WIN10进程句柄表调试

Debug X64模式控制台程序:

#include <iostream>
#include <Windows.h>


int main()
{
    HANDLE tmp;
    HWND h = FindWindowA("CalcFrame", "计算器");
    DWORD pid = 0;
    if (!h)
    {
        MessageBoxA(0, "请打开计算器", 0, 0);
        return -1;
    }
    GetWindowThreadProcessId(h, &pid);
    for (int i = 0; i < 20; i++)
    {
        tmp = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);
        std::cout << tmp << std::endl;
        __debugbreak();
    }
    __debugbreak();
    tmp = OpenProcess(PROCESS_CREATE_THREAD, TRUE, pid);
    SetHandleInformation(tmp, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
    getchar();
    return 0;
}

 WinDbg双机调试,在虚拟机里运行控制台程序Win10X64Handle.exe

 

kd>!process 0 0

 

kd>dt _EPROCESS ffff85035d97b080

 kd>dt _HANDLE_TABLE 0xffffbc8e`3189f380

TableCode后两位为0,TableCode就是指向句柄表第一个句柄表项

HANDLE_TABLE_ENTRY[NULL句柄表项]的指针.

HANDLE_TABLE_ENTRY结构体16字节

PEPROCESS = [TableCode+(句柄/4)*0x10]>>0x10&FFFFFFFFFFFFFFF0+0x30

 第一个句柄为D0,  D0/4*0x10=0x340

 85035d33`10500001>>0x10&FFFFFFFFFFFFFFF0 = FFFF85035D331050 指向对象头OBJECT_HEADER

 真正的内核对象保存在OBJECT_HEADER+0x030 Body中

dt _Eprocess FFFF85035D331050+0x30

 

--------------------------------------------------------------------------------------------------