Recently I was reading the WRK and cross-checking it against windbg under XP SP2 (see for example here)
!handle 7c0 f 85608808
processor number 0, process 85608808
PROCESS 85608808 SessionId: 0 Cid: 06d4 Peb: 7ffda000 ParentCid: 07a0
DirBase: 1537a580 ObjectTable: e1172758 HandleCount: 19.
Image: pipes.exe
Handle table at e1153000 with 19 Entries in use
07c0: Object: 8559fcf0 GrantedAccess: 0012019f Entry: e1153f80
Object: 8559fcf0 Type: (867e9ca0) File
ObjectHeader: 8559fcd8 (old version)
HandleCount: 2 PointerCount: 4
Directory Object: 00000000 Name: \mynamedpipe {NamedPipe}
lkd> dt nt!_FILE_OBJECT 8559fcf0
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x85e2d7c0 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0xe29bcb99 <-- Ccb
+0x010 FsContext2 : 0x858041c8
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : 0x00000001
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40082
+0x030 FileName : _UNICODE_STRING "\mynamedpipe"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 1
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
In NpCreateCcb the Ccb size is given as 0x7C bytes:
e29bcb99 02 00 01 00 00 00 00 00 00 00 00 00 00 00 00 c0 ................
e29bcba9 bc 0d e3 c0 bc 0d e3 90 bc 0d e3 00 00 00 00 f0 ................
e29bcbb9 fc 59 85 00 00 00 00 00 00 00 00 c8 41 80 85 c8 .Y..........A...
e29bcbc9 cb 9b e2 c8 cb 9b e2 02 00 00 00 00 00 00 00 00 ................
e29bcbd9 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 e8 ................
e29bcbe9 cb 9b e2 e8 cb 9b e2 02 00 00 00 00 00 00 00 00 ................
e29bcbf9 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
e29bcc09 00 00 00 40 9f 56 85 40 9f 56 85 00 80
As we can see, there is a reference to FsContext2, but no reference to EPROCESS.
FsContext2 is 0x44 bytes in size:
858041c8 07 00 00 00 00 00 00 00 00 00 00 00 c0 f1 8e 85 ................
858041d8 d0 04 28 85 00 00 00 00 00 00 00 00 00 00 00 00 ..(.............
858041e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
858041f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
85804208 00 00 00 00 00
Here there are references neither to FsContext nor to EPROCESS.
Bottom line: although NpCommonCreateNamedPipe does call IoGetRequestorProcess, the PEPROCESS is not stored in the Ccb under XP SP2.
Update: I went to the trouble of digging W2K out of the dusty attic.
!handle 3d4 f 81542540
processor number 0
PROCESS 81542540 SessionId: 0 Cid: 039c Peb: 7ffdf000 ParentCid: 036c
DirBase: 07b3c000 ObjectTable: 81541768 TableSize: 12.
Image: pipes.exe
Handle Table at e203b000 with 12 Entries in use
03d4: Object: 8158d9e8 GrantedAccess: 0012019f
Object: 8158d9e8 Type: (818a5f40) File
ObjectHeader: 8158d9d0
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: \mynamedpipe {NamedPipe}
kd> dt nt!_FILE_OBJECT 8158d9e8
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x817ae470 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0xe1fd8a89
+0x010 FsContext2 : 0x81552828
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : 0x00000001
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40082
+0x030 FileName : _UNICODE_STRING "\mynamedpipe"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 1
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
e1fd8a89 04 d0 00 98 37 fa e1 98 37 fa e1 68 37 fa e1 00 ....7...7..h7...
e1fd8a99 00 00 00 e8 d9 58 81 00 00 00 00 00 00 00 00 00 .....X..........
e1fd8aa9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e1fd8ab9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e1fd8ac9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e1fd8ad9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ...............(
e1fd8ae9 28 55 81 00 00 00 00 02 00 00 00 00 00 00 00 01 (U..............
e1fd8af9 00 00 00 00 00 00 00 00 00 00 00 40 25 54 81
So under the ancient W2K everything needed is in the Ccb, but in XP (and, tellingly, in the 64-bit one too) it is no longer there. Rage!!!
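To make the comparison above mechanical rather than eyeballed, here is an added Python example (not from the post and not WRK code): it reassembles the two `db` dumps of the Ccb quoted above and scans them at every byte offset for the little-endian values of the FILE_OBJECT, FsContext2 and EPROCESS addresses taken from the post. The only assumption is that the input follows the windbg `db` row layout (address, up to 16 hex bytes, optional ASCII column).

```python
import re, struct
from itertools import takewhile

# Ccb dumps copied from the post: windbg "db" rows (address, up to 16 hex bytes, optional ASCII column).
CCB_XP_SP2 = """
e29bcb99 02 00 01 00 00 00 00 00 00 00 00 00 00 00 00 c0 ................
e29bcba9 bc 0d e3 c0 bc 0d e3 90 bc 0d e3 00 00 00 00 f0 ................
e29bcbb9 fc 59 85 00 00 00 00 00 00 00 00 c8 41 80 85 c8 .Y..........A...
e29bcbc9 cb 9b e2 c8 cb 9b e2 02 00 00 00 00 00 00 00 00 ................
e29bcbd9 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 e8 ................
e29bcbe9 cb 9b e2 e8 cb 9b e2 02 00 00 00 00 00 00 00 00 ................
e29bcbf9 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
e29bcc09 00 00 00 40 9f 56 85 40 9f 56 85 00 80
"""
CCB_W2K = """
e1fd8a89 04 d0 00 98 37 fa e1 98 37 fa e1 68 37 fa e1 00 ....7...7..h7...
e1fd8a99 00 00 00 e8 d9 58 81 00 00 00 00 00 00 00 00 00 .....X..........
e1fd8aa9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e1fd8ab9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e1fd8ac9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e1fd8ad9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ...............(
e1fd8ae9 28 55 81 00 00 00 00 02 00 00 00 00 00 00 00 01 (U..............
e1fd8af9 00 00 00 00 00 00 00 00 00 00 00 40 25 54 81
"""

def parse_db_dump(text):
    """Reassemble 'db' output into (base_address, bytes); rows must be contiguous."""
    base, expect, buf = None, None, bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-fA-F]{8}", tokens[0]):
            continue  # prompts, headers, blank lines
        addr = int(tokens[0], 16)
        # Bytes run until the first token that is not a hex pair (the ASCII column), at most 16 per row.
        row = bytes(int(t, 16) for t in takewhile(lambda t: re.fullmatch(r"[0-9a-fA-F]{2}", t), tokens[1:17]))
        if base is None:
            base = addr
        elif addr != expect:
            raise ValueError(f"non-contiguous dump: {addr:08x} follows {expect:08x}")
        buf += row
        expect = addr + len(row)
    return base, bytes(buf)

def find_pointers(base, data, targets):
    """Addresses where each target occurs as a little-endian DWORD, at any byte offset (the Ccb was dumped from an odd address)."""
    hits = {}
    for name, value in targets.items():
        needle = b"(?=" + re.escape(struct.pack("<I", value)) + b")"  # lookahead: overlapping hits too
        hits[name] = [base + m.start() for m in re.finditer(needle, data)]
    return hits
```

Running it over the XP SP2 dump finds the FILE_OBJECT and FsContext2 pointers but no EPROCESS, while the W2K dump ends with the EPROCESS pointer, which is exactly the difference the post describes.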