网上搜索:OBJECT_TYPE,竟然发现有关它的定义就有7种
,也许还有更多!我给贴上了。是不是各个windows版本的OBJECT_TYPE都不一样啊?小弟不才,请大虾给指明各属于什么windows版本的OBJECT_TYPE。
//第1种OBJECT_TYPE
// Layout #1: a type name, a table of per-type callback routines and two
// counters. The post does not say which Windows version this layout
// belongs to. NOTE(review): OBJECT_TYPE is undocumented and its layout
// differs between builds (compare the other layouts on this page); any
// code that reads these fields must first verify it is running on the
// exact build the layout was taken from, otherwise it reads the wrong
// memory.
typedef struct OBJECT_TYPE
{
UNICODE_STRING ObjectTypeName; // name of the object type
POPEN_OBJECT_ROUTINE OpenRoutine; // per-type callback, called on open
PPARSE_OBJECT_ROUTINE ParseRoutine; // per-type callback, called on name parsing
PCLOSE_OBJECT_ROUTINE CloseRoutine; // per-type callback, called on close
PDELETE_OBJECT_ROUTINE DeleteRoutine; // per-type callback, called on delete
PQUERY_OBJECT_NAME_ROUTINE QueryNameRoutine; // per-type callback, called to query the object name
BOOLEAN PagedPool; // presumably whether objects of this type live in paged pool — TODO confirm
ULONG OwnerTag; // presumably the pool tag used for this type — TODO confirm
ULONG ObjectCount; // number of objects of this type
} *POBJECT_TYPE; // only the pointer typedef is declared; the struct itself is reached as 'struct OBJECT_TYPE'
//第2种OBJECT_TYPE
// Layout #2, labelled "Windows Vista" by the author. Compared with layout
// #3 below it carries an unconditional Key field and an array of 32 push
// locks at the end, so its size is not the same as the other layouts.
// NOTE(review): the Vista attribution is the poster's own; confirm against
// the target build's symbols before using these offsets.
typedef struct _OBJECT_TYPE
{
ERESOURCE Mutex; // resource guarding the type — presumably; verify
LIST_ENTRY TypeList; // list link, presumably the global list of object types — verify
UNICODE_STRING Name; // type name
PVOID DefaultObject; // presumably the default object used for waiting on this type — TODO confirm
ULONG Index; // index of this type
ULONG TotalNumberOfObjects; // current number of objects of this type
ULONG TotalNumberOfHandles; // current number of handles to objects of this type
ULONG HighWaterNumberOfObjects; // peak number of objects
ULONG HighWaterNumberOfHandles; // peak number of handles
OBJECT_TYPE_INITIALIZER TypeInfo; // per-type parameters and callbacks (OBJECT_TYPE_INITIALIZER)
ULONG Key; // in layout #3 this same field is only present under POOL_TAGGING, which suggests a pool tag — verify
EX_PUSH_LOCK ObjectLocks[32]; // 32 push locks; how an object maps to a lock is not shown here
} OBJECT_TYPE, *POBJECT_TYPE;//Windows Vista
//第3种OBJECT_TYPE
// Layout #3: same leading fields as layout #2 but without ObjectLocks, and
// Key exists only when POOL_TAGGING is defined. sizeof(OBJECT_TYPE)
// therefore depends on the build configuration, not only on the Windows
// version — a reader of this structure must match both. The post does not
// say which Windows version this layout belongs to.
typedef struct _OBJECT_TYPE
{
ERESOURCE Mutex; // resource guarding the type — presumably; verify
LIST_ENTRY TypeList; // list link, presumably the global list of object types — verify
UNICODE_STRING Name; // type name
PVOID DefaultObject; // presumably the default object used for waiting on this type — TODO confirm
ULONG Index; // index of this type
ULONG TotalNumberOfObjects; // current number of objects of this type
ULONG TotalNumberOfHandles; // current number of handles to objects of this type
ULONG HighWaterNumberOfObjects; // peak number of objects
ULONG HighWaterNumberOfHandles; // peak number of handles
OBJECT_TYPE_INITIALIZER TypeInfo; // per-type parameters and callbacks (OBJECT_TYPE_INITIALIZER)
#ifdef POOL_TAGGING
ULONG Key; // pool tag key; absent when POOL_TAGGING is not defined
#endif //POOL_TAGGING
} OBJECT_TYPE, *POBJECT_TYPE;
//第4种OBJECT_TYPE
// Layout #4: the leading resource is declared as an opaque 0x38-byte blob
// instead of ERESOURCE, and there is no Key field. NOTE(review): the 0x38
// size only works if it equals the real size of the resource on the target
// build; if it does not, every field after Mutex is read at the wrong
// offset. The post does not say which Windows version this layout is for.
typedef struct _OBJECT_TYPE {
UCHAR Mutex[0x38]; // opaque placeholder for the type's resource; presumably an ERESOURCE — verify its size
LIST_ENTRY TypeList; // list link, presumably the global list of object types — verify
UNICODE_STRING Name; // type name
PVOID DefaultObject; // presumably the default object used for waiting on this type — TODO confirm
ULONG Index; // index of this type
ULONG TotalNumberOfObjects; // current number of objects of this type
ULONG TotalNumberOfHandles; // current number of handles to objects of this type
ULONG HighWaterNumberOfObjects; // peak number of objects
ULONG HighWaterNumberOfHandles; // peak number of handles
OBJECT_TYPE_INITIALIZER TypeInfo; // per-type parameters and callbacks (OBJECT_TYPE_INITIALIZER)
} OBJECT_TYPE, *POBJECT_TYPE;
//第5种OBJECT_TYPE
// Layout #5: a reverse-engineered layout with the author's byte offsets
// given in the trailing comments (0x0 .. a8h). Several fields are
// explicitly Unknown, the callback prototypes are marked known/unknown by
// the author, and the final field is a guess. NOTE(review): the offsets are
// annotations, not something the compiler enforces; they hold only for the
// (unstated) build they were recovered from. The field names
// PagedPoollQuota / NonPagedPollQuota are spelled as in the original (sic).
typedef struct _OBJECT_TYPE
{
ERESOURCE TypeAsResource; //0x0 usable as a resource
//34h
PLIST_ENTRY FirstCreatorInfo;//38h I noticed this structure
PLIST_ENTRY LastCreatorInfo; //3ch it is only used for object type
UNICODE_STRING TypeName; //40h type name
DWORD Unknown2[2]; //48h
DWORD RefCount; //50h count of objects of this type
DWORD HanCount; //54h count of handles of this type
DWORD PeakRef; //58h peak number of objects
DWORD PeakHandles; //5ch peak number of handles
DWORD Unknown3; //60h
DWORD AllowedAttributeMask;//64h permitted attributes, 0 - all allowed
GENERIC_MAPPING GenericMapping;//68 mapping of generic access rights onto specific rights
DWORD AllowedAccessMask; //78h (ACCESS_SYSTEM_SECURITY is always set)
BOOLEAN bInNameSpace; //7ch objects of this type appear in the object namespace path
// I may be mistaken, but it is something like that.
BOOLEAN bHandleDB; //7dh whether it keeps per-object handle information (HANDLE_DB)
BOOLEAN bCreatorInfo; //7eh ----//---- CreatorInfo + the list at 38h
BOOLEAN Unknown5; //7fh
DWORD Unknown6; //80h if != 0 then created in NpSuccess
DWORD PagedPoollQuota; //84h default
DWORD NonPagedPollQuota; //88h quota
PVOID DumpProcedure; //8ch prototype unknown (?)
PVOID OpenProcedure; //90h prototype known
PVOID CloseProcedure; //94h prototype known
PVOID DeleteProcedure; //98h prototype known
PVOID ParseProcedure; //9ch prototype known
PVOID SecurityProcedure; //a0h prototype known
// can be called in 4 ways:
//0-set sec_info, 1-query descriptor, 2-delete, 3-assign
PVOID QueryNameProcedure; //a4h prototype known
PVOID Tag; //a8h judged from higher-level information
// this should be the OkayToCloseProcedure method;
// in fact, for every object I found a four-character type tag at this address, e.g. Dire (Directory)
} OBJECT_TYPE,*POBJECT_TYPE;
//第6种OBJECT_TYPE win7
_OBJECT_TYPE
+0x000 TypeList : _LIST_ENTRY
+0x008 Name : _UNICODE_STRING
+0x010 DefaultObject : Ptr32 Void
+0x014 Index : UChar
+0x018 TotalNumberOfObjects : Uint4B
+0x01c TotalNumberOfHandles : Uint4B
+0x020 HighWaterNumberOfObjects : Uint4B
+0x024 HighWaterNumberOfHandles : Uint4B
+0x028 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x078 TypeLock : _EX_PUSH_LOCK
+0x07c Key : Uint4B
+0x080 CallbackList : _LIST_ENTRY
//第7种OBJECT_TYPE
-typedef struct _OBJECT_TYPE
-{
- ULONG Tag;
- UNICODE_STRING TypeName;
- ULONG TotalObjects;
- ULONG TotalHandles;
- ULONG MaxObjects;
- ULONG MaxHandles;
- ULONG PagedPoolCharge;
- ULONG NonpagedPoolCharge;
- PGENERIC_MAPPING Mapping;
- VOID STDCALL_FUNC (*Dump)(VOID);
- VOID STDCALL_FUNC (*Open)(VOID);
- VOID STDCALL_FUNC (*Close)(PVOID ObjectBody,
- ULONG HandleCount);
- VOID STDCALL_FUNC (*Delete)(PVOID ObjectBody);
- NTSTATUS STDCALL_FUNC (*Parse)(PVOID ParsedObject,
- PVOID *NextObject,
- PUNICODE_STRING FullPath,
- PWSTR *Path,
- ULONG Attributes);
- NTSTATUS STDCALL_FUNC (*Security)(PVOID ObjectBody,
- SECURITY_OPERATION_CODE
OperationCode,
- SECURITY_INFORMATION
SecurityInformation,
- PSECURITY_DESCRIPTOR
SecurityDescriptor,
- PULONG BufferLength);
- NTSTATUS STDCALL_FUNC (*QueryName)(PVOID ObjectBody,
- POBJECT_NAME_INFORMATION
ObjectNameInfo,
- ULONG Length,
- PULONG ReturnLength);
- VOID STDCALL_FUNC (*OkayToClose)(VOID);
-
- NTSTATUS STDCALL_FUNC (*Create)(PVOID ObjectBody,
- PVOID Parent,
- PWSTR RemainingPath,
- struct _OBJECT_ATTRIBUTES*
ObjectAttributes);
-
- VOID STDCALL_FUNC (*DuplicationNotify)(PEPROCESS DuplicateTo,
- PEPROCESS DuplicateFrom,
- PVOID Object);
-} OBJECT_TYPE;