infin1t3void

Reputation: 3

Trying to view the _FILE_ID_BOTH_DIR_INFORMATION structure in memory with WinDbg

I'm trying to view the Windows file system structure _FILE_ID_BOTH_DIR_INFORMATION in memory using WinDbg, but for some reason it tells me that the symbol is not found.

I connected WinDbg with a pipe to a Windows XP virtual machine in order to debug its kernel. I tried viewing the structure's data using the command dt _FILE_ID_BOTH_DIR_INFORMATION esi because the value of ESI is an address which contains the structure in question that I want to inspect.

All I got was the following output:

3: kd> dt _FILE_ID_BOTH_DIR_INFORMATION esi
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that     ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: _FILE_ID_BOTH_DIR_INFORMATION                 ***
***                                                                   ***
*************************************************************************
Symbol _FILE_ID_BOTH_DIR_INFORMATION not found.

Other structures are working for me, like _DRIVER_OBJECT.

All I know about the _FILE_ID_BOTH_DIR_INFORMATION symbol is that it is included in ntifs.h, according to Microsoft's documentation. I couldn't find information regarding whether this symbol is provided by the Microsoft Symbol Server.

Upvotes: 0

Views: 365

Answers (1)

blabb

Reputation: 8987

No, it appears this type info is not available in the public PDBs provided by MS.

You can check yourself using wildcards:

0: kd> dt nt!*_FILE_*
          ntkrnlmp!_FILE_INFORMATION_CLASS
          ntkrnlmp!_FILE_OBJECT
          ntkrnlmp!_PF_FILE_ACCESS_TYPE
          ntkrnlmp!_FILE_SEGMENT_ELEMENT
          ntkrnlmp!_IOP_FILE_OBJECT_EXTENSION
          ntkrnlmp!_CREATE_FILE_TYPE
          ntkrnlmp!_FILE_OBJECT_EXTENSION_TYPE
          ntkrnlmp!_DUMMY_FILE_OBJECT
          ntkrnlmp!_IMAGE_FILE_HEADER
          ntkrnlmp!_FILE_BASIC_INFORMATION
          ntkrnlmp!_FILE_GET_QUOTA_INFORMATION
          ntkrnlmp!_FILE_NETWORK_OPEN_INFORMATION
          ntkrnlmp!_MMPAGE_FILE_EXPANSION
          ntkrnlmp!_FILE_STANDARD_INFORMATION
          ntkrnlmp!_MAPPED_FILE_SEGMENT
          ntkrnlmp!_MMPAGE_FILE_EXPANSION_FLAGS
          ntkrnlmp!_MI_PAGING_FILE_SPACE_BITMAPS
0: kd> dt nt!*_FILE_I*
          ntkrnlmp!_FILE_INFORMATION_CLASS

As to viewing them: you can view the raw contents of memory (just do dd @esi) and correlate them with the structure in ntifs.h,

or use .printf and some find/replace in Notepad to print a formatted output.

I just copy-pasted the structure from the documentation into Notepad++,
stuffed the .printf in front using find/replace,
stuffed the \t%x at the end using the same procedure,
tweaked the offsets to the pseudo-register and saved it as .txt.

Used $$>a< to run it as a WinDbg script, providing a random offset to the pseudo-register (I just made sure there is some Unicode string at offset+0x48). The results are as below:

r $t0 = (fffff805`19ec53e0-48)

.printf "typedef struct _FILE_ID_BOTH_DIR_INFORMATION {                             \n"
.printf "  ULONG         NextEntryOffset;                                           \t%x\n"  , @$t0+0
.printf "  ULONG         FileIndex;                                                 \t%x\n"  , @$t0+4
.printf "  LARGE_INTEGER CreationTime;                                              \t%N\n"  , @$t0+8
.printf "  LARGE_INTEGER LastAccessTime;                                            \t%N\n"  , @$t0+10
.printf "  LARGE_INTEGER LastWriteTime;                                             \t%N\n"  , @$t0+18
.printf "  LARGE_INTEGER ChangeTime;                                                \t%N\n"  , @$t0+20
.printf "  LARGE_INTEGER EndOfFile;                                                 \t%N\n"  , @$t0+28
.printf "  LARGE_INTEGER AllocationSize;                                            \t%N\n"  , @$t0+30
.printf "  ULONG         FileAttributes;                                            \t%x\n"  , @$t0+38
.printf "  ULONG         FileNameLength;                                            \t%x\n"  , @$t0+3c
.printf "  ULONG         EaSize;                                                    \t%x\n"  , @$t0+40
.printf "  CCHAR         ShortNameLength;                                           \t%x\n"  , @$t0+44
.printf "  WCHAR         ShortName[12];                                             \t%mu\n" , @$t0+48
.printf "  LARGE_INTEGER FileId;                                                    \t%N\n"  , @$t0+54
.printf "  WCHAR         FileName[1];                                               \t%mu\n" , @$t0+58
.printf "} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;            \n"

Results:

0: kd> $$>a< f:\wdscr\fileid.wds
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {                              
  ULONG         NextEntryOffset;                                                19ec5398
  ULONG         FileIndex;                                                      19ec539c
  LARGE_INTEGER CreationTime;                                                   FFFFF80519EC53A0
  LARGE_INTEGER LastAccessTime;                                             FFFFF80519EC53A8
  LARGE_INTEGER LastWriteTime;                                                  FFFFF80519EC53B0
  LARGE_INTEGER ChangeTime;                                                 FFFFF80519EC53B8
  LARGE_INTEGER EndOfFile;                                                      FFFFF80519EC53C0
  LARGE_INTEGER AllocationSize;                                             FFFFF80519EC53C8
  ULONG         FileAttributes;                                             19ec53d0
  ULONG         FileNameLength;                                             19ec53d4
  ULONG         EaSize;                                                     19ec53d8
  CCHAR         ShortNameLength;                                                19ec53dc
  WCHAR         ShortName[12];                                                  KeRevertToUserGroupAffinityThread
  LARGE_INTEGER FileId;                                                     FFFFF80519EC53EC
  WCHAR         FileName[1];                                                    ToUserGroupAffinityThread
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;            

Upvotes: 2
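As an added example (not code from the question or the answer), the "dd @esi and correlate with ntifs.h" step done in Python: the parser decodes the raw bytes of a _FILE_ID_BOTH_DIR_INFORMATION buffer at the offsets that follow from the ntifs.h declaration under natural alignment (the CCHAR ShortNameLength at 0x44 puts ShortName[12] at 0x46, the 8-byte FileId at 0x60 and FileName at 0x68) and walks the NextEntryOffset chain with bounds checks. The sample records, and the kernel address column used when converting dd output, are constructed for the demonstration.

```python
import struct

# _FILE_ID_BOTH_DIR_INFORMATION as declared in ntifs.h, laid out with natural alignment
# (identical on x86 and x64): ShortNameLength is a CCHAR at 0x44, so ShortName[12] starts
# at 0x46, the 8-byte FileId at 0x60, and FileName follows at 0x68 for FileNameLength bytes.
FIXED = struct.Struct("<IIqqqqqqIIIbx24sxxq")       # the 0x68 bytes preceding FileName
FIELDS = ("NextEntryOffset", "FileIndex", "CreationTime", "LastAccessTime", "LastWriteTime",
          "ChangeTime", "EndOfFile", "AllocationSize", "FileAttributes", "FileNameLength",
          "EaSize", "ShortNameLength", "ShortName", "FileId")
FILENAME_OFFSET = FIXED.size                        # 0x68

def dd_to_bytes(dump: str) -> bytes:
    """Convert WinDbg `dd` output (an address column, then DWORDs) back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for dword in line.split()[1:]:               # skip the leading address column
            out += struct.pack("<I", int(dword, 16))
    return bytes(out)

def parse_entries(buf: bytes) -> list:
    """Walk the NextEntryOffset chain (0 marks the last record), bounds-checking every read."""
    entries, off = [], 0
    while True:
        if off + FILENAME_OFFSET > len(buf):
            raise ValueError(f"record at 0x{off:x} is truncated")
        rec = dict(zip(FIELDS, FIXED.unpack_from(buf, off)))
        name_start, name_end = off + FILENAME_OFFSET, off + FILENAME_OFFSET + rec["FileNameLength"]
        if name_end > len(buf) or not 0 <= rec["ShortNameLength"] <= 24:
            raise ValueError(f"record at 0x{off:x} has an out-of-range name length")
        rec["ShortName"] = rec["ShortName"][:rec["ShortNameLength"]].decode("utf-16-le")
        rec["FileName"] = buf[name_start:name_end].decode("utf-16-le")
        entries.append(rec)
        if rec["NextEntryOffset"] == 0:
            return entries
        if rec["NextEntryOffset"] < name_end - off:  # must not point back into this record
            raise ValueError(f"record at 0x{off:x} has a looping NextEntryOffset")
        off += rec["NextEntryOffset"]

def build_entry(file_index: int, file_id: int, short: str, name: str, attrs: int, last: bool) -> bytes:
    """Constructed sample record (not captured from a real system) to exercise the parser."""
    wname, wshort = name.encode("utf-16-le"), short.encode("utf-16-le")
    total = FILENAME_OFFSET + len(wname)
    nxt = 0 if last else (total + 7) & ~7            # records are 8-byte aligned in the buffer
    fixed = FIXED.pack(nxt, file_index, 1, 2, 3, 4, len(wname), 4096, attrs,
                       len(wname), 0, len(wshort), wshort.ljust(24, b"\0"), file_id)
    return (fixed + wname).ljust(nxt or total, b"\0")

SAMPLE = (build_entry(1, 0x0001000000000010, "LONGFI~1.TXT", "Long File Name.txt", 0x20, False)
          + build_entry(2, 0x0002000000000011, "", "notes.md", 0x22, True))
```

Paste the `dd` lines for the address in ESI into `dd_to_bytes` and hand the result to `parse_entries`; a truncated or self-referencing record raises instead of being decoded silently.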
