Alternatively, you could do the following:
assuming the FILE_OBJECT in question is 0x85e41c90:
dt 0x85e41c90 nt!_FILE_OBJECT FsContext
+0x00c FsContext : 0xc865b888 Void
dt 0xc865b888 _FSRTL_ADVANCED_FCB_HEADER
nt!_FSRTL_ADVANCED_FCB_HEADER
+0x000 NodeTypeCode : 0n1797
+0x002 NodeByteSize : 0n344
+0x004 Flags : 0x40 '@'
+0x005 IsFastIoPossible : 0x2 ''
+0x006 Flags2 : 0x6 ''
+0x007 Reserved : 0y0000
+0x007 Version : 0y0001
+0x008 Resource : 0x8588dcb4 _ERESOURCE
+0x00c PagingIoResource : 0x8588dd14 _ERESOURCE
+0x010 AllocationSize : _LARGE_INTEGER 0xc30000
+0x018 FileSize : _LARGE_INTEGER 0xc20c9b
+0x020 ValidDataLength : _LARGE_INTEGER 0xc20c9b
+0x028 FastMutex : 0x8588dc94 _FAST_MUTEX
+0x02c FilterContexts : _LIST_ENTRY [0x8513f68c - 0x8513f68c]
+0x034 PushLock : _EX_PUSH_LOCK
+0x038 FileContextSupportPointer : 0xc865b884 -> (null)
Look at FilterContexts… It’s a linked list and you need to find the right
Fltmgr one… On my machine there’s just one entry (just one legacy filter,
and that is FltMgr):
dl 0x8513f68c
8513f68c c865b8b4 c865b8b4 862d9ae0 c865b888
c865b8b4 8513f68c 8513f68c 00000000 c865b884
!pool 0x8513f68c
Pool page 8513f68c region is Nonpaged pool
…
8513f678 size: 8 previous size: 68 (Free) Ntfi
*8513f680 size: 68 previous size: 8 (Allocated) *FMsl
Pooltag FMsl : STREAM_LIST_CTRL structure, Binary : fltmgr.sys
dt fltmgr!_STREAM_LIST_CTRL
+0x000 Type : _FLT_TYPE
+0x004 ContextCtrl : _FSRTL_PER_STREAM_CONTEXT
+0x018 VolumeLink : _LIST_ENTRY
+0x020 Flags : _STREAM_LIST_CTRL_FLAGS
+0x024 UseCount : Int4B
+0x028 ContextLock : _EX_PUSH_LOCK
+0x02c StreamContexts : _CONTEXT_LIST_CTRL
+0x030 StreamHandleContexts : _CONTEXT_LIST_CTRL
+0x034 NameCacheLock : _EX_PUSH_LOCK
+0x038 LastRenameCompleted : _LARGE_INTEGER
+0x040 NormalizedNameCache : _NAME_CACHE_LIST_CTRL
+0x048 ShortNameCache : _NAME_CACHE_LIST_CTRL
+0x050 OpenedNameCache : _NAME_CACHE_LIST_CTRL
+0x058 AllNameContextsTemporary : Int4B
Clearly, the pointer we have is ContextCtrl, so we can do:
dt (0x8513f68c-4) fltmgr!_STREAM_LIST_CTRL
+0x000 Type : _FLT_TYPE
+0x004 ContextCtrl : _FSRTL_PER_STREAM_CONTEXT
+0x018 VolumeLink : _LIST_ENTRY [0x862d9e0c - 0x85f23230]
+0x020 Flags : 0x211 (No matching name)
+0x024 UseCount : 0n3
+0x028 ContextLock : _EX_PUSH_LOCK
+0x02c StreamContexts : _CONTEXT_LIST_CTRL
+0x030 StreamHandleContexts : _CONTEXT_LIST_CTRL
+0x034 NameCacheLock : _EX_PUSH_LOCK
+0x038 LastRenameCompleted : _LARGE_INTEGER 0x0
+0x040 NormalizedNameCache : _NAME_CACHE_LIST_CTRL
+0x048 ShortNameCache : _NAME_CACHE_LIST_CTRL
+0x050 OpenedNameCache : _NAME_CACHE_LIST_CTRL
+0x058 AllNameContextsTemporary : 0n0
From here we need StreamContexts…
dt (0x8513f68c-4) fltmgr!_STREAM_LIST_CTRL StreamContexts.
+0x02c StreamContexts :
+0x000 List : _TREE_ROOT
So…
dt (0x8513f68c-4+0x2c) _TREE_ROOT
fltmgr!_TREE_ROOT
+0x000 Tree : 0xd87161b4 _RTL_SPLAY_LINKS
So we can do:
dt 0xd87161b4 _RTL_SPLAY_LINKS
fltmgr!_RTL_SPLAY_LINKS
+0x000 Parent : 0xd87161b4 _RTL_SPLAY_LINKS
+0x004 LeftChild : (null)
+0x008 RightChild : 0x8dd1b61c _RTL_SPLAY_LINKS
Let’s see what contexts we have:
!pool 0xd87161b4
Pool page d87161b4 region is Paged pool
d8716000 size: 1a0 previous size: 0 (Free) FMfn
*d87161a0 size: 68 previous size: 1a0 (Allocated) *FIcs
Pooltag FIcs : FileInfo FS-filter Stream Context, Binary : fileinfo.sys
(ok, this isn’t mine…)
Let’s try RightChild:
!pool 0x8dd1b61c
Pool page 8dd1b61c region is Paged pool
…
8dd1b5b0 size: 58 previous size: 80 (Allocated) AtmA
*8dd1b608 size: 60 previous size: 58 (Allocated) *dbSC
Ok, that’s my tag (dbSC)… this is FltMgr’s context though and my data is
right after… let’s see the size
dt /v fltmgr!_CONTEXT_NODE
struct _CONTEXT_NODE, 7 elements, 0x30 bytes
+0x000 TxCtxExtension : Ptr32 to struct _TX_CONTEXT_EXTENSION, 5 elements, 0x24 bytes
+0x000 Data : Ptr32 to Void
+0x004 RegInfo : Ptr32 to struct _ALLOCATE_CONTEXT_HEADER, 6 elements, 0x10 bytes
+0x008 AttachedObject : union , 6 elements, 0x4 bytes
+0x00c TreeLink : struct _TREE_NODE, 5 elements, 0x1c bytes
+0x00c FltWork : struct _FLTP_WORKITEM, 2 elements, 0x14 bytes
+0x028 UseCount : Int4B
So, naturally, TreeLink is the RightChild, so we need to remove 0xC… and
then add the size of the structure…
db (0x8dd1b61c-0xC+0x30)
8dd1b640 58 ab 75 85 50 81 f0 bd-18 ab 75 85 de a1 a1 ac X.u.P.....u.....
8dd1b650 12 3a e5 11 82 e0 a4 5e-60 eb 62 32 b8 05 de 85 .:.....^`.b2....
…
This is it.. Let’s compare with the address I know:
db @@(streamContext)
8dd1b640 58 ab 75 85 50 81 f0 bd-18 ab 75 85 de a1 a1 ac X.u.P.....u.....
8dd1b650 12 3a e5 11 82 e0 a4 5e-60 eb 62 32 b8 05 de 85 .:.....^`.b2....
…
So there you have it… We’ve manually walked from a FILE_OBJECT to a
StreamContext…
Hope this helps…
Thanks,
Alex
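The same walk, automated as an added example (not code from the thread): a debugger-side walker over a snapshot of target memory, using the x86 offsets from the dt output above. It assumes each _STREAM_LIST_CTRL and _CONTEXT_NODE begins its pool allocation, as the !pool output shows, so the owning filter is identified by the pool tag that precedes it; the memory contents are constructed to reproduce the addresses in the walk.

```python
import struct

# Field offsets/sizes from the dt output on this page (x86 layout).
FO_FsContext, FCBH_FilterContexts = 0x0C, 0x2C     # _FILE_OBJECT, _FSRTL_ADVANCED_FCB_HEADER
SLC_ContextCtrl, SLC_StreamContexts = 0x04, 0x2C   # fltmgr!_STREAM_LIST_CTRL (StreamContexts.List.Tree)
CN_TreeLink, CN_SIZE = 0x0C, 0x30                  # fltmgr!_CONTEXT_NODE
SPLAY_Left, SPLAY_Right = 0x04, 0x08               # _RTL_SPLAY_LINKS
# Target memory is a sparse {address: byte} map; KeyError means "unreadable address".
def poke(mem, addr, data):
    for i, b in enumerate(data): mem[addr + i] = b
def u32(mem, addr): return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]
def pool_tag(mem, alloc):   # x86 _POOL_HEADER precedes the block; its last 4 bytes are the tag
    return bytes(mem[alloc - 4 + i] for i in range(4)).decode("ascii", "replace")

def fltmgr_stream_list_ctrl(mem, file_object):
    """FILE_OBJECT -> FsContext -> FilterContexts -> the entry whose pool tag is FMsl."""
    head = u32(mem, file_object + FO_FsContext) + FCBH_FilterContexts
    seen, link = set(), u32(mem, head)             # Flink
    while link != head and link not in seen:
        seen.add(link)
        ctrl = link - SLC_ContextCtrl              # CONTAINING_RECORD(link, _STREAM_LIST_CTRL, ContextCtrl)
        if pool_tag(mem, ctrl) == "FMsl": return ctrl
        link = u32(mem, link)
    raise LookupError("no FltMgr STREAM_LIST_CTRL on this stream (or list is cyclic)")

def stream_contexts(mem, ctrl):
    """In-order walk of the StreamContexts splay tree; yields (pool tag, node, data pointer)."""
    stack, cur, seen = [], u32(mem, ctrl + SLC_StreamContexts), set()
    while stack or cur:
        while cur:                                 # descend to the leftmost node
            if cur in seen: raise ValueError("splay tree is cyclic")
            seen.add(cur); stack.append(cur); cur = u32(mem, cur + SPLAY_Left)
        cur = stack.pop()
        node = cur - CN_TreeLink                   # CONTAINING_RECORD(cur, _CONTEXT_NODE, TreeLink)
        yield pool_tag(mem, node), node, node + CN_SIZE   # the filter's data sits right after the node
        cur = u32(mem, cur + SPLAY_Right)

def find_stream_context(mem, file_object, tag):
    """Data pointers of the stream contexts a minifilter allocated with its own tag."""
    return [d for t, _, d in stream_contexts(mem, fltmgr_stream_list_ctrl(mem, file_object)) if t == tag]

def build_sample_target():
    """Constructed memory reproducing the addresses in the walk above."""
    mem = {}
    poke(mem, 0x85e41c90 + FO_FsContext, struct.pack("<I", 0xc865b888))
    poke(mem, 0xc865b8b4, struct.pack("<II", 0x8513f68c, 0x8513f68c))       # FilterContexts list head
    poke(mem, 0x8513f684, b"FMsl" + bytes(4) + struct.pack("<II", 0xc865b8b4, 0xc865b8b4))  # tag, Type, Links
    poke(mem, 0x8513f688 + SLC_StreamContexts, struct.pack("<I", 0xd87161b4))  # tree root
    poke(mem, 0xd87161a4, b"FIcs" + bytes(12) + struct.pack("<III", 0xd87161b4, 0, 0x8dd1b61c))  # fileinfo.sys, root
    poke(mem, 0x8dd1b60c, b"dbSC" + bytes(12) + struct.pack("<III", 0xd87161b4, 0, 0))  # the poster's, right child
    return mem
```

find_stream_context(build_sample_target(), 0x85e41c90, "dbSC") returns [0x8dd1b640], the same data address the db commands above land on.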
On Tue, Sep 22, 2015 at 9:02 PM, raj r wrote:
> first try that one liner from my first reply and look at the list
> entry if it appears to be what you are looking after then disassemble
> dumpstreamlist() function
>
> On 9/22/15, Dejan Maksimovic wrote:
> > Awesome… is there any other way to get the FltMgr context associated
> > with a particular file object?
> > Kind regards, Dejan.
> >
> >
> > On Mon, Sep 21, 2015 at 11:17 PM, raj r wrote:
> >> you are not missing anything it is broken and there are many such
> >> extensions with broken types
> >>
> >> THE TYPE here is misspelled it needs an underscore in front of
> >> file_object
> >>
> >> if you edit it the complaint will be fltmgr!STREAM_LIST_CTRL type is
> >> missing
> >>
> >> you have to scour around and add this type to fltmgr.pdb then it will
> >> work
> >>
> >> On 9/20/15, Dejan Maksimovic wrote:
> >>> I am trying to find an FltMgr Stream Context associated with a
> >>> particular file (I have the file object address), but I can’t seem to
> >>> find any way to get there.
> >>> !fltkd.streamList on the file object fails, even though it’s a valid
> >>> FO (!fileobj)
> >>>
> >>> kd> !fileobj a4622908
> >>> \Test\Data.txt
> >>> Device Object: 0x89d9f030 \Driver\volmgr
> >>> Vpb: 0x89ca5110
> >>> Event signalled
> >>> Access: Read SharedRead SharedWrite
> >>> Flags: 0x4000a
> >>> Synchronous IO
> >>> No Intermediate Buffering
> >>> Handle Created
> >>> FsContext: 0x81f190f8 FsContext2: 0x82528f78
> >>> CurrentByteOffset: 0
> >>> Cache Data:
> >>> Section Object Pointers: 89ff4978
> >>> Shared Cache Map: 00000000
> >>>
> >>> File object extension is at 86fb7498:
> >>> Flags: 00000001
> >>> Ignore share access checks.
> >>>
> >>> kd> !fltkd.streamList a4622908
> >>> Could not read field “Type” of NT!FILE_OBJECT from address: a4622908
> >>>
> >>> I am sure I am missing something simple here
> >>>
> >>> Kind regards, Dejan.
> >>>
> >>> —
> >>> NTFSD is sponsored by OSR
> >>>
> >>> OSR is hiring!! Info at http://www.osr.com/careers
> >>>
> >>> For our schedule of debugging and file system seminars visit:
> >>> http://www.osr.com/seminars
> >>>
> >>> To unsubscribe, visit the List Server section of OSR Online at
> >>> http://www.osronline.com/page.cfm?name=ListServer
> >>>