KOOKNUT的博客:定位HandleTableEntry(Windows内核学习笔记)
通过HandleTable定位HandleTableEntry的方法:
/*
 * EXHANDLE: one pointer-sized handle value seen through several overlapping
 * views. All members of the union share the same storage, so writing one
 * view (for example TagBits) changes what the others (for example Value)
 * read back.
 *
 * HANDLE_LOW_BITS, HANDLE_HIGH_BITS and KERNEL_FLAG_BITS are defined
 * elsewhere; their widths are not visible in this listing.
 */
typedef union _EXHANDLE
{
    /* View 1: tag bits plus one flat index. */
    struct
    {
        /* Two tag bits; the original note says they are 0. */
        ULONG_PTR TagBits:2;
        /* Index into the handle table. */
        ULONG_PTR Index:29;
    };
    /* View 2: the same bits split into per-level indices. */
    struct
    {
        /* Same two tag bits as TagBits in the first view. */
        ULONG_PTR TagBits2:2;
        /* Index into the lowest-level array of handle table entries. */
        ULONG_PTR LowIndex:HANDLE_LOW_BITS;
        /* Index into the middle-level pointer array. */
        ULONG_PTR MidIndex:HANDLE_HIGH_BITS;
        /* Index into the top-level pointer array. */
        ULONG_PTR HighIndex:HANDLE_HIGH_BITS;
        /* NOTE(review): presumably marks a kernel handle; its use is not shown here. */
        ULONG_PTR KernelFlag:KERNEL_FLAG_BITS;
    };
    /* The value typed as a HANDLE. */
    HANDLE GenericHandleOverlay;
    /* The raw integer value; this is what the lookup range-checks. */
    ULONG_PTR Value;
} EXHANDLE, *PEXHANDLE;
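/*
 * Translate a handle value into a pointer to its HANDLE_TABLE_ENTRY.
 *
 * HandleTable->TableCode packs two things into one word: the low two bits
 * give the table level (0, 1 or 2) and the remaining bits give the base
 * address of the top-level table. The level decides how many pointer
 * arrays are walked before the entry array is reached:
 *   level 0: base -> entries[LowIndex]
 *   level 1: base -> pointers[MidIndex] -> entries[LowIndex]
 *   level 2: base -> pointers[HighIndex] -> pointers[MidIndex]
 *                 -> entries[LowIndex]
 *
 * Parameters:
 *   HandleTable - table to search; read, not modified.
 *   Handle      - handle value to resolve, passed by value, so clearing
 *                 its tag bits here does not affect the caller's copy.
 *
 * Returns a pointer to the entry slot, or NULL when the handle value is
 * outside the range covered by the table, when an intermediate table
 * pointer is NULL, or when the table level is not 0, 1 or 2.
 *
 * The range check against NextHandleNeedingPool is the only validation of
 * the handle value before its bit-fields are used as array indices, so it
 * must stay ahead of every table access.
 * NOTE(review): a non-NULL result only locates the slot; nothing here shows
 * that the slot is in use, so callers presumably validate it - confirm.
 */
PHANDLE_TABLE_ENTRY
NTAPI
ExpLookupHandleTableEntry(IN PHANDLE_TABLE HandleTable,
                          IN EXHANDLE Handle)
{
    ULONG TableLevel;                       /* number of indirection levels */
    ULONG_PTR TableBase;                    /* base address of the top-level table */
    PHANDLE_TABLE_ENTRY HandleArray, Entry;
    PVOID *PointerArray;

    /* Clear the tag bits so they do not take part in the range check */
    Handle.TagBits = 0;

    /* Reject handle values outside the allocated range */
    if (Handle.Value >= HandleTable->NextHandleNeedingPool)
    {
        return NULL;
    }

    /* Get the table code */
    TableBase = HandleTable->TableCode;

    /*
     * Split the table code: the low TWO bits (mask 3) are the level, the
     * rest is the real address. The mask is widened to ULONG_PTR so the
     * upper address bits are kept regardless of how the literal is typed.
     */
    TableLevel = (ULONG)(TableBase & 3);
    TableBase &= ~(ULONG_PTR)3;

    /* The same base is viewed as a pointer array (levels 1 and 2) ... */
    PointerArray = (PVOID*)TableBase;
    /* ... or directly as the entry array (level 0) */
    HandleArray = (PHANDLE_TABLE_ENTRY)TableBase;

    /* Walk down from the level the table is currently at */
    switch (TableLevel)
    {
        case 2:
            /* Top level: pick the mid-level pointer array */
            PointerArray = PointerArray[Handle.HighIndex];

            /*
             * An in-range handle should always have its mid-level table
             * present; fail closed instead of dereferencing NULL.
             */
            if (PointerArray == NULL)
            {
                ASSERT(FALSE);
                return NULL;
            }

            /* Fall through */
        case 1:
            /* Mid level: pick the entry array */
            HandleArray = PointerArray[Handle.MidIndex];

            /* Same reasoning as above for the lowest-level table */
            if (HandleArray == NULL)
            {
                ASSERT(FALSE);
                return NULL;
            }

            /* Fall through */
        case 0:
            /* Lowest level: address the entry itself */
            Entry = &HandleArray[Handle.LowIndex];

            /* All done */
            break;

        default:
            /* Level 3 is not a valid encoding */
            ASSERT(FALSE);
            Entry = NULL;
            break;
    }

    /* Return the handle entry */
    return Entry;
}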
“失之东隅,收之桑榆。”
参考资料:
ReactOS源码