免责声明:内容仅供学习参考,请合法利用知识,禁止进行违法犯罪活动!
本次游戏没法给
内容参考于:微尘网络安全
上一个内容:私有句柄表(查看私有句柄表工具和通过私有句柄id找目标进程id)-Windows驱动
句柄表算法函数是叫ExpLookupHandleTableEntry,它是一个未导出函数,它所在的位置比较底层,然后它在ntoskrnl.exe中,ntoskrnl.exe所在的目录如下图红框

使用 IDA 打开 ntoskrnl.exe 后搜索 ObReferenceObjectByHandle。ExpLookupHandleTableEntry 未导出,没法直接按名字定位,所以要从导出的 ObReferenceObjectByHandle 顺着调用链往下找,很多资料也是从它开始逆的。

可以通过微软的官网查看ObReferenceObjectByHandle函数的说明
https://learn.microsoft.com/zh-cn/windows-hardware/drivers/ddi/wdm/nf-wdm-obreferenceobjectbyhandle

它的代码如下图红框,就这么一段

然后进入它call的ObpReferenceObjectByHandleWithTag函数,如下图红框就可以看到我们要找的ExpLookupHandleTableEntry函数了

ExpLookupHandleTableEntry 函数有两个参数:rcx 和 rdx(Windows x64 调用约定下分别是第一、第二个参数)。结合后面的调试可以看到:rcx 来自 r13,也就是句柄表(_HANDLE_TABLE*);rdx 来自 rbx,而 rbx 是 ObpReferenceObjectByHandleWithTag 进入时保存下来的 rcx,也就是 ObReferenceObjectByHandle 的第一个参数 Handle(微软文档中第一个参数就是句柄)。所以 rcx 是句柄表,rdx 是传进来的句柄值。

静态看 IDA 时,句柄表那一路是从 gs 段寄存器取的:gs:[188h] 是当前线程,再取 [r15+0B8h](从上下文看应该是当前进程,具体字段需用符号确认),私有句柄表就从这里来;而如果句柄是内核句柄,则改用全局的 ObpKernelHandleTable,下面的动态调试走的正是这一路。如果有机会会详细写段寄存器,接下来使用 Windbg 一步一步调试,看看全局句柄表的算法。

首先使用bu ObReferenceObjectByHandle设置断点

触发断点

如下图红框,通过断点看出 rcx 的值来自于 ObpKernelHandleTable,这是内核句柄表。能走到这里是因为前面 and rax,0FFFFFFFF80000000h / cmp 判断出句柄的 bit31 及以上全为 1,即这是一个内核句柄,并且 test r9b,r9b 为 0(r9b 看起来是 ObReferenceObjectByHandle 的第 4 个参数 AccessMode,0 即 KernelMode,需结合文档确认);随后 xor rbx,0FFFFFFFF80000000h 把内核句柄的标志位去掉,剩下的 0x7bc 才是真正参与查表的句柄值。

接下来进入ExpLookupHandleTableEntry函数里查看

现在的数据情况,它是一个二层表

然后继续单步

rcx+8取出了TableCode

and eax,3 取出 TableCode 的低 2 位,这 2 位编码的是句柄表的层数:0 表示一层,1 表示二层,2 表示三层(下面的代码也只处理这三种情况)。2 位虽然能表示 4 个值,但 Windows 实际最多只有三层句柄表,不要理解成“支持 4 层”。

下图红框位置判断是否等于1,jnz是不等于时跳转,这里是等于1说明是二层表

下图红框是不等于1时执行的,eax等于0就执行下图红框的代码,如果不等于0就执行下图蓝框的代码,下图蓝框就是处理三层表的代码

下图红框的 shr rax,0Ah 是右移:把句柄值(此前已用 and rdx,0FFFFFFFFFFFFFFFCh 清掉低 2 位)右移 10 位,相当于句柄值除以 1024(注意是句柄值,不是 pid),得到的是在中间层指针表中的索引;本例句柄 0x7bc 右移 10 位得 1,对应取出的底层表地址就是下图红框的 ffffe380`09ac0000。

下图红框的 and edx,3FFh 取的是句柄值的低 10 位,相当于句柄值对 1024 取余(不是减 1024),本例 0x7bc & 0x3ff = 0x3bc,它就是句柄项在底层句柄表里的位置。

如下图红框,mov rax,qword ptr [r8+rax*8-1] 从中间层指针表中取出底层表的地址。r8 是 TableCode(ffffe380`09abf001),其最低位的 1 就是上面说的层数编码,所以要减 1 才是真正的表基址;rax*8 是因为中间层每项是一个 8 字节指针。

然后 lea rax,[rax+rdx*4] 执行完得到的是 _HANDLE_TABLE_ENTRY 的地址(ffffe380`09ac0ef0 = ffffe380`09ac0000 + 0x3bc*4;句柄值以 4 递增而每个表项占 16 字节,所以乘 4 正好),随后 ret 返回。注意这里返回的是表项地址,表项里的第一个 8 字节 af82d59f`0310c491 才是编码过的对象指针,它是在调用者里用 mov rax,qword ptr [rax] 读出来的。

返回后调用者读出表项,再在下图红框的 ExGetHandlePointer 函数中解码(这只是位运算编码,并不是加密):sar rax,10h 是带符号右移 16 位,丢掉低 16 位(4 个十六进制位)并用符号位补高位,于是前面自动补成 ffff,相当于我们之前“取前 11 个十六进制位、前面加 ffff”的做法;and rax,0FFFFFFFFFFFFFFF0h 再清掉最低 4 位,相当于“后面补一个 0”。本例 af82d59f`0310c491 → ffffaf82`d59f0310。另外要注意,gs:[188h]、[r15+0B8h]、sar 10h 这类偏移和常量都是本机这份 ntoskrnl 的实现细节,不同 Windows 版本可能不同,写驱动时不要硬编码,应结合符号或文档化的 API 重新确认。

Windbg过程
0: kd> g
Breakpoint 0 hit
nt!ObReferenceObjectByHandle:
fffff807`78641f10 4883ec48 sub rsp,48h
2: kd> p
nt!ObReferenceObjectByHandle+0x4:
fffff807`78641f14 488b442478 mov rax,qword ptr [rsp+78h]
2: kd> p
nt!ObReferenceObjectByHandle+0x9:
fffff807`78641f19 48c744243800000000 mov qword ptr [rsp+38h],0
2: kd> p
nt!ObReferenceObjectByHandle+0x12:
fffff807`78641f22 4889442430 mov qword ptr [rsp+30h],rax
2: kd> p
nt!ObReferenceObjectByHandle+0x17:
fffff807`78641f27 488b442470 mov rax,qword ptr [rsp+70h]
2: kd> p
nt!ObReferenceObjectByHandle+0x1c:
fffff807`78641f2c 4889442428 mov qword ptr [rsp+28h],rax
2: kd> p
nt!ObReferenceObjectByHandle+0x21:
fffff807`78641f31 c744242044666c74 mov dword ptr [rsp+20h],746C6644h
2: kd> p
nt!ObReferenceObjectByHandle+0x29:
fffff807`78641f39 e872080000 call nt!ObpReferenceObjectByHandleWithTag (fffff807`786427b0)
2: kd> t
nt!ObpReferenceObjectByHandleWithTag:
fffff807`786427b0 44884c2420 mov byte ptr [rsp+20h],r9b
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x5:
fffff807`786427b5 4c89442418 mov qword ptr [rsp+18h],r8
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xa:
fffff807`786427ba 89542410 mov dword ptr [rsp+10h],edx
2: kd> t
nt!ObpReferenceObjectByHandleWithTag+0xe:
fffff807`786427be 48894c2408 mov qword ptr [rsp+8],rcx
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x13:
fffff807`786427c3 53 push rbx
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x14:
fffff807`786427c4 55 push rbp
2: kd> t
nt!ObpReferenceObjectByHandleWithTag+0x15:
fffff807`786427c5 56 push rsi
2: kd> t
nt!ObpReferenceObjectByHandleWithTag+0x16:
fffff807`786427c6 4154 push r12
2: kd> t
nt!ObpReferenceObjectByHandleWithTag+0x18:
fffff807`786427c8 4157 push r15
2: kd> t
nt!ObpReferenceObjectByHandleWithTag+0x1a:
fffff807`786427ca 4881ec80000000 sub rsp,80h
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x21:
fffff807`786427d1 654c8b3c2588010000 mov r15,qword ptr gs:[188h]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x2a:
fffff807`786427da 33ed xor ebp,ebp
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x2c:
fffff807`786427dc 488bb424d8000000 mov rsi,qword ptr [rsp+0D8h]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x34:
fffff807`786427e4 488bd9 mov rbx,rcx
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x37:
fffff807`786427e7 488b8424e8000000 mov rax,qword ptr [rsp+0E8h]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x3f:
fffff807`786427ef 40886c2430 mov byte ptr [rsp+30h],bpl
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x44:
fffff807`786427f4 4d8ba7b8000000 mov r12,qword ptr [r15+0B8h]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x4b:
fffff807`786427fb 48892e mov qword ptr [rsi],rbp
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x4e:
fffff807`786427fe 4885c0 test rax,rax
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x51:
fffff807`78642801 7405 je nt!ObpReferenceObjectByHandleWithTag+0x58 (fffff807`78642808)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x58:
fffff807`78642808 48897c2478 mov qword ptr [rsp+78h],rdi
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x5d:
fffff807`7864280d 488bc3 mov rax,rbx
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x60:
fffff807`78642810 482500000080 and rax,0FFFFFFFF80000000h
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x66:
fffff807`78642816 4c896c2470 mov qword ptr [rsp+70h],r13
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x6b:
fffff807`7864281b 4c89742468 mov qword ptr [rsp+68h],r14
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x70:
fffff807`78642820 483d00000080 cmp rax,0FFFFFFFF80000000h
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x76:
fffff807`78642826 0f84d8010000 je nt!ObpReferenceObjectByHandleWithTag+0x254 (fffff807`78642a04)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x254:
fffff807`78642a04 4883fbff cmp rbx,0FFFFFFFFFFFFFFFFh
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x258:
fffff807`78642a08 7437 je nt!ObpReferenceObjectByHandleWithTag+0x291 (fffff807`78642a41)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x25a:
fffff807`78642a0a 4883fbfe cmp rbx,0FFFFFFFFFFFFFFFEh
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x25e:
fffff807`78642a0e 0f84d2010000 je nt!ObpReferenceObjectByHandleWithTag+0x436 (fffff807`78642be6)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x264:
fffff807`78642a14 4584c9 test r9b,r9b
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x267:
fffff807`78642a17 0f8539030000 jne nt!ObpReferenceObjectByHandleWithTag+0x5a6 (fffff807`78642d56)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x26d:
fffff807`78642a1d 4c8b2dd4c26c00 mov r13,qword ptr [nt!ObpKernelHandleTable (fffff807`78d0ecf8)]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x274:
fffff807`78642a24 4881f300000080 xor rbx,0FFFFFFFF80000000h
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x27b:
fffff807`78642a2b 6641ff8fe4010000 dec word ptr [r15+1E4h]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x283:
fffff807`78642a33 90 nop
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x284:
fffff807`78642a34 48899c24b0000000 mov qword ptr [rsp+0B0h],rbx
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x28c:
fffff807`78642a3c e941feffff jmp nt!ObpReferenceObjectByHandleWithTag+0xd2 (fffff807`78642882)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xd2:
fffff807`78642882 f7c3fc030000 test ebx,3FCh
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xd8:
fffff807`78642888 0f8420040000 je nt!ObpReferenceObjectByHandleWithTag+0x4fe (fffff807`78642cae)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xde:
fffff807`7864288e 488bd3 mov rdx,rbx
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xe1:
fffff807`78642891 498bcd mov rcx,r13
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xe4:
fffff807`78642894 e867060000 call nt!ExpLookupHandleTableEntry (fffff807`78642f00)
2: kd> r
rax=ffffffff80000000 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000007bc rsi=ffff928b8cc8f548 rdi=0000000000000001
rip=fffff80778642894 rsp=ffff928b8cc8f3f0 rbp=0000000000000000
r8=ffffaf82d08247f0 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=0000000000000000 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
nt!ObpReferenceObjectByHandleWithTag+0xe4:
fffff807`78642894 e867060000 call nt!ExpLookupHandleTableEntry (fffff807`78642f00)
2: kd> dq fffff807`78d0ecf8
fffff807`78d0ecf8 ffffe380`09224a80 ffffaf82`d071ee90
fffff807`78d0ed08 ffffaf82`d072ee00 00000000`00000000
fffff807`78d0ed18 00000000`00000000 00000000`00000000
fffff807`78d0ed28 00000000`00000400 ffffe380`0f03fdf0
fffff807`78d0ed38 ffffaf82`d528b450 00000000`00000001
fffff807`78d0ed48 00000000`00000000 00000000`00000400
fffff807`78d0ed58 ffffe380`0f03e800 ffffaf82`d528b850
fffff807`78d0ed68 00000000`00000001 00000000`00000000
2: kd> t
nt!ExpLookupHandleTableEntry:
fffff807`78642f00 8b01 mov eax,dword ptr [rcx]
2: kd> dt _HEADLE_TABLE ffffe380`09224a80
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: _HEADLE_TABLE ***
*** ***
*************************************************************************
Symbol _HEADLE_TABLE not found.
2: kd> dt _HANDLE_TABLE ffffe380`09224a80
nt!_HANDLE_TABLE
+0x000 NextHandleNeedingPool : 0x4000
+0x004 ExtraInfoPages : 0n0
+0x008 TableCode : 0xffffe380`09abf001
+0x010 QuotaProcess : (null)
+0x018 HandleTableList : _LIST_ENTRY [ 0xffffe380`09260c58 - 0xfffff807`78dd8fd8 ]
+0x028 UniqueProcessId : 4
+0x02c Flags : 0
+0x02c StrictFIFO : 0y0
+0x02c EnableHandleExceptions : 0y0
+0x02c Rundown : 0y0
+0x02c Duplicated : 0y0
+0x02c RaiseUMExceptionOnInvalidHandleClose : 0y0
+0x030 HandleContentionEvent : _EX_PUSH_LOCK
+0x038 HandleTableLock : _EX_PUSH_LOCK
+0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
+0x040 ActualEntry : [32] ""
+0x060 DebugInfo : (null)
2: kd> p
nt!ExpLookupHandleTableEntry+0x2:
fffff807`78642f02 4883e2fc and rdx,0FFFFFFFFFFFFFFFCh
2: kd> p
nt!ExpLookupHandleTableEntry+0x6:
fffff807`78642f06 483bd0 cmp rdx,rax
2: kd> p
nt!ExpLookupHandleTableEntry+0x9:
fffff807`78642f09 7331 jae nt!ExpLookupHandleTableEntry+0x3c (fffff807`78642f3c)
2: kd> r
rax=0000000000004000 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000007bc rsi=ffff928b8cc8f548 rdi=0000000000000001
rip=fffff80778642f09 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffaf82d08247f0 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=0000000000000000 r15=ffffaf82d527a080
iopl=0 nv up ei ng nz na pe cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040283
nt!ExpLookupHandleTableEntry+0x9:
fffff807`78642f09 7331 jae nt!ExpLookupHandleTableEntry+0x3c (fffff807`78642f3c) [br=0]
2: kd> p
nt!ExpLookupHandleTableEntry+0xb:
fffff807`78642f0b 4c8b4108 mov r8,qword ptr [rcx+8]
2: kd> p
nt!ExpLookupHandleTableEntry+0xf:
fffff807`78642f0f 418bc0 mov eax,r8d
2: kd> p
nt!ExpLookupHandleTableEntry+0x12:
fffff807`78642f12 83e003 and eax,3
2: kd> r
rax=0000000009abf001 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000007bc rsi=ffff928b8cc8f548 rdi=0000000000000001
rip=fffff80778642f12 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=0000000000000000 r15=ffffaf82d527a080
iopl=0 nv up ei ng nz na pe cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040283
nt!ExpLookupHandleTableEntry+0x12:
fffff807`78642f12 83e003 and eax,3
2: kd> p
nt!ExpLookupHandleTableEntry+0x15:
fffff807`78642f15 83f801 cmp eax,1
2: kd> r
rax=0000000000000001 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000007bc rsi=ffff928b8cc8f548 rdi=0000000000000001
rip=fffff80778642f15 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=0000000000000000 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
nt!ExpLookupHandleTableEntry+0x15:
fffff807`78642f15 83f801 cmp eax,1
2: kd> t
nt!ExpLookupHandleTableEntry+0x18:
fffff807`78642f18 7518 jne nt!ExpLookupHandleTableEntry+0x32 (fffff807`78642f32)
2: kd> p
nt!ExpLookupHandleTableEntry+0x1a:
fffff807`78642f1a 488bc2 mov rax,rdx
2: kd> p
nt!ExpLookupHandleTableEntry+0x1d:
fffff807`78642f1d 48c1e80a shr rax,0Ah
2: kd> p
nt!ExpLookupHandleTableEntry+0x21:
fffff807`78642f21 81e2ff030000 and edx,3FFh
2: kd> r
rax=0000000000000001 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000007bc rsi=ffff928b8cc8f548 rdi=0000000000000001
rip=fffff80778642f21 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=0000000000000000 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na pe cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040203
nt!ExpLookupHandleTableEntry+0x21:
fffff807`78642f21 81e2ff030000 and edx,3FFh
2: kd> dq 0xffffe380`09abf000
ffffe380`09abf000 ffffe380`0923d000 ffffe380`09ac0000
ffffe380`09abf010 ffffe380`0de7e000 ffffe380`0995c000
ffffe380`09abf020 ffffe380`0fcff000 ffffe380`0f8eb000
ffffe380`09abf030 ffffe380`092e7000 ffffe380`0de5f000
ffffe380`09abf040 ffffe380`1164c000 ffffe380`105da000
ffffe380`09abf050 ffffe380`11eff000 ffffe380`1057f000
ffffe380`09abf060 ffffe380`12bfd000 ffffe380`14189000
ffffe380`09abf070 ffffe380`13b9a000 ffffe380`11e07000
2: kd> p
nt!ExpLookupHandleTableEntry+0x27:
fffff807`78642f27 498b44c0ff mov rax,qword ptr [r8+rax*8-1]
2: kd> r
rax=0000000000000001 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000003bc rsi=ffff928b8cc8f548 rdi=0000000000000001
rip=fffff80778642f27 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=0000000000000000 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
nt!ExpLookupHandleTableEntry+0x27:
fffff807`78642f27 498b44c0ff mov rax,qword ptr [r8+rax*8-1] ds:002b:ffffe380`09abf008=ffffe38009ac0000
2: kd> p
nt!ExpLookupHandleTableEntry+0x2c:
fffff807`78642f2c 488d0490 lea rax,[rax+rdx*4]
2: kd> r
rax=ffffe38009ac0000 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000003bc rsi=ffff928b8cc8f548 rdi=0000000000000001
rip=fffff80778642f2c rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=0000000000000000 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
nt!ExpLookupHandleTableEntry+0x2c:
fffff807`78642f2c 488d0490 lea rax,[rax+rdx*4]
2: kd> p
nt!ExpLookupHandleTableEntry+0x30:
fffff807`78642f30 c3 ret
2: kd> r
rax=ffffe38009ac0ef0 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000003bc rsi=ffff928b8cc8f548 rdi=0000000000000001
rip=fffff80778642f30 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=0000000000000000 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
nt!ExpLookupHandleTableEntry+0x30:
fffff807`78642f30 c3 ret
2: kd> dt _HANDLE_TABLE_ENTRY ffffe38009ac0000+ 3bc * 4
Numeric expression missing from '<EOL>'
2: kd> dt _HANDLE_TABLE_ENTRY ffffe38009ac0000 + 3bc * 4
nt!_HANDLE_TABLE_ENTRY
Cannot find specified field members.
2: kd> dt _HANDLE_TABLE_ENTRY ffffe380`09ac0000 + 3bc * 4
nt!_HANDLE_TABLE_ENTRY
Cannot find specified field members.
2: kd> dt _HANDLE_TABLE ffffe380`09ac0000 + 3bc * 4
nt!_HANDLE_TABLE
Cannot find specified field members.
2: kd> dq ffffe380`09ac0000 + 3bc * 4
ffffe380`09ac0ef0 af82d59f`0310c491 00000000`001f0003
ffffe380`09ac0f00 af82d59c`fa30e249 00000000`00000001
ffffe380`09ac0f10 af82d57f`db800001 00000000`001f0003
ffffe380`09ac0f20 af82d5a0`2b300001 00000000`001f0003
ffffe380`09ac0f30 af82d5a0`40300001 00000000`001f0003
ffffe380`09ac0f40 af82d57f`c7400001 00000000`001f0003
ffffe380`09ac0f50 af82d57f`ce000001 00000000`001f0003
ffffe380`09ac0f60 af82d57f`d8200001 00000000`001f0003
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xe9:
fffff807`78642899 488bf8 mov rdi,rax
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xec:
fffff807`7864289c 4885c0 test rax,rax
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xef:
fffff807`7864289f 0f8409040000 je nt!ObpReferenceObjectByHandleWithTag+0x4fe (fffff807`78642cae)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xf5:
fffff807`786428a5 0f0d08 prefetchw [rax]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xf8:
fffff807`786428a8 488b00 mov rax,qword ptr [rax]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xfb:
fffff807`786428ab 4c8b7708 mov r14,qword ptr [rdi+8]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0xff:
fffff807`786428af 4889442448 mov qword ptr [rsp+48h],rax
2: kd> r
rax=af82d59f0310c491 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000003bc rsi=ffff928b8cc8f548 rdi=ffffe38009ac0ef0
rip=fffff807786428af rsp=ffff928b8cc8f3f0 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=00000000001f0003 r15=ffffaf82d527a080
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040286
nt!ObpReferenceObjectByHandleWithTag+0xff:
fffff807`786428af 4889442448 mov qword ptr [rsp+48h],rax ss:0018:ffff928b`8cc8f438=ffff928b8cc8f720
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x104:
fffff807`786428b4 488b742448 mov rsi,qword ptr [rsp+48h]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x109:
fffff807`786428b9 4c89742450 mov qword ptr [rsp+50h],r14
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x10e:
fffff807`786428be 90 nop
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x10f:
fffff807`786428bf 48f7c6feff0100 test rsi,1FFFEh
2: kd> r
rax=af82d59f0310c491 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000003bc rsi=af82d59f0310c491 rdi=ffffe38009ac0ef0
rip=fffff807786428bf rsp=ffff928b8cc8f3f0 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=00000000001f0003 r15=ffffaf82d527a080
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040286
nt!ObpReferenceObjectByHandleWithTag+0x10f:
fffff807`786428bf 48f7c6feff0100 test rsi,1FFFEh
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x116:
fffff807`786428c6 0f84e4010000 je nt!ObpReferenceObjectByHandleWithTag+0x300 (fffff807`78642ab0)
2: kd> r
rax=af82d59f0310c491 rbx=00000000000007bc rcx=ffffe38009224a80
rdx=00000000000003bc rsi=af82d59f0310c491 rdi=ffffe38009ac0ef0
rip=fffff807786428c6 rsp=ffff928b8cc8f3f0 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=00000000001f0003 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040206
nt!ObpReferenceObjectByHandleWithTag+0x116:
fffff807`786428c6 0f84e4010000 je nt!ObpReferenceObjectByHandleWithTag+0x300 (fffff807`78642ab0) [br=0]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x11c:
fffff807`786428cc 400fb6c6 movzx eax,sil
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x120:
fffff807`786428d0 f6d0 not al
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x122:
fffff807`786428d2 a801 test al,1
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x124:
fffff807`786428d4 7416 je nt!ObpReferenceObjectByHandleWithTag+0x13c (fffff807`786428ec)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x13c:
fffff807`786428ec 488d5efe lea rbx,[rsi-2]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x140:
fffff807`786428f0 498bce mov rcx,r14
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x143:
fffff807`786428f3 488bc6 mov rax,rsi
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x146:
fffff807`786428f6 498bd6 mov rdx,r14
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x149:
fffff807`786428f9 f0480fc70f lock cmpxchg16b oword ptr [rdi]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x14e:
fffff807`786428fe 488bf0 mov rsi,rax
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x151:
fffff807`78642901 4889442448 mov qword ptr [rsp+48h],rax
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x156:
fffff807`78642906 0f94c0 sete al
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x159:
fffff807`78642909 4889542450 mov qword ptr [rsp+50h],rdx
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x15e:
fffff807`7864290e 4c8bf2 mov r14,rdx
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x161:
fffff807`78642911 84c0 test al,al
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x163:
fffff807`78642913 74a9 je nt!ObpReferenceObjectByHandleWithTag+0x10e (fffff807`786428be)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x165:
fffff807`78642915 488bce mov rcx,rsi
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x168:
fffff807`78642918 48d1e9 shr rcx,1
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x16b:
fffff807`7864291b 6683f910 cmp cx,10h
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x16f:
fffff807`7864291f 0f843b040000 je nt!ObpReferenceObjectByHandleWithTag+0x5b0 (fffff807`78642d60)
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x175:
fffff807`78642925 488d4c2448 lea rcx,[rsp+48h]
2: kd> p
nt!ObpReferenceObjectByHandleWithTag+0x17a:
fffff807`7864292a e8f113beff call nt!ExGetHandlePointer (fffff807`78223d20)
2: kd> t
nt!ExGetHandlePointer:
fffff807`78223d20 488b01 mov rax,qword ptr [rcx]
2: kd> r
rax=af82d59f0310c401 rbx=af82d59f0310c48f rcx=ffff928b8cc8f438
rdx=00000000001f0003 rsi=af82d59f0310c491 rdi=ffffe38009ac0ef0
rip=fffff80778223d20 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=00000000001f0003 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
nt!ExGetHandlePointer:
fffff807`78223d20 488b01 mov rax,qword ptr [rcx] ds:002b:ffff928b`8cc8f438=af82d59f0310c491
2: kd> p
nt!ExGetHandlePointer+0x3:
fffff807`78223d23 48c1f810 sar rax,10h
2: kd> r
rax=af82d59f0310c491 rbx=af82d59f0310c48f rcx=ffff928b8cc8f438
rdx=00000000001f0003 rsi=af82d59f0310c491 rdi=ffffe38009ac0ef0
rip=fffff80778223d23 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=00000000001f0003 r15=ffffaf82d527a080
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
nt!ExGetHandlePointer+0x3:
fffff807`78223d23 48c1f810 sar rax,10h
2: kd> p
nt!ExGetHandlePointer+0x7:
fffff807`78223d27 4883e0f0 and rax,0FFFFFFFFFFFFFFF0h
2: kd> r
rax=ffffaf82d59f0310 rbx=af82d59f0310c48f rcx=ffff928b8cc8f438
rdx=00000000001f0003 rsi=af82d59f0310c491 rdi=ffffe38009ac0ef0
rip=fffff80778223d27 rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=00000000001f0003 r15=ffffaf82d527a080
iopl=0 nv up ei ng nz na pe cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040283
nt!ExGetHandlePointer+0x7:
fffff807`78223d27 4883e0f0 and rax,0FFFFFFFFFFFFFFF0h
2: kd> p
nt!ExGetHandlePointer+0xb:
fffff807`78223d2b c3 ret
2: kd> r
rax=ffffaf82d59f0310 rbx=af82d59f0310c48f rcx=ffff928b8cc8f438
rdx=00000000001f0003 rsi=af82d59f0310c491 rdi=ffffe38009ac0ef0
rip=fffff80778223d2b rsp=ffff928b8cc8f3e8 rbp=0000000000000000
r8=ffffe38009abf001 r9=0000000000000000 r10=fffff8077878eb60
r11=ffff928b8cc8f628 r12=ffffaf82d52b2080 r13=ffffe38009224a80
r14=00000000001f0003 r15=ffffaf82d527a080
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040282
nt!ExGetHandlePointer+0xb:
fffff807`78223d2b c3 ret
