I am trying to use WinDbg to view the Windows file system structure _FILE_ID_BOTH_DIR_INFORMATION in memory, but for some reason it tells me the symbol cannot be found.
I have WinDbg connected over a pipe to a Windows XP virtual machine in order to debug its kernel. I tried the command dt _FILE_ID_BOTH_DIR_INFORMATION esi to view the structure's data, since the value of ESI is an address holding the structure I want to inspect.
What I get is the following output:
3: kd> dt _FILE_ID_BOTH_DIR_INFORMATION esi
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: _FILE_ID_BOTH_DIR_INFORMATION ***
*** ***
*************************************************************************
Symbol _FILE_ID_BOTH_DIR_INFORMATION not found.
Other structures work for me, for example _DRIVER_OBJECT.
According to Microsoft's documentation, all I know about the _FILE_ID_BOTH_DIR_INFORMATION symbol is that it is included in ntifs.h. I cannot find any information on whether this symbol is provided by the Microsoft Symbol Server.
No, this type information is not available in the public PDBs provided by MS.
You can check yourself with a wildcard:
0: kd> dt nt!*_FILE_*
ntkrnlmp!_FILE_INFORMATION_CLASS
ntkrnlmp!_FILE_OBJECT
ntkrnlmp!_PF_FILE_ACCESS_TYPE
ntkrnlmp!_FILE_SEGMENT_ELEMENT
ntkrnlmp!_IOP_FILE_OBJECT_EXTENSION
ntkrnlmp!_CREATE_FILE_TYPE
ntkrnlmp!_FILE_OBJECT_EXTENSION_TYPE
ntkrnlmp!_DUMMY_FILE_OBJECT
ntkrnlmp!_IMAGE_FILE_HEADER
ntkrnlmp!_FILE_BASIC_INFORMATION
ntkrnlmp!_FILE_GET_QUOTA_INFORMATION
ntkrnlmp!_FILE_NETWORK_OPEN_INFORMATION
ntkrnlmp!_MMPAGE_FILE_EXPANSION
ntkrnlmp!_FILE_STANDARD_INFORMATION
ntkrnlmp!_MAPPED_FILE_SEGMENT
ntkrnlmp!_MMPAGE_FILE_EXPANSION_FLAGS
ntkrnlmp!_MI_PAGING_FILE_SPACE_BITMAPS
0: kd> dt nt!*_FILE_I*
ntkrnlmp!_FILE_INFORMATION_CLASS
To view them you can look at the raw contents of memory: just do dd @esi and correlate it with the "struct" in ntifs.h,
or use .printf and some find/replace in Notepad to print formatted output.
I just copy-pasted the struct from the documentation into Notepad++, used find/replace to put .printf in front of each line, then with the same steps appended \t%x at the end, adjusted the offsets to a pseudo register, and saved it as a .txt to run with $$>a<
r $t0 = (fffff805`19ec53e0-48)
.printf "typedef struct _FILE_ID_BOTH_DIR_INFORMATION { \n"
.printf " ULONG NextEntryOffset; \t%x\n" , @$t0+0
.printf " ULONG FileIndex; \t%x\n" , @$t0+4
.printf " LARGE_INTEGER CreationTime; \t%N\n" , @$t0+8
.printf " LARGE_INTEGER LastAccessTime; \t%N\n" , @$t0+10
.printf " LARGE_INTEGER LastWriteTime; \t%N\n" , @$t0+18
.printf " LARGE_INTEGER ChangeTime; \t%N\n" , @$t0+20
.printf " LARGE_INTEGER EndOfFile; \t%N\n" , @$t0+28
.printf " LARGE_INTEGER AllocationSize; \t%N\n" , @$t0+30
.printf " ULONG FileAttributes; \t%x\n" , @$t0+38
.printf " ULONG FileNameLength; \t%x\n" , @$t0+3c
.printf " ULONG EaSize; \t%x\n" , @$t0+40
.printf " CCHAR ShortNameLength; \t%x\n" , @$t0+44
.printf " WCHAR ShortName[12]; \t%mu\n" , @$t0+48
.printf " LARGE_INTEGER FileId; \t%N\n" , @$t0+54
.printf " WCHAR FileName[1]; \t%mu\n" , @$t0+58
.printf "} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; \n"
Result:
0: kd> $$>a< f:\wdscr\fileid.wds
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
ULONG NextEntryOffset; 19ec5398
ULONG FileIndex; 19ec539c
LARGE_INTEGER CreationTime; FFFFF80519EC53A0
LARGE_INTEGER LastAccessTime; FFFFF80519EC53A8
LARGE_INTEGER LastWriteTime; FFFFF80519EC53B0
LARGE_INTEGER ChangeTime; FFFFF80519EC53B8
LARGE_INTEGER EndOfFile; FFFFF80519EC53C0
LARGE_INTEGER AllocationSize; FFFFF80519EC53C8
ULONG FileAttributes; 19ec53d0
ULONG FileNameLength; 19ec53d4
ULONG EaSize; 19ec53d8
CCHAR ShortNameLength; 19ec53dc
WCHAR ShortName[12]; KeRevertToUserGroupAffinityThread
LARGE_INTEGER FileId; FFFFF80519EC53EC
WCHAR FileName[1]; ToUserGroupAffinityThread
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
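As an added example that is not part of the answer above: the same correlation done offline in Python, for when you have saved the bytes from a dd dump and want every field and the whole NextEntryOffset chain decoded with bounds checks instead of a hand-typed offset list. The field offsets are my assumption from the natural alignment of the ntifs.h declaration (ShortName at 0x46, FileId at 0x60, FileName at 0x68); the two-entry buffer is constructed here, not captured from a system.

```python
import struct
from datetime import datetime, timedelta, timezone
# Assumed natural-alignment layout (ntifs.h): fixed fields 0x00-0x45, ShortName WCHAR[12] at 0x46, FileId at 0x60, FileName at 0x68.
HDR = struct.Struct("<IIqqqqqqIIIb")  # NextEntryOffset ... ShortNameLength
SHORTNAME_OFF, SHORTNAME_BYTES, FILEID_OFF, FILENAME_OFF = 0x46, 24, 0x60, 0x68

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_entry(buf, off):
    """Parse one entry at `off`, checking every length against the buffer first."""
    if off + FILENAME_OFF > len(buf):
        raise ValueError("entry header truncated at %#x" % off)
    f = HDR.unpack_from(buf, off)
    nxt, name_len, sn_len = f[0], f[9], f[11]
    if not 0 <= sn_len <= SHORTNAME_BYTES or off + FILENAME_OFF + name_len > len(buf):
        raise ValueError("bad ShortNameLength/FileNameLength at %#x" % off)
    short = buf[off + SHORTNAME_OFF:off + SHORTNAME_OFF + sn_len].decode("utf-16-le")
    name = buf[off + FILENAME_OFF:off + FILENAME_OFF + name_len].decode("utf-16-le")
    return {"NextEntryOffset": nxt, "FileIndex": f[1], "CreationTime": filetime_to_dt(f[2]),
            "LastWriteTime": filetime_to_dt(f[4]), "EndOfFile": f[6], "AllocationSize": f[7],
            "FileAttributes": f[8], "EaSize": f[10], "ShortName": short, "FileName": name,
            "FileId": struct.unpack_from("<q", buf, off + FILEID_OFF)[0]}

def walk_entries(buf):
    """Follow the NextEntryOffset chain: 0 ends it; a link shorter than the header is rejected."""
    out, off = [], 0
    while True:
        e = parse_entry(buf, off)
        out.append(e)
        if e["NextEntryOffset"] == 0:
            return out
        if e["NextEntryOffset"] < FILENAME_OFF:  # would loop or overlap this entry
            raise ValueError("bad NextEntryOffset at %#x" % off)
        off += e["NextEntryOffset"]

def build_entry(name, short, file_id, size, nxt):
    """Constructed sample entry (not captured from a real system) for offline testing."""
    name_b, short_b = name.encode("utf-16-le"), short.encode("utf-16-le")
    body = bytearray(FILENAME_OFF)
    t = 132223104000000000  # FILETIME for 2020-01-01 00:00:00 UTC
    HDR.pack_into(body, 0, nxt, 0, t, t, t, t, size, size, 0x20, len(name_b), 0, len(short_b))
    body[SHORTNAME_OFF:SHORTNAME_OFF + len(short_b)] = short_b
    struct.pack_into("<q", body, FILEID_OFF, file_id)
    pad = nxt - FILENAME_OFF - len(name_b) if nxt else 0  # keep the next entry 8-aligned
    return bytes(body) + name_b + b"\0" * pad

SAMPLE = (build_entry("report-2020.docx", "REPORT~1.DOC", 0x20000000012345, 4096, 0x88)
          + build_entry("a.txt", "", 3, 10, 0))
```

Feed walk_entries() the bytes you copied out of the debugger; a truncated dump or a corrupt FileNameLength raises ValueError instead of reading past the buffer.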