WINDOWS OBJECT笔记

来源：互联网发布：apache默认首页编辑：程序博客网时间：2024/06/06 04:47

dd obpRootDirectoryObject

kd> dd obpRootDirectoryObject

80561978 e10001c0 00000000 00000001 00000000

80561988 00000000 00040001 00000000 80561994

80561998 80561994 00000000 867eb478 00000000

805619a8 00000000 00000000 00000000 00000000

805619b8 00000000 00000000 00000000 805632d0

805619c8 80574021 00000000 00000000 867eb2a8

805619d8 e1001ca0 00000000 00000000 00000000

805619e8 00000000 00000000 00000000 00000000

kd> dt _OBJECT_DIRECTORY e10001c0

nt!_OBJECT_DIRECTORY

+0x000 HashBuckets : [37] 0xe1009420 _OBJECT_DIRECTORY_ENTRY

+0x094 Lock : _EX_PUSH_LOCK

+0x098 DeviceMap : (null)

+0x09c SessionId : 0xffffffff

+0x0a0 Reserved : 0

+0x0a2 SymbolicLinkUsageCount : 0x6f

kd> dd e10001c0

e10001c0 e1009420 e160dbd8 e1021ab8 e100d460

e10001d0 00000000 e17e98a0 e18df9e8 00000000

e10001e0 00000000 e1611318 e1005490 00000000

e10001f0 00000000 e1020c38 e157c9c0 00000000

e1000200 e1566f00 00000000 00000000 e100a488

e1000210 e15eca00 e181c4b8 e157b9a0 e1615c08

e1000220 e1566ef0 e177a858 e1e085c8 e1009440

e1000230 00000000 00000000 00000000 e100c518

kd> dt nt!_OBJECT_DIRECTORY_ENTRY e1009420

+0x000 ChainLink : (null)

+0x004 Object : 0xe100d748 Void

根据OBJECT得到object_header

kd> dt!_object_header 0xe100d748-18

nt!_OBJECT_HEADER

+0x000 PointerCount : 0n7

+0x004 HandleCount : 0n0

+0x004 NextToFree : (null)

+0x008 Type : 0x867eb478 _OBJECT_TYPE

+0x00c NameInfoOffset : 0x10 ''

+0x00d HandleInfoOffset : 0 ''

+0x00e QuotaInfoOffset : 0 ''

+0x00f Flags : 0x32 '2'

+0x010 ObjectCreateInfo : 0x00000001 _OBJECT_CREATE_INFORMATION

+0x010 QuotaBlockCharged : 0x00000001 Void

+0x014 SecurityDescriptor : 0xe1000102 Void

+0x018 Body : _QUAD

根据OBJECT得到NameInfo（）

nt!_OBJECT_HEADER_NAME_INFO

+0x000 Directory : 0xe10001c0 _OBJECT_DIRECTORY

+0x004 Name : _UNICODE_STRING "ArcName"

+0x00c QueryReferences : 1

HashBuckets为偏移0地址为e10001c0 37个4字节的!_OBJECT_DIRECTORY_ENTRY

e10001c0

kd> !object \

Object: e10001c0 Type: (867eb478) Directory

ObjectHeader: e10001a8 (old version)

HandleCount: 0 PointerCount: 40

Directory Object: 00000000 Name: \

111 symbolic links snapped through this directory

Hash Address Type Name

---- ------- ---- ----

00 e100d748 Directory ArcName

01 e1716030 Port SeLsaCommandPort

02 867b9910 Device FatCdrom

03 e100e458 Key \REGISTRY

05 e1819f68 Port ThemeApiPort

06 e17e2928 Port XactSrvLpcPort

09 e168b458 Directory NLS

10 e1008738 SymbolicLink DosDevices

13 e1566590 Port SeRmCommandPort

14 867b8650 Device Dfs

e1802f68 Port LsaAuthenticationPort

866c65e0 Event LanmanServerAnnounceEvent

16 e1566f38 Directory Driver

19 e100d670 Directory Device

20 e15d2328 Directory Windows

21 86646238 Event SAM_SERVICE_STARTED

e15ed0c0 Directory Sessions

22 e1004368 Directory RPC Control

e15e9c80 Port SmApiPort

867b9a28 Device Fat

23 e15d9900 Directory BaseNamedObjects

e10011d8 Directory KernelObjects

24 e156d4c0 Directory FileSystem

e1004510 Directory GLOBAL??

25 866269a8 WaitablePort NLAPublicPort

26 e1e161c8 Port SmSsWinStationApiPort

e10010f0 Directory ObjectTypes

27 e100a550 Directory Security

e1721c58 Port ErrorLogPort

e1951380 Port FusApiPort

31 e100a460 SymbolicLink SystemRoot

866b75e8 Device Cdfs

32 86557958 WaitablePort NLAPrivatePort

e10085f0 Directory Callback

33 86648ff0 Event EFSInitEvent

866c79a8 Event SeLsaInitEvent

8677b6c8 Event UniqueSessionIdEvent

35 e15f02b0 Directory KnownDlls

dd obptypedirectoryobject 对象类型目录

obptypedirectoryobject值向对象目录的根

单层目录，除一个目录节点外，其余都是叶节点

kd> dt !_object_directory e10010f0

kd> dd obptypedirectoryobject

80561974 e10010f0 e10001c0 00000000 00000001

80561984 00000000 00000000 00040001 00000000

80561994 80561994 80561994 00000000 867eb478

805619a4 00000000 00000000 00000000 00000000

805619b4 00000000 00000000 00000000 00000000

805619c4 805632d0 80574021 00000000 00000000

805619d4 867eb2a8 e1001ca0 00000000 00000000

805619e4 00000000 00000000 00000000 00000000

nt!_OBJECT_DIRECTORY

+0x000 HashBuckets : [37] 0xe10046a8 _OBJECT_DIRECTORY_ENTRY

+0x094 Lock : _EX_PUSH_LOCK

+0x098 DeviceMap : (null)

+0x09c SessionId : 0xffffffff

+0x0a0 Reserved : 0

+0x0a2 SymbolicLinkUsageCount : 0

kd> dd e10010f0

e10010f0 e10046a8 e1005468 00000000 e157cb70

e1001100 00000000 e156c1b8 00000000 e100b7d8

e1001110 00000000 e100d638 e100b718 e100b7e8

e1001120 e155f530 00000000 00000000 00000000

e1001130 e155f558 00000000 e1005280 e1564118

e1001140 e1004678 e1565410 e1001088 00000000

e1001150 e100a608 00000000 e100c420 00000000

e1001160 e1001078 00000000 00000000 e155f0f0

kd> dt !_object_directory_entry e10046a8

nt!_OBJECT_DIRECTORY_ENTRY

+0x000 ChainLink : (null) 除一个目录节点外，其余都是叶节点

+0x004 Object : 0x867eb478 Void

kd> dt !_object_header 0x867eb478-0x18

nt!_OBJECT_HEADER

+0x000 PointerCount : 0n1

+0x004 HandleCount : 0n0

+0x004 NextToFree : (null)

+0x008 Type : 0x867eb648 _OBJECT_TYPE

+0x00c NameInfoOffset : 0x20 ' '

+0x00d HandleInfoOffset : 0 ''

+0x00e QuotaInfoOffset : 0 ''

+0x00f Flags : 0x17 ''

+0x010 ObjectCreateInfo : (null)

+0x010 QuotaBlockCharged : (null)

+0x014 SecurityDescriptor : (null)

+0x018 Body : _QUAD

kd> dt !_OBJECT_TYPE 0x867eb648

nt!_OBJECT_TYPE

+0x000 Mutex : _ERESOURCE

+0x038 TypeList : _LIST_ENTRY [ 0x867eb620 - 0x867b9e48 ]

+0x040 Name : _UNICODE_STRING "Type"

+0x048 DefaultObject : 0x80561960 Void

+0x04c Index : 1

+0x050 TotalNumberOfObjects : 0x1f

+0x054 TotalNumberOfHandles : 0

+0x058 HighWaterNumberOfObjects : 0x1f

+0x05c HighWaterNumberOfHandles : 0

+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER

+0x0ac Key : 0x546a624f

+0x0b0 ObjectLocks : [4] _ERESOURCE

kd> dt !_OBJECT_HEADER_NAME_INFO 0x867eb478-0x18-0x20

nt!_OBJECT_HEADER_NAME_INFO

+0x000 Directory : 0xe10010f0 _OBJECT_DIRECTORY

+0x004 Name : _UNICODE_STRING "Directory"

+0x00c QueryReferences : 1

kd> dd obpobjecttypes
805618a0 867eb648 867eb478 867eb2a8 867eb0d8
805618b0 867b7e38 867b7c68 867b7a98 867b7398
805618c0 867b2bf8 867b2a28 867b2858 867b2688
805618d0 867b24b8 867b22e8 867b1040 867b1e70
805618e0 867b1ca0 867b1ad0 867b1738 867ae980
805618f0 867ea818 867ea648 867a1e70 867a1ca0
80561900 867a1ad0 867a1900 867a1730 867a1560
80561910 867e4490 867b9040 867b9e70 00000000

kd> !object \
Object: e10001c0 Type: (867eb478) Directory
    ObjectHeader: e10001a8 (old version)
    HandleCount: 0 PointerCount: 40
    Directory Object: 00000000 Name: \
    111 symbolic links snapped through this directory

    Hash Address Type          Name
    ---- ------- ----          ----
     00 e100d748 Directory     ArcName
     01 e1716030 Port          SeLsaCommandPort
     02 867b9910 Device        FatCdrom
     03 e100e458 Key           \REGISTRY
     05 e1819f68 Port          ThemeApiPort
     06 e17e2928 Port          XactSrvLpcPort
     09 e168b458 Directory     NLS
     10 e1008738 SymbolicLink DosDevices
     13 e1566590 Port          SeRmCommandPort
     14 867b8650 Device        Dfs
         e1802f68 Port          LsaAuthenticationPort
         866c65e0 Event         LanmanServerAnnounceEvent
     16 e1566f38 Directory     Driver
     19 e100d670 Directory     Device
     20 e15d2328 Directory     Windows
     21 86646238 Event         SAM_SERVICE_STARTED
         e15ed0c0 Directory     Sessions
     22 e1004368 Directory     RPC Control
         e15e9c80 Port          SmApiPort
         867b9a28 Device        Fat
     23 e15d9900 Directory     BaseNamedObjects
         e10011d8 Directory     KernelObjects
     24 e156d4c0 Directory     FileSystem
         e1004510 Directory     GLOBAL??
     25 866269a8 WaitablePort NLAPublicPort
     26 e1e161c8 Port          SmSsWinStationApiPort
         e10010f0 Directory     ObjectTypes
     27 e100a550 Directory     Security
         e1721c58 Port          ErrorLogPort
         e1951380 Port          FusApiPort
     31 e100a460 SymbolicLink SystemRoot
         866b75e8 Device        Cdfs
     32 86557958 WaitablePort NLAPrivatePort
         e10085f0 Directory     Callback
     33 86648ff0 Event         EFSInitEvent
         866c79a8 Event         SeLsaInitEvent
         8677b6c8 Event         UniqueSessionIdEvent
     35 e15f02b0 Directory     KnownDlls
kd> !object e100d748
Object: e100d748 Type: (867eb478) Directory
    ObjectHeader: e100d730 (old version)
    HandleCount: 0 PointerCount: 7
    Directory Object: e10001c0 Name: ArcName

    Hash Address Type          Name
    ---- ------- ----          ----
     00 e15dd9b8 SymbolicLink multi(0)disk(0)rdisk(0)
         e15d8220 SymbolicLink multi(0)disk(0)rdisk(0)partition(3)
     03 e1011be0 SymbolicLink multi(0)disk(0)rdisk(0)partition(4)
     30 e156d8b8 SymbolicLink multi(0)disk(0)rdisk(0)partition(1)
     33 e1602340 SymbolicLink multi(0)disk(0)fdisk(0)
         e15d7220 SymbolicLink multi(0)disk(0)rdisk(0)partition(2)
kd> dt _object_header e100d730
nt!_OBJECT_HEADER
   +0x000 PointerCount     : 0n7
   +0x004 HandleCount      : 0n0
   +0x004 NextToFree       : (null)
   +0x008 Type             : 0x867eb478 _OBJECT_TYPE
   +0x00c NameInfoOffset   : 0x10 ''
   +0x00d HandleInfoOffset : 0 ''
   +0x00e QuotaInfoOffset : 0 ''
   +0x00f Flags            : 0x32 '2'
   +0x010 ObjectCreateInfo : 0x00000001 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : 0x00000001 Void
   +0x014 SecurityDescriptor : 0xe1000102 Void
   +0x018 Body             : _QUAD

e100d748 对应obpobjecttypes[1] 表示 Type: (867eb478) Directory

而Type: (867eb478) Directory 的TYPE对应的是obpobjecttypes[0] （类型为TYPE对象）