Trying to view the _FILE_ID_BOTH_DIR_INFORMATION structure in memory with WinDbg
I am trying to use WinDbg to view the Windows file system structure _FILE_ID_BOTH_DIR_INFORMATION in memory, but for some reason it tells me the symbol cannot be found.
I have WinDbg connected over a pipe to a Windows XP virtual machine to debug its kernel.
I tried the command dt _FILE_ID_BOTH_DIR_INFORMATION esi
to view the structure's data, since the value of ESI is an address containing the structure I want to inspect.
All I get is the following output:
3: kd> dt _FILE_ID_BOTH_DIR_INFORMATION esi
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: _FILE_ID_BOTH_DIR_INFORMATION ***
*** ***
*************************************************************************
Symbol _FILE_ID_BOTH_DIR_INFORMATION not found.
Other structures work for me, such as _DRIVER_OBJECT.
According to Microsoft's documentation, what I know about the _FILE_ID_BOTH_DIR_INFORMATION symbol is that it is declared in ntifs.h. I could not find any information on whether this symbol is provided by the Microsoft Symbol Server.
No, this type information does not appear to be available in the public PDBs that MS provides.
You can check for yourself with a wildcard:
0: kd> dt nt!*_FILE_*
ntkrnlmp!_FILE_INFORMATION_CLASS
ntkrnlmp!_FILE_OBJECT
ntkrnlmp!_PF_FILE_ACCESS_TYPE
ntkrnlmp!_FILE_SEGMENT_ELEMENT
ntkrnlmp!_IOP_FILE_OBJECT_EXTENSION
ntkrnlmp!_CREATE_FILE_TYPE
ntkrnlmp!_FILE_OBJECT_EXTENSION_TYPE
ntkrnlmp!_DUMMY_FILE_OBJECT
ntkrnlmp!_IMAGE_FILE_HEADER
ntkrnlmp!_FILE_BASIC_INFORMATION
ntkrnlmp!_FILE_GET_QUOTA_INFORMATION
ntkrnlmp!_FILE_NETWORK_OPEN_INFORMATION
ntkrnlmp!_MMPAGE_FILE_EXPANSION
ntkrnlmp!_FILE_STANDARD_INFORMATION
ntkrnlmp!_MAPPED_FILE_SEGMENT
ntkrnlmp!_MMPAGE_FILE_EXPANSION_FLAGS
ntkrnlmp!_MI_PAGING_FILE_SPACE_BITMAPS
0: kd> dt nt!*_FILE_I*
ntkrnlmp!_FILE_INFORMATION_CLASS
As for viewing them, you can look at the raw memory contents by simply doing dd @esi and correlating them with the structure in ntifs.h, or use .printf and some find-and-replace in Notepad to print formatted output.
I just copy-pasted the structure from the documentation into Notepad++, used find/replace to prepend .printf, and finally used the same procedure to append \t%x.
Adjusted the offsets from the pseudo-register and saved it as a .txt.
Ran it as a WinDbg script with $$>a<, giving the pseudo-register a random offset (just made sure there was some Unicode string at offset +0x48).
The result is as follows:
$$ Base of the entry: an arbitrary kernel address minus 0x48, chosen so that
$$ a Unicode string happens to sit at the ShortName slot.
r $t0 = (fffff805`19ec53e0-48)
.printf "typedef struct _FILE_ID_BOTH_DIR_INFORMATION { \n"
$$ %x and %N print the value of the expression, i.e. the field's address
$$ (low 32 bits for %x, full pointer for %N); wrap the expression in
$$ dwo()/qwo() to print the 32/64-bit contents at that address instead.
.printf " ULONG NextEntryOffset; \t%x\n" , @$t0+0
.printf " ULONG FileIndex; \t%x\n" , @$t0+4
.printf " LARGE_INTEGER CreationTime; \t%N\n" , @$t0+8
.printf " LARGE_INTEGER LastAccessTime; \t%N\n" , @$t0+10
.printf " LARGE_INTEGER LastWriteTime; \t%N\n" , @$t0+18
.printf " LARGE_INTEGER ChangeTime; \t%N\n" , @$t0+20
.printf " LARGE_INTEGER EndOfFile; \t%N\n" , @$t0+28
.printf " LARGE_INTEGER AllocationSize; \t%N\n" , @$t0+30
.printf " ULONG FileAttributes; \t%x\n" , @$t0+38
.printf " ULONG FileNameLength; \t%x\n" , @$t0+3c
.printf " ULONG EaSize; \t%x\n" , @$t0+40
.printf " CCHAR ShortNameLength; \t%x\n" , @$t0+44
$$ %mu dereferences the address and prints the Unicode string found there.
.printf " WCHAR ShortName[12]; \t%mu\n" , @$t0+48
.printf " LARGE_INTEGER FileId; \t%N\n" , @$t0+54
.printf " WCHAR FileName[1]; \t%mu\n" , @$t0+58
.printf "} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; \n"
Result:
0: kd> $$>a< f:\wdscr\fileid.wds
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
ULONG NextEntryOffset; 19ec5398
ULONG FileIndex; 19ec539c
LARGE_INTEGER CreationTime; FFFFF80519EC53A0
LARGE_INTEGER LastAccessTime; FFFFF80519EC53A8
LARGE_INTEGER LastWriteTime; FFFFF80519EC53B0
LARGE_INTEGER ChangeTime; FFFFF80519EC53B8
LARGE_INTEGER EndOfFile; FFFFF80519EC53C0
LARGE_INTEGER AllocationSize; FFFFF80519EC53C8
ULONG FileAttributes; 19ec53d0
ULONG FileNameLength; 19ec53d4
ULONG EaSize; 19ec53d8
CCHAR ShortNameLength; 19ec53dc
WCHAR ShortName[12]; KeRevertToUserGroupAffinityThread
LARGE_INTEGER FileId; FFFFF80519EC53EC
WCHAR FileName[1]; ToUserGroupAffinityThread
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
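When the public PDB has no type for a structure, the other route the answer mentions (dump the raw bytes with dd or .writemem and correlate them with ntifs.h) can be done offline in a script instead of by hand. The following is an added example, not code from the question or answer above: a Python decoder for a buffer of FILE_ID_BOTH_DIR_INFORMATION entries. The field offsets are computed here from the ntifs.h declaration with natural alignment (ShortNameLength is a 1-byte CCHAR at 0x44, so ShortName starts at 0x46, FileId at the 8-byte-aligned 0x60 and FileName at 0x68); they are an assumption of this example and differ from the hand-typed offsets in the .printf script. The two-entry sample buffer, the file names, timestamps and FileId values in it are constructed for the demonstration; the decoder also validates NextEntryOffset and the length fields so a truncated or corrupted dump raises instead of reading out of bounds.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field layout computed from the ntifs.h declaration with natural alignment
# (assumed here; not taken from the .printf script above, whose offsets were hand-typed):
#   0x00 NextEntryOffset ULONG      0x38 FileAttributes  ULONG
#   0x04 FileIndex       ULONG      0x3c FileNameLength  ULONG (bytes, not chars)
#   0x08 CreationTime    FILETIME   0x40 EaSize          ULONG
#   0x10 LastAccessTime  FILETIME   0x44 ShortNameLength CCHAR (bytes) + 1 pad
#   0x18 LastWriteTime   FILETIME   0x46 ShortName       WCHAR[12]     + 2 pad
#   0x20 ChangeTime      FILETIME   0x60 FileId          LARGE_INTEGER
#   0x28 EndOfFile       LARGE_INT  0x68 FileName        WCHAR[FileNameLength/2], no NUL
#   0x30 AllocationSize  LARGE_INT
_FIXED = struct.Struct("<IIqqqqqqIIIBx24s2xQ")
FILENAME_OFFSET = 0x68
assert _FIXED.size == FILENAME_OFFSET

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_ATTR_NAMES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY",
               0x20: "ARCHIVE", 0x400: "REPARSE_POINT"}


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_entry(buf, off=0):
    """Decode one entry at byte offset `off`; returns (fields, NextEntryOffset)."""
    if off + FILENAME_OFFSET > len(buf):
        raise ValueError("fixed part truncated at offset 0x%x" % off)
    (next_off, file_index, ctime, atime, wtime, chtime, eof, alloc, attrs,
     name_len, ea_size, short_len, short_raw, file_id) = _FIXED.unpack_from(buf, off)
    # Both lengths are byte counts of UTF-16LE text; odd or oversized values mean garbage.
    if short_len > 24 or short_len % 2:
        raise ValueError("bad ShortNameLength 0x%x" % short_len)
    if name_len % 2 or off + FILENAME_OFFSET + name_len > len(buf):
        raise ValueError("FileNameLength 0x%x overruns buffer" % name_len)
    name_raw = buf[off + FILENAME_OFFSET: off + FILENAME_OFFSET + name_len]
    fields = {
        "FileIndex": file_index,
        "CreationTime": filetime_to_datetime(ctime),
        "LastAccessTime": filetime_to_datetime(atime),
        "LastWriteTime": filetime_to_datetime(wtime),
        "ChangeTime": filetime_to_datetime(chtime),
        "EndOfFile": eof,
        "AllocationSize": alloc,
        "FileAttributes": sorted(n for bit, n in _ATTR_NAMES.items() if attrs & bit),
        "EaSize": ea_size,
        "ShortName": short_raw[:short_len].decode("utf-16-le"),
        # On NTFS the 64-bit FileId packs the MFT record number (low 48 bits)
        # and the record's sequence number (high 16 bits).
        "MftRecord": file_id & 0xFFFFFFFFFFFF,
        "SequenceNumber": file_id >> 48,
        "FileName": name_raw.decode("utf-16-le"),
    }
    return fields, next_off


def iterate_entries(buf):
    """Walk the NextEntryOffset chain of a directory-query buffer into a list."""
    entries, off = [], 0
    while True:
        fields, next_off = parse_entry(buf, off)
        entries.append(fields)
        if next_off == 0:          # last entry in the buffer
            return entries
        min_len = FILENAME_OFFSET + len(fields["FileName"]) * 2
        if next_off % 8 or next_off < min_len or off + next_off >= len(buf):
            raise ValueError("bad NextEntryOffset 0x%x at 0x%x" % (next_off, off))
        off += next_off


def is_well_formed(buf):
    try:
        iterate_entries(buf)
        return True
    except ValueError:
        return False


def build_entry(name, file_id, size, ft, attrs, short_name="", last=False):
    """Constructed sample data: pack one entry the way the kernel lays it out."""
    name_b, short_b = name.encode("utf-16-le"), short_name.encode("utf-16-le")
    padded = (FILENAME_OFFSET + len(name_b) + 7) & ~7     # entries are 8-byte aligned
    fixed = _FIXED.pack(0 if last else padded, 0, ft, ft, ft, ft, size,
                        (size + 0xFFF) & ~0xFFF, attrs, len(name_b), 0,
                        len(short_b), short_b.ljust(24, b"\0"), file_id)
    return (fixed + name_b).ljust(padded, b"\0")


# Constructed two-entry buffer; 132223104000000000 is 2020-01-01T00:00:00Z as FILETIME.
SAMPLE_CREATED_FT = 132223104000000000
SAMPLE_BUFFER = (
    build_entry("Program Files", (5 << 48) | 0x3E8, 0, SAMPLE_CREATED_FT, 0x10, "PROGRA~1")
    + build_entry("ntoskrnl.exe", (2 << 48) | 0x1A4, 10485760, SAMPLE_CREATED_FT, 0x20, last=True)
)

if __name__ == "__main__":
    for e in iterate_entries(SAMPLE_BUFFER):
        print("%-16s %-10s %10d  MFT %d/%d  %s" % (e["FileName"], e["ShortName"], e["EndOfFile"],
              e["MftRecord"], e["SequenceNumber"], e["CreationTime"]))
```

To apply it to a live target, write the buffer out of the debugger (for example with .writemem to a file starting at the address in ESI, sized by the I/O request's output length) and pass the file's bytes to iterate_entries; the same bounds checks that reject the truncated sample will flag a dump that is shorter than the NextEntryOffset chain claims.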