Process Explorer shows all handles held by a process, with fields such as the object's name, type, address and handle value. For example:

The ETW NT Kernel Logger trace session has handle-operation events with the following syntax:

```c
class ObHandleEvent : ObTrace
{
    uint32 Handle;
    uint32 Object;
    string ObjectName;
    uint16 ObjectType;
};
```

My question is this: the ObjectType in ETW is a 16-bit integer. How do I map an integer ObjectType value to the corresponding object type name (as shown in Process Explorer)?
Answer 0: (score: 0)

I think the kernel object types are what you're after. Check them in a kernel debugger, or via livekd:

```text
0: kd> !object \ObjectTypes
Object: ffffe589f9c17aa0  Type: (ffffb28572cd3820) Directory
    ObjectHeader: ffffe589f9c17a70 (new version)
    HandleCount: 0  PointerCount: 68
    Directory Object: ffffe589f9c14a60  Name: ObjectTypes

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     00  ffffb28572d7e180 Type                      TmTm
     01  ffffb28572d76310 Type                      Desktop
         ffffb28572c3e680 Type                      Process
     02  ffffb28572d53ad0 Type                      EnergyTracker
         ffffb28572d5cbb0 Type                      RegistryTransaction
     03  ffffb28572cccc60 Type                      DebugObject
     04  ffffb28575682520 Type                      VRegConfigurationContext
         ffffb28572ccc440 Type                      TpWorkerFactory
     05  ffffb28572d6da20 Type                      Adapter
         ffffb28572ccfc40 Type                      Token
     06  ffffb2857562ebb0 Type                      DxgkSharedResource
     07  ffffb28572ccb560 Type                      PsSiloContextPaged
    ....
```
Then you can dump the object header with:

```text
0: kd> dt nt!_OBJECT_TYPE ffffb28572d68e80
   +0x000 TypeList         : _LIST_ENTRY [ 0xffffb285`72d68e80 - 0xffffb285`72d68e80 ]
   +0x010 Name             : _UNICODE_STRING "Section"
   +0x020 DefaultObject    : 0xfffff801`a03c4680 Void
   +0x028 Index            : 0x29 ')'
   +0x02c TotalNumberOfObjects : 0x4943
   +0x030 TotalNumberOfHandles : 0xf50
   +0x034 HighWaterNumberOfObjects : 0x4ccc
   +0x038 HighWaterNumberOfHandles : 0x10c3
   +0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0b8 TypeLock         : _EX_PUSH_LOCK
   +0x0c0 Key              : 0x74636553
   +0x0c8 CallbackList     : _LIST_ENTRY [ 0xffffb285`72d68f48 - 0xffffb285`72d68f48 ]
```

The `Index` field should correlate with the corresponding ETW event. I'm not sure whether that index is constant across Windows versions, but I'd guess not.

Process Hacker (a better Process Explorer) formats object types with the following:
```c
#include <ph.h>     /* Process Hacker's phlib header: PPH_OBJECT_HEADER, PhGetObjectType, ... */
#include <stdio.h>

static VOID PhpDumpObjectInfo(
    _In_ PPH_OBJECT_HEADER ObjectHeader
    )
{
    PVOID object;
    PPH_OBJECT_TYPE objectType;

    object = PhObjectHeaderToObject(ObjectHeader);
    objectType = PhGetObjectType(object);

    __try
    {
        wprintf(L"Type: %s\n", objectType->Name);
        wprintf(L"Reference count: %d\n", ObjectHeader->RefCount);
        wprintf(L"Flags: %x\n", ObjectHeader->Flags);

        if (objectType == PhObjectTypeObject)
        {
            /* The object is itself one of Process Hacker's type descriptors. */
            wprintf(L"Name: %s\n", ((PPH_OBJECT_TYPE)object)->Name);
            wprintf(L"Number of objects: %u\n", ((PPH_OBJECT_TYPE)object)->NumberOfObjects);
            wprintf(L"Flags: %u\n", ((PPH_OBJECT_TYPE)object)->Flags);
            wprintf(L"Type index: %u\n", ((PPH_OBJECT_TYPE)object)->TypeIndex);
            wprintf(L"Free list count: %u\n", ((PPH_OBJECT_TYPE)object)->FreeList.Count);
        }
        else if (objectType == PhStringType)
        {
            wprintf(L"%s\n", ((PPH_STRING)object)->Buffer);
        }
        /* Further per-type branches are not part of the quoted excerpt. */
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* Handler added here only to close the excerpt's __try so it compiles. */
        wprintf(L"Unable to read object\n");
    }
}
```

That should give you some pointers for next steps.
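As an added example (not from the answer above and not Process Hacker's code), the following Python script turns the two debugger outputs the answer walks through into an ObjectType index to name lookup and applies it to an ObHandleEvent record. The sample `!object \ObjectTypes` rows and the Section `dt` dump are taken from the output above; the Process index 0x7 and the event values are constructed assumptions. Because the answer notes the index may change between Windows versions, the map is meant to be regenerated on the traced machine, and the builder refuses clashing indices from mixed builds.

```python
import re
# Row of `!object \ObjectTypes`: optional 2-digit hash bucket, 16-hex address, "Type", name.
_OBJ_ROW = re.compile(r"^\s*(?:[0-9a-f]{2}\s+)?([0-9a-f]{16})\s+Type\s+(\S+)\s*$", re.I)
# The two `dt nt!_OBJECT_TYPE <addr>` fields we need: the Name string and the Index byte.
_DT_NAME = re.compile(r'\bName\s*:\s*_UNICODE_STRING\s+"([^"]*)"')
_DT_INDEX = re.compile(r"\bIndex\s*:\s*(0x[0-9a-f]+)", re.I)

# Constructed sample: rows from the `!object \ObjectTypes` listing above plus the Section
# row implied by the `dt` output (the real listing continues past "....").
SAMPLE_LISTING = """\
 00 ffffb28572d7e180 Type TmTm
 01 ffffb28572d76310 Type Desktop
    ffffb28572c3e680 Type Process
 02 ffffb28572d53ad0 Type EnergyTracker
    ffffb28572d68e80 Type Section
"""
# Constructed `dt` outputs: Section's Index 0x29 is from the dump above; Process's 0x7 is
# invented here and will differ on other builds (hence the map is rebuilt per machine).
SAMPLE_DT = [
    '   +0x010 Name : _UNICODE_STRING "Section"\n   +0x028 Index : 0x29 \')\'\n',
    '   +0x010 Name : _UNICODE_STRING "Process"\n   +0x028 Index : 0x7\n',
]

def parse_object_types(listing):
    """Map object-type address -> type name; feed each address to `dt nt!_OBJECT_TYPE`."""
    return {m.group(1).lower(): m.group(2)
            for m in map(_OBJ_ROW.match, listing.splitlines()) if m}

def parse_type_index(dt_output):
    """Return (Index, Name) from one `dt nt!_OBJECT_TYPE` dump."""
    name, idx = _DT_NAME.search(dt_output), _DT_INDEX.search(dt_output)
    if not name or not idx:
        raise ValueError("dt output lacks the Name or Index field")
    return int(idx.group(1), 16), name.group(1)

def build_index_map(dt_outputs):
    """Index -> name; a clash means the dumps did not all come from the same build."""
    index_map = {}
    for idx, name in map(parse_type_index, dt_outputs):
        if index_map.get(idx, name) != name:
            raise ValueError(f"index {idx:#x} maps to both {index_map[idx]} and {name}")
        index_map[idx] = name
    return index_map

def resolve_handle_event(event, index_map):
    """Annotate an ObHandleEvent dict with the name behind its 16-bit ObjectType."""
    idx = event["ObjectType"]
    return {**event, "ObjectTypeName": index_map.get(idx, f"<unknown type index {idx:#x}>")}
```

Run `parse_object_types` on the full `!object` listing, issue `dt nt!_OBJECT_TYPE <addr>` for every address it returns, and pass those dumps to `build_index_map` before resolving events from the trace.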