How can I obtain a file path from a handle with windbg/kd in kernel mode?
Use !handle <handle_num> 7 <proc_id> to display detailed information for that handle, where <handle_num> is the handle value and <proc_id> is the process id value (both hex based); see this MSDN link for further information.

You can glean your process id from a user mode session; this is the easiest method. Just attach in user mode and enter the pipe command | and it will output like so:

So 1680 would be the proc id. Then list the handles using !handle and then in kernel mode enter:

will display what you want. There is a useful blog entry on this here.