Retrieving Device/File Name from File handle WinDBG

4
votes

Is it possible to retrieve target device name (\Device\ExampleDevice) or file name from a file/device handle (which is returned by CreateFile API).

Actually, I have an user mode application which communicates with Kernel driver using DeviceIoControl(). So when the application is running, I've set a break point at Kernel32!DeviceIoControl. so when the application hit the break point, From stack I've collected the target device handle, to which the application is sending IOCTL. We know that second parameter is the target device handle.

I want to know, is there any way I can get the Device Name (\Device\ExampleDevice) from the handle which is 0x000007bc in this case without setting break point at CreateFile?

I tried below thing.Please suggest.

0:000> bp Kernel32!DeviceIoControl
0:000> g
ModLoad: 76360000 76370000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 5b860000 5b8b4000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll
Breakpoint 1 hit
eax=0022f6a4 ebx=0022f850 ecx=77e46520 edx=000007bc esi=00000000 edi=00000000
eip=7c801625 esp=0022f620 ebp=0022f678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!DeviceIoControl:
7c801625 6a14            push    14h
0:000> d esp
0022f620  77dd9672 000007bc 00390008 77e462c0
0022f630  00000100 0022f6b0 00000100 0022f6a4
0022f640  00000000 77e462a0 0022f7c8 00000018
0022f650  00000000 0022f66c 00000040 00000000
0022f660  00000000 00000000 00000000 001e001c
0022f670  77dd988c 000007bc 0022f7b4 77dd8724
0022f680  77e462c0 00000100 0022f6b0 0022f6a4
0022f690  00000000 00000000 00000000 00000100
0:000> !handle 000007bc f
Handle 7bc
  Type          File
  Attributes    0
  GrantedAccess 0x100001:
         Synch
         Read/List
  HandleCount   2
  PointerCount  3
  No Object Specific Information available
0:000> !handle 000007bc
Handle 7bc
  Type          File
0:000> !handle 000007bc 7
Handle 7bc
  Type          File
  Attributes    0
  GrantedAccess 0x100001:
         Synch
         Read/List
  HandleCount   2
  PointerCount  3

Thanks in Advance,

2
windowsdebuggingdriverwindbgdevice-driver
What you are doing is correct but object specific information is not available for some reason which is strange, presumably all your symbols are correct? - EdChum
Yes!I guess so! Does "!handle 000007bc 7" out put should contain the dev. name in general case?? - Dev.K.
It outputs handle object specific information if available, so I would expect file path to be there - EdChum
I have the exact same problem. Using procdump -ma, I couldn't get specific object information. A dump taken from another process at another time didn't have this problem. I'm left now with it either being a rights problem or a difference between taking a dump of a service and a plain process. - Lieven Keersmaekers
See related: stackoverflow.com/questions/14857736/… - EdChum

2 Answers

4
votes

very late answer

kernel32!beep does not call CreateFileA or W it calls NtCreateFile in ntdll.dll Directly so breakpoints in kernel32.dll do not get hit

in this specific case the FILE is always \Device\Beep

0:000> kbL;!obja poi(@esp + 0xc)
ChildEBP RetAddr  Args to Child              
0013fef0 7c837b44 0013ff60 00000003 0013ff2c ntdll!ZwCreateFile
0013ff68 00401013 000002ee 0000012c 0013ffc0 kernel32!Beep+0xc4
0013ff78 00401192 00000001 00033ae8 00033b18 Beep!main+0x13
0013ffc0 7c817077 009af6ee 009af71a 7ffde000 Beep!__tmainCRTStartup+0x10b
0013fff0 00000000 004011e8 00000000 78746341 kernel32!BaseProcessStart+0x23
Obja +0013ff2c at 0013ff2c:
    Name is \Device\Beep

as said earlier Name Info is available in kernel mode and not user mode

0:000> !handle  poi(0x0013ff60) 7
Handle fa4
  Type          File
  Attributes    0
  GrantedAccess 0x3:
         None
         Read/List,Write/Add
  HandleCount   2
  PointerCount  3

name can be found in a parallel local kernel debugging session
for OS > vista LKd needs /DEBUG switch enabled 

find the pid find the object and get the name of the object

C:\>wmic process get name,Processid | grep -i beep
Beep.exe                2796

C:\>kd -kl -c "!handle 0xfa4 7  0n2796;q " | grep -i object:

0fa4: Object: 86325028  GrantedAccess: 00000003 Entry: e1274f48
Object: 86325028  Type: (86fe9e70) File

C:\>kd -kl -c "!fileobj 86325028;q" | grep -i Device

Device Object: 0x868a6b90   \Driver\Beep

C:\>
1
votes

As i see you connected windbg as usermode debugger. !handle can`t display such information in usermode because mapping beetwen FILE_OBJECT (object manager object) and handle avaiable only in kernelmode. Connect windbg as kernelmode debugger and you will be able to see file names with !handle extension.