MYDN
How to View Kernel Objects
Ring0
2009. 10. 9. 11:24
kd> !process 0140 0
Searching for Process with Cid == 140
Cid Handle table at e1003000 with 256 Entries in use
PROCESS 81f32be0 SessionId: none Cid: 0140 Peb: 7ffd9000 ParentCid: 0004
DirBase: 037d0000 ObjectTable: e100f658 HandleCount: 18.
Image: smss.exe
kd> dt nt!_HANDLE_TABLE e100f658
nt!_HANDLE_TABLE
+0x000 TableCode : 0xe1293000
+0x004 QuotaProcess : 0x81f32be0 _EPROCESS
+0x008 UniqueProcessId : 0x00000140
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0xe1374a4c - 0xe1000d84 ]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0
+0x030 FirstFree : 0x50
+0x034 LastFree : 0
+0x038 NextHandleNeedingPool : 0x800
+0x03c HandleCount : 18
+0x040 Flags : 0
+0x040 StrictFIFO : 0y0
kd> dd 0xe1293000
e1293000 00000000 fffffffe e1008591 000f0003
e1293010 81ecdd53 00100020 e1350639 001f0001
e1293020 e14a7bb1 001f0001 e1009e89 000f000f
e1293030 e1387dc1 000f000f 81ed2691 00100001
e1293040 e1004fc9 000f0001 e137c9f9 000f000f
e1293050 81efa4f1 001f0003 e13c5459 00020006
e1293060 81f827e9 001f0003 81f8c009 001f0fff
e1293070 81f8c009 00000400 e13fd539 001f0001
kd> dt nt!_HANDLE_TABLE_ENTRY
+0x000 Object : Ptr32 Void
+0x000 ObAttributes : Uint4B
+0x000 InfoTable : Ptr32 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : Uint4B
+0x004 GrantedAccess : Uint4B
+0x004 GrantedAccessIndex : Uint2B
+0x006 CreatorBackTraceIndex : Uint2B
+0x004 NextFreeTableEntry : Int4B
kd> dt nt!_OBJECT_HEADER e1008591&0xfffffffc
+0x000 PointerCount : 17
+0x004 HandleCount : 16
+0x004 NextToFree : 0x00000010
+0x008 Type : 0x81fb5040 _OBJECT_TYPE
+0x00c NameInfoOffset : 0x10 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x32 '2'
+0x010 ObjectCreateInfo : 0x00000001 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x00000001
+0x014 SecurityDescriptor : 0xe100a77a
+0x018 Body : _QUAD
kd> dt nt!_OBJECT_TYPE 0x81fb5040
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x81fb5078 - 0x81fb5078 ]
+0x040 Name : _UNICODE_STRING "KeyedEvent"
+0x048 DefaultObject : 0x80561b40
+0x04c Index : 0x10
+0x050 TotalNumberOfObjects : 1
+0x054 TotalNumberOfHandles : 0x10
+0x058 HighWaterNumberOfObjects : 1
+0x05c HighWaterNumberOfHandles : 0x11
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x6579654b
+0x0b0 ObjectLocks : [4] _ERESOURCE
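The session above goes from the process's ObjectTable to TableCode, reads the 8-byte _HANDLE_TABLE_ENTRY slots with dd, and masks the first dword to reach the _OBJECT_HEADER. The sketch below is an added example, not part of the original post: it decodes every slot in that dd output the same way. The function names are hypothetical; it assumes the single-level table shown, that a handle value is the slot index times 4, and it reuses the page's 0xfffffffc mask and the 0x18 Body offset.

```python
import re

# Constructed input: the eight `dd 0xe1293000` rows copied from the session above.
DD_DUMP = """\
e1293000 00000000 fffffffe e1008591 000f0003
e1293010 81ecdd53 00100020 e1350639 001f0001
e1293020 e14a7bb1 001f0001 e1009e89 000f000f
e1293030 e1387dc1 000f000f 81ed2691 00100001
e1293040 e1004fc9 000f0001 e137c9f9 000f000f
e1293050 81efa4f1 001f0003 e13c5459 00020006
e1293060 81f827e9 001f0003 81f8c009 001f0fff
e1293070 81f8c009 00000400 e13fd539 001f0001
"""
ENTRY_SIZE = 8         # _HANDLE_TABLE_ENTRY: Object at +0x000, GrantedAccess at +0x004
PTR_MASK = 0xFFFFFFFC  # mask the session applies before dt nt!_OBJECT_HEADER
BODY_OFFSET = 0x18     # _OBJECT_HEADER.Body offset in the dt output

def parse_dd(text):
    """Return (base_address, dwords) from contiguous `dd` rows."""
    base, dwords = None, []
    rows = [line.split() for line in text.splitlines() if line.strip()]
    for fields in rows:
        if not all(re.fullmatch(r"[0-9a-fA-F]{8}", f) for f in fields):
            raise ValueError(f"not a dd row: {fields!r}")
        addr = int(fields[0], 16)
        if base is None:
            base = addr
        elif addr != base + 4 * len(dwords):
            raise ValueError(f"gap before row {fields[0]}")
        dwords.extend(int(f, 16) for f in fields[1:])
    return base, dwords

def decode_entries(text):
    """Decode each 8-byte slot that holds an object pointer."""
    base, dwords = parse_dd(text)
    entries = []
    for index in range(len(dwords) // 2):
        value, access = dwords[2 * index], dwords[2 * index + 1]
        if value == 0:  # no object in this slot (slot 0 here); +0x004 is not an access mask
            continue
        header = value & PTR_MASK  # assumption: handle value = slot index * 4
        entries.append({"handle": index * 4, "entry": base + index * ENTRY_SIZE,
                        "header": header, "body": header + BODY_OFFSET,
                        "low_bits": value & 3, "access": access})
    return entries

if __name__ == "__main__":
    for e in decode_entries(DD_DUMP):
        print(f"handle {e['handle']:#06x}  header {e['header']:08x}  body {e['body']:08x}"
              f"  low_bits {e['low_bits']}  access {e['access']:08x}")
```

Each printed header address can be passed to dt nt!_OBJECT_HEADER, and its Type pointer to dt nt!_OBJECT_TYPE, exactly as the session does for the first entry.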