第一部分:
NTSTATUS
RtlLookupAtomInAtomTable(
IN PVOID AtomTableHandle,
IN PWSTR AtomName,
OUT PRTL_ATOM Atom OPTIONAL
)
{
NTSTATUS Status;
PRTL_ATOM_TABLE p = (PRTL_ATOM_TABLE)AtomTableHandle;
PRTL_ATOM_TABLE_ENTRY a;
RTL_ATOM Temp;
RTL_PAGED_CODE();
if (!RtlpLockAtomTable( p )) {
return STATUS_INVALID_PARAMETER;
}
try {
if (RtlpGetIntegerAtom( AtomName, &Temp )) {
if (Temp >= RTL_ATOM_MAXIMUM_INTEGER_ATOM) {
Temp = RTL_ATOM_INVALID_ATOM;
Status = STATUS_INVALID_PARAMETER;
}
else {
Status = STATUS_SUCCESS;
}
if (ARGUMENT_PRESENT( Atom )) {
*Atom = Temp;
}
}
else
if (*AtomName == UNICODE_NULL) {
Status = STATUS_OBJECT_NAME_INVALID;
}
else {
a = RtlpHashStringToAtom( p, AtomName, NULL, NULL ); //关键地方
if (a == NULL) {
Status = STATUS_OBJECT_NAME_NOT_FOUND;
}
else {
if (RtlpAtomMapAtomToHandleEntry( p, (ULONG)a->HandleIndex ) != NULL) { //关键地方
Status = STATUS_SUCCESS;
if (ARGUMENT_PRESENT( Atom )) {
*Atom = a->Atom;
}
}
else {
Status = STATUS_INVALID_HANDLE;
}
}
}
}
except (EXCEPTION_EXECUTE_HANDLER) {
Status = GetExceptionCode();
}
RtlpUnlockAtomTable( p );
return Status;
}
第二部分:AtomTable->ExHandleTable说明原子表也是个句柄表
PRTL_ATOM_TABLE_ENTRY
RtlpAtomMapAtomToHandleEntry(
IN PRTL_ATOM_TABLE AtomTable,
IN ULONG HandleIndex
)
{
#if defined(NTOS_KERNEL_RUNTIME)
PHANDLE_TABLE_ENTRY ExHandleEntry;
PRTL_ATOM_TABLE_ENTRY a;
EXHANDLE ExHandle;
ExHandle.GenericHandleOverlay = 0;
ExHandle.Index = HandleIndex;
ExHandleEntry = ExMapHandleToPointer( AtomTable->ExHandleTable,
ExHandle.GenericHandleOverlay
);
typedef struct _EXHANDLE {
union {
struct {
//
// Application available tag bits
//
ULONG TagBits : 2;
//
// The handle table entry index
//
ULONG Index : 30;
};
HANDLE GenericHandleOverlay;
#define HANDLE_VALUE_INC 4 // Amount to increment the Value to get to the next handle
ULONG_PTR Value;
};
} EXHANDLE, *PEXHANDLE;
1: kd> t
nt!RtlLookupAtomInAtomTable+0xc9:
80d51ca1 e862f6ffff call nt!RtlpAtomMapAtomToHandleEntry (80d51308)
1: kd> t
nt!RtlpAtomMapAtomToHandleEntry:
80d51308 55 push ebp
1: kd> dv
AtomTable = 0xe13d6010
HandleIndex = 0x1f
第三部分:
NTKERNELAPI
PHANDLE_TABLE_ENTRY
ExMapHandleToPointer (
IN PHANDLE_TABLE HandleTable,
IN HANDLE Handle
)
{
EXHANDLE LocalHandle;
PHANDLE_TABLE_ENTRY HandleTableEntry;
PAGED_CODE();
LocalHandle.GenericHandleOverlay = Handle;
if ((LocalHandle.Index & (LOWLEVEL_COUNT - 1)) == 0) {
return NULL;
}
//
// Translate the input handle to a handle table entry and make
// sure it is a valid handle.
//
HandleTableEntry = ExpLookupHandleTableEntry( HandleTable,
LocalHandle );
1: kd> t
nt!RtlpAtomMapAtomToHandleEntry+0x11:
80d51319 e89e030600 call nt!ExMapHandleToPointer (80db16bc)
1: kd> t
nt!ExMapHandleToPointer:
80db16bc 55 push ebp
1: kd> dv
HandleTable = 0xe140afb8
Handle = 0x0000007c
第四部分:
PHANDLE_TABLE_ENTRY
ExpLookupHandleTableEntry (
IN PHANDLE_TABLE HandleTable,
IN EXHANDLE tHandle
)
1: kd> dv
HandleTable = 0xe140afb8
tHandle = struct _EXHANDLE
1: kd> dx -r1 ((ntkrnlmp!_HANDLE_TABLE *)0xe140afb8)
((ntkrnlmp!_HANDLE_TABLE *)0xe140afb8) : 0xe140afb8 [Type: _HANDLE_TABLE *]
[+0x000] TableCode : 0xe140d000 [Type: unsigned long]
[+0x004] QuotaProcess : 0x0 [Type: _EPROCESS *]
[+0x008] UniqueProcessId : 0x1cc [Type: void *]
[+0x00c] HandleTableLock [Type: _EX_PUSH_LOCK [4]]
[+0x01c] HandleTableList [Type: _LIST_ENTRY]
[+0x024] HandleContentionEvent [Type: _EX_PUSH_LOCK]
[+0x028] DebugInfo : 0x0 [Type: _HANDLE_TRACE_DEBUG_INFO *]
[+0x02c] ExtraInfoPages : 0 [Type: long]
[+0x030] FirstFree : 0x90 [Type: unsigned long]
[+0x034] LastFree : 0x0 [Type: unsigned long]
[+0x038] NextHandleNeedingPool : 0x800 [Type: unsigned long]
[+0x03c] HandleCount : 35 [Type: long] //一共35个句柄0x23
[+0x040] Flags : 0x0 [Type: unsigned long]
[+0x040 ( 0: 0)] StrictFIFO : 0x0 [Type: unsigned char]
1: kd> dv
HandleTable = 0xe140afb8
tHandle = struct _EXHANDLE
1: kd> dx -r1 (*((ntkrnlmp!_EXHANDLE *)0xb9f32678))
(*((ntkrnlmp!_EXHANDLE *)0xb9f32678)) [Type: _EXHANDLE]
[+0x000 ( 1: 0)] TagBits : 0x0 [Type: unsigned long]
[+0x000 (31: 2)] Index : 0x1f [Type: unsigned long]
[+0x000] GenericHandleOverlay : 0x7c [Type: void *]
[+0x000] Value : 0x7c [Type: unsigned long]
1: kd> dt HANDLE_TABLE_ENTRY 0xe140d000
ntdll!HANDLE_TABLE_ENTRY
+0x000 Object : (null)
+0x000 ObAttributes : 0
+0x000 InfoTable : (null)
+0x000 Value : 0
+0x004 GrantedAccess : 0xfffffffe
+0x004 GrantedAccessIndex : 0xfffe
+0x006 CreatorBackTraceIndex : 0xffff
+0x004 NextFreeTableEntry : 0n-2
1: kd> dt HANDLE_TABLE_ENTRY 0xe140d000+8*1f
ntdll!HANDLE_TABLE_ENTRY
+0x000 Object : 0xe194ebd1 Void
+0x000 ObAttributes : 0xe194ebd1
+0x000 InfoTable : 0xe194ebd1 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : 0xe194ebd1
+0x004 GrantedAccess : 0
+0x004 GrantedAccessIndex : 0
+0x006 CreatorBackTraceIndex : 0
+0x004 NextFreeTableEntry : 0n0
第五部分: +0x000 Value : 0xe194ebd1 转换为ntdll!_RTL_ATOM_TABLE_ENTRY结构
1: kd> dt ntdll!_RTL_ATOM_TABLE_ENTRY 0xe194ebd0
+0x000 HashLink : (null)
+0x004 HandleIndex : 0x1f
+0x006 Atom : 0xc01f
+0x008 ReferenceCount : 1
+0x00a Flags : 0 ''
+0x00b NameLength : 0x14 ''
+0x00c Name : [1] 0x43
1: kd> dx -id 0,0,896d1020 -r1 (*((ntdll!unsigned short (*)[1])0xe194ebdc))
(*((ntdll!unsigned short (*)[1])0xe194ebdc)) [Type: unsigned short [1]]
[0] : 0x43 [Type: unsigned short]
1: kd> db 0xe194ebdc
e194ebdc 43 00 41 00 64 00 64 00-72 00 65 00 73 00 73 00 C.A.d.d.r.e.s.s.
e194ebec 43 00 6f 00 6d 00 62 00-6f 00 45 00 78 00 5f 00 C.o.m.b.o.E.x._.
e194ebfc 54 00 68 00 69 00 73 00-00 00 54 89 09 06 09 0c T.h.i.s...T.....
