I have the module address of a loaded driver. I want to get the driver object from the module address or name with WinDbg in kernel-mode debugging. Is there a command to find it?
I don't remember whether there is a list of driver objects reachable from a kernel global variable, so this is fairly involved.

`!object` queries the list of all objects known to the Object Manager. The command takes a path option, which lets you query the `\Driver` directory of the Object Manager to list all `_DRIVER_OBJECT`s, e.g.:
```
0: kd> !object \driver
Object: ffff9c0a5dd51920  Type: (ffffe58ca0c8cd20) Directory
    ObjectHeader: ffff9c0a5dd518f0 (new version)
    HandleCount: 0  PointerCount: 105
    Directory Object: ffff9c0a5dc24420  Name: Driver

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     00  ffffe58ca160ce00 Driver                    fvevol
         ffffe58ca0c9be20 Driver                    vdrvroot
     01  ffffe58ca15e8e00 Driver                    NetBT
         ffffe58ca0cc6e30 Driver                    acpiex
         ffffe58ca0d69df0 Driver                    Wdf01000
     02  ffffe58ca6ce8e30 Driver                    WdNisDrv
         ffffe58ca0c8e060 Driver                    mpsdrv
    // ... snip ...
```
The problem is that this is not scriptable at all, since you have to walk the whole list. The Object Manager root is at the global `nt!ObpRootDirectoryObject`, but parsing it is painful...

Hugsy wrote a very nice JS script that parses it, and luckily it supports `\Driver` entries.
```
.scriptload "C:\test\ObjectExplorer.js"
dx -r0 @$drvs = @$cursession.Objects.Children.Where( obj => obj.Name == "Driver" ).First().Children.Select( obj_entry => obj_entry.NativeObject)
```
Note: if you want to see how the script parses the objects, you can do this:

```
dx -r0 @$drvs = @$cursession.Objects.Children.Where( obj => obj.Name == "Driver" ).First().Children
```
(Replace the 0xfffff8073a2d0000 address with your own address.)

```
0: kd> dx -g @$drvs.Where( drv => drv.DriverStart == 0xfffff8073a2d0000 )
===========================================================================================================================================================================================
=     = [<Raw View>] = (+) HardwareDatabase                                         = (+) DeviceObject                               = (+) Flags = (+) Devices =
===========================================================================================================================================================================================
= [0x0] : Driver "\Driver\CNG" - {...} - 0xfffff80736355710 : "\REGISTRY\MACHINE\HARDWARE\DESCRIPT... - 0xffffe58ca0d7ac10 : Device for "\Driver\CNG" - 0x12 - {...} =
===========================================================================================================================================================================================
```
You can then click the entry and it prints the full `_DRIVER_OBJECT` (or you can just `dt` the address):
```
0: kd> dx -r1 (*((ntkrnlmp!_DRIVER_OBJECT *)0xffffe58ca0c8ec10))
(*((ntkrnlmp!_DRIVER_OBJECT *)0xffffe58ca0c8ec10))                 : Driver "\Driver\CNG" [Type: _DRIVER_OBJECT]
    [<Raw View>]     [Type: _DRIVER_OBJECT]
    HardwareDatabase : 0xfffff80736355710 : "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" [Type: _UNICODE_STRING *]
    DeviceObject     : 0xffffe58ca0d7ac10 : Device for "\Driver\CNG" [Type: _DEVICE_OBJECT *]
    Flags            : 0x12
    Devices

0: kd> dx -r1 -nv (*((ntkrnlmp!_DRIVER_OBJECT *)0xffffe58ca0c8ec10))
(*((ntkrnlmp!_DRIVER_OBJECT *)0xffffe58ca0c8ec10))                 : Driver "\Driver\CNG" [Type: _DRIVER_OBJECT]
    [+0x000] Type             : 4 [Type: short]
    [+0x002] Size             : 336 [Type: short]
    [+0x008] DeviceObject     : 0xffffe58ca0d7ac10 : Device for "\Driver\CNG" [Type: _DEVICE_OBJECT *]
    [+0x010] Flags            : 0x12 [Type: unsigned long]
    [+0x018] DriverStart      : 0xfffff8073a2d0000 [Type: void *]
    [+0x020] DriverSize       : 0xbd000 [Type: unsigned long]
    [+0x028] DriverSection    : 0xffffe58ca0c6dd50 [Type: void *]
    [+0x030] DriverExtension  : 0xffffe58ca0c8ed60 [Type: _DRIVER_EXTENSION *]
    [+0x038] DriverName       [Type: _UNICODE_STRING]
    [+0x048] HardwareDatabase : 0xfffff80736355710 : "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" [Type: _UNICODE_STRING *]
    [+0x050] FastIoDispatch   : 0x0 [Type: _FAST_IO_DISPATCH *]
    [+0x058] DriverInit       : 0xfffff8073a384010 : cng!GsDriverEntry+0x0 [Type: long (__cdecl*)(_DRIVER_OBJECT *,_UNICODE_STRING *)]
    [+0x060] DriverStartIo    : 0x0 : 0x0 [Type: void (__cdecl*)(_DEVICE_OBJECT *,_IRP *)]
    [+0x068] DriverUnload     : 0x0 : 0x0 [Type: void (__cdecl*)(_DRIVER_OBJECT *)]
    [+0x070] MajorFunction    [Type: long (__cdecl* [28])(_DEVICE_OBJECT *,_IRP *)]
```
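The answer above filters on an exact `DriverStart` match, which only works if you already hold the image base. The WinDbg JavaScript below is an added example, not part of the answer or of Hugsy's ObjectExplorer.js: it answers the original question for both inputs (an arbitrary address inside the driver image, or the driver name) without any third-party script, by running `!object \Driver` itself, casting each listed object to `nt!_DRIVER_OBJECT`, and checking `[DriverStart, DriverStart + DriverSize)`. The pure helpers run anywhere, including Node, so they can be tested against rows copied from the transcript above; the glue at the bottom needs the debugger's `host` object. Assumptions: the row layout of `!object \Driver` shown in the answer, nt symbols loaded, and the data-model behaviour that `.address` on a `void *` member yields the pointer value. The image ranges for fvevol and NetBT in the sample records are invented for the test; only CNG's come from the dump above.

```javascript
// Added example (not from the original answer or Hugsy's ObjectExplorer.js):
// resolve a kernel address or a driver name to its _DRIVER_OBJECT.
// Pure helpers first (run under Node for the test), WinDbg glue at the bottom.

// Rows copied from the `!object \Driver` transcript above (constructed test input).
const SAMPLE_LISTING = [
  "    Hash Address          Type                      Name",
  "    ---- -------          ----                      ----",
  "     00  ffffe58ca160ce00 Driver                    fvevol",
  "         ffffe58ca0c9be20 Driver                    vdrvroot",
  "     01  ffffe58ca15e8e00 Driver                    NetBT",
  "         ffffe58ca0cc6e30 Driver                    acpiex",
  "         ffffe58ca0d69df0 Driver                    Wdf01000",
];

// Records as readDriverObjects() would build them. CNG's DriverStart/DriverSize are
// taken from the dump above; the fvevol and NetBT ranges are invented for the test.
const SAMPLE_DRIVERS = [
  { name: "fvevol", object: 0xffffe58ca160ce00n, start: 0xfffff80739a00000n, size: 0x80000n },
  { name: "CNG",    object: 0xffffe58ca0c8ec10n, start: 0xfffff8073a2d0000n, size: 0xbd000n },
  { name: "NetBT",  object: 0xffffe58ca15e8e00n, start: 0xfffff8073c100000n, size: 0x60000n },
];

// Accepts a BigInt, a JS number, or a WinDbg host.Int64 (what dx hands an alias for a
// 64-bit literal); Int64 goes through its hex string so no precision is lost.
function toBigInt(v) {
  if (typeof v === "bigint") return v;
  let s = v.toString(16).toLowerCase();
  if (s.startsWith("0x")) s = s.slice(2);
  return BigInt("0x" + s);
}

// Extract (object address, name) from the `!object \Driver` table. The hash column is
// only present on the first row of each bucket, so it is optional; header and
// separator lines do not match the pattern and are skipped.
function parseObjectDriverListing(lines) {
  const row = /^\s*(?:[0-9a-f]{2}\s+)?([0-9a-f]{16})\s+Driver\s+(\S+)\s*$/i;
  const out = [];
  for (const line of lines) {
    const m = row.exec(line);
    if (m) out.push({ object: BigInt("0x" + m[1]), name: m[2] });
  }
  return out;
}

// The driver whose image [DriverStart, DriverStart + DriverSize) contains `address`.
// Half-open interval: DriverStart + DriverSize itself is not a hit.
function findDriverByAddress(drivers, address) {
  const a = toBigInt(address);
  return drivers.find(d => d.size > 0n && a >= d.start && a < d.start + d.size) || null;
}

// Case-insensitive name lookup, accepting "cng", "CNG" or "\Driver\CNG".
function findDriverByName(drivers, name) {
  const want = name.split("\\").pop().toLowerCase();
  return drivers.find(d => d.name.split("\\").pop().toLowerCase() === want) || null;
}

// ---- WinDbg glue: needs the `host` global, never invoked under Node ----------------

// Run `!object \Driver` and cast every listed object to nt!_DRIVER_OBJECT so the range
// check uses the real DriverStart/DriverSize fields rather than parsed text.
function readDriverObjects() {
  const ctl = host.namespace.Debugger.Utility.Control;
  const lines = Array.from(ctl.ExecuteCommand("!object \\Driver"));
  return parseObjectDriverListing(lines).map(e => {
    const drv = host.createTypedObject(host.parseInt64(e.object.toString(16), 16), "nt", "_DRIVER_OBJECT");
    return {
      name: e.name,
      object: e.object,
      start: toBigInt(drv.DriverStart.address), // void*: .address is the pointer value (assumption noted in lead-in)
      size: BigInt(drv.DriverSize),              // unsigned long arrives as a JS number
      typedObject: drv,
    };
  });
}

// dx @$findDriver(0xfffff8073a2d0000)  or  dx @$findDriver("cng")  -> the _DRIVER_OBJECT
function findDriverAlias(addressOrName) {
  const drivers = readDriverObjects();
  const hit = typeof addressOrName === "string"
    ? findDriverByName(drivers, addressOrName)
    : findDriverByAddress(drivers, addressOrName);
  return hit ? hit.typedObject : undefined;
}

// .scriptload this file, then the @$findDriver alias is available from dx.
function initializeScript() {
  return [new host.apiVersionSupport(1, 7), new host.functionAlias(findDriverAlias, "findDriver")];
}
```

Save it under a path of your choosing (for instance `C:\test\FindDriver.js`, a hypothetical name), `.scriptload` it, and `dx @$findDriver(0xfffff8073a384010)` returns the CNG driver object because that address (its `DriverInit`) lies inside the image, not just at its base; `dx -r1 -nv @$findDriver("cng")` gives the raw view shown above. The regex mirrors the `!object` layout printed in the answer, so if a different WinDbg build changes the column format, adjust the pattern rather than the range logic.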