小我从今天开始在这个版贴点 Win-XP 的跟踪笔记,前辈们不反对吧。^_^省的麻烦所以C的代码就不列了,许多时候汇编比C来的清楚。
简析:ExCreateHandleTable() 和对象管理器以及句柄表的关系很紧密,它的第一次调用位于 ObInitSystem()。目的是初始化System进程的句柄表。nt!ExCreateHandleTable:80603ade 8bff mov edi,edi ; ┓80603ae0 55 push ebp ; ┣ Prologue80603ae1 8bec mov ebp,esp ; ┛80603ae3 53 push ebx ; : HandleTable80603ae4 56 push esi ; : CurrentThread80603ae5 64a124010000 mov eax,dword ptr fs:[00000124h] ; KeGetCurrentThread()80603aeb ff7508 push dword ptr [ebp+8] ; __in_opt struct _EPROCESS *Process80603aee 8bf0 mov esi,eax ; ESI <-+-> CurrentThread80603af0 e867f7ffff call nt!ExpAllocateHandleTable (8060325c) ; 注意参数,C代码(Win-2003)和汇编代码(Win-XP)实现上不一样!80603af5 8bd8 mov ebx,eax ; ┓80603af7 85db test ebx,ebx ; ┣ 函数 ExpAllocateHandleTable() 的返回值判断80603af9 7452 je nt!ExCreateHandleTable+0x6f (80603b4d) ; ┛--------------------------------------------------------------------------------------------80603afb ff8ed4000000 dec dword ptr [esi+0D4h] ; Thread->KernelApcDisable -= 1; [KeEnterCriticalRegionThread -- Macro in ntddk.h]80603b01 57 push edi ; : 申请局部变量80603b02 6a01 push 1 ; (ARG) : Wait80603b04 bf60b55580 mov edi,offset nt!HandleTableListLock (8055b560) ; ┓ (ARG) : Resource80603b09 57 push edi ; ┛80603b0a e825eef2ff call nt!ExAcquireResourceExclusiveLite (80532934) ; 注意这里!{FUN} : ExAcquireResourceExclusiveLite()--------------------------------------------------------------------------------------------80603b0f 8b0d4cb55580 mov ecx,dword ptr [nt!HandleTableListHead+0x4 (8055b54c)] ; ECX <-+-> 链表尾部80603b15 8d431c lea eax,[ebx+1Ch] ; EAX <-+-> [+0x01c] _HANDLE_TABLE.HandleTableList80603b18 894804 mov dword ptr [eax+4],ecx ; [InsertTailList() 操作1] 新插入节点 Blink 域的赋值80603b1b c70048b55580 mov dword ptr [eax],offset nt!HandleTableListHead (8055b548) ; [InsertTailList() 操作2] 新插入节点 Flink 域的赋值80603b21 8901 mov dword ptr [ecx],eax ; [InsertTailList() 操作3] 原来尾节点 Flink 域的赋值80603b23 8bcf mov ecx,edi ; -_-凸 FASTCALL80603b25 a34cb55580 mov dword ptr [nt!HandleTableListHead+0x4 (8055b54c)],eax ; [InsertTailList() 操作4] 链表首节点 Blink 域的赋值--------------------------------------------------------------------------------------------80603b2a e8e1e4f2ff call nt!ExReleaseResourceLite (80532010) ; {FUN} : ExReleaseResourceLite() !FASTCALL!80603b2f ff86d4000000 inc dword ptr [esi+0D4h] ; Thread->KernelApcDisable += 1; [KeLeaveCriticalRegionThread -- ..\WRK1.2\base\ntos\inc\kx.h]80603b35 5f pop edi ; : 释放局部变量80603b36 7513 jne nt!ExCreateHandleTable+0x6d (80603b4b) ; if((Thread->KernelApcDisable += 1) == 0)80603b38 8d4634 lea eax,[esi+34h] ; ┓80603b3b 3900 cmp dword ptr [eax],eax ; ┣ if(Thread->ApcState.ApcListHead[KernelMode].Flink != &Thread->ApcState.ApcListHead[KernelMode])80603b3d 740c je nt!ExCreateHandleTable+0x6d (80603b4b) ; ┛ 80603b4b 为程序的执行流程80603b3f b101 mov cl,1 ; ┓80603b41 c6464901 mov byte ptr [esi+49h],1 ; ┣ KiCheckForKernelApcDelivery() 的内部实现(FORCEINLINE)80603b45 ff1500874d80 call dword ptr [nt!_imp_HalRequestSoftwareInterrupt (804d8700)] ; ┛--------------------------------------------------------------------------------------------80603b4b 8bc3 mov eax,ebx ; return HandleTable;80603b4d 5e pop esi ; ┓ 清除栈上的局部变量80603b4e 5b pop ebx ; ┛80603b4f 5d pop ebp ; ESP 没有检验80603b50 c20400 ret 4 ; 被调用者清堆栈