第一部分:
NTSTATUS
RtlLookupAtomInAtomTable(
    IN PVOID AtomTableHandle,
    IN PWSTR AtomName,
    OUT PRTL_ATOM Atom OPTIONAL
    )

/*++

Routine Description:

    Looks up an atom by name in an RTL atom table (nothing is added to the
    table).  Two kinds of name are handled, in this order:

      1. If RtlpGetIntegerAtom recognizes the name as an integer atom, the
         value is range-checked against RTL_ATOM_MAXIMUM_INTEGER_ATOM.  Note
         that the optional output Atom is written even when the range check
         fails -- it then receives RTL_ATOM_INVALID_ATOM.

      2. Otherwise the name is hashed into the table.  A hit is reported as
         success only if the entry's HandleIndex still resolves through
         RtlpAtomMapAtomToHandleEntry; a stale index yields
         STATUS_INVALID_HANDLE instead of a bogus atom value.

    The whole lookup runs with the table locked and inside try/except, so a
    fault raised while touching AtomName or Atom (presumably these may be
    caller-supplied pointers) becomes the returned status and the lock is
    still released.

Arguments:

    AtomTableHandle - Opaque handle that is really a PRTL_ATOM_TABLE.

    AtomName - NUL-terminated UNICODE name to look up.

    Atom - Optional; receives the atom value on success (or
        RTL_ATOM_INVALID_ATOM for an out-of-range integer atom).

Return Value:

    STATUS_SUCCESS - atom found and, if requested, stored in *Atom.
    STATUS_INVALID_PARAMETER - the table could not be locked, or the
        integer atom is out of range.
    STATUS_OBJECT_NAME_INVALID - AtomName is the empty string.
    STATUS_OBJECT_NAME_NOT_FOUND - no entry with that name exists.
    STATUS_INVALID_HANDLE - an entry exists but its handle index does not
        map to a handle table entry.
    Any other value is the code of an exception raised during the lookup.

--*/

{
    NTSTATUS Status;
    PRTL_ATOM_TABLE AtomTable = (PRTL_ATOM_TABLE)AtomTableHandle;
    PRTL_ATOM_TABLE_ENTRY Entry;
    RTL_ATOM IntegerAtom;

    RTL_PAGED_CODE();

    //
    // A table that cannot be locked is treated as a bad handle.
    //
    if (!RtlpLockAtomTable( AtomTable )) {
        return STATUS_INVALID_PARAMETER;
    }

    try {
        if (RtlpGetIntegerAtom( AtomName, &IntegerAtom )) {
            //
            // Integer atom: validate the range, but hand the result back
            // (valid or RTL_ATOM_INVALID_ATOM) whenever the caller asked.
            //
            if (IntegerAtom < RTL_ATOM_MAXIMUM_INTEGER_ATOM) {
                Status = STATUS_SUCCESS;
            } else {
                IntegerAtom = RTL_ATOM_INVALID_ATOM;
                Status = STATUS_INVALID_PARAMETER;
            }

            if (ARGUMENT_PRESENT( Atom )) {
                *Atom = IntegerAtom;
            }

        } else if (*AtomName == UNICODE_NULL) {
            //
            // An empty string can never name an atom.
            //
            Status = STATUS_OBJECT_NAME_INVALID;

        } else {
            //
            // String atom: hash the name to its table entry, then confirm
            // that the entry's handle index is still backed by a handle
            // table entry before trusting the atom it carries.
            //
            Entry = RtlpHashStringToAtom( AtomTable, AtomName, NULL, NULL );

            if (Entry == NULL) {
                Status = STATUS_OBJECT_NAME_NOT_FOUND;

            } else if (RtlpAtomMapAtomToHandleEntry( AtomTable, (ULONG)Entry->HandleIndex ) == NULL) {
                Status = STATUS_INVALID_HANDLE;

            } else {
                Status = STATUS_SUCCESS;
                if (ARGUMENT_PRESENT( Atom )) {
                    *Atom = Entry->Atom;
                }
            }
        }

    } except (EXCEPTION_EXECUTE_HANDLER) {
        //
        // Report the fault as the status; the unlock below still runs.
        //
        Status = GetExceptionCode();
    }

    RtlpUnlockAtomTable( AtomTable );

    return Status;
}
第二部分:AtomTable->ExHandleTable说明原子表也是个句柄表(仅在内核态构建中,见下面的 NTOS_KERNEL_RUNTIME 分支)
PRTL_ATOM_TABLE_ENTRY
RtlpAtomMapAtomToHandleEntry(
IN PRTL_ATOM_TABLE AtomTable,
IN ULONG HandleIndex
)
{
#if defined(NTOS_KERNEL_RUNTIME)
PHANDLE_TABLE_ENTRY ExHandleEntry;
PRTL_ATOM_TABLE_ENTRY a;
EXHANDLE ExHandle;
ExHandle.GenericHandleOverlay = 0;
ExHandle.Index = HandleIndex;
ExHandleEntry = ExMapHandleToPointer( AtomTable->ExHandleTable,
ExHandle.GenericHandleOverlay
);
//
// EXHANDLE is the handle value as the executive handle table sees it.  The
// union gives three views of the same word: the TagBits/Index bitfield
// pair, the opaque HANDLE, and a plain integer (Value).  The debugger
// output on this page shows the relationship: Index 0x1f corresponds to
// GenericHandleOverlay/Value 0x7c, i.e. Index << 2 with TagBits in the low
// two bits.
//
typedef struct _EXHANDLE {
    union {
        struct {
            //
            // Application available tag bits (bits 1:0 of the handle value,
            // per the dx output of _EXHANDLE on this page)
            //
            ULONG TagBits : 2;
            //
            // The handle table entry index (bits 31:2).  ExMapHandleToPointer
            // rejects an Index whose low (LOWLEVEL_COUNT - 1) bits are all
            // zero -- presumably entry 0 of each low-level table is reserved;
            // confirm against ExpLookupHandleTableEntry.
            //
            ULONG Index : 30;
        };
        HANDLE GenericHandleOverlay;
#define HANDLE_VALUE_INC 4 // Amount to increment the Value to get to the next handle
        ULONG_PTR Value;
    };
} EXHANDLE, *PEXHANDLE;
1: kd> t
nt!RtlLookupAtomInAtomTable+0xc9:
80d51ca1 e862f6ffff call nt!RtlpAtomMapAtomToHandleEntry (80d51308)
1: kd> t
nt!RtlpAtomMapAtomToHandleEntry:
80d51308 55 push ebp
1: kd> dv
AtomTable = 0xe13d6010
HandleIndex = 0x1f
第三部分:
NTKERNELAPI
PHANDLE_TABLE_ENTRY
ExMapHandleToPointer (
IN PHANDLE_TABLE HandleTable,
IN HANDLE Handle
)
{
EXHANDLE LocalHandle;
PHANDLE_TABLE_ENTRY HandleTableEntry;
PAGED_CODE();
LocalHandle.GenericHandleOverlay = Handle;
if ((LocalHandle.Index & (LOWLEVEL_COUNT - 1)) == 0) {
return NULL;
}
//
// Translate the input handle to a handle table entry and make
// sure it is a valid handle.
//
HandleTableEntry = ExpLookupHandleTableEntry( HandleTable,
LocalHandle );
1: kd> t
nt!RtlpAtomMapAtomToHandleEntry+0x11:
80d51319 e89e030600 call nt!ExMapHandleToPointer (80db16bc)
1: kd> t
nt!ExMapHandleToPointer:
80db16bc 55 push ebp
1: kd> dv
HandleTable = 0xe140afb8
Handle = 0x0000007c
第四部分:
PHANDLE_TABLE_ENTRY
ExpLookupHandleTableEntry (
IN PHANDLE_TABLE HandleTable,
IN EXHANDLE tHandle
)
1: kd> dv
HandleTable = 0xe140afb8
tHandle = struct _EXHANDLE
1: kd> dx -r1 ((ntkrnlmp!_HANDLE_TABLE *)0xe140afb8)
((ntkrnlmp!_HANDLE_TABLE *)0xe140afb8) : 0xe140afb8 [Type: _HANDLE_TABLE *]
[+0x000] TableCode : 0xe140d000 [Type: unsigned long]
[+0x004] QuotaProcess : 0x0 [Type: _EPROCESS *]
[+0x008] UniqueProcessId : 0x1cc [Type: void *]
[+0x00c] HandleTableLock [Type: _EX_PUSH_LOCK [4]]
[+0x01c] HandleTableList [Type: _LIST_ENTRY]
[+0x024] HandleContentionEvent [Type: _EX_PUSH_LOCK]
[+0x028] DebugInfo : 0x0 [Type: _HANDLE_TRACE_DEBUG_INFO *]
[+0x02c] ExtraInfoPages : 0 [Type: long]
[+0x030] FirstFree : 0x90 [Type: unsigned long]
[+0x034] LastFree : 0x0 [Type: unsigned long]
[+0x038] NextHandleNeedingPool : 0x800 [Type: unsigned long]
[+0x03c] HandleCount : 35 [Type: long] //一共35个句柄0x23
[+0x040] Flags : 0x0 [Type: unsigned long]
[+0x040 ( 0: 0)] StrictFIFO : 0x0 [Type: unsigned char]
1: kd> dv
HandleTable = 0xe140afb8
tHandle = struct _EXHANDLE
1: kd> dx -r1 (*((ntkrnlmp!_EXHANDLE *)0xb9f32678))
(*((ntkrnlmp!_EXHANDLE *)0xb9f32678)) [Type: _EXHANDLE]
[+0x000 ( 1: 0)] TagBits : 0x0 [Type: unsigned long]
[+0x000 (31: 2)] Index : 0x1f [Type: unsigned long]
[+0x000] GenericHandleOverlay : 0x7c [Type: void *]
[+0x000] Value : 0x7c [Type: unsigned long]
1: kd> dt HANDLE_TABLE_ENTRY 0xe140d000
ntdll!HANDLE_TABLE_ENTRY
+0x000 Object : (null)
+0x000 ObAttributes : 0
+0x000 InfoTable : (null)
+0x000 Value : 0
+0x004 GrantedAccess : 0xfffffffe
+0x004 GrantedAccessIndex : 0xfffe
+0x006 CreatorBackTraceIndex : 0xffff
+0x004 NextFreeTableEntry : 0n-2
1: kd> dt HANDLE_TABLE_ENTRY 0xe140d000+8*1f
ntdll!HANDLE_TABLE_ENTRY
+0x000 Object : 0xe194ebd1 Void
+0x000 ObAttributes : 0xe194ebd1
+0x000 InfoTable : 0xe194ebd1 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : 0xe194ebd1
+0x004 GrantedAccess : 0
+0x004 GrantedAccessIndex : 0
+0x006 CreatorBackTraceIndex : 0
+0x004 NextFreeTableEntry : 0n0
第五部分: +0x000 Value : 0xe194ebd1 屏蔽低位后(0xe194ebd0;该字段同时被 ObAttributes 覆盖,见上面的 dt 输出)转换为ntdll!_RTL_ATOM_TABLE_ENTRY结构
1: kd> dt ntdll!_RTL_ATOM_TABLE_ENTRY 0xe194ebd0
+0x000 HashLink : (null)
+0x004 HandleIndex : 0x1f
+0x006 Atom : 0xc01f
+0x008 ReferenceCount : 1
+0x00a Flags : 0 ''
+0x00b NameLength : 0x14 ''
+0x00c Name : [1] 0x43
1: kd> dx -id 0,0,896d1020 -r1 (*((ntdll!unsigned short (*)[1])0xe194ebdc))
(*((ntdll!unsigned short (*)[1])0xe194ebdc)) [Type: unsigned short [1]]
[0] : 0x43 [Type: unsigned short]
1: kd> db 0xe194ebdc
e194ebdc 43 00 41 00 64 00 64 00-72 00 65 00 73 00 73 00 C.A.d.d.r.e.s.s.
e194ebec 43 00 6f 00 6d 00 62 00-6f 00 45 00 78 00 5f 00 C.o.m.b.o.E.x._.
e194ebfc 54 00 68 00 69 00 73 00-00 00 54 89 09 06 09 0c T.h.i.s...T.....