Title: Viewing the UseCount of a minifilter context.
A context is a structure that the driver allocates and defines itself, so how can it be inspected?
It can be inspected because every context is preceded by a common structure, a header, that the filter manager maintains.
The !fltkd.help command prints, among other things:
......
ctx [addr] [detail] Dump CONTEXT_NODE
......
Note that there is also:
contextlist [addr] [detail] Dump CONTEXT_LIST_CTRL
Pay attention to the command syntax and to the number of arguments.
1. instanceContext example.
0: kd> dt _context_node (instanceContext - @@(sizeof(_context_node)))
fltMgr!_CONTEXT_NODE
+0x000 RegInfo : 0x805372c4 _ALLOCATE_CONTEXT_HEADER
+0x004 AttachedObject : __unnamed
+0x008 TreeLink : _TREE_NODE
+0x008 WorkItem : _WORK_QUEUE_ITEM
+0x024 UseCount : 0n26
0: kd> !fltkd.ctx (poi(instanceContext)-@@(sizeof(_context_node)))
CONTEXT_NODE: 822421b8 [0002] InstanceContext NonPagedPool
ALLOCATE_CONTEXT_NODE: 81cc4768 "test" [01] LookasideList
Could not read field "NonPaged.L.Size" of FltMgr!_ALLOCATE_CONTEXT_LOOKASIDE from address: 81cc4768
AttachedObject : 81cfe550
UseCount : 2
TREE_NODE: 822421c0 (k1=00690044, k2=00700073) [00010000] InTree
UserData : 822421e0
2. streamContext example.
1: kd> dt _context_node (streamContext - @@(sizeof(_context_node)))
fltMgr!_CONTEXT_NODE
+0x000 RegInfo : 0xef90d978 _ALLOCATE_CONTEXT_HEADER
+0x004 AttachedObject : __unnamed
+0x008 TreeLink : _TREE_NODE
+0x008 WorkItem : _WORK_QUEUE_ITEM
+0x024 UseCount : 0n1
1: kd> !fltkd.ctx (poi(streamContext)-@@(sizeof(_context_node)))
CONTEXT_NODE: e1c6d6a8 [0008] StreamContext PagedPool
ALLOCATE_CONTEXT_NODE: 81cc48f8 "test" [01] LookasideList
Could not read field "NonPaged.L.Size" of FltMgr!_ALLOCATE_CONTEXT_LOOKASIDE from address: 81cc48f8
AttachedObject : 81e0aa48
UseCount : 2
TREE_NODE: e1c6d6b0 (k1=81cf8008, k2=00000000) [00010001] InTree
UserData : e1c6d6d0
3. streamHandleContext example.
1: kd> dt _context_node (streamHandleContext - @@(sizeof(_context_node)))
fltMgr!_CONTEXT_NODE
+0x000 RegInfo : 0x00000001 _ALLOCATE_CONTEXT_HEADER
+0x004 AttachedObject : __unnamed
+0x008 TreeLink : _TREE_NODE
+0x008 WorkItem : _WORK_QUEUE_ITEM
+0x024 UseCount : 0n0
1: kd> !fltkd.ctx (poi(streamHandleContext)-@@(sizeof(_context_node)))
CONTEXT_NODE: e247d728 [0010] StreamHandleContext PagedPool
ALLOCATE_CONTEXT_NODE: 81cc49c0 "test" [01] LookasideList
Could not read field "NonPaged.L.Size" of FltMgr!_ALLOCATE_CONTEXT_LOOKASIDE from address: 81cc49c0
AttachedObject : 81e0aa48
UseCount : 2
TREE_NODE: e247d730 (k1=81d525e8, k2=81cf8008) [00010001] InTree
UserData : e247d750
FLT_VOLUME_CONTEXT, FLT_FILE_CONTEXT and FLT_TRANSACTION_CONTEXT can be inspected the same way.
Notes:
1. Once you are finished with a context, whether you obtained it by setting it or by getting it, release it so that its UseCount is decremented by one.
2. Every context must have been released before the driver is unloaded; otherwise FltUnregisterFilter waits forever.
3. Use !fltkd.ctx rather than dt _context_node. Note that the dt commands above subtract from the bare variable name, whereas the !fltkd.ctx commands subtract from poi(variable); the two therefore read different addresses, which is why the dt output (UseCount 0n26, 0n1, 0n0 and a RegInfo of 0x00000001) does not agree with the !fltkd.ctx output.
The size of the structure is obtained like this:
0: kd> ?? sizeof(_context_node)
unsigned int 0x28
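The !fltkd.ctx output above is easy to process by script. The following Python helper is an added example, not code from the post: it applies the layout the dumps establish (sizeof(_CONTEXT_NODE) = 0x28, UseCount at +0x24, UserData immediately after the header) to locate the header and UseCount field behind a context pointer, and parses !fltkd.ctx dumps while cross-checking that UserData really sits one header past CONTEXT_NODE. The sample dump is constructed from the page's own output; the offsets are undocumented and must be re-read with dt _context_node on any other build.

```python
import re

# Layout constants read from this page's 32-bit dumps; they are undocumented and
# may differ on other builds, so re-read them with `dt _context_node` there:
#   ?? sizeof(_context_node)  ->  unsigned int 0x28
#   dt _context_node          ->  +0x024 UseCount
SIZEOF_CONTEXT_NODE = 0x28
USECOUNT_OFFSET = 0x24

def context_node_addr(context_ptr: int) -> int:
    """CONTEXT_NODE header address for the pointer a minifilter receives (its UserData)."""
    return context_ptr - SIZEOF_CONTEXT_NODE

def usecount_addr(context_ptr: int) -> int:
    """Address of the UseCount field behind a driver-visible context pointer."""
    return context_node_addr(context_ptr) + USECOUNT_OFFSET

_HDR = re.compile(r"^CONTEXT_NODE:\s+([0-9a-f]+)\s+\[([0-9a-f]+)\]\s+(\w+)\s+(\w+)", re.I | re.M)
_USE = re.compile(r"UseCount\s*:\s*(\d+)")
_USR = re.compile(r"UserData\s*:\s*([0-9a-f]+)", re.I)

def parse_fltkd_ctx(text: str) -> list:
    """Parse one or more !fltkd.ctx outputs; check that UserData == CONTEXT_NODE + sizeof."""
    records = []
    # Split only at lines that begin with CONTEXT_NODE:, not at ALLOCATE_CONTEXT_NODE:.
    for block in re.split(r"(?m)^(?=CONTEXT_NODE:)", text):
        hdr = _HDR.search(block)
        if not hdr:
            continue  # text before the first CONTEXT_NODE line
        node = int(hdr.group(1), 16)
        use, usr = _USE.search(block), _USR.search(block)
        userdata = int(usr.group(1), 16) if usr else None
        records.append({
            "node": node, "type": hdr.group(3), "pool": hdr.group(4),
            "usecount": int(use.group(1)) if use else None,
            "userdata": userdata,
            "layout_ok": userdata is not None and context_node_addr(userdata) == node,
        })
    return records

# Constructed sample: two of the !fltkd.ctx dumps from this page, abbreviated.
SAMPLE = """\
CONTEXT_NODE: 822421b8 [0002] InstanceContext NonPagedPool
ALLOCATE_CONTEXT_NODE: 81cc4768 "test" [01] LookasideList
UseCount : 2
UserData : 822421e0
CONTEXT_NODE: e1c6d6a8 [0008] StreamContext PagedPool
UseCount : 2
UserData : e1c6d6d0
"""
```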
made by correy
made at 10:31 2015/10/22
Last edited by correy on 2019-1-19 11:37.