Each object has an _OBJECT_HEADER. On 32-bit it starts 0x18 bytes before the object address, that is sizeof(nt!_OBJECT_HEADER) - sizeof(obheader->Body): Body is embedded in the header as its last member and is variable sized.

```
kd> ?? (unsigned long) (#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))
unsigned long 0x18
```

_OBJECT_HEADER is as follows (though the size hasn't changed, there are differences between the new-version header and the old-version header):

```
kd> dt nt!_object_header 9a10bc58-0x18
   +0x000 PointerCount       : 0n6
   +0x004 HandleCount        : 0n6
   +0x004 NextToFree         : 0x00000006 Void
   +0x008 Lock               : _EX_PUSH_LOCK
   +0x00c TypeIndex          : 0x21 '!'
   +0x00d TraceFlags         : 0 ''
   +0x00e InfoMask           : 0x8 ''
   +0x00f Flags              : 0 ''
   +0x010 ObjectCreateInfo   : 0x82f7aa00 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged  : 0x82f7aa00 Void
   +0x014 SecurityDescriptor : (null)
   +0x018 Body               : _QUAD
```

The old-version header had _OBJECT_TYPE directly in the header; the new version is an index into an array. Here the type index is 0x21. The array of Types is located at:

```
kd> x nt!ObTypeIndexTable
82f88580 nt!ObTypeIndexTable = <no type information>
```

You can write a script like this to dump all the types:

```javascript
function log(instr) {
    host.diagnostics.debugLog(instr + "\n");
}

function exec(cmdstr) {
    return host.namespace.Debugger.Utility.Control.ExecuteCommand(cmdstr);
}

function dumptypeindex() {
    // First line of `x nt!ObTypeIndexTable` starts with the 8-hex-digit (32-bit) address
    var titab = exec("x nt!ObTypeIndexTable").First().substr(0, 8);
    // Treat the table as an array of _OBJECT_TYPE pointers
    var obtype = host.createPointerObject(host.parseInt64(titab, 16), "nt", "_OBJECT_TYPE **");
    // Entries 0 and 1 are unused; walk until the first null pointer
    var i = 2;
    while (!obtype[i].isNull) {
        log("index = " + i + "\t" + host.memory.readWideString(obtype[i].Name.Buffer));
        i++;
    }
}
```

Executing this script yields the types as follows:

```
kd> .scriptload c:\wdscr\dumptypeindex.js
JavaScript script successfully loaded from 'c:\dumptypeindex.js'
kd> dx @$scriptContents.dumptypeindex()
index = 2	Type
index = 3	Directory
index = 4	SymbolicLink
index = 5	Token
index = 6	Job
index = 7	Process
index = 8	Thread
index = 9	UserApcReserve
index = 10	IoCompletionReserve
index = 11	DebugObject
index = 12	Event
index = 13	EventPair
index = 14	Mutant
index = 15	Callback
index = 16	Semaphore
index = 17	Timer
index = 18	Profile
index = 19	KeyedEvent
index = 20	WindowStation
index = 21	Desktop
index = 22	TpWorkerFactory
index = 23	Adapter
index = 24	Controller
index = 25	Device
index = 26	Driver
index = 27	IoCompletion
index = 28	File
index = 29	TmTm
index = 30	TmTx
index = 31	TmRm
index = 32	TmEn
index = 33	Section
index = 34	Session
index = 35	Key
index = 36	ALPC Port
index = 37	PowerRequest
index = 38	WmiGuid
index = 39	EtwRegistration
index = 40	EtwConsumer
index = 41	FilterConnectionPort
index = 42	FilterCommunicationPort
index = 43	PcwObject
```

Notice 0x21 = 0n33 = Section. Assuming we have a Section, we can dump the Section object:

```
kd> dt -r1 nt!_SECTION_OBJECT 9a10bc58
   +0x000 StartingVa       : 0x90f87b44 Void
   +0x004 EndingVa         : 0x82efb58a Void
   +0x008 Parent           : 0xc0802000 Void
   +0x00c LeftChild        : (null)
   +0x010 RightChild       : 0xc0c0a280 Void
   +0x014 Segment          : 0x995ed8d8 _SEGMENT_OBJECT
      +0x000 BaseAddress       : 0x86b65740 Void
      +0x004 TotalNumberOfPtes : 0xdf
      +0x008 SizeOfSegment     : _LARGE_INTEGER 0x000000df`00080000
      +0x010 NonExtendedPtes   : 0xdf000
      +0x014 ImageCommitment   : 0
      +0x018 ControlArea       : (null)
      +0x01c Subsection        : (null)
      +0x020 MmSectionFlags    : 0x869f52a8 _MMSECTION_FLAGS
      +0x024 MmSubSectionFlags : 0x02ea0000 _MMSUBSECTION_FLAGS
```

An object is preceded by the object header, which is preceded by the pool header:

```
kd> dc 9a10bc58-0x18-0x18
9a10bc28  060b0204 f4636553 00000720 00000070  ....Sec. ...p...
9a10bc38  00000000 00000000 00000006 00000006  ................
9a10bc48  00000000 00080021 82f7aa00 00000000  ....!...........
9a10bc58  90f87b44 82efb58a c0802000 00000000  D{....... ......
9a10bc68  c0c0a280 995ed8d8 000df000 00000000  ......^.........
9a10bc78  00012000 00000004 0670020b 6666744e  . ........p.Ntff
9a10bc88  00f00702 00000a48 0000c0fe 00020000  ....H...........
9a10bc98  00000000 00000002 00000000 00000000  ................
```

Notice the Sec tag: the Sect tag is used by Section objects.

```
kd> !pool 9a10bc58-0x18-0x18 2
Pool page 9a10bc28 region is Paged pool
*9a10bc28 size:   58 previous size:   20  (Allocated) *Sect (Protected)
		Pooltag Sect : Section objects
```
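The layout walked through above can be checked offline against the raw dump. The following is an added example, not part of the original answer: it parses the `dc` rows shown above (with the ASCII column dropped), decodes the x86 _POOL_HEADER bitfields and the _OBJECT_HEADER fields at the offsets the `dt` output shows, and resolves TypeIndex against a subset of the ObTypeIndexTable printed by the script. It also measures the 0x10 bytes that sit between the pool header and the object header; InfoMask 0x8 selects the quota-info optional header, which is why `-0x18-0x18` happens to land exactly on the pool header here.

```python
import struct

# Constructed from the `dc 9a10bc58-0x18-0x18` output above (x86, little-endian
# dwords); the ASCII column is omitted so the rows parse cleanly.
DC_DUMP = """\
9a10bc28 060b0204 f4636553 00000720 00000070
9a10bc38 00000000 00000000 00000006 00000006
9a10bc48 00000000 00080021 82f7aa00 00000000
9a10bc58 90f87b44 82efb58a c0802000 00000000
"""
# Subset of the ObTypeIndexTable entries printed by dumptypeindex() above.
OB_TYPE_INDEX_TABLE = {2: "Type", 3: "Directory", 7: "Process", 8: "Thread",
                       28: "File", 33: "Section", 35: "Key"}
POOL_HEADER_SIZE = 0x8      # x86 _POOL_HEADER
OBJECT_HEADER_SIZE = 0x18   # FIELD_OFFSET(_OBJECT_HEADER, Body) on x86, as shown above

def parse_dc(text):
    """Turn `dc` rows into (base address, bytes)."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    data = b"".join(struct.pack("<I", int(d, 16)) for r in rows for d in r[1:5])
    return int(rows[0][0], 16), data

def parse_pool_header(raw):
    """x86 _POOL_HEADER: two 16-bit bitfield words, then the 4-byte tag."""
    w0, w1, tag = struct.unpack_from("<HHI", raw, 0)
    return {"PreviousSize": (w0 & 0x1FF) * 8,   # sizes are in 8-byte units on x86
            "PoolIndex": w0 >> 9,
            "BlockSize": (w1 & 0x1FF) * 8,
            "PoolType": w1 >> 9,                # odd POOL_TYPE values are paged
            "Tag": struct.pack("<I", tag & 0x7FFFFFFF).decode("ascii"),
            "Protected": bool(tag & 0x80000000)}  # top bit of the tag = protected

def parse_object_header(raw):
    """_OBJECT_HEADER fields at the x86 offsets the `dt` output above shows."""
    pointer_count, handle_count = struct.unpack_from("<ii", raw, 0x0)
    type_index, trace_flags, info_mask, flags = struct.unpack_from("<4B", raw, 0xC)
    return {"PointerCount": pointer_count, "HandleCount": handle_count,
            "TypeIndex": type_index, "InfoMask": info_mask, "Flags": flags,
            "TypeName": OB_TYPE_INDEX_TABLE.get(type_index, "<not in table>")}

def describe_object(dump_text, object_addr, pool_block_addr):
    """Decode the pool header, the object header and the gap between them."""
    base, data = parse_dc(dump_text)
    hdr_addr = object_addr - OBJECT_HEADER_SIZE
    pool = parse_pool_header(data[pool_block_addr - base:])
    obj = parse_object_header(data[hdr_addr - base:])
    # Bytes between the pool header and _OBJECT_HEADER are optional headers
    # selected by InfoMask (0x8 here is the 0x10-byte quota-info header).
    obj["OptionalHeaderBytes"] = hdr_addr - (pool_block_addr + POOL_HEADER_SIZE)
    return pool, obj

if __name__ == "__main__":
    print(describe_object(DC_DUMP, 0x9A10BC58, 0x9A10BC28))
```

The decoded block size 0x58, previous size 0x20 and protected Sect tag match the `!pool` output, and TypeIndex 0x21 resolves to Section.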