  Message 1 of 8  
12 May 17 18:29
David F.
xxxxxx@terabyteunlimited.com
Join Date: 12 Jan 2012
Posts To This List: 15
Attached to loaded module or list open handles

After running deleteservice (reports success) the module is still loaded (lm). Trying to manually stop service, delete pending, manually start, can't service disable. So I want to see what is holding up the module. But how do I attach to the module when lm just shows start/end address? How would I tell what file handles it may have open (for !handle I need a process id), etc.? I can't set a break point in there because it's not going to be called since can't open handle to it. In summary, what are the series of commands to get into this module that shows in "lm"? TIA!!
  Message 2 of 8  
12 May 17 19:38
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 485

xxxxx@terabyteunlimited.com wrote:
> After running deleteservice (reports success) the module is still loaded (lm).

Are you talking about a kernel driver service or a user-mode service? I'm going to assume you meant a kernel service. If you actually have a user-mode service, then the rest of my message will be gobbledygook.

> Trying to manually stop service, delete pending, manually start, can't service disable. So I want to see what is holding up the module. But how do I attach to the module when lm just shows start/end address?

For a kernel service, there's nothing to "attach" to. If it can't stop, either there's still an open handle to it, or you don't have a DrvUnload entry point.

> How would I tell what file handles it may have open (for !handle I need a process id), etc.?

Kernel drivers (like DLLs) do not own file handles. File handles are owned by processes.

> I can't set a break point in there because it's not going to be called since can't open handle to it. In summary, what are the series of commands to get into this module that shows in "lm"?

What do you mean by "get into"? You can't "get into" a driver. If it won't unload, then there must be an open handle to it somewhere. Do you have a process that opens the service? Does it keep the handle open forever?

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 3 of 8  
12 May 17 20:45
David F.
xxxxxx@terabyteunlimited.com
Join Date: 12 Jan 2012
Posts To This List: 15

It's a driver that loads, then unloads. Seemed to be fine under W7, XP doesn't let go, know it's older, but bugs me as to what it is. It's a basic install of x86 version. What command would I use to find what is holding it open (on reboot it does finally get removed)? The user mode app that loaded it and sent the DeviceIoControl ended and I tried closing the cmd.exe session as well.
  Message 4 of 8  
12 May 17 20:46
David F.
xxxxxx@terabyteunlimited.com
Join Date: 12 Jan 2012
Posts To This List: 15

It basically goes into stop pending mode.
  Message 5 of 8  
12 May 17 22:06
David F.
xxxxxx@terabyteunlimited.com
Join Date: 12 Jan 2012
Posts To This List: 15

It was open handles (implemented changes but had returns in the body, implemented try/finally block inside the try/except block and takes care of it). I presume that will be called on exception as well (based on sample https://msdn.microsoft.com/en-us/library/s58ftw19.aspx). But still would like to know the whole steps to find open handles a module may have not closed to put in my notes and will be found via google here. Can't find much out there.
  Message 6 of 8  
18 May 17 14:52
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 538
List Moderator

There's no easy answer. If the driver wasn't unloading due to an open handle to the device, then you need to find the handle that points to the file object that references the device.

The traditional way would be to run "!handle 0 3 0 File" and search the output for a file object referencing your device object. Or if you really cared you could write an extension that uses the handle walking interface in extsfns.h (never cared enough to do this myself but always thought it would be amusing).

These days JavaScript extensions and LINQ are the thing. You can access the handles in a process using the debugger's object model (it's under Process.Io.Handles) and you could walk through each one looking for a file object that references your device object. The query for a specific process would look something like:

    dx Debugger.Sessions[0].Processes[0x318].Io.Handles.Where(obj => ((nt!_FILE_OBJECT *)&obj.Object.Body)->DeviceObject == (nt!_DEVICE_OBJECT *)0xffffd0823dbfd870)

Note that this just brute forces each handle into being a file object. A more elegant solution would extend the query to ignore non-file object types.

For fun I did this as a JavaScript extension as well, though I skipped using LINQ. Very likely that there's a better way to do this but here's what I came up with. Example success output is:

    kd> dx Debugger.State.Scripts.FindDevHandle.Contents.FindDevHandle(0xffff8e018f704140)
    Finding handle to device 0xffff8e018f704140!

    ...
    Process SearchFilterHost.exe
    Process audiodg.exe
    Process OSRLOADER.exe
    Process NothingTest.exe
        Found one!
         PID : 0x1300
         Name : NothingTest.exe
         Handle : 0x9c
         Object : 0xffff8e018e619690

The script:

    //
    // FindDevHandle.js
    //
    // Walk the current list of processes and look for a handle to a file object
    // that is accessing the specified device
    //
    // OSR Open Systems Resources, inc.
    //
    // http://www.osr.com
    // http://www.osronline.com
    //
    //
    // To run:
    //
    // .load jsprovider.dll
    // .scriptload FindDevHandle.js
    // dx Debugger.State.Scripts.FindDevHandle.Contents.FindDevHandle(0x12345678)
    //
    function FindDevHandle(devObjParam) {

        // Get easy access to the debug output method
        var dbgOutput = host.diagnostics.debugLog;

        // Get a typed device object for the incoming parameter
        var devObj = host.createTypedObject(devObjParam, "nt", "_DEVICE_OBJECT");

        dbgOutput("Finding handle to device ", devObj.targetLocation, "!\n\n");

        // Loop over each process
        var processes = host.currentSession.Processes;

        for (var process of processes) {

            dbgOutput("Process ", process.Name, "\n");

            // And each handle in every process
            var handles = process.Io.Handles;

            // Note that an exception can be raised while looping over the handles
            // (e.g. an empty handle table)
            try {

                for (var handle of handles) {

                    // NOTE: We just treat every handle like it's a file handle
                    // and catch exceptions along the way. A better idea would
                    // be to key off of the type, but that appears to be broken
                    // with public PDBs at the moment
                    try {

                        // Cast the object to a file object
                        var fileObj = host.createTypedObject(handle.Object.Body.targetLocation, "nt", "_FILE_OBJECT");

                        // Dereference the DeviceObject field and get the target location
                        if (fileObj.DeviceObject.dereference().targetLocation == devObj.targetLocation) {
                            dbgOutput("\tFound one!\n");
                            dbgOutput("\t PID : ", process.Id, "\n");
                            dbgOutput("\t Name : ", process.Name, "\n");
                            dbgOutput("\t Handle : ", handle.Handle, "\n");
                            dbgOutput("\t Object : ", fileObj.targetLocation, "\n\n");
                        }

                    } catch (e) {
                        dbgOutput("\tException parsing handle!\n");
                    }
                }

            } catch (e) {
                dbgOutput("\tException parsing handle table!\n");
            }
        }
    }

I also wrote more about this here:

https://www.osr.com/blog/2017/05/18/windbg-debugger-objects-javascript-oh/

-scott
OSR
@OSRDrivers
  Message 7 of 8  
19 May 17 11:39
David F.
xxxxxx@terabyteunlimited.com
Join Date: 12 Jan 2012
Posts To This List: 15

Thanks, and to find the device object address for a module would be found using which command?
  Message 8 of 8  
19 May 17 11:47
Don Burn
xxxxxx@windrvr.com
Join Date: 13 Mar 2011
Posts To This List: 34

!object \Device will give you a list of objects in the \Device directory.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@terabyteunlimited.com
Sent: Friday, May 19, 2017 11:40 AM
To: Kernel Debugging Interest List <xxxxx@lists.osr.com>
Subject: RE:[windbg] Attached to loaded module or list open handles

Thanks, and to find the device object address for a module would be found using which command?