如何在windbg中通过句柄获取文件路径? [英] How get file path by handle in windbg?

问题描述

如何在内核模式下使用windbg/kd从句柄获取文件路径?

How I can obtain file path from handle with windbg/kd in kernel mode?

推荐答案

使用!handle <handle_num> 7 <proc_id>显示该句柄的详细信息，其中<handle_num>是句柄值，而<proc_id>是进程ID值(均基于十六进制)看到此 msdn 链接以获取更多信息.

Use !handle <handle_num> 7 <proc_id> to display detailed information for that handle where <handle_num> is the handle value and <proc_id> is the process id value (both hex based) see this msdn link for further information.

您可以从用户模式会话中闪烁进程ID，这是最简单的方法，只需在用户模式下附加并输入管道命令|，它将输出如下:

You can gleam your process id from a user mode session, this is the easiest method, just attach in user mode and enter the pipe command | and it will output like so:

. 0 id:1680附加名称:D:\ test \ MyApp.exe

. 0 id: 1680 attach name: D:\test\MyApp.exe

所以1680是proc ID，然后使用!handle列出句柄，然后在内核模式下输入:

so 1680 would be the proc id, then list the handles using !handle and then in kernel mode enter:

!handle <handle_num> 7 1680

将显示您想要的内容，此

will display what you want, there is a useful blog entry on this here.

这篇关于如何在windbg中通过句柄获取文件路径?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！