http://www.vcfans.com 生活的天平本不平衡，只有通过努力改变其偏向。 Thu, 26 Aug 2010 09:17:56 +0000 en hourly 1 http://wordpress.org/?v=3.0 http://www.vcfans.com/2010/04/brandished-a-knife-from-the-uterus.html http://www.vcfans.com/2010/04/brandished-a-knife-from-the-uterus.html#comments Fri, 09 Apr 2010 06:37:11 +0000 lonkil http://www.vcfans.com/?p=1139 http://www.vcfans.com/2010/04/brandished-a-knife-from-the-uterus.html/feed 3 http://www.vcfans.com/2009/03/pro-ogre-3d-programming-chinese-translation-version-020-chm.html http://www.vcfans.com/2009/03/pro-ogre-3d-programming-chinese-translation-version-020-chm.html#comments Thu, 05 Mar 2009 10:56:36 +0000 lonkil http://www.vcfans.com/?p=865 http://www.vcfans.com/2009/03/pro-ogre-3d-programming-chinese-translation-version-020-chm.html/feed 0 http://www.vcfans.com/2008/11/visual-c-drag-and-drop-files-to-achieve.html http://www.vcfans.com/2008/11/visual-c-drag-and-drop-files-to-achieve.html#comments Sat, 08 Nov 2008 15:33:01 +0000 lonkil http://www.vcfans.com/?p=724 http://www.vcfans.com/2008/11/visual-c-drag-and-drop-files-to-achieve.html/feed 3 http://www.vcfans.com/2008/09/a-stolen-account-of-the-trojan-core-source.html http://www.vcfans.com/2008/09/a-stolen-account-of-the-trojan-core-source.html#comments Tue, 16 Sep 2008 05:38:25 +0000 lonkil http://www.vcfans.com/?p=531 http://www.vcfans.com/2008/09/a-stolen-account-of-the-trojan-core-source.html/feed 2 http://www.vcfans.com/2008/08/windows-handle-format-1-2000-forms-handler.html http://www.vcfans.com/2008/08/windows-handle-format-1-2000-forms-handler.html#comments Fri, 22 Aug 2008 10:57:47 +0000 lonkil http://www.vcfans.com/?p=419 dt nt!_handle_table nt!_HANDLE_TABLE +0x000 Flags : Uint4B +0x004 HandleCount : Int4B +0x008 Table : Ptr32 Ptr32 Ptr32 _HANDLE_TABLE_ENTRY +0x00c QuotaProcess : Ptr32 _EPROCESS +0x010 UniqueProcessId : Ptr32 Void +0x014 FirstFreeTableEntry : Int4B +0x018 NextIndexNeedingPool : Int4B +0x01c HandleTableLock : _ERESOURCE +0x054 HandleTableList : _LIST_ENTRY +0x05c HandleContentionEvent : _KEVENT 真正指向Handle table entry的就是那个Table指针了，这是一个类型为_HANDLE_TABLE_ ENTRY***的东西，所以从2000的句柄表当中查东西出来就是分三次查表就好了。在WI当 中也有讲，Windows 2000将句柄值除以4之后，把结果的后24位当作三个8位索引来看待 ，每个都是在对应级别的索引表当中的索引，前两个是Ptr表，最后一级是 _HANDLE_TABLE_ENTRY表。（这一点Windows Internal说的不清楚，容易让人认为说不用 除以4）。 举个例子来说吧。随便找个handle比较多的进程，就拿Winlogon好了。 kd> !handle 0628 7 b8 processor number 0 Searching for Process with Cid == b8 PROCESS fd779820 SessionId: 0 Cid: 00b8 Peb: 7ffdf000 ParentCid: 008c DirBase: 035bf000 ObjectTable: fd7806a8 TableSize: 372. Image: WINLOGON.EXE Handle Table at e1cc9000 with 372 Entries in use 0628: Object: fd670488 GrantedAccess: 0012019f Object: fd670488 Type: (fd90b840) File ObjectHeader: fd670470 HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \SfcApi {NamedPipe} 记着这个Handle 0x0628。下面我们手动来查查看。先看这个Handle的值，除以4之后是0 x18A，低三个字节分别代表三个索引：0x00，0x01，0x8A。下面从进程的EPROCESS开始 ： kd> dt nt!_eprocess fd779820 nt!_EPROCESS +0x000 Pcb : _KPROCESS ... +0x128 ObjectTable : 0xfd7806a8 _HANDLE_TABLE kd> dt nt!_handle_table 0xfd7806a8 nt!_HANDLE_TABLE +0x000 Flags : 0 +0x004 HandleCount : 372 +0x008 Table : 0xe1cc9000 -> 0xe1cc9400 -> 0xe1cc9800 _HANDLE_TABLE_ENTRY ... 第一级索引表在e1cc9000，索引为0，故： kd> dd 0xe1cc9000 e1cc9000 e1cc9400 00000000 00000000 00000000 ... 故第二级索引表在e1cc9400，索引为0x01，注意每个索引项为4字节： kd> dd e1cc9400+0x01*4 e1cc9404 e1eb3000 e1eb3800 00000000 00000000 ... 故sub handle table地址为e1eb3000，索引为0x8A，注意这时候表中存储的已经是_HAND LE_TABLE_ENTRY了，故而每个大小为8字节： kd> dd e1eb3000+0x8A*8 e1eb3450 7d670470 0012019f 7d6701e8 001f03ff ... 可见该对象的_OBJECT_HEADER结构位置在(7d670470 & FFFFFFF8) | 80000000 = Fd670470，_OBJECT_HEADER当中的结构是0x18字节，之后就是各种对象的data了。所以 对象所在的位置就是fd670488 kd> !object Fd670488 Object: fd670488 Type: (fd90b840) File ObjectHeader: fd670470 HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \SfcApi {NamedPipe} 这正与2000的句柄表格式相符。 -- Doing a little bit at a time, and an oyster makes a pearl. ※ 来源:·瀚海星云 bbs.ustc.edu.cn·[FROM: 222.95.168.191] ]]> http://www.vcfans.com/2008/08/windows-handle-format-1-2000-forms-handler.html/feed 0 http://www.vcfans.com/2008/07/get-hard-drive-serial-number.html http://www.vcfans.com/2008/07/get-hard-drive-serial-number.html#comments Sun, 13 Jul 2008 14:46:34 +0000 lonkil http://www.vcfans.com/?p=348 http://www.vcfans.com/2008/07/get-hard-drive-serial-number.html/feed 2 http://www.vcfans.com/2008/06/window-between-the-data-communications-messaging.html http://www.vcfans.com/2008/06/window-between-the-data-communications-messaging.html#comments Sat, 14 Jun 2008 11:06:37 +0000 lonkil http://192.168.1.12/?p=324 http://www.vcfans.com/2008/06/window-between-the-data-communications-messaging.html/feed 0 http://www.vcfans.com/2008/06/power-types-of-computer-use-testing-procedures.html http://www.vcfans.com/2008/06/power-types-of-computer-use-testing-procedures.html#comments Sat, 14 Jun 2008 11:04:40 +0000 lonkil http://192.168.1.12/?p=323 http://www.vcfans.com/2008/06/power-types-of-computer-use-testing-procedures.html/feed 0 http://www.vcfans.com/2008/06/timing-shutdown-restart-write-off-source.html http://www.vcfans.com/2008/06/timing-shutdown-restart-write-off-source.html#comments Mon, 09 Jun 2008 10:47:45 +0000 lonkil http://192.168.1.12/?p=319 http://www.vcfans.com/2008/06/timing-shutdown-restart-write-off-source.html/feed 0 http://www.vcfans.com/2008/06/asm-do-with-the-timing-of-resuming-the-write-off-procedures-shutdown.html http://www.vcfans.com/2008/06/asm-do-with-the-timing-of-resuming-the-write-off-procedures-shutdown.html#comments Mon, 09 Jun 2008 10:44:40 +0000 lonkil http://192.168.1.12/?p=318 http://www.vcfans.com/2008/06/asm-do-with-the-timing-of-resuming-the-write-off-procedures-shutdown.html/feed 0 http://www.vcfans.com/2008/05/under-a-3389-double-xp-source.html http://www.vcfans.com/2008/05/under-a-3389-double-xp-source.html#comments Sun, 25 May 2008 09:49:58 +0000 lonkil http://192.168.1.12/?p=299 http://www.vcfans.com/2008/05/under-a-3389-double-xp-source.html/feed 0 http://www.vcfans.com/2008/05/improve-the-quality-of-attention-to-procedural-matters.html http://www.vcfans.com/2008/05/improve-the-quality-of-attention-to-procedural-matters.html#comments Tue, 13 May 2008 09:28:07 +0000 lonkil http://192.168.1.12/?p=282 http://www.vcfans.com/2008/05/improve-the-quality-of-attention-to-procedural-matters.html/feed 0 http://www.vcfans.com/2008/05/svchostexe-call-the-service-principles-and-practice.html http://www.vcfans.com/2008/05/svchostexe-call-the-service-principles-and-practice.html#comments Mon, 12 May 2008 09:24:15 +0000 lonkil http://192.168.1.12/?p=280 http://www.vcfans.com/2008/05/svchostexe-call-the-service-principles-and-practice.html/feed 0 http://www.vcfans.com/2008/05/brush-site-traffic-vc-source.html http://www.vcfans.com/2008/05/brush-site-traffic-vc-source.html#comments Mon, 12 May 2008 09:23:09 +0000 lonkil http://192.168.1.12/?p=279 http://www.vcfans.com/2008/05/brush-site-traffic-vc-source.html/feed 3 http://www.vcfans.com/2008/05/c-an-interesting-basis-for-that-you-might-be-interested.html http://www.vcfans.com/2008/05/c-an-interesting-basis-for-that-you-might-be-interested.html#comments Tue, 06 May 2008 09:06:01 +0000 lonkil http://192.168.1.12/?p=269 http://www.vcfans.com/2008/05/c-an-interesting-basis-for-that-you-might-be-interested.html/feed 4