Find all open handles or references to USB drive
I am analyzing a post-mortem kernel dump and trying to identify all processes and filter drivers that may hold references or open handles to a USB storage volume. I have tried examining all open handles, but even when restricted to File objects only, the data is unmanageable. So I went through the !object \ listing to find the volume I am looking for:
3: kd> !devobj fffffa8007169cd0
Device object (fffffa8007169cd0) is for:
HarddiskVolume6 \Driver\volmgr DriverObject fffffa8006af2060
Current Irp 00000000 RefCount 34 Type 00000007 Flags 00001050
Vpb fffffa8007168940 Dacl fffff9a10033a3c0 DevExt fffffa8007169e20 DevObjExt fffffa8007169f88 Dope fffffa80071688d0 DevNode fffffa800716b890
3: kd> !vpb fffffa8007168940
Vpb at 0xfffffa8007168940
Flags: 0x1 mounted
DeviceObject: 0xfffffa8008880030
RealDevice: 0xfffffa8007169cd0
RefCount: 34
Volume Label:
Is it possible to find out what all 34 of these references are?
Is there a simple way to identify what is using any given volume in a memory dump?
Does !devhandles on the devobject give you any details?
kd> .shell -ci "!object \Device" grep -i harddisk
xxxxxxxxxx
20 849a8e20 Device HarddiskVolume8
xxxxxxxx
kd> !devobj 849a8e20
Device object (849a8e20) is for:
HarddiskVolume8 \Driver\volmgr DriverObject 851708b0
Current Irp 00000000 RefCount 5 Type 00000007 Flags 00003050
Vpb 8594de78 Dacl b0c8b8a4 DevExt 849a8ed8 DevObjExt 849a8fc0 Dope 8493ee10 DevNode 86643708
ExtensionFlags (0000000000)
Characteristics (0x00000001) FILE_REMOVABLE_MEDIA <--------
AttachedDevice (Upper) 866f04c8 \Driver\fvevol
Device queue is not busy.
kd> !devhandles 849a8e20
Checking handle table for process 0x84830ae8
Kernel handle table at 89601b80 with 636 entries in use
xxxxxxxxxxxxxxxxxxxxxxxx
PROCESS 86479210 SessionId: 1 Cid: 05e8 Peb: 7ffdf000 ParentCid: 05b0
DirBase: 7e28f2c0 ObjectTable: 94dcc900 HandleCount: 923.
Image: explorer.exe
121c: Object: 84a03550 GrantedAccess: 00100081 Entry: adac3438
Object: 84a03550 Type: (848adde8) File
ObjectHeader: 84a03538 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: \ {HarddiskVolume8} <----
PROCESS 86479210 SessionId: 1 Cid: 05e8 Peb: 7ffdf000 ParentCid: 05b0
DirBase: 7e28f2c0 ObjectTable: 94dcc900 HandleCount: 923.
Image: explorer.exe
12ac: Object: 84a0a038 GrantedAccess: 00100081 Entry: adac3558
Object: 84a0a038 Type: (848adde8) File
ObjectHeader: 84a0a020 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: \ {HarddiskVolume8} <-----
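As an added example (not part of the question or the answer above), a small Python parser that turns `!devhandles` output like the listing above into one record per handle, so the handle list that was "unmanageable" by hand can be reduced to which process holds the volume open and with which rights. The access-right names are the file-object rights from winnt.h; the sample text is constructed to mirror the answer's output, with the elided lines left out.

```python
import re
from collections import Counter
# File-object access rights (winnt.h) used to decode the GrantedAccess mask.
ACCESS_BITS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
               0x20: "FILE_EXECUTE", 0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES",
               0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
               0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
KERNEL_RE = re.compile(r"^Kernel handle table at ([0-9a-f]+)", re.I)
PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f]+)\s+SessionId:\s*(\d+)\s+Cid:\s*([0-9a-f]+)", re.I)
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")
HANDLE_RE = re.compile(r"^\s*([0-9a-f]+):\s+Object:\s+([0-9a-f]+)\s+GrantedAccess:\s+([0-9a-f]+)", re.I)
NAME_RE = re.compile(r"Directory Object:\s*[0-9a-f]+\s+Name:\s*(.*?)\s*(?:<-+)?\s*$", re.I)

def decode_access(mask):
    """Expand a GrantedAccess mask into the named rights it contains."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def parse_devhandles(text):
    """Return one dict per handle in !devhandles output, tagged with the owning process."""
    records, owner, current = [], None, None
    for line in text.splitlines():
        if m := KERNEL_RE.match(line):  # kernel handle table is listed before any PROCESS block
            owner = {"eprocess": m.group(1), "pid": None, "image": "<kernel handle table>"}
        elif m := PROCESS_RE.match(line):
            owner = {"eprocess": m.group(1), "pid": int(m.group(3), 16), "image": "?"}
        elif (m := IMAGE_RE.match(line)) and owner:
            owner["image"] = m.group(1)
        elif (m := HANDLE_RE.match(line)) and owner:
            current = dict(owner, handle=int(m.group(1), 16), object=m.group(2),
                           access=int(m.group(3), 16), name="")
            records.append(current)
        elif (m := NAME_RE.search(line)) and current:
            current["name"] = m.group(1)  # "\ {HarddiskVolume8}" is the volume root itself
            current = None
    return records

def handles_per_image(records):
    """Collapse the handle list into (image, pid) -> count: who is holding the volume open."""
    return Counter((r["image"], r["pid"]) for r in records)

# Constructed sample in the format the answer shows (elided lines omitted).
SAMPLE = """\
Kernel handle table at 89601b80 with 636 entries in use
PROCESS 86479210  SessionId: 1  Cid: 05e8    Peb: 7ffdf000  ParentCid: 05b0
    Image: explorer.exe
121c: Object: 84a03550  GrantedAccess: 00100081 Entry: adac3438
        Directory Object: 00000000  Name: \\ {HarddiskVolume8} <----
12ac: Object: 84a0a038  GrantedAccess: 00100081 Entry: adac3558
        Directory Object: 00000000  Name: \\ {HarddiskVolume8}
"""
```

For the two explorer.exe handles above, `decode_access(0x00100081)` yields FILE_READ_DATA, FILE_READ_ATTRIBUTES and SYNCHRONIZE, i.e. read-only handles on the volume root.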