/*++
Copyright (c) 1992-2004 Microsoft Corporation
Module Name:
FilmonKd.c
Abstract:
KD Extension API for examining FileSpy specific data structures.
Note: While this extension can only build in the Windows XP and Server 2003
environments, it can still be used to debug a version of this FileSpy
sample built for Windows 2000.
Environment:
User Mode.
--*/
#include "pch.h"
//
// Windows.h doesn't include this definition
//
//
// Mirror of the kernel-mode counted-string layout so the extension can hand a
// string read out of the target to dprintf's %wZ conversion (see the
// DumpDeviceExtension routine below).  Length and MaximumLength are BYTE
// counts, not character counts, and Buffer is not guaranteed to be
// NUL-terminated: any local copy of the string must be sized from Length and
// printed by Length, never by scanning for a terminator.
//
typedef struct _UNICODE_STRING {
USHORT Length;        // bytes in use at Buffer (no terminator included)
USHORT MaximumLength; // bytes allocated at Buffer
PWSTR Buffer;         // UTF-16 characters; may not be NUL-terminated
} UNICODE_STRING, *PUNICODE_STRING;
//
// Larger of two values.  Plain macro: the selected argument is evaluated a
// second time, so never pass an expression with side effects (e.g. i++).
//
#ifndef MAX
#define MAX(a,b) (((a) > (b))?(a):(b))
#endif
//
// Typedefs and constants
//
//
// Common signature of the per-structure dump routines (DumpDeviceExtension
// below has exactly this parameter list), presumably so they can be invoked
// uniformly by the command entry points.
//   Address         - target-side address of the structure to dump
//   Options         - verbosity level; the help text offers 1 or 2
//   Processor,
//   hCurrentThread  - supplied by the debugger; not used by the dumpers here
// NOTE(review): the return type is PVOID, yet DumpDeviceExtension is declared
// VOID -- confirm how, if at all, a caller consumes the result.
//
typedef PVOID (*PSTRUCT_DUMP_ROUTINE)(
IN ULONG64 Address,
IN LONG Options,
USHORT Processor,
HANDLE hCurrentThread
);
//
// The help strings printed out
//
//
// Help text for the extension commands, one line per entry, terminated by a
// NULL pointer so a printer can walk it without a separate count
// (presumably consumed by PrintHelp).  Every entry points at a string
// literal, so despite the non-const LPSTR element type the text is read-only
// and must never be written through these pointers.
//
static LPSTR Extensions[] = {
"FileSpy Debugger Extensions:\n",
"attachments [1|2] Dump all the devices FileSpy is attached to ",
"devext [address] [1|2] Dump FileSpy device extension",
"filenames [1|2] Dumps all the file names cached",
0 // sentinel: end of table
};
//
// Function prototypes
//
//
// Forward declaration of the help printer; the definition is not in this
// part of the file.
//
VOID
PrintHelp (
VOID
);
//
// Useful macros
//
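//
// Read field Field of the Type-typed structure at target address Address into
// the lvalue Value (forwarded by name to the engine's GetFieldValue).  On
// failure a diagnostic naming the field, type and address is printed and the
// ENCLOSING function returns; the return carries no value, so this macro may
// only be used inside VOID routines.  The body is wrapped in do/while(0) so
// that the ';' at the use site yields exactly one statement and the macro is
// safe under an unbraced if/else (a bare { } block followed by ';' is not).
//
#define xGetFieldValue(Address, Type, Field, Value)                         \
    do {                                                                    \
        if (GetFieldValue(Address, Type, Field, Value)) {                   \
            dprintf("\nCould not read field %s of %s from address: %08p\n", \
                    (Field), (Type), (Address));                            \
            return;                                                         \
        }                                                                   \
    } while (0)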
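//
// Look up the byte offset of field Field within type Type using the target's
// symbols; Offset is the pointer the caller supplies to receive it (callers
// pass &offset).  On failure a diagnostic is printed and the ENCLOSING
// function returns without a value, so the macro may only be used inside
// VOID routines.  Wrapped in do/while(0) so the use-site ';' forms a single
// statement and the macro stays correct under an unbraced if/else.
//
#define xGetFieldOffset(Type, Field, Offset)                              \
    do {                                                                  \
        if (GetFieldOffset(Type, Field, Offset)) {                        \
            dprintf("\nCould not read offset of field %s from type %s\n", \
                    (Field), (Type));                                     \
            return;                                                       \
        }                                                                 \
    } while (0)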
//
// Entry points, parameter parsers, etc. below
//
VOID
DumpDeviceExtension (
IN ULONG64 Address,
IN LONG Options,
USHORT Processor,
HANDLE hCurrentThread
)
/*++
Routine Description:
Dump a specific device extension.
Arguments:
Address - Gives the address of the device extension to dump.
Return Value:
None
--*/
{
ULONG64 pointer, pName, userName;
PUNICODE_STRING dosname;
UNICODE_STRING string1;
UCHAR buffer[256];
USHORT length;
ULONG offset;
ULONG result;
ULONG value;
ULONG memRetVal;
BOOLEAN boolean;
UNREFERENCED_PARAMETER( Processor );
UNREFERENCED_PARAMETER( hCurrentThread );
dprintf( "\nFileSpy device extension: %08p", Address );
//
// Dump the interesting parts of the device extension.
//
if (Options <= 1) {
//
// Get the device name length.
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Buffer",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Length",
length );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Buffer",
pName );
//
// Read in the string: assuming it's NULL terminated here.
//
memRetVal = ReadMemory( pName, buffer, (ULONG)length, &result);
if (memRetVal && (result == (ULONG)length)) {
string1.Length = string1.MaximumLength = length;
string1.Buffer = (PWSTR) buffer;
dprintf( "\n\t(%03x) %s %wZ",
offset,
"DeviceName ",
&string1 );
}
//
// Display FLAGS
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"Flags",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"Flags",
value );
dprintf( "\n\t(%03x) %s %x",
offset,
"Flags ",
value );
} else if (Options == 2) {
//
// Process level 2 information
//
dprintf( "\n\t(OFF) %s",
"FIELD NAME VALUE" );
dprintf( "\n\t%s",
"----------------------------------------------" );
//
// ThisDeviceObject
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.ThisDeviceObject",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.ThisDeviceObject",
pointer );
dprintf( "\n\t(%03x) %s %08p",
offset,
"ThisDeviceObject ",
pointer );
//
// AttachedToDeviceObject
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.AttachedToDeviceObject",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.AttachedToDeviceObject",
pointer );
dprintf( "\n\t(%03x) %s %08p",
offset,
"AttachedToDeviceObject ",
pointer );
//
// StorageStackDeviceObject
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.StorageStackDeviceObject",
&offset );
xGetFieldValue(Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.StorageStackDeviceObject",
pointer );
dprintf( "\n\t(%03x) %s %08p",
offset,
"StorageStackDeviceObject ",
pointer );
//
// DosName
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DosName.Length",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DosName.Length",
length );
dprintf( "\n\t(%03x) %s %04x",
offset,
"DosName.Length(bytes) ",
length );
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DosName.MaximumLength",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DosName.MaximumLength",
length );
dprintf( "\n\t(%03x) %s %04x",
offset,
"DosName.MaximumLength(bytes) ",
length );
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DosName.Buffer",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DosName.Buffer",
pointer );
dprintf( "\n\t(%03x) %s %08p",
offset,
"DosNameName.Buffer ",
pointer );
//
// display name
//
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DosName.Length",
length );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DosName.Buffer",
pName );
memRetVal = ReadMemory( pName, buffer, (ULONG)length, &result);
if (memRetVal && (result == (ULONG)length)) {
string1.Length = string1.MaximumLength = length;
string1.Buffer = (PWSTR) buffer;
dprintf( "\n\t %s %wZ",
"DosName ",
&string1 );
}
//
// DeviceName
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Length",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Length",
length );
dprintf( "\n\t(%03x) %s %04x",
offset,
"DeviceName.Length(bytes) ",
length );
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.MaximumLength",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.MaximumLength",
length );
dprintf( "\n\t(%03x) %s %04x",
offset,
"DeviceName.MaximumLength(bytes) ",
length );
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Buffer",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Buffer",
pointer );
dprintf( "\n\t(%03x) %s %08p",
offset,
"DeviceName.Buffer ",
pointer );
//
// Display string
//
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Length",
length );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"NLExtHeader.DeviceName.Buffer",
pName );
memRetVal = ReadMemory( pName, buffer, (ULONG)length, &result);
if (memRetVal && (result == (ULONG)length)) {
string1.Length = string1.MaximumLength = length;
string1.Buffer = (PWSTR) buffer;
dprintf( "\n\t %s %wZ",
"DeviceName ",
&string1 );
}
//
// Flags
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"Flags",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"Flags",
value );
dprintf( "\n\t(%03x) %s %x",
offset,
"Flags ",
value );
//
// AllContextsTemporary
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"AllContextsTemporary",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"AllContextsTemporary",
value );
dprintf( "\n\t(%03x) %s %x",
offset,
"AllContextsTemporary ",
value );
//
// UserNames
//
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"UserNames.Length",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"UserNames.Length",
length );
dprintf( "\n\t(%03x) %s %04x",
offset,
"UserNames.Length(bytes) ",
length );
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"UserNames.MaximumLength",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"UserNames.MaximumLength",
length );
dprintf( "\n\t(%03x) %s %04x",
offset,
"UserNames.MaximumLength(bytes) ",
length );
xGetFieldOffset( "FileSpy!_FILESPY_DEVICE_EXTENSION",
"UserNames.Buffer",
&offset );
xGetFieldValue( Address,
"FileSpy!_FILESPY_DEVICE_EXTENSION",
"UserNames.Buffer",
pointer );
dprintf( "\n\t(%03x) %s %08p",
offset,
"UserNames.Buffer ",
pointer );
//