I'm trying to view the Windows file system structure _FILE_ID_BOTH_DIR_INFORMATION in memory using WinDbg, but for some reason it tells me that the symbol is not found.
I connected WinDbg with a pipe to a Windows XP virtual machine in order to debug its kernel.
I tried viewing the structure's data using the command dt _FILE_ID_BOTH_DIR_INFORMATION esi
because the value of ESI is an address which contains the structure in question that I want to inspect.
All I got was the following output:
3: kd> dt _FILE_ID_BOTH_DIR_INFORMATION esi
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: _FILE_ID_BOTH_DIR_INFORMATION ***
*** ***
*************************************************************************
Symbol _FILE_ID_BOTH_DIR_INFORMATION not found.
Other structures are working for me, like _DRIVER_OBJECT.
All I know about the _FILE_ID_BOTH_DIR_INFORMATION symbol is that it is included in ntifs.h, according to Microsoft's documentation. I couldn't find information regarding whether this symbol is provided by the Microsoft Symbol Server.
No, it appears this type info is not available in the public PDBs provided by MS.
You can check yourself using wildcards:
0: kd> dt nt!*_FILE_*
ntkrnlmp!_FILE_INFORMATION_CLASS
ntkrnlmp!_FILE_OBJECT
ntkrnlmp!_PF_FILE_ACCESS_TYPE
ntkrnlmp!_FILE_SEGMENT_ELEMENT
ntkrnlmp!_IOP_FILE_OBJECT_EXTENSION
ntkrnlmp!_CREATE_FILE_TYPE
ntkrnlmp!_FILE_OBJECT_EXTENSION_TYPE
ntkrnlmp!_DUMMY_FILE_OBJECT
ntkrnlmp!_IMAGE_FILE_HEADER
ntkrnlmp!_FILE_BASIC_INFORMATION
ntkrnlmp!_FILE_GET_QUOTA_INFORMATION
ntkrnlmp!_FILE_NETWORK_OPEN_INFORMATION
ntkrnlmp!_MMPAGE_FILE_EXPANSION
ntkrnlmp!_FILE_STANDARD_INFORMATION
ntkrnlmp!_MAPPED_FILE_SEGMENT
ntkrnlmp!_MMPAGE_FILE_EXPANSION_FLAGS
ntkrnlmp!_MI_PAGING_FILE_SPACE_BITMAPS
0: kd> dt nt!*_FILE_I*
ntkrnlmp!_FILE_INFORMATION_CLASS
As to viewing them, you can view the raw contents of memory: just do dd @esi and correlate them with the structure in ntifs.h,
or use .printf and some find/replace in Notepad to print a formatted output.
I just copy-pasted the structure from the documentation into Notepad++,
stuffed the .printf in front using find/replace,
stuffed the \t%x at the end using the same procedure,
tweaked the offsets to the pseudo-register and saved it as .txt.
I used $$>a< to run it as a WinDbg script, providing a random offset to the pseudo-register (I just made sure there is some Unicode string at offset+0x48). The results are as below.
r $t0 = (fffff805`19ec53e0-48)
.printf "typedef struct _FILE_ID_BOTH_DIR_INFORMATION { \n"
.printf " ULONG NextEntryOffset; \t%x\n" , @$t0+0
.printf " ULONG FileIndex; \t%x\n" , @$t0+4
.printf " LARGE_INTEGER CreationTime; \t%N\n" , @$t0+8
.printf " LARGE_INTEGER LastAccessTime; \t%N\n" , @$t0+10
.printf " LARGE_INTEGER LastWriteTime; \t%N\n" , @$t0+18
.printf " LARGE_INTEGER ChangeTime; \t%N\n" , @$t0+20
.printf " LARGE_INTEGER EndOfFile; \t%N\n" , @$t0+28
.printf " LARGE_INTEGER AllocationSize; \t%N\n" , @$t0+30
.printf " ULONG FileAttributes; \t%x\n" , @$t0+38
.printf " ULONG FileNameLength; \t%x\n" , @$t0+3c
.printf " ULONG EaSize; \t%x\n" , @$t0+40
.printf " CCHAR ShortNameLength; \t%x\n" , @$t0+44
.printf " WCHAR ShortName[12]; \t%mu\n" , @$t0+48
.printf " LARGE_INTEGER FileId; \t%N\n" , @$t0+54
.printf " WCHAR FileName[1]; \t%mu\n" , @$t0+58
.printf "} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; \n"
Results:
0: kd> $$>a< f:\wdscr\fileid.wds
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
ULONG NextEntryOffset; 19ec5398
ULONG FileIndex; 19ec539c
LARGE_INTEGER CreationTime; FFFFF80519EC53A0
LARGE_INTEGER LastAccessTime; FFFFF80519EC53A8
LARGE_INTEGER LastWriteTime; FFFFF80519EC53B0
LARGE_INTEGER ChangeTime; FFFFF80519EC53B8
LARGE_INTEGER EndOfFile; FFFFF80519EC53C0
LARGE_INTEGER AllocationSize; FFFFF80519EC53C8
ULONG FileAttributes; 19ec53d0
ULONG FileNameLength; 19ec53d4
ULONG EaSize; 19ec53d8
CCHAR ShortNameLength; 19ec53dc
WCHAR ShortName[12]; KeRevertToUserGroupAffinityThread
LARGE_INTEGER FileId; FFFFF80519EC53EC
WCHAR FileName[1]; ToUserGroupAffinityThread
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
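As an added example (not the answer's script and not anything from the thread), here is a Python decoder that applies the ntifs.h layout to raw bytes, so the output of dd @esi can be decoded offline once the debugger cannot. It uses the field offsets the compiler gives the declaration (LARGE_INTEGER is 8-byte aligned, so ShortName sits at 0x46, FileId at 0x60 and FileName at 0x68), walks the NextEntryOffset chain, and rejects lengths or offsets that would run outside the buffer or loop back on themselves. The sample entries, the dd text they are rendered into, and the FILETIME value are all constructed here; the base address used for the rendered dd lines is only borrowed from the output above for appearance.

```python
"""Decode raw FILE_ID_BOTH_DIR_INFORMATION (ntifs.h) bytes, e.g. `dd @esi` output.
Added example, not code from the thread. Offsets are the ones the compiler
gives the ntifs.h declaration (LARGE_INTEGER is 8-byte aligned on x86 and x64).
"""
import re
import struct
from datetime import datetime, timedelta, timezone

# 0x00 NextEntryOffset  0x04 FileIndex  0x08..0x30 six LARGE_INTEGERs  0x38 FileAttributes
# 0x3c FileNameLength  0x40 EaSize  0x44 ShortNameLength  0x45 pad  0x46 ShortName[12]
# 0x5e pad  0x60 FileId  0x68 FileName[1] (FileNameLength bytes of UTF-16LE, no NUL)
_HDR = struct.Struct("<IIqqqqqqIIIbx24s2xq")      # 0x68 bytes
FILENAME_OFFSET = _HDR.size
_FIELDS = ("NextEntryOffset", "FileIndex", "CreationTime", "LastAccessTime",
           "LastWriteTime", "ChangeTime", "EndOfFile", "AllocationSize",
           "FileAttributes", "FileNameLength", "EaSize", "ShortNameLength",
           "ShortName", "FileId")
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """LARGE_INTEGER timestamps are 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_entry(buf, off=0):
    """Decode the entry at byte offset `off` into a dict keyed by ntifs.h field name."""
    if off < 0 or off + FILENAME_OFFSET > len(buf):
        raise ValueError("truncated header at offset 0x%x" % off)
    e = dict(zip(_FIELDS, _HDR.unpack_from(buf, off)))
    name_start = off + FILENAME_OFFSET
    # Lengths come from the dump itself, so validate them before slicing.
    if e["FileNameLength"] % 2 or name_start + e["FileNameLength"] > len(buf):
        raise ValueError("bad FileNameLength at offset 0x%x" % off)
    if not 0 <= e["ShortNameLength"] <= 24 or e["ShortNameLength"] % 2:
        raise ValueError("bad ShortNameLength at offset 0x%x" % off)
    for k in ("CreationTime", "LastAccessTime", "LastWriteTime", "ChangeTime"):
        e[k] = filetime_to_datetime(e[k])
    e["ShortName"] = e["ShortName"][:e["ShortNameLength"]].decode("utf-16-le")
    e["FileName"] = buf[name_start:name_start + e["FileNameLength"]].decode("utf-16-le")
    return e

def parse_entries(buf, start=0):
    """Walk the NextEntryOffset chain; the last entry carries NextEntryOffset == 0."""
    entries, off = [], start
    while True:
        e = parse_entry(buf, off)
        entries.append(e)
        if e["NextEntryOffset"] == 0:
            return entries
        # Must step forward past this entry's own bytes: rejects loops and overlaps.
        if e["NextEntryOffset"] < FILENAME_OFFSET + e["FileNameLength"]:
            raise ValueError("bad NextEntryOffset at offset 0x%x" % off)
        off += e["NextEntryOffset"]

def chain_is_sane(buf):
    """True when the whole chain decodes without tripping a bounds check."""
    try:
        parse_entries(buf)
        return True
    except ValueError:
        return False

def bytes_from_dd(text):
    """Turn WinDbg `dd` output (address column, then 32-bit LE words) back into bytes."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:]:                 # first token is the address
            if tok == "????????":
                raise ValueError("unreadable memory in dump")
            if re.fullmatch(r"[0-9a-fA-F]{8}", tok):
                out += struct.pack("<I", int(tok, 16))
    return bytes(out)

def dd_text(buf, base=0xFFFFF80519EC5398):
    """Render bytes the way `dd` prints them (used here to round-trip the sample)."""
    buf = buf.ljust(len(buf) + (-len(buf) % 4), b"\0")
    lines = []
    for i in range(0, len(buf), 16):
        words = ["%08x" % w for (w,) in struct.iter_unpack("<I", buf[i:i + 16])]
        lines.append("%08x`%08x  %s" % ((base + i) >> 32, (base + i) & 0xFFFFFFFF, " ".join(words)))
    return "\n".join(lines)

def build_entry(name, file_id, ft, short_name="", attrs=0x20, size=0, last=False):
    """Constructed sample entry (not captured from a real system)."""
    name_b, short_b = name.encode("utf-16-le"), short_name.encode("utf-16-le")
    total = FILENAME_OFFSET + len(name_b)
    nxt = 0 if last else (total + 7) & ~7            # next entry starts 8-byte aligned
    hdr = _HDR.pack(nxt, 0, ft, ft, ft, ft, size, (size + 4095) & ~4095, attrs,
                    len(name_b), 0, len(short_b), short_b.ljust(24, b"\0"), file_id)
    return (hdr + name_b).ljust(nxt or total, b"\0")

_FT_2020 = 132223104000000000                         # 2020-01-01 00:00:00 UTC as FILETIME
SAMPLE_DUMP = (build_entry("notes.txt", 0x0004000000001A2B, _FT_2020, size=1234)
               + build_entry("quarterly-report-final.docx", 0x0001000000003C4D, _FT_2020,
                             short_name="QUARTE~1.DOC", size=98765, last=True))
# Corrupted copy: the first NextEntryOffset points back into its own header.
LOOPED_DUMP = struct.pack("<I", 8) + SAMPLE_DUMP[4:]

if __name__ == "__main__":
    for e in parse_entries(bytes_from_dd(dd_text(SAMPLE_DUMP))):
        print("%-28s FileId=%016x EndOfFile=%d Created=%s"
              % (e["FileName"], e["FileId"], e["EndOfFile"], e["CreationTime"].date()))
```

To use it against a live session, paste the dd output for the buffer into a file and feed it through bytes_from_dd before parse_entries; the bounds checks matter because a dump taken mid-write or from a hostile driver can carry a FileNameLength or NextEntryOffset that points anywhere.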