_VCB
struct _VCB, 292 elements, 0x24f8 bytes
+0x000 NodeTypeCode : Uint2B
+0x002 NodeByteSize : Int2B
+0x004 VcbState : Uint4B
+0x008 VcbLinks : struct _LIST_ENTRY, <<<<< VCB linked into ntfs!NtfsData via this
+0x018 VcbState2 : Uint4B
+0x020 RootIndexScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x028 UsnJournal : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x028 FirstSystemScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x030 MftScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x038 Mft2Scb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x040 LogFileScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x048 BitmapScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x050 AttributeDefTableScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x058 BadClusterFileScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x060 ExtendDirectory : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x068 SecurityDescriptorStream : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x070 SecurityIdIndex : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x078 SecurityDescriptorHashIndex : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x080 UpcaseTableScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x088 QuotaTableScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x090 OwnerIdTableScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x098 ReparsePointTableScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x0a0 ObjectIdTableScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x0a8 VerifyScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x0b0 CorruptScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x0b8 VolumeDasdScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x0c0 DeletedFiles : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x0c8 MftBitmapScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x0c8 LastSystemScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x0d0 LogFileObject : Ptr64 to struct _FILE_OBJECT, 30 elements, 0xd8 bytes
+0x0d8 TargetDeviceObject : Ptr64 to struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x0e0 LogHandle : Ptr64 to Void
+0x0e8 RootLcb : Ptr64 to struct _LCB, 27 elements, 0xe8 bytes
+0x0f0 Vpb : Ptr64 to struct _VPB, 9 elements, 0x60 bytes
+0x0f8 CleanupCount : Uint4B
+0x0fc CloseCount : Uint4B
+0x100 ReadOnlyCloseCount : Uint4B
+0x104 SystemFileCloseCount : Uint4B
+0x108 ExternalMetadataCleanupCount : Uint4B
+0x10c DisallowDismountCount : Uint4B
+0x110 DisallowDeleteCount : Uint4B
+0x118 TotalClustersCommitted : Int8B
+0x120 TotalClusters : Int8B
+0x128 FreeClusters : Int8B
+0x130 DeallocatedClusters : Int8B
+0x138 DesiredTrimAlignment : Uint4B
+0x13c DesiredStreamAlignment : Uint4B
+0x140 TotalReserved : Int8B
+0x148 PreviousTotalClusters : Int8B
+0x150 BigEnoughToMove : Uint4B
+0x154 DefaultBlocksPerIndexAllocationBuffer : Uint4B
+0x158 DefaultBytesPerIndexAllocationBuffer : Uint4B
+0x15c BytesPerCluster : Uint4B
+0x160 BytesPerFileRecordSegment : Uint4B
+0x164 SectorSizeInfo : struct _FILE_FS_SECTOR_SIZE_INFORMATION, 7 elements, 0x1c bytes
+0x180 ClustersPerFileRecordSegment : Uint4B
+0x184 FileRecordsPerCluster : Uint4B
+0x188 ClustersPer4Gig : Uint4B
+0x18c ClustersPerPage : Uint4B
+0x190 MftStartLcn : Int8B
+0x198 Mft2StartLcn : Int8B
+0x1a0 NumberSectors : Int8B
+0x1a8 PartitionNumberSectors : Int8B
+0x1b0 VolumeSerialNumber : Int8B
+0x1b8 VolumeCreationTime : Int8B
+0x1c0 VolumeLastModificationTime : Int8B
+0x1c8 VolumeLastChangeTime : Int8B
+0x1d0 VolumeLastAccessTime : Int8B
+0x1d8 ClusterMask : Uint4B
+0x1dc InverseClusterMask : Int4B
+0x1e0 ClusterShift : Uint4B
+0x1e4 MftShift : Uint4B
+0x1e8 MftToClusterShift : Uint4B
+0x1ec MftReserved : Uint4B
+0x1f0 MftCushion : Uint4B
+0x1f8 Tiers : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x208 DiskTier : Ptr64 to struct _NTFS_STORAGE_TIER, 8 elements, 0x90 bytes
+0x210 FlashTier : Ptr64 to struct _NTFS_STORAGE_TIER, 8 elements, 0x90 bytes
+0x218 CheckpointFlags : Uint4B
+0x220 CheckpointMutex : struct _FAST_MUTEX, 5 elements, 0x38 bytes
+0x258 CheckpointNotifyEvent : struct _KEVENT, 1 elements, 0x18 bytes
+0x270 FcbTableMutex : struct _FAST_MUTEX, 5 elements, 0x38 bytes
+0x2a8 FcbSecurityMutex : struct _FAST_MUTEX, 5 elements, 0x38 bytes
+0x2e0 ReservedClustersMutex : struct _FAST_MUTEX, 5 elements, 0x38 bytes
+0x318 AttributeFlagsMask : Uint2B
+0x31a MajorVersion : UChar
+0x31b MinorVersion : UChar
+0x31c UpcaseTableSize : Uint4B
+0x320 UpcaseTable : Ptr64 to Wchar
+0x328 UpcaseTableCrc64 : Uint8B
+0x330 UpcaseInfo : Ptr64 to struct _UPCASE_INFORMATION, 4 elements, 0x20 bytes
+0x338 Statistics : Ptr64 to struct _FILE_SYSTEM_STATISTICS_EX, 3 elements, 0x240 bytes
+0x340 MaxDirtyPagesInDirtyPageTable : Uint4B
+0x348 LastRestartArea : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x350 OpenAttributeTable : struct _RESTART_POINTERS, 6 elements, 0xe0 bytes
+0x430 LastBaseLsn : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x438 TransactionTable : struct _RESTART_POINTERS, 6 elements, 0xe0 bytes
+0x518 LastTransactionLsn : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x520 LastTransactionLsnCount : Uint4B
+0x528 EndOfLastCheckpoint : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x530 OldestLsnAtMount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x538 CurrentLsnAtMount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x540 OldestDirtyLsn : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x548 LastRestartAreaAtNonTopLevelLogFull : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x550 FcbTable : struct _RTL_AVL_TABLE, 11 elements, 0x68 bytes
+0x5b8 ViewIndexNotifyList : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x5c8 NotifySync : Ptr64 to struct _REAL_NOTIFY_SYNC, 0 elements, 0x0 bytes
+0x5d0 FileObjectWithVcbLocked : Ptr64 to struct _FILE_OBJECT, 30 elements, 0xd8 bytes
+0x5d8 FileObjectShrinkingVolume : Ptr64 to struct _FILE_OBJECT, 30 elements, 0xd8 bytes
+0x5e0 MftZoneStart : Int8B
+0x5e8 MftZoneEnd : Int8B
+0x5f0 ClustersRecentlyFreed : Int8B
+0x5f8 DeallocatedClustersListLengthInTrim : Uint4B
+0x5fc DeallocatedClustersListLengthToDrain : Uint4B
+0x600 MaxUnmapBlockDescriptorCount : Uint4B
+0x604 MaxUnmapLbaCount : Uint4B
+0x608 MaxTrimDataSetRangesLength : Uint4B
+0x60c MaxTrimClustersCount : Uint4B
+0x610 NumberOfInFlightTrim : Int4B
+0x614 NotifyInFlightTrim : Int4B
+0x618 DismountWaitingForBitmapScb : UChar
+0x619 DeallocatedClustersListWaitersHasNewWaiter : UChar
+0x620 ClearOfInFlightTrim : struct _KEVENT, 1 elements, 0x18 bytes
+0x638 SyncOnlyBitmapScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x640 EarliestTimeForDeallocatedClustersInTrimToDrain : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x648 DeallocatedClustersListWaiters : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x658 DeallocatedClusterListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x668 DeallocatedClusters1 : struct _DEALLOCATED_CLUSTERS, 5 elements, 0x40 bytes
+0x6a8 DeallocatedClusters2 : struct _DEALLOCATED_CLUSTERS, 5 elements, 0x40 bytes
+0x6e8 MarkUnusedContextQueue : struct _MARK_UNUSED_CONTEXT_QUEUE, 4 elements, 0x40 bytes
+0x728 DeallocatedClustersListIsNowEmpty : struct _KEVENT, 1 elements, 0x18 bytes
+0x740 DeallocatedClustersListIsNowPartiallyDrained : struct _KEVENT, 1 elements, 0x18 bytes
+0x758 ProtectedClustersMcb : struct _BASE_MCB, 5 elements, 0x18 bytes
+0x770 ProtectedClusterCount : Int8B
+0x778 UsnJournalInstance : struct _USN_JOURNAL_INSTANCE, 4 elements, 0x20 bytes
+0x798 FirstValidUsn : Int8B
+0x7a0 LowestOpenUsn : Int8B
+0x7a8 UsnJournalReference : struct _MFT_SEGMENT_REFERENCE, 3 elements, 0x8 bytes
+0x7b0 UsnCacheBias : Int8B
+0x7b8 NotifyUsnDeleteIrps : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x7c8 ModifiedOpenFiles : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x7d8 ModifiedOpenFilesLock : struct _FAST_MUTEX, 5 elements, 0x38 bytes
+0x810 CurrentTimeOutFiles : Ptr64 to struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x818 AgedTimeOutFiles : Ptr64 to struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x820 CurrentTimeOutFilesRangeTrack : Ptr64 to struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x828 AgedTimeOutFilesRangeTrack : Ptr64 to struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x830 TimeOutListA : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x840 TimeOutListB : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x850 TimeOutListRangeTrackA : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x860 TimeOutListRangeTrackB : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x870 DeleteUsnData : struct _NTFS_DELETE_JOURNAL_DATA, 4 elements, 0x18 bytes
+0x888 Resource : struct _ERESOURCE, 17 elements, 0x68 bytes
+0x8f0 SystemFileDefragResource : struct _ERESOURCE, 17 elements, 0x68 bytes
+0x958 LogHeaderReservation : Uint4B
+0x95c NotifyCount : Uint4B
+0x960 ViewIndexNotifyCount : Uint4B
+0x964 DeviceChangeCount : Uint4B
+0x968 SecurityCacheById : [128] Ptr64 to Ptr64 to struct _SHARED_SECURITY, 4 elements, 0x20 bytes
+0xd68 SecurityCacheByHash : [128] Ptr64 to struct _SHARED_SECURITY, 4 elements, 0x20 bytes
+0x1168 NextSecurityId : Uint4B
+0x116c QuotaState : Uint4B
+0x1170 QuotaFlags : Uint4B
+0x1174 QuotaOwnerId : Uint4B
+0x1178 QuotaDeleteSecquence : Uint4B
+0x117c QuotaControlDeleteCount : Uint4B
+0x1180 QuotaControlTable : struct _RTL_AVL_TABLE, 11 elements, 0x68 bytes
+0x11e8 QuotaControlLock : struct _FAST_MUTEX, 5 elements, 0x38 bytes
+0x1220 QuotaFileReference : struct _MFT_SEGMENT_REFERENCE, 3 elements, 0x8 bytes
+0x1228 AdministratorId : Uint4B
+0x122c ObjectIdState : Uint4B
+0x1230 QuotaControlTemplate : Ptr64 to struct _QUOTA_CONTROL_BLOCK, 8 elements, 0x38 bytes
+0x1238 AttributeDefinitions : Ptr64 to struct _ATTRIBUTE_DEFINITION_COLUMNS, 7 elements, 0xa0 bytes
+0x1240 Tunnel : struct TUNNEL, 4 elements, 0x58 bytes
+0x1298 SparseFileUnit : Uint4B
+0x129c SparseFileClusters : Uint4B
+0x12a0 MaxClusterCount : Int8B
+0x12a8 LfsWriteData : struct _LFS_WRITE_DATA, 4 elements, 0x18 bytes
+0x12c0 AcquireFilesCount : Uint4B
+0x12c4 LogFileFullCount : Uint4B
+0x12c8 CleanCheckpointMark : Uint4B
+0x12cc UnhandledLogFileFullCount : Uint4B
+0x12d0 CleanCheckpointCount : Uint4B
+0x12d4 FuzzyCheckpointCount : Uint4B
+0x12d8 AlmostOverflowedDPTCount : Uint4B
+0x12dc OverflowedDPTCount : Uint4B
+0x12e0 CheckpointInjectionCount : Uint4B
+0x12e4 WaitForCcLoggedDataActivityCount : Uint4B
+0x12e8 FlushOldestFOCount : Uint4B
+0x12ec RestartVersion : Uint4B
+0x12f0 OatEntrySize : Uint4B
+0x12f4 OatFlags : Uint4B
+0x12f8 QueuedCloseCount : Uint4B
+0x1300 SpareVpb : Ptr64 to struct _VPB, 9 elements, 0x60 bytes
+0x1308 OnDiskOat : Ptr64 to struct _RESTART_POINTERS, 6 elements, 0xe0 bytes
+0x1310 OpenAttributeData : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x1320 VolumeObjectId : [16] UChar
+0x1330 CachedRuns : struct _NTFS_CACHED_RUNS, 13 elements, 0x40 bytes
+0x1370 LastBitmapHint : Int8B
+0x1378 HashTable : struct _NTFS_HASH_TABLE, 5 elements, 0x118 bytes
+0x1490 MftReserveFlags : Uint4B
+0x1498 Overflow : struct _VCB_OVERFLOW, 5 elements, 0x70 bytes
+0x1508 TransactionsDoneEvent : struct _KEVENT, 1 elements, 0x18 bytes
+0x1520 CheckpointOwnerThread : Ptr64 to Void
+0x1528 DirtyPageTableSizeHint : Uint4B
+0x1530 ShrinkVolumeBoundary : Int8B
+0x1538 ShrinkNumberSectors : Uint8B
+0x1540 ReservedUsaMapping : struct _RESERVED_MAPPING, 2 elements, 0x40 bytes
+0x1580 ReservedResidentMapping : struct _RESERVED_MAPPING, 2 elements, 0x40 bytes
+0x15c0 ReservedUsaBuffers : Ptr64 to struct _NTFS_DATA_USA_RESERVED, 2 elements, 0x98 bytes
+0x15c8 BugCheckOnCorrupt : UChar
+0x15c9 DisableUnusedClustersHint : UChar
+0x15cc VolumeBitmapFlags : Uint4B
+0x15d0 RepairThread : Ptr64 to Void
+0x15d8 RepairQueueSpinLock : Uint8B
+0x15e0 RepairQueue : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x15f0 RepairQueueCount : Uint4B
+0x15f4 RepairFlags : Uint4B
+0x15f8 RepairThreadEvent : struct _KEVENT, 1 elements, 0x18 bytes
+0x1610 RepairCompletionWaiterCount : Uint4B
+0x1618 RepairCompletionEvent : struct _KEVENT, 1 elements, 0x18 bytes
+0x1630 RepairThreadDoneWaiterCount : Uint4B
+0x1638 RepairThreadDoneEvent : struct _KEVENT, 1 elements, 0x18 bytes
+0x1650 RepairLogScb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x1658 ReservedBitmapBuffer : Ptr64 to Void
+0x1660 ReservedMftBitmapBuffer : Ptr64 to Void
+0x1668 ReservedPageFileBuffer : Ptr64 to Void
+0x1670 ReservedPageFileMapping : Ptr64 to Void
+0x1678 ReservedPageFileLock : struct _FAST_MUTEX, 5 elements, 0x38 bytes
+0x16b0 EmptyFileRecord : Ptr64 to struct _FILE_RECORD_SEGMENT_HEADER, 13 elements, 0x34 bytes
+0x16b8 TxfVcb : struct _TXF_VCB, 18 elements, 0x368 bytes
+0x1a20 EncryptedPageFileCount : Uint4B
+0x1a24 VcbExtendedCharState : Uint4B
+0x1a28 MountTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x1a30 MountEvent : struct _KEVENT, 1 elements, 0x18 bytes
+0x1a48 LffOccurred : Uint4B
+0x1a4c BusType : Enum _STORAGE_BUS_TYPE, 21 total enums
+0x1a50 VendorId : struct _UNICODE_STRING, 3 elements, 0x10 bytes
+0x1a60 ProductId : struct _UNICODE_STRING, 3 elements, 0x10 bytes
+0x1a70 DriverId : struct _UNICODE_STRING, 3 elements, 0x10 bytes
+0x1a80 DriverVersion : struct _UNICODE_STRING, 3 elements, 0x10 bytes
+0x1a90 MaxTransferLength : Uint4B
+0x1a94 MaxDiscontinuousPages : Uint4B
+0x1a98 UsesPIO : UChar
+0x1a99 SupportsSyncIo : UChar
+0x1a9a DeviceType : UChar
+0x1a9b DeviceTypeModifier : UChar
+0x1a9c SupportsCommandQueuing : UChar
+0x1aa0 DeviceNumber : Uint4B
+0x1aa4 NumberOfDataCopies : Uint4B
+0x1aa8 Corruption : struct _VOLUME_CORRUPTION, 14 elements, 0x210 bytes
+0x1cb8 SdsCompaction : struct _VOLUME_SDS_COMPACTION, 3 elements, 0x40 bytes
+0x1cf8 NextCheckpointTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x1d00 ViewCountHeader : struct _VIEW_COUNT_HEADER, 8 elements, 0x168 bytes
+0x1e68 SupportedFeaturesFlags : Uint4B
+0x1e70 SupportedFeaturesLastRefreshTick : Uint8B
+0x1e78 MaxFileSize : Int8B
+0x1e80 VolumeGuid : struct _GUID, 4 elements, 0x10 bytes
+0x1e90 VolumeCorrelationId : struct _GUID, 4 elements, 0x10 bytes
+0x1ea0 OriginalVolumeCorrelationId : struct _GUID, 4 elements, 0x10 bytes
+0x1eb0 DeviceName : struct _UNICODE_STRING, 3 elements, 0x10 bytes
+0x1ec0 VolumeName : struct _UNICODE_STRING, 3 elements, 0x10 bytes
+0x1ed0 VolumeNameResource : struct _ERESOURCE, 17 elements, 0x68 bytes
+0x1f38 PnpNotificationEntry : Ptr64 to Void
+0x1f40 NestingLevel : Uint4B
+0x1f48 RangeTrack : struct _VCB_RANGETRACK, 4 elements, 0x80 bytes
+0x1fc8 TPMap : struct _RTL_BITMAP, 2 elements, 0x10 bytes
+0x1fd8 TPMapResolution : Uint8B
+0x1fe0 TPMapResolutionInClusters : Uint4B
+0x1fe4 TPMapFlags : Uint4B
+0x1fe8 TPMapFailure : Uint4B
+0x1ff0 OriginalBytesInFirstTPMapBit : Uint8B
  570. +0x1ff8 BytesInFirstTPMapBit : Uint8B
  571. +0x2000 BytesInLastTPMapBit : Uint8B
  572. +0x2008 HeatData : struct _TIERING_HEAT_DATA, 2 elements, 0x8 bytes
  573. +0x2010 OriginalHeatMeasurementFlags : Uint4B
  574. +0x2014 VolumeGuidForHeat : struct _GUID, 4 elements, 0x10 bytes
  575. +0x2024 PurgeFailures : Uint4B
  576. +0x2028 StatsLock : struct _EX_PUSH_LOCK, 7 elements, 0x8 bytes
  577. +0x2030 DiskFullHistory : struct _NTFS_THROTTLE_HISTORY, 4 elements, 0x30 bytes
  578. +0x2060 LowestFreeClusters : Int8B
  579. +0x2068 HighestFreeClusters : Int8B
  580. +0x2070 FreeSpaceLastLoggedTime : Int8B
  581. +0x2078 EnumOnMountItemToDelete : struct _WORK_QUEUE_ITEM, 3 elements, 0x20 bytes
  582. +0x2098 VcbCloseItem : struct _WORK_QUEUE_ITEM, 3 elements, 0x20 bytes
  583. +0x20b8 AsyncCloseList : struct _LIST_ENTRY, 2 elements, 0x10 bytes
  584. +0x20c8 AsyncCloseActive : UChar
  585. +0x20c9 ReduceDelayedClose : UChar
  586. +0x20cc AsyncCloseCount : Uint4B
  587. +0x20d0 DelayedCloseCount : Uint4B
  588. +0x20d8 DelayedCloseList : struct _LIST_ENTRY, 2 elements, 0x10 bytes
  589. +0x20e8 CloseDataLock : struct _FAST_MUTEX, 5 elements, 0x38 bytes
  590. +0x2120 TelemetryData : struct _NTFS_VOLUME_TELEMETRY_DATA, 43 elements, 0x3d8 bytes
  591. ```
  592.  
  593.  
File Control Block, `FCB`. Created for every opened file/directory.
```
0:000> dt -v _FCB
ntfs!_FCB
struct _FCB, 41 elements, 0x138 bytes
+0x000 NodeTypeCode : Uint2B
+0x002 NodeByteSize : Int2B
+0x004 FcbState : Uint4B
+0x008 FileReference : struct _MFT_SEGMENT_REFERENCE, 3 elements, 0x8 bytes
+0x010 FcbState2 : Uint4B
+0x014 CleanupCount : Uint4B
+0x018 CloseCount : Uint4B
+0x01c ReferenceCount : Uint4B
+0x020 BaseExclusiveCount : Uint2B
+0x022 SystemFileExId : Uint2B
+0x022 EaModificationCount : Uint2B
+0x028 LcbQueue : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x038 ScbQueue : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x048 ExclusiveFcbLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x058 Vcb : Ptr64 to struct _VCB, 292 elements, 0x24f8 bytes
+0x060 NonpagedFcb : Ptr64 to struct _FCB_NONPAGED, 7 elements, 0x158 bytes
+0x068 PagingIoResource : Ptr64 to struct _ERESOURCE, 17 elements, 0x68 bytes
+0x070 Info : struct _DUPLICATED_INFORMATION, 10 elements, 0x38 bytes
+0x0a8 InfoFlags : Uint4B
+0x0ac LinkCount : Uint2B
+0x0ae TotalLinks : Uint2B
+0x0b0 CurrentLastAccess : Int8B
+0x0b8 StreamFileCreationLock : struct _EX_PUSH_LOCK, 7 elements, 0x8 bytes
+0x0c0 SharedSecurity : Ptr64 to struct _SHARED_SECURITY, 4 elements, 0x20 bytes
+0x0c8 QuotaControl : Ptr64 to struct _QUOTA_CONTROL_BLOCK, 8 elements, 0x38 bytes
+0x0d0 UpdateLsn : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x0d8 TxfMetaDataLsn : union _CLS_LSN, 2 elements, 0x8 bytes
+0x0e0 TxfDirectoryLsn : union _CLS_LSN, 2 elements, 0x8 bytes
+0x0e8 TxfUserDataLsn : union _CLS_LSN, 2 elements, 0x8 bytes
+0x0f0 OwnerId : Uint4B
+0x0f4 DelayedCloseCount : Uint4B
+0x0f8 SecurityId : Uint4B
+0x0fc NonTransModifyCleanupCount : Uint4B
+0x100 Usn : Int8B
+0x108 FcbUsnRecord : Ptr64 to struct _FCB_USN_RECORD, 9 elements, 0x110 bytes
+0x110 FcbContext : Ptr64 to struct _FCB_CONTEXT, 1 elements, 0x1 bytes
+0x118 TxfRmcb : Ptr64 to struct _TXF_RMCB, 35 elements, 0x2358 bytes
+0x120 TxfFileId : Int8B
+0x120 TxfSystemFileListNext : Ptr64 to struct _FCB, 41 elements, 0x138 bytes
+0x128 TxfFcb : Ptr64 to struct _TXF_FCB, 21 elements, 0xa0 bytes
+0x130 FileContextSupport : Ptr64 to Void
```


Stream Control Block, `SCB`. Created for every opened stream. Each FCB can have more than one SCB.
```
0:000> dt -v _SCB
ntfs!_SCB
struct _SCB, 38 elements, 0x2d0 bytes
+0x000 Header : struct _FSRTL_ADVANCED_FCB_HEADER, 19 elements, 0x68 bytes
+0x068 EofLock : struct _FSRTL_EOF_LOCK, 7 elements, 0x28 bytes
+0x090 EofGeneration : Int4B
+0x098 FcbLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x0a8 Fcb : Ptr64 to struct _FCB, 41 elements, 0x138 bytes
+0x0b0 Vcb : Ptr64 to struct _VCB, 292 elements, 0x24f8 bytes
+0x0b8 State : Uint4B
+0x0bc NonCachedCleanupCount : Uint4B
+0x0c0 CleanupCount : Uint4B
+0x0c4 CloseCount : Uint4B
+0x0c8 PurgeFailureModeEnableCount : Uint4B
+0x0cc ReturnPurgeFailureEnableCount : Uint4B
+0x0d0 CacheCoherencyHitCount : Uint4B
+0x0d4 ShareAccess : struct _SHARE_ACCESS, 7 elements, 0x1c bytes
+0x0f0 AttributeTypeCode : Uint4B
+0x0f8 AttributeName : struct _UNICODE_STRING, 3 elements, 0x10 bytes
+0x108 FileObject : Ptr64 to struct _FILE_OBJECT, 30 elements, 0xd8 bytes
+0x110 NonpagedScb : Ptr64 to struct _SCB_NONPAGED, 10 elements, 0x48 bytes
+0x120 McbStructs : union NTFS_MCB_INITIAL_STRUCTS, 2 elements, 0x60 bytes
+0x180 Mcb : struct _NTFS_MCB, 6 elements, 0x30 bytes
+0x1b0 DefragCount : Uint4B
+0x1b4 CompressionUnit : Uint4B
+0x1b8 SparseOverAllocateSize : Uint4B
+0x1bc AttributeFlags : Uint2B
+0x1be CompressionUnitShift : UChar
+0x1bf PadUchar : UChar
+0x1c0 ValidDataToDisk : Int8B
+0x1c0 ValidDataInDax : Int8B
+0x1c8 TotalAllocated : Int8B
+0x1d0 CcbQueue : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x1e0 ScbSnapshot : Ptr64 to struct _SCB_SNAPSHOT, 15 elements, 0x68 bytes
+0x1e8 EncryptionContext : Ptr64 to Void
+0x1f0 Persist : Uint4B
+0x1f8 CreateSectionThread : Ptr64 to Void
+0x200 TxfScb : Ptr64 to struct _TXF_SCB, 22 elements, 0xe8 bytes
+0x208 EncryptionOnCloseContext : Ptr64 to Void
+0x210 MarkHandleDisallowWritesCount : Uint4B
+0x218 ScbType : union <unnamed-tag>, 3 elements, 0xb0 bytes
```


Context Control Block, `CCB`. Created for every _FILE_OBJECT (basically one per handle, unless you dupe the handle).
```
0:000> dt -v _CCB
ntfs!_CCB
struct _CCB, 32 elements, 0xd0 bytes
+0x000 NodeTypeCode : Uint2B
+0x002 NodeByteSize : Int2B
+0x004 Flags : Uint4B
+0x008 Flags2 : Uint4B
+0x010 FullFileName : struct _UNICODE_STRING, 3 elements, 0x10 bytes
+0x020 LastFileNameOffset : Uint2B
+0x022 EaModificationCount : Uint2B
+0x024 NextEaOffset : Uint4B
+0x028 ScbLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x038 LcbLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x048 Lcb : Ptr64 to struct _LCB, 27 elements, 0xe8 bytes
+0x050 TxfFo : Ptr64 to struct _TXF_FO, 15 elements, 0x48 bytes
+0x058 TypeOfOpen : UChar
+0x059 Reserved : UChar
+0x05a WriteExtendCount : Uint2B
+0x05c OwnerId : Uint4B
+0x060 LastOwnerId : Uint4B
+0x064 UsnSourceInfo : Uint4B
+0x068 AccessFlags : Uint2B
+0x06a Alignment : Uint2B
+0x070 FileObject : Ptr64 to struct _FILE_OBJECT, 30 elements, 0xd8 bytes
+0x078 ReadCopyNumber : Uint4B
+0x080 EncryptionOnCloseContext : Ptr64 to Void
+0x088 IndexContext : Ptr64 to struct _INDEX_CONTEXT, 14 elements, 0x170 bytes
+0x090 QueryLength : Uint4B
+0x098 QueryBuffer : Ptr64 to Void
+0x098 QueryLayoutContext : Ptr64 to struct _QUERY_FILE_LAYOUT_CCB_CONTEXT, 5 elements, 0x20 bytes
+0x0a0 IndexEntryLength : Uint4B
+0x0a8 IndexEntry : Ptr64 to struct _INDEX_ENTRY, 8 elements, 0x10 bytes
+0x0b0 FcbToAcquire : union <unnamed-tag>, 2 elements, 0x8 bytes
+0x0b8 MftScanFileReference : struct _MFT_SEGMENT_REFERENCE, 3 elements, 0x8 bytes
+0x0c0 EnumQueue : struct _LIST_ENTRY, 2 elements, 0x10 bytes
```


Links Control Block, `LCB`. A file may have multiple names (hardlinks), and the LCB ties them together. It links LCBs, CCBs, SCBs, and the FCB.
```
0:000> dt -v _LCB
ntfs!_LCB
struct _LCB, 27 elements, 0xe8 bytes
+0x000 NodeTypeCode : Uint2B
+0x002 NodeByteSize : Int2B
+0x004 LcbState : Uint4B
+0x008 ScbLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x018 Scb : Ptr64 to struct _SCB, 38 elements, 0x2d0 bytes
+0x020 TxfNumWriters : Uint4B
+0x028 Fcb : Ptr64 to struct _FCB, 41 elements, 0x138 bytes
+0x030 FcbLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x040 IgnoreCaseLink : struct _NAME_LINK, 2 elements, 0x28 bytes
+0x068 ExactCaseLink : struct _NAME_LINK, 2 elements, 0x28 bytes
+0x090 CcbQueue : struct _LIST_ENTRY, 2 elements, 0x10 bytes
+0x0a0 ParentDirectory : struct _MFT_SEGMENT_REFERENCE, 3 elements, 0x8 bytes
+0x0a8 Info : struct _DUPLICATED_INFORMATION, 10 elements, 0x38 bytes
+0x0e0 FileNameLength : UChar
+0x0e1 Flags : UChar
+0x0e2 FileName : [1] Wchar
+0x0a0 OverlayParentDirectory : struct _MFT_SEGMENT_REFERENCE, 3 elements, 0x8 bytes
+0x0a8 Alignment : struct _DUPLICATED_INFORMATION, 10 elements, 0x38 bytes
+0x0a8 QuickIndex : struct _QUICK_INDEX, 4 elements, 0x18 bytes
+0x0c0 ReferenceCount : Uint4B
+0x0c4 InfoFlags : Uint4B
+0x0c8 HashValue : Uint4B
+0x0cc CleanupCount : Uint4B
+0x0d0 FileNameAttr : Ptr64 to struct _FILE_NAME, 5 elements, 0x44 bytes
+0x0e0 OverlayFileNameLength : UChar
+0x0e1 OverlayFlags : UChar
+0x0e2 OverlayFileName : [1] Wchar
```
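To see how the FCB, SCB, CCB and LCB above hang together for one open file, here is an added WinDbg script (not part of the original paste): starting from an NTFS _FILE_OBJECT whose address is assumed to be in @$t0, it follows FsContext (SCB) and FsContext2 (CCB), then Fcb and Vcb, and walks the FCB's ScbQueue and LcbQueue to list every stream and every name of that file. It assumes ntfs type information is loaded, as the dumps above require, and that the file object is an ordinary file or directory open (for other open types FsContext2 may be NULL).

```windbg
$$ Added example, not from the original paste. Assumes @$t0 = address of an NTFS _FILE_OBJECT;
$$ for an ordinary file/directory open FsContext is the SCB and FsContext2 is the CCB.;
r? $t1 = (ntfs!_SCB *)(((nt!_FILE_OBJECT *)@$t0)->FsContext);
r? $t2 = (ntfs!_CCB *)(((nt!_FILE_OBJECT *)@$t0)->FsContext2);
r? $t3 = @$t1->Fcb;
r? $t4 = @$t3->Vcb;
.printf "FILE_OBJECT %p -> SCB %p -> FCB %p -> VCB %p, CCB %p\n", @$t0, @$t1, @$t3, @$t4, @$t2;
$$ The CCB is the per-handle view: how the file was opened and under which name.;
dt ntfs!_CCB @$t2 TypeOfOpen FullFileName;
$$ The FCB is per file: its MFT record reference and the open/close counts.;
dt ntfs!_FCB @$t3 FileReference CleanupCount CloseCount ReferenceCount LinkCount;
$$ Every SCB of this FCB: FCB.ScbQueue links the SCBs through SCB.FcbLinks.;
r? $t5 = @$t3->ScbQueue.Flink;
.while (@@c++(@$t5 != &@$t3->ScbQueue)) {
    r? $t6 = #CONTAINING_RECORD(@$t5, ntfs!_SCB, FcbLinks);
    .printf "  SCB %p\n", @$t6;
    dt ntfs!_SCB @$t6 AttributeTypeCode AttributeName CleanupCount;
    r? $t5 = @$t5->Flink;
};
$$ Every name (hardlink) of this FCB: FCB.LcbQueue links the LCBs through LCB.FcbLinks.;
r? $t5 = @$t3->LcbQueue.Flink;
.while (@@c++(@$t5 != &@$t3->LcbQueue)) {
    r? $t6 = #CONTAINING_RECORD(@$t5, ntfs!_LCB, FcbLinks);
    .printf "  LCB %p\n", @$t6;
    dt ntfs!_LCB @$t6 ParentDirectory FileNameLength ReferenceCount CleanupCount;
    r? $t5 = @$t5->Flink;
};
$$ Finally the volume this file lives on, as the script at the top of the paste does for all volumes.;
dt ntfs!_VCB @$t4 DeviceName VolumeName LowestFreeClusters HighestFreeClusters;
```

Save it to a file and run it with `$$><path` after setting `r $t0`; every line ends in `;` so the condensed single-line form still parses, and the result should match what the volume script prints for that file's VCB.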


The regular and familiar `DEVICE_OBJECT`. In public symbols.
```
0: kd> dt -v nt!_DEVICE_OBJECT
struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 ReferenceCount : Int4B
+0x008 DriverObject : Ptr64 to struct _DRIVER_OBJECT, 15 elements, 0x150 bytes
+0x010 NextDevice : Ptr64 to struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x018 AttachedDevice : Ptr64 to struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x020 CurrentIrp : Ptr64 to struct _IRP, 23 elements, 0xd0 bytes
+0x028 Timer : Ptr64 to struct _IO_TIMER, 6 elements, 0x30 bytes
+0x030 Flags : Uint4B
+0x034 Characteristics : Uint4B
+0x038 Vpb : Ptr64 to struct _VPB, 9 elements, 0x60 bytes
+0x040 DeviceExtension : Ptr64 to Void <<<< points to VCB
+0x048 DeviceType : Uint4B
+0x04c StackSize : Char
+0x050 Queue : union <anonymous-tag>, 2 elements, 0x48 bytes
+0x098 AlignmentRequirement : Uint4B
+0x0a0 DeviceQueue : struct _KDEVICE_QUEUE, 7 elements, 0x28 bytes
+0x0c8 Dpc : struct _KDPC, 11 elements, 0x40 bytes
+0x108 ActiveThreadCount : Uint4B
+0x110 SecurityDescriptor : Ptr64 to Void
+0x118 DeviceLock : struct _KEVENT, 1 elements, 0x18 bytes
+0x130 SectorSize : Uint2B
+0x132 Spare1 : Uint2B
+0x138 DeviceObjectExtension : Ptr64 to struct _DEVOBJ_EXTENSION, 16 elements, 0x70 bytes
+0x140 Reserved : Ptr64 to Void
```


`DEVOBJ_EXTENSION`, pointed to by `DEVICE_OBJECT.DeviceObjectExtension`. Not to be confused with `DEVICE_OBJECT.DeviceExtension`. In public symbols.
```
0: kd> dt -v nt!_DEVOBJ_EXTENSION
struct _DEVOBJ_EXTENSION, 16 elements, 0x70 bytes
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x008 DeviceObject : Ptr64 to struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x010 PowerFlags : Uint4B
+0x018 Dope : Ptr64 to struct _DEVICE_OBJECT_POWER_EXTENSION, 14 elements, 0x60 bytes
+0x020 ExtensionFlags : Uint4B
+0x028 DeviceNode : Ptr64 to Void
+0x030 AttachedTo : Ptr64 to struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x038 StartIoCount : Int4B
+0x03c StartIoKey : Int4B
+0x040 StartIoFlags : Uint4B
+0x048 Vpb : Ptr64 to struct _VPB, 9 elements, 0x60 bytes
+0x050 DependencyNode : Ptr64 to Void
+0x058 InterruptContext : Ptr64 to Void
+0x060 InterruptCount : Int4B
+0x068 VerifierContext : Ptr64 to Void
```


Volume Parameter Block, `VPB`. In public symbols.
```
0: kd> dt -v nt!_VPB
struct _VPB, 9 elements, 0x60 bytes
+0x000 Type : Int2B
+0x002 Size : Int2B
+0x004 Flags : Uint2B
+0x006 VolumeLabelLength : Uint2B
+0x008 DeviceObject : Ptr64 to struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x010 RealDevice : Ptr64 to struct _DEVICE_OBJECT, 25 elements, 0x150 bytes
+0x018 SerialNumber : Uint4B
+0x01c ReferenceCount : Uint4B
+0x020 VolumeLabel : [32] Wchar
```