Post #2 (LV3, RANK:30)
Quoting kz丶cn:
> For example, if what I get is a File object, then _FILE_OBJECT follows the object_header and it contains the file name. So here is the question: suppose I get a Mutant object; how do I write out the object structure that follows it when viewing it in windbg? That is, what does the mutex object's structure look like...

The question can be reduced to: how to obtain a handle's name.
Post #3 (LV3, RANK:30)
Uh, looks like I got the offset wrong; there should also be the CreateInfo offset... will try after I get up...
Post #4 (LV3, RANK:20)
The OP's jumbled wording leaves me completely confused...
Post #5 (LV3, RANK:30)
help!!!
Post #6 (LV3, RANK:20)
Question 1: not every handle has a name!
How to get the name: it is in the _OBJECT_HEADER_NAME_INFO structure. _OBJECT_HEADER - 0x10 is the _OBJECT_HEADER_NAME_INFO.
Question 2: I don't understand what you mean.
The environment below is XP SP3. Win7's _OBJECT_TYPE is different; get it via the ObGetObjectType function (I think that's the one).
Query the local process list and pick any process from it to inspect, say QQProtect.exe. Here its EPROCESS is 822e48f8.
!process 0 0
............................
PROCESS 822e48f8 SessionId: 0 Cid: 07ec Peb: 7ffd3000 ParentCid: 02b0
DirBase: 1682d000 ObjectTable: e17f3378 HandleCount: 337.
Image: QQProtect.exe
...........................
==============================
Query that process's handle table via the EPROCESS.
lkd> !handle 0 7 822E48F8
PROCESS 822e48f8 SessionId: 0 Cid: 07ec Peb: 7ffd3000 ParentCid: 02b0
DirBase: 1682d000 ObjectTable: e17f3378 HandleCount: 345.
Image: QQProtect.exe
Handle table at e12a0000 with 345 entries in use
0004: Object: e10094c0 GrantedAccess: 000f0003 Entry: e12a0008
Object: e10094c0 Type: (823b5900) KeyedEvent
ObjectHeader: e10094a8 (old version)
HandleCount: 29 PointerCount: 30
Directory Object: e1004748 Name: CritSecOutOfMemoryEvent
0008: Object: e152a100 GrantedAccess: 00000003 Entry: e12a0010
Object: e152a100 Type: (823b9040) Directory
ObjectHeader: e152a0e8 (old version)
HandleCount: 29 PointerCount: 65
Directory Object: e1001100 Name: KnownDlls
000c: Object: 822e4c80 GrantedAccess: 00100020 (Inherit) Entry: e12a0018
Object: 822e4c80 Type: (823ebca0) File
ObjectHeader: 822e4c68 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \WINDOWS\system32 {HarddiskVolume1}
0010: Object: 8213e740 GrantedAccess: 001f0003 (Protected) Entry: e12a0020
Object: 8213e740 Type: (823b6708) Event
ObjectHeader: 8213e728 (old version)
HandleCount: 1 PointerCount: 2
0014: Object: e1398640 GrantedAccess: 000f000f Entry: e12a0028
Object: e1398640 Type: (823b9040) Directory
ObjectHeader: e1398628 (old version)
HandleCount: 28 PointerCount: 32
Directory Object: e1001100 Name: Windows
.....................................
==================================
Look at the EPROCESS structure to get the ObjectTable address. (The EPROCESS of every process can be obtained by walking the list at 0x88.)
dt _eprocess 822E48F8
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x1d147e7`cc083544
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : 0x000007ec Void
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x81ff58a0 - 0x81faa818 ]
+0x090 QuotaUsage : [3] 0x2848
+0x09c QuotaPeak : [3] 0x3650
+0x0a8 CommitCharge : 0x12c6
+0x0ac PeakVirtualSize : 0x52df000
+0x0b0 VirtualSize : 0x4edf000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x81ff58cc - 0x81faa844 ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe167f798 Void
+0x0c4 ObjectTable : 0xe17f3378 _HANDLE_TABLE
............................
Look at the _HANDLE_TABLE to get the TableCode address (can all handle tables be enumerated by walking the list at 0x1c???)
lkd> dt _HANDLE_TABLE 0xe17f3378
ntdll!_HANDLE_TABLE
+0x000 TableCode : 0xe12a0000
+0x004 QuotaProcess : 0x822e48f8 _EPROCESS
+0x008 UniqueProcessId : 0x000007ec Void
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0xe10a01a4 - 0xe15f6614 ]
The trailing 0 of e12a0000 means the handle table has only the L0 level; a handle table has at most L2 levels (L0 counts as a level).
L0 can hold 511 handle entries.
TableCode may also look like:
e12a0000 L0 handle table
e12a0001 L1 handle table
e12a0002 L2 handle table
Here we get the name of handle number 4. (Handle numbers start at 4 and go in multiples of 4, e.g. 4, 8, C, 10.)
Starts at 1 and ends at A???. The address is always a multiple of 8.
lkd> dd 0xe12a0000+1*8
e12a0008 e10094a9 000f0003 e152a0e9 00000003
e12a0018 822e4c6b 00100020 8213e729 021f0003
e12a0028 e1398629 000f000f e11db771 021f0001
e12a0038 82038551 000f016e 81fc15d1 000f00cf
e12a0048 82038551 000f016e 81fb73f9 00100003
e12a0058 81f43831 00100003 e12a7cb1 020f003f
e12a0068 e15e8b39 0002000f 82301f69 001f0003
e12a0078 81fa6b69 00100001 82140959 00100020
To find the object header address, take the pointer at the TableCode entry (e12a0008) and subtract 1.
lkd> dt _object_header e10094a9 - 1
nt!_OBJECT_HEADER
+0x000 PointerCount : 0n30
+0x004 HandleCount : 0n29
+0x004 NextToFree : 0x0000001d Void
+0x008 Type : 0x823b5900 _OBJECT_TYPE
+0x00c NameInfoOffset : 0x10 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x32 '2'
+0x010 ObjectCreateInfo : 0x00000001 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x00000001 Void
+0x014 SecurityDescriptor : 0xe100a716 Void
+0x018 Body : _QUAD
View the object name, if it has one.
lkd> dt _object_header_name_info e10094a8-10
nt!_OBJECT_HEADER_NAME_INFO
+0x000 Directory : 0xe1004748 _OBJECT_DIRECTORY
+0x004 Name : _UNICODE_STRING "CritSecOutOfMemoryEvent"
+0x00c QueryReferences : 1
Use !object on the object body, i.e. add the Body offset 0x18:
e10094a9-1 = e10094a8
lkd> !object e10094a8+0x18
Object: e10094c0 Type: (823b5900) KeyedEvent
ObjectHeader: e10094a8 (old version)
HandleCount: 29 PointerCount: 30
Directory Object: e1004748 Name: CritSecOutOfMemoryEvent
View the object type.
lkd> dt _OBJECT_TYPE 0x823b5900
ntdll!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x823b5938 - 0x823b5938 ]
+0x040 Name : _UNICODE_STRING "KeyedEvent"
+0x048 DefaultObject : 0x80561960 Void
+0x04c Index : 0x10
+0x050 TotalNumberOfObjects : 1
+0x054 TotalNumberOfHandles : 0x1d
+0x058 HighWaterNumberOfObjects : 1
+0x05c HighWaterNumberOfHandles : 0x20
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x6579654b
+0x0b0 ObjectLocks : [4] _ERESOURCE
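Added example, not code from any poster in this thread: a C program that performs the same walk post #6 does by hand in WinDbg (TableCode to handle-table entry, entry to _OBJECT_HEADER, header to _OBJECT_HEADER_NAME_INFO) against a constructed memory image, so the steps can be checked offline. The addresses, the 512/1024/32-entry L0/L1/L2 geometry, and the OBJ_* attribute bits in the entry's Object pointer are assumptions about XP SP3 x86 and are marked as such in the comments; the post's own `!handle` output (entry 000c: 822e4c6b with ObjectHeader 822e4c68) is why the code masks the low three bits instead of subtracting 1. It also covers the two cases the post flags: a handle whose object has no name (NameInfoOffset 0) and a TableCode with its low bits set (a multi-level table).

```c
/* Added example, not code from the original thread: walk an XP SP3 x86 _HANDLE_TABLE
 * from TableCode to a handle's _HANDLE_TABLE_ENTRY, mask the Object pointer to reach
 * _OBJECT_HEADER, then read _OBJECT_HEADER_NAME_INFO if NameInfoOffset is non-zero. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit "kernel memory"; every address below is an assumption. */
#define IMG_BASE 0xe1000000u
#define IMG_SIZE 0x5000u
static uint8_t img[IMG_SIZE];
#define HT_VA    0xe1000000u      /* _HANDLE_TABLE, TableCode at +0x000                 */
#define L0_VA    0xe1001000u      /* one page of 8-byte _HANDLE_TABLE_ENTRYs            */
#define L1_VA    0xe1004000u      /* one page of pointers to L0 pages                   */
#define HDR_A    0xe1002010u      /* _OBJECT_HEADER of a named KeyedEvent               */
#define NI_A     (HDR_A - 0x10u)  /* its _OBJECT_HEADER_NAME_INFO (NameInfoOffset 0x10) */
#define HDR_B    0xe1002100u      /* _OBJECT_HEADER of an unnamed Event                 */
#define NAME_BUF 0xe1003000u      /* UTF-16LE name buffer                               */

static int mapped(uint32_t va, uint32_t n) { return va >= IMG_BASE && va - IMG_BASE + n <= IMG_SIZE; }
static uint32_t rd32(uint32_t va) { uint32_t v = 0; if (mapped(va, 4)) memcpy(&v, img + (va - IMG_BASE), 4); return v; }
static uint16_t rd16(uint32_t va) { uint16_t v = 0; if (mapped(va, 2)) memcpy(&v, img + (va - IMG_BASE), 2); return v; }
static void wr32(uint32_t va, uint32_t v) { memcpy(img + (va - IMG_BASE), &v, 4); }
static void wr16(uint32_t va, uint16_t v) { memcpy(img + (va - IMG_BASE), &v, 2); }

/* XP x86 geometry (assumed): 512 entries per L0 page, 1024 L0 pointers per L1 page,
 * 32 L1 pointers in the L2 table; the low 2 bits of TableCode give the level count. */
#define L0_ENTRIES 512u
#define L1_ENTRIES 1024u
#define L2_ENTRIES 32u

/* VA of the _HANDLE_TABLE_ENTRY for `handle`, or 0 if the handle is malformed, beyond
 * what this level can address, or falls in a sub-table that was never allocated. */
static uint32_t handle_entry_va(uint32_t table_code, uint32_t handle) {
    static const uint32_t limit[3] = { L0_ENTRIES, L0_ENTRIES * L1_ENTRIES, L0_ENTRIES * L1_ENTRIES * L2_ENTRIES };
    uint32_t level = table_code & 3u, table = table_code & ~3u;
    uint32_t idx = handle >> 2;           /* handles are multiples of 4; index 0 is reserved */
    uint32_t i0 = idx % L0_ENTRIES, i1 = (idx / L0_ENTRIES) % L1_ENTRIES, i2 = idx / (L0_ENTRIES * L1_ENTRIES);
    if (idx == 0 || (handle & 3u) || level > 2 || idx >= limit[level]) return 0;
    if (level == 2) table = rd32(table + i2 * 4);            /* L2 page -> L1 page */
    if (level >= 1 && table) table = rd32(table + i1 * 4);   /* L1 page -> L0 page */
    return table ? table + i0 * 8 : 0;
}

/* The entry's Object field keeps the lock bit and OBJ_* attribute bits in its low 3 bits,
 * so mask instead of subtracting 1: e10094a9 -> e10094a8, but also 822e4c6b -> 822e4c68. */
static uint32_t object_header_from_entry(uint32_t entry_va) {
    uint32_t obj = rd32(entry_va);
    return obj ? (obj & ~7u) : 0;         /* 0 = free entry */
}

#define OH_NAMEINFOOFFSET 0x0c            /* UCHAR _OBJECT_HEADER.NameInfoOffset         */
#define NI_NAME           0x04            /* _UNICODE_STRING in _OBJECT_HEADER_NAME_INFO */

/* Copy the object's name (low byte of each UTF-16 unit) into out.
 * Returns 1 if named, 0 if the header carries no _OBJECT_HEADER_NAME_INFO. */
static int object_name(uint32_t hdr, char *out, size_t cap) {
    uint8_t off = (uint8_t)rd16(hdr + OH_NAMEINFOOFFSET);   /* low byte = NameInfoOffset */
    out[0] = 0;
    if (off == 0) return 0;               /* not every object is named */
    uint32_t ni = hdr - off;              /* optional headers sit *before* _OBJECT_HEADER */
    size_t n = rd16(ni + NI_NAME) / 2;    /* UNICODE_STRING.Length is in bytes */
    uint32_t buf = rd32(ni + NI_NAME + 4);                   /* UNICODE_STRING.Buffer */
    if (n >= cap) n = cap - 1;
    for (size_t i = 0; i < n; i++) out[i] = (char)rd16(buf + (uint32_t)i * 2);
    out[n] = 0;
    return 1;
}

/* handle -> name via the _HANDLE_TABLE at table_va: 1 named, 0 unnamed,
 * -1 if the handle does not resolve to an object at all. */
static int lookup_handle_name(uint32_t table_va, uint32_t handle, char *out, size_t cap) {
    uint32_t entry = handle_entry_va(rd32(table_va), handle);   /* TableCode is at +0 */
    uint32_t hdr = entry ? object_header_from_entry(entry) : 0;
    if (!hdr) { out[0] = 0; return -1; }
    return object_name(hdr, out, cap);
}

/* Populate the image. With two_level set, TableCode points at an L1 page (low bits = 1)
 * whose slot 0 holds the L0 page, like the e12a0001 case in the post. Values are constructed. */
static void build_image(int two_level) {
    static const char name[] = "CritSecOutOfMemoryEvent";
    uint16_t len = (uint16_t)(strlen(name) * 2);
    memset(img, 0, sizeof img);
    wr32(L1_VA, L0_VA); wr32(HT_VA, two_level ? (L1_VA | 1u) : L0_VA);
    wr32(L0_VA + 1 * 8, HDR_A | 1u); wr32(L0_VA + 1 * 8 + 4, 0x000f0003u);  /* handle 4: lock bit     */
    wr32(L0_VA + 2 * 8, HDR_B | 3u); wr32(L0_VA + 2 * 8 + 4, 0x001f0003u);  /* handle 8: lock|Inherit */
    wr32(HDR_A, 30); wr32(HDR_A + 4, 29);                        /* PointerCount, HandleCount */
    wr16(HDR_A + OH_NAMEINFOOFFSET, 0x0010);                     /* NameInfoOffset=0x10, HandleInfoOffset=0 */
    wr32(NI_A, 0xe1004748u);                                     /* Directory */
    wr16(NI_A + NI_NAME, len); wr16(NI_A + NI_NAME + 2, (uint16_t)(len + 2)); wr32(NI_A + NI_NAME + 4, NAME_BUF);
    for (uint32_t i = 0; name[i]; i++) wr16(NAME_BUF + i * 2, (uint16_t)name[i]);
    wr32(HDR_B, 2); wr32(HDR_B + 4, 1);                          /* unnamed: NameInfoOffset stays 0 */
}

int main(void) {
    char name[64]; build_image(1);        /* two-level table: TableCode low bits = 1 */
    for (uint32_t h = 4; h <= 0xc; h += 4) {
        int r = lookup_handle_name(HT_VA, h, name, sizeof name);
        printf("handle %04x -> %s\n", h, r == 1 ? name : r == 0 ? "<unnamed>" : "<no object>");
    }
    return 0;
}
```

The three return codes of lookup_handle_name separate the cases a practitioner actually hits when automating this: a named object, an object that simply has no _OBJECT_HEADER_NAME_INFO (the post's question 1), and a handle value that never reaches an object because it is malformed, past the table's capacity for its level, or sits in a free entry.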