Reading FileName from _FILE_OBJECT structure.

[Cesar Reyes]

Hello,

I'm trying to read the FileName field from a _FILE_OBJECT structure address on a Windows 10 Virtual machine in a Xen hypervisor, but I'm unable to find the proper offset/address for that field.

The offset for "_FILE_OBJECT", "FileName" is at 88, and it points to a "_UNICODE_STRING".

So far, I'm able to get the _FILE_OBJECT address correctly. I verified this using volatility's filescan to compare.

This is what I have so far , but no luck trying to find the FileName, or any other _FILE_OBJECT's fields from the address given: 

void printFileName(unsigned long fileObject, vmi_instance_t vmi){
    //fileObject Sample address: 0xffff9f033a9a9ef0
    unsigned long fileNameOffset = 88; //From rekall profile

    printf("fileObject: @0x%lx\n", fileObject);   //Address to fileObject

    vmi_read_64_va(vmi,  fileObject + fileNameOffset , 0, (uint64_t*)&fileNameAddress);
    unicodeFileName = vmi_read_unicode_str_va(vmi, fileNameAddress, 0);    
    unicode_string_t out = { .contents = NULL };
    if(unicodeFileName && VMI_SUCCESS == vmi_convert_str_encoding(unicodeFileName, &out, "UTF-8")){
        printf("%dtest: %s \n",tempA,out.contents);
    }
}  

Any hint would be appreciated.

Thanks!

Cesar Reyes.

[speddoju]

I too have same problem with KVM. Can anybody help in this regards. 

Thanks in advance.

[Cesar Reyes]

Update: I was able to get the info. The issue is that I was reading the unicode string wrongly.

This is how it is supposed to be: unicodeFileName = vmi_read_unicode_str_va(vmi, fileObject + fileNameOffset, 0);

We can close this.


Thanks!

Cesar Reyes.

On Monday, June 24, 2019 at 11:20:18 AM UTC-4, Cesar Reyes wrote:

[speddoju]

Thanks Cesar!!!