Checking a File's Size Through Its Handle

lkd> !handle

………………………….

………………………….

………………………….

0114: Object: 85324a48 GrantedAccess: 00120089 Entry: e7afb228

Object: 85324a48 Type: (8a527560) File

ObjectHeader: 85324a30 (old version)

HandleCount: 1 PointerCount: 2

Directory Object: 00000000 Name: \symbols.pub\ntkrpamp.pdb\D8743252F83B4F59985D6E19F33BFCAF1\ntkrpamp.pdb {HarddiskVolume1}

 

0118: Object: 85933148 GrantedAccess: 00100003 Entry: e7afb230

Object: 85933148 Type: (8a53c490) Event

ObjectHeader: 85933130 (old version)

HandleCount: 1 PointerCount: 1

 

lkd> !fileobj 85324a48

 

\symbols.pub\ntkrpamp.pdb\D8743252F83B4F59985D6E19F33BFCAF1\ntkrpamp.pdb

 

Device Object: 0x89ac36c8 \Driver\Ftdisk

Vpb: 0x8a46d6a8

Event signalled

Access: Read SharedRead SharedDelete

 

Flags: 0x1c0042

Synchronous IO

Cache Supported

Handle Created

Fast IO Read

Random Access

 

FsContext: 0xe7bcad90        FsContext2: 0xe7bcaee8

Private Cache Map: 0x847eaab0

CurrentByteOffset: 19d838

Cache Data:

Section Object Pointers: 848144c4

Shared Cache Map: 847ea9d8 File Offset: 19d838 in VACB number 6

Vacb: 8a52a4a8

Your data is at: d1d1d838

lkd> dt _FILE_OBJECT 85324a48

nt!_FILE_OBJECT

+0x000 Type : 5

+0x002 Size : 112

+0x004 DeviceObject : 0x89ac36c8 _DEVICE_OBJECT

+0x008 Vpb : 0x8a46d6a8 _VPB

+0x00c FsContext : 0xe7bcad90

+0x010 FsContext2 : 0xe7bcaee8

+0x014 SectionObjectPointer : 0x848144c4 _SECTION_OBJECT_POINTERS

+0x018 PrivateCacheMap : 0x847eaab0

+0x01c FinalStatus : 0

+0x020 RelatedFileObject : (null)

+0x024 LockOperation : 0 ''

+0x025 DeletePending : 0 ''

+0x026 ReadAccess : 0x1 ''

+0x027 WriteAccess : 0 ''

+0x028 DeleteAccess : 0 ''

+0x029 SharedRead : 0x1 ''

+0x02a SharedWrite : 0 ''

+0x02b SharedDelete : 0x1 ''

+0x02c Flags : 0x1c0042

+0x030 FileName : _UNICODE_STRING "\symbols.pub\ntkrpamp.pdb\D8743252F83B4F59985D6E19F33BFCAF1\ntkrpamp.pdb"

+0x038 CurrentByteOffset : _LARGE_INTEGER 0x19d838

+0x040 Waiters : 0

+0x044 Busy : 0

+0x048 LastLock : (null)

+0x04c Lock : _KEVENT

+0x05c Event : _KEVENT

+0x06c CompletionContext : (null)

lkd> dt _SECTION_OBJECT_POINTERS 0x848144c4

nt!_SECTION_OBJECT_POINTERS

+0x000 DataSectionObject : 0x847cb0b0

+0x004 SharedCacheMap : 0x847ea9d8

+0x008 ImageSectionObject : (null)

lkd> dt _SHARED_CACHE_MAP 0x847ea9d8

nt!_SHARED_CACHE_MAP

+0x000 NodeTypeCode : 767

+0x002 NodeByteSize : 304

+0x004 OpenCount : 1

+0x008 FileSize : _LARGE_INTEGER 0x1a4c00

+0x010 BcbList : _LIST_ENTRY [ 0x847ea9e8 - 0x847ea9e8 ]

+0x018 SectionSize : _LARGE_INTEGER 0x1c0000

+0x020 ValidDataLength : _LARGE_INTEGER 0x1a4c00

+0x028 ValidDataGoal : _LARGE_INTEGER 0x1a4c00

+0x030 InitialVacbs : [4] (null)

+0x040 Vacbs : 0x84f47338 -> 0x8a529068 _VACB

+0x044 FileObject : 0x85324a48 _FILE_OBJECT

+0x048 ActiveVacb : 0x8a52a4a8 _VACB

+0x04c NeedToZero : (null)

+0x050 ActivePage : 0x180

+0x054 NeedToZeroPage : 0

+0x058 ActiveVacbSpinLock : 0

+0x05c VacbActiveCount : 1

+0x060 DirtyPages : 0

+0x064 SharedCacheMapLinks : _LIST_ENTRY [ 0x84f7c06c - 0x844d78bc ]

+0x06c Flags : 0x1000

+0x070 Status : 0

+0x074 Mbcb : (null)

+0x078 Section : 0xeb326d50

+0x07c CreateEvent : (null)

+0x080 WaitOnActiveCount : (null)

+0x084 PagesToWrite : 0

+0x088 BeyondLastFlush : 0

+0x090 Callbacks : 0xb9c2d22c _CACHE_MANAGER_CALLBACKS

+0x094 LazyWriteContext : 0xe7bcad90

+0x098 PrivateList : _LIST_ENTRY [ 0x847eaafc - 0x847eaafc ]

+0x0a0 LogHandle : (null)

+0x0a4 FlushToLsnRoutine : (null)

+0x0a8 DirtyPageThreshold : 0

+0x0ac LazyWritePassCount : 0

+0x0b0 UninitializeEvent : (null)

+0x0b4 NeedToZeroVacb : (null)

+0x0b8 BcbSpinLock : 0

+0x0bc Reserved : (null)

+0x0c0 Event : _KEVENT

+0x0d0 VacbPushLock : _EX_PUSH_LOCK

+0x0d8 PrivateCacheMap : _PRIVATE_CACHE_MAP
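
The pointer walk from the session above (_FILE_OBJECT.SectionObjectPointer -> _SECTION_OBJECT_POINTERS.SharedCacheMap -> _SHARED_CACHE_MAP.FileSize), as an added Python example that is not part of the original post. The offsets and the NodeTypeCode value 767 are taken from this 32-bit dump and are assumptions for any other build; SparseMemory and build_sample are hypothetical helpers, and the sample image is constructed from the values shown above.

```python
import struct

# Offsets copied from the 32-bit dt output above; they differ on other builds.
FO_SECTION_OBJECT_POINTER = 0x14  # _FILE_OBJECT.SectionObjectPointer
SOP_SHARED_CACHE_MAP = 0x04       # _SECTION_OBJECT_POINTERS.SharedCacheMap
SCM_NODE_TYPE_CODE = 0x00         # _SHARED_CACHE_MAP.NodeTypeCode
SCM_FILE_SIZE = 0x08              # _SHARED_CACHE_MAP.FileSize (_LARGE_INTEGER)
SCM_NODE_TYPE = 767               # NodeTypeCode value shown in this dump


class SparseMemory:
    """Hypothetical stand-in for a memory image: {base address: bytes}."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise LookupError(f"address {addr:#x} not present in image")

    def unpack(self, fmt, addr):
        raw = self.read(addr, struct.calcsize("<" + fmt))
        return struct.unpack("<" + fmt, raw)[0]


def file_size_from_file_object(mem, file_object):
    """Return FileSize for a cached file, or None when no cache map exists."""
    sop = mem.unpack("I", file_object + FO_SECTION_OBJECT_POINTER)
    if sop == 0:
        return None  # no section object pointers on this file object
    scm = mem.unpack("I", sop + SOP_SHARED_CACHE_MAP)
    if scm == 0:
        return None  # file is open but not cached, so no FileSize here
    if mem.unpack("H", scm + SCM_NODE_TYPE_CODE) != SCM_NODE_TYPE:
        raise ValueError(f"{scm:#x} does not look like a _SHARED_CACHE_MAP")
    return mem.unpack("q", scm + SCM_FILE_SIZE)


def build_sample():
    """Constructed image holding only the fields the walk reads."""
    fo = bytearray(0x70)  # _FILE_OBJECT Size 112
    struct.pack_into("<I", fo, FO_SECTION_OBJECT_POINTER, 0x848144C4)
    sop = struct.pack("<III", 0x847CB0B0, 0x847EA9D8, 0)
    scm = bytearray(0x130)  # NodeByteSize 304
    struct.pack_into("<HHI", scm, 0, 767, 304, 1)
    struct.pack_into("<q", scm, SCM_FILE_SIZE, 0x1A4C00)
    return SparseMemory({0x85324A48: bytes(fo), 0x848144C4: sop, 0x847EA9D8: bytes(scm)})
```

Calling `file_size_from_file_object(build_sample(), 0x85324A48)` returns 0x1a4c00, the FileSize shown in the `dt _SHARED_CACHE_MAP` output.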
