Windows内核分析——NtCreateDebugObject函数分析
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Windows内核分析——NtCreateDebugObject函数分析相关的知识,希望对你有一定的参考价值。
第一篇分析Windows内核的文章,主要是加强学习记忆。以后会多写这种笔记,正如猪猪侠所说,所学的知识只有实践并且能够讲出来才能真正实现掌握。
程序来自ReactOS或WRK1.2
资料参考自《Windows内核情景分析》和《Windows 内核设计思想》以及网上文章和视频
NTSTATUS
NtCreateDebugObject (
OUT PHANDLE DebugObjectHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG Flags
)
/*++
Routine Description:
Creates a new debug object that maintains the context for a single debug session. Multiple processes may be
associated with a single debug object.
Arguments:
DebugObjectHandle - Pointer to a handle to recive the output objects handle
DesiredAccess - Required handle access
ObjectAttributes - Standard object attributes structure
Flags - Only one flag DEBUG_KILL_ON_CLOSE
Return Value:
NTSTATUS - Status of call.
--*/
{
NTSTATUS Status;
HANDLE Handle;
KPROCESSOR_MODE PreviousMode;
PDEBUG_OBJECT DebugObject;
PAGED_CODE();
//
// Get previous processor mode and probe output arguments if necessary.
// Zero the handle for error paths.
//
PreviousMode = KeGetPreviousMode();
try {
if (PreviousMode != KernelMode) {
ProbeForWriteHandle (DebugObjectHandle);
}
*DebugObjectHandle = NULL;
} except (ExSystemExceptionFilter ()) { // If previous mode is kernel then don‘t handle the exception
return GetExceptionCode ();
}
if (Flags & ~DEBUG_KILL_ON_CLOSE) {
return STATUS_INVALID_PARAMETER;
}
//
// Create a new debug object and initialize it.
//
Status = ObCreateObject (PreviousMode,
DbgkDebugObjectType,
ObjectAttributes,
PreviousMode,
NULL,
sizeof (DEBUG_OBJECT),
0,
0,
&DebugObject);
if (!NT_SUCCESS (Status)) {
return Status;
}
ExInitializeFastMutex (&DebugObject->Mutex);
InitializeListHead (&DebugObject->EventList);
KeInitializeEvent (&DebugObject->EventsPresent, NotificationEvent, FALSE);
if (Flags & DEBUG_KILL_ON_CLOSE) {
DebugObject->Flags = DEBUG_OBJECT_KILL_ON_CLOSE;
} else {
DebugObject->Flags = 0;
}
//
// Insert the object into the handle table
//
Status = ObInsertObject (DebugObject,
NULL,
DesiredAccess,
0,
NULL,
&Handle);
if (!NT_SUCCESS (Status)) {
return Status;
}
try {
*DebugObjectHandle = Handle;
} except (ExSystemExceptionFilter ()) {
//
// The caller changed the page protection or deleted the memory for the handle.
// No point closing the handle as process rundown will do that and we don‘t know its still the same handle
//
Status = GetExceptionCode ();
}
return Status;
}
以上是关于Windows内核分析——NtCreateDebugObject函数分析的主要内容,如果未能解决你的问题,请参考以下文章
windows内核情景分析之—— KeRaiseIrql函数与KeLowerIrql()函数