티스토리 뷰
|
typedef struct _HANDLE_TABLE_ENTRY { union { PVOID Object; ULONG ObAttributes; PHANDLE_TABLE_ENTRY_INFO InfoTable; ULONG Value; }; union { ULONG GrantedAccess; struct { WORD GrantedAccessIndex; WORD CreatorBackTraceIndex; }; LONG NextFreeTableEntry; }; } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY; |
|
typedef struct _KPHP_ENUMERATE_PROCESS_HANDLES_CONTEXT { PVOID Buffer; PVOID BufferLimit; PVOID CurrentEntry; ULONG Count; NTSTATUS Status; } KPHP_ENUMERATE_PROCESS_HANDLES_CONTEXT, *PKPHP_ENUMERATE_PROCESS_HANDLES_CONTEXT;
|
|
typedef struct _OBJECT_HEADER { LONG PointerCount; union { LONG HandleCount; PVOID NextToFree; }; POBJECT_TYPE Type; UCHAR NameInfoOffset; UCHAR HandleInfoOffset; UCHAR QuotaInfoOffset; UCHAR Flags; union { POBJECT_CREATE_INFORMATION ObjectCreateInfo; PVOID QuotaBlockCharged; }; PVOID SecurityDescriptor; QUAD Body; } OBJECT_HEADER, *POBJECT_HEADER;
|
|
typedef struct _KPH_PROCESS_HANDLE { HANDLE Handle; PVOID Object; ACCESS_MASK GrantedAccess; USHORT ObjectTypeIndex; USHORT Reserved1; ULONG HandleAttributes; ULONG Reserved2; } KPH_PROCESS_HANDLE, *PKPH_PROCESS_HANDLE;
|
|
typedef POBJECT_TYPE (NTAPI *_ObGetObjectType)( __in PVOID Object );
|
|
FORCEINLINE PVOID ObpDecodeObject(PVOID Object) { #ifdef _M_X64 if (KphDynNtVersion >= PHNT_WIN8) { if (KphDynObDecodeShift != -1) return (PVOID)(((LONG_PTR)Object >> KphDynObDecodeShift) & ~(ULONG_PTR)0xf); else return NULL; } else { return (PVOID)((ULONG_PTR)Object & ~OBJ_HANDLE_ATTRIBUTES); } #else return (PVOID)((ULONG_PTR)Object & ~OBJ_HANDLE_ATTRIBUTES); #endif }
|
|
FORCEINLINE ULONG ObpGetHandleAttributes(PHANDLE_TABLE_ENTRY HandleTableEntry) { #ifdef _M_X64 if (KphDynNtVersion >= PHNT_WIN8) { if (KphDynObAttributesShift != -1) return (ULONG)(HandleTableEntry->Value >> KphDynObAttributesShift) & 0x3; else return 0; } else { return (HandleTableEntry->ObAttributes & (OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)) | ((HandleTableEntry->GrantedAccess & ObpAccessProtectCloseBit) ? OBJ_PROTECT_CLOSE : 0); } #else return (HandleTableEntry->ObAttributes & (OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)) | ((HandleTableEntry->GrantedAccess & ObpAccessProtectCloseBit) ? OBJ_PROTECT_CLOSE : 0); #endif }
|
|
POBJECT_TYPE KphGetObjectType( __in PVOID Object ) { PAGED_CODE();
// XP to Vista: A pointer to the object type is // stored in the object header. if ( KphDynNtVersion >= PHNT_WINXP && KphDynNtVersion <= PHNT_VISTA ) { return OBJECT_TO_OBJECT_HEADER(Object)->Type; } // Seven and above: An index to an internal object type // table is stored in the object header. Luckily we have // a new exported function, ObGetObjectType, to get // the object type. else if (KphDynNtVersion >= PHNT_WIN7) { if (ObGetObjectType_I) return ObGetObjectType_I(Object); else return NULL; } else { return NULL; } }
|
흠... CallBack 함수 포인터에 대한 타입 정리가 된 곳인가???
함수의 주소를 담는다... 함수의 주소를 담는다...
|
typedef BOOLEAN (NTAPI *PEX_ENUM_HANDLE_CALLBACK_61)( __inout PHANDLE_TABLE_ENTRY HandleTableEntry, __in HANDLE Handle, __in PVOID Context );
// since WIN8 typedef BOOLEAN (NTAPI *PEX_ENUM_HANDLE_CALLBACK)( __in PHANDLE_TABLE HandleTable, __inout PHANDLE_TABLE_ENTRY HandleTableEntry, __in HANDLE Handle, __in PVOID Context );
|
[참고 자료]
http://processhacker.sourceforge.net/doc/files.html
MSDN
[구글 키워드]
구조체
processhacker
'Free Note' 카테고리의 다른 글
| 블로그 옮겼습니다. (2) | 2016.06.01 |
|---|