能力值:
( LV4,RANK:50 )
|
-
-
2 楼
ExEnumHandleTable
|
能力值:
( LV2,RANK:10 )
|
-
-
3 楼
请windbg举一下例子好吗?
|
能力值:
( LV8,RANK:130 )
|
-
-
4 楼
lkd> dt_object_header
nt!_OBJECT_HEADER
+0x000 PointerCount : Int4B
+0x004 HandleCount : Int4B
+0x004 NextToFree : Ptr32 Void
+0x008 Type : Ptr32 _OBJECT_TYPE
+0x00c NameInfoOffset : UChar
+0x00d HandleInfoOffset : UChar
+0x00e QuotaInfoOffset : UChar
+0x00f Flags : UChar
+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : Ptr32 Void
+0x014 SecurityDescriptor : Ptr32 Void
+0x018 Body : _QUAD
那个Type~~~~~~~~~~~~~
lkd> !process
PROCESS 89258498 SessionId: 0 Cid: 078c Peb: 7ffda000 ParentCid: 00e0
lkd> dt_object_header 89258498-0x18
nt!_OBJECT_HEADER
+0x000 PointerCount : 44
+0x004 HandleCount : 2
+0x004 NextToFree : 0x00000002
+0x008 Type : 0x8a3ebe70 _OBJECT_TYPE
+0x00c NameInfoOffset : 0 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x20 ' '
+0x010 ObjectCreateInfo : 0x89556e78 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x89556e78
+0x014 SecurityDescriptor : 0xe20866f4
+0x018 Body : _QUAD
lkd> dt_OBJECT_TYPE 0x8a3ebe70
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x8a3ebea8 - 0x8a3ebea8 ]
+0x040 Name : _UNICODE_STRING "Process"
+0x048 DefaultObject : (null)
+0x04c Index : 5
+0x050 TotalNumberOfObjects : 0x22
/////////////////////
lkd> !thread
THREAD 8913b020 Cid 078c.0adc Teb: 7ffdf000 Win32Thread: e467e350 RUNNING on processor 0
lkd> dt_object_header 8913b020-0x18
nt!_OBJECT_HEADER
+0x000 PointerCount : 5
+0x004 HandleCount : 3
+0x004 NextToFree : 0x00000003
+0x008 Type : 0x8a3ebca0 _OBJECT_TYPE
+0x00c NameInfoOffset : 0 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x20 ' '
+0x010 ObjectCreateInfo : 0x89556e78 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x89556e78
+0x014 SecurityDescriptor : 0xe2310224
+0x018 Body : _QUAD
lkd> dt_object_type 0x8a3ebca0
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x8a3ebcd8 - 0x8a3ebcd8 ]
+0x040 Name : _UNICODE_STRING "Thread"
+0x048 DefaultObject : (null)
+0x04c Index : 6
+0x050 TotalNumberOfObjects : 0x1b9
+0x054 TotalNumberOfHandles : 0x2fc
+0x058 HighWaterNumberOfObjects : 0x1f5
+0x05c HighWaterNumberOfHandles : 0x374
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x65726854
+0x0b0 ObjectLocks : [4] _ERESOURCE
|
能力值:
( LV2,RANK:10 )
|
-
-
5 楼
从进程的句柄表中搜到的对象,为什么对象类型的名称为空。
pObjectHeader=0x805F0038 pObjectType=0xFF01B101 Name:(null)
kd> dt _object_header 805F0038
nt!_OBJECT_HEADER
+0x000 PointerCount : 1946761524
+0x004 HandleCount : 1228981772
+0x004 NextToFree : 0x4940c60c
+0x008 Type : 0xff01b101 _OBJECT_TYPE
+0x00c NameInfoOffset : 0x15 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0x87 ''
+0x00f Flags : 0x4d 'M'
+0x010 ObjectCreateInfo : 0xe8ce8b80 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0xe8ce8b80
+0x014 SecurityDescriptor : 0xfff32d98
+0x018 Body : _QUAD
kd> dt _object_type 0xFF01B101
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x040 Name : _UNICODE_STRING ""
+0x048 DefaultObject : (null)
+0x04c Index : 0
+0x050 TotalNumberOfObjects : 0
+0x054 TotalNumberOfHandles : 0
+0x058 HighWaterNumberOfObjects : 0
+0x05c HighWaterNumberOfHandles : 0
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0
+0x0b0 ObjectLocks : [4] _ERESOURCE
弄不明白,除非我得到的句柄是错误。还是什么原因,请有这个问题的指点指点。
|
能力值:
( LV2,RANK:10 )
|
-
-
6 楼
代码如下:
// 对表进行遍历
table1=table1 +8;
for (i = 0; i <HandleCount; i++)
{
//显示对象类型
pObjectHeader=(POBJECT_HEADER)((((*(PULONG)table1)|0x80000000) & 0xfffffff8)-0x18);
if (MmIsAddressValid( (PULONG)(pObjectHeader) ))
{
DbgPrint("pObjectHeader=0x%08X",(ULONG)pObjectHeader);
pObjectType=(POBJECT_TYPE)(pObjectHeader->Type);
if (MmIsAddressValid( (PULONG)(pObjectType) ))
{
DbgPrint(" pObjectType=0x%08X",(ULONG)pObjectType);
DbgPrint(" Name:%-16wZ\n",&(pObjectType->Name));
}
DbgPrint("\n");
}
table1=table1+8;
}
到最后是:DbgPrint(" Name:%-16wZ\n",&(pObjectType->Name));产生崩溃。应该是地址无效。
|
|
|
|
