Windows内核分析——NtCreateDebugObject函数分析

Posted 2020-07-01

第一篇分析Windows内核的文章，主要是加强学习记忆。以后会多写这种笔记，正如猪猪侠所说，所学的知识只有实践并且能够讲出来才能真正实现掌握。

程序来自ReactOS或WRK1.2

资料参考自《Windows内核情景分析》和《Windows 内核设计思想》以及网上文章和视频

NTSTATUS
NtCreateDebugObject (
    OUT PHANDLE DebugObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG Flags
    )
/*++

Routine Description:

    Creates a new debug object that maintains the context for a single debug session. Multiple processes may be
    associated with a single debug object.

Arguments:

    DebugObjectHandle - Pointer to a handle to recive the output objects handle
    DesiredAccess     - Required handle access
    ObjectAttributes  - Standard object attributes structure
    Flags             - Only one flag DEBUG_KILL_ON_CLOSE

Return Value:

    NTSTATUS - Status of call.

--*/
{
    NTSTATUS Status;
    HANDLE Handle;
    KPROCESSOR_MODE PreviousMode;
    PDEBUG_OBJECT DebugObject;

    PAGED_CODE();

    //
    // Get previous processor mode and probe output arguments if necessary.
    // Zero the handle for error paths.
    //

    PreviousMode = KeGetPreviousMode();

    try {
        if (PreviousMode != KernelMode) {
            ProbeForWriteHandle (DebugObjectHandle);
        }
        *DebugObjectHandle = NULL;

    } except (ExSystemExceptionFilter ()) { // If previous mode is kernel then don‘t handle the exception
        return GetExceptionCode ();
    }

    if (Flags & ~DEBUG_KILL_ON_CLOSE) {
        return STATUS_INVALID_PARAMETER;
    }

    //
    // Create a new debug object and initialize it.
    //

    Status = ObCreateObject (PreviousMode,
                             DbgkDebugObjectType,
                             ObjectAttributes,
                             PreviousMode,
                             NULL,
                             sizeof (DEBUG_OBJECT),
                             0,
                             0,
                             &DebugObject);

    if (!NT_SUCCESS (Status)) {
        return Status;
    }

    ExInitializeFastMutex (&DebugObject->Mutex);
    InitializeListHead (&DebugObject->EventList);
    KeInitializeEvent (&DebugObject->EventsPresent, NotificationEvent, FALSE);

    if (Flags & DEBUG_KILL_ON_CLOSE) {
        DebugObject->Flags = DEBUG_OBJECT_KILL_ON_CLOSE;
    } else {
        DebugObject->Flags = 0;
    }

    //
    // Insert the object into the handle table
    //
    Status = ObInsertObject (DebugObject,
                             NULL,
                             DesiredAccess,
                             0,
                             NULL,
                             &Handle);


    if (!NT_SUCCESS (Status)) {
        return Status;
    }

    try {
        *DebugObjectHandle = Handle;
    } except (ExSystemExceptionFilter ()) {
        //
        // The caller changed the page protection or deleted the memory for the handle.
        // No point closing the handle as process rundown will do that and we don‘t know its still the same handle
        //
        Status = GetExceptionCode ();
    }

    return Status;
}