A forum for reverse engineering, OS internals and malware analysis 

_OBJECT_TYPE_INITIALIZER and Windbg help

Discussion on reverse-engineering and debugging.

_OBJECT_TYPE_INITIALIZER and Windbg help

 #9758  by lorddoskias
 Sat Nov 19, 2011 2:00 pm
kd> dt _OBJECT_TYPE_INITIALIZER poi(nt!IoFileObjectType)
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0xe7a8
+0x002 ObjectTypeFlags : 0x1e ''
+0x002 CaseInsensitive : 0y0
+0x002 UnnamedObjectsOnly : 0y1
+0x002 UseDefaultObject : 0y1
+0x002 SecurityRequired : 0y1
+0x002 MaintainHandleCount : 0y1
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode : 0x841ee7a8
+0x008 InvalidAttributes : 0xa0008
+0x00c GenericMapping : _GENERIC_MAPPING
+0x01c ValidAccessMask : 0x34f
+0x020 RetainAccess : 0x11ed
+0x024 PoolType : 0x39a (No matching name)
+0x028 DefaultPagedPoolCharge : 0x110050
+0x02c DefaultNonPagedPoolCharge : 1
+0x030 DumpProcedure : 0x00000130 void +130
+0x034 OpenProcedure : 0x00120089 long +120089
+0x038 CloseProcedure : 0x00120116 void +120116
+0x03c DeleteProcedure : 0x001200a0 void +1200a0
+0x040 ParseProcedure : 0x001f01ff long +1f01ff
+0x044 SecurityProcedure : 0x001f01ff long +1f01ff
+0x048 QueryNameProcedure : (null)
+0x04c OkayToCloseProcedure : (null)

How can I see what function are used for *Procedure - obviously everything apart from QueryName and OkayToClose has pointers to function but when I try to see dissambly:
kd> u 0x00120089
00120089 ?? ???
^ Memory access error in 'u 0x00120089 '
kd> uf 0x00120089
No code found, aborting

Re: _OBJECT_TYPE_INITIALIZER and Windbg help

 #9759  by EP_X0FF
 Sat Nov 19, 2011 2:29 pm
Code: Select all
lkd> !object \ObjectTypes\File
Object: 855f1580  Type: (8550bf78) Type
    ObjectHeader: 855f1568 (new version)
    HandleCount: 0  PointerCount: 2
    Directory Object: 8c805588  Name: File
lkd> dt _OBJECT_TYPE 855f1580 TypeInfo.
ntdll!_OBJECT_TYPE
   +0x028 TypeInfo  : 
      +0x000 Length    : 0x50
      +0x002 ObjectTypeFlags : 0x31 '1'
      +0x002 CaseInsensitive : 0y1
      +0x002 UnnamedObjectsOnly : 0y0
      +0x002 UseDefaultObject : 0y0
      +0x002 SecurityRequired : 0y0
      +0x002 MaintainHandleCount : 0y1
      +0x002 MaintainTypeList : 0y1
      +0x002 SupportsObjectCallbacks : 0y0
      +0x004 ObjectTypeCode : 1
      +0x008 InvalidAttributes : 0x130
      +0x00c GenericMapping : _GENERIC_MAPPING
      +0x01c ValidAccessMask : 0x1f01ff
      +0x020 RetainAccess : 0
      +0x024 PoolType  : 0 ( NonPagedPool )
      +0x028 DefaultPagedPoolCharge : 0x400
      +0x02c DefaultNonPagedPoolCharge : 0xf8
      +0x030 DumpProcedure : (null) 
      +0x034 OpenProcedure : (null) 
      +0x038 CloseProcedure : 0x82e367b3        void  nt!IopCloseFile+0
      +0x03c DeleteProcedure : 0x82e358fb        void  nt!IopDeleteFile+0
      +0x040 ParseProcedure : 0x82e85105        long  nt!IopParseFile+0
      +0x044 SecurityProcedure : 0x82e68245        long  nt!IopGetSetSecurityObject+0
      +0x048 QueryNameProcedure : 0x82e746ef        long  nt!IopQueryName+0
      +0x04c OkayToCloseProcedure : (null) 
lkd> u IopCloseFile
nt!IopCloseFile:
82e367b3 8bff            mov     edi,edi
82e367b5 55              push    ebp
82e367b6 8bec            mov     ebp,esp
82e367b8 83e4f8          and     esp,0FFFFFFF8h
82e367bb 83ec2c          sub     esp,2Ch
82e367be 53              push    ebx
82e367bf 56              push    esi
82e367c0 57              push    edi
 Return to “Reverse Engineering and Debugging”