标题: Win10的OBJECT_HEADER.TypeIndex被混淆过

https://scz.617.cn/windows/201710241509.txt

kd> dt nt!_OBJECT_HEADER TypeIndex poi(nt!IoFileObjectType)-@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))
   +0x018 TypeIndex : 0x32 '2'

Win10的OBJECT_HEADER.TypeIndex相比Win7有变化,上例中TypeIndex等于0x32,我们期望它等于0x02。Win10中这个值被混淆过,Win7中存放的就是下标。

kd> uf nt!ObGetObjectType
nt!ObGetObjectType:
fffff800`831706f0 488d41d0        lea     rax,[rcx-30h]
fffff800`831706f4 0fb649e8        movzx   ecx,byte ptr [rcx-18h]
fffff800`831706f8 48c1e808        shr     rax,8
fffff800`831706fc 0fb6c0          movzx   eax,al
fffff800`831706ff 4833c1          xor     rax,rcx
fffff800`83170702 0fb60d37bce8ff  movzx   ecx,byte ptr [nt!ObHeaderCookie (fffff800`82ffc340)]
fffff800`83170709 4833c1          xor     rax,rcx
fffff800`8317070c 488d0d0dc2e8ff  lea     rcx,[nt!ObTypeIndexTable (fffff800`82ffc920)]
fffff800`83170713 488b04c1        mov     rax,qword ptr [rcx+rax*8]
fffff800`83170717 c3              ret

C风格伪代码如下:

--------------------------------------------------------------------------
POBJECT_TYPE    ObTypeIndexTable[...];
unsigned char   ObHeaderCookie;

POBJECT_TYPE __stdcall ObGetObjectType ( POBJECT_BODY Object )
{
    POBJECT_HEADER  ObjectHeader;
    POBJECT_TYPE    ObjectType;
    unsigned char   TypeIndex;

    ObjectHeader    = OBJECT_TO_OBJECT_HEADER( Object );
    TypeIndex       = ObjectHeader->TypeIndex;
    TypeIndex       = ( ( ObjectHeader >> 8 ) & 0xff ) ^ TypeIndex ^ ObHeaderCookie;
    ObjectType      = ObTypeIndexTable[TypeIndex];
    return( ObjectType );
}
--------------------------------------------------------------------------

注意伪代码中对 ObjectHeader 的移位作用于对象头的地址值本身(对应反汇编中的 shr rax,8 与 movzx eax,al),即取地址的第二个字节;因此存放在头部的 TypeIndex 字段不能直接当作下标使用,需结合对象头地址和 ObHeaderCookie 还原。

用如下两组命令验证伪代码的正确性:

r $t0=poi(nt!IoFileObjectType)
r $t1=@$t0-@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))
r $t2=by(@$t1+@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, TypeIndex)))
r $t3=((@$t1 >> 8) & 0xff) ^ @$t2 ^ by(nt!ObHeaderCookie)
r @$t0, @$t1, @$t2, @$t3

r $t0=poi(nt!ObpTypeObjectType)
r $t1=@$t0-@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))
r $t2=by(@$t1+@@(#FIELD_OFFSET(nt!_OBJECT_HEADER, TypeIndex)))
r $t3=((@$t1 >> 8) & 0xff) ^ @$t2 ^ by(nt!ObHeaderCookie)
r @$t0, @$t1, @$t2, @$t3

最后的t3都应该等于2。