
Title: From file handle to file name

Created: 2017-11-27 11:43  Updated: 2017-11-28 11:22  Link: https://scz.617.cn/windows/201711271143.txt

A short section added on the fly. It started with someone asking me how !handle can show the file name directly, and along the way I also cover Sysinternals' handle.exe. The context is the use of debugging tools, not the implementation of the handle table.

kd> !process 0 0 notepad.exe
PROCESS ffffbd0cb03135c0
    SessionId: 1  Cid: 0c88    Peb: c1cb228000  ParentCid: 169c
    DirBase: 6e414000  ObjectTable: ffffa505ec001600  HandleCount: 520.
    Image: notepad.exe

List all file handles of notepad.exe:

kd> !handle 0 3 0xffffbd0cb03135c0 File

Searching for handles of type File

PROCESS ffffbd0cb03135c0
    SessionId: 1  Cid: 0c88    Peb: c1cb228000  ParentCid: 169c
    DirBase: 6e414000  ObjectTable: ffffa505ec001600  HandleCount: 520.
    Image: notepad.exe

Handle table at ffffa505ec001600 with 520 entries in use
...
03d0: Object: ffffbd0cae9bf670  GrantedAccess: 00120089 (Audit) Entry: ffffa505ec074f40
Object: ffffbd0cae9bf670  Type: (ffffbd0cabc92b00) File
    ObjectHeader: ffffbd0cae9bf640 (new version)
        HandleCount: 1  PointerCount: 32765
        Directory Object: 00000000  Name: \Windows\System32\en-US\user32.dll.mui {HarddiskVolume4}
...

Look at handle 0x3d0 of notepad.exe:

kd> !handle 0x3d0 3 0xffffbd0cb03135c0

In user mode the flags argument of !handle (UMFlags) differs from the kernel-mode one (KMFlags):

!handle -?
!handle [] [] []
  - Handle to get information about
    0 or -1 means all handles
  - Output control flags
    1 - Get type information (default)
    2 - Get basic information
    4 - Get name information
    8 - Get object specific info (where available)
  (space-delimited, 32-bit max)
  - Limit query to handles of the given type
Display information about open handles

I tried it: the user-mode !handle is pretty lousy and cannot display the file name directly:

!handle 0 0xf File

!handle 0x3d0 0xf
Handle 00000000000003d0
  Type          File
  Attributes    0
  GrantedAccess 0x120089:
         ReadControl,Synch
         Read/List,ReadEA,ReadAttr
  HandleCount   2
  PointerCount  65530
  No object specific information available

I guess the original asker meant the user-mode !handle; I answered in a kd context.

If you do not want to use any debugger, try Sysinternals' Process Explorer or handle.

Process Explorer does not show the handle number. I had never noticed this before and used to wonder why a separate handle command needed to exist. Process Explorer does show 0xFFFFBD0CAE9BF670, which is the address of the nt!_FILE_OBJECT object:

kd> !fileobj 0xFFFFBD0CAE9BF670

\Windows\System32\en-US\user32.dll.mui

Device Object: 0xffffbd0cad667c70   \Driver\volmgr
Vpb: 0xffffbd0cad4c4bd0
Event signalled
Access: Read SharedRead SharedDelete

Flags:  0x40040
    Cache Supported
    Handle Created

FsContext: 0xffffa505ea4e6150   FsContext2: 0xffffa505ef0183c0
CurrentByteOffset: 0
Cache Data:
  Section Object Pointers: ffffbd0cae184ad8
  Shared Cache Map: 00000000

Sysinternals' handle.exe does show the handle number (0x3d0), but it cannot query a given handle number; you can only dump everything and filter by hand.

$ handle.exe -h

Nthandle v4.1 - Handle viewer
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: handle [[-a [-l]] [-u] | [-c [-y]] | [-s]] [-p |] [name] [-nobanner]
  -a         Dump all handle information.
  -l         Just show pagefile-backed section handles.
  -c         Closes the specified handle (interpreted as a hexadecimal number).
             You must specify the process by its PID.
             WARNING: Closing handles can cause application or system instability.
  -y         Don't prompt for close handle confirmation.
  -s         Print count of each type of handle open.
  -u         Show the owning user name when searching for handles.
  -p         Dump handles belonging to process (partial name accepted).
  name       Search for handles to objects with (fragment accepted).
  -nobanner  Do not display the startup banner and copyright message.

No arguments will dump all file references.

$ handle.exe -p notepad.exe
...
  3D0: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
...

handle.exe can do the reverse lookup, from name to handle number:

$ handle.exe -nobanner -p notepad.exe user32.dll.mui
notepad.exe        pid: 3208   type: File          3D0: C:\Windows\System32\en-US\user32.dll.mui

When handle.exe is given a pid, it must be decimal; hex is not supported. If the pid carries a 0x prefix, it is taken as a process name rather than a pid, and nothing is found. That is really ridiculous.
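As an added example that is not code from the original post or from Sysinternals: a PowerShell script that does the targeted lookup handle.exe lacks, pid plus handle value to file name, by duplicating the handle into the current process and asking the kernel for its path. It assumes Windows, rights to open the target with PROCESS_DUP_HANDLE (your own notepad.exe works), and a File handle; the parameter names TargetPid and HandleValue are this script's own.

```powershell
# Added example, not code from the original post: the query handle.exe cannot do,
# pid + handle value -> file name, by duplicating the handle into this process.
# Assumes Windows and rights to open the target with PROCESS_DUP_HANDLE.
# usage: .\handle2name.ps1 -TargetPid 3208 -HandleValue 0x3D0   (values from the handle.exe run above)
param(
    [Parameter(Mandatory)][int]$TargetPid,      # decimal as handle.exe wants; PowerShell also accepts 0x20e8
    [Parameter(Mandatory)][string]$HandleValue  # hex, e.g. 0x3D0, as kd and handle.exe print it
)

Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DuplicateHandle(IntPtr srcProc, IntPtr srcHandle, IntPtr dstProc,
    out IntPtr dstHandle, uint access, bool inherit, uint options);
[DllImport("kernel32.dll")] public static extern uint GetFileType(IntPtr h);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetFinalPathNameByHandle(IntPtr h, System.Text.StringBuilder path, uint size, uint flags);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
"@

$PROCESS_DUP_HANDLE    = 0x0040
$DUPLICATE_SAME_ACCESS = 0x0002
$FILE_TYPE_DISK        = 0x0001
$VOLUME_NAME_NT        = 0x0002   # \Device\HarddiskVolumeN\... form, matching kd's {HarddiskVolume4} name

$raw = [Convert]::ToInt64(($HandleValue -replace '^0[xX]', ''), 16)
$src = [Win32.Native]::OpenProcess($PROCESS_DUP_HANDLE, $false, [uint32]$TargetPid)
if ($src -eq [IntPtr]::Zero) {
    throw "OpenProcess($TargetPid) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    $dup = [IntPtr]::Zero
    if (-not [Win32.Native]::DuplicateHandle($src, [IntPtr]$raw, [Win32.Native]::GetCurrentProcess(),
            [ref]$dup, 0, $false, $DUPLICATE_SAME_ACCESS)) {
        throw ("DuplicateHandle(0x{0:X}) failed: not a valid handle value in pid {1}" -f $raw, $TargetPid)
    }
    try {
        # A synchronous pipe handle can block inside GetFinalPathNameByHandle, so only name disk files.
        if ([Win32.Native]::GetFileType($dup) -ne $FILE_TYPE_DISK) {
            throw ("0x{0:X} is a File handle but not a disk file (pipe, console, ...)" -f $raw)
        }
        $buf = New-Object System.Text.StringBuilder 1024
        $len = [Win32.Native]::GetFinalPathNameByHandle($dup, $buf, $buf.Capacity, $VOLUME_NAME_NT)
        if ($len -eq 0 -or $len -gt $buf.Capacity) { throw "GetFinalPathNameByHandle failed or path too long" }
        $buf.ToString()   # e.g. \Device\HarddiskVolume4\Windows\System32\en-US\user32.dll.mui
    } finally { [void][Win32.Native]::CloseHandle($dup) }
} finally { [void][Win32.Native]::CloseHandle($src) }
```

Pass VOLUME_NAME_DOS (0) instead of VOLUME_NAME_NT to get the C:\... form that handle.exe and Process Explorer print.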

2017-11-28 10:47 scz

This part has nothing essential to do with the title; it just explores running external commands from windbg.

.shell -ci ".printf \"handle.exe -nobanner -p %#u\n\",@$tpid"
.shell -ci ".printf \"handle.exe -nobanner -a -p %#u\n\",@$tpid"

? @$tpid
Evaluate expression: 8424 = 00000000`000020e8

.shell -ci ".echo handle.exe -nobanner -p 8424"

.shell -ci "x" handle.exe -nobanner -p 8424

The first group can use @$tpid directly: it enters the cmd prompt, runs the given command, then exits the cmd prompt. All of this happens automatically, but the output looks cluttered.

The second group is similar to the first but cannot use @$tpid directly; the upside is that you need not worry about escape characters.

The third group's output is the cleanest, but it cannot use @$tpid directly. Odd as it looks, this should be the best way to run external commands from windbg. "x" can be replaced by any windbg command that produces no output.

2017-11-27 12:10 god_bless_me_pls

Someone corrected the Process Explorer part above: the handle number can be brought up:

View->Select Columns->

Type                 File (for example)
Name                 C:\Windows\System32\en-US\user32.dll.mui
Handle Value         0x3D0
Access Mask          0x00120089
File Share Flags     R-D
Object Address       inspect with !object; for a file this is the nt!_FILE_OBJECT address
Decoded Access Mask  READ_CONTROL | SYNCHRONIZE | FILE_GENERIC_READ

I am not even sure what the defaults are anymore; long ago I tuned these settings to my own needs and never looked at them again.