今天利用Windbg(x86)进行了获得句柄表的调试,从中获益良多,对调试步骤和按键又一次进行了熟悉,对于句柄表的概念更是得到了进一步的清晰认识
3: kd> dt _EProcess 891ad030
nt!_EPROCESS
+0x0f4 ObjectTable : 0x9eca0ef0 _HANDLE_TABLE
3: kd> dt _HANDLE_TABLE 0x9eca0ef0
nt!_HANDLE_TABLE
+0x000 TableCode : 0x83b15001 //00 01 10 11
+0x004 QuotaProcess : 0x891ad030 _EPROCESS
+0x008 UniqueProcessId : 0x000008f0 Void
+0x00c HandleLock : _EX_PUSH_LOCK
+0x010 HandleTableList : _LIST_ENTRY [ 0xa5adf668 - 0x90347b38 ]
+0x018 HandleContentionEvent : _EX_PUSH_LOCK
+0x01c DebugInfo : (null)
+0x020 ExtraInfoPages : 0n0
+0x024 Flags : 0
+0x024 StrictFIFO : 0y0
+0x028 FirstFreeHandle : 0xb04
+0x02c LastFreeHandleEntry : 0xa73f6ff8 _HANDLE_TABLE_ENTRY
+0x030 HandleCount : 0x29d
+0x034 NextHandleNeedingPool : 0x1000
+0x038 HandleCountHighWatermark : 0x2f5
3: kd> dd 0x83b15000
83b15000 8f46f000 a73f6000 00000000 00000000
3: kd> dd 8f46f000
8f46f000 00000000 fffffffe 8e3ed141 00000003 //8个字节为一个_HANDLE_TABLE_ENTRY结构体
8f46f010 8a25bca9 00100020 8a3eb621 00100020 //第一组是"垃圾"
8f46f020 9ec983c1 00020019 88ed6109 001f0001 //_HANDLE_TABLE_ENTRY中的第一个成员&8 就是_Object_Header
8f46f030 8a414881 001f0001 8f5ff521 00020019
8f46f040 8a414841 001f0003 8a28af29 021f0003
8f46f050 8a120a81 000f037f 88e2ded1 000f01ff
8f46f060 8a120a81 000f037f 9eda6171 00000001
8f46f070 8a2a0a71 00000804 88d2bac1 00000804
3: kd> dt _HANDLE_TABLE_ENTRY 8f46f020
nt!_HANDLE_TABLE_ENTRY
+0x000 Object : 0x9ec983c1 Void
+0x000 ObAttributes : 0x9ec983c1
+0x000 InfoTable : 0x9ec983c1 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : 0x9ec983c1
+0x004 GrantedAccess : 0x20019
+0x004 GrantedAccessIndex : 0x19
+0x006 CreatorBackTraceIndex : 2
+0x004 NextFreeTableEntry : 0x20019
//88ed6109&8 这个重要
3: kd> dt _object_header 88ed6108
nt!_OBJECT_HEADER
+0x000 PointerCount : 0n3
+0x004 HandleCount : 0n1
+0x004 NextToFree : 0x00000001 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : 0x24 '$'
+0x00d TraceFlags : 0 ''
+0x00e InfoMask : 0xc ''
+0x00f Flags : 0x40 '@'
+0x010 ObjectCreateInfo : 0x8a184340 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x8a184340 Void
+0x014 SecurityDescriptor : (null)
+0x018 Body : _QUAD
3: kd> !object 88ed6108+0x18
Object: 88ed6120 Type: (8792e040) ALPC Port
ObjectHeader: 88ed6108 (new version)
HandleCount: 1 PointerCount: 3