Trying to view the _FILE_ID_BOTH_DIR_INFORMATION structure in memory with WinDbg

I am trying to use WinDbg to view the Windows file system structure _FILE_ID_BOTH_DIR_INFORMATION in memory, but for some reason it tells me it cannot find the symbol.

I have WinDbg connected over a pipe to a Windows XP virtual machine to debug its kernel. I tried the command dt _FILE_ID_BOTH_DIR_INFORMATION esi to view the structure's data, since the value of ESI is an address containing the structure I want to inspect.

All I get is the following output:

3: kd> dt _FILE_ID_BOTH_DIR_INFORMATION esi
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that     ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: _FILE_ID_BOTH_DIR_INFORMATION                 ***
***                                                                   ***
*************************************************************************
Symbol _FILE_ID_BOTH_DIR_INFORMATION not found.

Other structures work for me, such as _DRIVER_OBJECT.

From Microsoft's documentation, what I know about the _FILE_ID_BOTH_DIR_INFORMATION symbol is that it is included in ntifs.h. I could not find any information on whether this symbol is provided by the Microsoft Symbol Server.

No, this type information does not seem to be available in the public PDBs provided by MS.

You can check for yourself with wildcards:

0: kd> dt nt!*_FILE_*
          ntkrnlmp!_FILE_INFORMATION_CLASS
          ntkrnlmp!_FILE_OBJECT
          ntkrnlmp!_PF_FILE_ACCESS_TYPE
          ntkrnlmp!_FILE_SEGMENT_ELEMENT
          ntkrnlmp!_IOP_FILE_OBJECT_EXTENSION
          ntkrnlmp!_CREATE_FILE_TYPE
          ntkrnlmp!_FILE_OBJECT_EXTENSION_TYPE
          ntkrnlmp!_DUMMY_FILE_OBJECT
          ntkrnlmp!_IMAGE_FILE_HEADER
          ntkrnlmp!_FILE_BASIC_INFORMATION
          ntkrnlmp!_FILE_GET_QUOTA_INFORMATION
          ntkrnlmp!_FILE_NETWORK_OPEN_INFORMATION
          ntkrnlmp!_MMPAGE_FILE_EXPANSION
          ntkrnlmp!_FILE_STANDARD_INFORMATION
          ntkrnlmp!_MAPPED_FILE_SEGMENT
          ntkrnlmp!_MMPAGE_FILE_EXPANSION_FLAGS
          ntkrnlmp!_MI_PAGING_FILE_SPACE_BITMAPS
0: kd> dt nt!*_FILE_I*
          ntkrnlmp!_FILE_INFORMATION_CLASS

As for viewing them, you can look at the raw contents of memory: just do dd @esi and correlate it with the structure in ntifs.h,

or use .printf with some find-and-replace in Notepad to print formatted output.

I just copy-pasted the structure from the documentation into Notepad++, used find-and-replace to prepend .printf, then used the same process to append \t%x at the end, adjusted the offsets from the pseudo-register and saved it as a .txt file.

I used $$>a< to run it as a WinDbg script, giving the pseudo-register a random offset (just making sure there was some Unicode string at offset+0x48). The result is below.

r $t0 = (fffff805`19ec53e0-48)

.printf "typedef struct _FILE_ID_BOTH_DIR_INFORMATION {                             \n"
.printf "  ULONG         NextEntryOffset;                                           \t%x\n"  , @$t0+0
.printf "  ULONG         FileIndex;                                                 \t%x\n"  , @$t0+4
.printf "  LARGE_INTEGER CreationTime;                                              \t%N\n"  , @$t0+8
.printf "  LARGE_INTEGER LastAccessTime;                                            \t%N\n"  , @$t0+10
.printf "  LARGE_INTEGER LastWriteTime;                                             \t%N\n"  , @$t0+18
.printf "  LARGE_INTEGER ChangeTime;                                                \t%N\n"  , @$t0+20
.printf "  LARGE_INTEGER EndOfFile;                                                 \t%N\n"  , @$t0+28
.printf "  LARGE_INTEGER AllocationSize;                                            \t%N\n"  , @$t0+30
.printf "  ULONG         FileAttributes;                                            \t%x\n"  , @$t0+38
.printf "  ULONG         FileNameLength;                                            \t%x\n"  , @$t0+3c
.printf "  ULONG         EaSize;                                                    \t%x\n"  , @$t0+40
.printf "  CCHAR         ShortNameLength;                                           \t%x\n"  , @$t0+44
.printf "  WCHAR         ShortName[12];                                             \t%mu\n" , @$t0+48
.printf "  LARGE_INTEGER FileId;                                                    \t%N\n"  , @$t0+54
.printf "  WCHAR         FileName[1];                                               \t%mu\n" , @$t0+58
.printf "} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;            \n"

Result:

0: kd> $$>a< f:\wdscr\fileid.wds
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {                              
  ULONG         NextEntryOffset;                                                19ec5398
  ULONG         FileIndex;                                                      19ec539c
  LARGE_INTEGER CreationTime;                                                   FFFFF80519EC53A0
  LARGE_INTEGER LastAccessTime;                                             FFFFF80519EC53A8
  LARGE_INTEGER LastWriteTime;                                                  FFFFF80519EC53B0
  LARGE_INTEGER ChangeTime;                                                 FFFFF80519EC53B8
  LARGE_INTEGER EndOfFile;                                                      FFFFF80519EC53C0
  LARGE_INTEGER AllocationSize;                                             FFFFF80519EC53C8
  ULONG         FileAttributes;                                             19ec53d0
  ULONG         FileNameLength;                                             19ec53d4
  ULONG         EaSize;                                                     19ec53d8
  CCHAR         ShortNameLength;                                                19ec53dc
  WCHAR         ShortName[12];                                                  KeRevertToUserGroupAffinityThread
  LARGE_INTEGER FileId;                                                     FFFFF80519EC53EC
  WCHAR         FileName[1];                                                    ToUserGroupAffinityThread
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
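The raw-memory approach the answer describes (dd @esi, then correlate with the structure in ntifs.h), as an added Python example that is not part of the original answer: it decodes a buffer of FILE_ID_BOTH_DIR_INFORMATION entries using the ntifs.h layout with natural alignment (ShortName at +0x46, FileId at +0x60, FileName at +0x68, so the fixed part is 0x68 bytes, which differs from the offsets used in the script above), reads the field values themselves rather than field addresses, follows the NextEntryOffset chain, and rejects truncated or backward-pointing buffers. The sample buffer, file names and FILETIME value are constructed, not a real dump.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed part of FILE_ID_BOTH_DIR_INFORMATION per ntifs.h with natural alignment:
# +0 NextEntryOffset, +4 FileIndex, +8..+0x37 six LARGE_INTEGERs, +0x38 FileAttributes,
# +0x3c FileNameLength, +0x40 EaSize, +0x44 ShortNameLength (CCHAR), 1 pad byte,
# +0x46 ShortName WCHAR[12], 2 pad bytes, +0x60 FileId, +0x68 FileName (variable length).
HDR = struct.Struct("<IIqqqqqqIIIbx24sxxq")            # HDR.size == 0x68
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):                                # FILETIME: 100 ns ticks since 1601 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_entries(buf):
    """Walk the NextEntryOffset chain in a raw buffer (what dd @esi shows) -> list of dicts."""
    entries, off = [], 0
    while True:
        if off + HDR.size > len(buf):
            raise ValueError(f"truncated header at +0x{off:x}")
        (nxt, idx, ctime, _at, wtime, _ct, eof, alloc, attrs, name_len,
         _ea, short_len, short_raw, file_id) = HDR.unpack_from(buf, off)
        name_off = off + HDR.size
        if name_off + name_len > len(buf):
            raise ValueError(f"FileName overruns buffer at +0x{name_off:x}")
        entries.append({
            "FileIndex": idx, "CreationTime": filetime_to_dt(ctime),
            "LastWriteTime": filetime_to_dt(wtime), "EndOfFile": eof,
            "AllocationSize": alloc, "FileAttributes": attrs, "FileId": file_id,
            "ShortName": short_raw[:short_len].decode("utf-16-le"),
            "FileName": buf[name_off:name_off + name_len].decode("utf-16-le")})
        if nxt == 0:
            return entries
        if nxt < HDR.size or off + nxt >= len(buf):   # chain must move forward and stay in bounds
            raise ValueError(f"bad NextEntryOffset 0x{nxt:x} at +0x{off:x}")
        off += nxt
# Constructed sample input (not a real memory dump): two chained entries.
def build_entry(name, short_name, file_id, size, ft):
    name_b, short_b = name.encode("utf-16-le"), short_name.encode("utf-16-le")
    return HDR.pack(0, 0, ft, ft, ft, ft, size, -(-size // 4096) * 4096, 0x20, len(name_b),
                    0, len(short_b), short_b.ljust(24, b"\0"), file_id) + name_b

def chain(entries):                                    # pad all but the last to 8 bytes, fill offsets
    out = b""
    for e in entries[:-1]:
        e += b"\0" * (-len(e) % 8)
        out += struct.pack("<I", len(e)) + e[4:]
    return out + entries[-1]
FT_2020 = 132223104000000000                           # 2020-01-01 00:00:00 UTC as FILETIME
SAMPLE = chain([build_entry("ntoskrnl.exe", "NTOSKR~1.EXE", 0x5000000000001, 10_000, FT_2020),
                build_entry("long file name.txt", "", 0x1000000000002, 17, FT_2020)])
```

To use it on a live target, dump the bytes at the address in ESI (for example with .writemem in WinDbg) and pass them to parse_entries.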