Trying to view the _FILE_ID_BOTH_DIR_INFORMATION structure in memory with WinDbg

  • Question

  • I'm trying to view the Windows file system structure _FILE_ID_BOTH_DIR_INFORMATION in memory using WinDbg, but for some reason it tells me that the symbol is not found.

    I connected WinDbg with a pipe to a Windows XP virtual machine in order to debug its kernel. I tried viewing the structure's data using the command "dt _FILE_ID_BOTH_DIR_INFORMATION esi" because the value of ESI is an address which contains the structure in question that I want to inspect.

    All I got was the following output:

    3: kd> dt _FILE_ID_BOTH_DIR_INFORMATION esi
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Either you specified an unqualified symbol, or your debugger   ***
    ***    doesn't have full symbol information.  Unqualified symbol      ***
    ***    resolution is turned off by default. Please either specify a   ***
    ***    fully qualified symbol module!symbolname, or enable resolution ***
    ***    of unqualified symbols by typing ".symopt- 100". Note that     ***
    ***    enabling unqualified symbol resolution with network symbol     ***
    ***    server shares in the symbol path may cause the debugger to     ***
    ***    appear to hang for long periods of time when an incorrect      ***
    ***    symbol name is typed or the network symbol server is down.     ***
    ***                                                                   ***
    ***    For some commands to work properly, your symbol path           ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: _FILE_ID_BOTH_DIR_INFORMATION                 ***
    ***                                                                   ***
    *************************************************************************
    Symbol _FILE_ID_BOTH_DIR_INFORMATION not found.

    Other structures are working for me, like _DRIVER_OBJECT.

    All I know about the _FILE_ID_BOTH_DIR_INFORMATION symbol is that it is included in ntifs.h, according to Microsoft's documentation. I couldn't find information regarding whether this symbol is provided by the Microsoft Symbol Server.

    Sunday, October 6, 2019 21:00

All replies