Question about Windows kernel objects
I have got many of my questions solved here, many thanks to you guys. And I'd like to ask one more. :)
I am reading Windows via C/C++, and it says:
When we want to gain access to an existing kernel object (rather than create a new one), we must specify the operations we intend to perform on the object. If we are allowed access with such operations, a handle to the kernel object is returned.
...if the returned handle is used to call an API that requires a right different from the one you requested, the access-denied error occurs.
AFAIK, a handle is just a plain integer number; it's just an index into the process' handle table, and the handle value can provide nothing more. If we have already got a handle to a kernel object, how could the system detect that we use it for operations other than the ones we requested?
A kernel object can have more than one handle, and the owners of these handles may have different access types. Where does the system store this different access type info? I think it should be in the process' handle table.
Suppose I try to open a single kernel object with 2 different access types, 2 handles to the same kernel object should be returned, and thus there'll be 2 entries in the process' handle table, pointing to the same kernel object.
Any insight will be deeply appreciated.
Update 1
Thanks guys.
I referred to Windows Internals, 5th edition, which says in Chapter 6, Access Checks:
The Windows security model requires that a thread specify up front, at the time that it opens an object, what types of actions it wants to perform on the object. The object manager calls the SRM to perform access checks based on a thread's desired access, and if the access is granted, a handle is assigned to the thread's process with which the thread (or other threads in the process) can perform further operations on the object. As explained in Chapter 3, the object manager records the access permissions granted for a handle in the process's handle table.
So it seems my guess is right.
Thanks.
Comments (1)
Every kernel object that is active will have a series of rights stored against it. This is just another table managed by the Security Reference Manager (SRM). When the security is asserted by the object manager, the object handle will be looked up to collect the object reference (ObReferenceObjectByHandle), and the resultant object can be used to look up the rights (ObCheckObjectAccess). There will be indirections involving security tokens, but in essence this is the theory. So two handles may indeed point to the same reference object.
There is a good description of what happens during an ObCheckObjectAccess call in Windows Internals (mine is version 5). Paraphrasing it here:
ObCheckObjectAccess takes the object, the credentials of the calling thread and the access requested, and calls the SRM (SeAccessCheck) so that it can work out whether the right is asserted or denied.
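The behaviour the question asks about can be observed directly from user mode. The following PowerShell script is an added example; it is not code from the original post or from either book quoted above. It creates one named event object and opens it through two further handles, each requesting a different right, then shows that an operation succeeds or fails according to the access granted to the specific handle, not according to the object. The P/Invoke declarations and the event name are mine; the Win32 functions CreateEventW, OpenEventW, SetEvent, WaitForSingleObject and CloseHandle are real kernel32 exports.

```powershell
# Added example, not code from the original post or from the books it quotes.
# One named event object, three handles, three different granted access masks.
# The event name is constructed for this demo.

if (-not ('Native' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class Native
{
    // Access-mask bits from winnt.h / synchapi.h
    public const uint SYNCHRONIZE         = 0x00100000;
    public const uint EVENT_MODIFY_STATE  = 0x00000002;
    public const uint WAIT_OBJECT_0       = 0x00000000;
    public const uint WAIT_FAILED         = 0xFFFFFFFF;
    public const int  ERROR_ACCESS_DENIED = 5;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateEventW(IntPtr lpEventAttributes, bool bManualReset, bool bInitialState, string lpName);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr OpenEventW(uint dwDesiredAccess, bool bInheritHandle, string lpName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetEvent(IntPtr hEvent);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
}

function Get-LastWin32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

$name = "Local\HandleRightsDemo-$PID"    # constructed name, unique per shell session

# Creating the object returns a handle that was granted full access to it.
$hOwner = [Native]::CreateEventW([IntPtr]::Zero, $true, $false, $name)
if ($hOwner -eq [IntPtr]::Zero) { throw "CreateEventW failed, error $(Get-LastWin32Error)" }

# Two more handles to the SAME object, each asking for a single, different right.
$hWaitOnly   = [Native]::OpenEventW([Native]::SYNCHRONIZE,        $false, $name)
$hSignalOnly = [Native]::OpenEventW([Native]::EVENT_MODIFY_STATE, $false, $name)
if ($hWaitOnly -eq [IntPtr]::Zero -or $hSignalOnly -eq [IntPtr]::Zero) {
    throw "OpenEventW failed, error $(Get-LastWin32Error)"
}

"Three distinct handle values for one object: owner=$hOwner waitOnly=$hWaitOnly signalOnly=$hSignalOnly"

# SetEvent requires EVENT_MODIFY_STATE. The SYNCHRONIZE-only handle was not granted
# that right, so the call is refused even though the object is the same.
$ok  = [Native]::SetEvent($hWaitOnly)
$err = Get-LastWin32Error
"SetEvent through SYNCHRONIZE-only handle: succeeded=$ok lastError=$err (ERROR_ACCESS_DENIED is $([Native]::ERROR_ACCESS_DENIED))"

# The identical operation through the handle that WAS granted EVENT_MODIFY_STATE.
$ok = [Native]::SetEvent($hSignalOnly)
"SetEvent through EVENT_MODIFY_STATE handle: succeeded=$ok"

# Waiting requires SYNCHRONIZE. The wait-only handle observes the signal that the
# other handle set, which also confirms that both handles refer to one object.
$wait = [Native]::WaitForSingleObject($hWaitOnly, 0)
"WaitForSingleObject through SYNCHRONIZE-only handle: 0x{0:X8} (WAIT_OBJECT_0 is 0x00000000)" -f $wait

# The EVENT_MODIFY_STATE-only handle cannot be waited on at all.
$wait = [Native]::WaitForSingleObject($hSignalOnly, 0)
$err  = Get-LastWin32Error
"WaitForSingleObject through EVENT_MODIFY_STATE-only handle: 0x{0:X8} (WAIT_FAILED is 0xFFFFFFFF), lastError=$err" -f $wait

foreach ($h in @($hOwner, $hWaitOnly, $hSignalOnly)) { [void][Native]::CloseHandle($h) }
```

The script needs no elevation; the object lives in the caller's session namespace. While it is paused (for instance with a breakpoint before the CloseHandle loop), the handle view in Sysinternals Process Explorer lists three entries for the same event object with three different access masks, which is the per-handle record in the process's handle table that the Windows Internals passage describes. The access check happens once, at OpenEventW, and every later call is judged against the mask stored for that handle, which is why the handle value itself carries no rights information.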