32位/64位WINDOWS驱动之windbg分析ObReferenceObjectByHandle取回进程句柄的过程
windbg调试技巧
逆向分析
windbg访问断点
dt查看结构指令
windbg使用帮助
参考 https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/commands
.cls 清屏
u ObReferenceObjectByHandle
u ExpLookupHandleTableEntry
u NtQueryInformationProcess
ba r4 地址 //在该地址上下 4 字节的读/写访问断点
一、在驱动层的 进程句柄与对象句柄.c 中添加断点 __debugbreak();
以及调试输出信息
KdPrint(("yjx:SYS ObReferenceObjectByHandle break entry &info=%p\n", &info));
KdPrint(("yjx:SYS ObReferenceObjectByHandle break ret \n"));
二、我们打开WinDbg连接上虚拟机,把最新驱动复制到虚拟机,加载驱动
打开驱动设备-单击获取句柄对象
然后就断下来了
k 查看调用堆栈
按 F8 或 F11 单步步入，或者输入命令 t
我们来到这个函数，用 k 查看它的堆栈
ObReferenceObjectByHandleWithTag
kd> u ObReferenceObjectByHandleWithTag l 100
nt!ObReferenceObjectByHandleWithTag:
; Annotated windbg output (Win7 x64 kernel, Microsoft x64 ABI). Compare with the
; WRK source of ObReferenceObjectByHandle further down the page. The WithTag
; variant carries one extra (Tag) argument, so at entry the stack arguments are
; [rsp+28h]=Tag, [rsp+30h]=Object, [rsp+38h]=HandleInformation; the prologue moves
; rsp by 0C8h (8 pushes + 88h), which yields the [rsp+0D8h..100h] slots below.
; Struct offsets are those of the author's build -- confirm with dt before reuse.
; Register roles: rdi = current ETHREAD, r15 = current process, rsi = handle table,
; r13 = Handle, r14 = AccessMode (later the constant 1), r12 = 0 / Status,
; rbx = HANDLE_TABLE_ENTRY, rbp = OBJECT_HEADER, bpl = a flag kept at [rsp+0D0h]
; (its purpose is not visible in this listing).
fffff800`041770e0 44884c2420 mov byte ptr [rsp+20h],r9b        ; home AccessMode   -> [rsp+0E8h] after the prologue
fffff800`041770e5 4c89442418 mov qword ptr [rsp+18h],r8        ; home ObjectType   -> [rsp+0E0h]
fffff800`041770ea 89542410 mov dword ptr [rsp+10h],edx         ; home DesiredAccess-> [rsp+0D8h]
fffff800`041770ee 53 push rbx                                  ; save callee-saved registers (8 pushes = 40h)
fffff800`041770ef 55 push rbp
fffff800`041770f0 56 push rsi
fffff800`041770f1 57 push rdi
fffff800`041770f2 4154 push r12
fffff800`041770f4 4155 push r13
fffff800`041770f6 4156 push r14
fffff800`041770f8 4157 push r15
fffff800`041770fa 4881ec88000000 sub rsp,88h                   ; locals; total frame delta from entry = 0C8h
fffff800`04177101 65488b3c2588010000 mov rdi,qword ptr gs:[188h] ; rdi = KPCR.Prcb.CurrentThread  (PsGetCurrentThread)
fffff800`0417710a 488b9c24f8000000 mov rbx,qword ptr [rsp+0F8h]  ; rbx = Object (output pointer argument)
fffff800`04177112 4533e4 xor r12d,r12d                         ; r12 = 0; reused as Status (0 = STATUS_SUCCESS)
fffff800`04177115 4c8b7f70 mov r15,qword ptr [rdi+70h]         ; r15 = Thread->ApcState.Process (PsGetCurrentProcessByThread), presumably
fffff800`04177119 4032ed xor bpl,bpl                           ; flag = 0
fffff800`0417711c 450fb6f1 movzx r14d,r9b                      ; r14 = AccessMode (0 = KernelMode)
fffff800`04177120 4c8923 mov qword ptr [rbx],r12               ; *Object = NULL
fffff800`04177123 4c8be9 mov r13,rcx                           ; r13 = Handle
fffff800`04177126 4088ac24d0000000 mov byte ptr [rsp+0D0h],bpl ; spill the flag
fffff800`0417712e 85c9 test ecx,ecx                            ; (LONG)Handle < 0 ?  only the low dword's sign bit is tested
fffff800`04177130 0f88e1010000 js nt!ObReferenceObjectByHandleWithTag+0x237 (fffff800`04177317) ; -> pseudo-handle / kernel-handle path
fffff800`04177136 4c3925937bebff cmp qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`0402ecd0)],r12 ; Driver Verifier active?
fffff800`0417713d 0f85ef3cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x20220 (fffff800`040dae32) ; -> out-of-line (verifier) path
fffff800`04177143 4c3bbf10020000 cmp r15,qword ptr [rdi+210h]  ; ApcState.Process != Thread->Process, i.e. attached to another process?
fffff800`0417714a 0f85f63cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x20234 (fffff800`040dae46) ; -> out-of-line path
fffff800`04177150 498bb700020000 mov rsi,qword ptr [r15+200h]  ; rsi = Process->ObjectTable (+0x200 on this build, see dt note in the C listing)
fffff800`04177157 4885f6 test rsi,rsi
fffff800`0417715a 0f84283df6ff je nt! ?? ::NNGAKEGL::`string'+0x2027e (fffff800`040dae88) ; no handle table -> error path
fffff800`04177160 483b3559a0ebff cmp rsi,qword ptr [nt!ObpKernelHandleTable (fffff800`040311c0)] ; process table is the kernel handle table?
fffff800`04177167 0f84f43cf6ff je nt! ?? ::NNGAKEGL::`string'+0x2024f (fffff800`040dae61) ; -> out-of-line path
fffff800`0417716d 66ff8fc4010000 dec word ptr [rdi+1C4h]       ; KeEnterCriticalRegionThread: --Thread->KernelApcDisable
fffff800`04177174 41f7c5fc030000 test r13d,3FCh                ; handle bits 2..9 == 0 -> index 0 of a low-level table (reserved)
fffff800`0417717b 0f8402030000 je nt!ObReferenceObjectByHandleWithTag+0x3a3 (fffff800`04177483) ; -> STATUS_INVALID_HANDLE
fffff800`04177181 418bc5 mov eax,r13d
fffff800`04177184 4c896c2430 mov qword ptr [rsp+30h],r13
fffff800`04177189 83e0fc and eax,0FFFFFFFCh                    ; strip the 2 tag bits
fffff800`0417718c 89442430 mov dword ptr [rsp+30h],eax         ; [rsp+30h] = Handle & ~3 (zero-extended)
fffff800`04177190 8b465c mov eax,dword ptr [rsi+5Ch]           ; HandleTable->NextHandleNeedingPool
fffff800`04177193 4c8b4c2430 mov r9,qword ptr [rsp+30h]        ; r9 = handle index (already *4)
fffff800`04177198 4c3bc8 cmp r9,rax
fffff800`0417719b 0f83e2020000 jae nt!ObReferenceObjectByHandleWithTag+0x3a3 (fffff800`04177483) ; out of range (unsigned) -> invalid handle
fffff800`041771a1 4c8b06 mov r8,qword ptr [rsi]                ; TableCode
fffff800`041771a4 418bc8 mov ecx,r8d
fffff800`041771a7 83e103 and ecx,3                             ; ecx = table level (low 2 bits of TableCode)
fffff800`041771aa 8bc1 mov eax,ecx
fffff800`041771ac 4c2bc0 sub r8,rax                            ; r8 = table base without the level bits
fffff800`041771af 85c9 test ecx,ecx
fffff800`041771b1 0f853a010000 jne nt!ObReferenceObjectByHandleWithTag+0x211 (fffff800`041772f1) ; level != 0 -> multi-level walk
fffff800`041771b7 4b8d1c88 lea rbx,[r8+r9*4]                   ; level 0: entry = base + (Handle/4)*16 = base + (Handle&~3)*4
fffff800`041771bb 4885db test rbx,rbx
fffff800`041771be 0f84c2020000 je nt!ObReferenceObjectByHandleWithTag+0x3a6 (fffff800`04177486) ; NULL entry -> invalid handle
fffff800`041771c4 0f0d0b prefetchw [rbx]                       ; retry label for the entry lock (+0xe4)
fffff800`041771c7 488b03 mov rax,qword ptr [rbx]               ; entry->Object (bit 0 set = entry unlocked)
fffff800`041771ca a801 test al,1
fffff800`041771cc 0f8422020000 je nt!ObReferenceObjectByHandleWithTag+0x314 (fffff800`041773f4) ; locked or free -> wait / invalid path
fffff800`041771d2 488d48ff lea rcx,[rax-1]                     ; clear the lock bit ...
fffff800`041771d6 f0480fb10b lock cmpxchg qword ptr [rbx],rcx  ; ... atomically (ExLockHandleTableEntry)
fffff800`041771db 0f851c020000 jne nt!ObReferenceObjectByHandleWithTag+0x31d (fffff800`041773fd) ; lost the race -> wait path
fffff800`041771e1 488b2b mov rbp,qword ptr [rbx]
fffff800`041771e4 4883e5f8 and rbp,0FFFFFFFFFFFFFFF8h          ; rbp = OBJECT_HEADER = Object & ~OBJ_HANDLE_ATTRIBUTES
fffff800`041771e8 0f0d4d00 prefetchw [rbp]                     ; ReadForWriteAccess(ObjectHeader)
fffff800`041771ec 0fb64518 movzx eax,byte ptr [rbp+18h]        ; ObjectHeader->TypeIndex
fffff800`041771f0 4c8b9424e0000000 mov r10,qword ptr [rsp+0E0h] ; r10 = ObjectType argument
fffff800`041771f8 488d0d41bbebff lea rcx,[nt!ObTypeIndexTable (fffff800`04032d40)]
fffff800`041771ff 41be01000000 mov r14d,1                      ; r14 = 1 (used as the increment below)
fffff800`04177205 4c3914c1 cmp qword ptr [rcx+rax*8],r10       ; ObTypeIndexTable[TypeIndex] == ObjectType ?
fffff800`04177209 0f8530010000 jne nt!ObReferenceObjectByHandleWithTag+0x25f (fffff800`0417733f) ; mismatch: NULL type is accepted there
fffff800`0417720f 448b5b08 mov r11d,dword ptr [rbx+8]          ; entry->GrantedAccess (raw)
fffff800`04177213 8b8c24d8000000 mov ecx,dword ptr [rsp+0D8h]  ; ecx = DesiredAccess
fffff800`0417721a 410fbaf319 btr r11d,19h                      ; ObpDecodeGrantedAccess: clear the protect-from-close bit (bit 25)
fffff800`0417721f 418bc3 mov eax,r11d
fffff800`04177222 f7d0 not eax
fffff800`04177224 85c1 test ecx,eax                            ; SeComputeDeniedAccesses: DesiredAccess & ~GrantedAccess
fffff800`04177226 0f85af010000 jne nt!ObReferenceObjectByHandleWithTag+0x2fb (fffff800`041773db) ; denied bits -> only KernelMode survives
fffff800`0417722c 44396640 cmp dword ptr [rsi+40h],r12d        ; HandleTable->ExtraInfoPages != 0 ?
fffff800`04177230 0f85983cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x202c4 (fffff800`040daece) ; -> path that fetches ExGetHandleInfo (audit mask)
fffff800`04177236 498bd4 mov rdx,r12
fffff800`04177239 488b842400010000 mov rax,qword ptr [rsp+100h] ; rax = HandleInformation
fffff800`04177241 4885c0 test rax,rax
fffff800`04177244 0f8585000000 jne nt!ObReferenceObjectByHandleWithTag+0x1ef (fffff800`041772cf) ; caller wants handle info -> fill it at +0x1ef
fffff800`0417724a f60304 test byte ptr [rbx],4                 ; entry attribute OBJ_AUDIT_OBJECT_CLOSE ?
fffff800`0417724d 0f85993cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x202e2 (fffff800`040daeec) ; -> audit path
fffff800`04177253 443925bab3eaff cmp dword ptr [nt!ObpTraceFlags (fffff800`04022614)],r12d ; object reference tracing on?
fffff800`0417725a 0f85ba3cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x20310 (fffff800`040daf1a)
fffff800`04177260 f04c017500 lock add qword ptr [rbp],r14      ; ObpIncrPointerCount: ++ObjectHeader->PointerCount
fffff800`04177265 488b8c24f8000000 mov rcx,qword ptr [rsp+0F8h] ; rcx = Object
fffff800`0417726d 488d4530 lea rax,[rbp+30h]                   ; &ObjectHeader->Body (header is 30h bytes on x64)
fffff800`04177271 488901 mov qword ptr [rcx],rax               ; *Object = body
fffff800`04177274 f04c0fc133 lock xadd qword ptr [rbx],r14     ; ExUnlockHandleTableEntry: set the lock bit again (+1)
fffff800`04177279 488d4e30 lea rcx,[rsi+30h]                   ; &HandleTable->HandleContentionEvent (push lock)
fffff800`0417727d f0830c2400 lock or dword ptr [rsp],0         ; full memory barrier
fffff800`04177282 0faee8 lfence
fffff800`04177285 48833900 cmp qword ptr [rcx],0               ; waiters on the entry lock?
fffff800`04177289 0f85ac010000 jne nt!ObReferenceObjectByHandleWithTag+0x35b (fffff800`0417743b) ; -> ExfUnblockPushLock
fffff800`0417728f 0fb6ac24d0000000 movzx ebp,byte ptr [rsp+0D0h] ; reload the flag
fffff800`04177297 668387c401000001 add word ptr [rdi+1C4h],1   ; KeLeaveCriticalRegionThread: ++KernelApcDisable
fffff800`0417729f 750d jne nt!ObReferenceObjectByHandleWithTag+0x1ce (fffff800`041772ae) ; still disabled -> skip APC check
fffff800`041772a1 488d4750 lea rax,[rdi+50h]                   ; &ApcState.ApcListHead[KernelMode]
fffff800`041772a5 483900 cmp qword ptr [rax],rax               ; list empty?
fffff800`041772a8 0f85ed010000 jne nt!ObReferenceObjectByHandleWithTag+0x3bb (fffff800`0417749b) ; pending kernel APC -> +0x3bb
fffff800`041772ae 4080fd01 cmp bpl,1                           ; flag set?
fffff800`041772b2 0f842c3df6ff je nt! ?? ::NNGAKEGL::`string'+0x203e2 (fffff800`040dafe4) ; -> out-of-line path
fffff800`041772b8 418bc4 mov eax,r12d                          ; return Status (0, or the NTSTATUS set on an error path)
fffff800`041772bb 4881c488000000 add rsp,88h                   ; epilogue
fffff800`041772c2 415f pop r15
fffff800`041772c4 415e pop r14
fffff800`041772c6 415d pop r13
fffff800`041772c8 415c pop r12
fffff800`041772ca 5f pop rdi
fffff800`041772cb 5e pop rsi
fffff800`041772cc 5d pop rbp
fffff800`041772cd 5b pop rbx
fffff800`041772ce c3 ret
fffff800`041772cf 44895804 mov dword ptr [rax+4],r11d          ; HandleInformation->GrantedAccess = decoded granted access
fffff800`041772d3 8b0b mov ecx,dword ptr [rbx]                 ; entry attribute bits ...
fffff800`041772d5 83e106 and ecx,6                             ; ... keep OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE (ObpGetHandleAttributes)
fffff800`041772d8 0fba630819 bt dword ptr [rbx+8],19h          ; protect-from-close bit in the raw GrantedAccess ?
fffff800`041772dd 0f828f010000 jb nt!ObReferenceObjectByHandleWithTag+0x392 (fffff800`04177472) ; -> add OBJ_PROTECT_CLOSE (1)
fffff800`041772e3 8908 mov dword ptr [rax],ecx                 ; HandleInformation->HandleAttributes
fffff800`041772e5 8b8c24d8000000 mov ecx,dword ptr [rsp+0D8h]  ; restore ecx = DesiredAccess
fffff800`041772ec e959ffffff jmp nt!ObReferenceObjectByHandleWithTag+0x16a (fffff800`0417724a) ; back to the audit check
fffff800`041772f1 83f901 cmp ecx,1                             ; two-level table?
fffff800`041772f4 0f85983bf6ff jne nt! ?? ::NNGAKEGL::`string'+0x20288 (fffff800`040dae92) ; three-level -> out-of-line
fffff800`041772fa 498bc9 mov rcx,r9
fffff800`041772fd 81e1ff030000 and ecx,3FFh                    ; rcx = byte offset within the low-level table
fffff800`04177303 4c2bc9 sub r9,rcx
fffff800`04177306 49c1e907 shr r9,7                            ; r9 = (Handle & ~3FFh) >> 7 = mid-level slot * 8
fffff800`0417730a 4b8b0401 mov rax,qword ptr [r9+r8]           ; rax = low-level table pointer
fffff800`0417730e 488d1c88 lea rbx,[rax+rcx*4]                 ; entry = low-level base + offset*4
fffff800`04177312 e9a4feffff jmp nt!ObReferenceObjectByHandleWithTag+0xdb (fffff800`041771bb) ; rejoin the NULL check
fffff800`04177317 4883f9ff cmp rcx,0FFFFFFFFFFFFFFFFh          ; Handle == NtCurrentProcess() (-1) ?
fffff800`0417731b 7475 je nt!ObReferenceObjectByHandleWithTag+0x2b2 (fffff800`04177392)
fffff800`0417731d 4883f9fe cmp rcx,0FFFFFFFFFFFFFFFEh          ; Handle == NtCurrentThread() (-2) ?
fffff800`04177321 742a je nt!ObReferenceObjectByHandleWithTag+0x26d (fffff800`0417734d)
fffff800`04177323 4584f6 test r14b,r14b                        ; kernel handle: AccessMode != KernelMode ?
fffff800`04177326 0f855c3bf6ff jne nt! ?? ::NNGAKEGL::`string'+0x2027e (fffff800`040dae88) ; user-mode caller -> STATUS_INVALID_HANDLE path
fffff800`0417732c 488b358d9eebff mov rsi,qword ptr [nt!ObpKernelHandleTable (fffff800`040311c0)] ; use the global kernel handle table
fffff800`04177333 4981f500000080 xor r13,0FFFFFFFF80000000h    ; DecodeKernelHandle: clear the sign bit
fffff800`0417733a e92efeffff jmp nt!ObReferenceObjectByHandleWithTag+0x8d (fffff800`0417716d) ; rejoin at KeEnterCriticalRegion
fffff800`0417733f 4d85d2 test r10,r10                          ; ObjectType == NULL -> any type is fine
fffff800`04177342 0f84c7feffff je nt!ObReferenceObjectByHandleWithTag+0x12f (fffff800`0417720f)
fffff800`04177348 e9763bf6ff jmp nt! ?? ::NNGAKEGL::`string'+0x202b9 (fffff800`040daec3) ; -> STATUS_OBJECT_TYPE_MISMATCH path
fffff800`0417734d 4c3b05fc0cf4ff cmp r8,qword ptr [nt!PsThreadType (fffff800`040b8050)] ; NtCurrentThread: ObjectType == PsThreadType ?
fffff800`04177354 0f85863af6ff jne nt! ?? ::NNGAKEGL::`string'+0x201ce (fffff800`040dade0) ; (NULL / mismatch handled out of line)
fffff800`0417735a f7c20000e0ff test edx,0FFE00000h             ; DesiredAccess bits outside 1FFFFFh -> out-of-line access check
fffff800`04177360 0f85883af6ff jne nt! ?? ::NNGAKEGL::`string'+0x201dc (fffff800`040dadee)
fffff800`04177366 488b842400010000 mov rax,qword ptr [rsp+100h] ; HandleInformation requested -> out of line
fffff800`0417736e 4885c0 test rax,rax
fffff800`04177371 0f85813af6ff jne nt! ?? ::NNGAKEGL::`string'+0x201e6 (fffff800`040dadf8)
fffff800`04177377 44392596b2eaff cmp dword ptr [nt!ObpTraceFlags (fffff800`04022614)],r12d
fffff800`0417737e 0f85833af6ff jne nt! ?? ::NNGAKEGL::`string'+0x201f5 (fffff800`040dae07)
fffff800`04177384 f0488347d001 lock add qword ptr [rdi-30h],1  ; ++PointerCount of the current thread's OBJECT_HEADER (30h before the body)
fffff800`0417738a 48893b mov qword ptr [rbx],rdi               ; *Object = current ETHREAD
fffff800`0417738d e926ffffff jmp nt!ObReferenceObjectByHandleWithTag+0x1d8 (fffff800`041772b8) ; return STATUS_SUCCESS
fffff800`04177392 4c3b05870cf4ff cmp r8,qword ptr [nt!PsProcessType (fffff800`040b8020)] ; NtCurrentProcess: ObjectType == PsProcessType ?
fffff800`04177399 0f85bf000000 jne nt!ObReferenceObjectByHandleWithTag+0x37e (fffff800`0417745e) ; -> NULL check / type mismatch
fffff800`0417739f 488b7770 mov rsi,qword ptr [rdi+70h]         ; rsi = current process
fffff800`041773a3 f7c20000e0ff test edx,0FFE00000h             ; DesiredAccess bits outside 1FFFFFh -> out-of-line access check
fffff800`041773a9 0f85e339f6ff jne nt! ?? ::NNGAKEGL::`string'+0x20180 (fffff800`040dad92)
fffff800`041773af 488b842400010000 mov rax,qword ptr [rsp+100h] ; HandleInformation requested -> out of line
fffff800`041773b7 4885c0 test rax,rax
fffff800`041773ba 0f85e639f6ff jne nt! ?? ::NNGAKEGL::`string'+0x20194 (fffff800`040dada6)
fffff800`041773c0 4439254db2eaff cmp dword ptr [nt!ObpTraceFlags (fffff800`04022614)],r12d
fffff800`041773c7 0f85e839f6ff jne nt! ?? ::NNGAKEGL::`string'+0x201a3 (fffff800`040dadb5)
fffff800`041773cd f0488346d001 lock add qword ptr [rsi-30h],1  ; ++PointerCount of the current process's OBJECT_HEADER
fffff800`041773d3 488933 mov qword ptr [rbx],rsi               ; *Object = current EPROCESS
fffff800`041773d6 e9ddfeffff jmp nt!ObReferenceObjectByHandleWithTag+0x1d8 (fffff800`041772b8) ; return STATUS_SUCCESS
fffff800`041773db 4438a424e8000000 cmp byte ptr [rsp+0E8h],r12b ; denied bits present: AccessMode == KernelMode ?
fffff800`041773e3 0f8443feffff je nt!ObReferenceObjectByHandleWithTag+0x14c (fffff800`0417722c) ; kernel mode is never denied
fffff800`041773e9 41bc220000c0 mov r12d,0C0000022h             ; Status = STATUS_ACCESS_DENIED
fffff800`041773ef e980feffff jmp nt!ObReferenceObjectByHandleWithTag+0x194 (fffff800`04177274) ; unlock the entry and return
fffff800`041773f4 4885c0 test rax,rax                          ; entry->Object == 0 -> free entry
fffff800`041773f7 0f8489000000 je nt!ObReferenceObjectByHandleWithTag+0x3a6 (fffff800`04177486) ; -> STATUS_INVALID_HANDLE
fffff800`041773fd 488d4e30 lea rcx,[rsi+30h]                   ; entry locked by another CPU: wait on HandleContentionEvent
fffff800`04177401 c744247402000000 mov dword ptr [rsp+74h],2   ; build a push-lock wait block at [rsp+40h]
fffff800`04177409 0f0d09 prefetchw [rcx]
fffff800`0417740c 488b01 mov rax,qword ptr [rcx]
fffff800`0417740f 4889442458 mov qword ptr [rsp+58h],rax       ; wait block links to the previous lock value
fffff800`04177414 488d542440 lea rdx,[rsp+40h]
fffff800`04177419 f0480fb111 lock cmpxchg qword ptr [rcx],rdx  ; push the wait block onto the lock
fffff800`0417741e 75ef jne nt!ObReferenceObjectByHandleWithTag+0x32f (fffff800`0417740f) ; retry on contention
fffff800`04177420 488b03 mov rax,qword ptr [rbx]               ; re-check the entry before blocking
fffff800`04177423 4885c0 test rax,rax
fffff800`04177426 741f je nt!ObReferenceObjectByHandleWithTag+0x367 (fffff800`04177447) ; freed meanwhile -> unblock, retry
fffff800`04177428 a801 test al,1
fffff800`0417742a 751b jne nt!ObReferenceObjectByHandleWithTag+0x367 (fffff800`04177447) ; unlocked meanwhile -> unblock, retry
fffff800`0417742c 488d542440 lea rdx,[rsp+40h]
fffff800`04177431 e86aadcbff call nt!ExWaitForUnblockPushLock (fffff800`03e321a0) ; block until the holder releases
fffff800`04177436 e989fdffff jmp nt!ObReferenceObjectByHandleWithTag+0xe4 (fffff800`041771c4) ; retry the lock
fffff800`0417743b 33d2 xor edx,edx
fffff800`0417743d e8ce3accff call nt!ExfUnblockPushLock (fffff800`03e3af10) ; wake waiters on HandleContentionEvent
fffff800`04177442 e948feffff jmp nt!ObReferenceObjectByHandleWithTag+0x1af (fffff800`0417728f)
fffff800`04177447 f044092424 lock or dword ptr [rsp],r12d      ; full memory barrier (r12d == 0)
fffff800`0417744c 0faee8 lfence
fffff800`0417744f 488d542440 lea rdx,[rsp+40h]
fffff800`04177454 e8b73accff call nt!ExfUnblockPushLock (fffff800`03e3af10) ; remove our wait block
fffff800`04177459 e966fdffff jmp nt!ObReferenceObjectByHandleWithTag+0xe4 (fffff800`041771c4) ; retry the lock
fffff800`0417745e 4d85c0 test r8,r8                            ; NtCurrentProcess with ObjectType == NULL ?
fffff800`04177461 0f8438ffffff je nt!ObReferenceObjectByHandleWithTag+0x2bf (fffff800`0417739f)
fffff800`04177467 41bc240000c0 mov r12d,0C0000024h             ; Status = STATUS_OBJECT_TYPE_MISMATCH
fffff800`0417746d e946feffff jmp nt!ObReferenceObjectByHandleWithTag+0x1d8 (fffff800`041772b8)
fffff800`04177472 410bce or ecx,r14d                           ; HandleAttributes |= OBJ_PROTECT_CLOSE (1)
fffff800`04177475 8908 mov dword ptr [rax],ecx
fffff800`04177477 8b8c24d8000000 mov ecx,dword ptr [rsp+0D8h]
fffff800`0417747e e9c7fdffff jmp nt!ObReferenceObjectByHandleWithTag+0x16a (fffff800`0417724a)
fffff800`04177483 498bdc mov rbx,r12                           ; no entry (rbx = NULL)
fffff800`04177486 4c396638 cmp qword ptr [rsi+38h],r12         ; HandleTable->DebugInfo set (handle tracing)?
fffff800`0417748a 0f85b13af6ff jne nt! ?? ::NNGAKEGL::`string'+0x20337 (fffff800`040daf41)
fffff800`04177490 41bc080000c0 mov r12d,0C0000008h             ; Status = STATUS_INVALID_HANDLE
fffff800`04177496 e9fcfdffff jmp nt!ObReferenceObjectByHandleWithTag+0x1b7 (fffff800`04177297) ; leave the critical region and return
fffff800`0417749b 6683bfc601000000 cmp word ptr [rdi+1C6h],0   ; SpecialApcDisable == 0 ?
fffff800`041774a3 0f8505feffff jne nt!ObReferenceObjectByHandleWithTag+0x1ce (fffff800`041772ae)
fffff800`041774a9 e8c269cbff call nt!KiCheckForKernelApcDelivery (fffff800`03e2de70) ; deliver the pending kernel APC
fffff800`041774ae e9fbfdffff jmp nt!ObReferenceObjectByHandleWithTag+0x1ce (fffff800`041772ae)
fffff800`041774b3 90 nop                                       ; padding to the next function
fffff800`041774b4 90 nop
fffff800`041774b5 90 nop
fffff800`041774b6 90 nop
fffff800`041774b7 90 nop
fffff800`041774b8 90 nop
fffff800`041774b9 90 nop
fffff800`041774ba 90 nop
fffff800`041774bb 90 nop
fffff800`041774bc 90 nop
fffff800`041774bd 90 nop
fffff800`041774be 90 nop
fffff800`041774bf 90 nop
大概就是先看这个句柄是当前进程的句柄还是当前线程的句柄，
最后再看 AccessMode 是内核态还是用户态：内核态的话，
句柄表就用 ObpKernelHandleTable，
用户态的话就用当前进程的句柄表
NTSTATUS
ObReferenceObjectByHandle (
__in HANDLE Handle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PVOID *Object,
__out_opt POBJECT_HANDLE_INFORMATION HandleInformation
)
/*++
Routine Description:
Given a handle to an object this routine returns a pointer
to the body of the object with proper ref counts
Arguments:
Handle - Supplies a handle to the object being referenced. It can
also be the result of NtCurrentProcess or NtCurrentThread
DesiredAccess - Supplies the access being requested by the caller
ObjectType - Optionally supplies the type of the object we
are expecting
AccessMode - Supplies the processor mode of the access
Object - Receives a pointer to the object body if the operation
is successful
HandleInformation - Optionally receives information regarding the
input handle.
Return Value:
An appropriate NTSTATUS value
Reader's notes (WRK source, shown for comparison with the Win7 x64
disassembly of ObReferenceObjectByHandleWithTag above):
- Every STATUS_SUCCESS path calls ObpIncrPointerCount on the object
header, so the caller owns one reference and must release it with
ObDereferenceObject when done.
- AccessMode == KernelMode short-circuits the SeComputeDeniedAccesses
check on all three success paths, and is also the only mode in which a
kernel handle (sign bit set) is accepted. A driver that passes
KernelMode for a handle value it received from user mode therefore
skips both the access check and the STATUS_INVALID_HANDLE rejection
below; pass the requestor's real mode instead.
--*/
{
ACCESS_MASK GrantedAccess;
PHANDLE_TABLE HandleTable;
POBJECT_HEADER ObjectHeader;
PHANDLE_TABLE_ENTRY ObjectTableEntry;
PEPROCESS Process;
NTSTATUS Status;
PETHREAD Thread;
ObpValidateIrql("ObReferenceObjectByHandle");
Thread = PsGetCurrentThread ();// the thread calling ObReferenceObjectByHandle (x64: mov rdi,gs:[188h] in the disassembly above)
*Object = NULL;
//
// Check is this handle is a kernel handle or one of the two builtin pseudo handles
// (author's boundary note: FFFFFFFF 7FFF FFFF). Because of the (LONG) cast only the
// low dword's sign bit is tested -- test ecx,ecx / js in the disassembly above.
//
if ((LONG)(ULONG_PTR) Handle < 0) { // pseudo handles -1 / -2 (FFFFFFFF`FFFFFFFF / FFFFFFFF`FFFFFFFE) and kernel handles come here; the author's ordinary handles 0x78 0x7C 0x80 do not
//
// If the handle is equal to the current process handle and the object
// type is NULL or type process, then attempt to translate a handle to
// the current process. Otherwise, check if the handle is the current
// thread handle.
//
if (Handle == NtCurrentProcess()) { // Handle == -1: the current-process pseudo handle
if ((ObjectType == PsProcessType) || (ObjectType == NULL)) {
Process = PsGetCurrentProcessByThread(Thread);// the caller's EPROCESS
GrantedAccess = Process->GrantedAccess;
// kernel-mode callers are never denied; user-mode callers need every requested bit granted
if ((SeComputeDeniedAccesses(GrantedAccess, DesiredAccess) == 0) ||
(AccessMode == KernelMode)) {
ObjectHeader = OBJECT_TO_OBJECT_HEADER(Process);// OBJECT_HEADER precedes the EPROCESS body
if (ARGUMENT_PRESENT(HandleInformation)) {
HandleInformation->GrantedAccess = GrantedAccess;
HandleInformation->HandleAttributes = 0;// no table entry, so no handle attributes
}
ObpIncrPointerCount(ObjectHeader);// take the reference the caller will own
*Object = Process;// return the object body, not the header
ASSERT( *Object != NULL );
Status = STATUS_SUCCESS;
} else {
Status = STATUS_ACCESS_DENIED;
}
} else {
Status = STATUS_OBJECT_TYPE_MISMATCH;
}
return Status;
//
// If the handle is equal to the current thread handle and the object
// type is NULL or type thread, then attempt to translate a handle to
// the current thread. Otherwise, the we'll try and translate the
// handle
//
} else if (Handle == NtCurrentThread()) { // Handle == -2: the current-thread pseudo handle
if ((ObjectType == PsThreadType) || (ObjectType == NULL)) {
GrantedAccess = Thread->GrantedAccess;
// same rule as above: KernelMode bypasses the granted-access check
if ((SeComputeDeniedAccesses(GrantedAccess, DesiredAccess) == 0) ||
(AccessMode == KernelMode)) {
ObjectHeader = OBJECT_TO_OBJECT_HEADER(Thread);// OBJECT_HEADER of the current thread
if (ARGUMENT_PRESENT(HandleInformation)) {
HandleInformation->GrantedAccess = GrantedAccess;
HandleInformation->HandleAttributes = 0;
}
ObpIncrPointerCount(ObjectHeader);// take the reference the caller will own
*Object = Thread;// return the object body
ASSERT( *Object != NULL );
Status = STATUS_SUCCESS;
} else {
Status = STATUS_ACCESS_DENIED;
}
} else {
Status = STATUS_OBJECT_TYPE_MISMATCH;
}
return Status;
} else if (AccessMode == KernelMode)// a kernel handle (sign bit set) from a kernel-mode caller
{
//
// Make the handle look like a regular handle
//
Handle = DecodeKernelHandle( Handle );// clears the sign bit (xor r13,0FFFFFFFF80000000h in the disassembly)
//
// The global kernel handle table
//
HandleTable = ObpKernelHandleTable;
} else {
//
// The previous mode was user for this kernel handle value. Reject it here.
// (This is the rejection a driver defeats by passing KernelMode for a user-supplied handle.)
//
return STATUS_INVALID_HANDLE;
}
} else
{ // ordinary handle: look it up in the calling process's table.
// PsGetCurrentProcessByThread(Thread) yields the PEPROCESS; on the author's Win7 build
// dt shows:  +0x200 ObjectTable : Ptr64 _HANDLE_TABLE
// (download the pdb/symbol file matching the running kernel to confirm the offset)
HandleTable = PsGetCurrentProcessByThread(Thread)->ObjectTable;// the handle table of the current (calling) process
}
ASSERT(HandleTable != NULL);
//
// Protect this thread from being suspended while we hold the handle table entry lock
// (dec word ptr [rdi+1C4h] in the disassembly above)
//
KeEnterCriticalRegionThread(&Thread->Tcb);
//
// Translate the specified handle to an object table index.
// AccessMode (UserMode / KernelMode) is forwarded to the lookup. On success the
// returned entry is locked and must be released with ExUnlockHandleTableEntry.
//
ObjectTableEntry = ExMapHandleToPointerEx ( HandleTable, Handle, AccessMode );// -> HANDLE_TABLE_ENTRY, or NULL
//
// Make sure the object table entry really does exist
//
if (ObjectTableEntry != NULL) {
ObjectHeader = (POBJECT_HEADER)(((ULONG_PTR)(ObjectTableEntry->Object)) & ~OBJ_HANDLE_ATTRIBUTES);// the low bits of Object hold handle attributes; mask them off to get the header
//
// Optimize for a successful reference by bringing the object header
// into the cache exclusive.
//
ReadForWriteAccess(ObjectHeader);
if ((ObjectHeader->Type == ObjectType) || (ObjectType == NULL)) {
#if i386
if (NtGlobalFlag & FLG_KERNEL_STACK_TRACE_DB) {
GrantedAccess = ObpTranslateGrantedAccessIndex( ObjectTableEntry->GrantedAccessIndex );
} else {
GrantedAccess = ObpDecodeGrantedAccess(ObjectTableEntry->GrantedAccess);
}
#else
GrantedAccess = ObpDecodeGrantedAccess(ObjectTableEntry->GrantedAccess);// strips the protect-from-close bit (btr r11d,19h in the disassembly)
#endif // i386
// kernel-mode callers are never denied; user-mode callers need every requested bit granted
if ((SeComputeDeniedAccesses(GrantedAccess, DesiredAccess) == 0) ||
(AccessMode == KernelMode)) {
PHANDLE_TABLE_ENTRY_INFO ObjectInfo;
ObjectInfo = ExGetHandleInfo(HandleTable, Handle, TRUE);
//
// Access to the object is allowed. Return the handle
// information is requested, increment the object
// pointer count, unlock the handle table and return
// a success status.
//
// Note that this is the only successful return path
// out of this routine if the user did not specify
// the current process or current thread in the input
// handle.
//
if (ARGUMENT_PRESENT(HandleInformation)) {
HandleInformation->GrantedAccess = GrantedAccess;// 0x1FFFFF in the author's run (r11 in the register dump below)
HandleInformation->HandleAttributes = ObpGetHandleAttributes(ObjectTableEntry);
}
//
// If this object was audited when it was opened, it may
// be necessary to generate an audit now. Check the audit
// mask that was saved when the handle was created.
//
// It is safe to do this check in a non-atomic fashion,
// because bits will never be added to this mask once it is
// created.
//
if ( (ObjectTableEntry->ObAttributes & OBJ_AUDIT_OBJECT_CLOSE) &&
(ObjectInfo != NULL) &&
(ObjectInfo->AuditMask != 0) &&
(DesiredAccess != 0)) {
ObpAuditObjectAccess( Handle, ObjectInfo, &ObjectHeader->Type->Name, DesiredAccess );
}
ObpIncrPointerCount(ObjectHeader);// take the caller's reference while the entry is still locked
ExUnlockHandleTableEntry( HandleTable, ObjectTableEntry );
KeLeaveCriticalRegionThread(&Thread->Tcb);
*Object = &ObjectHeader->Body;// the body follows the header (lea rax,[rbp+30h] on x64)
ASSERT( *Object != NULL );
return STATUS_SUCCESS;
} else {
Status = STATUS_ACCESS_DENIED;
}
} else {
Status = STATUS_OBJECT_TYPE_MISMATCH;
}
ExUnlockHandleTableEntry( HandleTable, ObjectTableEntry );// every non-success path still releases the entry lock
} else {
Status = STATUS_INVALID_HANDLE;
}
KeLeaveCriticalRegionThread(&Thread->Tcb);// ... and the critical region
return Status;
}
&info fffff88006fcd7a0
&info.GrantedAccess fffff88006fcd7a4
fffff8a002b3a1f0
rax=fffff88006fcd7a0 rbx=fffff8a002b3a1f0 rcx=00000000001f0033
rdx=0000000000000000 rsi=fffff8a00294e740 rdi=fffffa8032076620
rip=fffff800041772d3 rsp=fffff88006fcd640 rbp=fffffa8032076b00
r8=fffff8a002b3a000 r9=000000000000007c r10=fffffa8030e4c8f0
r11=00000000001fffff r12=0000000000000000 r13=000000000000007c
r14=0000000000000001 r15=fffffa8032076b30
nt!ObReferenceObjectByHandleWithTag+0x1ed:
fffff800`041772cd 5b pop rbx
fffff800`041772ce c3 ret
fffff800`041772cf 44895804 mov dword ptr [rax+4],r11d
fffff800`041772d3 8b0b mov ecx,dword ptr [rbx]
fffff800`041772d5 83e106 and ecx,6
fffff800`041772d8 0fba630819 bt dword ptr [rbx+8],19h
fffff800`041772dd 0f828f010000 jb nt!ObReferenceObjectByHandleWithTag+0x392 (fffff800`04177472)
fffff800`041772e3 8908 mov dword ptr [rax],ecx
kd> u nt!ObReferenceObjectByHandleWithTag l 80
nt!ObReferenceObjectByHandleWithTag:
fffff800`041770e0 44884c2420 mov byte ptr [rsp+20h],r9b
fffff800`041770e5 4c89442418 mov qword ptr [rsp+18h],r8
fffff800`041770ea 89542410 mov dword ptr [rsp+10h],edx
fffff800`041770ee 53 push rbx
fffff800`041770ef 55 push rbp
fffff800`041770f0 56 push rsi
fffff800`041770f1 57 push rdi
fffff800`041770f2 4154 push r12
fffff800`041770f4 4155 push r13
fffff800`041770f6 4156 push r14
fffff800`041770f8 4157 push r15
fffff800`041770fa 4881ec88000000 sub rsp,88h
fffff800`04177101 65488b3c2588010000 mov rdi,qword ptr gs:[188h]
fffff800`0417710a 488b9c24f8000000 mov rbx,qword ptr [rsp+0F8h]
fffff800`04177112 4533e4 xor r12d,r12d
fffff800`04177115 4c8b7f70 mov r15,qword ptr [rdi+70h]
fffff800`04177119 4032ed xor bpl,bpl
fffff800`0417711c 450fb6f1 movzx r14d,r9b
fffff800`04177120 4c8923 mov qword ptr [rbx],r12
fffff800`04177123 4c8be9 mov r13,rcx
fffff800`04177126 4088ac24d0000000 mov byte ptr [rsp+0D0h],bpl
fffff800`0417712e 85c9 test ecx,ecx
fffff800`04177130 0f88e1010000 js nt!ObReferenceObjectByHandleWithTag+0x237 (fffff800`04177317)
fffff800`04177136 4c3925937bebff cmp qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`0402ecd0)],r12
fffff800`0417713d 0f85ef3cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x20220 (fffff800`040dae32)
fffff800`04177143 4c3bbf10020000 cmp r15,qword ptr [rdi+210h]
fffff800`0417714a 0f85f63cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x20234 (fffff800`040dae46)
fffff800`04177150 498bb700020000 mov rsi,qword ptr [r15+200h]
fffff800`04177157 4885f6 test rsi,rsi
fffff800`0417715a 0f84283df6ff je nt! ?? ::NNGAKEGL::`string'+0x2027e (fffff800`040dae88)
fffff800`04177160 483b3559a0ebff cmp rsi,qword ptr [nt!ObpKernelHandleTable (fffff800`040311c0)]
fffff800`04177167 0f84f43cf6ff je nt! ?? ::NNGAKEGL::`string'+0x2024f (fffff800`040dae61)
fffff800`0417716d 66ff8fc4010000 dec word ptr [rdi+1C4h]
fffff800`04177174 41f7c5fc030000 test r13d,3FCh
fffff800`0417717b 0f8402030000 je nt!ObReferenceObjectByHandleWithTag+0x3a3 (fffff800`04177483)
fffff800`04177181 418bc5 mov eax,r13d
fffff800`04177184 4c896c2430 mov qword ptr [rsp+30h],r13
fffff800`04177189 83e0fc and eax,0FFFFFFFCh
fffff800`0417718c 89442430 mov dword ptr [rsp+30h],eax
fffff800`04177190 8b465c mov eax,dword ptr [rsi+5Ch]
fffff800`04177193 4c8b4c2430 mov r9,qword ptr [rsp+30h]
fffff800`04177198 4c3bc8 cmp r9,rax
fffff800`0417719b 0f83e2020000 jae nt!ObReferenceObjectByHandleWithTag+0x3a3 (fffff800`04177483)
fffff800`041771a1 4c8b06 mov r8,qword ptr [rsi]
fffff800`041771a4 418bc8 mov ecx,r8d
fffff800`041771a7 83e103 and ecx,3
fffff800`041771aa 8bc1 mov eax,ecx
fffff800`041771ac 4c2bc0 sub r8,rax
fffff800`041771af 85c9 test ecx,ecx
fffff800`041771b1 0f853a010000 jne nt!ObReferenceObjectByHandleWithTag+0x211 (fffff800`041772f1)
fffff800`041771b7 4b8d1c88 lea rbx,[r8+r9*4]
fffff800`041771bb 4885db test rbx,rbx
fffff800`041771be 0f84c2020000 je nt!ObReferenceObjectByHandleWithTag+0x3a6 (fffff800`04177486)
fffff800`041771c4 0f0d0b prefetchw [rbx]
fffff800`041771c7 488b03 mov rax,qword ptr [rbx]
fffff800`041771ca a801 test al,1
fffff800`041771cc 0f8422020000 je nt!ObReferenceObjectByHandleWithTag+0x314 (fffff800`041773f4)
fffff800`041771d2 488d48ff lea rcx,[rax-1]
fffff800`041771d6 f0480fb10b lock cmpxchg qword ptr [rbx],rcx
fffff800`041771db 0f851c020000 jne nt!ObReferenceObjectByHandleWithTag+0x31d (fffff800`041773fd)
fffff800`041771e1 488b2b mov rbp,qword ptr [rbx]
fffff800`041771e4 4883e5f8 and rbp,0FFFFFFFFFFFFFFF8h
fffff800`041771e8 0f0d4d00 prefetchw [rbp]
fffff800`041771ec 0fb64518 movzx eax,byte ptr [rbp+18h]
fffff800`041771f0 4c8b9424e0000000 mov r10,qword ptr [rsp+0E0h]
fffff800`041771f8 488d0d41bbebff lea rcx,[nt!ObTypeIndexTable (fffff800`04032d40)]
fffff800`041771ff 41be01000000 mov r14d,1
fffff800`04177205 4c3914c1 cmp qword ptr [rcx+rax*8],r10
fffff800`04177209 0f8530010000 jne nt!ObReferenceObjectByHandleWithTag+0x25f (fffff800`0417733f)
fffff800`0417720f 448b5b08 mov r11d,dword ptr [rbx+8]
fffff800`04177213 8b8c24d8000000 mov ecx,dword ptr [rsp+0D8h]
fffff800`0417721a 410fbaf319 btr r11d,19h
fffff800`0417721f 418bc3 mov eax,r11d
fffff800`04177222 f7d0 not eax
fffff800`04177224 85c1 test ecx,eax
fffff800`04177226 0f85af010000 jne nt!ObReferenceObjectByHandleWithTag+0x2fb (fffff800`041773db)
fffff800`0417722c 44396640 cmp dword ptr [rsi+40h],r12d
fffff800`04177230 0f85983cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x202c4 (fffff800`040daece)
fffff800`04177236 498bd4 mov rdx,r12
fffff800`04177239 488b842400010000 mov rax,qword ptr [rsp+100h]
fffff800`04177241 4885c0 test rax,rax
fffff800`04177244 0f8585000000 jne nt!ObReferenceObjectByHandleWithTag+0x1ef (fffff800`041772cf)
fffff800`0417724a f60304 test byte ptr [rbx],4
fffff800`0417724d 0f85993cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x202e2 (fffff800`040daeec)
fffff800`04177253 443925bab3eaff cmp dword ptr [nt!ObpTraceFlags (fffff800`04022614)],r12d
fffff800`0417725a 0f85ba3cf6ff jne nt! ?? ::NNGAKEGL::`string'+0x20310 (fffff800`040daf1a)
fffff800`04177260 f04c017500 lock add qword ptr [rbp],r14
fffff800`04177265 488b8c24f8000000 mov rcx,qword ptr [rsp+0F8h]
fffff800`0417726d 488d4530 lea rax,[rbp+30h]
fffff800`04177271 488901 mov qword ptr [rcx],rax
fffff800`04177274 f04c0fc133 lock xadd qword ptr [rbx],r14
fffff800`04177279 488d4e30 lea rcx,[rsi+30h]
fffff800`0417727d f0830c2400 lock or dword ptr [rsp],0
fffff800`04177282 0faee8 lfence
fffff800`04177285 48833900 cmp qword ptr [rcx],0
fffff800`04177289 0f85ac010000 jne nt!ObReferenceObjectByHandleWithTag+0x35b (fffff800`0417743b)
fffff800`0417728f 0fb6ac24d0000000 movzx ebp,byte ptr [rsp+0D0h]
fffff800`04177297 668387c401000001 add word ptr [rdi+1C4h],1
fffff800`0417729f 750d jne nt!ObReferenceObjectByHandleWithTag+0x1ce (fffff800`041772ae)
fffff800`041772a1 488d4750 lea rax,[rdi+50h]
fffff800`041772a5 483900 cmp qword ptr [rax],rax
fffff800`041772a8 0f85ed010000 jne nt!ObReferenceObjectByHandleWithTag+0x3bb (fffff800`0417749b)
fffff800`041772ae 4080fd01 cmp bpl,1
fffff800`041772b2 0f842c3df6ff je nt! ?? ::NNGAKEGL::`string'+0x203e2 (fffff800`040dafe4)
fffff800`041772b8 418bc4 mov eax,r12d
fffff800`041772bb 4881c488000000 add rsp,88h
fffff800`041772c2 415f pop r15
fffff800`041772c4 415e pop r14
fffff800`041772c6 415d pop r13
fffff800`041772c8 415c pop r12
fffff800`041772ca 5f pop rdi
fffff800`041772cb 5e pop rsi
fffff800`041772cc 5d pop rbp
fffff800`041772cd 5b pop rbx
fffff800`041772ce c3 ret
fffff800`041772cf 44895804 mov dword ptr [rax+4],r11d
fffff800`041772d3 8b0b mov ecx,dword ptr [rbx]
fffff800`041772d5 83e106 and ecx,6
fffff800`041772d8 0fba630819 bt dword ptr [rbx+8],19h
fffff800`041772dd 0f828f010000 jb nt!ObReferenceObjectByHandleWithTag+0x392 (fffff800`04177472)
fffff800`041772e3 8908 mov dword ptr [rax],ecx
fffff800`041772e5 8b8c24d8000000 mov ecx,dword ptr [rsp+0D8h]
fffff800`041772ec e959ffffff jmp nt!ObReferenceObjectByHandleWithTag+0x16a (fffff800`0417724a)
fffff800`041772f1 83f901 cmp ecx,1
fffff800`041772f4 0f85983bf6ff jne nt! ?? ::NNGAKEGL::`string'+0x20288 (fffff800`040dae92)
fffff800`041772fa 498bc9 mov rcx,r9
fffff800`041772fd 81e1ff030000 and ecx,3FFh
fffff800`04177303 4c2bc9 sub r9,rcx