#define ObReferenceObject(Object) ObfReferenceObject(Object)LONG_PTR
FASTCALL
ObfReferenceObject (
__in PVOID Object
)
/*++
Routine Description:
This function increments the reference count for an object.
N.B. This function should be used to increment the reference count
when the accessing mode is kernel or the objct type is known.
Arguments:
Object - Supplies a pointer to the object whose reference count is
incremented.
Return Value:
None.
--*/
{
POBJECT_HEADER ObjectHeader;
LONG_PTR RetVal;
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
RetVal = ObpIncrPointerCount( ObjectHeader );
ASSERT (RetVal != 1);
return RetVal;
}爲什麼要有這句話
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );#define OBJECT_TO_OBJECT_HEADER( o ) \
CONTAINING_RECORD( (o), OBJECT_HEADER, Body )關於CONTAINING_RECORD 這個宏的推導
//
// Calculate the address of the base of the structure given its type, and an
// address of a field within the structure.
//
#define CONTAINING_RECORD(address, type, field) ((type *)( \
(PCHAR)(address) - \
(ULONG_PTR)(&((type *)0)->field)))有一篇文章介紹的很清楚
這應該是原文地址吧 《我對CONTAINING_RECORD宏的詳細解釋》 不是的話請作者指出 我進行修正
到這裏 我們引申出一個很重要的概念 Windows對象 (Object) 結構, 即對象管理器,不同類型的對象具有相同的Object Header,但Object Body部分卻是不同的。
這裏有一篇文章介紹的很清楚
Windows對象 (Object) 結構 (http://blog.csdn.net/sqqsongqiqi/article/details/42557815)
我們看一下 OBJECT_HEADER 這個結構體
typedef struct _OBJECT_HEADER {
LONG_PTR PointerCount;
union {
LONG_PTR HandleCount;
PVOID NextToFree;
};
POBJECT_TYPE Type;
UCHAR NameInfoOffset;
UCHAR HandleInfoOffset;
UCHAR QuotaInfoOffset;
UCHAR Flags;
union {
POBJECT_CREATE_INFORMATION ObjectCreateInfo;
PVOID QuotaBlockCharged;
};
PSECURITY_DESCRIPTOR SecurityDescriptor;
QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;我們看見 QUAD Body; 這個字段便是對象的實體部分,也就是我們經常接觸到的DEVICE_OBJECT, FILE_OBJECT等具體的對象類型。
分析完
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );RetVal = ObpIncrPointerCount( ObjectHeader );#define ObpIncrPointerCount(np) ObpInterlockedIncrement( &np->PointerCount )至此ObReferenceObject(Object) 分析完畢。
如有錯誤,敬請指出, 不勝感激。