Windows系統的各種資源以物件(Object)的形式來組織,例如File Object、Driver Object、Device Object等等;但實際上這些所謂的「物件」在系統的物件管理器(Object Manager)看來只是完整物件的一部分——物件實體(Object Body)。Windows XP中有31種不同型別的物件。Object Body反映了某一型別物件的特徵資訊,例如檔案物件使用FILE_OBJECT結構描述、驅動物件使用DRIVER_OBJECT結構描述、裝置物件使用DEVICE_OBJECT結構描述等等;而各種Object共有的資訊(例如物件型別、物件的引用計數、控制程式碼數、指向安全描述元的SecurityDescriptor指標等)則儲存在OBJECT_HEADER與其他幾個結構中。換而言之,在物件管理器內部,不同型別的物件具有相同的Object Header,但Object Body部分卻是不同的。
先放上一張Windows Object完整的結構圖,其中OBJECT_HEADER的欄位與偏移取自Windows XP SP2 英文版(32位元,因此指標顯示為Ptr32)。這些偏移隨Windows版本與架構而異,在其他系統上分析前應先用WinDbg的`dt nt!_OBJECT_HEADER`在目標上重新確認,不要把下圖的偏移硬編碼到工具或驅動中。
+----------------------------------------------------------------+
+------->| ( OBJECT_HEADER_QUOTA_INFO ) |
| +---->| ( OBJECT_HEADER_HANDLE_INFO ) |
| | +->| ( OBJECT_HEADER_NAME_INFO ) |
| | | | ( OBJECT_HEADER_CREATOR_INFO ) |
| | | +------------------------[ Object Header ]-----------------------+
| | | | nt!_OBJECT_HEADER |
| | | | +0x000 PointerCount : Int4B |
| | | | +0x004 HandleCount : Int4B |
| | | | +0x004 NextToFree : Ptr32 Void |
| | | | +0x008 Type : Ptr32 _OBJECT_TYPE |
| | +--| +0x00c NameInfoOffset : UChar |
| +-----| +0x00d HandleInfoOffset : UChar |
+--------| +0x00e QuotaInfoOffset : UChar |
| +0x00f Flags : UChar |
| +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION |
| +0x010 QuotaBlockCharged : Ptr32 Void |
| +0x014 SecurityDescriptor : Ptr32 Void |
| +0x018 Body : _QUAD |
+-------------------------[ Object Body ]------------------------+
| OBJECT_DIRECTORY, DRIVER_OBJECT, DEVICE_OBJECT, FILE_OBJECT... |
+----------------------------------------------------------------+
一個物件由三部分組成:在Object Header之前是一段變長的區域,由下列四個可選的結構體組成,其中前三者的位置由OBJECT_HEADER中的NameInfoOffset、HandleInfoOffset、QuotaInfoOffset欄位給出,而OBJECT_HEADER_CREATOR_INFO在header中沒有對應的偏移欄位;接著是Object Header本身;最後才是Object Body。四個可選結構體的定義如下:
/*
 * Optional header block recording the pool quota charged for this object.
 * It sits in the variable-length area before OBJECT_HEADER and is located
 * via OBJECT_HEADER.QuotaInfoOffset.
 */
struct _OBJECT_HEADER_QUOTA_INFO {
    ULONG PagedPoolCharge;          /* paged-pool quota charged for the object */
    ULONG NonPagedPoolCharge;       /* non-paged-pool quota charged for the object */
    ULONG SecurityDescriptorCharge; /* quota charged for the object's security descriptor */
    PEPROCESS ExclusiveProcess;     /* NOTE(review): presumably the process the object is exclusive to; confirm against the object manager source */
#ifdef _WIN64
    ULONG64 Reserved;               /* Win64 requires these structures to be 16 byte aligned. */
#endif
};

typedef struct _OBJECT_HEADER_QUOTA_INFO OBJECT_HEADER_QUOTA_INFO;
typedef OBJECT_HEADER_QUOTA_INFO *POBJECT_HEADER_QUOTA_INFO;
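/*
 * Optional header block with per-process handle information for the object.
 * It sits in the variable-length area before OBJECT_HEADER and is located
 * via OBJECT_HEADER.HandleInfoOffset.
 *
 * The two members overlay each other in an anonymous union: either a single
 * inline entry or a pointer to a handle-count database is present.
 * NOTE(review): which alternative is in use is presumably decided by the
 * object manager from OBJECT_HEADER.Flags; confirm before interpreting it.
 *
 * The listing previously repeated the union/closing lines of this struct
 * after the typedef; that stray fragment was not a valid declaration and
 * has been dropped.
 */
typedef struct _OBJECT_HEADER_HANDLE_INFO {
    union {
        POBJECT_HANDLE_COUNT_DATABASE HandleCountDataBase; /* table of per-process handle counts */
        OBJECT_HANDLE_COUNT_ENTRY SingleEntry;             /* one inline (process, count) entry */
    };
} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO;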
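// begin_ntosp
/*
 * Optional header block holding the object's name and the object directory
 * it is linked into. It sits in the variable-length area before
 * OBJECT_HEADER and is located via OBJECT_HEADER.NameInfoOffset.
 *
 * Caveat: the layout depends on the build (DBG) and on the architecture
 * (_WIN64), so offsets into this structure must not be assumed to match
 * between checked and free builds or between x86 and x64.
 *
 * The listing previously contained this definition twice; a second
 * `struct _OBJECT_HEADER_NAME_INFO` definition is a redefinition error, so
 * the duplicate has been removed.
 */
typedef struct _OBJECT_HEADER_NAME_INFO {
    POBJECT_DIRECTORY Directory;   /* object directory that contains this name */
    UNICODE_STRING Name;           /* the object's name within that directory */
    ULONG QueryReferences;         /* NOTE(review): presumably a reference count taken by name queries; confirm */
#if DBG
    ULONG Reserved2;
    LONG DbgDereferenceCount;      /* checked builds only */
#ifdef _WIN64
    ULONG64 Reserved3;             /* Win64 requires these structures to be 16 byte aligned. */
#endif
#endif
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;
// end_ntosp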
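/*
 * Optional header block recording who created the object. Unlike the quota,
 * handle and name blocks, OBJECT_HEADER carries no *Offset field for it.
 *
 * The listing previously repeated the members and closing line of this
 * struct after the typedef; that fragment was not a valid declaration and
 * has been dropped.
 */
typedef struct _OBJECT_HEADER_CREATOR_INFO {
    LIST_ENTRY TypeList;            /* NOTE(review): presumably links objects of the same type; confirm */
    HANDLE CreatorUniqueProcess;    /* unique process id of the creator, stored as a HANDLE */
    USHORT CreatorBackTraceIndex;   /* NOTE(review): presumably an index into a stack-trace database; confirm */
    USHORT Reserved;
} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO;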