Find all open handles or references to a USB drive

Time: 2016-02-27 03:05:32

Tags: windows debugging windbg

I am analysing a post-mortem kernel dump and trying to identify all processes and filter drivers that might reference a USB storage drive or hold an open handle to it. I have already tried examining all open handles, but even when restricting that to File objects the data is unmanageable. So I went through the !object \ list to find the volume I am looking for:


Is it possible to find all 34 of these references? Is there an easy way to identify what is using any given volume in a memory dump?

1 answer:

Answer 0 (score: 4)

Doesn't !devhandles on the devobject give you any details?

kd> .shell -ci "!object \Device" grep -i harddisk

xxxxxxxxxx
     20  849a8e20 Device        HarddiskVolume8
xxxxxxxx

kd> !devobj 849a8e20

Device object (849a8e20) is for:
 HarddiskVolume8 \Driver\volmgr DriverObject 851708b0
Current Irp 00000000 RefCount 5 Type 00000007 Flags 00003050
Vpb 8594de78 Dacl b0c8b8a4 DevExt 849a8ed8 DevObjExt 849a8fc0 Dope 8493ee10 DevNode 86643708 
ExtensionFlags (0000000000)  
Characteristics (0x00000001)  FILE_REMOVABLE_MEDIA  <--------
AttachedDevice (Upper) 866f04c8 \Driver\fvevol
Device queue is not busy.

kd> !devhandles 849a8e20

Checking handle table for process 0x84830ae8
Kernel handle table at 89601b80 with 636 entries in use
xxxxxxxxxxxxxxxxxxxxxxxx

PROCESS 86479210  SessionId: 1  Cid: 05e8    Peb: 7ffdf000  ParentCid: 05b0
    DirBase: 7e28f2c0  ObjectTable: 94dcc900  HandleCount: 923.
    Image: explorer.exe

121c: Object: 84a03550  GrantedAccess: 00100081 Entry: adac3438
Object: 84a03550  Type: (848adde8) File
    ObjectHeader: 84a03538 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: \ {HarddiskVolume8} <----

PROCESS 86479210  SessionId: 1  Cid: 05e8    Peb: 7ffdf000  ParentCid: 05b0
    DirBase: 7e28f2c0  ObjectTable: 94dcc900  HandleCount: 923.
    Image: explorer.exe

12ac: Object: 84a0a038  GrantedAccess: 00100081 Entry: adac3558
Object: 84a0a038  Type: (848adde8) File
    ObjectHeader: 84a0a020 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: \ {HarddiskVolume8} <-----
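On a real dump !devhandles prints one PROCESS/Image header per handle, so the listing gets long fast when many references exist. The following parser is an added example, not part of the answer above: it assumes the !devhandles output was saved to a text file (for instance with .logopen) and groups the handles by owning process, decoding the GrantedAccess mask into the common FILE_* bits so read-only holders can be told apart from writers. The sample text is constructed from the output quoted in the answer.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the !devhandles output quoted in the answer above.
SAMPLE = """\
PROCESS 86479210  SessionId: 1  Cid: 05e8    Peb: 7ffdf000  ParentCid: 05b0
    Image: explorer.exe
121c: Object: 84a03550  GrantedAccess: 00100081 Entry: adac3438
        Directory Object: 00000000  Name: \\ {HarddiskVolume8}
PROCESS 86479210  SessionId: 1  Cid: 05e8    Peb: 7ffdf000  ParentCid: 05b0
    Image: explorer.exe
12ac: Object: 84a0a038  GrantedAccess: 00100081 Entry: adac3558
        Directory Object: 00000000  Name: \\ {HarddiskVolume8}
"""

# Subset of the file/standard access-mask bits from winnt.h; unknown bits are kept as hex.
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00100000: "SYNCHRONIZE",
}

PROC_RE = re.compile(r"^PROCESS\s+[0-9a-f]+\s+SessionId:\s*\d+\s+Cid:\s*([0-9a-f]+)")
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")
HANDLE_RE = re.compile(r"^([0-9a-f]+):\s+Object:\s+([0-9a-f]+)\s+GrantedAccess:\s+([0-9a-f]+)")
NAME_RE = re.compile(r"Name:\s*(.*?)\s*\{(\w+)\}\s*$")

def decode_access(mask):
    """Split a GrantedAccess mask into named bits, plus any leftover bits as hex."""
    names = [n for bit, n in ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(ACCESS_BITS)
    return names + ([f"0x{rest:08x}"] if rest else [])

def parse_devhandles(text):
    """Return {(image, cid): [handle dicts]} built from !devhandles output."""
    holders = defaultdict(list)
    cid = image = handle = None
    for line in text.splitlines():
        if m := PROC_RE.match(line):          # new PROCESS header: remember its Cid
            cid, image = m.group(1), None
        elif m := IMAGE_RE.match(line):       # Image: line names the process
            image = m.group(1)
        elif m := HANDLE_RE.match(line):      # "<handle>: Object: ... GrantedAccess: ..."
            handle = {"handle": m.group(1), "object": m.group(2),
                      "access": decode_access(int(m.group(3), 16)), "device": None}
            holders[(image, cid)].append(handle)
        elif (m := NAME_RE.search(line)) and handle is not None:
            handle["name"], handle["device"] = m.group(1), m.group(2)  # "\ {HarddiskVolume8}"
    return holders
```

Filtering the result on the "device" field gives the per-process holder list for one volume even if the log also contains output for other device objects.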