我尝试在 windbg 中提取 notepad.exe 的对象类型,但 nt!_object_type 将其显示为 Desktop 对象而不是 Process 对象。
知道为什么会这样吗?
4: kd> !process 0 0 notepad.exe
PROCESS ffffc80bc92d7080
SessionId: 1 Cid: 07c0 Peb: 4c99481000 ParentCid: 2b48
DirBase: 147205000 ObjectTable: ffffa30d80327d40 HandleCount: 233.
Image: notepad.exe
4: kd> !object ffffc80bc92d7080
Object: ffffc80bc92d7080 Type: (ffffc80bb02a9220) Process
ObjectHeader: ffffc80bc92d7050 (new version)
HandleCount: 6 PointerCount: 196490
4: kd> ?? (nt!_object_header*)0xffffc80bc92d7050
struct _OBJECT_HEADER * 0xffffc80b`c92d7050
+0x000 PointerCount : 0n196490
+0x008 HandleCount : 0n6
+0x008 NextToFree : 0x00000000`00000006 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : 0x19 ''
+0x019 TraceFlags : 0 ''
+0x019 DbgRefTrace : 0y0
+0x019 DbgTracePermanent : 0y0
+0x01a InfoMask : 0x88 ''
+0x01b Flags : 0 ''
+0x01b NewObject : 0y0
+0x01b KernelObject : 0y0
+0x01b KernelOnlyAccess : 0y0
+0x01b ExclusiveObject : 0y0
+0x01b PermanentObject : 0y0
+0x01b DefaultSecurityQuota : 0y0
+0x01b SingleHandleEntry : 0y0
+0x01b DeletedInline : 0y0
+0x01c Reserved : 0
+0x020 ObjectCreateInfo : 0xffffc80b`ba32dc40 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : 0xffffc80b`ba32dc40 Void
+0x028 SecurityDescriptor : 0xffffa30d`7cd0d369 Void
+0x030 Body : _QUAD
4: kd> ?? ((nt!_object_header*)0xffffc80bc92d7050)->TypeIndex
unsigned char 0x19 ''
4: kd> ?? ((nt!_object_type**)@@(nt!ObTypeIndexTable))[((nt!_object_header*)0xffffc80bc92d7050)->TypeIndex]
struct _OBJECT_TYPE * 0xffffc80b`b02d3980
+0x000 TypeList : _LIST_ENTRY [ 0xffffc80b`b02d3980 - 0xffffc80b`b02d3980 ]
+0x010 Name : _UNICODE_STRING "Desktop"
+0x020 DefaultObject : (null)
+0x028 Index : 0x19 ''
+0x02c TotalNumberOfObjects : 0xc
+0x030 TotalNumberOfHandles : 0xf7
+0x034 HighWaterNumberOfObjects : 0xd
+0x038 HighWaterNumberOfHandles : 0xff
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x6b736544
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffc80b`b02d3a48 - 0xffffc80b`b02d3a48 ]