Title: OBJECT_HEADER.TypeIndex is obfuscated on Win10
https://scz.617.cn/windows/201710241509.txt
kd> dt nt!_OBJECT_HEADER TypeIndex poi(nt!IoFileObjectType)-@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))
   +0x018 TypeIndex : 0x32 '2'

OBJECT_HEADER.TypeIndex changed between Win7 and Win10. In the dump above TypeIndex is 0x32, where we would expect 0x02 (the trailing '2' is only dt rendering the byte 0x32 as an ASCII character, not the decoded index). On Win7 the byte stored in the header is the index into ObTypeIndexTable itself; on Win10 the stored byte is obfuscated and has to be decoded first.
kd> uf nt!ObGetObjectType
nt!ObGetObjectType:
fffff800`831706f0 488d41d0        lea     rax,[rcx-30h]
fffff800`831706f4 0fb649e8        movzx   ecx,byte ptr [rcx-18h]
fffff800`831706f8 48c1e808        shr     rax,8
fffff800`831706fc 0fb6c0          movzx   eax,al
fffff800`831706ff 4833c1          xor     rax,rcx
fffff800`83170702 0fb60d37bce8ff  movzx   ecx,byte ptr [nt!ObHeaderCookie (fffff800`82ffc340)]
fffff800`83170709 4833c1          xor     rax,rcx
fffff800`8317070c 488d0d0dc2e8ff  lea     rcx,[nt!ObTypeIndexTable (fffff800`82ffc920)]
fffff800`83170713 488b04c1        mov     rax,qword ptr [rcx+rax*8]
fffff800`83170717 c3              ret
rcx holds the object body; rcx-30h is the OBJECT_HEADER (Body sits at +0x30) and rcx-18h is its TypeIndex byte. The real index is the stored byte XOR bits 8..15 of the header address XOR the global byte nt!ObHeaderCookie. C-style pseudocode:

POBJECT_TYPE    ObTypeIndexTable[...];   /* one POBJECT_TYPE per registered object type */
unsigned char   ObHeaderCookie;          /* global byte, chosen at boot */

POBJECT_TYPE __stdcall ObGetObjectType
(
    POBJECT_BODY    Object
)
{
    POBJECT_HEADER  ObjectHeader;
    POBJECT_TYPE    ObjectType;
    unsigned char   TypeIndex;

    ObjectHeader    = OBJECT_TO_OBJECT_HEADER( Object );     /* Object - 0x30 */
    TypeIndex       = ObjectHeader->TypeIndex;               /* obfuscated byte at +0x18 */
    /* shr rax,8 / movzx eax,al: bits 8..15 of the header address, then the two XORs */
    TypeIndex       = ( ( (ULONG_PTR)ObjectHeader >> 8 ) & 0xff ) ^ TypeIndex ^ ObHeaderCookie;
    ObjectType      = ObTypeIndexTable[TypeIndex];
    return( ObjectType );
}
The following two sets of commands verify the pseudocode:

r $t0=poi(nt!IoFileObjectType)
r $t1=@$t0-@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))
r $t2=by(@$t1+@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, TypeIndex)))
r $t3=((@$t1 >> 8) & 0xff) ^ @$t2 ^ by(nt!ObHeaderCookie)
r @$t0, @$t1, @$t2, @$t3

r $t0=poi(nt!ObpTypeObjectType)
r $t1=@$t0-@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))
r $t2=by(@$t1+@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, TypeIndex)))
r $t3=((@$t1 >> 8) & 0xff) ^ @$t2 ^ by(nt!ObHeaderCookie)
r @$t0, @$t1, @$t2, @$t3

In both cases the final $t3 should be 2: poi(nt!IoFileObjectType) and poi(nt!ObpTypeObjectType) are both OBJECT_TYPE objects, and the type of an OBJECT_TYPE object is the "Type" type, which sits at index 2 of ObTypeIndexTable. Two practical consequences: because bits 8..15 of the header address take part in the XOR, objects of the same type at different addresses generally carry different TypeIndex bytes, so the raw byte cannot be matched against a fixed value; and because ObHeaderCookie is chosen at boot, anything that walks object headers outside the running kernel (a memory-dump parser, for example) must first read nt!ObHeaderCookie or derive it from an object whose type is already known.
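The decode from the pseudocode and the check performed by the WinDbg commands, as an added user-mode C example (not code from the page or from Windows): it implements the three directions of the same XOR equation, decode (what ObGetObjectType does), encode (what the kernel stores), and cookie recovery from an object of known type, and runs them on constructed sample addresses and a constructed cookie. The offsets 0x30 and 0x18 are the ones from the page's session; the addresses, the cookie 0x5c and the File index 0x25 are invented for the sample and are not values from any real system. For the page's own object, stored byte 0x32 with real index 2 means that header-address byte XOR cookie was 0x30 on that machine.

```c
#include <stdint.h>
#include <stdio.h>

/* Offsets from the page's x64 Windows 10 session: Body at +0x30 of
 * _OBJECT_HEADER, TypeIndex at +0x18. */
#define OBJECT_HEADER_BODY_OFFSET       0x30
#define OBJECT_HEADER_TYPEINDEX_OFFSET  0x18

/* OBJECT_TO_OBJECT_HEADER: the body directly follows the 0x30-byte header. */
static uint64_t body_to_header(uint64_t body_addr)
{
    return body_addr - OBJECT_HEADER_BODY_OFFSET;
}

/* Bits 8..15 of the header address: what "shr rax,8 / movzx eax,al" leaves in eax. */
static uint8_t header_addr_byte(uint64_t header_addr)
{
    return (uint8_t)((header_addr >> 8) & 0xff);
}

/* What ObGetObjectType computes: stored byte -> real index into ObTypeIndexTable. */
static uint8_t decode_type_index(uint64_t header_addr, uint8_t stored, uint8_t cookie)
{
    return (uint8_t)(header_addr_byte(header_addr) ^ stored ^ cookie);
}

/* The inverse, i.e. the byte the kernel writes into the header. XOR is its own
 * inverse, so it is the same expression with the real index in place of the stored byte. */
static uint8_t encode_type_index(uint64_t header_addr, uint8_t real_index, uint8_t cookie)
{
    return (uint8_t)(header_addr_byte(header_addr) ^ real_index ^ cookie);
}

/* The same equation solved for the cookie, from one object whose real index is
 * known. OBJECT_TYPE objects are the natural choice: their type is "Type",
 * index 2, which is why both checks on the page yield 2. */
static uint8_t recover_cookie(uint64_t header_addr, uint8_t stored, uint8_t known_index)
{
    return (uint8_t)(header_addr_byte(header_addr) ^ stored ^ known_index);
}

/* Constructed sample data (not from a real system): a cookie, one OBJECT_TYPE
 * object and two File objects. The File index 0x25 is invented for the sample. */
#define SAMPLE_COOKIE           0x5c
#define SAMPLE_TYPE_INDEX_TYPE  0x02   /* index of the "Type" type */
#define SAMPLE_TYPE_INDEX_FILE  0x25   /* invented index for "File" in this sample */

static const uint64_t SAMPLE_TYPE_OBJ_BODY  = 0xffffe0006a3f1b60ULL; /* header ...1b30 */
static const uint64_t SAMPLE_FILE_OBJ_BODY  = 0xffffe000712c4eb0ULL; /* header ...4e80 */
static const uint64_t SAMPLE_FILE_OBJ2_BODY = 0xffffe000712c5eb0ULL; /* header ...5e80 */

/* Encode -> decode -> cookie recovery on the sample data; 1 if every step is
 * consistent, 0 otherwise. */
static int run_sample(void)
{
    uint64_t type_hdr  = body_to_header(SAMPLE_TYPE_OBJ_BODY);
    uint64_t file_hdr  = body_to_header(SAMPLE_FILE_OBJ_BODY);
    uint64_t file2_hdr = body_to_header(SAMPLE_FILE_OBJ2_BODY);

    /* 1. The bytes the kernel would store in each header. */
    uint8_t type_stored  = encode_type_index(type_hdr,  SAMPLE_TYPE_INDEX_TYPE, SAMPLE_COOKIE);
    uint8_t file_stored  = encode_type_index(file_hdr,  SAMPLE_TYPE_INDEX_FILE, SAMPLE_COOKIE);
    uint8_t file2_stored = encode_type_index(file2_hdr, SAMPLE_TYPE_INDEX_FILE, SAMPLE_COOKIE);

    /* 2. Same type, different address -> different stored byte (0x37 vs 0x27 here):
     *    the raw byte alone cannot be used to find "all File objects". */
    if (file_stored == file2_stored) return 0;

    /* 3. Recover the cookie from the OBJECT_TYPE object (known index 2), then
     *    decode the File objects with it, as a memory-dump parser would. */
    uint8_t cookie = recover_cookie(type_hdr, type_stored, SAMPLE_TYPE_INDEX_TYPE);
    if (cookie != SAMPLE_COOKIE) return 0;
    if (decode_type_index(file_hdr,  file_stored,  cookie) != SAMPLE_TYPE_INDEX_FILE) return 0;
    if (decode_type_index(file2_hdr, file2_stored, cookie) != SAMPLE_TYPE_INDEX_FILE) return 0;
    return 1;
}

int main(void)
{
    uint64_t type_hdr = body_to_header(SAMPLE_TYPE_OBJ_BODY);
    uint8_t  stored   = encode_type_index(type_hdr, SAMPLE_TYPE_INDEX_TYPE, SAMPLE_COOKIE);

    printf("Type object header %#llx: stored TypeIndex %#04x, decoded %#04x, cookie %#04x\n",
           (unsigned long long)type_hdr, stored,
           decode_type_index(type_hdr, stored, SAMPLE_COOKIE),
           recover_cookie(type_hdr, stored, SAMPLE_TYPE_INDEX_TYPE));
    return run_sample() ? 0 : 1;
}
```

recover_cookie is the step a forensics tool needs on a dump it did not take itself: locate the OBJECT_TYPE objects (for example through nt!ObpTypeObjectType or the type directory), take their stored byte and header address, and the cookie falls out; every other header can then be decoded with decode_type_index exactly as ObGetObjectType would.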