ObReferenceObjectByPointerWithTag()例程介绍参考ddk文档。这个函数和ObReferenceObjectByHandleWithTag()最后要完成的任务是一样的—“ReferenceObject”,只不过方法不一样。通过指针引用对象相对通过句柄来说,逻辑要简单得多,可以将二者结合起来看,上一个写的不清楚的地方在这里可能有答案。
lkd> dt nt!_object_header (win7 32)不同版本可能有变动
+0x000 PointerCount : Int4B //与'ByPointer'相关
+0x004 HandleCount : Int4B //与'ByHandle'相关
+0x004 NextToFree : Ptr32 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : UChar //要用到的
+0x00d TraceFlags : UChar //两个成员
+0x00e InfoMask : UChar
+0x00f Flags : UChar
+0x010 ObjectCreateInfo : Ptr32_OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : Ptr32 Void
+0x014 SecurityDescriptor : Ptr32 Void
+0x018 Body : _QUAD
(from ddk)
/*
 * ObReferenceObjectByPointerWithTag() as reconstructed from the Win7 x86
 * disassembly. The "//0x.." comments are instruction offsets inside the
 * routine, so the nesting follows the jump targets rather than the tidiest
 * C: both trace-disabled branches and both trace-enabled branches converge
 * on the same instruction at 0x49.
 *
 * Object        - pointer to the object body; the object header is reached
 *                 from it (written as Object->ObjectHeader below).
 * DesiredAccess - never read in this body.
 * ObjectType    - optional (__in_opt). NULL skips type validation entirely
 *                 for KernelMode callers and is rejected for any other
 *                 AccessMode; non-NULL is compared against the entry of
 *                 ObpTypeIndexTable selected by the header's TypeIndex.
 * AccessMode    - consulted only when ObjectType is NULL.
 * Tag           - forwarded to ObpPushStackInfo() on the tracing path.
 *
 * Returns STATUS_SUCCESS after an interlocked increment (lock xadd) of the
 * header's PointerCount, or STATUS_OBJECT_TYPE_MISMATCH (0xC0000024) when
 * the type check fails. Note that the only path which actually validates
 * the object's type is the one with an explicit ObjectType; a kernel-mode
 * caller passing NULL gets the reference without any check.
 */
NTSTATUS ObReferenceObjectByPointerWithTag(
__in PVOID Object,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__in ULONG Tag
)
{
// NOTE(review): as written this dereferences ObjectType; the intent reads as
// a NULL test on the pointer itself (the DDK marks it __in_opt) - confirm
// against the disassembly.
if(!(*ObjectType)) //jne 0x1f
{
if(KernelMode!=AccessMode) //0x13
{
// No type supplied and the caller is not kernel mode: refuse instead of
// referencing an object whose type was never checked.
//je 0x2c //0x16
return STATUS_OBJECT_TYPE_MISMATCH; //0XC0000024 //0X18
}
else
{
// Kernel-mode caller with ObjectType == NULL: no type check at all.
if((*ObpTraceFlags)) //0x2c je 0x49
{
// Reference tracing is enabled globally and for this object (header
// TraceFlags bit 0): record the caller before taking the reference.
if(1&Object->ObjectHeader->TraceFlags) //0x39 je 0x49
{
ObpPushStackInfo(Object,1,1,Tag); //0X3e
}
lock xadd dword ptr [esi],ebx //0x49
//Object->ObjectHeader->PointerCount ebx=1
// Referenced by pointer: PointerCount++ (interlocked).
return STATUS_SUCCESS;
}
else
{
lock xadd dword ptr [esi],ebx //0x49 (same instruction as the branch above)
return STATUS_SUCCESS;
}
}
}
else if(*ObjectType==*ObpTypeIndexTable[Object->ObejctHeader->TypeIndex])
//0x1f je 0x2c
// Typo preserved from the original: ObejctHeader -> ObjectHeader. The
// header's TypeIndex (+0x0c) selects the ObpTypeIndexTable entry that is
// compared with the caller's ObjectType. NOTE(review): the "*" derefs here
// look like transcription notation for a pointer comparison - confirm.
{
if((*ObpTraceFlags)) //0x2c je 0x49
{
// Same tracing check as in the NULL-type path.
if(1&Object->ObjectHeader->TraceFlags) //0x39 je 0x49
{
ObpPushStackInfo(Object,1,1,Tag); //0X3e
}
lock xadd dword ptr [esi],ebx //0x49
//Object->ObjectHeader->PointerCount ebx=1
// Referenced by pointer: PointerCount++ (interlocked).
return STATUS_SUCCESS;
}
else
{
lock xadd dword ptr [esi],ebx //0x49 (same instruction as the branch above)
return STATUS_SUCCESS;
}
}
else
{
// Caller's ObjectType does not match the header's type: no reference taken.
return STATUS_OBJECT_TYPE_MISMATCH; //0XC0000024 //0X18
}
}