PowerPoint Presentation - PDF Free Download

列 Kernel Objects Windows Kernel Object 來理行行

What is a Kernel Object? The data structure maintains information about the object Process Object: 錄了 PID, priority, exit code File Object: 錄了 byte offset, sharing mode, open mode Ex: Open for writing or Open for reading A memory block allocated by kernel and accessible only by the kernel application kernel object 料

How to access these kernel objects? CreateFileMapping( ) CreateThread( ) CrateFile( ) 立 kernel object Handle ex HANDLE hfile; hfile = CreateFile("myfile.txt", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - We use the handle to manipulate the kernel object - The kernel object handle is process relative kernel object 不 Process 不

Usage Counting Usage count 1 5 0 deleted Process A CreateFileMapping( ) 3 kernel Process B CreateFileMapping( ) Process C CreateFileMapping( )

Security Kernel Object can be protected with a security descriptor, which decrypts Who create the object Who can gain access to or use the object Who is denied access Usually used when writing server applications

Security Almost all function that create kernel object need ex HANDLE CreateFileMapping( HANDLE hfile, PSECURITY_ATTRIBUTES psa, DWORD flprotect, DWORD dwmaximumsizeheight, DWORD dwmaximumsizelow, PCTSTR pszname); SECURITY_ATTRIBUTES structure NULL (default security) Full access only for 1. administrator group 2. Creator

Access to an existing kernel object access right FileMapping handle HANDLE hfilemapping=openfilemapping(file_map_read, FALSE MyFileMapping ); READ op 讀 File-Mapping Security check fail Return:NULL ok Valid handle

Example: Read the registry HKEY hkey; LONG lret; lret = RegOpenKeyEx( HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Office", 0, KEY_QUERY_VALUE, &hkey ); if( lret == ERROR_SUCCESS ) MessageBox(NULL,"You have Office software","ok",mb_ok); else MessageBox(NULL,"fail","fail",MB_OK); RegCloseKey( hkey ); key security descriptor, user 例 : OperRegstryDemo

Kernel object Object object 滑 Kernel Object object? 立, Security attribute 參數, GDI User Object security attribute 例 : : CreateIcon CreateIcon HICON CreateIcon( HINSTANCE hinst, int nwidth, int nheight, BYTE cplanes, BYTE cbitspixel, CONST BYTE *pbandbits, CONST BYTE *pbxorbits);

Kernel Object? Process Kernel Object Handle Table : 來理 Kernel Kernel Object Object 列 Index Pointer to Kernel Access Mask Flags 1 0xF0000000 0x???? 0x???????

立 Kernel Object, 1 Process Object Handle Handle Table Table 行 2 Process Thread 立了 kernel object 1. 1. Kernel Kernel kernel object object 2. 2. Process Process Handle Table Table 3. 3. Handle Table Table 立 kernel object HANDLE CreateThread ( ) HANDLE CreateFile( ) HANDLE CreateFileMapping( ) HANDLE CreateSemaphore( ) HANDLE,, Handle Table Table process thread

kernel object 不 : GetLastError() == ERROR_INVALID_ HANDLE 例 function HANDLE 數 BOOL WriteFile( HANDLE hfile, LPCVOID lpbuffer, DWORD nnumberofbytestowrite, LPDWORD lpnumberofbyteswritten, LPOVERLAPPED lpoverlapped ); Step 1 Step 2 Handle 利 HANDLE HANDLE HANDLE HANDLE TABLE TABLE kernel Object Object Step 3 理 Object Object 料行

立 kernel object NULL FUNCTION -1 (INVALID_HANDLE_VALUE ) : : : HANDLE hmutex = CreateMutex(...); CreateMutex CreateMutex, NULL if (hmutex = = INVALID_HANDLE_VALUE) { } : HANDLE hfile = CreateFile(...); if (hfile = = NULL) { : // We will never execute this code because CreateFile : // returns INVALID_HANDLE_VALUE(-1) if it fails. CreateFile CreateFile, -1-1 }

不 kernel object CloseHandle BOOL CloseHandle(HANDLE hobj); CloseHandle 不 Memory Leak? : process terminated process resource Step 1 Handle Step 2 行 Handle Table Table Kernel Object Object Step 3 不, CloseHandle FALSE kernel object object Usage Usage count count 若 = 00 kernel object object Step 4 Handle Handle Table Table entry

說 Sharing Kernel Objects Across Process, kernel object thread Handle Handle, process 不 kernel object 1. 不 processes 料 MemoryMapFile MemoryMapFile 2. 不 process, 料 Mailslots Mailslots & named named piples piples 3. 不 processes thread 理行 Mutexes, Mutexes, semaphores, semaphores, and and events events

Object Handle Inheritance -- parent parent-child kernel object handle Parent Parent Process Process Spawn Child Child Process Process Kernel Kernel Objects Objects security security 立,, Object I am a inheritable mutex object SECURITY_ATTRIBUTES sa; sa.nlength=sizeof(sa); sa.lpsecuritydescriptor=null; sa.binherithandle=true; HANDLE hmutex=createmutex(&sa, FALSE, NULL); Can I access? SECURITY_ATTRIBUTES that the object handle should be inheritable!

說 The process s s handle table entry 列 Index Pointer to Kernel 1 0xF0000000 2 0x00000000 3 0xF0000010 Process handle table Access Mask 0x???? (N/A) 0x???? Flags 0x00000000 ( inheritance ) (N/A) 0x00000001 ( Handle child process ) 立 Mutex security security HANDLE hmutex1=createmutex(null, FALSE, FALSE, NULL); NULL); security security : : SECURITY_ATTRIBUTES sa; sa.nlength=sizeof(sa); sa.lpsecuritydescriptor=null; sa.binherithandle=true; HANDLE hmutex2=createmutex(&sa FALSE, NULL) 立 Mutex

Two Steps process process security security : : process process BOOL BOOL CreateProcess( LPCTSTR lpapplicationname, LPTSTR lpcommandline, LPSECURITY_ATTRIBUTES lpprocessattributes, Make Make your your object object LPSECURITY_ATTRIBUTES lpthreadattributes, to to inheritance BOOL BOOLbInheritHandles, DWORD dwcreationflags, LPVOID lpenvironment, Let Let your your child child LPCTSTR lpcurrentdirectory, process process to to inherit inheritall all LPSTARTUPINFO lpstartupinfo, inheritable handles handles LPPROCESS_INFORMATION lpprocessinformation); thread thread security security binherithandles FALSE: FALSE: 不 child child process process parent parent kernel kernel object object TRUE: TRUE: child process parent parent inheritable kernel kernel objects objects

How about the child process s s handle table? Parent Parent Process Process Spawn Index Pointer to Kernel 1 0xF0000000 inheritable inheritable 2 0x00000000 3 0xF0000010 Access Mask 0x???? (N/A) 0x???? Flags 0x00000000( inheritance ) (N/A) 0x00000001 ( Handle child process ) Parent s handle table Child Child Process Process Index Pointer to Kernel 1 0x00000000 2 0x00000000 Access Mask (N/A) (N/A) Flags (N/A) (N/A) child child process process (: (: Index Index 3 0xF0000010 0x???? 0x00000001 Child s handle table

例例行流行流 Parent Parent 立 Event Kernel Object 立 Child Process Event Object Child Object handle Event Signal 行 Step 1: 立 Step 2: Command line 串 HANDLE Child Child Step 3: 利 HANDLE Kernel Object signal Step 4: Kernel Object Handle Table 欄 CloseHandle(hsecondHandle);

#include "stdafx.h" #include <windows.h> #include <iostream> using namespace std; Child Child Child // Step 1: 立 int _tmain(int argc, _TCHAR* argv[]) { HANDLE void*, %p %p // Step 2: Command line 串 HANDLE HANDLE hsecondhandle=null; sscanf(argv[0],"%p",&hsecondhandle); // Step 3: 利 HANDLE Kernel Object signal BOOL bsuccess=setevent(hsecondhandle); if(bsuccess) cout <<" parent handle"<<endl; else cout <<""<< endl; 行行,, 行 } // Step 4: Kernel Object Handle Table 欄 CloseHandle(hsecondHandle); return 0;

void main(){ // Step 1: 立 Kernel Object ( Event ) SECURITY_ATTRIBUTES sa; sa.nlength = sizeof(sa); sa.lpsecuritydescriptor = NULL; sa.binherithandle = TRUE; // << -- HANDLE hmyevent=createevent(&sa,true,false,null); // Step 2: Kernel Object HANDLE 串 char buffer[200]; sprintf( buffer,"%p",hmyevent); // Step 3: 立 Child process HANDLE 串 CommandLine // Child CreateProcess( ); // Step 4: Child process 利 HANDLE Kernel Object signal WaitForSingleObject(hmyEvent, INFINITE ); } CloseHandle( pi.hprocess ); CloseHandle( pi.hthread ); CloseHandle(hmyEvent); return 0; Parent Parent () () Childe 行 SetEvent SetEvent

Named Object Sharing kernel object Not all kernel object can be named Functions HANDLE CreateMutex( PCTSTR pszname) Description HANDLE CreateEvent( PCTSTR pszname) HANDLE CreateSemaphore( PCTSTR pszname) HANDLE CreateWaitableTimer( PCTSTR pszname) HANDLE CreateFileMapping( PCTSTR pszname) Waitable_TimerDemo.txt HANDLE CreateJob( PCTSTR pszname)

說 How to sharing a object Process A HANDLE hmutexprocessa=createmutex(null,false, JeffMutex );,, process B thread thread 立 object Process B HANDLE hmutexprocessa=createmutex(null,false, JeffMutex ); kernel Object Object Name Name kernel Object Object Type fail NULL Yes 1. Handle Table 2. Point to the existing kernel object 3. Increase the usage count

, 不 share 了? : : parent child,? SetHandleInformation( ) kernel object object SetHandleInformation(hobj, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT SetHandleInformation(hobj, HANDLE_FLAG_INHERIT, 0 不

說 Kernel Object Close? : process 立 process, close Handle Handle process process process process Handle 行不 SetHandleInformation(hobj, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE ) CloseHandle(hobj); 不,, exception, process 行 SetHandleInformation(hobj, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0 ) CloseHandle

object? GetHandleInformation 例 Handle 料 DWORD dwflags; GetHandleInformation (hobj, &dwflags); BOOL fhandleisinheritable = (0!= (dwflags & HANDLE_FLAG_INHERIT)); 若 dwflags dwflags bit bit 欄 =1 =1 11 00 0, TRUE

Prevent multiple instances named kernel object #include "stdafx.h" #include <windows.h> int _tmain(int argc, _TCHAR* argv[]) 立 Baby Baby kernel object object { HANDLE h = CreateEvent(NULL,FALSE,FALSE,"Baby"); } if (GetLastError( )==ERROR_ALREADY_EXISTS) { MessageBox(NULL," 行 ","Error",MB_OK); return(0); } getchar(); // Before exiting, close the object. CloseHandle(h); return(0); 立兩 kernel object,

Baby? Universally Universally Unique Unique Identifier Identifier (UUID) (UUID) VS UUIDGEN.EXE GUID(Globally Unique Identifier) 來 GUID HANDLE h = CreateEvent(NULL,FALSE,FALSE, "d00fead7-d497-4765-a5ef-3d10f9d23023");

End UUIDGEN.EXE VC tool, CoCreateGuid 參例例 : http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample/html /_sample_mfc_guidgen.asp