32位/64位WINDOWS驱动之windbg分析ObReferenceObjectByHandle取回进程句柄的过程

已于 2023-07-16 20:27:29 修改
阅读量602 收藏
点赞数
分类专栏: windbg分析 驱动开发 文章标签: windows 单片机 stm32 驱动开发 java
于 2023-07-16 19:03:01 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/a756598009/article/details/131753653
版权

32位/64位WINDOWS驱动之windbg分析ObReferenceObjectByHandle取回进程句柄的过程

`
windbg调试技巧
逆向分析
windbg访问断点
dt查看结构指令

windbg使用帮助
参考 https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/commands
.cls 清屏
u ObReferenceObjectByHandle
u ExpLookupHandleTableEntry
u NtQueryInformationProcess
ba r4 地址 //对地址下4字节访问断点

一、驱动层在进程句柄与对象句柄.c中添加断点 __debugbreak();

和调试信息
KdPrint((“yjx:SYS ObReferenceObjectByHandle break entry &info=%p\n”, &info));
KdPrint((“yjx:SYS ObReferenceObjectByHandle break ret \n”));

在这里插入图片描述

二、我们打开WinDbg连接上虚拟机,把最新驱动复制到虚拟机,加载驱动

打开驱动设备-单击获取句柄对象
在这里插入图片描述
然后就断下来了

在这里插入图片描述

K 看到堆栈
F8或F11单步走或者输入t
我们来到这个函数,K查看他的堆栈

ObReferenceObjectByHandleWithTag
 kd> u ObReferenceObjectByHandleWithTag l 100
nt!ObReferenceObjectByHandleWithTag:
fffff800`041770e0 44884c2420      mov     byte ptr [rsp+20h],r9b
fffff800`041770e5 4c89442418      mov     qword ptr [rsp+18h],r8
fffff800`041770ea 89542410        mov     dword ptr [rsp+10h],edx
fffff800`041770ee 53              push    rbx
fffff800`041770ef 55              push    rbp
fffff800`041770f0 56              push    rsi
fffff800`041770f1 57              push    rdi
fffff800`041770f2 4154            push    r12
fffff800`041770f4 4155            push    r13
fffff800`041770f6 4156            push    r14
fffff800`041770f8 4157            push    r15
fffff800`041770fa 4881ec88000000  sub     rsp,88h
fffff800`04177101 65488b3c2588010000 mov   rdi,qword ptr gs:[188h]
fffff800`0417710a 488b9c24f8000000 mov     rbx,qword ptr [rsp+0F8h]
fffff800`04177112 4533e4          xor     r12d,r12d
fffff800`04177115 4c8b7f70        mov     r15,qword ptr [rdi+70h]
fffff800`04177119 4032ed          xor     bpl,bpl
fffff800`0417711c 450fb6f1        movzx   r14d,r9b
fffff800`04177120 4c8923          mov     qword ptr [rbx],r12
fffff800`04177123 4c8be9          mov     r13,rcx
fffff800`04177126 4088ac24d0000000 mov     byte ptr [rsp+0D0h],bpl
fffff800`0417712e 85c9            test    ecx,ecx
fffff800`04177130 0f88e1010000    js      nt!ObReferenceObjectByHandleWithTag+0x237 (fffff800`04177317)
fffff800`04177136 4c3925937bebff  cmp     qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`0402ecd0)],r12
fffff800`0417713d 0f85ef3cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20220 (fffff800`040dae32)
fffff800`04177143 4c3bbf10020000  cmp     r15,qword ptr [rdi+210h]
fffff800`0417714a 0f85f63cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20234 (fffff800`040dae46)
fffff800`04177150 498bb700020000  mov     rsi,qword ptr [r15+200h]
fffff800`04177157 4885f6          test    rsi,rsi
fffff800`0417715a 0f84283df6ff    je      nt! ?? ::NNGAKEGL::`string'+0x2027e (fffff800`040dae88)
fffff800`04177160 483b3559a0ebff  cmp     rsi,qword ptr [nt!ObpKernelHandleTable (fffff800`040311c0)]
fffff800`04177167 0f84f43cf6ff    je      nt! ?? ::NNGAKEGL::`string'+0x2024f (fffff800`040dae61)
fffff800`0417716d 66ff8fc4010000  dec     word ptr [rdi+1C4h]
fffff800`04177174 41f7c5fc030000  test    r13d,3FCh
fffff800`0417717b 0f8402030000    je      nt!ObReferenceObjectByHandleWithTag+0x3a3 (fffff800`04177483)
fffff800`04177181 418bc5          mov     eax,r13d
fffff800`04177184 4c896c2430      mov     qword ptr [rsp+30h],r13
fffff800`04177189 83e0fc          and     eax,0FFFFFFFCh
fffff800`0417718c 89442430        mov     dword ptr [rsp+30h],eax
fffff800`04177190 8b465c          mov     eax,dword ptr [rsi+5Ch]
fffff800`04177193 4c8b4c2430      mov     r9,qword ptr [rsp+30h]
fffff800`04177198 4c3bc8          cmp     r9,rax
fffff800`0417719b 0f83e2020000    jae     nt!ObReferenceObjectByHandleWithTag+0x3a3 (fffff800`04177483)
fffff800`041771a1 4c8b06          mov     r8,qword ptr [rsi]
fffff800`041771a4 418bc8          mov     ecx,r8d
fffff800`041771a7 83e103          and     ecx,3
fffff800`041771aa 8bc1            mov     eax,ecx
fffff800`041771ac 4c2bc0          sub     r8,rax
fffff800`041771af 85c9            test    ecx,ecx
fffff800`041771b1 0f853a010000    jne     nt!ObReferenceObjectByHandleWithTag+0x211 (fffff800`041772f1)
fffff800`041771b7 4b8d1c88        lea     rbx,[r8+r9*4]
fffff800`041771bb 4885db          test    rbx,rbx
fffff800`041771be 0f84c2020000    je      nt!ObReferenceObjectByHandleWithTag+0x3a6 (fffff800`04177486)
fffff800`041771c4 0f0d0b          prefetchw [rbx]
fffff800`041771c7 488b03          mov     rax,qword ptr [rbx]
fffff800`041771ca a801            test    al,1
fffff800`041771cc 0f8422020000    je      nt!ObReferenceObjectByHandleWithTag+0x314 (fffff800`041773f4)
fffff800`041771d2 488d48ff        lea     rcx,[rax-1]
fffff800`041771d6 f0480fb10b      lock cmpxchg qword ptr [rbx],rcx
fffff800`041771db 0f851c020000    jne     nt!ObReferenceObjectByHandleWithTag+0x31d (fffff800`041773fd)
fffff800`041771e1 488b2b          mov     rbp,qword ptr [rbx]
fffff800`041771e4 4883e5f8        and     rbp,0FFFFFFFFFFFFFFF8h
fffff800`041771e8 0f0d4d00        prefetchw [rbp]
fffff800`041771ec 0fb64518        movzx   eax,byte ptr [rbp+18h]
fffff800`041771f0 4c8b9424e0000000 mov     r10,qword ptr [rsp+0E0h]
fffff800`041771f8 488d0d41bbebff  lea     rcx,[nt!ObTypeIndexTable (fffff800`04032d40)]
fffff800`041771ff 41be01000000    mov     r14d,1
fffff800`04177205 4c3914c1        cmp     qword ptr [rcx+rax*8],r10
fffff800`04177209 0f8530010000    jne     nt!ObReferenceObjectByHandleWithTag+0x25f (fffff800`0417733f)
fffff800`0417720f 448b5b08        mov     r11d,dword ptr [rbx+8]
fffff800`04177213 8b8c24d8000000  mov     ecx,dword ptr [rsp+0D8h]
fffff800`0417721a 410fbaf319      btr     r11d,19h
fffff800`0417721f 418bc3          mov     eax,r11d
fffff800`04177222 f7d0            not     eax
fffff800`04177224 85c1            test    ecx,eax
fffff800`04177226 0f85af010000    jne     nt!ObReferenceObjectByHandleWithTag+0x2fb (fffff800`041773db)
fffff800`0417722c 44396640        cmp     dword ptr [rsi+40h],r12d
fffff800`04177230 0f85983cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x202c4 (fffff800`040daece)
fffff800`04177236 498bd4          mov     rdx,r12
fffff800`04177239 488b842400010000 mov     rax,qword ptr [rsp+100h]
fffff800`04177241 4885c0          test    rax,rax
fffff800`04177244 0f8585000000    jne     nt!ObReferenceObjectByHandleWithTag+0x1ef (fffff800`041772cf)
fffff800`0417724a f60304          test    byte ptr [rbx],4
fffff800`0417724d 0f85993cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x202e2 (fffff800`040daeec)
fffff800`04177253 443925bab3eaff  cmp     dword ptr [nt!ObpTraceFlags (fffff800`04022614)],r12d
fffff800`0417725a 0f85ba3cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20310 (fffff800`040daf1a)
fffff800`04177260 f04c017500      lock add qword ptr [rbp],r14
fffff800`04177265 488b8c24f8000000 mov     rcx,qword ptr [rsp+0F8h]
fffff800`0417726d 488d4530        lea     rax,[rbp+30h]
fffff800`04177271 488901          mov     qword ptr [rcx],rax
fffff800`04177274 f04c0fc133      lock xadd qword ptr [rbx],r14
fffff800`04177279 488d4e30        lea     rcx,[rsi+30h]
fffff800`0417727d f0830c2400      lock or dword ptr [rsp],0
fffff800`04177282 0faee8          lfence
fffff800`04177285 48833900        cmp     qword ptr [rcx],0
fffff800`04177289 0f85ac010000    jne     nt!ObReferenceObjectByHandleWithTag+0x35b (fffff800`0417743b)
fffff800`0417728f 0fb6ac24d0000000 movzx   ebp,byte ptr [rsp+0D0h]
fffff800`04177297 668387c401000001 add     word ptr [rdi+1C4h],1
fffff800`0417729f 750d            jne     nt!ObReferenceObjectByHandleWithTag+0x1ce (fffff800`041772ae)
fffff800`041772a1 488d4750        lea     rax,[rdi+50h]
fffff800`041772a5 483900          cmp     qword ptr [rax],rax
fffff800`041772a8 0f85ed010000    jne     nt!ObReferenceObjectByHandleWithTag+0x3bb (fffff800`0417749b)
fffff800`041772ae 4080fd01        cmp     bpl,1
fffff800`041772b2 0f842c3df6ff    je      nt! ?? ::NNGAKEGL::`string'+0x203e2 (fffff800`040dafe4)
fffff800`041772b8 418bc4          mov     eax,r12d
fffff800`041772bb 4881c488000000  add     rsp,88h
fffff800`041772c2 415f            pop     r15
fffff800`041772c4 415e            pop     r14
fffff800`041772c6 415d            pop     r13
fffff800`041772c8 415c            pop     r12
fffff800`041772ca 5f              pop     rdi
fffff800`041772cb 5e              pop     rsi
fffff800`041772cc 5d              pop     rbp
fffff800`041772cd 5b              pop     rbx
fffff800`041772ce c3              ret
fffff800`041772cf 44895804        mov     dword ptr [rax+4],r11d
fffff800`041772d3 8b0b            mov     ecx,dword ptr [rbx]
fffff800`041772d5 83e106          and     ecx,6
fffff800`041772d8 0fba630819      bt      dword ptr [rbx+8],19h
fffff800`041772dd 0f828f010000    jb      nt!ObReferenceObjectByHandleWithTag+0x392 (fffff800`04177472)
fffff800`041772e3 8908            mov     dword ptr [rax],ecx
fffff800`041772e5 8b8c24d8000000  mov     ecx,dword ptr [rsp+0D8h]
fffff800`041772ec e959ffffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x16a (fffff800`0417724a)
fffff800`041772f1 83f901          cmp     ecx,1
fffff800`041772f4 0f85983bf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20288 (fffff800`040dae92)
fffff800`041772fa 498bc9          mov     rcx,r9
fffff800`041772fd 81e1ff030000    and     ecx,3FFh
fffff800`04177303 4c2bc9          sub     r9,rcx
fffff800`04177306 49c1e907        shr     r9,7
fffff800`0417730a 4b8b0401        mov     rax,qword ptr [r9+r8]
fffff800`0417730e 488d1c88        lea     rbx,[rax+rcx*4]
fffff800`04177312 e9a4feffff      jmp     nt!ObReferenceObjectByHandleWithTag+0xdb (fffff800`041771bb)
fffff800`04177317 4883f9ff        cmp     rcx,0FFFFFFFFFFFFFFFFh
fffff800`0417731b 7475            je      nt!ObReferenceObjectByHandleWithTag+0x2b2 (fffff800`04177392)
fffff800`0417731d 4883f9fe        cmp     rcx,0FFFFFFFFFFFFFFFEh
fffff800`04177321 742a            je      nt!ObReferenceObjectByHandleWithTag+0x26d (fffff800`0417734d)
fffff800`04177323 4584f6          test    r14b,r14b
fffff800`04177326 0f855c3bf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x2027e (fffff800`040dae88)
fffff800`0417732c 488b358d9eebff  mov     rsi,qword ptr [nt!ObpKernelHandleTable (fffff800`040311c0)]
fffff800`04177333 4981f500000080  xor     r13,0FFFFFFFF80000000h
fffff800`0417733a e92efeffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x8d (fffff800`0417716d)
fffff800`0417733f 4d85d2          test    r10,r10
fffff800`04177342 0f84c7feffff    je      nt!ObReferenceObjectByHandleWithTag+0x12f (fffff800`0417720f)
fffff800`04177348 e9763bf6ff      jmp     nt! ?? ::NNGAKEGL::`string'+0x202b9 (fffff800`040daec3)
fffff800`0417734d 4c3b05fc0cf4ff  cmp     r8,qword ptr [nt!PsThreadType (fffff800`040b8050)]
fffff800`04177354 0f85863af6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x201ce (fffff800`040dade0)
fffff800`0417735a f7c20000e0ff    test    edx,0FFE00000h
fffff800`04177360 0f85883af6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x201dc (fffff800`040dadee)
fffff800`04177366 488b842400010000 mov     rax,qword ptr [rsp+100h]
fffff800`0417736e 4885c0          test    rax,rax
fffff800`04177371 0f85813af6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x201e6 (fffff800`040dadf8)
fffff800`04177377 44392596b2eaff  cmp     dword ptr [nt!ObpTraceFlags (fffff800`04022614)],r12d
fffff800`0417737e 0f85833af6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x201f5 (fffff800`040dae07)
fffff800`04177384 f0488347d001    lock add qword ptr [rdi-30h],1
fffff800`0417738a 48893b          mov     qword ptr [rbx],rdi
fffff800`0417738d e926ffffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x1d8 (fffff800`041772b8)
fffff800`04177392 4c3b05870cf4ff  cmp     r8,qword ptr [nt!PsProcessType (fffff800`040b8020)]
fffff800`04177399 0f85bf000000    jne     nt!ObReferenceObjectByHandleWithTag+0x37e (fffff800`0417745e)
fffff800`0417739f 488b7770        mov     rsi,qword ptr [rdi+70h]
fffff800`041773a3 f7c20000e0ff    test    edx,0FFE00000h
fffff800`041773a9 0f85e339f6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20180 (fffff800`040dad92)
fffff800`041773af 488b842400010000 mov     rax,qword ptr [rsp+100h]
fffff800`041773b7 4885c0          test    rax,rax
fffff800`041773ba 0f85e639f6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20194 (fffff800`040dada6)
fffff800`041773c0 4439254db2eaff  cmp     dword ptr [nt!ObpTraceFlags (fffff800`04022614)],r12d
fffff800`041773c7 0f85e839f6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x201a3 (fffff800`040dadb5)
fffff800`041773cd f0488346d001    lock add qword ptr [rsi-30h],1
fffff800`041773d3 488933          mov     qword ptr [rbx],rsi
fffff800`041773d6 e9ddfeffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x1d8 (fffff800`041772b8)
fffff800`041773db 4438a424e8000000 cmp     byte ptr [rsp+0E8h],r12b
fffff800`041773e3 0f8443feffff    je      nt!ObReferenceObjectByHandleWithTag+0x14c (fffff800`0417722c)
fffff800`041773e9 41bc220000c0    mov     r12d,0C0000022h
fffff800`041773ef e980feffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x194 (fffff800`04177274)
fffff800`041773f4 4885c0          test    rax,rax
fffff800`041773f7 0f8489000000    je      nt!ObReferenceObjectByHandleWithTag+0x3a6 (fffff800`04177486)
fffff800`041773fd 488d4e30        lea     rcx,[rsi+30h]
fffff800`04177401 c744247402000000 mov     dword ptr [rsp+74h],2
fffff800`04177409 0f0d09          prefetchw [rcx]
fffff800`0417740c 488b01          mov     rax,qword ptr [rcx]
fffff800`0417740f 4889442458      mov     qword ptr [rsp+58h],rax
fffff800`04177414 488d542440      lea     rdx,[rsp+40h]
fffff800`04177419 f0480fb111      lock cmpxchg qword ptr [rcx],rdx
fffff800`0417741e 75ef            jne     nt!ObReferenceObjectByHandleWithTag+0x32f (fffff800`0417740f)
fffff800`04177420 488b03          mov     rax,qword ptr [rbx]
fffff800`04177423 4885c0          test    rax,rax
fffff800`04177426 741f            je      nt!ObReferenceObjectByHandleWithTag+0x367 (fffff800`04177447)
fffff800`04177428 a801            test    al,1
fffff800`0417742a 751b            jne     nt!ObReferenceObjectByHandleWithTag+0x367 (fffff800`04177447)
fffff800`0417742c 488d542440      lea     rdx,[rsp+40h]
fffff800`04177431 e86aadcbff      call    nt!ExWaitForUnblockPushLock (fffff800`03e321a0)
fffff800`04177436 e989fdffff      jmp     nt!ObReferenceObjectByHandleWithTag+0xe4 (fffff800`041771c4)
fffff800`0417743b 33d2            xor     edx,edx
fffff800`0417743d e8ce3accff      call    nt!ExfUnblockPushLock (fffff800`03e3af10)
fffff800`04177442 e948feffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x1af (fffff800`0417728f)
fffff800`04177447 f044092424      lock or dword ptr [rsp],r12d
fffff800`0417744c 0faee8          lfence
fffff800`0417744f 488d542440      lea     rdx,[rsp+40h]
fffff800`04177454 e8b73accff      call    nt!ExfUnblockPushLock (fffff800`03e3af10)
fffff800`04177459 e966fdffff      jmp     nt!ObReferenceObjectByHandleWithTag+0xe4 (fffff800`041771c4)
fffff800`0417745e 4d85c0          test    r8,r8
fffff800`04177461 0f8438ffffff    je      nt!ObReferenceObjectByHandleWithTag+0x2bf (fffff800`0417739f)
fffff800`04177467 41bc240000c0    mov     r12d,0C0000024h
fffff800`0417746d e946feffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x1d8 (fffff800`041772b8)
fffff800`04177472 410bce          or      ecx,r14d
fffff800`04177475 8908            mov     dword ptr [rax],ecx
fffff800`04177477 8b8c24d8000000  mov     ecx,dword ptr [rsp+0D8h]
fffff800`0417747e e9c7fdffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x16a (fffff800`0417724a)
fffff800`04177483 498bdc          mov     rbx,r12
fffff800`04177486 4c396638        cmp     qword ptr [rsi+38h],r12
fffff800`0417748a 0f85b13af6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20337 (fffff800`040daf41)
fffff800`04177490 41bc080000c0    mov     r12d,0C0000008h
fffff800`04177496 e9fcfdffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x1b7 (fffff800`04177297)
fffff800`0417749b 6683bfc601000000 cmp     word ptr [rdi+1C6h],0
fffff800`041774a3 0f8505feffff    jne     nt!ObReferenceObjectByHandleWithTag+0x1ce (fffff800`041772ae)
fffff800`041774a9 e8c269cbff      call    nt!KiCheckForKernelApcDelivery (fffff800`03e2de70)
fffff800`041774ae e9fbfdffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x1ce (fffff800`041772ae)
fffff800`041774b3 90              nop
fffff800`041774b4 90              nop
fffff800`041774b5 90              nop
fffff800`041774b6 90              nop
fffff800`041774b7 90              nop
fffff800`041774b8 90              nop
fffff800`041774b9 90              nop
fffff800`041774ba 90              nop
fffff800`041774bb 90              nop
fffff800`041774bc 90              nop
fffff800`041774bd 90              nop
fffff800`041774be 90              nop
fffff800`041774bf 90              nop



大槪就是看这个句柄是当前进程的句柄还是当前线程的句柄,
最后再看看这AccessMode是内核还是用户态下,内核的话,
句柄表就用ObpKernelHandleTable,
用户态的话就用当前进程的句柄表

NTSTATUS
ObReferenceObjectByHandle (
    __in HANDLE Handle,
    __in ACCESS_MASK DesiredAccess,
    __in_opt POBJECT_TYPE ObjectType,
    __in KPROCESSOR_MODE AccessMode,
    __out PVOID *Object,
    __out_opt POBJECT_HANDLE_INFORMATION HandleInformation
    )

/*++

Routine Description:

    Given a handle to an object this routine returns a pointer
    to the body of the object with proper ref counts

Arguments:

    Handle - Supplies a handle to the object being referenced. It can
        also be the result of NtCurrentProcess or NtCurrentThread

    DesiredAccess - Supplies the access being requested by the caller

    ObjectType - Optionally supplies the type of the object we
        are expecting

    AccessMode - Supplies the processor mode of the access

    Object - Receives a pointer to the object body if the operation
        is successful

    HandleInformation - Optionally receives information regarding the
        input handle.

Return Value:

    An appropriate NTSTATUS value

--*/

{
    ACCESS_MASK GrantedAccess;
    PHANDLE_TABLE HandleTable;
    POBJECT_HEADER ObjectHeader;
    PHANDLE_TABLE_ENTRY ObjectTableEntry;
    PEPROCESS Process;
    NTSTATUS Status;
    PETHREAD Thread;

    ObpValidateIrql("ObReferenceObjectByHandle");

    Thread = PsGetCurrentThread ();//得到调用ObReferenceObjectByHandle当前线程
    *Object = NULL;

    //
    // Check is this handle is a kernel handle or one of the two builtin pseudo handles
    //FFFFFFFF 7FFF FFFF 
    if ((LONG)(ULONG_PTR) Handle < 0) { //-1 -2 FFFFFFFF  FFFFFFFF   FFFFFFFF  FFFFFFFE //0x78 0x7C 0x80
        //
        // If the handle is equal to the current process handle and the object
        // type is NULL or type process, then attempt to translate a handle to
        // the current process. Otherwise, check if the handle is the current
        // thread handle.
        //

        if (Handle == NtCurrentProcess()) {   //如果句柄等于当前进程的句柄

            if ((ObjectType == PsProcessType) || (ObjectType == NULL)) {

                Process = PsGetCurrentProcessByThread(Thread);//得到当前Eprocess对象
                GrantedAccess = Process->GrantedAccess;

                if ((SeComputeDeniedAccesses(GrantedAccess, DesiredAccess) == 0) ||
                    (AccessMode == KernelMode)) {

                    ObjectHeader = OBJECT_TO_OBJECT_HEADER(Process);//得到Eprocess对象头

                    if (ARGUMENT_PRESENT(HandleInformation)) {

                        HandleInformation->GrantedAccess = GrantedAccess;
                        HandleInformation->HandleAttributes = 0;
                    }

                    ObpIncrPointerCount(ObjectHeader);//增加对象引用计数
                    *Object = Process;//返回对象体指针

                    ASSERT( *Object != NULL );

                    Status = STATUS_SUCCESS;

                } else {

                    Status = STATUS_ACCESS_DENIED;
                }

            } else {

                Status = STATUS_OBJECT_TYPE_MISMATCH;
            }

            return Status;

        //
        // If the handle is equal to the current thread handle and the object
        // type is NULL or type thread, then attempt to translate a handle to
        // the current thread. Otherwise, the we'll try and translate the
        // handle
        //

        } else if (Handle == NtCurrentThread()) {

            if ((ObjectType == PsThreadType) || (ObjectType == NULL)) {

                GrantedAccess = Thread->GrantedAccess;

                if ((SeComputeDeniedAccesses(GrantedAccess, DesiredAccess) == 0) ||
                    (AccessMode == KernelMode)) {

                    ObjectHeader = OBJECT_TO_OBJECT_HEADER(Thread);//得到当前线程的对象头

                    if (ARGUMENT_PRESENT(HandleInformation)) {

                        HandleInformation->GrantedAccess = GrantedAccess;
                        HandleInformation->HandleAttributes = 0;
                    }

                    ObpIncrPointerCount(ObjectHeader);//增加对象头的引用计数
                    *Object = Thread;//返回对象体指针

                    ASSERT( *Object != NULL );

                    Status = STATUS_SUCCESS;

                } else {

                    Status = STATUS_ACCESS_DENIED;
                }

            } else {

                Status = STATUS_OBJECT_TYPE_MISMATCH;
            }

            return Status;

        } else if (AccessMode == KernelMode)//如果是在内核模式调用的
                            {
            //
            // Make the handle look like a regular handle
            //

            Handle = DecodeKernelHandle( Handle );

            //
            // The global kernel handle table
            //

            HandleTable = ObpKernelHandleTable;
        } else {
            //
            // The previous mode was user for this kernel handle value. Reject it here.
            //

            return STATUS_INVALID_HANDLE;
        }

    } else 
	{ //这里  PsGetCurrentProcessByThread(Thread) PEPROCESS
      // +0x200 ObjectTable      : Ptr64 _HANDLE_TABLE //win7
      //下载当前内核版本对应的pdb文件 符号文件
        HandleTable = PsGetCurrentProcessByThread(Thread)->ObjectTable;//否则的话等于当前调用进程的句柄表
    }

    ASSERT(HandleTable != NULL);

    //
    // Protect this thread from being suspended while we hold the handle table entry lock
    //

    KeEnterCriticalRegionThread(&Thread->Tcb);

    //
    // Translate the specified handle to an object table index.
    //
  //AccessMode UserMode KernelMode
    ObjectTableEntry = ExMapHandleToPointerEx ( HandleTable, Handle, AccessMode );//得到Handle_Table_Entry结构指针

    //
    // Make sure the object table entry really does exist
    //

    if (ObjectTableEntry != NULL) {

        ObjectHeader = (POBJECT_HEADER)(((ULONG_PTR)(ObjectTableEntry->Object)) & ~OBJ_HANDLE_ATTRIBUTES);//得到对象头

        //
        // Optimize for a successful reference by bringing the object header
        // into the cache exclusive.
        //

        ReadForWriteAccess(ObjectHeader);
        if ((ObjectHeader->Type == ObjectType) || (ObjectType == NULL)) {

#if i386
            if (NtGlobalFlag & FLG_KERNEL_STACK_TRACE_DB) {

                GrantedAccess = ObpTranslateGrantedAccessIndex( ObjectTableEntry->GrantedAccessIndex );

            } else {

                GrantedAccess = ObpDecodeGrantedAccess(ObjectTableEntry->GrantedAccess);
            }
#else
            GrantedAccess = ObpDecodeGrantedAccess(ObjectTableEntry->GrantedAccess);

#endif // i386

            if ((SeComputeDeniedAccesses(GrantedAccess, DesiredAccess) == 0) ||
                (AccessMode == KernelMode)) {

                PHANDLE_TABLE_ENTRY_INFO ObjectInfo;

                ObjectInfo = ExGetHandleInfo(HandleTable, Handle, TRUE);

                //
                // Access to the object is allowed. Return the handle
                // information is requested, increment the object
                // pointer count, unlock the handle table and return
                // a success status.
                //
                // Note that this is the only successful return path
                // out of this routine if the user did not specify
                // the current process or current thread in the input
                // handle.
                //

                if (ARGUMENT_PRESENT(HandleInformation)) {

                    HandleInformation->GrantedAccess = GrantedAccess;//权限 0x1FFFFF
                    HandleInformation->HandleAttributes = ObpGetHandleAttributes(ObjectTableEntry);
                }

                //
                // If this object was audited when it was opened, it may
                // be necessary to generate an audit now. Check the audit
                // mask that was saved when the handle was created.
                //
                // It is safe to do this check in a non-atomic fashion,
                // because bits will never be added to this mask once it is
                // created.
                //

                if ( (ObjectTableEntry->ObAttributes & OBJ_AUDIT_OBJECT_CLOSE) &&
                     (ObjectInfo != NULL) &&
                     (ObjectInfo->AuditMask != 0) &&
                     (DesiredAccess != 0)) {

                     
                      ObpAuditObjectAccess( Handle, ObjectInfo, &ObjectHeader->Type->Name, DesiredAccess );
                }

                ObpIncrPointerCount(ObjectHeader);

                ExUnlockHandleTableEntry( HandleTable, ObjectTableEntry );

                KeLeaveCriticalRegionThread(&Thread->Tcb);

                *Object = &ObjectHeader->Body;

                ASSERT( *Object != NULL );

                return STATUS_SUCCESS;

            } else {

                Status = STATUS_ACCESS_DENIED;
            }

        } else {

            Status = STATUS_OBJECT_TYPE_MISMATCH;
        }

        ExUnlockHandleTableEntry( HandleTable, ObjectTableEntry );

    } else {

        Status = STATUS_INVALID_HANDLE;
    }

    KeLeaveCriticalRegionThread(&Thread->Tcb);


    return Status;
}

 
 &info fffff88006fcd7a0
 &info.GrantedAccess fffff88006fcd7a4
 fffff8a002b3a1f0
 
rax=fffff88006fcd7a0 rbx=fffff8a002b3a1f0 rcx=00000000001f0033
rdx=0000000000000000 rsi=fffff8a00294e740 rdi=fffffa8032076620
rip=fffff800041772d3 rsp=fffff88006fcd640 rbp=fffffa8032076b00
 r8=fffff8a002b3a000  r9=000000000000007c r10=fffffa8030e4c8f0
r11=00000000001fffff r12=0000000000000000 r13=000000000000007c
r14=0000000000000001 r15=fffffa8032076b30

nt!ObReferenceObjectByHandleWithTag+0x1ed:
fffff800`041772cd 5b              pop     rbx
fffff800`041772ce c3              ret
fffff800`041772cf 44895804        mov     dword ptr [rax+4],r11d
fffff800`041772d3 8b0b            mov     ecx,dword ptr [rbx]
fffff800`041772d5 83e106          and     ecx,6
fffff800`041772d8 0fba630819      bt      dword ptr [rbx+8],19h
fffff800`041772dd 0f828f010000    jb      nt!ObReferenceObjectByHandleWithTag+0x392 (fffff800`04177472)
fffff800`041772e3 8908            mov     dword ptr [rax],ecx



: kd> u nt!ObReferenceObjectByHandleWithTag l 80
nt!ObReferenceObjectByHandleWithTag:
fffff800`041770e0 44884c2420      mov     byte ptr [rsp+20h],r9b
fffff800`041770e5 4c89442418      mov     qword ptr [rsp+18h],r8
fffff800`041770ea 89542410        mov     dword ptr [rsp+10h],edx
fffff800`041770ee 53              push    rbx
fffff800`041770ef 55              push    rbp
fffff800`041770f0 56              push    rsi
fffff800`041770f1 57              push    rdi
fffff800`041770f2 4154            push    r12
fffff800`041770f4 4155            push    r13
fffff800`041770f6 4156            push    r14
fffff800`041770f8 4157            push    r15
fffff800`041770fa 4881ec88000000  sub     rsp,88h
fffff800`04177101 65488b3c2588010000 mov   rdi,qword ptr gs:[188h]
fffff800`0417710a 488b9c24f8000000 mov     rbx,qword ptr [rsp+0F8h]
fffff800`04177112 4533e4          xor     r12d,r12d
fffff800`04177115 4c8b7f70        mov     r15,qword ptr [rdi+70h]
fffff800`04177119 4032ed          xor     bpl,bpl
fffff800`0417711c 450fb6f1        movzx   r14d,r9b
fffff800`04177120 4c8923          mov     qword ptr [rbx],r12
fffff800`04177123 4c8be9          mov     r13,rcx
fffff800`04177126 4088ac24d0000000 mov     byte ptr [rsp+0D0h],bpl
fffff800`0417712e 85c9            test    ecx,ecx
fffff800`04177130 0f88e1010000    js      nt!ObReferenceObjectByHandleWithTag+0x237 (fffff800`04177317)
fffff800`04177136 4c3925937bebff  cmp     qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`0402ecd0)],r12
fffff800`0417713d 0f85ef3cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20220 (fffff800`040dae32)
fffff800`04177143 4c3bbf10020000  cmp     r15,qword ptr [rdi+210h]
fffff800`0417714a 0f85f63cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20234 (fffff800`040dae46)
fffff800`04177150 498bb700020000  mov     rsi,qword ptr [r15+200h]
fffff800`04177157 4885f6          test    rsi,rsi
fffff800`0417715a 0f84283df6ff    je      nt! ?? ::NNGAKEGL::`string'+0x2027e (fffff800`040dae88)
fffff800`04177160 483b3559a0ebff  cmp     rsi,qword ptr [nt!ObpKernelHandleTable (fffff800`040311c0)]
fffff800`04177167 0f84f43cf6ff    je      nt! ?? ::NNGAKEGL::`string'+0x2024f (fffff800`040dae61)
fffff800`0417716d 66ff8fc4010000  dec     word ptr [rdi+1C4h]
fffff800`04177174 41f7c5fc030000  test    r13d,3FCh
fffff800`0417717b 0f8402030000    je      nt!ObReferenceObjectByHandleWithTag+0x3a3 (fffff800`04177483)
fffff800`04177181 418bc5          mov     eax,r13d
fffff800`04177184 4c896c2430      mov     qword ptr [rsp+30h],r13
fffff800`04177189 83e0fc          and     eax,0FFFFFFFCh
fffff800`0417718c 89442430        mov     dword ptr [rsp+30h],eax
fffff800`04177190 8b465c          mov     eax,dword ptr [rsi+5Ch]
fffff800`04177193 4c8b4c2430      mov     r9,qword ptr [rsp+30h]
fffff800`04177198 4c3bc8          cmp     r9,rax
fffff800`0417719b 0f83e2020000    jae     nt!ObReferenceObjectByHandleWithTag+0x3a3 (fffff800`04177483)
fffff800`041771a1 4c8b06          mov     r8,qword ptr [rsi]
fffff800`041771a4 418bc8          mov     ecx,r8d
fffff800`041771a7 83e103          and     ecx,3
fffff800`041771aa 8bc1            mov     eax,ecx
fffff800`041771ac 4c2bc0          sub     r8,rax
fffff800`041771af 85c9            test    ecx,ecx
fffff800`041771b1 0f853a010000    jne     nt!ObReferenceObjectByHandleWithTag+0x211 (fffff800`041772f1)
fffff800`041771b7 4b8d1c88        lea     rbx,[r8+r9*4]
fffff800`041771bb 4885db          test    rbx,rbx
fffff800`041771be 0f84c2020000    je      nt!ObReferenceObjectByHandleWithTag+0x3a6 (fffff800`04177486)
fffff800`041771c4 0f0d0b          prefetchw [rbx]
fffff800`041771c7 488b03          mov     rax,qword ptr [rbx]
fffff800`041771ca a801            test    al,1
fffff800`041771cc 0f8422020000    je      nt!ObReferenceObjectByHandleWithTag+0x314 (fffff800`041773f4)
fffff800`041771d2 488d48ff        lea     rcx,[rax-1]
fffff800`041771d6 f0480fb10b      lock cmpxchg qword ptr [rbx],rcx
fffff800`041771db 0f851c020000    jne     nt!ObReferenceObjectByHandleWithTag+0x31d (fffff800`041773fd)
fffff800`041771e1 488b2b          mov     rbp,qword ptr [rbx]
fffff800`041771e4 4883e5f8        and     rbp,0FFFFFFFFFFFFFFF8h
fffff800`041771e8 0f0d4d00        prefetchw [rbp]
fffff800`041771ec 0fb64518        movzx   eax,byte ptr [rbp+18h]
fffff800`041771f0 4c8b9424e0000000 mov     r10,qword ptr [rsp+0E0h]
fffff800`041771f8 488d0d41bbebff  lea     rcx,[nt!ObTypeIndexTable (fffff800`04032d40)]
fffff800`041771ff 41be01000000    mov     r14d,1
fffff800`04177205 4c3914c1        cmp     qword ptr [rcx+rax*8],r10
fffff800`04177209 0f8530010000    jne     nt!ObReferenceObjectByHandleWithTag+0x25f (fffff800`0417733f)
fffff800`0417720f 448b5b08        mov     r11d,dword ptr [rbx+8]
fffff800`04177213 8b8c24d8000000  mov     ecx,dword ptr [rsp+0D8h]
fffff800`0417721a 410fbaf319      btr     r11d,19h
fffff800`0417721f 418bc3          mov     eax,r11d
fffff800`04177222 f7d0            not     eax
fffff800`04177224 85c1            test    ecx,eax
fffff800`04177226 0f85af010000    jne     nt!ObReferenceObjectByHandleWithTag+0x2fb (fffff800`041773db)
fffff800`0417722c 44396640        cmp     dword ptr [rsi+40h],r12d
fffff800`04177230 0f85983cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x202c4 (fffff800`040daece)
fffff800`04177236 498bd4          mov     rdx,r12
fffff800`04177239 488b842400010000 mov     rax,qword ptr [rsp+100h]
fffff800`04177241 4885c0          test    rax,rax
fffff800`04177244 0f8585000000    jne     nt!ObReferenceObjectByHandleWithTag+0x1ef (fffff800`041772cf)
fffff800`0417724a f60304          test    byte ptr [rbx],4
fffff800`0417724d 0f85993cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x202e2 (fffff800`040daeec)
fffff800`04177253 443925bab3eaff  cmp     dword ptr [nt!ObpTraceFlags (fffff800`04022614)],r12d
fffff800`0417725a 0f85ba3cf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20310 (fffff800`040daf1a)
fffff800`04177260 f04c017500      lock add qword ptr [rbp],r14
fffff800`04177265 488b8c24f8000000 mov     rcx,qword ptr [rsp+0F8h]
fffff800`0417726d 488d4530        lea     rax,[rbp+30h]
fffff800`04177271 488901          mov     qword ptr [rcx],rax
fffff800`04177274 f04c0fc133      lock xadd qword ptr [rbx],r14
fffff800`04177279 488d4e30        lea     rcx,[rsi+30h]
fffff800`0417727d f0830c2400      lock or dword ptr [rsp],0
fffff800`04177282 0faee8          lfence
fffff800`04177285 48833900        cmp     qword ptr [rcx],0
fffff800`04177289 0f85ac010000    jne     nt!ObReferenceObjectByHandleWithTag+0x35b (fffff800`0417743b)
fffff800`0417728f 0fb6ac24d0000000 movzx   ebp,byte ptr [rsp+0D0h]
fffff800`04177297 668387c401000001 add     word ptr [rdi+1C4h],1
fffff800`0417729f 750d            jne     nt!ObReferenceObjectByHandleWithTag+0x1ce (fffff800`041772ae)
fffff800`041772a1 488d4750        lea     rax,[rdi+50h]
fffff800`041772a5 483900          cmp     qword ptr [rax],rax
fffff800`041772a8 0f85ed010000    jne     nt!ObReferenceObjectByHandleWithTag+0x3bb (fffff800`0417749b)
fffff800`041772ae 4080fd01        cmp     bpl,1
fffff800`041772b2 0f842c3df6ff    je      nt! ?? ::NNGAKEGL::`string'+0x203e2 (fffff800`040dafe4)
fffff800`041772b8 418bc4          mov     eax,r12d
fffff800`041772bb 4881c488000000  add     rsp,88h
fffff800`041772c2 415f            pop     r15
fffff800`041772c4 415e            pop     r14
fffff800`041772c6 415d            pop     r13
fffff800`041772c8 415c            pop     r12
fffff800`041772ca 5f              pop     rdi
fffff800`041772cb 5e              pop     rsi
fffff800`041772cc 5d              pop     rbp
fffff800`041772cd 5b              pop     rbx
fffff800`041772ce c3              ret
fffff800`041772cf 44895804        mov     dword ptr [rax+4],r11d
fffff800`041772d3 8b0b            mov     ecx,dword ptr [rbx]
fffff800`041772d5 83e106          and     ecx,6
fffff800`041772d8 0fba630819      bt      dword ptr [rbx+8],19h
fffff800`041772dd 0f828f010000    jb      nt!ObReferenceObjectByHandleWithTag+0x392 (fffff800`04177472)
fffff800`041772e3 8908            mov     dword ptr [rax],ecx
fffff800`041772e5 8b8c24d8000000  mov     ecx,dword ptr [rsp+0D8h]
fffff800`041772ec e959ffffff      jmp     nt!ObReferenceObjectByHandleWithTag+0x16a (fffff800`0417724a)
fffff800`041772f1 83f901          cmp     ecx,1
fffff800`041772f4 0f85983bf6ff    jne     nt! ?? ::NNGAKEGL::`string'+0x20288 (fffff800`040dae92)
fffff800`041772fa 498bc9          mov     rcx,r9
fffff800`041772fd 81e1ff030000    and     ecx,3FFh
fffff800`04177303 4c2bc9          sub     r9,rcx
a756598009
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
通过ObReferenceObjectByHandle了解进程句柄三张表
qq_41610493的博客
04-05 915
逆向实战
inline hook ObReferenceObjectByHandle 程序代码
05-25
windows 驱动层,inline hook 简单的示例程序。其实是看了“详谈内核三步走Inline Hook实现“,网上的一篇文章做的一个示例程序,只做了第一个, hook ObReferenceObjectByHandle.里面还有一个说明文件。我想这可以作为inline hook 的入门,找找感觉。
ObReferenceObjectByHandle() 函数简略分析
93Storm
01-01 6048
原文链接 1. 逆向出来的 ObReferenceObjectByHandle() 函数实现 这个函数的实现请参考这个文章:ObReferenceObjectByHandle() 函数,这里不再重复贴出。 这个函数的原型是: NTSTATUS ObReferenceObjectByHandle( IN HANDLE Handle, IN ACCESS_MASK Desi
ObReferenceObjectByHandle内核函数
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
05-07 1498
大槪就是看这个句柄是当前进程句柄还是当前线程的句柄,最后再看看这AccessMode是内核还是用户态下,内核的话,句柄表就用ObpKernelHandleTable,用户态的话就用当前进程句柄表 NTSTATUS ObReferenceObjectByHandle (     __in HANDLE Handle,     __in ACCESS_MASK DesiredAccess,
ObReferenceObjectByHandle
zacklin的专栏
05-09 2566
调用方传递给驱动程序的句柄不会经过 I/O 管理器,因此 I/O 管理器不对这类句柄执行任何验证检查。决不要假设一个句柄有效;始终确保句柄拥有正确的对象类型、对于所需任务的合适的访问权、正确的访问模式,并且访问模式与请求的访问兼容。 驱动程序应该谨慎使用句柄,特别是那些从用户模式应用程序接收到的句柄。第一,这种句柄特定于进程上下文,因此它们仅在打开句柄进程中有效。当从不同的进程上下文或工作线程
winDBG 32位64位版本
10-18
4. 功能对比:32位64位版本的WinDbg在功能上基本保持一致,都提供了丰富的调试命令、图形用户界面、内存检查、崩溃转储分析等高级功能。然而,由于64位系统拥有更大的地址空间,64位WinDbg在处理大量数据时可能会...
windbg适用于win7系统,亲测32位64位可用
04-23
它在Windows 7系统上表现出色,无论是32位(x86)还是64位(x64)版本,都能顺利运行。在本文中,我们将深入探讨Windbg的核心功能、使用场景以及如何在Win7系统上进行配置和使用。 1. Windbg的主要功能: - **崩溃...
windbg 6.11 6.12 32位64位
09-03
The Windows debuggers can run on x86-based, x64-based, or ARM-based processors, and they can debug code that's running on x86-based, x64-based, or ARM-based processors. Sometimes the debugger and the ...
windbg10.0调试工具32位/64位版本下载
08-01
inDbg是在windows平台下,强大的用户态和内核态调试工具。它能够通过dmp文件轻松的定位到问题根源,可用于分析蓝屏、程序崩溃(IE崩溃)原因,是我们日常工作中必不可少的一个有力工具,学会使用它,将有效提升我们...
Windbg 调试工具64位32位安装包
02-28
Windbg调试工具是一款由微软开发的强大调试器,用于分析、诊断和排查Windows系统及应用程序的错误,特别是针对系统内核和驱动程序的问题。它在软件开发者、系统管理员和安全研究人员中广泛使用,因其丰富的功能和...
自己尝试还原的ObReferenceObjectByHandle
pureman_mega的博客
01-05 1173
ObReferencObjectByHandle()这个函数从字面上看就可以知道是通过句柄Handle)来访问对象。还原的过程中对汇编语言强大又有了进一步的认识,其效率之高令人惊叹,每个寄存器的使用都是那么的精妙绝伦,相同或类似的功能的代码很少重复出现。效率高的代价就是可读性较差,和C代码相比就会表现出巨大的差异;但是对于那些比较熟悉这两种语言的高手来说,随意在两者之间切换应该不是什么问题,而我看
ObReferenceObjectByHandle例程
mofabang的专栏
11-18 3009
ObReferenceObjectByHandle例程
Dissecting the Windows Kernel - 关于ObReferenceObjectByHandle中对句柄的处理
StanfordZhang的专栏
11-18 4425
Dissecting the Windows Kernel -   关于ObReferenceObjectByHandle中对句柄的处理 一、   摘要 在开发一个 Anti-Rootkit工具中的枚举进程句柄时,发现枚举System Process进程句柄信息在Windows XP和Windows 7/8的处理细节有一些不一样,遂想刨根问底,一探究竟。在获取句柄对象名和类型名的时候都会使
函数......ObReferenceObjectByHandle
天蓝的专栏
12-10 6161
ObReferenceObjectByHandle函数来获得这个Handle对应的FileObject。我们只能给FileObject发送IRP。 stat=ObReferenceObjectByHandle(handle,GENERIC_READ,*IoFileObjectType,KernelMode,(PVOID*)&fileob,0);ObReferenceObjectByHandle(
深入分析Win7的对象引用跟踪机制
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
07-26 1396
深入分析Win7的对象引用跟踪机制 2010年09月12日 19:34 Win7的内核新增了一系列带有Tag参数的对象增加引用(Refrence)/减少引用(Derefrence)函数,更易于找出对象使用中的“泄漏”(即Refrence和Derefrence次数不匹配)。 在Win7中,以下所有不带Tag的函数均使用一个默认的Tag("tlfD")直接调用带Tag参数
32位/64位WINDOWS驱动windbg双机调试
最新发布
a756598009的博客
06-24 3590
windbg双机调试环境配置第一步关掉虚拟机如果有打印机请移除打印机(打印机会占用端口)添加-添加串行端口-完成选择使用命名的通道-名字为 \.\pipe\abc123(对应下面的COM1) -确定-在开启虚拟机在虚拟机命令行里面输入 msconfig 来到系统配置 -引导-第二个高级选项 -勾选调试-勾选调试窗口-选择COM1;-确认-重新启动-启动的时候选择下面的调试系统来到自己电脑系统搜索windbg
ObReferenceObjectByPointer
pureman_mega的博客
01-06 648
ObReferenceObjectByPointerWithTag()例程介绍参考ddk文档。这个函数和ObReferenceObjectByHandleWithTag()最后要完成的任务是一样的—“ReferenceObejct”,只不过方法不一样。通过指针引用对象相对通过句柄来说,逻辑要简单得多,可以将二者结合起来看,上一个写的不清楚的地方在这里可能有答案。 lkd> dt nt!_object
windbg 32位64位区别
05-31
Windbg是一种用于Windows操作系统的调试器,它有32位64位两个版本。主要的区别在于: 1. 支持的目标操作系统版本不同。Windbg 32位版本仅支持32位Windows操作系统,而Windbg 64位版本则支持64位Windows操作系统。 2. 支持的调试器类型不同。Windbg 32位版本只能用于调试32位的应用程序,而Windbg 64位版本可以用于调试32位64位的应用程序。 3. 支持的内存访问空间不同。Windbg 32位版本只能访问32位的内存空间,而Windbg 64位版本可以访问64位的内存空间。 4. 支持的命令集不同。Windbg 64位版本支持更多的命令,可以更好地支持64位应用程序的调试。 总之,Windbg 32位版本适用于32位Windows操作系统和32位的应用程序,而Windbg 64位版本则适用于64位Windows操作系统和64位的应用程序。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

a756598009

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值