There is some background on object management in Windows Internals, Chapter 3.
The Windows Object Manager controls objects that are part of the kernel-mode operating system. An object is a collection of data that the operating system manages.
Kernel-mode objects can be referenced by pointers. An object may have an object name. For more information about object names, see Object Names.
User-mode programmers can reference objects only through indirection, using a handle. If an object has a name, you can use it to obtain the handle in user mode. For more information about handles, see Object Handles.
Kernel-mode objects have a very specific life-cycle. For more information about object life-cycles, see Life Cycle of an Object.
Object security is a prime concern for kernel-mode programming. For more information on object security, see Object Security.
There are two ways to investigate Windows objects:
1. the WinObj.exe utility from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb896657
2. the !object command in WinDbg
How to implement !object by hand
Root directory object address: the nt!ObpRootDirectoryObject global, a pointer to the root OBJECT_DIRECTORY.
// http://www.nirsoft.net/kernel_struct/vista/OBJECT_DIRECTORY.html
typedef struct _OBJECT_DIRECTORY {
    POBJECT_DIRECTORY_ENTRY HashBuckets[37];
    EX_PUSH_LOCK Lock;
    PDEVICE_MAP DeviceMap;
    ULONG SessionId;
    PVOID NamespaceEntry;
    ULONG Flags;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

typedef struct _OBJECT_DIRECTORY_ENTRY {
    POBJECT_DIRECTORY_ENTRY ChainLink;
    PVOID Object;
    ULONG HashValue;
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;

typedef struct _OBJECT_HEADER_NAME_INFO {
    POBJECT_DIRECTORY Directory;
    UNICODE_STRING Name;
    ULONG QueryReferences;
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;

ObpRootDirectoryObject is a pointer, so the first quadword at its address (fffff8a0`00005b40) is the root directory itself:

0: kd> dq ObpRootDirectoryObject
fffff800`02e25790  fffff8a0`00005b40 fffffa80`03691c90
fffff800`02e257a0  fffffa80`03691de0 fffffa80`03691f30
fffff800`02e257b0  00000000`00000000 00000000`00000000
fffff800`02e257c0  fffffa80`03691f30 fffffa80`03691de0
fffff800`02e257d0  fffffa80`03691c90 fffffa80`03691980
fffff800`02e257e0  fffffa80`0368ba70 fffffa80`0368b920
fffff800`02e257f0  fffffa80`0368b7d0 fffffa80`0368b680
fffff800`02e25800  fffffa80`0368b530 fffffa80`0368b2e0

Dump the root directory as an _OBJECT_DIRECTORY. The 37 HashBuckets are heads of singly linked chains of _OBJECT_DIRECTORY_ENTRY; empty buckets are (null):

0: kd> dt _OBJECT_DIRECTORY 0xfffff8a0`00005b40 -b
nt!_OBJECT_DIRECTORY
   +0x000 HashBuckets :
    [00] (null)
    [01] 0xfffff8a0`000059a0
    [02] (null)
    [03] (null)
    [04] (null)
    [05] 0xfffff8a0`001e11e0
    [06] 0xfffff8a0`00278a90
    [07] (null)
    [08] 0xfffff8a0`0000be30
    [09] 0xfffff8a0`000909f0
    [10] 0xfffff8a0`00008bd0
    [11] 0xfffff8a0`00276d00
    [12] (null)
    [13] 0xfffff8a0`06fbb8d0
    [14] 0xfffff8a0`001bf6b0
    [15] 0xfffff8a0`004cc250
    [16] 0xfffff8a0`000086d0
    [17] 0xfffff8a0`038221c0
    [18] 0xfffff8a0`0000b390
    [19] 0xfffff8a0`00105bb0
    [20] 0xfffff8a0`00074cc0
    [21] 0xfffff8a0`015213b0
    [22] 0xfffff8a0`0381f1c0
    [23] 0xfffff8a0`00005770
    [24] (null)
    [25] (null)
    [26] 0xfffff8a0`00008450
    [27] (null)
    [28] 0xfffff8a0`0000a9a0
    [29] 0xfffff8a0`01b3a830
    [30] 0xfffff8a0`0000bc50
    [31] (null)
    [32] (null)
    [33] (null)
    [34] 0xfffff8a0`00274050
    [35] (null)
    [36] 0xfffff8a0`00073b00
   +0x128 Lock : _EX_PUSH_LOCK
      +0x000 Locked : 0y0
      +0x000 Waiting : 0y0
      +0x000 Waking : 0y0
      +0x000 MultipleShared : 0y0
      +0x000 Shared : 0y000000000000000000000000000000000000000000000000000000000000 (0)
      +0x000 Value : 0
      +0x000 Ptr : (null)
   +0x130 DeviceMap : (null)
   +0x138 SessionId : 0xffffffff
   +0x140 NamespaceEntry : (null)
   +0x148 Flags : 0
Bucket [01] is non-empty, so dump its first entry. ChainLink is null here, meaning this bucket holds a single entry; a non-null ChainLink would point to the next entry in the same bucket:

0: kd> dt _OBJECT_DIRECTORY_ENTRY 0xfffff8a0`000059a0
nt!_OBJECT_DIRECTORY_ENTRY
   +0x000 ChainLink : (null)
   +0x008 Object : 0xfffff8a0`00005560 Void
   +0x010 HashValue : 0x6c1c47fb

The Object field is the address of the object body, not its header. !object locates the _OBJECT_HEADER in front of the body (fffff8a000005530, 0x30 bytes below the body on this build), reads the name information, and, because this object is itself a Directory, lists its contents bucket by bucket:

0: kd> !object 0xfffff8a0`00005560
Object: fffff8a000005560 Type: (fffffa8003691de0) Directory
ObjectHeader: fffff8a000005530 (new version)
HandleCount: 0 PointerCount: 44
Directory Object: fffff8a000005b40 Name: ObjectTypes
Hash  Address           Type  Name
----  -------           ----  ----
00    fffffa8003721f30  Type  TmTm
01    fffffa8003718660  Type  Desktop
      fffffa800368b920  Type  Process
03    fffffa800368b2e0  Type  DebugObject
04    fffffa800371f080  Type  TpWorkerFactory
05    fffffa800371ff30  Type  Adapter
      fffffa8003691980  Type  Token
08    fffffa8003711570  Type  EventPair
09    fffffa800514a620  Type  PcwObject
      fffffa8003750350  Type  WmiGuid
11    fffffa8003752350  Type  EtwRegistration
12    fffffa8003724570  Type  Session
      fffffa8003718ba0  Type  Timer
13    fffffa800370f270  Type  Mutant
16    fffffa800371f9f0  Type  IoCompletion
17    fffffa80037187b0  Type  WindowStation
      fffffa8003718a50  Type  Profile
18    fffffa800371f8a0  Type  File
21    fffffa8003718cf0  Type  Semaphore
23    fffffa8003753350  Type  EtwConsumer
25    fffffa8003721de0  Type  TmTx
      fffffa8003691c90  Type  SymbolicLink
26    fffffa800372b660  Type  Key
      fffffa8003718900  Type  KeyedEvent
      fffffa800370f120  Type  Callback
      fffffa8005108a80  Type  FilterConnectionPort
28    fffffa800368b680  Type  UserApcReserve
      fffffa800368ba70  Type  Job
29    fffffa800371fde0  Type  Controller
      fffffa800368b530  Type  IoCompletionReserve
30    fffffa800371fc90  Type  Device
      fffffa8003691de0  Type  Directory
31    fffffa8003723570  Type  Section
      fffffa8003721b40  Type  TmEn
      fffffa800368b7d0  Type  Thread
32    fffffa8003691f30  Type  Type
33    fffffa8005108930  Type  FilterCommunicationPort
      fffffa8003731840  Type  PowerRequest
35    fffffa8003721c90  Type  TmRm
      fffffa8003710570  Type  Event
36    fffffa8003730ba0  Type  ALPC Port
      fffffa800371fb40  Type  Driver

A blank Hash cell means the entry is chained (via ChainLink) in the same bucket as the line above; !object prints the bucket index only once per bucket. The addresses in this listing are the type objects themselves: fffffa8003691de0 is the Directory type that the !object header line above reported as "Type: (fffffa8003691de0) Directory", and the same addresses appear in the quadwords following ObpRootDirectoryObject in the dq dump.
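The walk above can be reproduced in user mode as a model, which makes the bucket-and-chain layout behind the !object listing concrete. The following is an added example and is not code from the original post: it declares the OBJECT_DIRECTORY and OBJECT_DIRECTORY_ENTRY layouts quoted above, stores only object body addresses in the directory (as the kernel does), and enumerates by visiting all 37 buckets and following each ChainLink, printing the bucket index once per bucket like !object. Assumptions, all labelled in the code: names are char* rather than UNICODE_STRING, model_hash() is a stand-in and not the kernel's hash algorithm, the 0x30-byte header size is taken from the ObjectHeader/Object delta in the output above, and the sample directory is constructed from the 42 type names in the listing (more entries than buckets, so at least one bucket must chain).

```c
/* Added example, not code from the original post: a user-mode model of the directory
 * structures quoted above, enumerated the way !object does (all 37 HashBuckets, then each
 * ChainLink). Assumed: the page's struct layouts, char* names instead of UNICODE_STRING,
 * a stand-in hash that is NOT the kernel's, and a sample built from the listing above. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#define NUMBER_HASH_BUCKETS 37
typedef struct _OBJECT_DIRECTORY_ENTRY {
    struct _OBJECT_DIRECTORY_ENTRY *ChainLink; /* next entry in the same bucket */
    void *Object;                               /* object body (not header) address */
    uint32_t HashValue;                         /* bucket index = HashValue % 37 */
} OBJECT_DIRECTORY_ENTRY;
typedef struct _OBJECT_DIRECTORY { /* Lock, DeviceMap, SessionId, ... omitted: unused here */
    OBJECT_DIRECTORY_ENTRY *HashBuckets[NUMBER_HASH_BUCKETS];
} OBJECT_DIRECTORY;
typedef struct _OBJECT_HEADER_NAME_INFO {
    OBJECT_DIRECTORY *Directory;
    const char *Name;
} OBJECT_HEADER_NAME_INFO;

/* One object as allocated: name info, a 0x30-byte header (the ObjectHeader/Object delta in
 * the !object output above), then the body; only the body address goes in the directory. */
typedef struct _MODEL_OBJECT {
    OBJECT_DIRECTORY_ENTRY Entry;      /* the directory entry that lists this object */
    OBJECT_HEADER_NAME_INFO NameInfo;
    struct { const char *TypeName; unsigned char Pad[0x30 - sizeof(char *)]; } Header;
    unsigned char Body[8];
} MODEL_OBJECT;
#define OBJECT_FROM_BODY(b) ((MODEL_OBJECT *)((char *)(b) - offsetof(MODEL_OBJECT, Body)))
uint32_t model_hash(const char *name) /* stand-in only; the kernel's formula differs */
{
    uint32_t h = 0;
    for (; *name; name++) h = h * 33u + (unsigned char)*name;
    return h;
}

/* Link an object into a directory: bucket from the hash, push at the chain head. */
void directory_insert(OBJECT_DIRECTORY *dir, MODEL_OBJECT *obj)
{
    uint32_t hash = model_hash(obj->NameInfo.Name);
    OBJECT_DIRECTORY_ENTRY **bucket = &dir->HashBuckets[hash % NUMBER_HASH_BUCKETS];
    obj->Entry.Object = obj->Body;
    obj->Entry.HashValue = hash;
    obj->Entry.ChainLink = *bucket;
    *bucket = &obj->Entry;
    obj->NameInfo.Directory = dir;
}

/* Enumerate like !object: bucket index printed once per bucket, blank for chained entries
 * (the empty Hash cells above). out == NULL only counts; *longest gets the longest chain. */
int directory_enumerate(OBJECT_DIRECTORY *dir, FILE *out, int *longest)
{
    int count = 0, max = 0, n, i;
    OBJECT_DIRECTORY_ENTRY *e;
    for (i = 0; i < NUMBER_HASH_BUCKETS; i++) {
        for (n = 0, e = dir->HashBuckets[i]; e; e = e->ChainLink, n++) {
            MODEL_OBJECT *o = OBJECT_FROM_BODY(e->Object);
            if (!out) continue;
            if (n) fputs("   ", out); else fprintf(out, "%02d ", i);
            fprintf(out, "%p %s %s\n", e->Object, o->Header.TypeName, o->NameInfo.Name);
        }
        count += n; if (n > max) max = n;
    }
    if (longest) *longest = max;
    return count;
}

/* Constructed sample: the \ObjectTypes directory listed above, 42 objects of type "Type"
 * (more entries than buckets, so at least one bucket must chain). Built once. */
static const char *const k_type_names[] = {
    "TmTm", "Desktop", "Process", "DebugObject", "TpWorkerFactory", "Adapter", "Token",
    "EventPair", "PcwObject", "WmiGuid", "EtwRegistration", "Session", "Timer", "Mutant",
    "IoCompletion", "WindowStation", "Profile", "File", "Semaphore", "EtwConsumer", "TmTx",
    "SymbolicLink", "Key", "KeyedEvent", "Callback", "FilterConnectionPort", "UserApcReserve",
    "Job", "Controller", "IoCompletionReserve", "Device", "Directory", "Section", "TmEn",
    "Thread", "Type", "FilterCommunicationPort", "PowerRequest", "TmRm", "Event", "ALPC Port",
    "Driver" };
#define SAMPLE_COUNT (sizeof k_type_names / sizeof k_type_names[0])
static MODEL_OBJECT g_objects[SAMPLE_COUNT]; static OBJECT_DIRECTORY g_object_types; static int g_built;
OBJECT_DIRECTORY *build_sample_object_types(void)
{
    size_t i;
    if (g_built) return &g_object_types;
    for (i = 0; i < SAMPLE_COUNT; i++) {
        g_objects[i].NameInfo.Name = k_type_names[i];
        g_objects[i].Header.TypeName = "Type";
        directory_insert(&g_object_types, &g_objects[i]);
    }
    g_built = 1;
    return &g_object_types;
}
int main(void)
{
    int longest, n = directory_enumerate(build_sample_object_types(), stdout, &longest);
    printf("%d entries, longest chain %d\n", n, longest);
    return 0;
}
```

Because the stand-in hash differs from the kernel's, the sample's entries land in different buckets than the real listing, but the shape is the same: a bucket index appears once, every further row in that bucket is a ChainLink hop, and each printed name was reached by stepping back from the stored body address to the header and its name information, which is exactly the dt/!object sequence performed by hand above.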