Windows 处理卷的信息_Windows_Driver_Windbg

Windows 处理卷的信息

windows windbg

Windows 处理卷的信息,windows,driver,windbg,Windows,Driver,Windbg,我使用WinDBG获取句柄信息： kd> !handle 430 PROCESS 85c91030 SessionId: 0 Cid: 0388 Peb: 7ffdc000 ParentCid: 01e8 DirBase: 7ee841c0 ObjectTable: 8da023f0 HandleCount: 539. Image: svchost.exe Handle table at 9a3da000 with 539 entries in use

我使用WinDBG获取句柄信息：

kd> !handle 430

PROCESS 85c91030  SessionId: 0  Cid: 0388    Peb: 7ffdc000  ParentCid: 01e8
    DirBase: 7ee841c0  ObjectTable: 8da023f0  HandleCount: 539.
    Image: svchost.exe

Handle table at 9a3da000 with 539 entries in use

0430: Object: 8480e038  GrantedAccess: 00100080 Entry: 8da01860
Object: 8480e038  Type: (844f9ac8) File
    ObjectHeader: 8480e020 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: \ {HarddiskVolume2}

我知道大多数数据来自_FILE_OBJECT，但我无法找出{HarddiskVolume2}是如何确定的。WinDBG是如何获得此信息的？

它是硬盘分区的设备对象名

kd> !object \Device\HardDisk0\
Object: e13d5f58  Type: (812bd3c8) Directory
    ObjectHeader: e13d5f40 (old version)
    HandleCount: 1  PointerCount: 6
    Directory Object: e10077a0  Name: Harddisk0

    Hash Address  Type          Name
    ---- -------  ----          ----
     21  8123e5e0 Device        DR0
     33  e13d3a50 SymbolicLink  Partition0
     34  e13d3030 SymbolicLink  Partition1
     36  8126b030 Device        DP(1)0x7e00-0xfff2e4400+1
kd> !object \Device\HardDisk0\Partition1
Object: e13d3030  Type: (812bd1f8) SymbolicLink
    ObjectHeader: e13d3018 (old version)
    HandleCount: 0  PointerCount: 1
    Directory Object: e13d5f58  Name: Partition1
    Target String is '\Device\HarddiskVolume1'

您也可以使用查询反向！driveinfo[dosdevicename]

kd> !driveinfo c:
Drive c:, DriveObject e13d3770
    Directory Object: e1004890  Name: C:
        Target String is '\Device\HarddiskVolume1'
        Drive Letter Index is 3 (C:)
    Volume DevObj: 8126bd98
    Vpb: 8123db20  DeviceObject: 8121b020
    FileSystem: \FileSystem\Ntfs

获取所有驱动器映射的python脚本

from ctypes import *
ntdevs = create_string_buffer(15000)
b=windll.kernel32.GetLogicalDriveStringsA(sizeof(ntdevs),byref(ntdevs))
for i in range(0,b):
    print ntdevs[i],
print "\n"
dosdevs = create_string_buffer(15000)
for j in range(0,b,4):
    a=windll.Kernel32.QueryDosDeviceA(ntdevs[j]+ntdevs[j+1],byref(dosdevs),sizeof(dosdevs))
    for i in range(0,a):
        print dosdevs[i],
    print "\n"

执行官

编辑

如果您使用的是xp-sp3，此脚本可以帮助您了解windbg如何检索{hardiskvolume1}。此脚本还假设了某些事情，如内核级别\u handle\u table请注意，如果有很多句柄，您可能无法盲目索引，如

handle*size+start of table

在以后的操作系统中，对象头结构不同，没有

NameInfoOffset

字段
在

OBJECT\u标题

结构中，但在

TypeIndex

中，您可能需要修改此脚本以适应os>xp

r $t0 = (@@c++((sizeof(nt!_HANDLE_TABLE_ENTRY) / sizeof(unsigned long))) * ${$arg1})
r $t1 = (@$t0 + poi(poi(nt!ObpKernelHandleTable)))
r $t2 = (@@c++(#FIELD_OFFSET(nt!_OBJECT_HEADER  ,Body)))
r $t3 = (@@c++(#FIELD_OFFSET(nt!_FILE_OBJECT    ,DeviceObject)))
r $t4 = (@@c++(#FIELD_OFFSET(nt!_OBJECT_HEADER  ,NameInfoOffset)))
r $t5 = ((poi(@$t1) & 0xfffffff8 ) + @$t2)
r $t6 = (poi(@$t5 + @$t3) - @$t2 - @$t4)
.printf "%mu {%msu}" , @@c++(((nt!_FILE_OBJECT *) @@masm( @$t5 ))->FileName.Buffer ) ,  @$t6

这样处决

kd> $$>a< "xxx\getfilename.txt" 294
\Documents and Settings\NetworkService\NTUSER.DAT {HarddiskVolume1}

谢谢，我如何将句柄链接到此信息？我实际上尝试通过代码执行windbg所做的操作，但我没有找到链接，因为它添加了一个与os xp-sp3相关的旧脚本。请看一看，您可能需要研究并调整该脚本以适应os>xpsp3（查找对象\u头差异）

kd> $$>a< "xxx\getfilename.txt" 294
\Documents and Settings\NetworkService\NTUSER.DAT {HarddiskVolume1}

PROCESS 80559c20  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1000b78  HandleCount: 230.
    Image: Idle

Kernel handle table at e1002000 with 230 entries in use

0294: Object: 810c20e0  GrantedAccess: 00000003 (Protected) Entry: e1002528
Object: 810c20e0  Type: (8127b900) File
    ObjectHeader: 810c20c8 (old version)
        HandleCount: 1  PointerCount: 4
        Directory Object: 00000000  Name: \Documents and Settings\NetworkService\NTUSER.DAT {HarddiskVolume1}