2017-10-14 97 views
2

How do I get a kernel dump of a Section object? The object is a Section named rpsPdf10.mutex from a 3thParty vendor; its purpose is to mimic a semaphore by writing a boolean flag, and I want to see its contents.

Using LiveKd, and with a lot of help from SO, I issued the following commands to try to get the details of this Section object.

0: kd>!process 0 0 3thParty.exe 
... 
PROCESS fffffa800ea80060 
    SessionId: 0 Cid: 0a00 Peb: fffdf000 ParentCid: 014c 
    DirBase: 99349000 ObjectTable: fffff8a004448bf0 HandleCount: 338. 
    Image: 3thParty.exe 
...  

0: kd> !handle 0 7 fffffa800ea80060 
     ... 
     08 fffff8a012e26710 Section     rpsPdf10.mutex 
     ... 

0: kd> !object fffff8a012e26710 
Object: fffff8a012e26710 Type: (fffffa800cd7cea0) Section 
    ObjectHeader: fffff8a012e266e0 (new version) 
    HandleCount: 38 PointerCount: 39 
    Directory Object: fffff8a00a980080 Name: rpsPdf10.mutex 

0: kd> dt -r1 nt!_SECTION_OBJECT 0xfffff8a012e26710 
    +0x000 StartingVa  : 0x00000022`00000100 Void 
    +0x008 EndingVa   : 0x00000000`0008dfb0 Void 
    +0x010 Parent   : 0xfffffa80`c0000001 Void 
    +0x018 LeftChild  : (null) 
    +0x020 RightChild  : 0xfffffa80`00000034 Void 
    +0x028 Segment   : 0xfffff8a0`102d7820 _SEGMENT_OBJECT 
     +0x000 BaseAddress  : 0xfffffa80`0fbed900 Void 
     +0x008 TotalNumberOfPtes : 1 
     +0x010 SizeOfSegment : _LARGE_INTEGER 0x1 
     +0x018 NonExtendedPtes : 0x1000 
     +0x01c ImageCommitment : 0 
     +0x020 ControlArea  : (null) 
     +0x028 Subsection  : (null) 
     +0x030 MmSectionFlags : 0xfffffa80`10987b10 _MMSECTION_FLAGS 
     +0x038 MmSubSectionFlags : 0x00000000`03400000 _MMSUBSECTION_FLAGS 

All of this looks correct to me, but how do I find the contents of that section? Note that

Answers

3

Points from the earlier answer: the machine is 32-bit, the OS is Win7, and the WinDbg version is Insider Preview 16278. Commands, if any, may be arch dependent, but the walk is arch independent; the pointer arithmetic here is done on a live binary, not in a dump, as I will add to this answer later.

Getting the contents of a section is a bit convoluted: there is a fair chance the pages may already have been paged out in a dump, so the demonstration may be indeterminate, and there are several types of sections, such as
1) ALPC sections (com objects)
2) file-backed sections
3) pagefile-backed sections, etc.

Below is a walkthrough for a pagefile-backed section (the most common type).

Assume you compile and execute the code below. The exe will create a Section object in the global namespace, its contents will be backed by the paging file, and it will wait for a keypress.

#include <windows.h> 
#include <stdio.h> 
#define bsize 256 
int main(){ 
    char szMsg[]={"Message from blabb to lieven from Stack Overflow."}; 
    int ret = 0; 
    /* INVALID_HANDLE_VALUE ((HANDLE)-1) as the file: a pagefile-backed section,
       PAGE_READWRITE (4), named in the global namespace */ 
    HANDLE hMap = CreateFileMapping(INVALID_HANDLE_VALUE,NULL,PAGE_READWRITE,0,bsize,"Global\\MyMap"); 
    if(hMap){ 
     /* FILE_MAP_ALL_ACCESS is 0xf001f */ 
     PCHAR buff = (PCHAR) MapViewOfFile(hMap,FILE_MAP_ALL_ACCESS,0,0,bsize); 
     if(buff){ 
      CopyMemory(buff, szMsg, sizeof(szMsg)); 
      ret = getchar();   /* keep the section alive until a key is pressed */ 
      UnmapViewOfFile(buff); 
     } 
     CloseHandle(hMap); 
    } 
    return ret; 
} 

Assuming that process is now waiting for a keypress, start livekd, or set up a live kernel debugging connection if it is running on a remote machine / VM.

C:\>livekd -k "c:\Program Files\Windows Kits\10\Debuggers\x86\cdb.exe"

LiveKd v5.62 - Execute kd/windbg on a live system 
Launching c:\Program Files\Windows Kits\10\Debuggers\x86\cdb.exe: 

Microsoft (R) Windows Debugger Version 10.0.16278.1000 X86 

Get the _EPROCESS and set the context

kd> !process 0 0 secobj.exe 

PROCESS 8605ab28 SessionId: 1 Cid: 0fbc Peb: 7ffd9000 ParentCid: 0af4 
    DirBase: 7e2712e0 ObjectTable: c288ba00 HandleCount: 9. 
    Image: secobj.exe 

kd> .process /p /r 8605ab28 

Implicit process is now 8605ab28 

kd> ? @$proc 
Evaluate expression: -2046448856 = 8605ab28 

kd> ?? (char *)@$proc->ImageFileName 
char * 0x8605ac94 
"secobj.exe" 

Find the handles of type Section in the current process; notice that WinDbg resolves the global namespace name for us

kd> !handle 0 3 @$proc Section 

Searching for handles of type Section 

PROCESS 8605ab28 SessionId: 1 Cid: 0fbc Peb: 7ffd9000 ParentCid: 0af4 
    DirBase: 7e2712e0 ObjectTable: c288ba00 HandleCount: 9. 
    Image: secobj.exe 

Handle table at c288ba00 with 9 entries in use 

0024: Object: c238e9c8 GrantedAccess: 000f0007 Entry: c37b7048 
Object: c238e9c8 Type: (84ec6040) Section 
    ObjectHeader: c238e9b0 (new version) 
     HandleCount: 1 PointerCount: 2 
     Directory Object: 98a0f170 Name: MyMap 

Dump the Section object

kd> dt nt!_SECTION_OBJECT c238e9c8 
    +0x000 StartingVa  : 0xc227e2c8 Void 
    +0x004 EndingVa   : 0x00d3db6c Void 
    +0x008 Parent   : 0xb0d3db20 Void 
    +0x00c LeftChild  : (null) 
    +0x010 RightChild  : 0x00000003 Void 
    +0x014 Segment   : 0xc36aba20 _SEGMENT_OBJECT 

kd> $$ notice the last member, Segment: it is not a _SEGMENT_OBJECT but an 
kd> $$ nt!_SEGMENT, or actually a pointer to the ControlArea for this section 

kd> dt nt!_SEGMENT 0xc36aba20 
    +0x000 ControlArea  : 0x85182d08 _CONTROL_AREA 
    +0x004 TotalNumberOfPtes : 1 
    +0x008 SegmentFlags  : _SEGMENT_FLAGS 
    +0x00c NumberOfCommittedPages : 1 
    +0x010 SizeOfSegment : 0x1000 
    +0x018 ExtendInfo  : (null) 
    +0x018 BasedAddress  : (null) 
    +0x01c SegmentLock  : _EX_PUSH_LOCK 
    +0x020 u1    : <unnamed-tag> 
    +0x024 u2    : <unnamed-tag> 
    +0x028 PrototypePte  : 0xc36aba50 _MMPTE 
    +0x030 ThePtes   : [1] _MMPTE 

kd> $$ one can expand the union u2 and dump its FirstMappedVa to see the contents of this section 

kd> dt nt!_SEGMENT u2.FirstMappedVa 0xc36aba20 
    +0x024 u2    : 
     +0x000 FirstMappedVa : 0x000e0000 Void 

Dump the contents

kd> da 0xe0000 
000e0000 "Message from blabb to lieven fro" 
000e0020 "m Stack Overflow." 
kd> 

Or do !ca to get the FirstMappedVa, which points to the first page. If the contents are larger than a page boundary, getting them is a bit tedious, because they may have been paged out and will need an operation to be performed, and thus page-fault handling, to bring them into view.

kd> !ca poi(0xc36aba20) 

ControlArea @ 85182d08 
    Segment  c36aba20 Flink  00000000 Blink  00000000 
    Section Ref   1 Pfn Ref   0 Mapped Views  1 
    User Ref   2 WaitForDel  0 Flush Count   0 
    File Object 00000000 ModWriteCount  0 System Views  0 
    WritableRefs  0 
    Flags (2000) Commit 

     Pagefile-backed section 

Segment @ c36aba20 
    ControlArea  85182d08 ExtendInfo 00000000 
    Total Ptes    1 
    Segment Size   1000 Committed   1 
    CreatingProcess 8605ab28 FirstMappedVa e0000 <------------- 
    ProtoPtes   c36aba50 
    Flags (80000) ProtectionMask 

Subsection 1 @ 85182d58 
    ControlArea 85182d08 Starting Sector  0 Number Of Sectors 0 
    Base Pte  c36aba50 Ptes In Subsect  1 Unused Ptes   0 
    Flags    8 Sector Offset   0 Protection   4 
kd> 
+0

Message received ;). After reading "several types of sections" it has been upvoted, and it should be possible to vote more than once... this is gold for me! –

+0

I am glad to know the answer was helpful – blabb

2

Adding another answer to show the contents of another pagefile-backed section, where you may need to go to the creating process and look at its virtual address, rather than the process that is current.

As you may know, the shell keeps some global counters in a shared section

0104: Object: c2255450 GrantedAccess: 00000006 Entry: c5d9b208 
Object: c2255450 Type: (84ec6040) Section 
    ObjectHeader: c2255438 (new version) 
     HandleCount: 6 PointerCount: 7 
     Directory Object: 9d662520 Name: windows_shell_global_counters 

Code to retrieve them

#include <stdio.h> 
#include <windows.h> 
#include <stdlib.h> 
#include <shlwapi.h> 
#pragma comment(lib,"shlwapi.lib") 

//add all items in the ... place holder in arrays below 
//(names and SHGLOBALCOUNTER enum values, kept in the same order) 
PCHAR enuname[] = { "GLOBALCOUNTER_SEARCHMANAGER",...}; 
int foo [] = { GLOBALCOUNTER_SEARCHMANAGER,...}; 

int main (void) { 
    long cval = 0; 
    for(int i =0; i < _countof(foo) ;i++) { 
     /* read the current value of each shell global counter */ 
     cval = SHGlobalCounterGetValue((SHGLOBALCOUNTER)foo[i]); 
     printf ("%65s = %0x\n" ,enuname[i], cval); 
    } 
    return 0; 
} 

Compile and execute this and you may get a result like the one below (keep in mind the counters are volatile, so you may have to be quick enough to compare)

C:\secobj\shglob>shglob.exe | head -n 13 
             GLOBALCOUNTER_SEARCHMANAGER = 0 
             GLOBALCOUNTER_SEARCHOPTIONS = 0 
           GLOBALCOUNTER_FOLDERSETTINGSCHANGE = 0 
              GLOBALCOUNTER_RATINGS = 0 
             GLOBALCOUNTER_APPROVEDSITES = 0 
             GLOBALCOUNTER_RESTRICTIONS = 5 
           GLOBALCOUNTER_SHELLSETTINGSCHANGED = 2 
            GLOBALCOUNTER_SYSTEMPIDLCHANGE = 0 
            GLOBALCOUNTER_OVERLAYMANAGER = 0 
            GLOBALCOUNTER_QUERYASSOCIATIONS = 0 
             GLOBALCOUNTER_IESESSIONS = 0 
            GLOBALCOUNTER_IEONLY_SESSIONS = 0 
          GLOBALCOUNTER_APPLICATION_DESTINATIONS = 83 

Look at the current process

kd> ? @$proc 
Evaluate expression: -2033240552 = 86cf3618 
kd> ?? (char *)@$proc->ImageFileName 
char * 0x86cf3784 
"cdb.exe" 
kd> !handle 0 3 @$proc Section 
0164: Object: c2255450 GrantedAccess: 00000006 Entry: c3df32c8 
Object: c2255450 Type: (84ec6040) Section 
    ObjectHeader: c2255438 (new version) 
     HandleCount: 11 PointerCount: 12 
     Directory Object: 9d662520 Name: windows_shell_global_counters 

kd> dc @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u2.FirstMappedVa) 
00290000 ???????? ???????? ???????? ???????? ???????????????? 
00290010 ???????? ???????? ???????? ???????? ???????????????? 
00290020 ???????? ???????? ???????? ???????? ???????????????? 
00290030 ???????? ???????? ???????? ???????? ???????????????? 
00290040 ???????? ???????? ???????? ???????? ???????????????? 
00290050 ???????? ???????? ???????? ???????? ???????????????? 
00290060 ???????? ???????? ???????? ???????? ???????????????? 
00290070 ???????? ???????? ???????? ???????? ???????????????? 

It may be that this current process obtained a handle via OpenFileMapping but has not mapped it yet, or the page has been paged out (livekd cannot use page-in); either way, we cannot seem to view the contents of this section

Let us see who created this shared section

kd> ? @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u1.CreatingProcess) 
Evaluate expression: -2050635184 = 85c5ca50 

kd> !process 85c5ca50 0 
PROCESS 85c5ca50 SessionId: 1 Cid: 0af4 Peb: 7ffd9000 ParentCid: 0704 
    DirBase: 7e271420 ObjectTable: c5d873c8 HandleCount: 888. 
    Image: explorer.exe 

It looks logical that explorer.exe created this shared section, so dump 0n13 dwords from the virtual address in the creating process

Let us check

kd> .process /p /r 85c5ca50 

kd> dc @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u2.FirstMappedVa) l0n13 
00290000 00000000 00000000 00000000 00000000 ................ 
00290010 00000000 00000005 00000002 00000000 ................ 
00290020 00000000 00000000 00000000 00000000 ................ 
00290030 00000083        .... 
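As an added example, not part of either answer: a small Python helper that parses the `dc` output shown above, both the unreadable `????????` dump from the cdb.exe context and the readable one from explorer.exe, and maps the 13 dwords onto the counter names in the order shglob.exe printed them, so the two views can be compared without eyeballing. The sample dumps are constructed from the output above, and the one-DWORD-per-counter layout is an assumption drawn from that output.

```python
import re

# Constructed samples copied from the two "dc" dumps above: the first is the
# cdb.exe context (section not readable there), the second is explorer.exe's.
DC_UNMAPPED = """\
00290000 ???????? ???????? ???????? ???????? ????????????????
00290010 ???????? ???????? ???????? ???????? ????????????????"""
DC_EXPLORER = """\
00290000 00000000 00000000 00000000 00000000 ................
00290010 00000000 00000005 00000002 00000000 ................
00290020 00000000 00000000 00000000 00000000 ................
00290030 00000083        ...."""

# Counter names in the order shglob.exe printed them: the shared section holds
# one DWORD per counter, at that index (assumption drawn from the output above).
COUNTER_NAMES = [
    "GLOBALCOUNTER_SEARCHMANAGER", "GLOBALCOUNTER_SEARCHOPTIONS",
    "GLOBALCOUNTER_FOLDERSETTINGSCHANGE", "GLOBALCOUNTER_RATINGS",
    "GLOBALCOUNTER_APPROVEDSITES", "GLOBALCOUNTER_RESTRICTIONS",
    "GLOBALCOUNTER_SHELLSETTINGSCHANGED", "GLOBALCOUNTER_SYSTEMPIDLCHANGE",
    "GLOBALCOUNTER_OVERLAYMANAGER", "GLOBALCOUNTER_QUERYASSOCIATIONS",
    "GLOBALCOUNTER_IESESSIONS", "GLOBALCOUNTER_IEONLY_SESSIONS",
    "GLOBALCOUNTER_APPLICATION_DESTINATIONS",
]

# address, then 1..4 dword columns (8 hex digits, or 8 '?' when unreadable);
# the (?!\S) lookahead stops the match before the 16-char ASCII column.
_DC_LINE = re.compile(r"^([0-9a-fA-F]{8})((?:\s+(?:[0-9a-fA-F]{8}|\?{8})(?!\S))+)")

def parse_dc(text):
    """Parse WinDbg 'dc' output into {address: dword}; None marks '????????'."""
    dwords = {}
    for line in text.splitlines():
        m = _DC_LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            dwords[base + 4 * i] = None if tok.startswith("?") else int(tok, 16)
    return dwords

def readable(text):
    """True only if every dword in the dump was readable in that process context."""
    d = parse_dc(text)
    return bool(d) and all(v is not None for v in d.values())

def counters_from_dump(text, names=COUNTER_NAMES):
    """Map each counter name to the dword at its index, or None if unreadable."""
    dwords = parse_dc(text)
    base = min(dwords, default=0)          # first address dumped
    return {name: dwords.get(base + 4 * i) for i, name in enumerate(names)}
```

Run against the explorer.exe dump, the mapping reproduces the non-zero counters shglob.exe printed (RESTRICTIONS = 5, SHELLSETTINGSCHANGED = 2, APPLICATION_DESTINATIONS = 0x83), while the cdb.exe dump yields only None values.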