Where did the _SECTION_OBJECT structure go after Windows 10 1511?
I want to get the full path of a process's executable through SectionObject. The following chain works fine on Windows 10 builds before 1511,
but from 1511 onward
this _SECTION_OBJECT is gone.
Did Microsoft remove it outright, or is there some other structure that replaces it?
EPROCESS->SectionObject(_SECTION_OBJECT)->Segment(_SEGMENT)->ControlArea (_CONTROL_AREA)->FilePointer( _FILE_OBJECT)
I went through 1809: there is an ImageFilePointer member, which is a _FILE_OBJECT directly.
But the SectionObject member is still there. Note +0x3B8 and +0x448:
kd> dt _EPROCESS ffffaf03fdb66540
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x2d8 ProcessLock : _EX_PUSH_LOCK
+0x2e0 UniqueProcessId: 0x00000000`0000029c Void
+0x2e8 ActiveProcessLinks : _LIST_ENTRY [ 0xffffaf03`fdc24368 - 0xffffaf03`fdb55828 ]
+0x2f8 RundownProtect : _EX_RUNDOWN_REF
+0x300 Flags2 : 0xd000
+0x300 JobNotReallyActive : 0y0
+0x300 AccountingFolded : 0y0
+0x300 NewProcessReported : 0y0
+0x300 ExitProcessReported : 0y0
+0x300 ReportCommitChanges : 0y0
+0x300 LastReportMemory : 0y0
+0x300 ForceWakeCharge: 0y0
+0x300 CrossSessionCreate : 0y0
+0x300 NeedsHandleRundown : 0y0
+0x300 RefTraceEnabled: 0y0
+0x300 PicoCreated : 0y0
+0x300 EmptyJobEvaluated : 0y0
+0x300 DefaultPagePriority : 0y101
+0x300 PrimaryTokenFrozen : 0y1
+0x300 ProcessVerifierTarget : 0y0
+0x300 RestrictSetThreadContext : 0y0
+0x300 AffinityPermanent : 0y0
+0x300 AffinityUpdateEnable : 0y0
+0x300 PropagateNode : 0y0
+0x300 ExplicitAffinity : 0y0
+0x300 ProcessExecutionState : 0y00
+0x300 EnableReadVmLogging : 0y0
+0x300 EnableWriteVmLogging : 0y0
+0x300 FatalAccessTerminationRequested : 0y0
+0x300 DisableSystemAllowedCpuSet : 0y0
+0x300 ProcessStateChangeRequest : 0y00
+0x300 ProcessStateChangeInProgress : 0y0
+0x300 InPrivate : 0y0
+0x304 Flags : 0x144d2c01
+0x304 CreateReported : 0y1
+0x304 NoDebugInherit : 0y0
+0x304 ProcessExiting : 0y0
+0x304 ProcessDelete : 0y0
+0x304 ManageExecutableMemoryWrites : 0y0
+0x304 VmDeleted : 0y0
+0x304 OutswapEnabled : 0y0
+0x304 Outswapped : 0y0
+0x304 FailFastOnCommitFail : 0y0
+0x304 Wow64VaSpace4Gb: 0y0
+0x304 AddressSpaceInitialized : 0y11
+0x304 SetTimerResolution : 0y0
+0x304 BreakOnTermination : 0y1
+0x304 DeprioritizeViews : 0y0
+0x304 WriteWatch : 0y0
+0x304 ProcessInSession : 0y1
+0x304 OverrideAddressSpace : 0y0
+0x304 HasAddressSpace: 0y1
+0x304 LaunchPrefetched : 0y1
+0x304 Background : 0y0
+0x304 VmTopDown : 0y0
+0x304 ImageNotifyDone: 0y1
+0x304 PdeUpdateNeeded: 0y0
+0x304 VdmAllowed : 0y0
+0x304 ProcessRundown : 0y0
+0x304 ProcessInserted: 0y1
+0x304 DefaultIoPriority : 0y010
+0x304 ProcessSelfDelete : 0y0
+0x304 SetTimerResolutionLink : 0y0
+0x308 CreateTime : _LARGE_INTEGER 0x01d6fa83`4c56ae38
+0x310 ProcessQuotaUsage : 0x3e90
+0x320 ProcessQuotaPeak : 0x4658
+0x330 PeakVirtualSize: 0x00000201`06498000
+0x338 VirtualSize : 0x00000201`05244000
+0x340 SessionProcessLinks : _LIST_ENTRY [ 0xffffaf03`fdc243c0 - 0xffff9c81`e0486010 ]
+0x350 ExceptionPortData : (null)
+0x350 ExceptionPortValue : 0
+0x350 ExceptionPortState : 0y000
+0x358 Token : _EX_FAST_REF
+0x360 MmReserved : 0
+0x368 AddressCreationLock : _EX_PUSH_LOCK
+0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x378 RotateInProgress : (null)
+0x380 ForkInProgress : (null)
+0x388 CommitChargeJob: (null)
+0x390 CloneRoot : _RTL_AVL_TREE
+0x398 NumberOfPrivatePages : 0x11f
+0x3a0 NumberOfLockedPages : 0
+0x3a8 Win32Process : 0xffff8880`40608010 Void
+0x3b0 Job : (null)
+0x3b8 SectionObject : 0xffff8c85`a5762240 Void
+0x3c0 SectionBaseAddress : 0x00007ff7`9a1e0000 Void
+0x3c8 Cookie : 0x96d0bec3
+0x3d0 WorkingSetWatch: (null)
+0x3d8 Win32WindowStation : (null)
+0x3e0 InheritedFromUniqueProcessId : 0x00000000`0000028c Void
+0x3e8 Spare0 : (null)
+0x3f0 OwnerProcessId : 0x28e
+0x3f8 Peb : 0x00000095`f285c000 _PEB
+0x400 Session : 0xffff9c81`e0486000 _MM_SESSION_SPACE
+0x408 Spare1 : (null)
+0x410 QuotaBlock : 0xfffff805`57854600 _EPROCESS_QUOTA_BLOCK
+0x418 ObjectTable : 0xffff8c85`a2cbd8c0 _HANDLE_TABLE
+0x420 DebugPort : (null)
+0x428 WoW64Process : (null)
+0x430 DeviceMap : 0xffff8c85`a1e13660 Void
+0x438 EtwDataSource : 0xffffaf03`fca56ba0 Void
+0x440 PageDirectoryPte : 0
+0x448 ImageFilePointer : 0xffffaf03`fda8d200 _FILE_OBJECT
+0x450 ImageFileName : "csrss.exe"
+0x45f PriorityClass : 0x2 ''
+0x460 SecurityPort : (null)
+0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x470 JobLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x480 HighestUserAddress : 0x00007fff`ffff0000 Void
+0x488 ThreadListHead : _LIST_ENTRY [ 0xffffaf03`fdb6f768 - 0xffffaf03`fdb5c728 ]
+0x498 ActiveThreads : 0xb
+0x49c ImagePathHash : 0
+0x4a0 DefaultHardErrorProcessing : 0
+0x4a4 LastThreadExitStatus : 0n0
+0x4a8 PrefetchTrace : _EX_FAST_REF
+0x4b0 LockedPagesList: (null)
+0x4b8 ReadOperationCount : _LARGE_INTEGER 0x0
+0x4c0 WriteOperationCount : _LARGE_INTEGER 0x0
+0x4c8 OtherOperationCount : _LARGE_INTEGER 0x2f
+0x4d0 ReadTransferCount : _LARGE_INTEGER 0x0
+0x4d8 WriteTransferCount : _LARGE_INTEGER 0x0
+0x4e0 OtherTransferCount : _LARGE_INTEGER 0x500
+0x4e8 CommitChargeLimit : 0
+0x4f0 CommitCharge : 0x19e
+0x4f8 CommitChargePeak : 0x702
+0x500 Vm : _MMSUPPORT_FULL
+0x610 MmProcessLinks : _LIST_ENTRY [ 0xffffaf03`fdc24690 - 0xffffaf03`fdb55b50 ]
+0x620 ModifiedPageCount : 0xf65
+0x624 ExitStatus : 0n259
+0x628 VadRoot : _RTL_AVL_TREE
+0x630 VadHint : 0xffffaf03`fd1424a0 Void
+0x638 VadCount : 0x4d
+0x640 VadPhysicalPages : 0
+0x648 VadPhysicalPagesLimit : 0
+0x650 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x670 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x680 TimerResolutionStackRecord : (null)
+0x688 RequestedTimerResolution : 0
+0x68c SmallestTimerResolution : 0
+0x690 ExitTime : _LARGE_INTEGER 0x0
+0x698 InvertedFunctionTable : (null)
+0x6a0 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x6a8 ActiveThreadsHighWatermark : 0xd
+0x6ac LargePrivateVadCount : 0
+0x6b0 ThreadListLock : _EX_PUSH_LOCK
+0x6b8 WnfContext : 0xffff8c85`a5761750 Void
+0x6c0 ServerSilo : (null)
+0x6c8 SignatureLevel : 0x3e '>'
+0x6c9 SectionSignatureLevel : 0xc ''
+0x6ca Protection : _PS_PROTECTION
+0x6cb HangCount : 0y000
+0x6cb GhostCount : 0y000
+0x6cb PrefilterException : 0y0
+0x6cc Flags3 : 0x40c040
+0x6cc Minimal : 0y0
+0x6cc ReplacingPageRoot : 0y0
+0x6cc Crashed : 0y0
+0x6cc JobVadsAreTracked : 0y0
+0x6cc VadTrackingDisabled : 0y0
+0x6cc AuxiliaryProcess : 0y0
+0x6cc SubsystemProcess : 0y1
+0x6cc IndirectCpuSets: 0y0
+0x6cc RelinquishedCommit : 0y0
+0x6cc HighGraphicsPriority : 0y0
+0x6cc CommitFailLogged : 0y0
+0x6cc ReserveFailLogged : 0y0
+0x6cc SystemProcess : 0y0
+0x6cc HideImageBaseAddresses : 0y0
+0x6cc AddressPolicyFrozen : 0y1
+0x6cc ProcessFirstResume : 0y1
+0x6cc ForegroundExternal : 0y0
+0x6cc ForegroundSystem : 0y0
+0x6cc HighMemoryPriority : 0y0
+0x6cc EnableProcessSuspendResumeLogging : 0y0
+0x6cc EnableThreadSuspendResumeLogging : 0y0
+0x6cc SecurityDomainChanged : 0y0
+0x6cc SecurityFreezeComplete : 0y1
+0x6cc VmProcessorHost: 0y0
+0x6d0 DeviceAsid : 0n0
+0x6d8 SvmData : (null)
+0x6e0 SvmProcessLock : _EX_PUSH_LOCK
+0x6e8 SvmLock : 0
+0x6f0 SvmProcessDeviceListHead : _LIST_ENTRY [ 0xffffaf03`fdb66c30 - 0xffffaf03`fdb66c30 ]
+0x700 LastFreezeInterruptTime : 0
+0x708 DiskCounters : 0xffffaf03`fdb66d90 _PROCESS_DISK_COUNTERS
+0x710 PicoContext : (null)
+0x718 EnclaveTable : (null)
+0x720 EnclaveNumber : 0
+0x728 EnclaveLock : _EX_PUSH_LOCK
+0x730 HighPriorityFaultsAllowed : 0
+0x738 EnergyContext : 0xffffaf03`fdb66db8 _PO_PROCESS_ENERGY_CONTEXT
+0x740 VmContext : (null)
+0x748 SequenceNumber : 9
+0x750 CreateInterruptTime : 0x4a01b7a
+0x758 CreateUnbiasedInterruptTime : 0x4a01b7a
+0x760 TotalUnbiasedFrozenTime : 0
+0x768 LastAppStateUpdateTime : 0x4a01b7a
+0x770 LastAppStateUptime : 0y0000000000000000000000000000000000000000000000000000000000000 (0)
+0x770 LastAppState : 0y000
+0x778 SharedCommitCharge : 0x3aa
+0x780 SharedCommitLock : _EX_PUSH_LOCK
+0x788 SharedCommitLinks : _LIST_ENTRY [ 0xffff8c85`a2d6d8e8 - 0xffff8c85`a7311338 ]
+0x798 AllowedCpuSets : 0
+0x7a0 DefaultCpuSets : 0
+0x798 AllowedCpuSetsIndirect : (null)
+0x7a0 DefaultCpuSetsIndirect : (null)
+0x7a8 DiskIoAttribution : (null)
+0x7b0 DxgProcess : 0xffff8c85`a576b050 Void
+0x7b8 Win32KFilterSet: 0
+0x7c0 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x7c8 KTimerSets : 0
+0x7cc KTimer2Sets : 0
+0x7d0 ThreadTimerSets: 0xb2
+0x7d8 VirtualTimerListLock : 0
+0x7e0 VirtualTimerListHead : _LIST_ENTRY [ 0xffffaf03`fdb66d20 - 0xffffaf03`fdb66d20 ]
+0x7f0 WakeChannel : _WNF_STATE_NAME
+0x7f0 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
+0x820 MitigationFlags: 0x121
+0x820 MitigationFlagsValues : <unnamed-tag>
+0x824 MitigationFlags2 : 0
+0x824 MitigationFlags2Values : <unnamed-tag>
+0x828 PartitionObject: 0xffffaf03`fca95ce0 Void
+0x830 SecurityDomain : 0
+0x838 ParentSecurityDomain : 0
+0x840 CoverageSamplerContext : (null)
+0x848 MmHotPatchContext : (null)
Expanding SectionObject:
kd> dt _SECTION ffff8c85`a5762240 /b
nt!_SECTION
+0x000 SectionNode : _RTL_BALANCED_NODE
+0x000 Children :
(null)
(null)
+0x000 Left : (null)
+0x008 Right : (null)
+0x010 Red : 0y0
+0x010 Balance : 0y00
+0x010 ParentValue : 0
+0x018 StartingVpn : 0
+0x020 EndingVpn : 0
+0x028 u1 : <unnamed-tag>
+0x000 ControlArea : 0xffffaf03`fd80ac70
+0x000 FileObject : 0xffffaf03`fd80ac70
+0x000 RemoteImageFileObject : 0y0
+0x000 RemoteDataFileObject : 0y0
+0x030 SizeOfSection : 0x7000
+0x038 u : <unnamed-tag>
+0x000 LongFlags : 0x100a0
+0x000 Flags : _MMSECTION_FLAGS
+0x000 BeingDeleted : 0y0
+0x000 BeingCreated : 0y0
+0x000 BeingPurged : 0y0
+0x000 NoModifiedWriting : 0y0
+0x000 FailAllIo : 0y0
+0x000 Image : 0y1
+0x000 Based : 0y0
+0x000 File : 0y1
+0x000 AttemptingDelete : 0y0
+0x000 PrefetchCreated: 0y0
+0x000 PhysicalMemory : 0y0
+0x000 ImageControlAreaOnRemovableMedia : 0y0
+0x000 Reserve : 0y0
+0x000 Commit : 0y0
+0x000 NoChange : 0y0
+0x000 WasPurged : 0y0
+0x000 UserReference : 0y1
+0x000 GlobalMemory : 0y0
+0x000 DeleteOnClose : 0y0
+0x000 FilePointerNull: 0y0
+0x000 PreferredNode : 0y000000 (0)
+0x000 GlobalOnlyPerSession : 0y0
+0x000 UserWritable : 0y0
+0x000 SystemVaAllocated : 0y0
+0x000 PreferredFsCompressionBoundary : 0y0
+0x000 UsingFileExtents : 0y0
+0x000 PageSize64K : 0y0
+0x03c InitialPageProtection : 0y000000010000 (0x10)
+0x03c SessionId : 0y0000000000000000000 (0)
+0x03c NoValidationNeeded : 0y0
Then expanding ControlArea:
kd> dt _CONTROL_AREA ffffaf03fd80ac70 /b
nt!_CONTROL_AREA
+0x000 Segment : 0xffff8c85`a525eed0
+0x008 ListHead : _LIST_ENTRY [ 0xffffaf03`fd142d20 - 0xffffaf03`fd457df0 ]
+0x000 Flink : 0xffffaf03`fd142d20
+0x008 Blink : 0xffffaf03`fd457df0
+0x008 AweContext : 0xffffaf03`fd142d20
+0x018 NumberOfSectionReferences : 2
+0x020 NumberOfPfnReferences : 7
+0x028 NumberOfMappedViews : 2
+0x030 NumberOfUserReferences : 4
+0x038 u : <unnamed-tag>
+0x000 LongFlags : 0xa0
+0x000 Flags : _MMSECTION_FLAGS
+0x000 BeingDeleted : 0y0
+0x000 BeingCreated : 0y0
+0x000 BeingPurged : 0y0
+0x000 NoModifiedWriting : 0y0
+0x000 FailAllIo : 0y0
+0x000 Image : 0y1
+0x000 Based : 0y0
+0x000 File : 0y1
+0x000 AttemptingDelete : 0y0
+0x000 PrefetchCreated: 0y0
+0x000 PhysicalMemory : 0y0
+0x000 ImageControlAreaOnRemovableMedia : 0y0
+0x000 Reserve : 0y0
+0x000 Commit : 0y0
+0x000 NoChange : 0y0
+0x000 WasPurged : 0y0
+0x000 UserReference : 0y0
+0x000 GlobalMemory : 0y0
+0x000 DeleteOnClose : 0y0
+0x000 FilePointerNull: 0y0
+0x000 PreferredNode : 0y000000 (0)
+0x000 GlobalOnlyPerSession : 0y0
+0x000 UserWritable : 0y0
+0x000 SystemVaAllocated : 0y0
+0x000 PreferredFsCompressionBoundary : 0y0
+0x000 UsingFileExtents : 0y0
+0x000 PageSize64K : 0y0
+0x03c u1 : <unnamed-tag>
+0x000 LongFlags : 0
+0x000 Flags : _MMSECTION_FLAGS2
+0x000 PartitionId : 0y0000000000 (0)
+0x002 NoCrossPartitionAccess : 0y0
+0x002 SubsectionCrossPartitionReferenceOverflow : 0y0
+0x040 FilePointer : _EX_FAST_REF
+0x000 Object : 0xffffaf03`fd84591b
+0x000 RefCnt : 0y1011
+0x000 Value : 0xffffaf03`fd84591b
+0x048 ControlAreaLock: 0n0
+0x04c ModifiedWriteCount : 0
+0x050 WaitList : (null)
+0x058 u2 : <unnamed-tag>
+0x000 e2 : <unnamed-tag>
+0x000 NumberOfSystemCacheViews : 0xffffffff
+0x000 ImageRelocationStartBit : 0xffffffff
+0x004 WritableUserReferences : 0n58720257
+0x004 ImageRelocationSizeIn64k : 0y0000000000000001 (0x1)
+0x004 LargePage : 0y0
+0x004 AweSection : 0y0
+0x004 SystemImage : 0y0
+0x004 StrongCode : 0y00
+0x004 CantMove : 0y0
+0x004 BitMap : 0y10
+0x004 ImageActive : 0y1
+0x004 ImageBaseOkToReuse : 0y1
+0x008 FlushInProgressCount : 0xfd80ae78
+0x008 NumberOfSubsections : 0xfd80ae78
+0x008 SeImageStub : 0xffffaf03`fd80ae78
+0x068 FileObjectLock : _EX_PUSH_LOCK
+0x000 Locked : 0y0
+0x000 Waiting : 0y0
+0x000 Waking : 0y0
+0x000 MultipleShared : 0y0
+0x000 Shared : 0y000000000000000000000000000000000000000000000000000000000000 (0)
+0x000 Value : 0
+0x000 Ptr : (null)
+0x070 LockedPages : 1
+0x078 u3 : <unnamed-tag>
+0x000 IoAttributionContext : 0y0000000000000000000000000000000000000000000000000000000000110 (0x6)
+0x000 Spare : 0y000
+0x000 ImageCrossPartitionCharge : 6
+0x000 CommittedPageCount : 0y000000000000000000000000000000000110 (0x6)
The FilePointer at +0x40: its low 4 bits are the reference count, so once those are stripped the address is ffffaf03`fd845910. Expanding that:
kd> dt _FILE_OBJECT ffffaf03fd845910
nt!_FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xffffaf03`fd530870 _DEVICE_OBJECT
+0x010 Vpb : 0xffffaf03`fd2b98b0 _VPB
+0x018 FsContext : 0xffff8c85`a500f8b0 Void
+0x020 FsContext2 : 0xffff8c85`a500fb10 Void
+0x028 SectionObjectPointer : 0xffffaf03`fd8e7768 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap: (null)
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0x1 ''
+0x04b WriteAccess : 0 ''
+0x04c DeleteAccess : 0 ''
+0x04d SharedRead : 0x1 ''
+0x04e SharedWrite : 0 ''
+0x04f SharedDelete : 0x1 ''
+0x050 Flags : 0x44042
+0x058 FileName : _UNICODE_STRING "\Windows\System32\csrss.exe"
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [ 0xffffaf03`fd8459d0 - 0xffffaf03`fd8459d0 ]
+0x0d0 FileObjectExtension : (null)
Also, they explained long ago that you can use the PsReferenceProcessFilePointer function to get the process's file object directly, with no offsets or hard-coded values at all: http://www.m5home.com/bbs/thread-8627-1-1.html
There is one small problem with the code they gave, though: it omits dereferencing the file object it obtains. Before the function returns it should add
ObDereferenceObject(pFileObject);

tangptr@126.com posted on 2021-2-4 07:45
I went through 1809: there is an ImageFilePointer member, which is a _FILE_OBJECT directly.
But the SectionObject member is still there. Note +0 ...
That chunk of code of mine without ObDereferenceObject has been copied and reused who knows how many times, haha.
Even though I had already put the comment "memory not yet freed, and ObDereferenceObject" on it.

tangptr@126.com posted on 2021-2-4 07:45
I went through 1809: there is an ImageFilePointer member, which is a _FILE_OBJECT directly.
But the SectionObject member is still there. Note +0 ...
First, thanks for the reply; I'm starting to understand. Looks like I'll have to dig into windbg myself.
I just went back over the material: starting with Windows 10 1507 a new _SECTION structure was added, but the _SECTION_OBJECT structure was still kept;
then from 1511 onward _SECTION_OBJECT was removed entirely and replaced by _SECTION.
If that is the case, does the offset chain change from the pre-1511
EPROCESS->SectionObject(_SECTION_OBJECT)->Segment(_SEGMENT)->ControlArea (_CONTROL_AREA)->FilePointer( _FILE_OBJECT)
to
EPROCESS->SectionObject(_SECTION)->ControlArea (_CONTROL_AREA)->FilePointer( _FILE_OBJECT)
with the intermediate _SEGMENT structure dropped?
One more question:
+0x040 FilePointer : _EX_FAST_REF
+0x000 Object : 0xffffaf03`fd84591b
+0x000 RefCnt : 0y1011
+0x000 Value : 0xffffaf03`fd84591b
Why, if the low 4 bits are the reference count, do you subtract 0xb from the address?

HJonny posted on 2021-2-4 16:05
First, thanks for the reply; I'm starting to understand. Looks like I'll have to dig into windbg myself.
I just went back over the material: starting with Windows 10 1507, ...
The first question I can't answer: there is no guarantee it won't change again in later Windows 10 releases. I can only say it's better to use PsReferenceProcessFilePointer.
This part:
+0x040 FilePointer : _EX_FAST_REF
+0x000 Object : 0xffffaf03`fd84591b
+0x000 RefCnt : 0y1011
+0x000 Value : 0xffffaf03`fd84591b
Written in C it is:
typedef union _EX_FAST_REF
{
    struct
    {
        ULONG64 RefCnt:4;   // low 4 bits: fast-reference count
        ULONG64 Object:60;  // upper 60 bits: object address >> 4
    };
    ULONG64 Value;          // the raw 64-bit word as shown by dt
}EX_FAST_REF,*PEX_FAST_REF;
The low four bits are the reference count (RefCnt, short for Reference Count), used when fast-referencing this object; they have nothing to do with the object's own address, which is why they are stripped. But don't do it with subtraction; clear them with an AND. You can also declare this union yourself, assign the value to Value, and then shift Object left by 4 bits.

tangptr@126.com posted on 2021-2-4 20:16
The first question I can't answer: there is no guarantee it won't change again in later Windows 10 releases. I can only say it's better to use PsReferenceProcessFilePointer. ...
Got it, thanks a lot.
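To make tangptr@126.com's point about the low bits concrete, here is an added example; it is not code from the thread, from the linked post, or from Windows itself. It mirrors the union as posted (with the inner struct named so it also compiles as strict C99), runs in user mode with any C compiler, and uses the FilePointer value from the 1809 _CONTROL_AREA dump above; the second value with a different count is constructed. It shows the AND-mask and the union shift giving the same object address, and the "subtract 0xb" shortcut breaking as soon as the fast-reference count is anything other than 0xb:

```c
#include <stdint.h>
#include <stdio.h>

/* Mirror of the union posted in the thread (x64 layout): the low 4 bits of the
 * word are the fast-reference count, the upper 60 bits are the object pointer
 * with its low nibble dropped. The inner struct is named "s" so the union
 * compiles as strict C99 as well as with MSVC. */
typedef union _EX_FAST_REF {
    struct {
        uint64_t RefCnt : 4;
        uint64_t Object : 60;
    } s;
    uint64_t Value;
} EX_FAST_REF, *PEX_FAST_REF;

#define EX_FAST_REF_COUNT_MASK ((uint64_t)0xF)

/* Correct: clear the count bits with AND. Independent of whatever RefCnt holds. */
static uint64_t ex_fast_ref_object_mask(uint64_t value)
{
    return value & ~EX_FAST_REF_COUNT_MASK;
}

/* Equivalent via the union, the way the reply describes: assign Value, then
 * shift the 60-bit Object field back left by 4. */
static uint64_t ex_fast_ref_object_union(uint64_t value)
{
    EX_FAST_REF ref;
    ref.Value = value;
    return (uint64_t)ref.s.Object << 4;
}

/* The fast-reference count currently stored in the low nibble. */
static unsigned ex_fast_ref_count(uint64_t value)
{
    EX_FAST_REF ref;
    ref.Value = value;
    return (unsigned)ref.s.RefCnt;
}

/* The tempting shortcut from the dump: "subtract 0xb". It only yields the right
 * address while RefCnt happens to be 0xb; the count changes as the object is
 * referenced and released, so this silently produces a wrong pointer later. */
static uint64_t ex_fast_ref_object_subtract(uint64_t value, uint64_t count_seen)
{
    return value - count_seen;
}

/* Values copied from the 1809 dump in the thread: _CONTROL_AREA +0x40 FilePointer
 * and the _FILE_OBJECT address it decodes to. */
#define DUMP_FILEPOINTER_VALUE 0xffffaf03fd84591bULL
#define DUMP_FILE_OBJECT       0xffffaf03fd845910ULL

int main(void)
{
    uint64_t v = DUMP_FILEPOINTER_VALUE;
    printf("Value          = %#llx\n", (unsigned long long)v);
    printf("RefCnt         = %#x\n", ex_fast_ref_count(v));
    printf("Object (AND)   = %#llx\n", (unsigned long long)ex_fast_ref_object_mask(v));
    printf("Object (union) = %#llx\n", (unsigned long long)ex_fast_ref_object_union(v));

    /* Constructed: same object, but the fast-reference count is now 3. */
    uint64_t later = DUMP_FILE_OBJECT | 0x3;
    printf("later Value    = %#llx\n", (unsigned long long)later);
    printf("Object (AND)   = %#llx\n", (unsigned long long)ex_fast_ref_object_mask(later));
    printf("Object (-0xb)  = %#llx  <- wrong\n",
           (unsigned long long)ex_fast_ref_object_subtract(later, 0xb));
    return 0;
}
```

Build with `cc -std=c99 ex_fast_ref.c` and run it. In a driver none of this decoding is needed: as the thread concludes, PsReferenceProcessFilePointer hands back an already-referenced PFILE_OBJECT, and the only thing to remember is to release it with ObDereferenceObject once you are done with it.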