Handle Information for Volume
I used WinDBG to get the handle information:
kd> !handle 430
PROCESS 85c91030 SessionId: 0 Cid: 0388 Peb: 7ffdc000 ParentCid: 01e8
DirBase: 7ee841c0 ObjectTable: 8da023f0 HandleCount: 539.
Image: svchost.exe
Handle table at 9a3da000 with 539 entries in use
0430: Object: 8480e038 GrantedAccess: 00100080 Entry: 8da01860
Object: 8480e038 Type: (844f9ac8) File
ObjectHeader: 8480e020 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: \ {HarddiskVolume2}
I know most of this data comes from _FILE_OBJECT, but I don't know how {HarddiskVolume2} is determined. How does WinDBG get this information?
It is the device object name of the partition on your hard disk.
kd> !object \Device\HardDisk0\
Object: e13d5f58 Type: (812bd3c8) Directory
ObjectHeader: e13d5f40 (old version)
HandleCount: 1 PointerCount: 6
Directory Object: e10077a0 Name: Harddisk0
Hash Address Type Name
---- ------- ---- ----
21 8123e5e0 Device DR0
33 e13d3a50 SymbolicLink Partition0
34 e13d3030 SymbolicLink Partition1
36 8126b030 Device DP(1)0x7e00-0xfff2e4400+1
kd> !object \Device\HardDisk0\Partition1
Object: e13d3030 Type: (812bd1f8) SymbolicLink
ObjectHeader: e13d3018 (old version)
HandleCount: 0 PointerCount: 1
Directory Object: e13d5f58 Name: Partition1
Target String is '\Device\HarddiskVolume1'
You can also do the reverse lookup with !driveinfo [dosdevicename]
kd> !driveinfo c:
Drive c:, DriveObject e13d3770
Directory Object: e1004890 Name: C:
Target String is '\Device\HarddiskVolume1'
Drive Letter Index is 3 (C:)
Volume DevObj: 8126bd98
Vpb: 8123db20 DeviceObject: 8121b020
FileSystem: \FileSystem\Ntfs
Python script to get all drive mappings
# qdd.py - list drive letters and the NT device names they map to (Python 3, Windows only)
from ctypes import WinDLL, WinError, create_unicode_buffer, get_last_error

kernel32 = WinDLL("kernel32", use_last_error=True)

# GetLogicalDriveStrings fills "C:\<NUL>D:\<NUL>...<NUL><NUL>" and returns the
# number of characters written (not counting the final NUL).
drives = create_unicode_buffer(1024)
n = kernel32.GetLogicalDriveStringsW(len(drives), drives)
if n == 0:
    raise WinError(get_last_error())
letters = [d for d in drives[:n].split("\0") if d]
print(" ".join(letters))

# QueryDosDevice("C:") returns the NT device name(s) the drive letter maps to,
# again as a NUL-separated list; the first entry is the current mapping.
for letter in letters:
    target = create_unicode_buffer(4096)
    m = kernel32.QueryDosDeviceW(letter.rstrip("\\"), target, len(target))
    if m == 0:
        raise WinError(get_last_error())
    print(target[:m].split("\0")[0])
Run it
python qdd.py
C:\ D:\ E:\ F:\ G:\
\Device\HarddiskVolume2
\Device\HarddiskVolume3
\Device\HarddiskVolume4
\Device\CdRom0
\Device\HarddiskVolume5
Edit
If you are on XP SP3, this script can help you understand how windbg retrieves {HarddiskVolume1}. The script also assumes some things, e.g. the kernel handle table level: don't blindly index handle * size + start of table. In later OSes the OBJECT_HEADER structure is different: there is no NameInfoOffset field in OBJECT_HEADER, but a TypeIndex. You may need to modify this script for OS > XP.
$$ getfilename.txt <handle>: print the file name and {device name} for a kernel handle (XP SP3 layout)
$$ byte offset of this handle's entry: handle values step by 4, entries are sizeof(_HANDLE_TABLE_ENTRY)
r $t0 = (@@c++((sizeof(nt!_HANDLE_TABLE_ENTRY) / sizeof(unsigned long))) * ${$arg1})
$$ address of the entry; assumes a single-level table, so TableCode is used directly as the table base
r $t1 = (@$t0 + poi(poi(nt!ObpKernelHandleTable)))
$$ offsets: Body in _OBJECT_HEADER, DeviceObject in _FILE_OBJECT, NameInfoOffset field in _OBJECT_HEADER
r $t2 = (@@c++(#FIELD_OFFSET(nt!_OBJECT_HEADER ,Body)))
r $t3 = (@@c++(#FIELD_OFFSET(nt!_FILE_OBJECT ,DeviceObject)))
r $t4 = (@@c++(#FIELD_OFFSET(nt!_OBJECT_HEADER ,NameInfoOffset)))
$$ the _FILE_OBJECT: object header pointer from the entry (low 3 bits are flags) plus the Body offset
r $t5 = ((poi(@$t1) & 0xfffffff8 ) + @$t2)
$$ the device object's name: on XP the name info (Directory, Name) sits right before the object header
r $t6 = (poi(@$t5 + @$t3) - @$t2 - @$t4)
.printf "%mu {%msu}" , @@c++(((nt!_FILE_OBJECT *) @@masm( @$t5 ))->FileName.Buffer ) , @$t6
Run it like this
kd> $$>a< "xxx\getfilename.txt" 294
\Documents and Settings\NetworkService\NTUSER.DAT {HarddiskVolume1}
Confirm with !handle 294
PROCESS 80559c20 SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1000b78 HandleCount: 230.
Image: Idle
Kernel handle table at e1002000 with 230 entries in use
0294: Object: 810c20e0 GrantedAccess: 00000003 (Protected) Entry: e1002528
Object: 810c20e0 Type: (8127b900) File
ObjectHeader: 810c20c8 (old version)
HandleCount: 1 PointerCount: 4
Directory Object: 00000000 Name: \Documents and Settings\NetworkService\NTUSER.DAT {HarddiskVolume1}
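The drive-letter to \Device\HarddiskVolumeN mapping above is what you need whenever a tool reports NT paths (handle listings, ETW/Sysmon file events, the !handle output in the question) and you want the C:\ form, or the other way round. The following is an added example, not code from the answer above: it builds the map in both directions and translates paths, matching the device name as a whole component so that HarddiskVolume2 never claims a path on HarddiskVolume20. SAMPLE_DRIVES and SAMPLE_TARGETS are constructed values (an assumption, modelled on the answer's output) so the logic runs anywhere; on Windows the script calls GetLogicalDriveStringsW/QueryDosDeviceW for the real mapping.

```python
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data (an assumption, not real output): drive letters and
# raw QueryDosDevice buffers of a machine like the one in the answer.
SAMPLE_DRIVES = ["C:", "D:", "E:"]
SAMPLE_TARGETS = {
    "C:": "\\Device\\HarddiskVolume2\0\0",
    "D:": "\\Device\\HarddiskVolume3\0\0",
    "E:": "\\Device\\CdRom0\0\0",
}


def split_multi_sz(buf: str) -> List[str]:
    """Split a NUL-separated, double-NUL-terminated buffer into its strings."""
    return [s for s in buf.split("\0") if s]


def build_maps(drives: List[str], query: Callable[[str], str]
               ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (dos_to_nt, nt_to_dos). query(letter) returns the raw
    QueryDosDevice buffer; the first entry is the current mapping, later
    entries (if any) are older mappings that DefineDosDevice left behind."""
    dos_to_nt: Dict[str, str] = {}
    for drive in drives:
        targets = split_multi_sz(query(drive))
        if targets:
            dos_to_nt[drive.upper()] = targets[0]
    # NT device names are matched case-insensitively, so key them lowercased
    nt_to_dos = {nt.lower(): dos for dos, nt in dos_to_nt.items()}
    return dos_to_nt, nt_to_dos


def nt_to_dos_path(nt_path: str, nt_to_dos: Dict[str, str]) -> Optional[str]:
    """\\Device\\HarddiskVolume2\\Windows -> C:\\Windows. The device name must
    end at a path separator (or the end of the path), so HarddiskVolume2
    does not match HarddiskVolume20; devices without a letter give None."""
    low = nt_path.lower()
    for dev, letter in nt_to_dos.items():
        if low.startswith(dev) and (len(low) == len(dev) or low[len(dev)] == "\\"):
            return letter + nt_path[len(dev):]
    return None


def dos_to_nt_path(dos_path: str, dos_to_nt: Dict[str, str]) -> Optional[str]:
    """C:\\Windows -> \\Device\\HarddiskVolume2\\Windows (None for unknown letters)."""
    dev = dos_to_nt.get(dos_path[:2].upper())
    return None if dev is None else dev + dos_path[2:]


def win_logical_drives() -> List[str]:
    """Drive letters visible to this session, via GetLogicalDriveStringsW (Windows only)."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    buf = ctypes.create_unicode_buffer(1024)
    n = k32.GetLogicalDriveStringsW(len(buf), buf)
    if n == 0:
        raise ctypes.WinError(ctypes.get_last_error())
    return [d.rstrip("\\") for d in split_multi_sz(buf[:n])]


def win_query_dos_device(name: str) -> str:
    """Raw QueryDosDeviceW buffer for a DOS device name such as 'C:' (Windows only)."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    buf = ctypes.create_unicode_buffer(4096)
    n = k32.QueryDosDeviceW(name, buf, len(buf))
    if n == 0:
        raise ctypes.WinError(ctypes.get_last_error())
    return buf[:n]


if __name__ == "__main__":
    if sys.platform == "win32":
        d2n, n2d = build_maps(win_logical_drives(), win_query_dos_device)
    else:
        d2n, n2d = build_maps(SAMPLE_DRIVES, SAMPLE_TARGETS.__getitem__)
    for dos, nt in sorted(d2n.items()):
        print(f"{dos} -> {nt}")
    for p in sys.argv[1:] or ["\\Device\\HarddiskVolume2\\Windows\\System32\\config\\SAM"]:
        print(p, "->", nt_to_dos_path(p, n2d) or dos_to_nt_path(p, d2n))
```

Two caveats when using the real mapping: drive letters are per logon session (a service sees the session-0 view, not the mapped network drives of an interactive user), and a QueryDosDevice buffer can hold more than one target after DefineDosDevice remaps a letter, which is why only the first entry is taken as current.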