玩了下windbg插件

最近在做一些自动化分析 dump 的东西，用 windbg 插件实现。下面是一个取得 object 的例子，mark 一下。

放到 WinDDK\7600.16385.1\Debuggers\sdk\samples\exts 下编译。

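ULONG64 __stdcall FindObjectByName(char* szObjectName, ULONG64 ulRoot)
{
    /*
     * Resolve an object-manager path (e.g. "\Device\Foo") to the address of
     * the named object by walking the nt!_OBJECT_DIRECTORY hash table and
     * recursing into sub-directories.
     *
     * szObjectName: path relative to ulRoot. MODIFIED IN PLACE: the backslash
     *               that ends the first component is overwritten with NUL so
     *               that component can be compared directly; callers that
     *               need the string afterwards must pass a copy.
     * ulRoot:       address of the nt!_OBJECT_DIRECTORY to search. 0 means
     *               start at the root directory, in which case one leading
     *               backslash is skipped.
     * Returns the object address, or 0 when the path is not found, the user
     * pressed Ctrl-C, or a symbol/memory read needed for the walk fails.
     *
     * Hash table layout:
     *
     * kd> dt _OBJECT_DIRECTORY
     * nt!_OBJECT_DIRECTORY
     * +0x000 HashBuckets : [37] Ptr32 _OBJECT_DIRECTORY_ENTRY
     * +0x094 Lock : _EX_PUSH_LOCK
     * +0x098 DeviceMap : Ptr32 _DEVICE_MAP
     * +0x09c SessionId : Uint4B
     * +0x0a0 Reserved : Uint2B
     * +0x0a2 SymbolicLinkUsageCount : Uint2B
     *
     * nt!_OBJECT_DIRECTORY_ENTRY
     * +0x000 ChainLink : Ptr32 _OBJECT_DIRECTORY_ENTRY
     * +0x004 Object : Ptr32 Void
     */

    /* Upper bound on entries followed in one bucket chain. The list comes
       from a dump that may be corrupted (or cyclic); without a bound the
       walk would only stop on Ctrl-C. The value is far above any healthy
       bucket population. */
    enum { MAX_CHAIN_HOPS = 1 << 20 };

    if (!szObjectName)
        return 0;

    if (!ulRoot)
    {
        /* Default: start at the root directory. */
        if (!FetchRootDirectoryObjectValue(&ulRoot))
            return 0;

        /* An absolute path starts with '\'; skip it. */
        if (szObjectName[0] == '\\')
            ++szObjectName;
    }

    /* Address of the directory object type: an entry may only be descended
       into when its type matches this. The original read this without
       checking, leaving ulObjDirType uninitialized on failure. */
    ULONG64 ulpObjType = GetExpression("nt!ObpDirectoryObjectType");
    ULONG64 ulObjDirType = 0;
    if (!ulpObjType || !ReadPointer(ulpObjType, &ulObjDirType))
    {
        dprintf("Cannot read nt!ObpDirectoryObjectType.\n");
        return 0;
    }

    /* Split "aaa\bbb" into the component to match here ("aaa") and the
       remainder ("bbb") handed to the recursive call. */
    char* szObjNameNextToFind = strchr(szObjectName, '\\');
    if (szObjNameNextToFind)
    {
        *szObjNameNextToFind = '\0';
        ++szObjNameNextToFind;
    }

    ULONG ulOffsetHashBucket = 0;
    if (S_OK != GetFieldOffset("nt!_OBJECT_DIRECTORY", "HashBuckets", &ulOffsetHashBucket))
    {
        dprintf("Cannot find _OBJECT_DIRECTORY type.\n");
        return 0;
    }

    ULONG64 HashBucketsArray = ulRoot + ulOffsetHashBucket;
    ULONG pointerSize = IsPtr64() ? 8 : 4;   /* HashBuckets is an array of target pointers */

    for (int j = 0; j < HASH_BUCKETS; ++j)
    {
        /* Head of the singly linked chain hanging off this bucket. */
        ULONG64 ulObjDirEntry = 0;
        if (!ReadPointer(HashBucketsArray + pointerSize * j, &ulObjDirEntry))
            continue;

        int hops = 0;
        while (ulObjDirEntry)
        {
            if (++hops > MAX_CHAIN_HOPS)
            {
                dprintf("Bucket %d: chain longer than %d entries, giving up (corrupted list?).\n",
                        j, (int)MAX_CHAIN_HOPS);
                break;
            }

            /* GetFieldValue is the wdbgexts macro that takes the output lvalue, not its address. */
            ULONG64 ulObj = 0;
            if (S_OK != GetFieldValue(ulObjDirEntry, "nt!_OBJECT_DIRECTORY_ENTRY", "Object", ulObj))
                break;

            /* Honour Ctrl-C: large directories are slow to walk on a remote target. */
            if (ExtensionApis.lpCheckControlCRoutine())
                return 0;

            char szName[260] = { 0 };
            ULONG64 ulObjType = 0;
            if (GetObjectInfo(ulObj, &ulObjType, szName)
                && _stricmp(szName, szObjectName) == 0)
            {
                if (!szObjNameNextToFind)
                    return ulObj;   /* last component: this is the object */

                /* Only a directory can contain the remaining components.
                   Compared as 32-bit values as in the original, presumably
                   because the two reads sign-extend 32-bit pointers
                   differently; on a 64-bit target this compares only the low
                   half — TODO confirm and widen if possible. */
                if ((ULONG)ulObjType == (ULONG)ulObjDirType)
                {
                    ULONG64 ulRet = FindObjectByName(szObjNameNextToFind, ulObj);
                    if (ulRet)
                        return ulRet;
                }
            }

            /* Advance along the chain; an unreadable link ends this bucket. */
            ULONG64 ulObjDirEntryNext = 0;
            if (S_OK != GetFieldValue(ulObjDirEntry, "nt!_OBJECT_DIRECTORY_ENTRY", "ChainLink", ulObjDirEntryNext))
                break;
            ulObjDirEntry = ulObjDirEntryNext;
        }
    }

    return 0;
}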
