// Decompiler pseudo-code excerpt of NtfsQueryEaUserEaList, re-flowed so that each
// statement sits on its own line. Lines reading ". . . . . ." are elisions made by
// the author of the excerpt; the locals v9, offset, padding, v24, FeaOffset and the
// labels LABEL_8 / LABEL_26 are declared or defined in those omitted parts.
//
// What the visible code does: for each entry of the caller-supplied EA name list
// (pUserEaList) it upper-cases and validates the name, looks the name up in the
// file's current EAs (CurrentEas) and copies the matching FILE_FULL_EA_INFORMATION
// record into the output buffer at PEaBuffer, tracking the remaining space in
// UserBufferLength and the alignment padding owed before the next record.
_QWORD *__fastcall NtfsQueryEaUserEaList(_QWORD *a1, FILE_FULL_EA_INFORMATION *CurrentEas, __int64 a3, __int64 PEaBuffer, unsigned int UserBufferLength, FILE_GET_EA_INFORMATION *pUserEaList, char a7)
{
  . . . . . .
  while ( 1 )
  {
    // Index the current member of the EA list; it is used for the lookup below.
    v11 = (FILE_GET_EA_INFORMATION *)((char *)pUserEaList + v9);
    *(_QWORD *)&DestinationString.Length = 0i64;
    DestinationString.Buffer = 0i64;
    *(_QWORD *)&SourceString.Length = 0i64;
    SourceString.Buffer = 0i64;
    *(_QWORD *)&DestinationString.Length = v11->EaNameLength;
    DestinationString.MaximumLength = DestinationString.Length;
    DestinationString.Buffer = v11->EaName;
    // Upper-cases the name in place (source and destination are the same string).
    RtlUpperString(&DestinationString, &DestinationString);
    // Check whether the name of this EA-list member is valid; leave the loop if not.
    if ( !(unsigned __int8)NtfsIsEaNameValid(&DestinationString) )
      break;
    v12 = v11->NextEntryOffset;
    v13 = v11->EaNameLength;
    v22 = v11->NextEntryOffset + v9;
    // Walk the queried EaList from its start until the current member is reached.
    for ( curEaList = pUserEaList; ; curEaList = (FILE_GET_EA_INFORMATION *)((char *)curEaList + curEaList->NextEntryOffset) )
    {
      if ( curEaList == v11 )
      {
        v15 = offset;
        // v16 is the write position inside the output buffer, which the original
        // annotation describes as an allocated kernel pool block: buffer base +
        // pending alignment padding + bytes already written.
        v16 = (_DWORD *)(PEaBuffer + padding + offset);
        // Look up the EA record that matches the requested name.
        if ( NtfsLocateEaByName((__int64)CurrentEas, *(_DWORD *)(a3 + 4), &DestinationString, &FeaOffset) )
        {
          ea_block = (FILE_FULL_EA_INFORMATION *)((char *)CurrentEas + FeaOffset);
          // Compute the number of bytes to copy. The constant 9 presumably covers the
          // 8-byte fixed header plus the name's terminating NUL -- confirm against the
          // FILE_FULL_EA_INFORMATION layout.
          RawEaSize = ea_block->EaValueLength + ea_block->EaNameLength + 9;
          // Intended overflow guard -- and the root cause of the overflow below.
          // UserBufferLength is declared unsigned int, so "UserBufferLength - padding"
          // is evaluated in unsigned arithmetic (padding's own type is not visible in
          // this excerpt). At the bottom of the loop UserBufferLength is reduced by
          // RawEaSize + padding and padding is then recomputed as the 0..3 bytes that
          // align RawEaSize to 4. Nothing visible here ensures that the new padding
          // still fits in the remaining length, so on a later entry the subtraction
          // can wrap to a very large value and the comparison passes for any RawEaSize.
          // A form that cannot wrap checks the padding first, e.g.
          //   padding <= UserBufferLength && RawEaSize <= UserBufferLength - padding
          if ( RawEaSize <= UserBufferLength - padding )
          {
            // Overflow point: once the guard above has wrapped, this copy writes
            // RawEaSize bytes at v16 even though less space than that remains.
            memmove(v16, ea_block, RawEaSize);
            // Clears the first DWORD of the copied record; when another entry follows
            // it is filled in later through v24 (see "*v24 = ..." below).
            *v16 = 0;
            goto LABEL_8;
          }
        }
        . . . . . .
        if ( !a7 )
        {
          // Store in the previous record's first DWORD the distance to the current one.
          if ( v24 )
            *v24 = (_DWORD)v16 - (_DWORD)v24;
          // Check whether the EA list has further members.
          if ( v11->NextEntryOffset )
          {
            v24 = v16;
            // Subtract what this record consumed (its size plus the padding placed in
            // front of it) from the remaining length. No lower bound is checked in the
            // visible code.
            UserBufferLength -= RawEaSize + padding;
            // Padding for the next record: bytes needed to round RawEaSize up to a
            // multiple of 4. It is not subtracted from UserBufferLength until the
            // next record has been written.
            padding = ((RawEaSize + 3) & 0xFFFFFFFC) - RawEaSize;
            goto LABEL_26;
          }
        }
        . . . . . .
}
(NtfsQueryEaUserEaList函数片段)