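Title: Viewing the UseCount of a minifilter Context.
A Context is a structure that you allocate and define yourself, so how can it be inspected?
Every context is preceded by a common structure, in other words a header.
How do you view that header?
The !fltkd.help command prints: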
......
ctx [addr] [detail] Dump CONTEXT_NODE
......
Note that there is also:
contextlist [addr] [detail] Dump CONTEXT_LIST_CTRL
Pay attention to the command format and the number of arguments.
1. instanceContext example.
0: kd> dt _context_node (instanceContext - @@(sizeof(_context_node)))
fltMgr!_CONTEXT_NODE
+0x000 RegInfo : 0x805372c4 _ALLOCATE_CONTEXT_HEADER
+0x004 AttachedObject : __unnamed
+0x008 TreeLink : _TREE_NODE
+0x008 WorkItem : _WORK_QUEUE_ITEM
+0x024 UseCount : 0n26
0: kd> !fltkd.ctx (poi(instanceContext)-@@(sizeof(_context_node)))
CONTEXT_NODE: 822421b8 [0002] InstanceContext NonPagedPool
ALLOCATE_CONTEXT_NODE: 81cc4768 "test" [01] LookasideList
Could not read field "NonPaged.L.Size" of FltMgr!_ALLOCATE_CONTEXT_LOOKASIDE from address: 81cc4768
AttachedObject : 81cfe550
UseCount : 2
TREE_NODE: 822421c0 (k1=00690044, k2=00700073) [00010000] InTree
UserData : 822421e0
2. streamContext example.
1: kd> dt _context_node (streamContext - @@(sizeof(_context_node)))
fltMgr!_CONTEXT_NODE
+0x000 RegInfo : 0xef90d978 _ALLOCATE_CONTEXT_HEADER
+0x004 AttachedObject : __unnamed
+0x008 TreeLink : _TREE_NODE
+0x008 WorkItem : _WORK_QUEUE_ITEM
+0x024 UseCount : 0n1
1: kd> !fltkd.ctx (poi(streamContext)-@@(sizeof(_context_node)))
CONTEXT_NODE: e1c6d6a8 [0008] StreamContext PagedPool
ALLOCATE_CONTEXT_NODE: 81cc48f8 "test" [01] LookasideList
Could not read field "NonPaged.L.Size" of FltMgr!_ALLOCATE_CONTEXT_LOOKASIDE from address: 81cc48f8
AttachedObject : 81e0aa48
UseCount : 2
TREE_NODE: e1c6d6b0 (k1=81cf8008, k2=00000000) [00010001] InTree
UserData : e1c6d6d0
3. streamHandleContext example.
1: kd> dt _context_node (streamHandleContext - @@(sizeof(_context_node)))
fltMgr!_CONTEXT_NODE
+0x000 RegInfo : 0x00000001 _ALLOCATE_CONTEXT_HEADER
+0x004 AttachedObject : __unnamed
+0x008 TreeLink : _TREE_NODE
+0x008 WorkItem : _WORK_QUEUE_ITEM
+0x024 UseCount : 0n0
1: kd> !fltkd.ctx (poi(streamHandleContext)-@@(sizeof(_context_node)))
CONTEXT_NODE: e247d728 [0010] StreamHandleContext PagedPool
ALLOCATE_CONTEXT_NODE: 81cc49c0 "test" [01] LookasideList
Could not read field "NonPaged.L.Size" of FltMgr!_ALLOCATE_CONTEXT_LOOKASIDE from address: 81cc49c0
AttachedObject : 81e0aa48
UseCount : 2
TREE_NODE: e247d730 (k1=81d525e8, k2=81cf8008) [00010001] InTree
UserData : e247d750
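Beyond these, FLT_VOLUME_CONTEXT, FLT_FILE_CONTEXT and FLT_TRANSACTION_CONTEXT can also be viewed.
Notes:
1. After using a CONTEXT, whether it was set or retrieved, decrement its UseCount by one.
2. Release all CONTEXTs before unloading the driver; otherwise FltUnregisterFilter waits forever.
3. !fltkd.ctx is recommended over dt _context_node.
The size of the structure is obtained like this: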
0: kd> ?? sizeof(_context_node)
unsigned int 0x28
References:
http://blogs.msdn.com/b/alexcarp/archive/2009/07/01/filter-manager-concepts-part-5-context-node.aspx
made by correy
made at 10:31 2015/10/22
homepage:http://correy.webs.com
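Added example, not part of the original post: a small Python parser for saved !fltkd.ctx output that extracts each context's UseCount and checks that UserData minus sizeof(_CONTEXT_NODE) lands on the CONTEXT_NODE address, the same arithmetic as the commands above. The function names are hypothetical, 0x28 is the size reported for the 32-bit target in this post, and UseCount is assumed to be printed in decimal.

```python
import re

# sizeof(_CONTEXT_NODE) on the 32-bit target in the post
# (`?? sizeof(_context_node)` -> 0x28); other targets will differ.
CONTEXT_NODE_SIZE = 0x28

# Sample input: the three !fltkd.ctx dumps from the post, abridged to the parsed lines.
SAMPLE_LOG = """\
CONTEXT_NODE: 822421b8 [0002] InstanceContext NonPagedPool
ALLOCATE_CONTEXT_NODE: 81cc4768 "test" [01] LookasideList
UseCount : 2
UserData : 822421e0
CONTEXT_NODE: e1c6d6a8 [0008] StreamContext PagedPool
ALLOCATE_CONTEXT_NODE: 81cc48f8 "test" [01] LookasideList
UseCount : 2
UserData : e1c6d6d0
CONTEXT_NODE: e247d728 [0010] StreamHandleContext PagedPool
ALLOCATE_CONTEXT_NODE: 81cc49c0 "test" [01] LookasideList
UseCount : 2
UserData : e247d750
"""

NODE_RE = re.compile(r"\s*CONTEXT_NODE:\s+([0-9a-fA-F]+)\s+\[[0-9a-fA-F]+\]\s+(\w+)\s+(\w+)")
FIELD_RE = re.compile(r"\s*(UseCount|UserData)\s*:\s*([0-9a-fA-F]+)")

def parse_ctx_dumps(text):
    """Return one dict per CONTEXT_NODE block found in !fltkd.ctx output."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)  # match() anchors at line start, so ALLOCATE_CONTEXT_NODE is skipped
        if m:
            nodes.append({"node": int(m.group(1), 16), "type": m.group(2), "pool": m.group(3)})
            continue
        m = FIELD_RE.match(line)
        if m and nodes:
            key, val = m.groups()
            # Assumption: UseCount is decimal; UserData is a hex address.
            nodes[-1][key] = int(val, 10 if key == "UseCount" else 16)
    return nodes

def check_headers(nodes):
    """Return (type, UseCount, header_ok) for each node.

    header_ok is True when UserData - sizeof(_CONTEXT_NODE) equals the node address.
    """
    return [(n["type"], n["UseCount"], n["UserData"] - CONTEXT_NODE_SIZE == n["node"])
            for n in nodes]

if __name__ == "__main__":
    for row in check_headers(parse_ctx_dumps(SAMPLE_LOG)):
        print(row)
```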