How to get a file path by handle in windbg?

岁酱吖の submitted on 2020-01-03 15:32:16

Question


How can I obtain the file path from a handle with windbg/kd in kernel mode?


Answer 1:


Use !handle <handle_num> 7 <proc_id> to display detailed information for that handle, where <handle_num> is the handle value and <proc_id> is the process id value (both hex based); see this msdn link for further information.

You can glean your process id from a user mode session; this is the easiest method: just attach in user mode and enter the pipe command | and it will output like so:

. 0 id: 1680 attach name: D:\test\MyApp.exe

so 1680 would be the proc id, then list the handles using !handle, and then in kernel mode enter:

!handle <handle_num> 7 1680

will display what you want, there is a useful blog entry on this here.
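The same lookup done entirely from the kernel debugger, as an added example that is not part of the original answer: instead of attaching in user mode to learn the PID, !process is used to find the process by image name. MyApp.exe is taken from the answer above; <pid> and <handle> are placeholders for the values you read off the preceding command, not real numbers.

```windbg
$$ Added example (not from the original answer). Assumes a kd session and a
$$ target process whose image name is MyApp.exe (taken from the answer above).
$$ Step 1: locate the process by image name. The PROCESS block that is printed
$$ carries a "Cid:" field, which is the process id in hex; that is <pid> below.
!process 0 0 MyApp.exe
$$ Step 2: dump every handle in that process with full detail (flags 7).
$$ For File objects the Name field is the NT path of the open file, so this
$$ is where you can spot the handle of interest without knowing its value.
!handle 0 7 <pid>
$$ Step 3: once you know the handle value, restrict the output to that one.
!handle <handle> 7 <pid>
```

The Name shown for a File object is the native path (for example under \Device\HarddiskVolumeN\...), not the drive-letter path a user-mode program would display.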



Source: https://stackoverflow.com/questions/14857736/how-get-file-path-by-handle-in-windbg
