This article uses WinDbg to trace how a handle held by a user-mode program is resolved through the process handle table to its kernel object. The first step is to get kernel debugging working on the Win7 machine.
- Enabling kernel debugging under Win7
By default WinDbg on Win7 cannot do local kernel debugging (!process and similar commands are unavailable) unless you use two-machine debugging or LiveKD. Follow the steps in http://blog.csdn.net/hutao1101175783/article/details/50522767 to turn on the kernel-debugging boot option:
After rebooting, open a local kernel-debugging session:
Opened successfully:
After loading the symbols, the !process command works:
- Enabling source-level debugging in WinDbg:
Add the source file path:
Turn on source-level debugging:
Set a breakpoint on main in TestHandle.exe; when it is hit, the source window opens automatically:
Open a second WinDbg instance in local kernel-debugging mode and use !process 0 0 to locate TestHandle.exe:
List all handles of this process (the output also shows the object information, which we use later to validate the manual walk):
From TestHandle.exe we know that handle 0x38 is hEvent:
View the information for handle 0x38 (this is the "result" against which the manual "inference" below is checked):
View the EPROCESS of TestHandle:
Read ObjectTable->TableCode. This value points to a one-, two- or three-level handle table; the level is encoded in the low two bits:
The level is decided by the low two bits of TableCode: 0 means a one-level table, 1 a two-level table, 2 a three-level table. Here the low bits are 1, so this is a two-level table (see the analysis in https://www.cnblogs.com/lsh123/p/7296423.html):
So this is a two-level handle table. The layouts of the different levels are described in https://www.2cto.com/kf/201609/543902.html and in the diagram:
Then handle value * 4 + fffff8a0`19ca8000 (the level-0 page) points to the corresponding HANDLE_TABLE_ENTRY. Why multiply by 4? The handle is 0x38, the index is 0x38/4, and each HANDLE_TABLE_ENTRY is 16 bytes on x64, so 0x38/4 * 16 = 0x38 * 4. Why the index is handle/4 is answered below.
Find the corresponding HANDLE_TABLE_ENTRY:
Here fffffa80`11399951 is the object pointer. Its low bits are flag bits (bit 0 is the lock bit; only bit 0 is set in this dump), so stripping them gives the OBJECT_HEADER, and adding the Body offset gives the object itself. The dump does this in one step as +0x30-1, i.e. +0x2f:
Because this is a 64-bit system the Body offset is 0x30 (hence 0x30-1 from the stored value); on a 32-bit system the offset is 0x18 (0x17 from the stored value):
That is the complete path from a handle to its kernel object. The reasoning follows http://www.cppblog.com/sleepwom/archive/2011/10/19/72591.html and this picture:
HANDLE is defined in WinNT.h as: typedef void* HANDLE;
DECLARE_HANDLE(HWND) expands to: struct HWND__ { int unused; }; typedef struct HWND__ *HWND; so DECLARE_HANDLE defines the name as a pointer to a dedicated struct. HANDLE is an untyped pointer, while HWND is a typed struct pointer. In practice a HANDLE is a void* that stores an integer used as a "pseudo-index" into the handle table. Reference: https://www.cnblogs.com/zpcdbky/p/4656449.html
To find the HANDLE_TABLE_ENTRY for a handle, the kernel calls ExMapHandleToPointer(__in PHANDLE_TABLE HandleTable, __in HANDLE Handle):
Here Handle is the 0x38 from our example. ExMapHandleToPointer in turn calls ExpLookupHandleTableEntry, which performs the actual walk of the process handle table; its prototype is as follows:
The parameter HandleTable is the address of the table to search, and tHandle is the handle value as a structured EXHANDLE. Reference: http://www.mamicode.com/info-detail-1539980.html. The relationship between HANDLE and EXHANDLE is as follows: the EXHANDLE structure splits the handle value into several parts, as shown:
TagBits occupies two bits (bit 0 to bit 1) and is cleared to 0. Therefore tHandle.Value is aligned on a 4-byte boundary, and the upper 30 bits are used as the index into the handle table; the low two bits carry no meaning for the lookup. Reference: https://www.cnblogs.com/ck1020/p/5897460.html
That the low two bits are meaningless today does not mean they always will be; the meaning and use of handles may change in the future.
Reference: Chapter 3 of Windows Core Programming (Windows via C/C++), which covers handles in depth.
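The table walk above (TableCode level decoding, index = handle/4, 16-byte entries, flag bits stripped from the stored pointer, +0x30 to the Body) and the EXHANDLE split just described can be modelled end to end in user mode. The following is an added example written for this article, not code from the original post or from the Windows kernel: it builds a constructed two-level table with one "event" object at handle 0x38 and resolves the handle the way ExpLookupHandleTableEntry and the manual dump do. The constants are the Win7 x64 values used above; the struct layouts are simplified to the fields the walk touches, and the object contents and access mask are made up.

```c
/* handle_walk.c: added example, not code from the original article.
 * Models the Win7 x64 handle-table layout walked above in user mode:
 * EXHANDLE split (TagBits / Index), TableCode level decoding, the
 * 16-byte HANDLE_TABLE_ENTRY stride, and the entry -> OBJECT_HEADER ->
 * Body step. The table and the "event" object are constructed here;
 * the constants are the Win7 x64 values used in the article. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE           4096u
#define ENTRY_SIZE          16u                         /* sizeof(_HANDLE_TABLE_ENTRY) on x64 */
#define LOW_LEVEL_COUNT     (PAGE_SIZE / ENTRY_SIZE)    /* 256 entries per level-0 page      */
#define MID_LEVEL_COUNT     (PAGE_SIZE / 8u)            /* 512 pointers per level-1 page     */
#define TABLE_LEVEL_MASK    3u                          /* low 2 bits of TableCode           */
#define OBJECT_BODY_OFFSET  0x30u                       /* _OBJECT_HEADER.Body on Win7 x64   */
#define OBJECT_FLAG_MASK    7u                          /* lock bit + handle attribute bits  */

typedef struct {
    uint64_t Object;         /* _OBJECT_HEADER address with flag bits in the low 3 bits */
    uint32_t GrantedAccess;
    uint32_t Pad;
} HANDLE_TABLE_ENTRY;

typedef struct { uint64_t TableCode; } HANDLE_TABLE;  /* only the field the walk uses */

/* Simplified _OBJECT_HEADER: 0x30 bytes of header fields, then Body. */
typedef struct { uint8_t Header[OBJECT_BODY_OFFSET]; uint64_t Body; } OBJECT;

/* EXHANDLE: TagBits are bits 0-1, Index is bits 2-31. */
uint32_t exhandle_index(uint64_t handle)   { return (uint32_t)((handle >> 2) & 0x3FFFFFFFu); }
uint32_t exhandle_tagbits(uint64_t handle) { return (uint32_t)(handle & TABLE_LEVEL_MASK); }

/* Same walk as ExpLookupHandleTableEntry: decode the level from TableCode,
 * then descend one, two or three pages using the index. NULL if out of range. */
HANDLE_TABLE_ENTRY *lookup_entry(const HANDLE_TABLE *table, uint64_t handle)
{
    uint32_t  index = exhandle_index(handle);
    uintptr_t base  = (uintptr_t)(table->TableCode & ~(uint64_t)TABLE_LEVEL_MASK);
    uint32_t  low   = index % LOW_LEVEL_COUNT;
    uint32_t  mid   = (index / LOW_LEVEL_COUNT) % MID_LEVEL_COUNT;
    uint32_t  high  = index / (LOW_LEVEL_COUNT * MID_LEVEL_COUNT);

    switch (table->TableCode & TABLE_LEVEL_MASK) {
    case 0:   /* one level: TableCode -> HANDLE_TABLE_ENTRY[256] */
        return index < LOW_LEVEL_COUNT ? (HANDLE_TABLE_ENTRY *)base + index : NULL;
    case 1: { /* two level: TableCode -> pointer[512] -> HANDLE_TABLE_ENTRY[256] */
        if (high != 0) return NULL;
        HANDLE_TABLE_ENTRY *page = ((HANDLE_TABLE_ENTRY **)base)[mid];
        return page ? page + low : NULL;
    }
    case 2: { /* three level: one more pointer page on top */
        if (high >= MID_LEVEL_COUNT) return NULL;
        HANDLE_TABLE_ENTRY **midpage = ((HANDLE_TABLE_ENTRY ***)base)[high];
        if (!midpage) return NULL;
        HANDLE_TABLE_ENTRY *page = midpage[mid];
        return page ? page + low : NULL;
    }
    default:
        return NULL;  /* 3 is not a valid level encoding */
    }
}

/* The manual "fffffa80`11399951 + 0x2f" step in general form: strip the flag
 * bits to reach the _OBJECT_HEADER, then add the Body offset. */
void *entry_to_body(const HANDLE_TABLE_ENTRY *entry)
{
    if (!entry || entry->Object == 0) return NULL;  /* free entry */
    uintptr_t header = (uintptr_t)(entry->Object & ~(uint64_t)OBJECT_FLAG_MASK);
    return (void *)(header + OBJECT_BODY_OFFSET);
}

/* Constructed sample: a two-level table whose first level-0 page holds the
 * event at handle 0x38, mirroring the TestHandle.exe scenario (values made up). */
static HANDLE_TABLE_ENTRY  g_level0[LOW_LEVEL_COUNT];
static HANDLE_TABLE_ENTRY *g_level1[MID_LEVEL_COUNT];
static _Alignas(16) OBJECT g_event;
static HANDLE_TABLE        g_table;

const HANDLE_TABLE *build_sample_table(void)
{
    memset(g_level0, 0, sizeof g_level0);
    memset(g_level1, 0, sizeof g_level1);
    g_event.Body = 0x4556454E54ULL;                         /* constructed marker value */
    g_level1[0]  = g_level0;
    HANDLE_TABLE_ENTRY *e = &g_level0[exhandle_index(0x38)];
    e->Object        = (uint64_t)(uintptr_t)&g_event | 1;   /* lock bit set, as in the dump */
    e->GrantedAccess = 0x1F0003;                            /* EVENT_ALL_ACCESS */
    g_table.TableCode = (uint64_t)(uintptr_t)g_level1 | 1;  /* low bits 1 = two-level table */
    return &g_table;
}

int main(void)
{
    const HANDLE_TABLE *t = build_sample_table();
    HANDLE_TABLE_ENTRY *e = lookup_entry(t, 0x38);
    printf("handle 0x38: index %#x, entry at level0 + %#lx, body %p (marker %#llx)\n",
           exhandle_index(0x38), (unsigned long)((char *)e - (char *)g_level0),
           entry_to_body(e), (unsigned long long)*(uint64_t *)entry_to_body(e));
    printf("handle 0x3c -> %p (unused entry)\n", entry_to_body(lookup_entry(t, 0x3c)));
    return 0;
}
```

Two things the run makes concrete: the entry for 0x38 sits exactly 0x38 * 4 bytes into the level-0 page, which is why the dump adds handle * 4 to fffff8a0`19ca8000; and masking the low three bits before adding 0x30 gives the same address as the dump's +0x2f, but also stays correct when the attribute bits (bits 1 and 2) happen to be set.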