Analysis of the nt!ObpLookupDirectoryEntry function
1: kd> g
Breakpoint 1 hit
nt!ObpLookupDirectoryEntry:
80d1be16 55 push ebp
1: kd> kc
00 nt!ObpLookupDirectoryEntry
01 nt!ObpLookupObjectName
02 nt!ObInsertObject
03 nt!IoCreateDriver
04 hal!HaliInitPnpDriver
05 nt!IoInitSystem
06 nt!Phase1Initialization
07 nt!PspSystemThreadStartup
08 nt!KiThreadStartup
1: kd> kv
ChildEBP RetAddr Args to Child
00 f789a440 80d1cebe e10007c0 f789a468 00000050 nt!ObpLookupDirectoryEntry (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obdir.c @ 865]
01 f789a4a8 80d237fa 00000000 8998337c 00000050 nt!ObpLookupObjectName+0x4dc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obdir.c @ 2266]
02 f789a5ac 80c6159e 899833a8 f789a4e8 00000000 nt!ObInsertObject+0x370 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obinsert.c @ 256]
03 f789a67c 8050c48e 899833a8 8050c2b6 80077000 nt!IoCreateDriver+0x178 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 14215]
04 f789a69c 80e65571 00034000 00000000 00000000 hal!HaliInitPnpDriver+0x5c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\hals\halacpi\ixpnpdrv.c @ 319]
05 f789a838 80e632fd 80077000 00000000 899a1020 nt!IoInitSystem+0x6b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\ioinit.c @ 617]
06 f789adac 80d391f0 80077000 00000000 00000000 nt!Phase1Initialization+0x9b3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\init\init.c @ 2221]
07 f789addc 80b00d52 80e6294a 80077000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
08 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
1: kd> dv
Directory = 0xe10007c0
Name = 0xf789a468 "Driver"
Attributes = 0x50
SearchShadow = 0x00 ''
LookupContext = 0xf789a580
Object = 0x00000008
CaseInSensitive = 0x17 ''
1: kd> dx -r1 ((ntkrnlmp!_OBJECT_DIRECTORY *)0xe10007c0)
((ntkrnlmp!_OBJECT_DIRECTORY *)0xe10007c0) : 0xe10007c0 [Type: _OBJECT_DIRECTORY *]
[+0x000] HashBuckets [Type: _OBJECT_DIRECTORY_ENTRY * [37]]
[+0x094] Lock [Type: _EX_PUSH_LOCK]
[+0x098] DeviceMap : 0x0 [Type: _DEVICE_MAP *]
[+0x09c] SessionId : 0xffffffff [Type: unsigned long]
1: kd> dx -r1 (*((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY * (*)[37])0xe10007c0))
(*((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY * (*)[37])0xe10007c0)) [Type: _OBJECT_DIRECTORY_ENTRY * [37]]
[0] : 0xe1001330 [Type: _OBJECT_DIRECTORY_ENTRY *]
[1] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[2] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[3] : 0xe101aad0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[4] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[5] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[6] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[7] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[8] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[9] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[10] : 0xe1000380 [Type: _OBJECT_DIRECTORY_ENTRY *]
[11] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[12] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[13] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[14] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[15] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[16] : 0xe12792e0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[17] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[18] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[19] : 0xe1001320 [Type: _OBJECT_DIRECTORY_ENTRY *]
[20] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[21] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[22] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[23] : 0xe1002a90 [Type: _OBJECT_DIRECTORY_ENTRY *]
[24] : 0xe127c130 [Type: _OBJECT_DIRECTORY_ENTRY *]
[25] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[26] : 0xe1003ae8 [Type: _OBJECT_DIRECTORY_ENTRY *]
[27] : 0xe1003440 [Type: _OBJECT_DIRECTORY_ENTRY *]
[28] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[29] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[30] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[31] : 0xe1001310 [Type: _OBJECT_DIRECTORY_ENTRY *]
[32] : 0xe1002840 [Type: _OBJECT_DIRECTORY_ENTRY *]
[33] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[34] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[35] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[36] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
1: kd> x nt!ObpRootDirectoryObject
80bf1390 nt!ObpRootDirectoryObject = 0xe10007c0
1: kd> dx -r1 ((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY *)0xe12792e0)
((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY *)0xe12792e0) : 0xe12792e0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[+0x000] ChainLink : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[+0x004] Object : 0xe127b3d0 [Type: void *]
1: kd> !object \
Object: e10007c0 Type: (899a2e70) Directory
ObjectHeader: e10007a8 (old version)
HandleCount: 0 PointerCount: 14
Directory Object: 00000000 Name: \
Hash Address Type Name
00 e1003350 Directory ArcName
03 e1003b28 Key \REGISTRY
10 e1001870 SymbolicLink DosDevices
16 e127b3d0 Directory Driver
19 e1003278 Directory Device
23 e1000640 Directory KernelObjects
24 e12725c8 Directory FileSystem
e1000440 Directory GLOBAL??
26 e1001ae0 Directory ObjectTypes
27 e1001448 Directory Security
31 e1003d98 SymbolicLink SystemRoot
32 e1001768 Directory Callback
1: kd> !object e127b3d0
Object: e127b3d0 Type: (899a2e70) Directory
ObjectHeader: e127b3b8 (old version)
HandleCount: 0 PointerCount: 2
Directory Object: e10007c0 Name: Driver
Hash Address Type Name
33 899c5d30 Driver PnpManager
1: kd> dt ntkrnlmp!_OBJECT_DIRECTORY 0xe127b3d0
+0x000 HashBuckets : [37] (null)
+0x094 Lock : _EX_PUSH_LOCK
+0x098 DeviceMap : (null)
+0x09c SessionId : 0xffffffff
1: kd> dx -id 0,0,899a2278 -r1 (*((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY * (*)[37])0xe127b3d0))
(*((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY * (*)[37])0xe127b3d0)) [Type: _OBJECT_DIRECTORY_ENTRY * [37]]
[0] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[1] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[2] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[3] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[4] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[5] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[6] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[7] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[8] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[9] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[10] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[11] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[12] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[13] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[14] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[15] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[16] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[17] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[18] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[19] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[20] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[21] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[22] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[23] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[24] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[25] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[26] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[27] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[28] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[29] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[30] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[31] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[32] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[33] : 0xe1278160 [Type: _OBJECT_DIRECTORY_ENTRY *]
[34] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[35] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[36] : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
1: kd> dx -id 0,0,899a2278 -r1 ((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY *)0xe1278160)
((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY *)0xe1278160) : 0xe1278160 [Type: _OBJECT_DIRECTORY_ENTRY *]
[+0x000] ChainLink : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[+0x004] Object : 0x899c5d30 [Type: void *]
1: kd> !object 0x899c5d30
Object: 899c5d30 Type: (89987ac0) Driver
ObjectHeader: 899c5d18 (old version)
HandleCount: 0 PointerCount: 564
Directory Object: e127b3d0 Name: PnpManager
    Buffer = Name->Buffer;
    WcharLength = Name->Length / sizeof( *Buffer );
    if (!WcharLength || !Buffer) {
        goto UPDATECONTEXT;
    }

    //
    // Compute the address of the head of the bucket chain for this name.
    //
    HashIndex = 0;
    while (WcharLength--) {
        Wchar = *Buffer++;
        HashIndex += (HashIndex << 1) + (HashIndex >> 1);
        if (Wchar < 'a') {
            HashIndex += Wchar;
        } else if (Wchar > 'z') {
            HashIndex += RtlUpcaseUnicodeChar( Wchar );
        } else {
            HashIndex += (Wchar - ('a'-'A'));
        }
    }
    HashIndex %= NUMBER_HASH_BUCKETS;
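The hash loop quoted above, together with the bucket walk that the trace steps through afterwards, as an added worked example in C. This is not code from the page or from the Windows source tree: it hashes UTF-16 names the way obdir.c does, builds a small directory from constructed sample names taken from the `!object \` listing, and looks names up with the same bucket-then-chain logic. RtlUpcaseUnicodeChar is replaced by an identity stand-in that is exact only for ASCII, and every type and function name (DirEntry, ob_hash_name, ob_lookup, sample_root_directory, ...) is the example's own.

```c
/* Added example, not code from the page or from the Windows source tree: a
 * user-mode model of the ObpLookupDirectoryEntry name hash and the bucket walk
 * that follows it, built from the obdir.c fragment above.  Names are UTF-16
 * code units (uint16_t) as in the kernel.  Assumption: RtlUpcaseUnicodeChar is
 * modelled as the identity for code units above 'z' (exact for ASCII only). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUMBER_HASH_BUCKETS 37
#define MAX_NAME 64

typedef struct DirEntry {
    struct DirEntry *ChainLink;   /* next entry in the same bucket */
    uint16_t Name[MAX_NAME];      /* NUL-terminated UTF-16 name */
    const char *Object;           /* stand-in for the object body pointer */
} DirEntry;
typedef struct { DirEntry *HashBuckets[NUMBER_HASH_BUCKETS]; } Directory;

/* Widen an ASCII string to UTF-16; returns the number of code units. */
static size_t ascii_to_u16(const char *s, uint16_t *out, size_t cap) {
    size_t n = 0;
    while (s[n] && n + 1 < cap) { out[n] = (uint8_t)s[n]; n++; }
    out[n] = 0;
    return n;
}
static size_t u16len(const uint16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Stand-in for RtlUpcaseUnicodeChar (assumption: identity; exact for ASCII). */
static uint16_t upcase(uint16_t c) { return c; }

/* The three branches of the obdir.c loop: fold one code unit for hashing. */
static uint16_t fold(uint16_t c) {
    if (c < 'a') return c;
    if (c > 'z') return upcase(c);
    return (uint16_t)(c - ('a' - 'A'));
}

/* HashIndex exactly as obdir.c computes it; wchars = Name->Length / sizeof(WCHAR).
 * h += (h << 1) + (h >> 1) is the mov/shr/lea/add sequence stepped in the trace. */
uint32_t ob_hash_name(const uint16_t *buf, size_t wchars) {
    uint32_t h = 0;
    while (wchars--) {
        uint16_t c = *buf++;
        h += (h << 1) + (h >> 1);
        h += fold(c);
    }
    return h;
}
uint32_t ob_hash_ascii(const char *s) {
    uint16_t tmp[MAX_NAME];
    size_t n = ascii_to_u16(s, tmp, MAX_NAME);
    return ob_hash_name(tmp, n);
}
unsigned ob_bucket_ascii(const char *s) { return ob_hash_ascii(s) % NUMBER_HASH_BUCKETS; }

/* Name comparison with the caller's case sensitivity (the CaseInSensitive parameter dv shows). */
static int names_equal(const uint16_t *a, const uint16_t *b, int ci) {
    for (;; a++, b++) {
        if ((ci ? fold(*a) : *a) != (ci ? fold(*b) : *b)) return 0;
        if (!*a) return 1;
    }
}

/* Insert at the head of the bucket chain; the hash itself is always case-folded. */
void ob_insert(Directory *d, DirEntry *e) {
    unsigned i = ob_hash_name(e->Name, u16len(e->Name)) % NUMBER_HASH_BUCKETS;
    e->ChainLink = d->HashBuckets[i];
    d->HashBuckets[i] = e;
}

/* Lookup: an empty name finds nothing (the !WcharLength check); otherwise walk
 * the chain of the computed bucket until a name matches. */
const char *ob_lookup(const Directory *d, const char *name, int case_insensitive) {
    uint16_t key[MAX_NAME];
    size_t n = ascii_to_u16(name, key, MAX_NAME);
    if (n == 0) return NULL;
    unsigned i = ob_hash_name(key, n) % NUMBER_HASH_BUCKETS;
    for (const DirEntry *e = d->HashBuckets[i]; e; e = e->ChainLink)
        if (names_equal(e->Name, key, case_insensitive)) return e->Object;
    return NULL;
}

/* Constructed sample directory holding a few names from the !object \ listing. */
static const char *const SAMPLE_NAMES[] =
    {"ArcName", "DosDevices", "Driver", "Device", "FileSystem", "GLOBAL??"};
static DirEntry sample_entries[6];
static Directory sample_root;
static int sample_built;

const Directory *sample_root_directory(void) {
    for (size_t k = 0; !sample_built && k < 6; k++) {
        ascii_to_u16(SAMPLE_NAMES[k], sample_entries[k].Name, MAX_NAME);
        sample_entries[k].Object = SAMPLE_NAMES[k];
        ob_insert(&sample_root, &sample_entries[k]);
    }
    sample_built = 1;
    return &sample_root;
}

int main(void) {
    const Directory *root = sample_root_directory();
    printf("Driver: hash %#x, bucket %u; \"driver\" ci=%s cs=%s\n",
           (unsigned)ob_hash_ascii("Driver"), ob_bucket_ascii("Driver"),
           ob_lookup(root, "driver", 1) ? "found" : "missing",
           ob_lookup(root, "driver", 0) ? "found" : "missing");
    return 0;
}
```

Run as is, it reproduces the trace: "Driver" hashes to 0xcd27 (the value left in esi before the div) and lands in bucket 16 (the remainder in edx), the bucket whose entry points at the Driver directory. "Device" lands in 19 as the `!object \` listing shows, and "FileSystem" and "GLOBAL??" both land in 24, so GLOBAL?? is reached through FileSystem's ChainLink, consistent with it appearing in that listing without a hash number of its own. The case-insensitive lookup of "driver" succeeds because the hash folds case before the compare does; the case-sensitive one fails at the compare even though it reaches the right bucket.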
1: kd> p
eax=00000044 ebx=00000006 ecx=e1278d01 edx=00000020 esi=00000000 edi=e1278db2
eip=80d1bea0 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0x8a:
80d1bea0 8bce mov ecx,esi
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000020 esi=00000000 edi=e1278db2
eip=80d1bea2 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0x8c:
80d1bea2 47 inc edi
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000020 esi=00000000 edi=e1278db3
eip=80d1bea3 esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!ObpLookupDirectoryEntry+0x8d:
80d1bea3 d1e9 shr ecx,1
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000020 esi=00000000 edi=e1278db3
eip=80d1bea5 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0x8f:
80d1bea5 8d1476 lea edx,[esi+esi*2]
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000000 edi=e1278db3
eip=80d1bea8 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0x92:
80d1bea8 03ca add ecx,edx
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000000 edi=e1278db3
eip=80d1beaa esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0x94:
80d1beaa 47 inc edi
1: kd> bp 80d1beaa
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000000 edi=e1278db4
eip=80d1beab esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!ObpLookupDirectoryEntry+0x95:
80d1beab 663d6100 cmp ax,61h
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000000 edi=e1278db4
eip=80d1beaf esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
nt!ObpLookupDirectoryEntry+0x99:
80d1beaf 8bf1 mov esi,ecx
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000000 edi=e1278db4
eip=80d1beb1 esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
nt!ObpLookupDirectoryEntry+0x9b:
80d1beb1 7307 jae nt!ObpLookupDirectoryEntry+0xa4 (80d1beba) [br=0]
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000000 edi=e1278db4
eip=80d1beb3 esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
nt!ObpLookupDirectoryEntry+0x9d:
80d1beb3 0fb7c0 movzx eax,ax
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000000 edi=e1278db4
eip=80d1beb6 esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
nt!ObpLookupDirectoryEntry+0xa0:
80d1beb6 03f0 add esi,eax
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000044 edi=e1278db4
eip=80d1beb8 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0xa2:
80d1beb8 eb15 jmp nt!ObpLookupDirectoryEntry+0xb9 (80d1becf)
1: kd> p
eax=00000044 ebx=00000006 ecx=00000000 edx=00000000 esi=00000044 edi=e1278db4
eip=80d1becf esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0xb9:
80d1becf 4b dec ebx
1: kd> p
eax=00000044 ebx=00000005 ecx=00000000 edx=00000000 esi=00000044 edi=e1278db4
eip=80d1bed0 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0xba:
80d1bed0 75cb jne nt!ObpLookupDirectoryEntry+0x87 (80d1be9d) [br=1]
1: kd> p
eax=00000044 ebx=00000005 ecx=00000000 edx=00000000 esi=00000044 edi=e1278db4
eip=80d1be9d esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x87:
80d1be9d 668b07 mov ax,word ptr [edi] ds:0023:e1278db4=0072
1: kd> p
eax=00000072 ebx=00000005 ecx=00000000 edx=00000000 esi=00000044 edi=e1278db4
eip=80d1bea0 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x8a:
80d1bea0 8bce mov ecx,esi
1: kd> p
eax=00000072 ebx=00000005 ecx=00000044 edx=00000000 esi=00000044 edi=e1278db4
eip=80d1bea2 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x8c:
80d1bea2 47 inc edi
1: kd> p
eax=00000072 ebx=00000005 ecx=00000044 edx=00000000 esi=00000044 edi=e1278db5
eip=80d1bea3 esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!ObpLookupDirectoryEntry+0x8d:
80d1bea3 d1e9 shr ecx,1
1: kd> p
eax=00000072 ebx=00000005 ecx=00000022 edx=00000000 esi=00000044 edi=e1278db5
eip=80d1bea5 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x8f:
80d1bea5 8d1476 lea edx,[esi+esi*2]
1: kd> p
eax=00000072 ebx=00000005 ecx=00000022 edx=000000cc esi=00000044 edi=e1278db5
eip=80d1bea8 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x92:
80d1bea8 03ca add ecx,edx
1: kd> p
Breakpoint 2 hit
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=00000044 edi=e1278db5
eip=80d1beaa esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x94:
80d1beaa 47 inc edi
1: kd> p
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=00000044 edi=e1278db6
eip=80d1beab esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!ObpLookupDirectoryEntry+0x95:
80d1beab 663d6100 cmp ax,61h
1: kd> p
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=00000044 edi=e1278db6
eip=80d1beaf esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x99:
80d1beaf 8bf1 mov esi,ecx
1: kd> p
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=000000ee edi=e1278db6
eip=80d1beb1 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x9b:
80d1beb1 7307 jae nt!ObpLookupDirectoryEntry+0xa4 (80d1beba) [br=1]
1: kd> p
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=000000ee edi=e1278db6
eip=80d1beba esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0xa4:
80d1beba 663d7a00 cmp ax,7Ah
1: kd> p
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=000000ee edi=e1278db6
eip=80d1bebe esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!ObpLookupDirectoryEntry+0xa8:
80d1bebe 7608 jbe nt!ObpLookupDirectoryEntry+0xb2 (80d1bec8) [br=1]
1: kd> p
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=000000ee edi=e1278db6
eip=80d1bec8 esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!ObpLookupDirectoryEntry+0xb2:
80d1bec8 0fb7c0 movzx eax,ax
1: kd> p
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=000000ee edi=e1278db6
eip=80d1becb esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!ObpLookupDirectoryEntry+0xb5:
80d1becb 8d7406e0 lea esi,[esi+eax-20h]
1: kd> p
eax=00000072 ebx=00000005 ecx=000000ee edx=000000cc esi=00000140 edi=e1278db6
eip=80d1becf esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!ObpLookupDirectoryEntry+0xb9:
80d1becf 4b dec ebx
1: kd> p
eax=00000072 ebx=00000004 ecx=000000ee edx=000000cc esi=00000140 edi=e1278db6
eip=80d1bed0 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000203
nt!ObpLookupDirectoryEntry+0xba:
80d1bed0 75cb jne nt!ObpLookupDirectoryEntry+0x87 (80d1be9d) [br=1]
1: kd> p
eax=00000072 ebx=00000004 ecx=000000ee edx=000000cc esi=00000140 edi=e1278db6
eip=80d1be9d esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000203
nt!ObpLookupDirectoryEntry+0x87:
80d1be9d 668b07 mov ax,word ptr [edi] ds:0023:e1278db6=0069
1: kd> p
eax=00000069 ebx=00000004 ecx=000000ee edx=000000cc esi=00000140 edi=e1278db6
eip=80d1bea0 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000203
nt!ObpLookupDirectoryEntry+0x8a:
80d1bea0 8bce mov ecx,esi
1: kd> p
eax=00000069 ebx=00000004 ecx=00000140 edx=000000cc esi=00000140 edi=e1278db6
eip=80d1bea2 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000203
nt!ObpLookupDirectoryEntry+0x8c:
80d1bea2 47 inc edi
1: kd> p
eax=00000069 ebx=00000004 ecx=00000140 edx=000000cc esi=00000140 edi=e1278db7
eip=80d1bea3 esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000287
nt!ObpLookupDirectoryEntry+0x8d:
80d1bea3 d1e9 shr ecx,1
1: kd> p
eax=00000069 ebx=00000004 ecx=000000a0 edx=000000cc esi=00000140 edi=e1278db7
eip=80d1bea5 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x8f:
80d1bea5 8d1476 lea edx,[esi+esi*2]
1: kd> p
eax=00000069 ebx=00000004 ecx=000000a0 edx=000003c0 esi=00000140 edi=e1278db7
eip=80d1bea8 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x92:
80d1bea8 03ca add ecx,edx
1: kd> p
Breakpoint 2 hit
eax=00000069 ebx=00000004 ecx=00000460 edx=000003c0 esi=00000140 edi=e1278db7
eip=80d1beaa esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x94:
80d1beaa 47 inc edi
1: kd> g
Breakpoint 2 hit
eax=00000076 ebx=00000003 ecx=0000104f edx=00000dfb esi=000004a9 edi=e1278db9
eip=80d1beaa esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!ObpLookupDirectoryEntry+0x94:
80d1beaa 47 inc edi
1: kd> g
Breakpoint 2 hit
eax=00000065 ebx=00000002 ecx=00003a41 edx=000031ef esi=000010a5 edi=e1278dbb
eip=80d1beaa esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216
nt!ObpLookupDirectoryEntry+0x94:
80d1beaa 47 inc edi
1: kd> g
Breakpoint 2 hit
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=00003a86 edi=e1278dbd
eip=80d1beaa esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!ObpLookupDirectoryEntry+0x94:
80d1beaa 47 inc edi
1: kd> p
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=00003a86 edi=e1278dbe
eip=80d1beab esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!ObpLookupDirectoryEntry+0x95:
80d1beab 663d6100 cmp ax,61h
1: kd> p
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=00003a86 edi=e1278dbe
eip=80d1beaf esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x99:
80d1beaf 8bf1 mov esi,ecx
1: kd> p
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=0000ccd5 edi=e1278dbe
eip=80d1beb1 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0x9b:
80d1beb1 7307 jae nt!ObpLookupDirectoryEntry+0xa4 (80d1beba) [br=1]
1: kd> p
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=0000ccd5 edi=e1278dbe
eip=80d1beba esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!ObpLookupDirectoryEntry+0xa4:
80d1beba 663d7a00 cmp ax,7Ah
1: kd> p
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=0000ccd5 edi=e1278dbe
eip=80d1bebe esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!ObpLookupDirectoryEntry+0xa8:
80d1bebe 7608 jbe nt!ObpLookupDirectoryEntry+0xb2 (80d1bec8) [br=1]
1: kd> p
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=0000ccd5 edi=e1278dbe
eip=80d1bec8 esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!ObpLookupDirectoryEntry+0xb2:
80d1bec8 0fb7c0 movzx eax,ax
1: kd> p
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=0000ccd5 edi=e1278dbe
eip=80d1becb esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!ObpLookupDirectoryEntry+0xb5:
80d1becb 8d7406e0 lea esi,[esi+eax-20h]
1: kd> p
eax=00000072 ebx=00000001 ecx=0000ccd5 edx=0000af92 esi=0000cd27 edi=e1278dbe
eip=80d1becf esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!ObpLookupDirectoryEntry+0xb9:
80d1becf 4b dec ebx
1: kd> p
eax=00000072 ebx=00000000 ecx=0000ccd5 edx=0000af92 esi=0000cd27 edi=e1278dbe
eip=80d1bed0 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000247
nt!ObpLookupDirectoryEntry+0xba:
80d1bed0 75cb jne nt!ObpLookupDirectoryEntry+0x87 (80d1be9d) [br=0]
1: kd> p
eax=00000072 ebx=00000000 ecx=0000ccd5 edx=0000af92 esi=0000cd27 edi=e1278dbe
eip=80d1bed2 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000247
nt!ObpLookupDirectoryEntry+0xbc:
80d1bed2 6a25 push 25h
1: kd> ?0n37
Evaluate expression: 37 = 00000025
1: kd> ?cd27%25
Evaluate expression: 16 = 00000010
1: kd> p
eax=00000072 ebx=00000000 ecx=0000ccd5 edx=0000af92 esi=0000cd27 edi=e1278dbe
eip=80d1bed4 esp=f789a424 ebp=f789a440 iopl=0 nv up ei pl zr na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000247
nt!ObpLookupDirectoryEntry+0xbe:
80d1bed4 33d2 xor edx,edx
1: kd> p
eax=00000072 ebx=00000000 ecx=0000ccd5 edx=00000000 esi=0000cd27 edi=e1278dbe
eip=80d1bed6 esp=f789a424 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0xc0:
80d1bed6 8bc6 mov eax,esi
1: kd> p
eax=0000cd27 ebx=00000000 ecx=0000ccd5 edx=00000000 esi=0000cd27 edi=e1278dbe
eip=80d1bed8 esp=f789a424 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0xc2:
80d1bed8 59 pop ecx
1: kd> p
eax=0000cd27 ebx=00000000 ecx=00000025 edx=00000000 esi=0000cd27 edi=e1278dbe
eip=80d1bed9 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0xc3:
80d1bed9 f7f1 div eax,ecx
1: kd> p
eax=0000058b ebx=00000000 ecx=00000025 edx=00000010 esi=0000cd27 edi=e1278dbe
eip=80d1bedb esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0xc5:
80d1bedb 8b4518 mov eax,dword ptr [ebp+18h] ss:0010:f789a458=f789a580
    while (1) {
        HeadDirectoryEntry = (POBJECT_DIRECTORY_ENTRY *)&Directory->HashBuckets[ HashIndex ];   // edi=e1000800
        LookupBucket = HeadDirectoryEntry;
1: kd> p
eax=00000040 ebx=00000000 ecx=e10007c0 edx=00000010 esi=0000cd27 edi=e1000800
eip=80d1bef3 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!ObpLookupDirectoryEntry+0xdd:
80d1bef3 8b4518 mov eax,dword ptr [ebp+18h] ss:0010:f789a458=f789a580
1: kd> ?e10007c0+10*4
Evaluate expression: -520091648 = e1000800
ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryEntry->Object ); eax=e127b3d0
1: kd> p
eax=e127b3d0 ebx=e1000800 ecx=e1000854 edx=00000000 esi=e12792e0 edi=e1000800
eip=80d1bf8b esp=f789a428 ebp=f789a440 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!ObpLookupDirectoryEntry+0x175:
80d1bf8b 8a48f4 mov cl,byte ptr [eax-0Ch] ds:0023:e127b3c4=18
1: kd> dx -r1 ((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY *)0xe12792e0)
((ntkrnlmp!_OBJECT_DIRECTORY_ENTRY *)0xe12792e0) : 0xe12792e0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[+0x000] ChainLink : 0x0 [Type: _OBJECT_DIRECTORY_ENTRY *]
[+0x004] Object : 0xe127b3d0 [Type: void *]
#define OBJECT_HEADER_TO_NAME_INFO( oh ) ((POBJECT_HEADER_NAME_INFO) \
((oh)->NameInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->NameInfoOffset)))
1: kd> dt _OBJECT_HEADER_NAME_INFO e127b3b8-0x18
nt!_OBJECT_HEADER_NAME_INFO
+0x000 Directory : 0xe10007c0 _OBJECT_DIRECTORY
+0x004 Name : _UNICODE_STRING "Driver" Correct!!!
+0x00c QueryReferences : 1
+0x010 Reserved2 : 1
+0x014 DbgDereferenceCount : 0n-1296957461
1: kd> dt _object_header e127b3b8
nt!_OBJECT_HEADER
+0x000 PointerCount : 0n2
+0x004 HandleCount : 0n0
+0x004 NextToFree : (null)
+0x008 Type : 0x899a2e70 _OBJECT_TYPE
+0x00c NameInfoOffset : 0x18 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x32 '2'
+0x010 ObjectCreateInfo : 0x00000001 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x00000001 Void
+0x014 SecurityDescriptor : 0xe1002bf5 Void
+0x018 Body : _QUAD
#define OBJECT_HEADER_TO_CREATOR_INFO( oh ) ((POBJECT_HEADER_CREATOR_INFO) \
(((oh)->Flags & OB_FLAG_CREATOR_INFO) == 0 ? NULL : ((PCHAR)(oh) - sizeof(OBJECT_HEADER_CREATOR_INFO))))
#define OB_FLAG_NEW_OBJECT 0x01
#define OB_FLAG_KERNEL_OBJECT 0x02
#define OB_FLAG_CREATOR_INFO 0x04
#define OB_FLAG_EXCLUSIVE_OBJECT 0x08
#define OB_FLAG_PERMANENT_OBJECT 0x10
#define OB_FLAG_DEFAULT_SECURITY_QUOTA 0x20
#define OB_FLAG_SINGLE_HANDLE_ENTRY 0x40
#define OB_FLAG_DELETED_INLINE 0x80
1: kd> dt OBJECT_HEADER_CREATOR_INFO -v
nt!OBJECT_HEADER_CREATOR_INFO
struct _OBJECT_HEADER_CREATOR_INFO, 4 elements, 0x10 bytes
+0x000 TypeList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x008 CreatorUniqueProcess : Ptr32 to Void
+0x00c CreatorBackTraceIndex : Uint2B
+0x00e Reserved : Uint2B
#define OBJECT_HEADER_TO_HANDLE_INFO( oh ) ((POBJECT_HEADER_HANDLE_INFO) \
((oh)->HandleInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->HandleInfoOffset)))
1: kd> !handle
PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 9.
Image: System
Kernel handle table at e1000e38 with 9 entries in use
0004: Object: 899a2278 GrantedAccess: 001f0fff Entry: e1004008
Object: 899a2278 Type: (899a28e8) Process
ObjectHeader: 899a2260 (old version)
HandleCount: 1 PointerCount: 30
1: kd> dt object_header 899a2260
nt!OBJECT_HEADER
+0x000 PointerCount : 0n30
+0x004 HandleCount : 0n1
+0x004 NextToFree : 0x00000001 Void
+0x008 Type : 0x899a28e8 _OBJECT_TYPE
+0x00c NameInfoOffset : 0 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x22 '"'
+0x010 ObjectCreateInfo : 0x80bf4440 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x80bf4440 Void
+0x014 SecurityDescriptor : 0xe1002c7f Void
+0x018 Body : _QUAD
#define OB_FLAG_NEW_OBJECT 0x01
#define OB_FLAG_KERNEL_OBJECT 0x02
#define OB_FLAG_CREATOR_INFO 0x04
#define OB_FLAG_EXCLUSIVE_OBJECT 0x08
#define OB_FLAG_PERMANENT_OBJECT 0x10
#define OB_FLAG_DEFAULT_SECURITY_QUOTA 0x20
#define OB_FLAG_SINGLE_HANDLE_ENTRY 0x40
#define OB_FLAG_DELETED_INLINE 0x80
#define OBJECT_HEADER_TO_QUOTA_INFO( oh ) ((POBJECT_HEADER_QUOTA_INFO) \
((oh)->QuotaInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->QuotaInfoOffset)))
00d4: Object: e1003b28 GrantedAccess: 00000000 Entry: e10041a8
Object: e1003b28 Type: (89996048) Key
ObjectHeader: e1003b10 (old version)
HandleCount: 1 PointerCount: 3
Directory Object: 00000000 Name: \REGISTRY
1: kd> dt object_header e1003b10
nt!OBJECT_HEADER
+0x000 PointerCount : 0n3
+0x004 HandleCount : 0n1
+0x004 NextToFree : 0x00000001 Void
+0x008 Type : 0x89996048 _OBJECT_TYPE
+0x00c NameInfoOffset : 0x18 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0 ''
+0x010 ObjectCreateInfo : 0x00000001 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x00000001 Void
+0x014 SecurityDescriptor : (null)
+0x018 Body : _QUAD
1: kd> dt _OBJECT_HEADER_NAME_INFO e1003b10-0x18
nt!_OBJECT_HEADER_NAME_INFO
+0x000 Directory : 0xe10007c0 _OBJECT_DIRECTORY
+0x004 Name : _UNICODE_STRING "REGISTRY"
+0x00c QueryReferences : 1
+0x010 Reserved2 : 0x101
+0x014 DbgDereferenceCount : 0n83881605
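Added example in C, not code from the page or from the Windows source tree: a 32-bit layout model of the object header with its optional info blocks in front of it, which exercises the OBJECT_HEADER_TO_*_INFO macros quoted above on a constructed object modelled on the \Driver directory header at e127b3b8 (NameInfoOffset 0x18, Flags 0x32) and decodes the Flags byte with the OB_FLAG_* values. Pointer-sized fields are uint32_t so the x86 offsets match the dt output. That creator info sits directly in front of the header follows from the macro; that the name info then sits in front of the creator info (so NameInfoOffset grows to 0x28 when the flag is set) is this example's inference, not something the page shows. All type and function names are the example's own.

```c
/* Added example, not code from the page or from the Windows source tree: a
 * 32-bit layout model of the Server 2003 OBJECT_HEADER with its optional info
 * blocks in front of it, so the OBJECT_HEADER_TO_*_INFO macros quoted above
 * can be exercised on a constructed object modelled on the \Driver directory
 * header at e127b3b8 (NameInfoOffset 0x18, Flags 0x32).  Pointer-sized fields
 * are uint32_t so the x86 offsets match the dt output. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OB_FLAG_NEW_OBJECT             0x01
#define OB_FLAG_KERNEL_OBJECT          0x02
#define OB_FLAG_CREATOR_INFO           0x04
#define OB_FLAG_EXCLUSIVE_OBJECT       0x08
#define OB_FLAG_PERMANENT_OBJECT       0x10
#define OB_FLAG_DEFAULT_SECURITY_QUOTA 0x20
#define OB_FLAG_SINGLE_HANDLE_ENTRY    0x40
#define OB_FLAG_DELETED_INLINE         0x80

typedef uint32_t PTR32;   /* x86 pointer-sized field */
typedef struct { uint16_t Length, MaximumLength; PTR32 Buffer; } UNICODE_STRING32;
typedef struct {          /* 0x10 bytes, as in the dt -v output */
    PTR32 TypeListFlink, TypeListBlink;
    PTR32 CreatorUniqueProcess;
    uint16_t CreatorBackTraceIndex, Reserved;
} OBJECT_HEADER_CREATOR_INFO;
typedef struct {          /* 0x18 bytes on this build */
    PTR32 Directory;
    UNICODE_STRING32 Name;
    uint32_t QueryReferences, Reserved2;
    int32_t DbgDereferenceCount;
} OBJECT_HEADER_NAME_INFO;
typedef struct {          /* 0x18 bytes; Body follows at +0x18 */
    int32_t PointerCount;
    int32_t HandleCount;  /* union with NextToFree */
    PTR32 Type;
    uint8_t NameInfoOffset, HandleInfoOffset, QuotaInfoOffset, Flags;
    PTR32 ObjectCreateInfo;   /* union with QuotaBlockCharged */
    PTR32 SecurityDescriptor;
} OBJECT_HEADER;

/* Layout check against the sizes dt reports for these structures. */
int layout_matches_dt(void) {
    return sizeof(OBJECT_HEADER) == 0x18 && sizeof(OBJECT_HEADER_NAME_INFO) == 0x18
        && sizeof(OBJECT_HEADER_CREATOR_INFO) == 0x10;
}

/* The ob.h macros quoted above as functions (handle and quota info follow the
 * same offset-from-header pattern as name info and are omitted here). */
OBJECT_HEADER *object_to_header(void *body) {
    return (OBJECT_HEADER *)((char *)body - sizeof(OBJECT_HEADER));
}
OBJECT_HEADER_NAME_INFO *header_to_name_info(OBJECT_HEADER *oh) {
    return oh->NameInfoOffset ? (OBJECT_HEADER_NAME_INFO *)((char *)oh - oh->NameInfoOffset) : NULL;
}
OBJECT_HEADER_CREATOR_INFO *header_to_creator_info(OBJECT_HEADER *oh) {
    return (oh->Flags & OB_FLAG_CREATOR_INFO)
         ? (OBJECT_HEADER_CREATOR_INFO *)((char *)oh - sizeof(OBJECT_HEADER_CREATOR_INFO)) : NULL;
}

/* One allocation laid out as [name info][creator info, if any][header][body].
 * Creator info sits directly in front of the header (that is what the macro
 * encodes), so NameInfoOffset must grow past it when the flag is set; placing
 * name info in front of creator info is this example's inference. */
#define BODY_SIZE 0x94    /* sizeof(_OBJECT_DIRECTORY) on x86, per the dx output */
static union { uint32_t align; uint8_t bytes[0x18 + 0x10 + 0x18 + BODY_SIZE]; } pool;

/* Constructed object carrying the header values seen at e127b3b8; returns the body. */
void *build_named_object(uint8_t flags) {
    memset(&pool, 0, sizeof pool);
    size_t hdr_off = sizeof(OBJECT_HEADER_NAME_INFO)
                   + ((flags & OB_FLAG_CREATOR_INFO) ? sizeof(OBJECT_HEADER_CREATOR_INFO) : 0);
    OBJECT_HEADER_NAME_INFO *ni = (OBJECT_HEADER_NAME_INFO *)pool.bytes;
    OBJECT_HEADER *oh = (OBJECT_HEADER *)(pool.bytes + hdr_off);
    ni->Directory = 0xe10007c0;     /* ObpRootDirectoryObject in the dump */
    ni->Name.Length = ni->Name.MaximumLength = 12;   /* L"Driver" */
    ni->Name.Buffer = 0xe1278db2;   /* name buffer address edi walked in the trace */
    ni->QueryReferences = 1;
    oh->PointerCount = 2;
    oh->Type = 0x899a2e70;          /* the Directory type object in the dump */
    oh->NameInfoOffset = (uint8_t)hdr_off;
    oh->Flags = flags;
    return (char *)oh + sizeof(OBJECT_HEADER);
}

/* Decode Flags into OB_FLAG_* names, e.g. 0x32 -> KERNEL_OBJECT|PERMANENT_OBJECT|DEFAULT_SECURITY_QUOTA. */
const char *describe_flags(uint8_t flags) {
    static const char *const names[8] = {"NEW_OBJECT", "KERNEL_OBJECT", "CREATOR_INFO",
        "EXCLUSIVE_OBJECT", "PERMANENT_OBJECT", "DEFAULT_SECURITY_QUOTA",
        "SINGLE_HANDLE_ENTRY", "DELETED_INLINE"};
    static char out[160];
    out[0] = 0;
    for (int bit = 0; bit < 8; bit++) {
        if (!(flags & (1u << bit))) continue;
        if (out[0]) strcat(out, "|");
        strcat(out, names[bit]);
    }
    return out;
}

int main(void) {
    void *body = build_named_object(0x32);
    OBJECT_HEADER *oh = object_to_header(body);
    printf("header = body-0x%zx, name info = header-0x%x, flags %s\n",
           sizeof(OBJECT_HEADER), oh->NameInfoOffset, describe_flags(oh->Flags));
    return 0;
}
```

With Flags 0x32 the model reproduces the dump: the header is 0x18 bytes below the body, the name info 0x18 bytes below the header (the `e127b3b8-0x18` used with dt above), there is no creator info, and the flag byte decodes to KERNEL_OBJECT, PERMANENT_OBJECT and DEFAULT_SECURITY_QUOTA; the System process header's 0x22 decodes the same way minus PERMANENT_OBJECT. Setting OB_FLAG_CREATOR_INFO moves the name info 0x10 bytes further out, which is why the macro reads NameInfoOffset from the header instead of using a constant.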
if (DirectoryEntry) {
1: kd> p
eax=c1062001 ebx=e1000800 ecx=00000072 edx=e1278dbe esi=e12792e0 edi=e1000800
eip=80d1bfc2 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!ObpLookupDirectoryEntry+0x1ac:
80d1bfc2 85f6 test esi,esi
        //
        // Now return the object to our caller
        //
        Object = DirectoryEntry->Object;   // esi=e127b3d0
1: kd> p
eax=c1062001 ebx=e1000800 ecx=00000072 edx=e1278dbe esi=e12792e0 edi=e1000800
eip=80d1c0c4 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0x2ae:
80d1c0c4 8b7604 mov esi,dword ptr [esi+4] ds:0023:e12792e4=e127b3d0
1: kd> p
eax=c1062001 ebx=e1000800 ecx=00000072 edx=e1278dbe esi=e127b3d0 edi=e1000800
eip=80d1c0c7 esp=f789a428 ebp=f789a440 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupDirectoryEntry+0x2b1:
80d1c0c7 85f6 test esi,esi
1: kd> !object e127b3d0
Object: e127b3d0 Type: (899a2e70) Directory
ObjectHeader: e127b3b8 (old version)
HandleCount: 0 PointerCount: 2
Directory Object: e10007c0 Name: Driver
Hash Address Type Name
33 899c5d30 Driver PnpManager
1: kd> gu
eax=e127b3d0 ebx=00000000 ecx=f789a580 edx=00000000 esi=0044005c edi=f789a580
eip=80d1cebe esp=f789a45c ebp=f789a4a8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!ObpLookupObjectName+0x4dc:
80d1cebe 3bc3 cmp eax,ebx
1: kd> dv LookupContext
LookupContext = 0xf789a580
1: kd> dx -r1 ((ntkrnlmp!_OBP_LOOKUP_CONTEXT *)0xf789a580)
((ntkrnlmp!_OBP_LOOKUP_CONTEXT *)0xf789a580) : 0xf789a580 [Type: _OBP_LOOKUP_CONTEXT *]
[+0x000] Directory : 0x0 [Type: _OBJECT_DIRECTORY *]
[+0x004] Object : 0xe127b3d0 [Type: void *]
[+0x008] HashIndex : 0x10 [Type: unsigned short]
[+0x00a] DirectoryLocked : 0x0 [Type: unsigned char]
[+0x00c] LockStateSignature : 0xeeee1234 [Type: unsigned long]
Reference:
    LookupContext->HashIndex = (USHORT)HashIndex;
    LookupContext->Object = Object;
    return Object;
}
Reference:
    //
    // The object does not exist in the directory and
    // we are allowed to create one. So allocate space
    // for the name and insert the name into the directory
    //
    NewName = ExAllocatePoolWithTag( PagedPool, ComponentName.Length, 'mNbO' );
    if ((NewName == NULL) ||
        !ObpInsertDirectoryEntry( Directory, LookupContext, ObjectHeader )) {