Reading Windows® Internals, Sixth Edition, Part 1 in full

Figure 3-22. Structure of a handle table entry

The first flag is a lock bit, indicating whether the entry is currently in use. The second flag is the inheritance designation—that is, it indicates whether processes created by this process will get a copy of this handle in their handle tables. As already noted, handle inheritance can be specified on handle creation or later with the SetHandleInformation function. The third flag indicates whether closing the object should generate an audit message. (This flag isn’t exposed to Windows—the object manager uses it internally.) Finally, the protect-from-close bit, stored in an unused portion of the access mask, indicates whether the caller is allowed to close this handle. (This flag can be set with the NtSetInformationObject system call.)

System components and device drivers often need to open handles to objects that user-mode applications shouldn’t have access to. This is done by creating handles in the kernel handle table (referenced internally with the name ObpKernelHandleTable). The handles in this table are accessible only from kernel mode and in any process context. This means that a kernel-mode function can reference the handle in any process context with no performance impact. The object manager recognizes references to handles from the kernel handle table when the high bit of the handle is set—that is, when references to kernel-handle-table handles have values greater than 0x80000000. The kernel handle table also serves as the handle table for the System process, and all handles created by the System process (such as code running in system threads) are automatically marked as kernel handles because they live in the kernel handle table by definition.

EXPERIMENT: Viewing the Handle Table with the Kernel Debugger

The !handle command in the kernel debugger takes three arguments:

!handle <handle index> <flags> <process id>

The handle index identifies the handle entry in the handle table. (Zero means “display all handles.”) The first handle is index 4, the second 8, and so on. For example, typing !handle 4 will show the first handle for the current process.

The flags you can specify are a bitmask, where bit 0 means “display only the information in the handle entry,” bit 1 means “display free handles (not just used handles),” and bit 2 means “display information about the object that the handle refers to.” The following command displays full details about the handle table for process ID 0x62C:

lkd> !handle 0 7 62c
processor number 0, process 000000000000062c
Searching for Process with Cid == 62c
PROCESS fffffa80052a7060
    SessionId: 1  Cid: 062c    Peb: 7fffffdb000  ParentCid: 0558
    DirBase: 7e401000  ObjectTable: fffff8a00381fc80  HandleCount: 111.
    Image: windbg.exe

Handle table at fffff8a0038fa000 with 113 Entries in use
0000: free handle, Entry address fffff8a0038fa000, Next Entry 00000000fffffffe
0004: Object: fffff8a005022b70  GrantedAccess: 00000003 Entry: fffff8a0038fa010
Object: fffff8a005022b70  Type: (fffffa8002778f30) Directory
    ObjectHeader: fffff8a005022b40 (new version)
        HandleCount: 25  PointerCount: 63
        Directory Object: fffff8a000004980  Name: KnownDlls
0008: Object: fffffa8005226070  GrantedAccess: 00100020 Entry: fffff8a0038fa020
Object: fffffa8005226070  Type: (fffffa80027b3080) File
    ObjectHeader: fffffa8005226040 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Program Files\Debugging Tools for Windows (x64) {HarddiskVolume2}
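As an added example, not taken from the book, the following Python parser turns the !handle output above into structured records and applies the rules the text describes: handle values advance by 4 per table entry, a set high bit marks a kernel-handle-table handle, and the granted-access mask splits into standard rights (bits 16-20 of a Windows ACCESS_MASK) and object-type-specific rights (low 16 bits). The regular expressions assume the line shapes shown in the sample; the sample itself is constructed from the two in-use entries in the dump.

```python
import re

# Constructed sample: the two in-use entries from the "!handle 0 7 62c"
# output above, whitespace normalized and all values left unchanged.
SAMPLE = r"""
0000: free handle, Entry address fffff8a0038fa000, Next Entry 00000000fffffffe
0004: Object: fffff8a005022b70  GrantedAccess: 00000003 Entry: fffff8a0038fa010
Object: fffff8a005022b70  Type: (fffffa8002778f30) Directory
    ObjectHeader: fffff8a005022b40 (new version)
        HandleCount: 25  PointerCount: 63
        Directory Object: fffff8a000004980  Name: KnownDlls
0008: Object: fffffa8005226070  GrantedAccess: 00100020 Entry: fffff8a0038fa020
Object: fffffa8005226070  Type: (fffffa80027b3080) File
    ObjectHeader: fffffa8005226040 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Program Files\Debugging Tools for Windows (x64) {HarddiskVolume2}
"""

# Standard rights live in bits 16-20 of an ACCESS_MASK; the low 16 bits are
# specific to the object type (DIRECTORY_*, FILE_*, ...).
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
                   0x100000: "SYNCHRONIZE"}


def parse_handle_dump(text):
    """Return one dict per in-use handle; free slots and header text are skipped."""
    entries = []
    # Each entry starts at a line "<hex handle>: ..."; split the dump there.
    for block in re.split(r"^(?=[0-9a-f]{4,8}: )", text, flags=re.M):
        head = re.match(r"([0-9a-f]+): Object: ([0-9a-f]+)\s+GrantedAccess: ([0-9a-f]+)", block)
        if not head:
            continue                       # "free handle" slot or leading text
        handle, access = int(head[1], 16), int(head[3], 16)
        kind = re.search(r"Type: \([0-9a-f]+\) (\w+)", block)
        name = re.search(r"Name: (.*)$", block, re.M)
        entries.append({
            "handle": handle,
            "object": head[2],
            "slot": handle // 4,           # index 4 is the 1st entry, 8 the 2nd
            # Kernel-handle-table handles have the high bit set (bit 31; the
            # value is sign-extended on 64-bit Windows, so the same test works).
            "kernel": bool(handle & 0x80000000),
            "type": kind[1] if kind else None,
            "name": name[1].strip() if name else None,
            "standard_rights": [n for b, n in STANDARD_RIGHTS.items() if access & b],
            "specific_rights": access & 0xFFFF,
        })
    return entries


if __name__ == "__main__":
    for entry in parse_handle_dump(SAMPLE):
        print(entry)
```

For the File handle above this yields SYNCHRONIZE plus object-specific rights 0x20; a handle with no standard rights and only a few low bits, like the KnownDlls directory (0x3), stands out the same way during triage of a dump.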

EXPERIMENT: Searching for Open Files with the Kernel Debugger

Although you can use Process Explorer, Handle, and the OpenFiles.exe utility to search for open file handles, these tools are not available when looking at a crash dump or analyzing a system remotely. You can instead use the !devhandles command to search for handles opened to files on a specific volume. (See Chapter 8 in Part 2 for more information on devices, files, and volumes.)

First you need to pick the drive letter you are interested in and obtain the pointer to its Device object. You can use the !object command as shown here:

1: kd> !object \Global??\C:
Object: fffff8a00016ea40  Type: (fffffa8000c38bb0) SymbolicLink
    ObjectHeader: fffff8a00016ea10 (new version)
    HandleCount: 0  PointerCount: 1
    Directory Object: fffff8a000008060  Name: C:
    Target String is '\Device\HarddiskVolume1'
    Drive Letter Index is 3 (C:)

Next use the !object command to get the Device object of the target volume name:

1: kd> !object \Device\HarddiskVolume1
Object: fffffa8001bd3cd0  Type: (fffffa8000ca0750) Device
