driver.h

一个拷贝系统的SAM 文件的示例,附带驱动源码.

#define RVATOVA(base, offset) ((PVOID)((ULONG)base + (ULONG)(offset)))

typedef PVOID PHANDLE_TABLE_ENTRY_INFO;
typedef PVOID PHANDLE_TABLE;

#define WIN2K_TABLE_ENTRY_LOCK_BIT    0x80000000
#define TABLE_LEVEL_MASK              3
#define XP_TABLE_ENTRY_LOCK_BIT       1

typedef struct _EX_PUSH_LOCK 
{
	union
	{
		struct
		{
			ULONG Waiting   :0x01;
			ULONG Exclusive :0x01;
			ULONG Shared    :0x1E;
		};

		ULONG Value;
		PVOID Ptr;
	};
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;


typedef struct _HANDLE_TRACE_DB_ENTRY 
{
	CLIENT_ID ClientId;
	HANDLE    Handle;
	ULONG     Type;
	PVOID     StackTrace[16];
} HANDLE_TRACE_DB_ENTRY, *PHANDLE_TRACE_DB_ENTRY;

typedef struct _HANDLE_TRACE_DEBUG_INFO
{
	ULONG                 CurrentStackIndex;
	HANDLE_TRACE_DB_ENTRY TraceDb[4096];
} HANDLE_TRACE_DEBUG_INFO, *PHANDLE_TRACE_DEBUG_INFO;

typedef struct _HANDLE_TABLE_ENTRY 
{
	union 
	{
		PVOID                    Object;
        ULONG                    ObAttributes;
		PHANDLE_TABLE_ENTRY_INFO InfoTable;
		ULONG                    Value;
    };

	union 
	{
		union 
		{
			ACCESS_MASK GrantedAccess;

            struct 
			{
				USHORT GrantedAccessIndex;
                USHORT CreatorBackTraceIndex;
            };
        };

        LONG NextFreeTableEntry;
    };

} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef struct _EXHANDLE 
{
	union 
	{
		struct 
		{
			ULONG TagBits : 02;
			ULONG Index   : 30;
        };

        HANDLE GenericHandleOverlay;
    };

} EXHANDLE, *PEXHANDLE;

typedef struct _XP_HANDLE_TABLE 
{
	ULONG                    TableCode;
	PEPROCESS                QuotaProcess;
	PVOID                    UniqueProcessId;
	EX_PUSH_LOCK             HandleTableLock[4];
	LIST_ENTRY               HandleTableList;
	EX_PUSH_LOCK             HandleContentionEvent;
	PHANDLE_TRACE_DEBUG_INFO DebugInfo;
	LONG                     ExtraInfoPages;
	ULONG                    FirstFree;
	ULONG                    LastFree;
	ULONG                    NextHandleNeedingPool;
	LONG                     HandleCount;
	LONG                     Flags;
	UCHAR                    StrictFIFO;
} XP_HANDLE_TABLE, *PXP_HANDLE_TABLE;


typedef struct _WIN2K_HANDLE_TABLE 
{
	ULONG                 Flags;
	LONG                  HandleCount;
	PHANDLE_TABLE_ENTRY **Table;
	PEPROCESS             QuotaProcess;
    HANDLE                UniqueProcessId;
	LONG                  FirstFreeTableEntry;
    LONG                  NextIndexNeedingPool;
	ERESOURCE             HandleTableLock;
	LIST_ENTRY            HandleTableList;
	KEVENT                HandleContentionEvent;
} WIN2K_HANDLE_TABLE , *PWIN2K_HANDLE_TABLE ;

typedef 
  PHANDLE_TABLE_ENTRY 
	(*ExLookupHandleTableEntryPtr)(
	           IN PHANDLE_TABLE HandleTable,
	           IN EXHANDLE      Handle
	           );

extern 
PUSHORT NtBuildNumber;