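ObjectType HOOK: Interfering with Registry Operations
2008-02-26 09:23:07 Source: WEB开发网
Consider ObOpenObjectByName: it calls ObpLookupObjectByName to open an object.
The object header (object_header) points to an object type structure, and the object type structure contains a TypeInfo member whose type is OBJECT_TYPE_INITIALIZER: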
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
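The ParseProcedure pointer in the OBJECT_TYPE_INITIALIZER structure is what implements opening objects of this type.
OBJECT_TYPE_INITIALIZER contains several similar pointers:
DumpProcedure, OpenProcedure, CloseProcedure, DeleteProcedure, ParseProcedure, SecurityProcedure, QueryNameProcedure, OkayToCloseProcedure
They correspond to the routines for deleting an object, lookup, querying its name, and so on. Most object types do not implement every routine.
All of them are filled in by ObCreateObjectType (at system startup).
For example, the TypeInfo of KeyObject: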
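Because these pointers are set once at startup, a defender can audit them afterwards. The following is an added example, not code from the original article: a user-mode model that flags any non-NULL procedure slot pointing outside the expected kernel image range. The TYPE_PROCS type, the function name and all addresses are hypothetical, constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Slot order follows the procedure members of OBJECT_TYPE_INITIALIZER. */
enum { SLOT_DUMP, SLOT_OPEN, SLOT_CLOSE, SLOT_DELETE, SLOT_PARSE,
       SLOT_SECURITY, SLOT_QUERYNAME, SLOT_OKAYTOCLOSE, SLOT_COUNT };

static const char *const slot_names[SLOT_COUNT] = {
    "DumpProcedure", "OpenProcedure", "CloseProcedure", "DeleteProcedure",
    "ParseProcedure", "SecurityProcedure", "QueryNameProcedure",
    "OkayToCloseProcedure"
};

/* Hypothetical model: the eight pointers held as plain integers. */
typedef struct { uintptr_t slot[SLOT_COUNT]; } TYPE_PROCS;

/* Returns a bitmask with bit i set when slot i is non-NULL and lies outside
   [base, base + size). NULL slots are normal: not every type has every routine. */
unsigned audit_type_procs(const TYPE_PROCS *p, uintptr_t base, uintptr_t size)
{
    unsigned suspicious = 0;
    for (unsigned i = 0; i < SLOT_COUNT; i++) {
        uintptr_t addr = p->slot[i];
        if (addr == 0)
            continue;                         /* routine not implemented */
        if (addr < base || addr - base >= size)
            suspicious |= 1u << i;            /* points outside the image */
    }
    return suspicious;
}

int main(void)
{
    /* Constructed sample: image range and slot values are made up. */
    const uintptr_t base = 0x80400000u, size = 0x00200000u;
    TYPE_PROCS t = {{0}};
    t.slot[SLOT_CLOSE]     = 0x80451000u;
    t.slot[SLOT_DELETE]    = 0x80452000u;
    t.slot[SLOT_QUERYNAME] = 0x80453000u;
    t.slot[SLOT_PARSE]     = 0xF8A01000u;     /* outside the image range */

    unsigned mask = audit_type_procs(&t, base, size);
    for (unsigned i = 0; i < SLOT_COUNT; i++)
        if (mask & (1u << i))
            printf("suspicious %s = 0x%lx\n", slot_names[i],
                   (unsigned long)t.slot[i]);
    return 0;
}
```

A pointer inside the image range only shows the slot itself was not redirected; it says nothing about changes to the code the pointer refers to.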
Editor: 爽爽