Windows驱动开发学习记录-ObjectType Hook之ObjectType结构相关分析
1、目的
在一般情况下,对于系统的常规操作如创建进程、创建互斥体、创建文件等可以通过SSDT Hook进行拦截,但在x64系统下,由于有PatchGuard(PG)的保护,常规的SSDT Hook会导致蓝屏。而基于ObjectType的一些Hook也可以实现相应的功能,且不会导致系统 BSOD。
2、相关结构分析
2.1 XP上的相关结构
2.1.1 WinDbg调试结构
首先是 _OBJECT_HEADER结构
0: kd> dt _object_header
nt!_OBJECT_HEADER
+0x000 PointerCount : Int4B
+0x004 HandleCount : Int4B
+0x004 NextToFree : Ptr32 Void
+0x008 Type : Ptr32 _OBJECT_TYPE
+0x00c NameInfoOffset : UChar
+0x00d HandleInfoOffset : UChar
+0x00e QuotaInfoOffset : UChar
+0x00f Flags : UChar
+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : Ptr32 Void
+0x014 SecurityDescriptor : Ptr32 Void
+0x018 Body : _QUAD
其中偏移+0x008处的Type字段就是指向 _OBJECT_TYPE 的指针,其结构如下:
0: kd> dt _OBJECT_TYPE
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY
+0x040 Name : _UNICODE_STRING
+0x048 DefaultObject : Ptr32 Void
+0x04c Index : Uint4B
+0x050 TotalNumberOfObjects : Uint4B
+0x054 TotalNumberOfHandles : Uint4B
+0x058 HighWaterNumberOfObjects : Uint4B
+0x05c HighWaterNumberOfHandles : Uint4B
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : Uint4B
+0x0b0 ObjectLocks : [4] _ERESOURCE
其中的TypeInfo为 _OBJECT_TYPE_INITIALIZER结构,其内容如下:
0: kd> dt _OBJECT_TYPE_INITIALIZER
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : Uint2B
+0x002 UseDefaultObject : UChar
+0x003 CaseInsensitive : UChar
+0x004 InvalidAttributes : Uint4B
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : Uint4B
+0x01c SecurityRequired : UChar
+0x01d MaintainHandleCount : UChar
+0x01e MaintainTypeList : UChar
+0x020 PoolType : _POOL_TYPE
+0x024 DefaultPagedPoolCharge : Uint4B
+0x028 DefaultNonPagedPoolCharge : Uint4B
+0x02c DumpProcedure : Ptr32 void
+0x030 OpenProcedure : Ptr32 long
+0x034 CloseProcedure : Ptr32 void
+0x038 DeleteProcedure : Ptr32 void
+0x03c ParseProcedure : Ptr32 long
+0x040 SecurityProcedure : Ptr32 long
+0x044 QueryNameProcedure : Ptr32 long
+0x048 OkayToCloseProcedure : Ptr32 unsigned char
其中靠后的如 OpenProcedure、CloseProcedure、ParseProcedure等就是我们关注的需要Hook的字段,通过Hook这些字段来实现打开创建相应的对象的过滤操作。
2.1.2 实际中使用的情况
我们经过一些操作来看看XP上的进程对象的相关字段对应的函数
先通过!process命令获取explorer.exe的EPROCESS
0: kd> !process 0 0 explorer.exe
Failed to get VadRoot
PROCESS 89fc3338 SessionId: 0 Cid: 0604 Peb: 7ffd4000 ParentCid: 05f4
DirBase: 0aac01c0 ObjectTable: e1835490 HandleCount: 487.
Image: explorer.exe
获取到的结果为PROCESS 89fc3338, 看看对应的数据如下:
0: kd> dt _eprocess 89fc3338
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x01d99c3e`eb1d80e8
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : 0x00000604 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x8a2a8688 - 0x8a0b8738 ]
+0x090 QuotaUsage : [3] 0x34a8
+0x09c QuotaPeak : [3] 0x4650
+0x0a8 CommitCharge : 0xfe0
+0x0ac PeakVirtualSize : 0x6aee000
+0x0b0 VirtualSize : 0x6031000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x8a2a86b4 - 0x8a0b8764 ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe166ca10 Void
+0x0c4 ObjectTable : 0xe1835490 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : 0x16b59
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger : 0
+0x11c VadRoot : 0x8a32c2a8 Void
+0x120 VadHint : 0x8a32c2a8 Void
+0x124 CloneRoot : (null)
+0x128 NumberOfPrivatePages : 0xa5e
+0x12c NumberOfLockedPages : 0
+0x130 Win32Process : 0xe1d749e0 Void
+0x134 Job : (null)
+0x138 SectionObject : 0xe1d7bbd0 Void
+0x13c SectionBaseAddress : 0x01000000 Void
+0x140 QuotaBlock : 0x8a4b7e58 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : (null)
+0x148 Win32WindowStation : 0x00000038 Void
+0x14c InheritedFromUniqueProcessId : 0x000005f4 Void
+0x150 LdtInformation : (null)
+0x154 VadFreeHint : (null)
+0x158 VdmObjects : (null)
+0x15c DeviceMap : 0xe19f0990 Void
+0x160 PhysicalVadList : _LIST_ENTRY [ 0x89fc3498 - 0x89fc3498 ]
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x168 Filler : 0
+0x170 Session : 0xba5d0000 Void
+0x174 ImageFileName : [16] "explorer.exe"
......
这里并不需要EPROCESS结构本身,获取它的地址是为了进一步得到_OBJECT_HEADER的地址:因为_OBJECT_HEADER结构中的Body字段就是对象本体(如EPROCESS),所以在XP环境的代码中可以用下面的宏由对象地址反推出_OBJECT_HEADER的地址。
// XP/x86 only: 0x18 is the offset of _OBJECT_HEADER.Body in the dump above
// (Body at +0x018), so stepping back 0x18 bytes from an object body such as an
// EPROCESS yields its _OBJECT_HEADER. On the x64 header shown in 2.2.1 Body sits
// at +0x030 and the header carries only a TypeIndex instead of a Type pointer,
// so this constant must not be reused there; ObGetObjectType is used instead.
#define ObObjectToObjectHeader(x) ((POBJECT_HEADER)(((PUCHAR)(x))-0x18))
操作如下:
0: kd> dt _object_header 89fc3338-0x18
nt!_OBJECT_HEADER
+0x000 PointerCount : 0n185
+0x004 HandleCount : 0n6
+0x004 NextToFree : 0x00000006 Void
+0x008 Type : 0x8a4a4ca0 _OBJECT_TYPE
+0x00c NameInfoOffset : 0 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x20 ' '
+0x010 ObjectCreateInfo : 0x8a4b7e58 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x8a4b7e58 Void
+0x014 SecurityDescriptor : 0xe1cd5ed3 Void
+0x018 Body : _QUAD
再继续打印_OBJECT_TYPE
0: kd> dt _object_type 0x8a4a4ca0
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x8a4a4cd8 - 0x8a4a4cd8 ]
+0x040 Name : _UNICODE_STRING "Process"
+0x048 DefaultObject : (null)
+0x04c Index : 5
+0x050 TotalNumberOfObjects : 0x11
+0x054 TotalNumberOfHandles : 0x51
+0x058 HighWaterNumberOfObjects : 0x13
+0x05c HighWaterNumberOfHandles : 0x51
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x636f7250
+0x0b0 ObjectLocks : [4] _ERESOURCE
然后是_OBJECT_TYPE_INITIALIZER
0: kd> dx -id 0,0,8055d0c0 -r1 (*((ntkrpamp!_OBJECT_TYPE_INITIALIZER *)0x8a4a4d00))
(*((ntkrpamp!_OBJECT_TYPE_INITIALIZER *)0x8a4a4d00)) [Type: _OBJECT_TYPE_INITIALIZER]
[+0x000] Length : 0x4c [Type: unsigned short]
[+0x002] UseDefaultObject : 0x0 [Type: unsigned char]
[+0x003] CaseInsensitive : 0x0 [Type: unsigned char]
[+0x004] InvalidAttributes : 0xb0 [Type: unsigned long]
[+0x008] GenericMapping [Type: _GENERIC_MAPPING]
[+0x018] ValidAccessMask : 0x1f0fff [Type: unsigned long]
[+0x01c] SecurityRequired : 0x1 [Type: unsigned char]
[+0x01d] MaintainHandleCount : 0x0 [Type: unsigned char]
[+0x01e] MaintainTypeList : 0x0 [Type: unsigned char]
[+0x020] PoolType : NonPagedPool (0) [Type: _POOL_TYPE]
[+0x024] DefaultPagedPoolCharge : 0x1000 [Type: unsigned long]
[+0x028] DefaultNonPagedPoolCharge : 0x290 [Type: unsigned long]
[+0x02c] DumpProcedure : 0x0 [Type: void (*)(void *,_OBJECT_DUMP_CONTROL *)]
[+0x030] OpenProcedure : 0x0 [Type: long (*)(_OB_OPEN_REASON,_EPROCESS *,void *,unsigned long,unsigned long)]
[+0x034] CloseProcedure : 0x0 [Type: void (*)(_EPROCESS *,void *,unsigned long,unsigned long,unsigned long)]
[+0x038] DeleteProcedure : 0x805d263a [Type: void (*)(void *)]
[+0x03c] ParseProcedure : 0x0 [Type: long (*)(void *,void *,_ACCESS_STATE *,char,unsigned long,_UNICODE_STRING *,_UNICODE_STRING *,void *,_SECURITY_QUALITY_OF_SERVICE *,void * *)]
[+0x040] SecurityProcedure : 0x805f9a74 [Type: long (*)(void *,_SECURITY_OPERATION_CODE,unsigned long *,void *,unsigned long *,void * *,_POOL_TYPE,_GENERIC_MAPPING *,char)]
[+0x044] QueryNameProcedure : 0x0 [Type: long (*)(void *,unsigned char,_OBJECT_NAME_INFORMATION *,unsigned long,unsigned long *)]
[+0x048] OkayToCloseProcedure : 0x0 [Type: unsigned char (*)(_EPROCESS *,void *,void *,char)]
在此就可以看到相关函数的定义及实际地址,如DeleteProcedure : 0x805d263a [Type: void (*)(void *)] 就是地址为0x805d263a、函数类型为 void (*)(void *)(即返回void、接受一个void*参数)的函数。
2.2 Win7 x64以上64位系统的结构分析
2.2.1 WinDbg调试结构
7: kd> dt _object_header
nt!_OBJECT_HEADER
+0x000 PointerCount : Int8B
+0x008 HandleCount : Int8B
+0x008 NextToFree : Ptr64 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : UChar
+0x019 TraceFlags : UChar
+0x01a InfoMask : UChar
+0x01b Flags : UChar
+0x020 ObjectCreateInfo : Ptr64 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : Ptr64 Void
+0x028 SecurityDescriptor : Ptr64 Void
+0x030 Body : _QUAD
在64位系统上 _OBJECT_HEADER中并没有字段直接包含_OBJECT_TYPE结构,而是一个索引,索引的是一个名叫 ObTypeIndexTable的表,这个表是一个包含所有ObjectType的表结构,详细可见我另一篇文章
在这种情况下,实际编程中可以直接通过ObGetObjectType函数从对象指针获取其ObjectType的指针。
但_OBJECT_TYPE的结构化仍然可以在WinDbg中获取到,如下:
7: kd> dt _object_type
nt!_OBJECT_TYPE
+0x000 TypeList : _LIST_ENTRY
+0x010 Name : _UNICODE_STRING
+0x020 DefaultObject : Ptr64 Void
+0x028 Index : UChar
+0x02c TotalNumberOfObjects : Uint4B
+0x030 TotalNumberOfHandles : Uint4B
+0x034 HighWaterNumberOfObjects : Uint4B
+0x038 HighWaterNumberOfHandles : Uint4B
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b0 TypeLock : _EX_PUSH_LOCK
+0x0b8 Key : Uint4B
+0x0c0 CallbackList : _LIST_ENTRY
然后是_OBJECT_TYPE_INITIALIZER
7: kd> dt _OBJECT_TYPE_INITIALIZER
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : Uint2B
+0x002 ObjectTypeFlags : UChar
+0x002 CaseInsensitive : Pos 0, 1 Bit
+0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
+0x002 UseDefaultObject : Pos 2, 1 Bit
+0x002 SecurityRequired : Pos 3, 1 Bit
+0x002 MaintainHandleCount : Pos 4, 1 Bit
+0x002 MaintainTypeList : Pos 5, 1 Bit
+0x002 SupportsObjectCallbacks : Pos 6, 1 Bit
+0x002 CacheAligned : Pos 7, 1 Bit
+0x004 ObjectTypeCode : Uint4B
+0x008 InvalidAttributes : Uint4B
+0x00c GenericMapping : _GENERIC_MAPPING
+0x01c ValidAccessMask : Uint4B
+0x020 RetainAccess : Uint4B
+0x024 PoolType : _POOL_TYPE
+0x028 DefaultPagedPoolCharge : Uint4B
+0x02c DefaultNonPagedPoolCharge : Uint4B
+0x030 DumpProcedure : Ptr64 void
+0x038 OpenProcedure : Ptr64 long
+0x040 CloseProcedure : Ptr64 void
+0x048 DeleteProcedure : Ptr64 void
+0x050 ParseProcedure : Ptr64 long
+0x058 SecurityProcedure : Ptr64 long
+0x060 QueryNameProcedure : Ptr64 long
+0x068 OkayToCloseProcedure : Ptr64 unsigned char
其结构和xp有些差别,但需要的几个函数大同小异。
2.2.2 实际中使用的情况
先通过 《遍历Windows内核ObjectType》文章的方法得到EPROCESS对象的_OBJECT_TYPE指针:
5: kd> g
【PrintObjectTypeList】::【DriverEntry】 Hello Kernel World! CurrentProcessId:0x0000000000000004 CurrentIRQL:0x0
【ObRegisterCallback】::【GetObTypeIndexTable】Found ObTypeIndexTable Address:0xFFFFF80006678100
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:00 Address:0xFFFFFA80610603C0 Name:Type
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:01 Address:0xFFFFFA8061060270 Name:Directory
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:02 Address:0xFFFFFA806106C700 Name:SymbolicLink
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:03 Address:0xFFFFFA806106C4B0 Name:Token
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:04 Address:0xFFFFFA806106C290 Name:Job
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:05 Address:0xFFFFFA8061065F30 Name:Process
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:06 Address:0xFFFFFA8061065DE0 Name:Thread
其地址为0xFFFFFA8061065F30,再格式化其结构如下:
5: kd> dt _object_type 0xFFFFFA8061065F30
nt!_OBJECT_TYPE
+0x000 TypeList : _LIST_ENTRY [ 0xfffffa80`61065f30 - 0xfffffa80`61065f30 ]
+0x010 Name : _UNICODE_STRING "Process"
+0x020 DefaultObject : (null)
+0x028 Index : 0x7 ''
+0x02c TotalNumberOfObjects : 0x2f
+0x030 TotalNumberOfHandles : 0x11a
+0x034 HighWaterNumberOfObjects : 0x32
+0x038 HighWaterNumberOfHandles : 0x11e
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b0 TypeLock : _EX_PUSH_LOCK
+0x0b8 Key : 0x636f7250
+0x0c0 CallbackList : _LIST_ENTRY [ 0xfffff8a0`00f59b50 - 0xfffff8a0`00f59b50 ]
再获取_OBJECT_TYPE_INITIALIZER,如下:
5: kd> dx -id 0,0,fffffa8061066b00 -r1 (*((ntkrnlmp!_OBJECT_TYPE_INITIALIZER *)0xfffffa8061065f70))
(*((ntkrnlmp!_OBJECT_TYPE_INITIALIZER *)0xfffffa8061065f70)) [Type: _OBJECT_TYPE_INITIALIZER]
[+0x000] Length : 0x70 [Type: unsigned short]
[+0x002] ObjectTypeFlags : 0x4a [Type: unsigned char]
[+0x002 ( 0: 0)] CaseInsensitive : 0x0 [Type: unsigned char]
[+0x002 ( 1: 1)] UnnamedObjectsOnly : 0x1 [Type: unsigned char]
[+0x002 ( 2: 2)] UseDefaultObject : 0x0 [Type: unsigned char]
[+0x002 ( 3: 3)] SecurityRequired : 0x1 [Type: unsigned char]
[+0x002 ( 4: 4)] MaintainHandleCount : 0x0 [Type: unsigned char]
[+0x002 ( 5: 5)] MaintainTypeList : 0x0 [Type: unsigned char]
[+0x002 ( 6: 6)] SupportsObjectCallbacks : 0x1 [Type: unsigned char]
[+0x002 ( 7: 7)] CacheAligned : 0x0 [Type: unsigned char]
[+0x004] ObjectTypeCode : 0x0 [Type: unsigned long]
[+0x008] InvalidAttributes : 0xb0 [Type: unsigned long]
[+0x00c] GenericMapping [Type: _GENERIC_MAPPING]
[+0x01c] ValidAccessMask : 0x1fffff [Type: unsigned long]
[+0x020] RetainAccess : 0x101000 [Type: unsigned long]
[+0x024] PoolType : NonPagedPool (0) [Type: _POOL_TYPE]
[+0x028] DefaultPagedPoolCharge : 0x1000 [Type: unsigned long]
[+0x02c] DefaultNonPagedPoolCharge : 0x550 [Type: unsigned long]
[+0x030] DumpProcedure : 0x0 : 0x0 [Type: void (__cdecl*)(void *,_OBJECT_DUMP_CONTROL *)]
[+0x038] OpenProcedure : 0xfffff80006765ac8 : ntkrnlmp!PspProcessOpen+0x0 [Type: long (__cdecl*)(_OB_OPEN_REASON,char,_EPROCESS *,void *,unsigned long *,unsigned long)]
[+0x040] CloseProcedure : 0xfffff80006765b10 : ntkrnlmp!PspProcessClose+0x0 [Type: void (__cdecl*)(_EPROCESS *,void *,unsigned __int64,unsigned __int64)]
[+0x048] DeleteProcedure : 0xfffff8000672b814 : ntkrnlmp!PspProcessDelete+0x0 [Type: void (__cdecl*)(void *)]
[+0x050] ParseProcedure : 0x0 : 0x0 [Type: long (__cdecl*)(void *,void *,_ACCESS_STATE *,char,unsigned long,_UNICODE_STRING *,_UNICODE_STRING *,void *,_SECURITY_QUALITY_OF_SERVICE *,void * *)]
[+0x058] SecurityProcedure : 0xfffff80006735dd8 : ntkrnlmp!SeDefaultObjectMethod+0x0 [Type: long (__cdecl*)(void *,_SECURITY_OPERATION_CODE,unsigned long *,void *,unsigned long *,void * *,_POOL_TYPE,_GENERIC_MAPPING *,char)]
[+0x060] QueryNameProcedure : 0x0 : 0x0 [Type: long (__cdecl*)(void *,unsigned char,_OBJECT_NAME_INFORMATION *,unsigned long,unsigned long *,char)]
[+0x068] OkayToCloseProcedure : 0x0 : 0x0 [Type: unsigned char (__cdecl*)(_EPROCESS *,void *,void *,char)]
其中的OpenProcedure、CloseProcedure、DeleteProcedure都有相应的值。
3、相应函数的可能原型
3.1 XP x32位
以下原型参考微软泄露的源码和ReactOS整理得到:
3.1.1 DumpProcedure
// Control block handed to a type's DumpProcedure (slot +0x02c in 2.1.1). Stream and
// Detail are the two fields given by the source the author cites; their meaning is
// not established on this page.
typedef struct _OBJECT_DUMP_CONTROL { PVOID Stream; ULONG Detail; } OB_DUMP_CONTROL, *POB_DUMP_CONTROL;
// DumpProcedure slot (+0x02c). Matches the debugger type in 2.1.2,
// void (*)(void *, _OBJECT_DUMP_CONTROL *); the XP Process type leaves it 0x0.
typedef VOID (*OB_DUMP_METHOD)(
IN PVOID Object,                       // object body being dumped
IN POB_DUMP_CONTROL Control OPTIONAL   // may be NULL
);
3.1.2 OpenProcedure
// OpenProcedure slot (+0x030); the XP Process type in 2.1.2 leaves it 0x0.
// Debugger type there: long (*)(_OB_OPEN_REASON, _EPROCESS *, void *, unsigned long,
// unsigned long), which this declaration matches parameter for parameter.
// NOTE(review): no calling convention is declared. On x86 the kernel's object
// methods are stdcall (ReactOS declares these typedefs with NTAPI); a hook that
// replaces this slot should declare NTAPI so the callee cleans the stack the way
// the object manager expects. Not an issue on x64, which has one convention.
typedef NTSTATUS (*OB_OPEN_METHOD)(
IN OB_OPEN_REASON OpenReason,    // reason code for the open
IN PEPROCESS Process OPTIONAL,   // opening process, may be NULL
IN PVOID Object,                 // object body
IN ACCESS_MASK GrantedAccess,    // by value here; the x64 variant passes a pointer
IN ULONG HandleCount
);
3.1.3 CloseProcedure
// CloseProcedure slot (+0x034); 0x0 for the XP Process type in 2.1.2.
// Debugger type there: void (*)(_EPROCESS *, void *, unsigned long, unsigned long,
// unsigned long) — five parameters, matching this declaration. The Win7 x64
// variant in 3.2.3 has only four, so the two must not be mixed up.
// NOTE(review): no calling convention is declared; see the stdcall/NTAPI remark
// that applies to every x86 object method in this section.
typedef VOID (*OB_CLOSE_METHOD)(
IN PEPROCESS Process OPTIONAL,   // closing process, may be NULL
IN PVOID Object,                 // object body
IN ACCESS_MASK GrantedAccess,
IN ULONG ProcessHandleCount,
IN ULONG SystemHandleCount
);
3.1.4 DeleteProcedure
// DeleteProcedure slot (+0x038). For the XP Process type 2.1.2 shows 0x805d263a with
// debugger type void (*)(void *), i.e. exactly this declaration.
typedef VOID (*OB_DELETE_METHOD)(
IN PVOID Object   // object body being deleted
);
3.1.5 ParseProcedure
// ParseProcedure slot (+0x03c); 0x0 for the XP Process type in 2.1.2.
// Debugger type there: long (*)(void *, void *, _ACCESS_STATE *, char, unsigned long,
// _UNICODE_STRING *, _UNICODE_STRING *, void *, _SECURITY_QUALITY_OF_SERVICE *,
// void * *) — ten parameters, matching this declaration (KPROCESSOR_MODE is the
// `char`). The x64 variant in 3.2.5 types the second parameter as POBJECT_TYPE.
// NOTE(review): no calling convention is declared; on x86 the kernel's object
// methods are stdcall (ReactOS uses NTAPI here), which matters for a replacement hook.
typedef NTSTATUS (*OB_PARSE_METHOD)(
IN PVOID ParseObject,
IN PVOID ObjectType,
IN OUT PACCESS_STATE AccessState,
IN KPROCESSOR_MODE AccessMode,                    // shown as `char` by the debugger
IN ULONG Attributes,
IN OUT PUNICODE_STRING CompleteName,
IN OUT PUNICODE_STRING RemainingName,
IN OUT PVOID Context OPTIONAL,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
OUT PVOID *Object                                 // receives the resolved object
);
3.1.6 SecurityProcedure
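// SecurityProcedure slot (+0x040); for the XP Process type it holds 0x805f9a74 (2.1.2).
// The debugger type printed there is
//   long (*)(void *, _SECURITY_OPERATION_CODE, unsigned long *, void *, unsigned long *,
//            void * *, _POOL_TYPE, _GENERIC_MAPPING *, char)
// — nine parameters. The earlier declaration stopped at GenericMapping, so a hook
// built from it would be invoked with one argument more than it declares; the
// trailing CHAR is added here, named Flag as in the Win7 x64 declaration in 3.2.6.
// NOTE(review): no calling convention is declared; on x86 the kernel's object methods
// are stdcall (ReactOS declares these with NTAPI), and under stdcall an argument-count
// mismatch also unbalances the stack on return.
typedef NTSTATUS (*OB_SECURITY_METHOD)(
IN PVOID Object,                                   // object body
IN SECURITY_OPERATION_CODE OperationCode,          // requested security operation
IN PSECURITY_INFORMATION SecurityInformation,
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN OUT PULONG CapturedLength,
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
IN POOL_TYPE PoolType,
IN PGENERIC_MAPPING GenericMapping,
IN CHAR Flag                                       // shown as `char` by the debugger; meaning not established on this page
);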
3.1.7 QueryNameProcedure
// QueryNameProcedure slot (+0x044); 0x0 for the XP Process type in 2.1.2.
// Debugger type there: long (*)(void *, unsigned char, _OBJECT_NAME_INFORMATION *,
// unsigned long, unsigned long *) — five parameters, matching this declaration.
// The x64 variant in 3.2.7 appends a sixth CHAR parameter.
typedef NTSTATUS (*OB_QUERYNAME_METHOD)(
IN PVOID Object,
IN BOOLEAN HasObjectName,
OUT POBJECT_NAME_INFORMATION ObjectNameInfo,   // caller-supplied buffer
IN ULONG Length,                               // size of that buffer
OUT PULONG ReturnLength
);
3.1.8 OkayToCloseProcedure
// OkayToCloseProcedure slot (+0x048); 0x0 for the XP Process type in 2.1.2.
// Debugger type there: unsigned char (*)(_EPROCESS *, void *, void *, char), which
// this declaration matches (HANDLE is the void *, KPROCESSOR_MODE the char).
typedef BOOLEAN (*OB_OKAYTOCLOSE_METHOD)(
IN PEPROCESS Process OPTIONAL,   // closing process, may be NULL
IN PVOID Object,                 // object body
IN HANDLE Handle,                // handle about to be closed
IN KPROCESSOR_MODE PreviousMode
);
3.2 Win7 x64及以上
参考XP源代码,并结合2.2.2节最后WinDbg调试显示的结果:
3.2.1 DumpProcedure
// Control block handed to a type's DumpProcedure (slot +0x030 in 2.2.1); identical to
// the XP definition in 3.1.1. Field meanings are not established on this page.
typedef struct _OBJECT_DUMP_CONTROL { PVOID Stream; ULONG Detail; } OB_DUMP_CONTROL, *POB_DUMP_CONTROL;
// DumpProcedure slot (+0x030). Matches the Win7 x64 debugger type in 2.2.2,
// void (*)(void *, _OBJECT_DUMP_CONTROL *); 0x0 for the Process type.
typedef VOID (*OB_DUMP_METHOD)(
IN PVOID Object,                       // object body being dumped
IN POB_DUMP_CONTROL Control OPTIONAL   // may be NULL
);
3.2.2 OpenProcedure
// OpenProcedure slot (+0x038); for the Win7 x64 Process type it points at
// ntkrnlmp!PspProcessOpen (2.2.2). Debugger type there:
// long (*)(_OB_OPEN_REASON, char, _EPROCESS *, void *, unsigned long *, unsigned long),
// which this declaration matches. Compared with XP (3.1.2) a CHAR is inserted as the
// second parameter and GrantedAccess is passed by pointer (hence IN OUT).
typedef NTSTATUS (*OB_OPEN_METHOD)(
IN OB_OPEN_REASON OpenReason,        // reason code for the open
IN CHAR Flag,                        // shown as `char` by the debugger; meaning not established on this page
IN PEPROCESS Process OPTIONAL,       // opening process, may be NULL
IN PVOID Object,                     // object body
IN OUT PACCESS_MASK GrantedAccess,   // pointer per debugger (unsigned long *)
IN ULONG HandleCount
);
3.2.3 CloseProcedure
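// CloseProcedure slot (+0x040); for the Win7 x64 Process type it points at
// ntkrnlmp!PspProcessClose (2.2.2). The debugger type there is
//   void (*)(_EPROCESS *, void *, unsigned __int64, unsigned __int64)
// The third parameter is a plain 64-bit integer, not a pointer, so the earlier
// `IN OUT PACCESS_MASK GrantedAccess` would lead a hook to dereference a small
// integer. Both trailing parameters are declared here with the width the debugger
// shows. Note the XP variant (3.1.3) carries three trailing values; this one
// carries two. The parameter names are the author's and are not established by the
// debugger output — TODO confirm their meaning against the kernel source before
// reading either value.
typedef VOID (*OB_CLOSE_METHOD)(
IN PEPROCESS Process OPTIONAL,       // closing process, may be NULL
IN PVOID Object,                     // object body
IN ULONGLONG GrantedAccess,          // unsigned __int64 per debugger; name unverified
IN ULONGLONG ReferenceHandleCount    // unsigned __int64 per debugger; name unverified
);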
3.2.4 DeleteProcedure
// DeleteProcedure slot (+0x048). For the Win7 x64 Process type 2.2.2 shows
// ntkrnlmp!PspProcessDelete with debugger type void (*)(void *), i.e. this declaration.
typedef VOID (*OB_DELETE_METHOD)(
IN PVOID Object   // object body being deleted
);
3.2.5 ParseProcedure
// ParseProcedure slot (+0x050); 0x0 for the Win7 x64 Process type in 2.2.2.
// Debugger type there: long (*)(void *, void *, _ACCESS_STATE *, char, unsigned long,
// _UNICODE_STRING *, _UNICODE_STRING *, void *, _SECURITY_QUALITY_OF_SERVICE *,
// void * *) — ten parameters, matching this declaration. The fourth parameter is
// named Flag here but AccessMode (KPROCESSOR_MODE) in the XP declaration in 3.1.5;
// the debugger only shows it as `char`.
typedef NTSTATUS (*OB_PARSE_METHOD)(
IN PVOID ParseObject,
IN POBJECT_TYPE ObjectType,                       // PVOID in the XP declaration
IN OUT PACCESS_STATE AccessState,
IN CHAR Flag,                                     // shown as `char` by the debugger
IN ULONG Attributes,
IN OUT PUNICODE_STRING CompleteName,
IN OUT PUNICODE_STRING RemainingName,
IN OUT PVOID Context OPTIONAL,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
OUT PVOID *Object                                 // receives the resolved object
);
3.2.6 SecurityProcedure
// SecurityProcedure slot (+0x058); for the Win7 x64 Process type it points at
// ntkrnlmp!SeDefaultObjectMethod (2.2.2). Debugger type there:
// long (*)(void *, _SECURITY_OPERATION_CODE, unsigned long *, void *, unsigned long *,
// void * *, _POOL_TYPE, _GENERIC_MAPPING *, char) — nine parameters, matching this
// declaration including the trailing CHAR.
typedef NTSTATUS (*OB_SECURITY_METHOD)(
IN PVOID Object,                                   // object body
IN SECURITY_OPERATION_CODE OperationCode,          // requested security operation
IN PSECURITY_INFORMATION SecurityInformation,
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN OUT PULONG CapturedLength,
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
IN POOL_TYPE PoolType,
IN PGENERIC_MAPPING GenericMapping,
IN CHAR Flag                                       // shown as `char` by the debugger; meaning not established on this page
);
3.2.7 QueryNameProcedure
// QueryNameProcedure slot (+0x060); 0x0 for the Win7 x64 Process type in 2.2.2.
// Debugger type there: long (*)(void *, unsigned char, _OBJECT_NAME_INFORMATION *,
// unsigned long, unsigned long *, char) — six parameters, matching this declaration;
// the trailing CHAR is absent from the XP variant in 3.1.7.
typedef NTSTATUS (*OB_QUERYNAME_METHOD)(
IN PVOID Object,
IN BOOLEAN HasObjectName,
OUT POBJECT_NAME_INFORMATION ObjectNameInfo,   // caller-supplied buffer
IN ULONG Length,                               // size of that buffer
OUT PULONG ReturnLength,
IN CHAR Flag                                   // shown as `char` by the debugger; meaning not established on this page
);
3.2.8 OkayToCloseProcedure
// OkayToCloseProcedure slot (+0x068); 0x0 for the Win7 x64 Process type in 2.2.2.
// Debugger type there: unsigned char (*)(_EPROCESS *, void *, void *, char), which
// this declaration matches (HANDLE is the void *, KPROCESSOR_MODE the char) and
// which is unchanged from XP (3.1.8).
typedef BOOLEAN (*OB_OKAYTOCLOSE_METHOD)(
IN PEPROCESS Process OPTIONAL,   // closing process, may be NULL
IN PVOID Object,                 // object body
IN HANDLE Handle,                // handle about to be closed
IN KPROCESSOR_MODE PreviousMode
);