内容摘要:本文介绍ObjectType HOOK干涉注册表操作,它会调用ObpLookupObjectByName来打开一个对象。
来看ObOpenObjectByName,它会调用ObpLookupObjectByName来打开一个对象。
对象头(object_header)有一个object type结构,object type结构里有一个TypeInfo,结构是OBJECT_TYPE_INITIALIZER
typedefstruct_OBJECT_TYPE_INITIALIZER{
USHORTLength;
BOOLEANUseDefaultObject;
BOOLEANCaseInsensitive;
ULONGInvalidAttributes;
GENERIC_MAPPINGGenericMapping;
ULONGValidAccessMask;
BOOLEANSecurityRequired;
BOOLEANMaintainHandleCount;
BOOLEANMaintainTypeList;
POOL_TYPEPoolType;
ULONGDefaultPagedPoolCharge;
ULONGDefaultNonPagedPoolCharge;
PVOIDDumpProcedure;
PVOIDOpenProcedure;
PVOIDCloseProcedure;
PVOIDDeleteProcedure;
PVOIDParseProcedure;
PVOIDSecurityProcedure;
PVOIDQueryNameProcedure;
PVOIDOkayToCloseProcedure;
}OBJECT_TYPE_INITIALIZER,*POBJECT_TYPE_INITIALIZER;
OBJECT_TYPE_INITIALIZER 结构中一个指针ParseProcedure就是用来实现这类对象的打开的
OBJECT_TYPE_INITIALIZER 中类似的有:
DumpProcedure;OpenProcedure;CloseProcedure;DeleteProcedure;ParseProcedure;SecurityProcedure;QueryNameProcedure;OkayToCloseProcedure;
分别对应着对象的删除、lookup、获取名字等的例程,一般对象不是所有的routine都有。
这些都是在ObCreateObjectType(系统启动时)填充的。
例如KeyObject的TypeInfo:
来源:豆豆网转载 作者:mj0011 责编:豆豆技术应用