Reading Windows® Internals, Sixth Edition, Part 1 in full

You can look at the process object type data structure in the kernel debugger by first identifying a process object with the !process command:

    lkd> !process 0 0
    **** NT ACTIVE PROCESS DUMP ****
    PROCESS fffffa800279cae0
        SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
        DirBase: 00187000  ObjectTable: fffff8a000001920  HandleCount: 541.
        Image: System

Then execute the !object command with the process object address as the argument:

    lkd> !object fffffa800279cae0
    Object: fffffa800279cae0  Type: (fffffa8002755b60) Process
        ObjectHeader: fffffa800279cab0 (new version)
        HandleCount: 3  PointerCount: 172

Notice that on 32-bit Windows, the object header starts 0x18 (24 decimal) bytes prior to the start of the object body, and on 64-bit Windows, it starts 0x30 (48 decimal) bytes prior, which is the size of the object header itself. You can view the object header with this command:

    lkd> dt nt!_OBJECT_HEADER fffffa800279cab0
       +0x000 PointerCount : 172
       +0x008 HandleCount : 3
       +0x008 NextToFree : 0x00000000'00000003
       +0x010 Lock : _EX_PUSH_LOCK
       +0x018 TypeIndex : 0x7 ''
       +0x019 TraceFlags : 0 ''
       +0x01a InfoMask : 0 ''
       +0x01b Flags : 0x2 ''
       +0x020 ObjectCreateInfo : 0xfffff800'01c53a80 _OBJECT_CREATE_INFORMATION
       +0x020 QuotaBlockCharged : 0xfffff800'01c53a80
       +0x028 SecurityDescriptor : 0xfffff8a0'00004b29
       +0x030 Body : _QUAD

Now look at the object type data structure by obtaining its address from the ObTypeIndexTable table for the entry associated with the TypeIndex field of the object header data structure:

    lkd> ?? ((nt!_OBJECT_TYPE**)@@(nt!ObTypeIndexTable))[((nt!_OBJECT_HEADER*)0xfffffa800279cab0)->TypeIndex]
    struct _OBJECT_TYPE * 0xfffffa80'02755b60
       +0x000 TypeList : _LIST_ENTRY [ 0xfffffa80'02755b60 - 0xfffffa80'02755b60 ]
       +0x010 Name : _UNICODE_STRING "Process"
       +0x020 DefaultObject : (null)
       +0x028 Index : 0x7 ''
       +0x02c TotalNumberOfObjects : 0x38
       +0x030 TotalNumberOfHandles : 0x132
       +0x034 HighWaterNumberOfObjects : 0x3d
       +0x038 HighWaterNumberOfHandles : 0x13c
       +0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
       +0x0b0 TypeLock : _EX_PUSH_LOCK
       +0x0b8 Key : 0x636f7250
       +0x0c0 CallbackList : _LIST_ENTRY [ 0xfffffa80'02755c20 - 0xfffffa80'02755c20 ]

The output shows that the object type structure includes the name of the object type, tracks the total number of active objects of that type, and tracks the peak number of handles and objects of that type. The CallbackList also keeps track of any object manager filtering callbacks that are associated with this object type. The TypeInfo field stores the pointer to the data structure that stores attributes common to all objects of the object type as well as pointers to the object type's methods:

    lkd> ?? ((nt!_OBJECT_TYPE*)0xfffffa8002755b60)->TypeInfo
       +0x000 Length : 0x70
       +0x002 ObjectTypeFlags : 0x4a 'J'
       +0x002 CaseInsensitive : 0y0
       +0x002 UnnamedObjectsOnly : 0y1
       +0x002 UseDefaultObject : 0y0
       +0x002 SecurityRequired : 0y1
       +0x002 MaintainHandleCount : 0y0
       +0x002 MaintainTypeList : 0y0
       +0x002 SupportsObjectCallbacks : 0y1
       +0x004 ObjectTypeCode : 0
       +0x008 InvalidAttributes : 0xb0
       +0x00c GenericMapping : _GENERIC_MAPPING
       +0x01c ValidAccessMask : 0x1fffff
       +0x020 RetainAccess : 0x101000
       +0x024 PoolType : 0 ( NonPagedPool )
       +0x028 DefaultPagedPoolCharge : 0x1000
       +0x02c DefaultNonPagedPoolCharge : 0x528
       +0x030 DumpProcedure : (null)
       +0x038 OpenProcedure : 0xfffff800'01d98d58 long nt!PspProcessOpen+0
       +0x040 CloseProcedure : 0xfffff800'01d833c4 void nt!PspProcessClose+0
       +0x048 DeleteProcedure : 0xfffff800'01d83090 void nt!PspProcessDelete+0
       +0x050 ParseProcedure : (null)
       +0x058 SecurityProcedure : 0xfffff800'01d8bb50 long nt!SeDefaultObjectMethod+0
       +0x060 QueryNameProcedure : (null)
       +0x068 OkayToCloseProcedure : (null)

Type objects can’t be manipulated from user mode because the object manager supplies no services for them. However, some of the attributes they define are visible through certain native services and through Windows API routines. The information stored in the type initializers is described in Table 3-14.
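The walk the debugger session above performs by hand (body address, minus the header size, to _OBJECT_HEADER; TypeIndex into ObTypeIndexTable; then the type initializer's flags, key and valid access mask) can be written down as code. The following is an added example and is not from the book: it operates on a constructed byte image of the x64 Windows 7 header printed above, not on live kernel memory, and its type_table is a stand-in for nt!ObTypeIndexTable with only the entry the page shows (index 7, Process) filled in. The decode_type_index helper and its cookie parameter are illustrative; the XOR decode it performs applies to Windows 10 and later, where the stored TypeIndex byte is obfuscated with nt!ObHeaderCookie and the second byte of the header address, and is a no-op for the Windows 7 system on this page.

```c
/* Added example, not from the book: walk from the object-body address the debugger
 * printed to the _OBJECT_HEADER in front of it, then to the type entry, using the
 * x64 Windows 7 offsets shown in the dt output above.  Runs over a constructed byte
 * image, not live kernel memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJECT_HEADER_SIZE_X64 0x30   /* header precedes the body by 0x30 bytes on x64 */
#define OBJECT_HEADER_SIZE_X86 0x18   /* ... and by 0x18 bytes on x86 */

/* Offsets within nt!_OBJECT_HEADER (x64, Windows 7) as listed by dt */
enum { OH_POINTERCOUNT = 0x00, OH_HANDLECOUNT = 0x08, OH_TYPEINDEX = 0x18,
       OH_INFOMASK = 0x1a, OH_FLAGS = 0x1b, OH_SECURITYDESCRIPTOR = 0x28 };

/* Bits of _OBJECT_TYPE_INITIALIZER.ObjectTypeFlags, in the order dt prints them (bit 0 first) */
static const char *flag_names[] = { "CaseInsensitive", "UnnamedObjectsOnly", "UseDefaultObject",
    "SecurityRequired", "MaintainHandleCount", "MaintainTypeList", "SupportsObjectCallbacks" };

static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];   /* little-endian */
    return v;
}

/* The debugger gives the body address; the header is immediately in front of it. */
uint64_t header_from_body(uint64_t body, int is_x64) {
    return body - (is_x64 ? OBJECT_HEADER_SIZE_X64 : OBJECT_HEADER_SIZE_X86);
}

/* Windows 7 uses TypeIndex as-is (has_cookie == 0).  Caveat for Windows 10 and later:
 * the stored byte is XORed with nt!ObHeaderCookie and the second byte of the header
 * address, so it must be decoded first; the cookie is supplied by the caller here. */
uint8_t decode_type_index(uint8_t raw, uint64_t header_addr, int has_cookie, uint8_t cookie) {
    if (!has_cookie) return raw;
    return (uint8_t)(raw ^ cookie ^ (uint8_t)(header_addr >> 8));
}

/* Stand-in for nt!ObTypeIndexTable: only index 7 (Process, as shown above) is populated. */
static const char *type_table[16] = { [7] = "Process" };

const char *type_name_from_header(const uint8_t *hdr, uint64_t hdr_addr) {
    uint8_t idx = decode_type_index(hdr[OH_TYPEINDEX], hdr_addr, 0, 0);
    if (idx >= sizeof type_table / sizeof type_table[0] || type_table[idx] == NULL)
        return "<unknown type index>";
    return type_table[idx];
}

/* Render ObjectTypeFlags as "A|B|C" (static buffer, not reentrant). */
const char *type_flags_to_string(uint8_t flags) {
    static char out[192];
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < 7; i++) {
        if (!(flags & (1u << i))) continue;
        int n = snprintf(out + used, sizeof out - used, "%s%s", used ? "|" : "", flag_names[i]);
        if (n < 0 || (size_t)n >= sizeof out - used) break;
        used += (size_t)n;
    }
    return out;
}

/* _OBJECT_TYPE.Key packs the first four characters of the type name, little-endian. */
const char *key_to_string(uint32_t key) {
    static char s[5];
    for (int i = 0; i < 4; i++) s[i] = (char)((key >> (8 * i)) & 0xff);
    s[4] = '\0';
    return s;
}

/* An open request may only carry access bits inside the type's ValidAccessMask. */
int access_within_valid_mask(uint32_t requested, uint32_t valid_mask) {
    return (requested & ~valid_mask) == 0;
}

/* Constructed image of the header dumped above (0x30 bytes) followed by 8 body bytes. */
const uint8_t *sample_header(void) {
    static uint8_t image[OBJECT_HEADER_SIZE_X64 + 8];
    memset(image, 0, sizeof image);
    image[OH_POINTERCOUNT] = 172;          /* PointerCount : 172 */
    image[OH_HANDLECOUNT]  = 3;            /* HandleCount : 3 (shares storage with NextToFree) */
    image[OH_TYPEINDEX]    = 0x7;          /* TypeIndex : 0x7 */
    image[OH_FLAGS]        = 0x2;          /* Flags : 0x2 */
    uint64_t sd = 0xfffff8a000004b29ULL;   /* SecurityDescriptor : 0xfffff8a0'00004b29 */
    for (int i = 0; i < 8; i++) image[OH_SECURITYDESCRIPTOR + i] = (uint8_t)(sd >> (8 * i));
    return image;
}

uint64_t sample_security_descriptor(void) { return rd64(sample_header() + OH_SECURITYDESCRIPTOR); }

int main(void) {
    uint64_t body = 0xfffffa800279cae0ULL, hdr = header_from_body(body, 1);
    printf("header at %#llx, type %s, flags %s, key \"%s\"\n", (unsigned long long)hdr,
           type_name_from_header(sample_header(), hdr), type_flags_to_string(0x4a),
           key_to_string(0x636f7250));
    return 0;
}
```

Compiled and run as-is, it reports the header at 0xfffffa800279cab0, type Process, flags UnnamedObjectsOnly|SecurityRequired|SupportsObjectCallbacks (the 0x4a from the dump), and key "Proc". When reproducing this against a memory image from a newer kernel, read nt!ObHeaderCookie from the dump and pass has_cookie = 1; the raw TypeIndex byte is meaningless without it.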

Table 3-14. Type Initializer Fields

    Attribute              Purpose
    Type name              The name for objects of this type ("process," "event," "port," and so on).
    Pool type              Indicates whether objects of this type should be allocated from paged or nonpaged memory.
    Default quota charges  Default paged and nonpaged pool values to charge to process quotas.
    Valid access mask      The types of access a thread can request when opening a handle to an object of this type ("read," "write," "terminate," "suspend," and so on).
