Reference: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-obreferenceobjectbyhandle
code:
NTSTATUS status;
PETHREAD pTargetThread = NULL;

status = ObReferenceObjectByHandle(
    ThreadHandle,          // this is the input of the current function
    THREAD_ALL_ACCESS,
    PsThreadType,
    KernelMode,            // see the AccessMode note below: a handle received from user space should be checked with UserMode
    (PVOID *)&pTargetThread,
    NULL);
if (!NT_SUCCESS(status)) {
    return status;         // no object reference was taken, so nothing to dereference
}
[popexizhi:
Parameters worth looking into:
* PsThreadType
* KernelMode
Here PsThreadType is declared as
extern POBJECT_TYPE NTSYSAPI PsThreadType;
]
Parameter description
The ObReferenceObjectByHandle routine provides access validation on the object handle, and, if access can be granted, returns the corresponding pointer to the object's body.
[popexizhi's translation: ObReferenceObjectByHandle validates access on the object handle; if validation passes, it returns a pointer to the object body]
NTSTATUS ObReferenceObjectByHandle(
    HANDLE Handle,
    ACCESS_MASK DesiredAccess,
    POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode,
    PVOID *Object,
    POBJECT_HANDLE_INFORMATION HandleInformation
);
[ObjectType]
Pointer to the object type. ObjectType can be *ExEventObjectType, *ExSemaphoreObjectType, *IoFileObjectType, *PsProcessType, *PsThreadType, *SeTokenObjectType, *TmEnlistmentObjectType, *TmResourceManagerObjectType, *TmTransactionManagerObjectType, or *TmTransactionObjectType.
If ObjectType is not NULL, the operating system verifies that the supplied object type matches the object type of the object that Handle specifies.
[pope's translation:
If ObjectType is not NULL, the operating system verifies that the supplied object type matches the type of the object that Handle specifies.
]
[AccessMode]
Specifies the access mode to use for the access check. It must be either UserMode or KernelMode. Drivers should always specify UserMode for handles they receive from user address space.
[pope's translation:
Specifies the access mode used for the access check; it must be either UserMode or KernelMode.
Drivers should always use UserMode for handles they receive from user address space.
]
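The ObjectType and AccessMode checks described above, as an added user-mode model (not kernel code, and not the page's own code): the handle table entries are constructed toy data, while the NTSTATUS values and the THREAD_*/PROCESS_* access bits are the real Windows constants. It shows why a handle received from user space must be checked with UserMode: with KernelMode the granted-access check is skipped, so the caller obtains whatever DesiredAccess it asked for.

```c
/* Added example: a user-mode model of the two checks the documentation above
 * describes for ObReferenceObjectByHandle (object-type match, access check).
 * The handle table is constructed toy data; this is not the kernel's code. */
#include <stddef.h>
#include <stdint.h>

typedef int32_t  NTSTATUS;
typedef uint32_t ACCESS_MASK;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008)
#define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022)
#define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024)
/* Real thread access bits from the Windows SDK. */
#define THREAD_TERMINATE                 0x0001
#define THREAD_QUERY_LIMITED_INFORMATION 0x0800

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef enum { ModelThreadType, ModelProcessType } MODEL_OBJECT_TYPE;
/* Stand-ins for the kernel's PsThreadType / PsProcessType. */
const MODEL_OBJECT_TYPE ModelPsThreadType  = ModelThreadType;
const MODEL_OBJECT_TYPE ModelPsProcessType = ModelProcessType;

/* One handle-table entry: object type, access granted at open time, object body. */
typedef struct { MODEL_OBJECT_TYPE type; ACCESS_MASK granted; void *body; } HANDLE_ENTRY;

static int thread_body, process_body;
static const HANDLE_ENTRY handle_table[] = {   /* constructed: handle values 1 and 2 */
    { ModelThreadType,  THREAD_QUERY_LIMITED_INFORMATION,       &thread_body  },
    { ModelProcessType, 0x0400 /* PROCESS_QUERY_INFORMATION */, &process_body },
};

NTSTATUS Model_ObReferenceObjectByHandle(unsigned handle, ACCESS_MASK desired,
                                         const MODEL_OBJECT_TYPE *type,
                                         KPROCESSOR_MODE mode, void **object)
{
    if (handle == 0 || handle > sizeof handle_table / sizeof handle_table[0])
        return STATUS_INVALID_HANDLE;
    const HANDLE_ENTRY *e = &handle_table[handle - 1];
    /* Type check: done whenever ObjectType is non-NULL, in either mode. */
    if (type != NULL && *type != e->type)
        return STATUS_OBJECT_TYPE_MISMATCH;
    /* Access check: only enforced for UserMode. With KernelMode the caller is
     * trusted, so a user-supplied handle would get access it never held. */
    if (mode == UserMode && (desired & ~e->granted) != 0)
        return STATUS_ACCESS_DENIED;
    if (object != NULL)
        *object = e->body;
    return STATUS_SUCCESS;
}
```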