Finding a stream ctx associated with a file object?

I am trying to find an FltMgr Stream Context associated with a
particular file (I have the file object address), but I can’t seem to
find any way to get there.
!fltkd.streamList on the file object fails, even though it’s a valid
FO (!fileobj)

kd> !fileobj a4622908
\Test\Data.txt
Device Object: 0x89d9f030 \Driver\volmgr
Vpb: 0x89ca5110
Event signalled
Access: Read SharedRead SharedWrite
Flags: 0x4000a
Synchronous IO
No Intermediate Buffering
Handle Created
FsContext: 0x81f190f8 FsContext2: 0x82528f78
CurrentByteOffset: 0
Cache Data:
Section Object Pointers: 89ff4978
Shared Cache Map: 00000000

File object extension is at 86fb7498:
Flags: 00000001
Ignore share access checks.

kd> !fltkd.streamList a4622908
Could not read field "Type" of NT!FILE_OBJECT from address: a4622908

I am sure I am missing something simple here :wink:

Kind regards, Dejan.

You are not missing anything; it is broken, and there are many such
extensions with broken types.

The type here is misspelled: it needs an underscore in front of FILE_OBJECT.

If you edit it, the complaint will be that the fltmgr!STREAM_LIST_CTRL type is missing.

You have to scour around and add this type to fltmgr.pdb; then it will work.

—
NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Awesome… is there any other way to get the FltMgr context associated
with a particular file object?
Kind regards, Dejan.


First, try the one-liner from my first reply and look at the list
entry; if it appears to be what you are looking for, then disassemble
the dumpstreamlist() function.


Alternatively, you could do the following:
assuming the FILE_OBJECT in question is 0x85e41c90:

dt 0x85e41c90 nt!_FILE_OBJECT FsContext
+0x00c FsContext : 0xc865b888 Void

dt 0xc865b888 _FSRTL_ADVANCED_FCB_HEADER
nt!_FSRTL_ADVANCED_FCB_HEADER
+0x000 NodeTypeCode : 0n1797
+0x002 NodeByteSize : 0n344
+0x004 Flags : 0x40 '@'
+0x005 IsFastIoPossible : 0x2 ''
+0x006 Flags2 : 0x6 ''
+0x007 Reserved : 0y0000
+0x007 Version : 0y0001
+0x008 Resource : 0x8588dcb4 _ERESOURCE
+0x00c PagingIoResource : 0x8588dd14 _ERESOURCE
+0x010 AllocationSize : _LARGE_INTEGER 0xc30000
+0x018 FileSize : _LARGE_INTEGER 0xc20c9b
+0x020 ValidDataLength : _LARGE_INTEGER 0xc20c9b
+0x028 FastMutex : 0x8588dc94 _FAST_MUTEX
+0x02c FilterContexts : _LIST_ENTRY [0x8513f68c - 0x8513f68c]
+0x034 PushLock : _EX_PUSH_LOCK
+0x038 FileContextSupportPointer : 0xc865b884 -> (null)

Look at FilterContexts… It’s a linked list and you need to find the right
Fltmgr one… On my machine there’s just one entry (just one legacy filter,
and that is FltMgr):
dl 0x8513f68c
8513f68c c865b8b4 c865b8b4 862d9ae0 c865b888
c865b8b4 8513f68c 8513f68c 00000000 c865b884

!pool 0x8513f68c
Pool page 8513f68c region is Nonpaged pool
...
8513f678 size: 8 previous size: 68 (Free) Ntfi
*8513f680 size: 68 previous size: 8 (Allocated) *FMsl
Pooltag FMsl : STREAM_LIST_CTRL structure, Binary : fltmgr.sys

dt fltmgr!_STREAM_LIST_CTRL
+0x000 Type : _FLT_TYPE
+0x004 ContextCtrl : _FSRTL_PER_STREAM_CONTEXT
+0x018 VolumeLink : _LIST_ENTRY
+0x020 Flags : _STREAM_LIST_CTRL_FLAGS
+0x024 UseCount : Int4B
+0x028 ContextLock : _EX_PUSH_LOCK
+0x02c StreamContexts : _CONTEXT_LIST_CTRL
+0x030 StreamHandleContexts : _CONTEXT_LIST_CTRL
+0x034 NameCacheLock : _EX_PUSH_LOCK
+0x038 LastRenameCompleted : _LARGE_INTEGER
+0x040 NormalizedNameCache : _NAME_CACHE_LIST_CTRL
+0x048 ShortNameCache : _NAME_CACHE_LIST_CTRL
+0x050 OpenedNameCache : _NAME_CACHE_LIST_CTRL
+0x058 AllNameContextsTemporary : Int4B

Clearly, the pointer we have is ContextCtrl, so we can do:
dt (0x8513f68c-4) fltmgr!_STREAM_LIST_CTRL
+0x000 Type : _FLT_TYPE
+0x004 ContextCtrl : _FSRTL_PER_STREAM_CONTEXT
+0x018 VolumeLink : _LIST_ENTRY [0x862d9e0c - 0x85f23230]
+0x020 Flags : 0x211 (No matching name)
+0x024 UseCount : 0n3
+0x028 ContextLock : _EX_PUSH_LOCK
+0x02c StreamContexts : _CONTEXT_LIST_CTRL
+0x030 StreamHandleContexts : _CONTEXT_LIST_CTRL
+0x034 NameCacheLock : _EX_PUSH_LOCK
+0x038 LastRenameCompleted : _LARGE_INTEGER 0x0
+0x040 NormalizedNameCache : _NAME_CACHE_LIST_CTRL
+0x048 ShortNameCache : _NAME_CACHE_LIST_CTRL
+0x050 OpenedNameCache : _NAME_CACHE_LIST_CTRL
+0x058 AllNameContextsTemporary : 0n0

From here we need StreamContexts…
dt (0x8513f68c-4) fltmgr!_STREAM_LIST_CTRL StreamContexts.
+0x02c StreamContexts :
+0x000 List : _TREE_ROOT

So…
dt (0x8513f68c-4+0x2c) _TREE_ROOT
fltmgr!_TREE_ROOT
+0x000 Tree : 0xd87161b4 _RTL_SPLAY_LINKS

So we can do:
dt 0xd87161b4 _RTL_SPLAY_LINKS
fltmgr!_RTL_SPLAY_LINKS
+0x000 Parent : 0xd87161b4 _RTL_SPLAY_LINKS
+0x004 LeftChild : (null)
+0x008 RightChild : 0x8dd1b61c _RTL_SPLAY_LINKS

Let’s see what contexts we have:
!pool 0xd87161b4
Pool page d87161b4 region is Paged pool
d8716000 size: 1a0 previous size: 0 (Free) FMfn
*d87161a0 size: 68 previous size: 1a0 (Allocated) *FIcs
Pooltag FIcs : FileInfo FS-filter Stream Context, Binary : fileinfo.sys
(ok, this isn’t mine…)

Let’s try RightChild:

!pool 0x8dd1b61c
Pool page 8dd1b61c region is Paged pool
...
8dd1b5b0 size: 58 previous size: 80 (Allocated) AtmA
*8dd1b608 size: 60 previous size: 58 (Allocated) *dbSC

Ok, that’s my tag (dbSC)… this is FltMgr’s context though and my data is
right after… let’s see the size
dt /v fltmgr!_CONTEXT_NODE
struct _CONTEXT_NODE, 7 elements, 0x30 bytes
+0x000 TxCtxExtension : Ptr32 to struct _TX_CONTEXT_EXTENSION, 5
elements, 0x24 bytes
+0x000 Data : Ptr32 to Void
+0x004 RegInfo : Ptr32 to struct _ALLOCATE_CONTEXT_HEADER, 6
elements, 0x10 bytes
+0x008 AttachedObject : union , 6 elements, 0x4 bytes
+0x00c TreeLink : struct _TREE_NODE, 5 elements, 0x1c bytes
+0x00c FltWork : struct _FLTP_WORKITEM, 2 elements, 0x14 bytes
+0x028 UseCount : Int4B

So, naturally, TreeLink is the RightChild, so we need to remove 0xC… and
then add the size of the structure…

db (0x8dd1b61c-0xC+0x30)
8dd1b640 58 ab 75 85 50 81 f0 bd-18 ab 75 85 de a1 a1 ac X.u.P.....u.....
8dd1b650 12 3a e5 11 82 e0 a4 5e-60 eb 62 32 b8 05 de 85 .:.....^.b2.....
.....

This is it.. Let's compare with the address I know:
db @@(streamContext)
8dd1b640 58 ab 75 85 50 81 f0 bd-18 ab 75 85 de a1 a1 ac X.u.P.....u.....
8dd1b650 12 3a e5 11 82 e0 a4 5e-60 eb 62 32 b8 05 de 85 .:.....^.b2.....
...


So there you have it… We’ve manually walked from a FILE_OBJECT to a
StreamContext…

Hope this helps…

Thanks,
Alex


@Alex Carp
Thanks a lot for taking the time to write a clear walkthrough.

I gave Dejan this one-liner to walk the linked list in a private
exchange (as I had no data for newer OS behavior, I refrained from
posting this in a public exchange).
Now that I have something to lean on, I am putting this one-liner here for posterity.

If I remember right,

_FILE_OBJECT->FsContext is not a void type but an
nt!_FSRTL_ADVANCED_FCB_HEADER type.

If you map it as such, FilterContexts is a LIST_ENTRY:

lkd> ?? ((nt!_FSRTL_ADVANCED_FCB_HEADER *)((nt!_FILE_OBJECT *)
@@masm(8a1c6028) )->FsContext)-> FilterContexts
struct _LIST_ENTRY
[0xe52cfa24 - 0xe52cfa24]
+0x000 Flink : 0xe52cfa24 _LIST_ENTRY [0xe52cfa24 - 0xe52cfa24]
+0x004 Blink : 0xe52cfa24 _LIST_ENTRY [0xe52cfa24 - 0xe52cfa24]

and walk the linked list with dl.

The FsContext values in the file below are leeched with awk "{print $6}"
from !filecache -> column 6.
20 is the maximum number of Flinks to dump; 1 is the maximum number of ULONG_PTRs to dump per Flink.

.foreach (place {.shell -i c:\fscont.txt cat -}) {dl
@@c++(((nt!_FSRTL_ADVANCED_FCB_HEADER *) @@masm( place
))->FilterContexts.Flink) 20 1;.echo ========}
89c1d744 e132aa24
e132aa24 89c1d744
========
8a20128c e3b83bb4
e3b83bb4 8a20128c
========
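Added here as an example, not code from the thread or from FltMgr: a host-side C model of the walk Alex describes and of the FilterContexts list walk in raj's one-liner, with the struct layouts reduced to the fields the dt output above shows (so the offsets are the host's, not the x86 4 / 0xC / 0x30 quoted). The FltMgr OwnerId value, the Tag field given to ALLOCATE_CONTEXT_HEADER (standing in for the pool tags !pool reported, since the real header's fields are not on the page) and the memory image the scenario builds are all constructed.

```c
/* Added example, not code from the thread: a host-side C model of Alex's walk and of
 * raj's FilterContexts list walk. FILE_OBJECT -> FsContext -> FilterContexts -> FltMgr's
 * STREAM_LIST_CTRL (CONTAINING_RECORD on ContextCtrl, the "-4") -> StreamContexts splay
 * tree -> CONTEXT_NODE (CONTAINING_RECORD on TreeLink, the "-0xC") -> its Data, the memory
 * right after the node (the "+0x30"). Layouts keep only fields the thread's dt output shows,
 * at host offsets; FltMgr's OwnerId and the Tag in ALLOCATE_CONTEXT_HEADER are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))
#define TAG(a, b, c, d) ((uint32_t)(a) | (uint32_t)(b) << 8 | (uint32_t)(c) << 16 | (uint32_t)(d) << 24)
#define MAX_LIST_WALK 20 /* like dl's count argument: bounds the walk over a corrupt list */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _RTL_SPLAY_LINKS { struct _RTL_SPLAY_LINKS *Parent, *LeftChild, *RightChild; } RTL_SPLAY_LINKS;
typedef struct { LIST_ENTRY Links; void *OwnerId; void *InstanceId; } FSRTL_PER_STREAM_CONTEXT;
typedef struct { int16_t NodeTypeCode, NodeByteSize; LIST_ENTRY FilterContexts; } FSRTL_ADVANCED_FCB_HEADER;
typedef struct { void *FsContext; void *FsContext2; } FILE_OBJECT;
typedef struct { uint32_t Tag; } ALLOCATE_CONTEXT_HEADER;
typedef struct {                       /* TreeLink is not at offset 0: hence the "-0xC" */
    void *Data;                        /* filter-visible context memory */
    ALLOCATE_CONTEXT_HEADER *RegInfo;  /* which filter registered this context */
    RTL_SPLAY_LINKS TreeLink;          /* what StreamContexts.Tree points into */
} CONTEXT_NODE;
typedef struct {                       /* ContextCtrl is not at offset 0: hence the "-4" */
    uint32_t Type;
    FSRTL_PER_STREAM_CONTEXT ContextCtrl; /* what a FilterContexts entry points into */
    struct { RTL_SPLAY_LINKS *Tree; } StreamContexts; /* _CONTEXT_LIST_CTRL / _TREE_ROOT */
} STREAM_LIST_CTRL;

/* FsContext -> FilterContexts -> the entry FltMgr owns -> its STREAM_LIST_CTRL, or NULL. */
static STREAM_LIST_CTRL *find_stream_list_ctrl(const FILE_OBJECT *fo, const void *fltmgr_owner)
{
    FSRTL_ADVANCED_FCB_HEADER *hdr = fo->FsContext;
    if (hdr == NULL) return NULL;
    LIST_ENTRY *head = &hdr->FilterContexts; int walked = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && walked < MAX_LIST_WALK; e = e->Flink, walked++) {
        FSRTL_PER_STREAM_CONTEXT *ctx = CONTAINING_RECORD(e, FSRTL_PER_STREAM_CONTEXT, Links);
        if (ctx->OwnerId == fltmgr_owner) /* other legacy filters hang entries here too */
            return CONTAINING_RECORD(ctx, STREAM_LIST_CTRL, ContextCtrl);
    }
    return NULL;
}

/* In-order walk of the splay tree for the node a filter registered under a given tag. */
static void *find_context_in_tree(RTL_SPLAY_LINKS *links, uint32_t tag)
{
    if (links == NULL) return NULL;
    void *found = find_context_in_tree(links->LeftChild, tag);
    if (found != NULL) return found;
    CONTEXT_NODE *node = CONTAINING_RECORD(links, CONTEXT_NODE, TreeLink);
    if (node->RegInfo != NULL && node->RegInfo->Tag == tag) return node->Data;
    return find_context_in_tree(links->RightChild, tag);
}

/* Whole walk; NULL when FltMgr has nothing on this stream yet (Dejan's actual case). */
void *find_stream_context(const FILE_OBJECT *fo, const void *fltmgr_owner, uint32_t tag)
{
    STREAM_LIST_CTRL *slc = find_stream_list_ctrl(fo, fltmgr_owner);
    return slc ? find_context_in_tree(slc->StreamContexts.Tree, tag) : NULL;
}

/* Constructed image mirroring the thread: a legacy filter then FltMgr on FilterContexts, FileInfo's
 * node ('FIcs') at the tree root with ours ('dbSC') as RightChild, plus a stream nothing has touched. */
typedef struct { CONTEXT_NODE node; unsigned char data[16]; } NODE_WITH_DATA; /* data right after node */
static struct {
    FILE_OBJECT fo, fo_fresh; FSRTL_ADVANCED_FCB_HEADER fcb, fcb_fresh;
    FSRTL_PER_STREAM_CONTEXT legacy; STREAM_LIST_CTRL slc;
    ALLOCATE_CONTEXT_HEADER fileinfo_reg, mine_reg; NODE_WITH_DATA fileinfo, mine;
    int fltmgr_owner; /* its address stands in for FltMgr's OwnerId */
} g;
static void init_head(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void insert_tail(LIST_ENTRY *h, LIST_ENTRY *e) { e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }

void build_scenario(void)
{
    memset(&g, 0, sizeof g);
    g.fo.FsContext = &g.fcb; g.fcb.NodeTypeCode = 1797; init_head(&g.fcb.FilterContexts);
    g.legacy.OwnerId = &g.legacy; g.slc.ContextCtrl.OwnerId = &g.fltmgr_owner;
    insert_tail(&g.fcb.FilterContexts, &g.legacy.Links);
    insert_tail(&g.fcb.FilterContexts, &g.slc.ContextCtrl.Links);
    g.fileinfo_reg.Tag = TAG('F', 'I', 'c', 's'); g.mine_reg.Tag = TAG('d', 'b', 'S', 'C');
    g.fileinfo.node.RegInfo = &g.fileinfo_reg; g.fileinfo.node.Data = g.fileinfo.data;
    g.mine.node.RegInfo = &g.mine_reg;         g.mine.node.Data = g.mine.data;
    g.fileinfo.node.TreeLink.Parent = &g.fileinfo.node.TreeLink; /* root parents itself, as in the dump */
    g.fileinfo.node.TreeLink.RightChild = &g.mine.node.TreeLink;
    g.mine.node.TreeLink.Parent = &g.fileinfo.node.TreeLink;
    g.slc.StreamContexts.Tree = &g.fileinfo.node.TreeLink;
    g.fo_fresh.FsContext = &g.fcb_fresh; init_head(&g.fcb_fresh.FilterContexts);
}
const FILE_OBJECT *scenario_file_object(void) { return &g.fo; }
const FILE_OBJECT *scenario_fresh_file_object(void) { return &g.fo_fresh; }
const void *scenario_fltmgr_owner(void) { return &g.fltmgr_owner; }
CONTEXT_NODE *scenario_my_node(void) { return &g.mine.node; }
void *scenario_my_context(void) { return g.mine.data; }
```

The two CONTAINING_RECORD steps are the two subtractions from the walkthrough (4 and 0xC on x86; offsetof yields the host's values), and the context data sits at the node's address plus sizeof(CONTEXT_NODE), which is the 0x30 Alex added. The list walk is bounded the way dl's count argument is, so a corrupted Flink chain cannot spin it, and a stream with an empty FilterContexts yields NULL, which is what Dejan eventually found on his file object.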


I will use this definitely another time, but in the case for which I
posted, it turns out there is no stream ctx associated yet!
The issue was another DELETE sharing, no IRP_MJ_CLOSE sent.

Thanks to raj for helping out, and AC for posting a detailed explanation.
Kind regards, Dejan.

On Wed, Sep 30, 2015 at 2:39 PM, raj r wrote:
> @Alex Carp
> Thanks a lot for taking the time to write a clear walkthrough
>
> i gave dejan this one liner to walk the linked list in a private
> exchange (as i had no data for newer os behavior i refrained from
> posting this in a public exchange
> now that i have some thing to lean onto i am putting this oneliner for posterity
>
>
>
> if i remember right
>
> _FILE_OBJECT ->FsContext is not a void type but
> nt!_FSRTL_ADVANCED_FCB_HEADER Type
>
> if you map it as such FilterContext is a LIST_ENTRY
>
>
> lkd> ?? ((nt!_FSRTL_ADVANCED_FCB_HEADER *)((nt!_FILE_OBJECT *)
> @@masm(8a1c6028) )->FsContext)-> FilterContexts
> struct _LIST_ENTRY
> [0xe52cfa24 - 0xe52cfa24]
> +0x000 Flink : 0xe52cfa24 _LIST_ENTRY [0xe52cfa24 - 0xe52cfa24]
> +0x004 Blink : 0xe52cfa24 _LIST_ENTRY [0xe52cfa24 - 0xe52cfa24]
>
> and walk the linked list with dl
>
> the fscontext in the file below is leeched from awk “{print $6}”
> from !filecache -> column 6
> 20 is maxflinks to dump 1 is max ULONG_PTR to dump per flink
>
> .foreach (place {.shell -i c:\fscont.txt cat -}) {dl
> @@c++(((nt!_FSRTL_ADVANCED_FCB_HEADER *) @@masm( place
> ))->FilterContexts.Flink) 20 1;.echo ========}
> 89c1d744 e132aa24
> e132aa24 89c1d744
> ========
> 8a20128c e3b83bb4
> e3b83bb4 8a20128c
> ========
>
>
>
> On 9/30/15, Alex Carp wrote:
>> Alternatively, you could do the following:
>> assuming the FILE_OBJECT in question is 0x85e41c90:
>>
>> dt 0x85e41c90 nt!_FILE_OBJECT FsContext
>> +0x00c FsContext : 0xc865b888 Void
>>
>> dt 0xc865b888 _FSRTL_ADVANCED_FCB_HEADER
>> nt!_FSRTL_ADVANCED_FCB_HEADER
>> +0x000 NodeTypeCode : 0n1797
>> +0x002 NodeByteSize : 0n344
>> +0x004 Flags : 0x40 ‘@’
>> +0x005 IsFastIoPossible : 0x2 ‘’
>> +0x006 Flags2 : 0x6 ‘’
>> +0x007 Reserved : 0y0000
>> +0x007 Version : 0y0001
>> +0x008 Resource : 0x8588dcb4 _ERESOURCE
>> +0x00c PagingIoResource : 0x8588dd14 _ERESOURCE
>> +0x010 AllocationSize : _LARGE_INTEGER 0xc30000
>> +0x018 FileSize : _LARGE_INTEGER 0xc20c9b
>> +0x020 ValidDataLength : _LARGE_INTEGER 0xc20c9b
>> +0x028 FastMutex : 0x8588dc94 _FAST_MUTEX
>> +0x02c FilterContexts : _LIST_ENTRY [0x8513f68c - 0x8513f68c]
>> +0x034 PushLock : _EX_PUSH_LOCK
>> +0x038 FileContextSupportPointer : 0xc865b884 -> (null)
>>
>> Look at FilterContexts… It’s a linked list and you need to find the right
>> Fltmgr one… On my machine there’s just one entry (just one legacy filter,
>> and that is FltMgr):
>> dl 0x8513f68c
>> 8513f68c c865b8b4 c865b8b4 862d9ae0 c865b888
>> c865b8b4 8513f68c 8513f68c 00000000 c865b884
>>
>> !pool 0x8513f68c
>> Pool page 8513f68c region is Nonpaged pool
>> …
>> 8513f678 size: 8 previous size: 68 (Free) Ntfi
>> *8513f680 size: 68 previous size: 8 (Allocated) *FMsl
>> Pooltag FMsl : STREAM_LIST_CTRL structure, Binary : fltmgr.sys
>>
>> dt fltmgr!_STREAM_LIST_CTRL
>> +0x000 Type : _FLT_TYPE
>> +0x004 ContextCtrl : _FSRTL_PER_STREAM_CONTEXT
>> +0x018 VolumeLink : _LIST_ENTRY
>> +0x020 Flags : _STREAM_LIST_CTRL_FLAGS
>> +0x024 UseCount : Int4B
>> +0x028 ContextLock : _EX_PUSH_LOCK
>> +0x02c StreamContexts : _CONTEXT_LIST_CTRL
>> +0x030 StreamHandleContexts : _CONTEXT_LIST_CTRL
>> +0x034 NameCacheLock : _EX_PUSH_LOCK
>> +0x038 LastRenameCompleted : _LARGE_INTEGER
>> +0x040 NormalizedNameCache : _NAME_CACHE_LIST_CTRL
>> +0x048 ShortNameCache : _NAME_CACHE_LIST_CTRL
>> +0x050 OpenedNameCache : _NAME_CACHE_LIST_CTRL
>> +0x058 AllNameContextsTemporary : Int4B
>>
>> Clearly, the pointer we have is ContextCtrl, so we can do:
>> dt (0x8513f68c-4) fltmgr!_STREAM_LIST_CTRL
>> +0x000 Type : _FLT_TYPE
>> +0x004 ContextCtrl : _FSRTL_PER_STREAM_CONTEXT
>> +0x018 VolumeLink : _LIST_ENTRY [0x862d9e0c - 0x85f23230]
>> +0x020 Flags : 0x211 (No matching name)
>> +0x024 UseCount : 0n3
>> +0x028 ContextLock : _EX_PUSH_LOCK
>> +0x02c StreamContexts : _CONTEXT_LIST_CTRL
>> +0x030 StreamHandleContexts : _CONTEXT_LIST_CTRL
>> +0x034 NameCacheLock : _EX_PUSH_LOCK
>> +0x038 LastRenameCompleted : _LARGE_INTEGER 0x0
>> +0x040 NormalizedNameCache : _NAME_CACHE_LIST_CTRL
>> +0x048 ShortNameCache : _NAME_CACHE_LIST_CTRL
>> +0x050 OpenedNameCache : _NAME_CACHE_LIST_CTRL
>> +0x058 AllNameContextsTemporary : 0n0
>>
>> From here we need StreamContexts…
>> dt (0x8513f68c-4) fltmgr!_STREAM_LIST_CTRL StreamContexts.
>> +0x02c StreamContexts :
>> +0x000 List : _TREE_ROOT
>>
>> So…
>> dt (0x8513f68c-4+0x2c) _TREE_ROOT
>> fltmgr!_TREE_ROOT
>> +0x000 Tree : 0xd87161b4 _RTL_SPLAY_LINKS
>>
>> So we can do:
>> dt 0xd87161b4 _RTL_SPLAY_LINKS
>> fltmgr!_RTL_SPLAY_LINKS
>> +0x000 Parent : 0xd87161b4 _RTL_SPLAY_LINKS
>> +0x004 LeftChild : (null)
>> +0x008 RightChild : 0x8dd1b61c _RTL_SPLAY_LINKS
>>
>> Let’s see what contexts we have:
>> !pool 0xd87161b4
>> Pool page d87161b4 region is Paged pool
>> d8716000 size: 1a0 previous size: 0 (Free) FMfn
>> *d87161a0 size: 68 previous size: 1a0 (Allocated) *FIcs
>> Pooltag FIcs : FileInfo FS-filter Stream Context, Binary : fileinfo.sys
>> (ok, this isn’t mine…)
>>
>> Let’s try RightChild:
>>
>> !pool 0x8dd1b61c
>> Pool page 8dd1b61c region is Paged pool
>> …
>> 8dd1b5b0 size: 58 previous size: 80 (Allocated) AtmA
>> *8dd1b608 size: 60 previous size: 58 (Allocated) *dbSC
>>
>> Ok, that’s my tag (dbSC)… this is FltMgr’s context though and my data is
>> right after… let’s see the size
>> dt /v fltmgr!_CONTEXT_NODE
>> struct _CONTEXT_NODE, 7 elements, 0x30 bytes
>> +0x000 TxCtxExtension : Ptr32 to struct _TX_CONTEXT_EXTENSION, 5
>> elements, 0x24 bytes
>> +0x000 Data : Ptr32 to Void
>> +0x004 RegInfo : Ptr32 to struct _ALLOCATE_CONTEXT_HEADER, 6
>> elements, 0x10 bytes
>> +0x008 AttachedObject : union , 6 elements, 0x4 bytes
>> +0x00c TreeLink : struct _TREE_NODE, 5 elements, 0x1c bytes
>> +0x00c FltWork : struct _FLTP_WORKITEM, 2 elements, 0x14 bytes
>> +0x028 UseCount : Int4B
>>
>> So, naturally, TreeLink is the RightChild, so we need to remove 0xC… and
>> then add the size of the structure…
>>
>> db (0x8dd1b61c-0xC+0x30)
>> 8dd1b640 58 ab 75 85 50 81 f0 bd-18 ab 75 85 de a1 a1 ac X.u.P…u…
>> 8dd1b650 12 3a e5 11 82 e0 a4 5e-60 eb 62 32 b8 05 de 85 .:…^.b2....<br>&gt;&gt; .....<br>&gt;&gt;<br>&gt;&gt; This is it.. Let's compare with the address I know:<br>&gt;&gt; db @@(streamContext)<br>&gt;&gt; 8dd1b640 58 ab 75 85 50 81 f0 bd-18 ab 75 85 de a1 a1 ac X.u.P.....u.....<br>&gt;&gt; 8dd1b650 12 3a e5 11 82 e0 a4 5e-60 eb 62 32 b8 05 de 85 .:.....^.b2…
>> …
>>
>> So there you have it… We’ve manually walked from a FILE_OBJECT to a
>> StreamContext…
>>
>> Hope this helps…
>>
>> Thanks,
>> Alex
>>
>> On Tue, Sep 22, 2015 at 9:02 PM, raj r wrote:
>>
>>> First try that one-liner from my first reply and look at the list
>>> entry; if it appears to be what you are looking for, then disassemble
>>> the dumpstreamlist() function.
>>>
>>> On 9/22/15, Dejan Maksimovic wrote:
>>> > Awesome… is there any other to get the FltMgr context associated
>>> > with a particular file object?
>>> > Kind regards, Dejan.
>>> >
>>> >
>>> > On Mon, Sep 21, 2015 at 11:17 PM, raj r wrote:
>>> >> you are not missing anything it is broken and there are many such
>>> >> extensions with broken types
>>> >>
>>> >> THE TYPE here is misspelled it needs an underscore in front of
>>> >> file_object
>>> >>
>>> >> if you edit it the complaint will be fltmgr!STREAM_LIST_CTRL type is
>>> >> missing
>>> >>
>>> >> you have to scour around and add this type to fltmgr.pdb, then it will
>>> >> work
>>> >>
>>> >> On 9/20/15, Dejan Maksimovic wrote:
>>> >>> I am trying to find an FltMgr Stream Context associated with a
>>> >>> particular file (I have the file object address), but I can’t seem to
>>> >>> find any way to get there.
>>> >>> !fltkd.streamList on the file object fails, even though it’s a valid
>>> >>> FO (!fileobj)
>>> >>>
>>> >>> kd> !fileobj a4622908
>>> >>> \Test\Data.txt
>>> >>> Device Object: 0x89d9f030 \Driver\volmgr
>>> >>> Vpb: 0x89ca5110
>>> >>> Event signalled
>>> >>> Access: Read SharedRead SharedWrite
>>> >>> Flags: 0x4000a
>>> >>> Synchronous IO
>>> >>> No Intermediate Buffering
>>> >>> Handle Created
>>> >>> FsContext: 0x81f190f8 FsContext2: 0x82528f78
>>> >>> CurrentByteOffset: 0
>>> >>> Cache Data:
>>> >>> Section Object Pointers: 89ff4978
>>> >>> Shared Cache Map: 00000000
>>> >>>
>>> >>> File object extension is at 86fb7498:
>>> >>> Flags: 00000001
>>> >>> Ignore share access checks.
>>> >>>
>>> >>> kd> !fltkd.streamList a4622908
>>> >>> Could not read field “Type” of NT!FILE_OBJECT from address: a4622908
>>> >>>
>>> >>> I am sure I am missing something simple here :wink:
>>> >>>
>>> >>> Kind regards, Dejan.
>>> >>>
>>> >>> —
>>> >>> NTFSD is sponsored by OSR
>>> >>>
>>> >>> OSR is hiring!! Info at http://www.osr.com/careers
>>> >>>
>>> >>> For our schedule of debugging and file system seminars visit:
>>> >>> http://www.osr.com/seminars
>>> >>>
>>> >>> To unsubscribe, visit the List Server section of OSR Online at
>>> >>> http://www.osronline.com/page.cfm?name=ListServer
>>> >>>
>>> >>
>>> >
>>> >
>>>
>>>
>>
>
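The walk Alex did by hand above (splay link -> containing _CONTEXT_NODE -> filter data right after it, with the pool tag as the sanity check) is the same thing CONTAINING_RECORD does in code. The following is an added example written for this page, not code from the thread or from FltMgr: it builds a small constructed tree in user mode with mock stand-ins for fltmgr!_CONTEXT_NODE, nt!_POOL_HEADER and the RTL splay links, climbs to the root (RTL's convention is that the root's Parent points at itself), and does an in-order search for the block whose pool tag matches the filter's. The x86 offsets 0x00c and 0x30 used by x86_context_* come from the `dt fltmgr!_CONTEXT_NODE` output quoted in the thread and are specific to that build; _CONTEXT_NODE is undocumented and its layout changes between Windows versions, so always re-read it with `dt` on the target before trusting any arithmetic. The mock field set and the 16-byte FilterData area are assumptions made for the example.

```c
/*
 * Added example (not from the thread): walk FltMgr-style context splay links
 * back to the filter's context data. Mock structs only keep the shape that
 * matters: a TreeLink embedded in the node, filter data right after the node,
 * and a pool tag in the header right before it.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef CONTAINING_RECORD
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
#endif

typedef struct _RTL_SPLAY_LINKS {
    struct _RTL_SPLAY_LINKS *Parent;     /* RTL convention: the root's Parent points at itself */
    struct _RTL_SPLAY_LINKS *LeftChild;
    struct _RTL_SPLAY_LINKS *RightChild;
} RTL_SPLAY_LINKS;

typedef struct _MOCK_POOL_HEADER {       /* stand-in for nt!_POOL_HEADER; only the tag is used */
    uint32_t Size;
    char     Tag[4];
} MOCK_POOL_HEADER;

typedef struct _MOCK_CONTEXT_NODE {      /* stand-in for fltmgr!_CONTEXT_NODE (assumed field set) */
    void *TxCtxExtension;
    void *Data;
    void *RegInfo;
    void *AttachedObject;
    RTL_SPLAY_LINKS TreeLink;            /* what Parent/LeftChild/RightChild actually point at */
    int   UseCount;
} MOCK_CONTEXT_NODE;

typedef struct _MOCK_CONTEXT_BLOCK {     /* one pool allocation: header, node, then filter bytes */
    MOCK_POOL_HEADER  Header;
    MOCK_CONTEXT_NODE Node;
    unsigned char     FilterData[16];    /* assumed size; the real size is whatever the filter registered */
} MOCK_CONTEXT_BLOCK;

_Static_assert(offsetof(MOCK_CONTEXT_BLOCK, Node) == sizeof(MOCK_POOL_HEADER), "header must abut node");
_Static_assert(offsetof(MOCK_CONTEXT_BLOCK, FilterData) ==
               offsetof(MOCK_CONTEXT_BLOCK, Node) + sizeof(MOCK_CONTEXT_NODE), "data must abut node");

/* Numbers from the thread's x86 `dt fltmgr!_CONTEXT_NODE`: TreeLink at +0x00c, size 0x30. */
#define X86_TREELINK_OFFSET 0x0cu
#define X86_CONTEXT_NODE_SIZE 0x30u

uint32_t x86_context_node_from_tree_link(uint32_t tree_link_va) {
    return tree_link_va - X86_TREELINK_OFFSET;        /* 0x8dd1b61c -> 0x8dd1b610 */
}
uint32_t x86_context_data_from_tree_link(uint32_t tree_link_va) {
    return x86_context_node_from_tree_link(tree_link_va) + X86_CONTEXT_NODE_SIZE; /* -> 0x8dd1b640 */
}

static RTL_SPLAY_LINKS *splay_root(RTL_SPLAY_LINKS *link) {
    while (link->Parent != link) link = link->Parent;
    return link;
}
static MOCK_CONTEXT_NODE *node_from_link(RTL_SPLAY_LINKS *link) {
    return CONTAINING_RECORD(link, MOCK_CONTEXT_NODE, TreeLink);
}
static const MOCK_POOL_HEADER *pool_header_of(const MOCK_CONTEXT_NODE *node) {
    return (const MOCK_POOL_HEADER *)((const char *)node - sizeof(MOCK_POOL_HEADER));
}
/* In-order search; returns the filter-visible data of the first node whose pool tag matches. */
static void *search(RTL_SPLAY_LINKS *link, const char tag[4]) {
    if (!link) return NULL;
    void *hit = search(link->LeftChild, tag);
    if (hit) return hit;
    MOCK_CONTEXT_NODE *node = node_from_link(link);
    if (memcmp(pool_header_of(node)->Tag, tag, 4) == 0) return (void *)(node + 1);
    return search(link->RightChild, tag);
}
void *find_context_by_tag(RTL_SPLAY_LINKS *any_link, const char tag[4]) {
    return search(splay_root(any_link), tag);
}

static MOCK_CONTEXT_BLOCK g_blocks[3];

/* Constructed tree shaped like the thread's: the start node has no LeftChild, a Parent
   owned by fileinfo.sys (FIcs) and a RightChild that is the filter's own (dbSC). */
void build_mock_tree(MOCK_CONTEXT_BLOCK blocks[3]) {
    const char *tags[3] = { "FIcs", "Mock", "dbSC" };   /* "Mock" is a made-up third tag */
    memset(blocks, 0, 3 * sizeof(*blocks));
    for (int i = 0; i < 3; i++) {
        blocks[i].Header.Size = (uint32_t)sizeof(MOCK_CONTEXT_BLOCK);
        memcpy(blocks[i].Header.Tag, tags[i], 4);
        blocks[i].Node.TreeLink.Parent = &blocks[i].Node.TreeLink;
        memset(blocks[i].FilterData, 0x10 * (i + 1), sizeof blocks[i].FilterData);
    }
    blocks[0].Node.TreeLink.RightChild = &blocks[1].Node.TreeLink;
    blocks[1].Node.TreeLink.Parent     = &blocks[0].Node.TreeLink;
    blocks[1].Node.TreeLink.RightChild = &blocks[2].Node.TreeLink;
    blocks[2].Node.TreeLink.Parent     = &blocks[1].Node.TreeLink;
}
/* Start from the middle node, as the thread did, and look up a tag. */
void *lookup_from_middle(const char tag[4]) {
    build_mock_tree(g_blocks);
    return find_context_by_tag(&g_blocks[1].Node.TreeLink, tag);
}

int main(void) {
    unsigned char *p = lookup_from_middle("dbSC");
    if (!p) { puts("dbSC context not found"); return 1; }
    printf("dbSC context data at %p, first byte 0x%02x\n", (void *)p, p[0]);
    printf("x86 walk: 0x8dd1b61c -> data at 0x%08x\n", x86_context_data_from_tree_link(0x8dd1b61cu));
    return 0;
}
```

The x86 helpers also give the cross-check a practitioner wants before trusting the result: 0x8dd1b61c - 0xc = 0x8dd1b610, which is exactly the thread's `*8dd1b608 size: 60 (Allocated) *dbSC` pool block plus the 8-byte x86 POOL_HEADER, so the node base lines up with the start of the allocation and the tag confirms whose context it is. If those two addresses do not agree on a real target, the offsets you pulled from `dt` are for the wrong build.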