JIURL play Win2k process thread of articles HANDLE_TABLE: JIURL Home: http://jiurl.yeah.net Date: 2003-7-30
The struct handle_table * ObjectTable at the EPROCESS offset 128 in Win2K Build 2195 is the pointer to the process handle_table structure. Through a process of Handle_Table structure, we can find all objects that this process open. The various handles we have obtained in the program are the index of the object in the handle. For example, open a file in the program, which is a handle. Next, this file is followed by this handle. The handle is the index of the file object in the handle table. With the handle, you can find the pointer to the corresponding file object in the handle table. The file object can be performed accordingly. Through EPRocess 128 Struct Handle_Table * ObjectTable We can find a process-in-handle_table structure, 08 struct _handle_table_entry *** table with the Handle_Table structure we can find the handle table of this process. The pointer to all objects of the process is placed in this table. The handle is divided into three layers. The uppermost table is an array of size in size, with a total of 256 elements, and 4 bytes per element, each element is a pointer to the middle table. The middle table is also an array of 1kb, a total of 256 elements, 4 bytes per element, each element is a pointer to the lower table. The lower table is a Handle_Table_Entry array, the entire array size is 2KB, a total of 256 elements, 8 bytes per element, is a handle_table_entry, and the pointer to the object is saved in Handle_Table_Entry. One process has an upper table, one top table can have 256 middle layers. There can be up to 256 lower tables per medium table. Most lower tables can have a pointer to 256 objects. A handle is divided into three parts, making the index in these three tables, and the value of the lowest 10bit (bits0-9) is by 2, and the offset in the lower table is obtained. Bits10-17 This 8bit, the index of the middle table, multiplied by 4 to the offset in the middle table. Bits18-25 This 8bit, a high-level design index, multiplied by 4 to the offset in the high-level table. For a handle, we can finally find the corresponding handle_table_entry in a lower table. The Handle_Table_Entry size is 8 bytes, composed of 2 32 bit. If the first 32 bit value is not 0, then the first 32bit can be converted into a pointer to the object head. Since the object head is always 32bit alignment, the low 3bit of a pointer of an object is always 0. So Handle_Table_Entry The first 32bit low 3bit is used as a logo. Since all objects are in the system address space (0x80000000-0xffffffff), the highest bit of a pointer of an object head is always 1. So Handle_Table_Entry The first 32bit is also used as a sign. When we convert a Handle_Table_Entry to the pointer to the object header, we need to set the low 3 bit to 0, and the highest bit is set to 1. The object pointer always refers to the pointer of the object, since the object head is 0x18 bytes before the object header, so the object pointer is equal to the object head pointer plus 0x18.
HANDLE_TABLE structure is defined as in Win2k Build 2195 in kd>! Strct HANDLE_TABLE! Strct HANDLE_TABLEstruct _HANDLE_TABLE (sizeof = 108) 00 uint32 Flags 04 int32 HandleCount 08 struct _HANDLE_TABLE_ENTRY *** Table 0c struct _EPROCESS * QuotaProcess 10 void * UniqueProcessId 14 int32 FirstFreeTableEntry 18 int32 NextIndexNeedingPool 1c struct _ERESOURCE HandleTableLock 1c struct _LIST_ENTRY SystemResourcesList 1c struct _LIST_ENTRY * Flink 20 struct _LIST_ENTRY * Blink 24 struct _OWNER_ENTRY * OwnerTable 28 int16 ActiveCount 2a uint16 Flag 2c struct _KSEMAPHORE * SharedWaiters 30 struct _KEVENT * ExclusiveWaiters 34 struct _OWNER_ENTRY OwnerThreads [2] uint32 OwnerThreadint32 OwnerCountuint32 TableSize 44 uint32 ContentionCount 48 uint16 NumberOfSharedWaiters 4a uint16 NumberOfExclusiveWaiters 4c void * Address 4c uint32 CreatorBackTraceIndex 50 uint32 SpinLock 54 struct _LIST_ENTRY HandleTableList 54 Struct _List_ENTRY * FLINK 58 STRUCT _LIST_ENTRY * Blink 5C Struct_Kevent HandleContentionEvent 5c struct _dispatcher_he ADER Header 5c byte Type 5d byte Absolute 5e byte Size 5f byte Inserted 60 int32 SignalState 64 struct _LIST_ENTRY WaitListHead 64 struct _LIST_ENTRY * Flink 68 struct _LIST_ENTRY * Blinkkd>! Strct HANDLE_TABLE_ENTRY! Strct HANDLE_TABLE_ENTRYstruct _HANDLE_TABLE_ENTRY (sizeof = 8) 0 void * Object 0 uint32 Obattributes 4 UINT32 GRANTEDACCESS 4 UINT16 GRANTEDACCESSDEEX 6 UINT16 CREATORBACKTRACEX 4 INT32 NEXTFREETABERTRY Below we use KD to explain KD>
! Process 0 0 process 0 0 **** NT ACTIVE PROCESS DUMP **** ... PROCESS 82592ae0 SessionId:! 0 Cid: 0254 Peb: 7ffdf000 ParentCid: 0240DirBase: 02611000 ObjectTable: 824e08e8 TableSize: 31.Image: internat. Exe ... // Let's take the process INTERNAT.EXE as an example, pay attention to ObjectTable: 824e08e8 tablesize: 31 // Use! Handle command, check the object KD>! Handle 0 3 254 in the process of PID 254 handle 0 3 254processor number 0Searching for Process with Cid == 254PROCESS 82592ae0 SessionId: 0 Cid: 0254 Peb: 7ffdf000 ParentCid: 0240DirBase: 02611000 ObjectTable: 824e08e8 TableSize: 31.Image: internat.exeHandle Table at e3073000 with 31 Entries in use0004: Object : e13d7c10 GrantedAccess: 000f001fObject: e13d7c10 Type: (8141b760) SectionObjectHeader: e13d7bf8HandleCount: 1 PointerCount: 10008: Object: 8236a400 GrantedAccess: 00100003Object: 8236a400 Type: (8141e460) EventObjectHeader: 8236a3e8HandleCount: 1 PointerCount: 1 ... 0044: Object: e139af20 GrantedAccess: 000f003fObject: E139AF20 TYPE: (8141B0C0) KeyObjectHeader: E139AF08HandLEcount: 1 Pointercount: 1D IRECTORY Object: 00000000 name: / registry / machine // process handle is an object of 0044, below we will find yourself to find the handle 44 object // Remember the name of the object Name: / registry / machine ... 00ac: Object: e3065800 GrantedAccess: 00020019Object: e3065800 Type: (8141b0c0) KeyObjectHeader: e30657e8HandleCount: 1 PointerCount: 1Directory Object: 00000000 Name: / REGISTRY / MACHINE / SYSTEM / ControlSet001 / Control / Nls / Language Groups // first, from the process of structural EPROCESS address obtained HANDLE_TABLE structure kd>! strct eprocess 82592ae0! strct eprocess 82592ae0struct _EPROCESS (sizeof = 648) ... 128 struct _HANDLE_TABLE * ObjectTable = 824E08E8 ... // from HANDLE_TABLE structure 08 struct _HANDLE_TABLE_ENTRY *** Table Find a handlek KD>
! Strct handle_table 824E08E8! Strct handle_table 824E08E8struct _HANDLE_TABLE (sizeof = 108) 00 uint32 Flags = 00000000 04 int32 HandleCount = 0000001f 08 struct _HANDLE_TABLE_ENTRY *** Table = E3073000 0c struct _EPROCESS * QuotaProcess = 82592AE0 10 void * UniqueProcessId = 00000254 14 int32 FirstFreeTableEntry = 00000021 18 int32 NextIndexNeedingPool = 00000100 ... 54 struct _LIST_ENTRY HandleTableList 54 struct _LIST_ENTRY * Flink = 835CC9DC 58 struct _LIST_ENTRY * Blink = 8105449C 5c struct _KEVENT HandleContentionEvent ... 68 struct _LIST_ENTRY * The upper table address of the Blink = 824E094 C is E3073000, now we start looking to find the object // handle 0x44 corresponding to the handle 0x44, the upper index, the value of BITS18-25 is 0, and the offset is 0 * 4. // The address of the corresponding medium-layer table is E3073400KD> DD E3073000 0 * 4 L 4DD E3073000 0 * 4 L 4E3073000 E3073400 0000000 0000000 0000000 // Handle 0x44, medium index, BITS10-17 value is 0, offset is 0 * 4. // The address of the corresponding lower table is E3073800KD> DD E3073400 0 * 4 L 4DD E3073400 0 * 4 L 4E3073400 E3073800 0000000 00000000 00000000 // handle 0x44, bits0-9 value is 0x44, Handle_Table_Entry in the lower table shift of 0x44 * 2kd> dd e3073800 44 * 2 l 8dd e3073800 44 * 2 l 8e3073888 6139af08 000f003f 62beecc8 000f003fe3073898 010e86b8 0002000f 010c9cf8 001f0003 we find the corresponding handle 0x44 HANDLE_TABLE_ENTRY, its first 32bit, value 6139af08, not air. We convert it to object pointers. / / Convert the pointer to the object head, set the low 3 bit to 0, and the highest bit is set to 1. // Due to the 6139AF08 low three, it is not set. The highest bit is not 1, by adding 80000000, set to 1.
kd> 80000000 6139af08 80000000 6139af08Evaluate expression:?? -516313336 = e139af08 // pointer to the object is a pointer to the object body, the object is equal to the head pointer is incremented 0x18kd> e139af08 18 e139af08 18Evaluate expression:?? -516313312 = e139af20 object obtained Pointer E139AF20 // Use! Object command to analyze the object. ! Kd> object e139af20 object e139af20Object:! E139af20 Type: (8141b0c0) KeyObjectHeader: e139af08HandleCount: 1 PointerCount: 1Directory Object: 00000000 Name:! / REGISTRY / MACHINE you can see that this object is in front of the object using the handle command, see . Through the handle 0x44 we found the corresponding object. The memory consumed by the handle is not more than approximately 256 objects open objects, and the system only assigns an upper table for the handle table, the size is 1KB. A middle table, size is 1KB. One lower table, size is 2KB. It is exactly in the same physical page. When the object opens more than approximately 256, the system will reassign 2 lower tables, placed in the same physical page, and fill the address of these two lower tables, which can be stored approximately 256 * 3 = Object head pointer for 768 objects. In most cases, this is enough. So in most cases, the process's handle table consumes a physical memory of 4K (open object does not exceed about 256 times) or 8K (open object does not exceed about 768 times).
Let's take a look at the case where the slice table of the handle of the process INTERNAT.EXE is E3073000. The upper layer table address is the first medium table address of E3073400, the first term of the upper layer table corresponding to the first term corresponding to the lower layer table address e3073800 It is on the same page, we show the entire contents of this page kd> dd e3073000 l 400dd e3073000 l 400e3073000 e3073400 00000000 00000000 00000000e3073010 00000000 00000000 00000000 00000000 ... e30733f0 00000000 00000000 00000000 00000000e3073400 e3073800 00000000 00000000 00000000e3073410 00000000 00000000 00000000 00000000 ... e30737e0 00000000 00000000 00000000 00000000e30737f0 00000000 00000000 00000000 00000000e3073800 00000000 00000001 613d7bf8 000f001fe3073810 0236a3e8 00100003 01092948 00100003e3073820 02244748 00100003 010f5f18 00000003e3073830 0132a7b2 00100020 010f6878 000f000fe3073840 021fb2a8 00100003 613b3e19 001f0001e3073850 010e84c8 00000001 61390498 000f001fe3073860 0108a529 001f0003 010c9220 000f037fe3073870 010c3dc0 000f01ff 010c9220 000f037fe3073880 02469968 00100003 6139af08 000f003FE3073890 62Beecc8 000f003F 010E86B8 0002000FE30738A0 010C9CF8 001F0003 02469D28 001F0003E30738B0 02469CE8 001F0001 02469CA8 001f0003e30738c0 02469c68 001f0001 61371d88 000f003fe30738d0 6139a508 000f003f 63418e08 000f003fe30738e0 00000000 0000002c 613d20c8 000f0007e30738f0 00000000 0000001c 00000000 00000020e3073900 00000000 00000023 00000000 00000022e3073910 00000000 00000025 00000000 00000024e3073920 00000000 0000001e 00000000 00000026e3073930 00000000 00000027 00000000 00000028e3073940 00000000 0000001f 613c75c8 00020019e3073950 61325c28 00020019 630657e8 00020019e3073960 00000000 0000002d 00000000 0000002e ... e3073fe0 00000000 000000FD 00000000 0000000000000000000000000000000000 fffffffffFFFFFFFFHANDLE_TABLE Chain In Win2K Build 2195, all processes (including IDLE processes) have passed by Handle_Table Structures
The List_Entry HandletAblelist chain at 54 is together. 54 STRUCT_ENTRY HANDLETABLIST 54 STRUCT _LIST_ENTRY * FLINK 58 STRUCT _LIST_ENTRY * BLINK You can find this chain through the global variable handletableListhead. For Win2k Build 2195, the HandletAbleListhead address is 8046A140, which begins to be a list_entry structure. There is also a special Handle_Table in Win2k, which can be called kernelHandletable. It does not belong to any process, and the List_Table HandletAblelist chain at the Handle_Table structure 54 is on the Handle_Table chain. It can be found through global variables OBPkernelHandletable. For Win2K Build 2195, the OBPkernelHandletable address is 8046A694, is a pointer to the Handle_Table structure. There is also a special handle_table in the process thread Handle_Table Win2k, which can be called PSPCIDTable. In this handle_table's handle, the pointer to all processes and thread objects is saved. PID (Process ID) and ThreadID (thread ID) are indexes in this handle table. This handle_table does not belong to any process, and there is no chain on the Handle_Table chain. The global variable pspcidtable is a pointer to this Handle_Table. This handle_table has a little different from other handle_table, which is the first 32bit in its handle_table_entry. The object pointer (of course, it is necessary to convert) instead of the object head pointer (the object pointer is the object pointer).
Here we see a practical example is HANDLE_TABLE // PspCidTable address kd> dd PspCidTable l 1dd PspCidTable l 180469a28 81452228kd>! Strct HANDLE_TABLE 81452228! Strct HANDLE_TABLE 81452228struct _HANDLE_TABLE (sizeof = 108) 00 uint32 Flags = 00000000 04 int32 HandleCount = 000000d1 08 struct _HANDLE_TABLE_ENTRY *** Table = E1004000 0c struct _EPROCESS * QuotaProcess = 00000000 10 void * UniqueProcessId = 00000000 14 int32 FirstFreeTableEntry = 0000008a 18 int32 NextIndexNeedingPool = 00000100 1c struct _ERESOURCE HandleTableLock 1c struct _LIST_ENTRY SystemResourcesList 1c struct _LIST_ENTRY * Flink = 80480020 20 struct _LIST_ENTRY * Blink = 814522E0 24 struct _OWNER_ENTRY * OwnerTable = 00000000 28 int16 ActiveCount = 0000 2a uint16 Flag = 0000 2c struct _KSEMAPHORE * SharedWaiters = 00000000 30 struct _KEVENT * ExclusiveWaiters = 00000000 34 struct _OWNER_ENTRY OwnerThreads [2] 34 OwnerThreads [0] 34 uint32 OwnerThread = 00000000 38 int32 OwnerCount = 00000000 38 uint32 TableSize = 00000000 3c OwnerThreads [1] 3c uint32 Ow nerThread = 00000000 40 int32 OwnerCount = 00000000 40 uint32 TableSize = 00000000 44 uint32 ContentionCount = 00000000 48 uint16 NumberOfSharedWaiters = 0000 4a uint16 NumberOfExclusiveWaiters = 0000 4c void * Address = 00000000 4c uint32 CreatorBackTraceIndex = 00000000 50 uint32 SpinLock = 00000000 54 struct _List_entry handletables 54 struct _List_ENTRY * FLINK = 8145227C 58 STRUCT _LIST_ENTRY * BLINK = 8145227C 5C Struct_kevent HandleContentionEvent
5c struct _DISPATCHER_HEADER Header 5c byte Type = 00. 5d byte Absolute = 00. 5e byte Size = 04. 5f byte Inserted = 00. 60 int32 SignalState = 00000000 64 struct _LIST_ENTRY WaitListHead 64 struct _LIST_ENTRY * Flink = 8145228c 68 struct _list_entry * blink = 8145228C // Handle table upper table address is E1004000 // 0th medium table address is E1004400KD> DD E1004000 L 4DD E1004000 L 4E1004000 E1004400 00000000 0000000 0000000 0000000 聽 00000 0000000 000 聽 02 0 lower table address is E1004800KD> DD E1004400 L 4DD E1004400 L 4E1004400 E1004800 0000000 0000000 0000000 // The contents of the 0th lower table of the 0 middle table 0 KD>
dd E1004800 l 200dd E1004800 l 200e1004800 00000000 00000001 0141eda0 00000000e1004810 0141e020 00000000 0141e7c0 00000000e1004820 0141e540 00000000 0141d020 00000000e1004830 0141dda0 00000000 0141db20 00000000e1004840 0141d8a0 00000000 0141d620 00000000e1004850 0141d3a0 00000000 0141c020 00000000e1004860 0141cda0 00000000 0141b4c0 00000000e1004870 0141b240 00000000 0141a020 00000000e1004880 0141ada0 00000000 0141a660 00000000e1004890 0141a3e0 00000000 01411020 00000000e10048a0 013f7240 00000000 013d1b80 00000000e10048b0 01421660 00000000 01350c20 00000000e10048c0 012a7b20 00000000 011017c0 00000000e10048d0 012a78a0 00000000 012663a0 00000000e10048e0 0114cda0 00000000 01101540 00000000e10048f0 011012c0 00000000 010fc020 00000000e1004900 02000000 00000000 010f7a60 00000000e1004910 010f7340 00000000 010f7760 00000000e1004920 010f6c00 00000000 010f6960 00000000e1004930 010e9860 00000000 010e9b00 00000000e1004940 010e9520 00000000 010cb020 00000000e1004950 010e8020 00000000 010ce220 000000 00e1004960 010cc020 00000000 010ccce0 00000000e1004970 010cc9a0 00000000 010cc660 00000000e1004980 010ca020 00000000 010c2020 00000000e1004990 010c2b00 00000000 010c3340 00000000e10049a0 010c1020 00000000 01089700 00000000e10049b0 010c19c0 00000000 010c12c0 00000000e10049c0 02000000 00000000 010bf020 00000000e10049d0 010bd580 00000000 010bb980 00000000e10049e0 010bb2c0 00000000 010ba420 00000000e10049f0 010b9020 00000000 010b9d60 00000000e1004a00 039beae0 00000000 010b8c00 00000000e1004a10 01099020 00000000 010ae180 00000000e1004a20 010ac020 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 010A9D40 00000000000000000000000000000000000000 010A9D40 00000000000 010A9D40 0000000
0e1004a70 010a8740 00000000 06b02020 00000000e1004a80 02000000 00000000 00000000 000000b0e1004a90 010a5da0 00000000 010a4020 00000000e1004aa0 010a7b20 00000000 010a5b20 00000000e1004ab0 010a46e0 00000000 010a2d00 00000000e1004ac0 010a2a80 00000000 04859da0 00000000e1004ad0 0109f020 00000000 010a3900 00000000e1004ae0 0109e020 00000000 010a6d20 00000000e1004af0 0109c360 00000000 03518580 00000000e1004b00 01099da0 00000000 01097020 00000000e1004b10 010926c0 00000000 01092940 00000000e1004b20 03425c20 00000000 010915c0 00000000e1004b30 0108dc00 00000000 034aa860 00000000e1004b40 0108a020 00000000 0108cd00 00000000e1004b50 0108c020 00000000 0108b6c0 00000000e1004b60 01089020 00000000 0484e020 00000000e1004b70 047d6480 00000000 07b3f700 00000000e1004b80 01086020 00000000 05b1b020 00000000e1004b90 039bed60 00000000 05938cc0 00000000e1004ba0 01065940 00000000 01063580 00000000e1004bb0 0105cca0 00000000 0105a980 00000000e1004bc0 01059580 00000000 0105a320 00000000e1004bd0 043c2020 00000000 0105 6280 00000000e1004be0 047f8560 00000000 0639c1c0 00000000e1004bf0 03555340 00000000 02151940 00000000e1004c00 010555a0 00000000 01055820 00000000e1004c10 0104a700 00000000 01052b80 00000000e1004c20 05b9b480 00000000 0689f020 00000000e1004c30 01045a20 00000000 01042c20 00000000e1004c40 0767d800 00000000 069c3020 00000000e1004c50 0767d020 00000000 035007e0 00000000e1004c60 021a2680 00000000 022d6ac0 00000000e1004c70 01fac020 00000000 01089da0 00000000e1004c80 022fd020 00000000 022fdda0 00000000e1004c90 022fd320 00000000 022fd6e0 00000000e1004ca0 0243BDA0 00000000E1004CB0 05938A40 00000000 027E4460 000,000000000000000 01C15860 000000000E1004CD0 0786D020 00000000 02B83560 00000000E1004CE0 02C305E0 0000000000 0349E3
e0 00000000e1004cf0 02daf020 00000000 02e0c740 00000000e1004d00 02def020 00000000 02ded760 00000000e1004d10 02eb9b20 00000000 02eb98a0 00000000e1004d20 010a3120 00000000 03309020 00000000e1004d30 06d00020 00000000 047fb7e0 00000000e1004d40 010cdaa0 00000000 0323c400 00000000e1004d50 019a5900 00000000 048217a0 00000000e1004d60 0489e2e0 00000000 02000000 00000000e1004d70 038fada0 00000000 01c153c0 00000000e1004d80 00000000 000000b8 0639cda0 00000000e1004d90 008bcda0 00000000 07a5d740 00000000e1004da0 0344c020 00000000 00000000 000000dee1004db0 02389380 00000000 0108a8e0 00000000e1004dc0 00000000 000000d0 03375020 00000000e1004dd0 034aace0 00000000 0767d300 00000000e1004de0 04029900 00000000 0712fda0 00000000e1004df0 06a594c0 00000000 01079da0 00000000e1004e00 035a4d60 00000000 04977340 00000000e1004e10 0786d600 00000000 009c46c0 00000000e1004e20 01eefbc0 00000000 03210520 00000000e1004e30 0788c020 00000000 035c3da0 00000000e1004e40 02000000 00000000 06b8db60 00000000e1004e50 0492dc80 000 00000 063eada0 00000000e1004e60 00000000 000000da 035a43e0 00000000e1004e70 034e0020 00000000 019a5020 00000000e1004e80 00000000 000000cc 02eb9620 00000000e1004e90 034e03a0 00000000 04fdf4a0 00000000e1004ea0 0349f980 00000000 04a4ec20 00000000e1004eb0 00000000 000000e0 049e9020 00000000e1004ec0 00000000 000000d6 01055020 00000000e1004ed0 00000000 00000046 04029b80 00000000e1004ee0 00000000 000000df 00000000 000000dce1004ef0 00000000 000000d8 00000000 000000e1e1004f00 00000000 000000dd 00000000 000000e2e1004f10 00000000 000000e3 00000000 00000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004F60 00000000 00000
0ed 00000000 000000eee1004f70 00000000 000000ef 00000000 000000f0e1004f80 00000000 000000f1 00000000 000000f2e1004f90 00000000 000000f3 00000000 000000f4e1004fa0 00000000 000000f5 00000000 000000f6e1004fb0 00000000 000000f7 00000000 000000f8e1004fc0 00000000 000000f9 00000000 000000fae1004fd0 00000000 000000fb 00000000 000000fce1004fe0 00000000 000000fd 00000000 000000fee1004ff0 00000000 000000ff 00000000 ffffffff // PID of the process is for the 0x8 process kd System !> process 8 0 process 8 0Searching for Process with Cid == 8PROCESS 8141e020 SessionId:! 0 Cid: 0008 Peb: 00000000 ParentCid: 0000DirBase: 00030000 ObjectTable: 81452a68 TableSize: 108.Image: System Here we are looking for an object corresponding to 0x8 / / PID is 0x8.0x8 The upper table index is 0, the middle table index is 0x8 * 2 in the 0 // lower layer table. So the 0x8 corresponds to the Handle_Table_Entry address of E1004800 8 * 2. KD> DD E1004800 8 * 2 L 2DD E1004800 8 * 2 L 2E1004810 0141E020 00000000 // Handle_Table_ENTRY in the first 32bit is not available. // Convert the first 32bit of Handle_Table_Entry to the object pointer. // The lower 3bit itself is 0, and the highest bit is set to 1. KD>? 0141E020 80000000? 0141E020 80000000EVALUATE Expression: -2126389216 = 8141E020 // Note that the converted here is directly the object pointer (object pointer). // get information kd command with the object of this object> object 8141e020 object 8141e020Object:!!! 8141e020 Type: (814524e0) ProcessObjectHeader: 8141e008HandleCount: 2 PointerCount: 36 // object of type process, we can use this command to get the process! process information kd> process 8141e020 0 process 8141e020 0PROCESS 8141e020 SessionId:!! 0 Cid: 0008 Peb: 00000000 ParentCid: 0000DirBase: 00030000 ObjectTable: 81452a68 TableSize: 108.Image: System process information is displayed for the System process PID 8. We found the PID process object by PID in PSPCIDTable. We can calculate the handle value of the handle_table_entry at address E1004808 is 0x4. We look at whether the handle value (PID or ThreadID) of the object of Handle_Table_entry at E1004808 is 0x4. / / Convert to Object Pointer KD>? 0141eda0 80000000? 0141eda0 80000000EVALUATE E
