由ObReferenceObject推导windows对象管理器

#define ObReferenceObject(Object) ObfReferenceObject(Object)

LONG_PTRFASTCALLObfReferenceObject (    __in PVOID Object    )/*++Routine Description:    This function increments the reference count for an object.    N.B. This function should be used to increment the reference count        when the accessing mode is kernel or the objct type is known.Arguments:    Object - Supplies a pointer to the object whose reference count is        incremented.Return Value:    None.--*/{    POBJECT_HEADER ObjectHeader;    LONG_PTR RetVal;    ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );    RetVal = ObpIncrPointerCount( ObjectHeader );    ASSERT (RetVal != 1);    return RetVal;}

为什么要有这句话

ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );

#define OBJECT_TO_OBJECT_HEADER( o ) \    CONTAINING_RECORD( (o), OBJECT_HEADER, Body )

关于CONTAINING_RECORD 这个宏的推导

//// Calculate the address of the base of the structure given its type, and an// address of a field within the structure.//#define CONTAINING_RECORD(address, type, field) ((type *)( \                                                  (PCHAR)(address) - \                                                  (ULONG_PTR)(&((type *)0)->field)))

有一篇文章介绍的很清楚 

这应该是原文地址吧   《我对CONTAINING_RECORD宏的详细解释》 不是的话请作者指出 我进行修正

到这里 我们引申出一个很重要的概念 Windows对象 (Object) 结构， 即对象管理器，不同类型的对象具有相同的Object Header，但Object Body部分却是不同的。

这里有一篇文章介绍的很清楚   Windows对象 (Object) 结构 （http://blog.csdn.net/sqqsongqiqi/article/details/42557815）

我们看一下 OBJECT_HEADER 这个结构体

typedef struct _OBJECT_HEADER {    LONG_PTR PointerCount;    union {        LONG_PTR HandleCount;        PVOID NextToFree;    };    POBJECT_TYPE Type;    UCHAR NameInfoOffset;    UCHAR HandleInfoOffset;    UCHAR QuotaInfoOffset;    UCHAR Flags;    union {        POBJECT_CREATE_INFORMATION ObjectCreateInfo;        PVOID QuotaBlockCharged;    };    PSECURITY_DESCRIPTOR SecurityDescriptor;    QUAD Body;} OBJECT_HEADER, *POBJECT_HEADER;

我们看见 QUAD Body; 这个字段便是对象的实体部分，也就是我们经常接触到的DEVICE_OBJECT， FILE_OBJECT等具体的对象类型。

分析完

ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );

这句话之后， 我们继续分析

RetVal = ObpIncrPointerCount( ObjectHeader );

#define ObpIncrPointerCount(np)           ObpInterlockedIncrement( &np->PointerCount )

很简单的就是 OBJECT_HEADER 其中一个字段PointerCount的引用加1 。

至此ObReferenceObject(Object) 分析完毕。

如有错误，敬请指出， 不胜感激。