0x10,紧跟着 OBJECT_HEADER 大小 0x18,紧跟着的才是对象体<BR>而 !object 的参数是对象体的指针<BR>kd>
!object 81452720<BR>!object 81452720<BR>Object: 81452720 Type: (81452920)
Type<BR>ObjectHeader: 81452708<BR>HandleCount: 0 PointerCount:
1<BR>Directory Object: 8141ebf0 Name: SymbolicLink<BR>// 可以看到链上的下一项是Type
Object "SymbolicLink",可见ObjectList是同一类型的对象的链<BR>kd> dd 814526f8 l
4<BR>dd 814526f8 l 4<BR>814526f8 814525f8 814527f8 00000000 00000000<BR>//
我们顺着LIST_ENTRY 的Flink 一直走下去,直到遇到814527f8,表明已经循环了。<BR>kd> dd 814525f8 l
4<BR>dd 814525f8 l 4<BR>814525f8 814524b8 814526f8 00000000
00000000<BR><BR>kd> dd 814524b8 l 4<BR>dd 814524b8 l 4<BR>814524b8
814523b8 814525f8 00000000 00000000<BR><BR>kd> dd 814523b8 l 4<BR>dd
814523b8 l 4<BR>814523b8 814522b8 814524b8 00000000 00000000<BR><BR>kd>
dd 814522b8 l 4<BR>dd 814522b8 l 4<BR>814522b8 8141e438 814523b8 00000000
00000000<BR><BR>kd> dd 8141e438 l 4<BR>dd 8141e438 l 4<BR>8141e438
8141e338 814522b8 00000008 00000000<BR><BR>kd> dd 8141e338 l 4<BR>dd
8141e338 l 4<BR>8141e338 8141cc98 8141e438 00000008 00000000<BR><BR>kd>
dd 8141cc98 l 4<BR>dd 8141cc98 l 4<BR>8141cc98 8141cb98 8141e338 00000008
00000000<BR><BR>kd> dd 8141cb98 l 4<BR>dd 8141cb98 l 4<BR>8141cb98
8141c878 8141cc98 00000008 00000000<BR><BR>kd> dd 8141c878 l 4<BR>dd
8141c878 l 4<BR>8141c878 8141c778 8141cb98 00000008 00000000<BR><BR>kd>
dd 8141c778 l 4<BR>dd 8141c778 l 4<BR>8141c778 8141c678 8141c878 00000008
00000000<BR><BR>kd> dd 8141c678 l 4<BR>dd 8141c678 l 4<BR>8141c678
8141c578 8141c778 00000008 00000000<BR><BR>kd> dd 8141c578 l 4<BR>dd
8141c578 l 4<BR>8141c578 8141c478 8141c678 00000008 00000000<BR><BR>kd>
dd 8141c478 l 4<BR>dd 8141c478 l 4<BR>8141c478 8141b738 8141c578 00000008
00000000<BR><BR>kd> dd 8141b738 l 4<BR>dd 8141b738 l 4<BR>8141b738
8141b098 8141c478 00000008 00000000<BR><BR>kd> dd 8141b098 l 4<BR>dd
8141b098 l 4<BR>8141b098 81416e58 8141b738 00000008 00000000<BR><BR>kd>
dd 81416e58 l 4<BR>dd 81416e58 l 4<BR>81416e58 81416d58 8141b098 00000008
00000000<BR><BR>kd> dd 81416d58 l 4<BR>dd 81416d58 l 4<BR>81416d58
81416af8 81416e58 00000008 00000000<BR><BR>kd> dd 81416af8 l 4<BR>dd
81416af8 l 4<BR>81416af8 814169f8 81416d58 00000008 00000000<BR><BR>kd>
dd 814169f8 l 4<BR>dd 814169f8 l 4<BR>814169f8 814168f8 81416af8 00000008
00000000<BR><BR>kd> dd 814168f8 l 4<BR>dd 814168f8 l 4<BR>814168f8
814167f8 814169f8 00000008 00000000<BR><BR>kd> dd 814167f8 l 4<BR>dd
814167f8 l 4<BR>814167f8 814166f8 814168f8 00000008 00000000<BR><BR>kd>
dd 814166f8 l 4<BR>dd 814166f8 l 4<BR>814166f8 814165f8 814167f8 00000008
00000000<BR><BR>kd> dd 814165f8 l 4<BR>dd 814165f8 l 4<BR>814165f8
814379b8 814166f8 00000008 00000000<BR><BR>kd> dd 814379b8 l 4<BR>dd
814379b8 l 4<BR>814379b8 81452958 814165f8 00000008 003f0000<BR><BR>kd>
dd 81452958 l 4<BR>dd 81452958 l 4<BR>81452958 814528f8 814379b8 000a0008
e1000ce8<BR><BR>kd> dd 814528f8 l 4<BR>dd 814528f8 l 4<BR>814528f8
814527f8 81452958 00000000 00000000<BR><BR>kd> dd 814527f8 l 4<BR>dd
814527f8 l 4<BR>814527f8 814526f8 814528f8 00000000 00000000<BR>//
遇到814527f8,而它的 Flink 又指回起点 814526f8,表明已经循环了。(链上的 81452958 应是名为"Type"的类型对象 81452920 偏移 0x38 处的 ObjectListHead,即链头;其余 27 项对应 27 个类型对象。)<BR><BR>下面我们看一下 Type Object 的对象体<BR><BR>typedef struct
_OBJECT_TYPE<BR>{<BR>/*000*/ ERESOURCE Lock;<BR>/*038*/ LIST_ENTRY
ObjectListHead; // OBJECT_CREATOR_INFO<BR>/*040*/ UNICODE_STRING
ObjectTypeName; // see above<BR>/*048*/ union<BR>{<BR>/*048*/ PVOID
DefaultObject; // ObpDefaultObject<BR>/*048*/ DWORD Code; // File: 5C,
WaitablePort: A0<BR>};<BR>/*04C*/ DWORD ObjectTypeIndex; //
OB_TYPE_INDEX_*<BR>/*050*/ DWORD ObjectCount;<BR>/*054*/ DWORD
HandleCount;<BR>/*058*/ DWORD PeakObjectCount;<BR>/*05C*/ DWORD
PeakHandleCount;<BR>/*060*/ OBJECT_TYPE_INITIALIZER
ObjectTypeInitializer;<BR>/*0AC*/ DWORD ObjectTypeTag; //
OB_TYPE_TAG_*<BR>/*0B0*/ }<BR>OBJECT_TYPE;<BR><BR>// 地址
81452820,OBJECT_TYPE 结构长0xB0个字节<BR>kd> dd 81452820 l b0/4<BR>dd
81452820 l b0/4<BR>81452820 81452720 81452920 00000000
00000000<BR>81452830 00000000 00000000 00000000 00000000<BR>81452840
00000000 00000000 00000000 00000000<BR>81452850 00000000 00000000 81452858
81452858<BR>81452860 00140012 e1001948 00000000 00000002<BR>81452870
00000018 0000002d 00000018 00000032<BR>81452880 0000004c 00000100 00020003
0002000c<BR>81452890 00020003 000f000f 000f000f 00000000<BR>814528a0
00000000 00000000 000000d0 00000000<BR>814528b0 00000000 00000000 00000000
00000000<BR>814528c0 804bfb34 00000000 00000000 65726944<BR><BR>/*000*/
ERESOURCE Lock;<BR>81452820 81452720 81452920 00000000
00000000<BR>81452830 00000000 00000000 00000000 00000000<BR>81452840
00000000 00000000 00000000 00000000<BR>81452850 00000000
00000000 <BR><BR>/*038*/ LIST_ENTRY ObjectListHead; //
OBJECT_CREATOR_INFO<BR>81452858 81452858<BR><BR>/*040*/ UNICODE_STRING
ObjectTypeName; <BR>0012 0014 e1001948<BR>// 看看 ObjectTypeName
中所指的字符串吧,<BR>kd> du e1001948<BR>du e1001948<BR>e1001948
"Directory"<BR>// 它是 "Directory"<BR><BR>/*048*/ PVOID DefaultObject; //
ObpDefaultObject<BR>/*048*/ DWORD Code; // File: 5C, WaitablePort:
A0<BR>00000000<BR><BR>/*04C*/ DWORD ObjectTypeIndex; //
OB_TYPE_INDEX_*<BR>00000002<BR>// #define OB_TYPE_INDEX_DIRECTORY 2 //
[Dire]
"Directory"<BR>系统应该是由这里来判断类型的,类型名只是给人看的。其他类型的定义将在后面列出。<BR><BR>/*050*/
DWORD ObjectCount;<BR>00000018<BR><BR>/*054*/ DWORD
HandleCount;<BR>00000038<BR><BR>/*058*/ DWORD
PeakObjectCount;<BR>00000018<BR><BR>/*05C*/ DWORD
PeakHandleCount;<BR>00000044<BR><BR>/*060*/ OBJECT_TYPE_INITIALIZER
ObjectTypeInitializer;<BR>81452880 0000004c 00000100 00020003
0002000c<BR>81452890 00020003 000f000f 000f000f 00000000<BR>814528a0
00000000 00000000 000000d0 00000000<BR>814528b0 00000000 00000000 00000000
00000000<BR>814528c0 804bfb34 00000000 00000000<BR><BR>/*0AC*/ DWORD
ObjectTypeTag; // OB_TYPE_TAG_*<BR>65726944<BR>// 就是ascii的"eriD" ,#define
OB_TYPE_TAG_DIRECTORY 'eriD' // [Dire] "Directory"<BR>其他类型的定义将在后面列出。</P>
<P><BR>OBJECT_TYPE_INITIALIZER 结构定义如下<BR><BR>typedef struct
_OBJECT_TYPE_INITIALIZER<BR>{<BR>/*000*/ WORD Length; //0x004C<BR>/*002*/
BOOLEAN UseDefaultObject;//OBJECT_TYPE.DefaultObject<BR>/*003*/ BOOLEAN
Reserved1;<BR>/*004*/ DWORD InvalidAttributes;<BR>/*008*/ GENERIC_MAPPING
GenericMapping;<BR>/*018*/ ACCESS_MASK ValidAccessMask;<BR>/*01C*/ BOOLEAN
SecurityRequired;<BR>/*01D*/ BOOLEAN MaintainHandleCount; //
OBJECT_HANDLE_DB<BR>/*01E*/ BOOLEAN MaintainTypeList; //
OBJECT_CREATOR_INFO<BR>/*01F*/ BYTE Reserved2;<BR>/*020*/ BOOL
PagedPool;<BR>/*024*/ DWORD DefaultPagedPoolCharge;<BR>/*028*/ DWORD
DefaultNonPagedPoolCharge;<BR>/*02C*/ NTPROC DumpProcedure;<BR>/*030*/
NTPROC OpenProcedure;<BR>/*034*/ NTPROC CloseProcedure;<BR>/*038*/ NTPROC
DeleteProcedure;<BR>/*03C*/ NTPROC_VOID ParseProcedure;<BR>/*040*/
NTPROC_VOID SecurityProcedure; // SeDefaultObjectMethod<BR>/*044*/
NTPROC_VOID QueryNameProcedure;<BR>/*048*/ NTPROC_BOOLEAN
OkayToCloseProcedure;<BR>/*04C*/
}<BR>OBJECT_TYPE_INITIALIZER;<BR><BR>/*000*/ WORD Length;
//0x004C<BR>004c<BR>/*002*/ BOOLEAN
UseDefaultObject;//OBJECT_TYPE.DefaultObject<BR>00<BR>/*003*/ BOOLEAN
Reserved1;<BR>00<BR>/*004*/ DWORD
InvalidAttributes;<BR>00000100<BR>/*008*/ GENERIC_MAPPING
GenericMapping; <BR>struct _GENERIC_MAPPING (sizeof=16)<BR>+00 uint32
GenericRead<BR>+04 uint32 GenericWrite<BR>+08 uint32 GenericExecute<BR>+0c
uint32 GenericAll<BR>00020003 0002000c<BR>/*018*/ ACCESS_MASK
ValidAccessMask;<BR>typedef ULONG ACCESS_MASK;<BR>00020003<BR>/*01C*/
BOOLEAN SecurityRequired;<BR>0f<BR>/*01D*/ BOOLEAN MaintainHandleCount; //
OBJECT_HANDLE_DB<BR>00<BR>/*01E*/ BOOLEAN MaintainTypeList; //
OBJECT_CREATOR_INFO<BR>0f<BR>/*01F*/ BYTE Reserved2;<BR>00<BR>/*020*/ BOOL
PagedPool;<BR>00000000<BR>/*024*/ DWORD
DefaultPagedPoolCharge;<BR>00000000<BR>/*028*/ DWORD
DefaultNonPagedPoolCharge;<BR>000000d0<BR>/*02C*/ NTPROC
DumpProcedure;<BR>00000000<BR>/*030*/ NTPROC
OpenProcedure;<BR>00000000<BR>/*034*/ NTPROC
CloseProcedure;<BR>00000000<BR>/*038*/ NTPROC
DeleteProcedure;<BR>00000000<BR>/*03C*/ NTPROC_VOID
ParseProcedure;<BR>00000000<BR>/*040*/ NTPROC_VOID SecurityProcedure; //
SeDefaultObjectMethod<BR>804bfb34<BR>kd> u 804bfb34<BR>u
804bfb34<BR>ntoskrnl!SeDefaultObjectMethod:<BR><BR>/*044*/ NTPROC_VOID
QueryNameProcedure;<BR>00000000<BR>/*048*/ NTPROC_BOOLEAN
OkayToCloseProcedure;<BR>00000000<BR><BR>可以看到 Type Object 中的
OBJECT_TYPE_INITIALIZER 中有用于保存函数例程指针的地方,这些例程由对象管理器在相应操作时调用(例如上面 SecurityProcedure 指向 ntoskrnl!SeDefaultObjectMethod)。<BR>而关于这些函数概括性的介绍可以参考 《Inside
Windows 2000 Third Edition》"Chapter 3 System Mechanisms" 中的 "Object
Manager" 中的 Object Methods 部分。<BR>Type Object 的对象体的描述就到这里。<BR><BR>对于 Type
Object 还有几个问题需要注意<BR><BR>对于同一个类型的对象,他们的对象头中指向类型的指针,指到的是同一个地址。<BR>比如,对于
Directory 类型的对象,他们指向类型的指针都指向 Type Object "Directory"<BR><BR>kd> !object
\Device\Harddiskdmvolumes<BR>!object \Device\Harddiskdmvolumes<BR>Object:
813d2890 Type: (81452820) Directory<BR>// 注意对象 \Device\Harddiskdmvolumes
的类型指针指向 81452820<BR>kd> !object
\Device\Harddiskdmvolumes\physicaldmvolumes<BR>!object
\Device\Harddiskdmvolumes\physicaldmvolumes<BR>Object: 813d26d0 Type:
(81452820) Directory<BR>// 注意对象
\Device\Harddiskdmvolumes\physicaldmvolumes 的类型指针指向
81452820<BR><BR>所以,如果没有新的类型加入的话,类型对象一共就27个。<BR><BR><BR>所有的 Type Object 的
OBJECT_HEADER 中的 ObjectType 都指向名字叫"Type"的 Type Object。<BR>名字叫"Type"的 Type
Object,也是Type Object,所以它的OBJECT_HEADER 中的 ObjectType 指向自己。<BR><BR>kd>
!object 81452920<BR>!object 81452920<BR>Object: 81452920 Type: (81452920)
Type<BR>ObjectHeader: 81452908<BR>HandleCount: 0 PointerCount:
1<BR>Directory Object: 8141ebf0 Name: Type<BR><BR>就是说所有的类型对象的对象头中的
ObjectType 指针,指向27个类型对象中的叫"Type"的那个。而叫"Type"的那个类型对象的对象头中的 ObjectType
指针,指向自己。<BR><BR>所有的类型对象被放在了 \ObjectTypes\
下,我们可以在"\"目录对象的结构中找"ObjectTypes"目录对象,来得到所有的类型对象的指针。也可以通过一个叫
ObpTypeDirectoryObject
的全局变量,这个全局变量中放着"ObjectTypes"目录对象的地址。使用第一种方法保险一些。</P>
<P>下面列出 ObjectTypeIndex 和 ObjectTypeTag </P>
<P>#define OB_TYPE_INDEX_TYPE 1 // [ObjT] "Type"<BR>#define
OB_TYPE_INDEX_DIRECTORY 2 // [Dire] "Directory"<BR>#define
OB_TYPE_INDEX_SYMBOLIC_LINK 3 // [Symb] "SymbolicLink"<BR>#define
OB_TYPE_INDEX_TOKEN 4 // [Toke] "Token"<BR>#define OB_TYPE_INDEX_PROCESS 5
// [Proc] "Process"<BR>#define OB_TYPE_INDEX_THREAD 6 // [Thre]
"Thread"<BR>#define OB_TYPE_INDEX_JOB 7 // [Job ] "Job"<BR>#define
OB_TYPE_INDEX_EVENT 8 // [Even] "Event"<BR>#define
OB_TYPE_INDEX_EVENT_PAIR 9 // [Even] "EventPair"<BR>#define
OB_TYPE_INDEX_MUTANT 10 // [Muta] "Mutant"<BR>#define
OB_TYPE_INDEX_CALLBACK 11 // [Call] "Callback"<BR>#define
OB_TYPE_INDEX_SEMAPHORE 12 // [Sema] "Semaphore"<BR>#define
OB_TYPE_INDEX_TIMER 13 // [Time] "Timer"<BR>#define OB_TYPE_INDEX_PROFILE
14 // [Prof] "Profile"<BR>#define OB_TYPE_INDEX_WINDOW_STATION 15 //
[Wind] "WindowStation"<BR>#define OB_TYPE_INDEX_DESKTOP 16 // [Desk]
"Desktop"<BR>#define OB_TYPE_INDEX_SECTION 17 // [Sect]
"Section"<BR>#define OB_TYPE_INDEX_KEY 18 // [Key ] "Key"<BR>#define
OB_TYPE_INDEX_PORT 19 // [Port] "Port"<BR>#define
OB_TYPE_INDEX_WAITABLE_PORT 20 // [Wait] "WaitablePort"<BR>#define
OB_TYPE_INDEX_ADAPTER 21 // [Adap] "Adapter"<BR>#define
OB_TYPE_INDEX_CONTROLLER 22 // [Cont] "Controller"<BR>#define
OB_TYPE_INDEX_DEVICE 23 // [Devi] "Device"<BR>#define OB_TYPE_INDEX_DRIVER
24 // [Driv] "Driver"<BR>#define OB_TYPE_INDEX_IO_COMPLETION 25 // [IoCo]
"IoCompletion"<BR>#define OB_TYPE_INDEX_FILE 26 // [File]
"File"<BR>#define OB_TYPE_INDEX_WMI_GUID 27 // [WmiG]