[求助]KsBinSword中一段代码的疑惑
-
发表于:
2009-2-27 10:23
IsValidProcess 函数中通过手工遍历 PspCidTable 搜索进程的那段代码，有一处不能理解，代码如下：
// Walk the cid index range [0x0, 0x4e1c) of PspCidTable by hand.
// Indices up to 0x800 are resolved through table1, the rest through
// table2 (offset by 0x800). The table entries are read raw, so each
// read is preceded by an MmIsAddressValid() probe.
// NOTE(review): the upper bound 0x4e1c and the split point 0x800 are
// hard-coded; confirm them against the handle-table geometry of the
// target OS build. table1 is indexed up to 0x800 *inclusive* while the
// table2 index (i - 0x800) starts at 1, so entry 0 of table2 is never
// visited -- one of the two halves looks off by one.
// NOTE(review): MmIsAddressValid() only probes the page at the moment
// of the call and no lock on the table is visible here, so an entry may
// change between the probe and the dereference. The FLAGS read below is
// the only read that is not probed at all.
for (i = 0x0; i < 0x4e1c; i++)
{
    PULONG entryPtr;      // address of the entry's object word
    PULONG nextFreePtr;   // address of the entry's NextFreeTableEntry word

    // Select the table backing this cid index (arithmetic kept as in the original).
    if (i <= 0x800)
    {
        entryPtr    = (PULONG)(table1 + i * 2);
        nextFreePtr = (PULONG)(table1 + i * 2 + NEXTFREETABLEENTRY);
    }
    else
    {
        if (table2 == 0)
            continue;   // no second table: nothing to scan for this index
        entryPtr    = (PULONG)(table2 + (i - 0x800) * 2);
        nextFreePtr = (PULONG)((table2 + (i - 0x800) * 2) + NEXTFREETABLEENTRY);
    }

    if (!MmIsAddressValid(entryPtr))
        continue;
    object = *entryPtr;

    if (!MmIsAddressValid(nextFreePtr))
        continue;
    NextFreeTableEntry = *nextFreePtr;

    // Original author's note: an in-use _HANDLE_TABLE_ENTRY has
    // NextFreeTableEntry == 0; anything else is treated as a free slot.
    if (NextFreeTableEntry != 0x0)
        continue;

    // Recover the object body pointer: force the high bit on and strip the
    // low three attribute bits of the entry's object word, then map it to
    // the object header.
    object = ((object | 0x80000000) & 0xfffffff8);
    objectheader = (ULONG)OBJECT_TO_OBJECT_HEADER(object);

    if (!MmIsAddressValid((PULONG)(objectheader + TYPE)))
        continue;
    type = *(PULONG)(objectheader + TYPE);
    if (type != processtype)
        continue;

    // Original author's note: (flags & 0xc) == 0xc marks a process that has
    // already exited; every other process object is recorded as live.
    flags = *(PULONG)((ULONG)object + FLAGS);
    if ((flags & 0xc) != 0xc)
        RecordInfo(object);
}
这里为什么要对 cid 从 0x0 遍历到 0x4e1c？上限 0x4e1c 是怎么得出的？
另外 if(i<=0x800) 这个判断是什么意思？0x800 是 table1 中的表项数量吗？如果是，i==0x800 时走 table1、而 table2 的下标又从 1 开始，这两边是否有一处差了 1？