This first article analyzing the Windows kernel is meant to strengthen learning and memory. More notes of this kind will be written later; as pig-man said, knowledge is only truly mastered when it has been practiced and can be explained.
The code is from ReactOS or WRK 1.2.
Reference material is drawn from "Windows Kernel Scenario Analysis" and "Windows Kernel Design Ideas", as well as online articles and videos.
NTSTATUS
NtCreateDebugObject (
    OUT PHANDLE DebugObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG Flags
    )
/*++

Routine Description:

    Creates a new debug object that maintains the context for a single debug session.
    Multiple processes may be associated with a single debug object.

Arguments:

    DebugObjectHandle - Pointer to a handle to receive the output object's handle
    DesiredAccess     - Required handle access
    ObjectAttributes  - Standard object attributes structure
    Flags             - Only one flag, DEBUG_KILL_ON_CLOSE

Return Value:

    NTSTATUS - Status of call.

--*/
{
    NTSTATUS Status;
    HANDLE Handle;
    KPROCESSOR_MODE PreviousMode;
    PDEBUG_OBJECT DebugObject;

    PAGED_CODE ();

    //
    // Get previous processor mode and probe output arguments if necessary.
    // Zero the handle for error paths.
    //
    PreviousMode = KeGetPreviousMode ();

    try {
        if (PreviousMode != KernelMode) {
            ProbeForWriteHandle (DebugObjectHandle);
        }
        *DebugObjectHandle = NULL;
    } except (ExSystemExceptionFilter ()) { // If previous mode is kernel then don't handle the exception
        return GetExceptionCode ();
    }

    // Reject any flag bit other than DEBUG_KILL_ON_CLOSE.
    if (Flags & ~DEBUG_KILL_ON_CLOSE) {
        return STATUS_INVALID_PARAMETER;
    }

    //
    // Create a new debug object and initialize it.
    //
    Status = ObCreateObject (PreviousMode,
                             DbgkDebugObjectType,
                             ObjectAttributes,
                             PreviousMode,
                             NULL,
                             sizeof (DEBUG_OBJECT),
                             0,
                             0,
                             &DebugObject);

    if (!NT_SUCCESS (Status)) {
        return Status;
    }

    ExInitializeFastMutex (&DebugObject->Mutex);
    InitializeListHead (&DebugObject->EventList);
    KeInitializeEvent (&DebugObject->EventsPresent, NotificationEvent, FALSE);

    if (Flags & DEBUG_KILL_ON_CLOSE) {
        DebugObject->Flags = DEBUG_OBJECT_KILL_ON_CLOSE;
    } else {
        DebugObject->Flags = 0;
    }

    //
    // Insert the object into the handle table
    //
    Status = ObInsertObject (DebugObject,
                             NULL,
                             DesiredAccess,
                             0,
                             NULL,
                             &Handle);

    if (!NT_SUCCESS (Status)) {
        return Status;
    }

    try {
        *DebugObjectHandle = Handle;
    } except (ExSystemExceptionFilter ()) {
        //
        // The caller changed the page protection or deleted the memory for the handle.
        // No point closing the handle as process rundown will do that and we don't know it's still the same handle
        //
        Status = GetExceptionCode ();
    }

    return Status;
}
Windows Kernel Analysis -- NtCreateDebugObject Function Analysis