Attach to loaded module or list open handles

David_F. Member Posts: 198
After running deleteservice (reports success) the module is still loaded (lm). Trying to manually stop service, delete pending, manually start, can't service disable. So I want to see what is holding up the module. But how do I attach to the module when lm just shows start/end address? How would I tell what file handles it may have open (for !handle I need a process id), etc.? I can't set a break point in there because it's not going to be called since I can't open a handle to it. In summary, what are the series of commands to get into this module that shows in "lm"?

TIA!!

Comments

  • Tim_Roberts Member - All Emails Posts: 13,483
    [email protected] wrote:
    > After running deleteservice (reports success) the module is still loaded (lm).

    Are you talking about a kernel driver service or a user-mode service?
    I'm going to assume you meant a kernel service. If you actually have a
    user-mode service, then the rest of my message will be gobbledygook.


    > Trying to manually stop service, delete pending, manually start, can't service disable. So I want to see what is holding up the module. But how do I attach to the module when lm just shows start/end address?

    For a kernel service, there's nothing to "attach" to. If it can't stop,
    either there's still an open handle to it, or you don't have a DrvUnload
    entry point.


    > How would I tell what file handles it may have open (for !handle I need a process id), etc.. ?

    Kernel drivers (like DLLs) do not own file handles. File handles are
    owned by processes.


    > I can't set a break point in there because it's not going to be called since can't open handle to it. In summary, what are the series of commands to get into this module that shows in "lm" ?

    What do you mean by "get into"? You can't "get into" a driver. If it
    won't unload, then there must be an open handle to it somewhere. Do you
    have a process that opens the service? Does it keep the handle open
    forever?

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • David_F. Member Posts: 198
    It's a driver that loads, then unloads. Seemed to be fine under W7; XP doesn't let go. I know it's older, but it bugs me as to what it is. It's a basic install of the x86 version. What command would I use to find what is holding it open (on reboot it does finally get removed)? The user mode app that loaded it and sent the DeviceIoControl ended, and I tried closing the cmd.exe session as well.
  • David_F. Member Posts: 198
    it basically goes into stop pending mode.
  • David_F. Member Posts: 198
    It was open handles (implemented changes but had returns in the body; implemented a try/finally block inside the try/except block, and that takes care of it). I presume that will be called on exception as well (based on sample https://msdn.microsoft.com/en-us/library/s58ftw19.aspx).

    But I'd still like to know the whole set of steps to find open handles a module may have not closed, to put in my notes so they will be found via Google here. Can't find much out there.
  • Scott_Noone_(OSR) Administrator Posts: 3,302
    There's no easy answer. If the driver wasn't unloading due to an open handle
    to the device, then you need to find the handle that points to the file
    object that references the device. The traditional way would be to run
    "!handle 0 3 0 File" and search the output for a file object referencing
    your device object. Or if you really cared you could write an extension
    that uses the handle walking interface in extsfns.h (never cared enough to
    do this myself but always thought it would be amusing).

    These days JavaScript extensions and LINQ are the thing. You can access the
    handles in a process using the debugger's object model (it's under
    Process.Io.Handles) and you could walk through each one looking for a file
    object that references your device object. The query for a specific process
    would look something like:

    dx Debugger.Sessions[0].Processes[0x318].Io.Handles.Where(obj => ((nt!_FILE_OBJECT *)&obj.Object.Body)->DeviceObject == (nt!_DEVICE_OBJECT *)0xffffd0823dbfd870)

    Note that this just brute forces each handle into being a file object. A
    more elegant solution would extend the query to ignore non-file object
    types.

    For fun I did this as a JavaScript extension as well, though I skipped using
    LINQ. Very likely there's a better way to do this, but here's what I
    came up with. Example success output is:

    kd> dx Debugger.State.Scripts.FindDevHandle.Contents.FindDevHandle(0xffff8e018f704140)
    Finding handle to device 0xffff8e018f704140!
    ...
    Process SearchFilterHost.exe
    Process audiodg.exe
    Process OSRLOADER.exe
    Process NothingTest.exe
    Found one!
    PID : 0x1300
    Name : NothingTest.exe
    Handle : 0x9c
    Object : 0xffff8e018e619690


    //
    // FindDevHandle.js
    //
    // Walk the current list of processes and look for a handle to a file object
    // that is accessing the specified device
    //
    // OSR Open Systems Resources, inc.
    //
    // http://www.osr.com
    // http://www.osronline.com
    //
    //
    // To run:
    //
    // .load jsprovider.dll
    // .scriptload FindDevHandle.js
    // dx Debugger.State.Scripts.FindDevHandle.Contents.FindDevHandle(0x12345678)
    //
    function FindDevHandle(devObjParam) {

        // Get easy access to the debug output method
        var dbgOutput = host.diagnostics.debugLog;

        // Get a typed device object for the incoming parameter
        var devObj = host.createTypedObject(devObjParam, "nt", "_DEVICE_OBJECT");

        dbgOutput("Finding handle to device ", devObj.targetLocation, "!\n\n");

        // Loop over each process
        var processes = host.currentSession.Processes;

        for (var process of processes) {

            dbgOutput("Process ", process.Name, "\n");

            // And each handle in every process
            var handles = process.Io.Handles;

            // Note that an exception can be raised while looping over the handles
            // (e.g. an empty handle table)
            try {

                for (var handle of handles) {

                    // NOTE: We just treat every handle like it's a file handle
                    // and catch exceptions along the way. A better idea would
                    // be to key off of the type, but that appears to be broken
                    // with public PDBs at the moment
                    try {

                        // Cast the object to a file object
                        var fileObj = host.createTypedObject(handle.Object.Body.targetLocation, "nt", "_FILE_OBJECT");

                        // Dereference the DeviceObject field and get the target location
                        if (fileObj.DeviceObject.dereference().targetLocation == devObj.targetLocation) {

                            dbgOutput("\tFound one!\n");
                            dbgOutput("\t PID : ", process.Id, "\n");
                            dbgOutput("\t Name : ", process.Name, "\n");
                            dbgOutput("\t Handle : ", handle.Handle, "\n");
                            dbgOutput("\t Object : ", fileObj.targetLocation, "\n\n");
                        }

                    } catch (e) {

                        dbgOutput("\tException parsing handle!\n");

                    }

                }

            } catch (e) {

                dbgOutput("\tException parsing handle table!\n");

            }

        }

    }

    I also wrote more about this here:

    https://www.osr.com/blog/2017/05/18/windbg-debugger-objects-javascript-oh/

    -scott
    OSR
    @OSRDrivers

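A variant of the walk above, added here as example code (not Scott's script or OSR's): it keys off each handle entry's Type before casting, which is the "more elegant" filter he mentions, and separates the matching logic from the debugger host so it can be exercised against a constructed handle table. Assumptions: handle entries expose Type, Handle and Object as Process.Io.Handles entries do, and targetLocation values stringify to their address.

```javascript
"use strict";
// Added example (not Scott's FindDevHandle.js): key off each handle entry's
// object type so only "File" handles are cast to nt!_FILE_OBJECT; `readFileObject`
// is a caller-supplied reader so the matching logic also runs outside the debugger.
// Pure matching logic: which handles reference the device at devObjAddress?
function findDeviceHandles(handles, devObjAddress, readFileObject) {
    const matches = [];
    const want = String(devObjAddress);   // string compare: Int64 or number alike
    for (const handle of handles) {
        if (handle.Type !== "File") continue;   // not a file object: never cast it
        let fileObj;
        try {
            fileObj = readFileObject(handle.Object.Body.targetLocation);
        } catch (e) {
            continue;   // unreadable entry (paged out, stale): skip, keep walking
        }
        if (String(fileObj.deviceObjectAddress) === want) {
            matches.push({ Handle: handle.Handle, Object: handle.Object.Body.targetLocation });
        }
    }
    return matches;
}
// WinDbg glue, only callable inside the debugger where `host` is defined:
// dx Debugger.State.Scripts.<script>.Contents.FindDevHandleByType(0x...)
function FindDevHandleByType(devObjParam) {
    const log = host.diagnostics.debugLog;
    const devObj = host.createTypedObject(devObjParam, "nt", "_DEVICE_OBJECT");
    const readFileObject = (loc) => ({   // same typed-object calls as the original
        deviceObjectAddress: host.createTypedObject(loc, "nt", "_FILE_OBJECT")
            .DeviceObject.dereference().targetLocation });
    for (const process of host.currentSession.Processes) {
        let hits = [];
        try { hits = findDeviceHandles(process.Io.Handles, devObj.targetLocation, readFileObject); }
        catch (e) { log("\tException walking handle table of ", process.Name, "\n"); }
        for (const h of hits)
            log("PID ", process.Id, " ", process.Name, " Handle ", h.Handle, " Object ", h.Object, "\n");
    }
}
// Constructed sample handle table (not real debugger data) for stand-alone use.
const SAMPLE_HANDLES = [
    { Type: "Event", Handle: 0x4,  Object: { Body: { targetLocation: "0x1000" } } },
    { Type: "File",  Handle: 0x9c, Object: { Body: { targetLocation: "0x2000" } } },
    { Type: "File",  Handle: 0xa0, Object: { Body: { targetLocation: "0x3000" } } },  // unreadable
    { Type: "File",  Handle: 0xa4, Object: { Body: { targetLocation: "0x4000" } } }]; // other device
const SAMPLE_FILE_OBJECTS = { "0x2000": "0xffff8e018f704140", "0x4000": "0xffff8e0100000000" };
function sampleReader(loc) {
    if (!(loc in SAMPLE_FILE_OBJECTS)) throw new Error("unreadable file object");
    return { deviceObjectAddress: SAMPLE_FILE_OBJECTS[loc] };
}
```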

  • David_F. Member Posts: 198
    Thanks, and to find the device object address for a module would be found using which command?
  • Don_Burn Member - All Emails Posts: 1,695
    !object \Device will give you a list of objects in the \Device directory.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com


