进程句柄表初始化,扩展,插入删除句柄源码分析
生活随笔
收集整理的這篇文章主要介紹了
进程句柄表初始化,扩展,插入删除句柄源码分析
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
一、為什么要有句柄
句柄是一個8字節的結構體,用途是指向內核對象。3環程序無法通過地址直接訪問內核對象,所以需要用句柄來間接訪問。
本文重點介紹句柄表,句柄本身則留到下一篇博客介紹。但因為接下來介紹句柄表時也會涉及到句柄表項的成員,所以不妨先簡單鋪墊一下。
首先要區分開句柄和 HANDLE_TABLE_ENTRY ,句柄是3環使用的一個4字節整數,它是句柄表的索引,且一定是4的整數倍;而 HANDLE_TABLE_ENTRY 是句柄表里的項,大小是8字節,稱為句柄表項。
HANDLE_TABLE_ENTRY 由兩個32位的聯合體(union) 組成:
typedef struct _HANDLE_TABLE_ENTRY {union {PVOID Object; // 指向句柄所代表的對象ULONG ObAttributes; // 最低三位有特別含義,參見// OBJ_HANDLE_ATTRIBUTES 宏定義PHANDLE_TABLE_ENTRY_INFO InfoTable; // 各個句柄表頁面的第一個表項// 使用此成員指向一張表ULONG_PTR Value;};union {union {ACCESS_MASK GrantedAccess; // 訪問掩碼struct { // 當NtGlobalFlag 中包含// FLG_KERNEL_STACK_TRACE_DB 標記時使用USHORT GrantedAccessIndex;USHORT CreatorBackTraceIndex;};};LONG NextFreeTableEntry; // 空閑時表示下一個空閑句柄索引}; } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;多數情況下,使用聯合體的目的是節省內存,隱含的意思是聯合體內部的成員使用的時機不同,不會發生沖突。Object 指向一個內核對象,而 NextFreeTableEntry 是下一個空閑句柄表項的索引,下文會詳細介紹這個屬性的用途。
一個進程創建或打開了一個內核對象,如 CreateProcess ,3環會得到一個句柄,而句柄是存儲在0環的 EPROCESS.ObjectTable 里,這個 ObjectTable 稱為進程句柄表。
二、句柄表結構
typedef struct _HANDLE_TABLE {//// A pointer to the top level handle table tree node.//ULONG_PTR TableCode; // 指向句柄表的存儲結構//// The process who is being charged quota for this handle table and a// unique process id to use in our callbacks//struct _EPROCESS *QuotaProcess; // 句柄表的內存資源記錄在此進程中HANDLE UniqueProcessId; // 創建進程的ID,用于回調函數//// These locks are used for table expansion and preventing the A-B-A problem// on handle allocate.//#define HANDLE_TABLE_LOCKS 4EX_PUSH_LOCK HandleTableLock[HANDLE_TABLE_LOCKS]; // 句柄表鎖,擴展句柄表時使用//// The list of global handle tables. This field is protected by a global// lock.//LIST_ENTRY HandleTableList; // 所有句柄表形成一個鏈表// 鏈表頭為全局變量 HandleTableListHead//// Define a field to block on if a handle is found locked.//EX_PUSH_LOCK HandleContentionEvent; // 若在訪問句柄時發生競爭,則在此推鎖上等待//// Debug info. Only allocated if we are debugging handles//PHANDLE_TRACE_DEBUG_INFO DebugInfo; // 調試信息,僅當調試句柄表時有意義//// The number of pages for additional info.// This counter is used to improve the performance// in ExGetHandleInfo//LONG ExtraInfoPages; // 審計信息所占用的頁面數量//// This is a singly linked list of free table entries. We don't actually// use pointers, but have each store the index of the next free entry// in the list. The list is managed as a lifo list. We also keep track// of the next index that we have to allocate pool to hold.//ULONG FirstFree; // 空閑鏈表表頭的句柄索引//// We free handles to this list when handle debugging is on or if we see// that a thread has this handles bucket lock held. The allows us to delay reuse// of handles to get a better chance of catching offenders//ULONG LastFree; // 最近被釋放的句柄索引,用于FIFO類型空閑鏈表//// This is the next handle index needing a pool allocation. Its also used as a bound// for good handles.//ULONG NextHandleNeedingPool; // 下一次句柄表擴展的起始句柄索引//// The number of handle table entries in use.//LONG HandleCount; // 正在使用的句柄表項的數量//// Define a flags field//union {ULONG Flags; // 標志域//// For optimization we reuse handle values quickly. This can be a problem for// some usages of handles and makes debugging a little harder. If this// bit is set then we always use FIFO handle allocation.//BOOLEAN StrictFIFO : 1; // 是否使用FIFO風格的重用,即先釋放先重用};} HANDLE_TABLE, *PHANDLE_TABLE;進程句柄表 HANDLE_TABLE 存儲了進程擁有的所有句柄,其結構隨著句柄數量的增加變化,它是一個多級結構,有三種形態:
HANDLE_TABLE 的 TableCode 指針指向了句柄表存儲的位置,TableCode 的低2位表示句柄表的結構。考慮三層句柄表的情況,理論上能存儲的句柄數量是 1024 x 1024 x 512 ,但實際上遠小于這個值,規定進程擁有的句柄數最多為 MAX_HANDLE 個,即 2^24 個。另一個事實是,句柄表按頁分配,每頁是4KB,最低層句柄表能存儲 4KB / 8B = 512 個句柄表項,但實際數量要減一,即511個,因為第一項有特殊用途。
三、句柄表的創建和初始化
ExCreateHandleTable
創建進程時,調用 ExCreateHandleTable 函數分配并初始化句柄表,這個函數本身代碼比較簡短,創建句柄表的工作交給了更底層的 ExpAllocateHandleTable 函數。
NTKERNELAPI PHANDLE_TABLE ExCreateHandleTable (__in_opt struct _EPROCESS *Process)/*++Routine Description:This function allocate and initialize a new new handle tableArguments:Process - Supplies an optional pointer to the process against which quotawill be charged.Return Value:If a handle table is successfully created, then the address of thehandle table is returned as the function value. Otherwise, a valueNULL is returned.--*/{PKTHREAD CurrentThread;PHANDLE_TABLE HandleTable;PAGED_CODE();// 從KPCR中獲取當前線程CurrentThread = KeGetCurrentThread ();//// Allocate and initialize a handle table descriptor//// 句柄表的內存分配和初始化HandleTable = ExpAllocateHandleTable( Process, TRUE );if (HandleTable == NULL) {return NULL;}//// Insert the handle table in the handle table list.//KeEnterCriticalRegionThread (CurrentThread); // 暫時停用普通內核APCExAcquirePushLockExclusive( &HandleTableListLock );// HandleTableListHead 是全局句柄表鏈表頭,將當前進程的句柄表插入到其尾部InsertTailList( &HandleTableListHead, &HandleTable->HandleTableList );ExReleasePushLockExclusive( &HandleTableListLock );KeLeaveCriticalRegionThread (CurrentThread); // 恢復普通內核APC//// And return to our caller//return HandleTable; }ExpAllocateHandleTable
ExpAllocateHandleTable 的工作是創建并初始化句柄表結構(HANDLE_TABLE)和一個最低層句柄表(TableCode)。如果 DoInit 參數為 TRUE,則需要初始化句柄表的空閑鏈表(FirstFree),空閑鏈表是用來指示下一個空閑句柄表項的位置的。大家可以先閱讀源碼,對這個空閑鏈表的初始化有一個大致的印象,待會我會詳細分析句柄的插入和刪除過程。
PHANDLE_TABLE ExpAllocateHandleTable (IN PEPROCESS Process OPTIONAL,IN BOOLEAN DoInit)/*++Routine Description:This worker routine will allocate and initialize a new handle tablestructure. The new structure consists of the basic handle tablestruct plus the first allocation needed to store handles. This isreally one page divided up into the top level node, the first midlevel node, and one bottom level node.Arguments:Process - Optionally supplies the process to charge quota for thehandle tableDoInit - If FALSE then we are being called by duplicate and we don't needthe free list built for the callerReturn Value:A pointer to the new handle table or NULL if unsuccessful at gettingpool.--*/{PHANDLE_TABLE HandleTable;PHANDLE_TABLE_ENTRY HandleTableTable, HandleEntry;ULONG i, Idx;PAGED_CODE();//// If any allocation or quota failures happen we will catch it in the// following try-except clause and cleanup after outselves before// we return null////// First allocate the handle table, make sure we got one, charge quota// for it and then zero it out//// HANDLE_TABLE 申請分頁內存HandleTable = (PHANDLE_TABLE)ExAllocatePoolWithTag (PagedPool,sizeof(HANDLE_TABLE),'btbO');if (HandleTable == NULL) {return NULL;}if (ARGUMENT_PRESENT(Process)) {if (!NT_SUCCESS (PsChargeProcessPagedPoolQuota( Process,sizeof(HANDLE_TABLE)))) {ExFreePool( HandleTable );return NULL;}}// HANDLE_TABLE 內存清零RtlZeroMemory( HandleTable, sizeof(HANDLE_TABLE) );//// Now allocate space of the top level, one mid level and one bottom// level table structure. This will all fit on a page, maybe two.//// 申請最高層句柄表內存,大小是一個頁 4KB,創建進程時初始化,應該是只有一層句柄表的HandleTableTable = ExpAllocateTablePagedPoolNoZero ( Process,TABLE_PAGE_SIZE);if ( HandleTableTable == NULL ) {ExFreePool( HandleTable );if (ARGUMENT_PRESENT(Process)) {PsReturnProcessPagedPoolQuota (Process,sizeof(HANDLE_TABLE));}return NULL;}// TableCode 指向最高層句柄表,此時只有一層,所以也是最低層句柄表HandleTable->TableCode = (ULONG_PTR)HandleTableTable;//// We stamp with EX_ADDITIONAL_INFO_SIGNATURE to recognize in the future this// is a special information entry//// 最低層句柄表的第0項有特殊用途// 高32位用 EX_ADDITIONAL_INFO_SIGNATURE 標記起來// 低32位初始化為NULLHandleEntry = &HandleTableTable[0]; HandleEntry->NextFreeTableEntry = EX_ADDITIONAL_INFO_SIGNATURE; HandleEntry->Value = 0;//// For duplicate calls we skip building the free list as we rebuild it manually as// we traverse the old table we are duplicating// 對于重復調用,我們跳過構建空閑列表,因為我們在遍歷要復制的舊表時手動重新構建它// if (DoInit) {// HandleEntry 指向了最低層句柄表下標為1的項HandleEntry++;//// Now setup the free list. We do this by chaining together the free// entries such that each free entry give the next free index (i.e.,// like a fat chain). The chain is terminated with a 0. Note that// we'll skip handle zero because our callers will get that value// confused with null.// 通過遍歷的方式初始化空閑句柄鏈表。每個鏈表項的 NextFreeTableEntry 成員存儲了下一個空閑// 句柄的下標,空閑鏈表以0結尾。只遍歷到下標510,因為最后一項要特殊處理。// 遍歷第1-510項for (i = 1; i < LOWLEVEL_COUNT - 1; i += 1) {HandleEntry->Value = 0; // 不指向任何內核對象// NextFreeTableEntry 等于下一個空閑句柄的句柄索引值HandleEntry->NextFreeTableEntry = (i+1)*HANDLE_VALUE_INC;HandleEntry++;}// 第511項 NextFreeTableEntry 是0,表示鏈表結束HandleEntry->Value = 0;HandleEntry->NextFreeTableEntry = 0;// FirstFree 存儲了當前第一個空閑句柄表項的索引// 因為第0項是特殊用途,所以第一個空閑句柄索引是4HandleTable->FirstFree = HANDLE_VALUE_INC;}// 下一次擴展句柄表時,起始句柄下標是 512 * 4HandleTable->NextHandleNeedingPool = LOWLEVEL_COUNT * HANDLE_VALUE_INC;//// Setup the necessary process information// 設置必須的進程信息HandleTable->QuotaProcess = Process;HandleTable->UniqueProcessId = PsGetCurrentProcess()->UniqueProcessId;HandleTable->Flags = 0;#if DBG && !EXHANDLE_EXTRA_CHECKSif (Process != NULL) {HandleTable->StrictFIFO = TRUE;} #endif//// Initialize the handle table lock. This is only used by table expansion.// 初始化句柄表鎖,用于擴展句柄表for (Idx = 0; Idx < HANDLE_TABLE_LOCKS; Idx++) {ExInitializePushLock (&HandleTable->HandleTableLock[Idx]);}//// Initialize the blocker for handle entry lock contention.// 初始化句柄表入口鎖,用于互斥訪問ExInitializePushLock (&HandleTable->HandleContentionEvent);if (TRACE_ALL_TABLES) {ExEnableHandleTracing (HandleTable, 0); }//// And return to our caller//return HandleTable; }四、句柄表的擴展
ExpAllocateHandleTableEntrySlow
擴展句柄表是由 ExpAllocateHandleTableEntrySlow 函數實現的。分析函數之前,我先把示意圖給出大家。
首先,考慮從一層擴展到二層的情況,當出現這種情況,說明現在進程擁有了511個句柄,一個頁面已經存不下新的句柄了,所以需要擴展成二層結構。做法是調用 ExpAllocateMidLevelTable 函數創建中間層句柄表,ExpAllocateMidLevelTable 函數調用了 ExpAllocateLowLevelTable 函數來創建一個新的最低層句柄表。
接下來,考慮二層擴展到三層的情況:
最后,是三層結構情況下,新增中間層句柄表的情況:
擴展完之后還有一些操作,需要先搞明白句柄如何插入,FirstFree 如何使用,才能分析。
BOOLEAN ExpAllocateHandleTableEntrySlow (IN PHANDLE_TABLE HandleTable,IN BOOLEAN DoInit)/*++Routine Description:This worker routine allocates a new handle table entry for the specifiedhandle table.這個函數為指定的句柄表分配一個新的句柄表項Note: The caller must have already locked the handle table注意:調用者必須先鎖住句柄表Arguments:HandleTable - Supplies the handle table being usedDoInit - If FALSE then the caller (duplicate) doesn't need the free list built如果 FALSE 就不需要構建空閑鏈表Return Value:BOOLEAN - TRUE, Retry the fast allocation path, FALSE, We failed to allocate memory--*/{ULONG i,j;PHANDLE_TABLE_ENTRY NewLowLevel;PHANDLE_TABLE_ENTRY *NewMidLevel;PHANDLE_TABLE_ENTRY **NewHighLevel;ULONG NewFree, OldFree;ULONG OldIndex;PVOID OldValue;ULONG_PTR CapturedTable = HandleTable->TableCode;ULONG TableLevel = (ULONG)(CapturedTable & LEVEL_CODE_MASK); // 當前句柄表層級結構,取 0, 1, 2PAGED_CODE();//// Initializing NewLowLevel is not needed for// correctness but without it the compiler cannot compile this code// W4 to check for use of uninitialized variables.//NewLowLevel = NULL; // 為了編譯通過必須初始化// CapturedTable 存儲了 TableCode 第2位清零的值,即舊的最低層句柄表的地址CapturedTable = CapturedTable & ~LEVEL_CODE_MASK;if ( TableLevel == 0 ) {//// We have a single level. We need to ad a mid-layer// to the process handle table// 現在是單層句柄表結構,需要擴展為二層句柄表// 創建一個中間層句柄表,同時也創建了一個最低層句柄表,存儲在中間層句柄表的第0項NewMidLevel = ExpAllocateMidLevelTable( HandleTable, DoInit, &NewLowLevel );if (NewMidLevel == NULL) {return FALSE;}//// Since ExpAllocateMidLevelTable initialize the // first position with a new table, we need to move it in // the second position, and store in the first position the current one// 因為 ExpAllocateMidLevelTable 的第0項存儲了新的最低層句柄表,現在我們// 把它移動到第1項,然后將舊的最低層句柄表存到第0項。NewMidLevel[1] = NewMidLevel[0];NewMidLevel[0] = (PHANDLE_TABLE_ENTRY)CapturedTable;//// Encode the current level and set it to the handle table process// 修改 TableCode 的第2位,改成1,表示現在是二層句柄表結構// CapturedTable = ((ULONG_PTR)NewMidLevel) | 1;OldValue = InterlockedExchangePointer( (PVOID *)&HandleTable->TableCode, (PVOID)CapturedTable );} else if (TableLevel == 1) {//// We have a 2 levels handle table// 現在是二層句柄表結構//PHANDLE_TABLE_ENTRY *TableLevel2 = (PHANDLE_TABLE_ENTRY *)CapturedTable;//// Test whether the index we need to create is still in the // range for a 2 layers table// 檢查當前的句柄表下標是否真的需要擴展到三層結構// 解釋:當已經存了 1024 x 512 個句柄時,即 NextHandleNeedingPool = 1024 x 512 x 4 ,// 這時需要擴展。換言之,如果需要擴展,下面算出的 i 不應小于 1024// // i 表示當前需要多少張中層句柄表,如果小于 1024 就不需要擴展到三層結構i = HandleTable->NextHandleNeedingPool / (LOWLEVEL_COUNT * HANDLE_VALUE_INC);if (i < MIDLEVEL_COUNT) {//// We just need to allocate a new low-level// table// 二層結構還夠用,我們只需要申請一張新的最低層句柄表// NewLowLevel = ExpAllocateLowLevelTable( HandleTable, DoInit );if (NewLowLevel == NULL) {return FALSE;}//// Set the new one to the table, at appropriate position//OldValue = InterlockedExchangePointer( (PVOID *) (&TableLevel2[i]), NewLowLevel );EXASSERT (OldValue == NULL);} else {//// We exhausted the 2 level domain. We need to insert a new one// 我們已經用完了二層結構的空間,真的需要擴展到三層結構了// 最高層句柄表只需 HIGHLEVEL_SIZE = 32 x 4 = 128 個字節// 因為一個進程只能存 1<<24 個句柄,所以最高層句柄表最多只能存32張中間層句柄表// 32 x 1024 x 512 = 1 << 24// NewHighLevel = ExpAllocateTablePagedPool( HandleTable->QuotaProcess,HIGHLEVEL_SIZE);if (NewHighLevel == NULL) {return FALSE;}// 既然需要擴展到三層結構,說明一張中間層句柄表已經不夠用// 自然需要新創建一張中間層句柄表NewMidLevel = ExpAllocateMidLevelTable( HandleTable, DoInit, &NewLowLevel );if (NewMidLevel == NULL) {ExpFreeTablePagedPool( HandleTable->QuotaProcess,NewHighLevel,HIGHLEVEL_SIZE);return FALSE;}//// Initialize the first index with the previous mid-level layer// 把原來的中間層句柄表放在第0項,新創建的放在第1項//NewHighLevel[0] = (PHANDLE_TABLE_ENTRY*)CapturedTable;NewHighLevel[1] = NewMidLevel;//// Encode the level into the table pointer// 標記低2位為2,表示現在是三層結構//CapturedTable = ((ULONG_PTR)NewHighLevel) | 2;//// Change the handle table pointer with this one// 更新 TableCode 的值,指向最高層句柄表OldValue = InterlockedExchangePointer( (PVOID *)&HandleTable->TableCode, (PVOID)CapturedTable );}} else if (TableLevel == 2) {//// we have already a table with 3 levels// 當前已經是三級句柄表結構//ULONG RemainingIndex;PHANDLE_TABLE_ENTRY **TableLevel3 = (PHANDLE_TABLE_ENTRY **)CapturedTable;// i 算出來表示新的中間層句柄表在最高層句柄表中的下標,不應大于31i = HandleTable->NextHandleNeedingPool / (MIDLEVEL_THRESHOLD * HANDLE_VALUE_INC);//// Check whether we exhausted all possible indexes.// 檢查是否已經用完了 HIGHLEVEL_COUNT(32)個下標,如果是,返回 FALSE//// 不能大于31if (i >= HIGHLEVEL_COUNT) {return FALSE;}if (TableLevel3[i] == NULL) {//// The new available handle points to a free mid-level entry// We need then to allocate a new one and save it in that position// 這個下標還沒有指向中間層句柄表,則創建一個新的//// 創建一個新的中間層句柄表NewMidLevel = ExpAllocateMidLevelTable( HandleTable, DoInit, &NewLowLevel );if (NewMidLevel == NULL) {return FALSE;} // 存儲到最高層句柄表OldValue = InterlockedExchangePointer( (PVOID *) &(TableLevel3[i]), NewMidLevel );EXASSERT (OldValue == NULL);} else {//// We have already a mid-level table. We just need to add a new low-level one// at the end// 這個下標已經有一個中間層句柄表了,只需往里面新增一個最低層句柄表//// j 表示在當前中間層句柄表的第 j 項插入一個新的最低層句柄表RemainingIndex = (HandleTable->NextHandleNeedingPool / HANDLE_VALUE_INC) -i * MIDLEVEL_THRESHOLD;j = RemainingIndex / LOWLEVEL_COUNT;NewLowLevel = ExpAllocateLowLevelTable( HandleTable, DoInit );if (NewLowLevel == NULL) {return FALSE;}OldValue = InterlockedExchangePointer( (PVOID *)(&TableLevel3[i][j]) , NewLowLevel );EXASSERT (OldValue == NULL);}}//// This must be done after the table pointers so that new created handles// are valid before being freed.// 更新 NextHandleNeedingPool 的值,NextHandleNeedingPool 表示下一次擴展時新句柄的值。// 就是簡單地原子加 512 * 4 ,因為不管怎么擴展,最終都是新增了一張最低層句柄表。// OldIndex 存儲了 NextHandleNeedingPool 的舊值,即新的最低層句柄表的第0項//OldIndex = InterlockedExchangeAdd ((PLONG) &HandleTable->NextHandleNeedingPool,LOWLEVEL_COUNT * HANDLE_VALUE_INC);if (DoInit) {//// Generate a new sequence number since this is a push// 跳過第0項,此時 OldIndex 等于新的最低層句柄表的第1項//OldIndex += HANDLE_VALUE_INC + GetNextSeq(); // GetNextSeq = 0//// Now free the handles. These are all ready to be accepted by the lookup logic now.//// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼// FirstFree 的用途不太清楚,所以看不懂下面的代碼while (1) {// 新的最低層句柄表的最后一項的 NextFreeTableEntry 等于舊的 FirstFree// 創建新句柄時,新句柄直接存到 FirstFree 指向的位置,然后把新句柄的// NextFreeTableEntry 賦給 FirstFree。OldFree = ReadForWriteAccess (&HandleTable->FirstFree);NewLowLevel[LOWLEVEL_COUNT - 1].NextFreeTableEntry = OldFree;//// These are new entries that have never existed before. We can't have an A-B-A problem// with these so we don't need to take any locks//// 比較 HandleTable->FirstFree 和 OldFree,// 如果相等,則 OldIndex 賦給 HandleTable->FirstFree// 返回值 NewFree 是 HandleTable->FirstFree 的舊值,// 所以如果相等,循環也就結束了NewFree = InterlockedCompareExchange ((PLONG)&HandleTable->FirstFree,OldIndex,OldFree);if (NewFree == OldFree) {break;}}}return TRUE; }ExpAllocateMidLevelTable
這個函數創建一個中間層句柄表,是一個存儲最低層句柄表指針的數組。
PHANDLE_TABLE_ENTRY * ExpAllocateMidLevelTable (IN PHANDLE_TABLE HandleTable,IN BOOLEAN DoInit,OUT PHANDLE_TABLE_ENTRY *pNewLowLevel)/*++Routine Description:This worker routine allocates a mid-level table. This is an array withpointers to low-level tables.這個函數創建一個中間層句柄表,是一個存儲最低層句柄表指針的數組。It will allocate also a low-level table and will save it in the first index同時會申請一個新的最低層句柄表,并存儲到中間層句柄表的第0項Note: The caller must have already locked the handle table調用者必須先鎖住句柄表Arguments:HandleTable - Supplies the handle table being used當前的單層句柄表DoInit - If FALSE the caller (duplicate) does not want the free list build是否構造空閑鏈表pNewLowLevel - Returns the new low level table for later free list chaining返回新的最低層句柄表Return Value:Returns a pointer to the new mid-level table allocated返回新創建的中間層句柄表--*/{PHANDLE_TABLE_ENTRY *NewMidLevel; // 中間層句柄表,是一個數組,存儲的是最低層句柄表PHANDLE_TABLE_ENTRY NewLowLevel; // 新增的最低層句柄表,存到下標0的位置// 創建中間層句柄表NewMidLevel = ExpAllocateTablePagedPool( HandleTable->QuotaProcess,PAGE_SIZE);if (NewMidLevel == NULL) {return NULL;}//// If we need a new mid-level, we'll need a low-level too.// We'll create one and if success we'll save it at the first position// 創建中間層句柄表意味著一張最低層句柄表不夠用了,所以需要一張新的最低層句柄表// NewLowLevel = ExpAllocateLowLevelTable( HandleTable, DoInit );if (NewLowLevel == NULL) {ExpFreeTablePagedPool( HandleTable->QuotaProcess,NewMidLevel,PAGE_SIZE);return NULL;}//// Set the low-level table at the first index//// 新創建的最低層句柄表存儲到中間層句柄表的第0項NewMidLevel[0] = NewLowLevel;// 輸出參數返回新創建的最低層句柄表*pNewLowLevel = NewLowLevel;// 返回新創建的中間層句柄表return NewMidLevel; }ExpAllocateLowLevelTable
這個函數創建并返回一個新的最低層句柄表。如果 DoInit 為真,就會構造空閑句柄表項鏈表,它會根據句柄表的 NextHandleNeedingPool 的值,和舊的空閑鏈表連接起來。
PHANDLE_TABLE_ENTRY ExpAllocateLowLevelTable (IN PHANDLE_TABLE HandleTable,IN BOOLEAN DoInit)/*++Routine Description:This worker routine allocates a new low level table創建一個新的最低層句柄表。Note: The caller must have already locked the handle table調用者須先鎖住句柄表Arguments:HandleTable - Supplies the handle table being usedDoInit - If FALSE the caller (duplicate) doesn't need the free list maintainedReturn Value:Returns - a pointer to a low-level table if allocation issuccessful otherwise the return value is null.如果成功,返回新的最低層句柄表--*/{ULONG k;PHANDLE_TABLE_ENTRY NewLowLevel = NULL, HandleEntry;ULONG BaseHandle;//// Allocate the pool for lower level//NewLowLevel = ExpAllocateTablePagedPoolNoZero( HandleTable->QuotaProcess,TABLE_PAGE_SIZE);if (NewLowLevel == NULL) {return NULL;}//// We stamp with EX_ADDITIONAL_INFO_SIGNATURE to recognize in the future this// is a special information entry// 第0項特殊標記HandleEntry = &NewLowLevel[0];HandleEntry->NextFreeTableEntry = EX_ADDITIONAL_INFO_SIGNATURE;HandleEntry->Value = 0;//// Initialize the free list within this page if the caller wants this//if (DoInit) {HandleEntry++;//// Now add the new entries to the free list. To do this we// chain the new free entries together. We are guaranteed to// have at least one new buffer. The second buffer we need// to check for.//// We reserve the first entry in the table to the structure with// additional info////// Do the guaranteed first buffer//// 這里是初始化空閑鏈表,NextHandleNeedingPool 是新的最低層句柄表的// 第一項的下標,例如 512 * 4。這里 BaseHandle 存儲的是第一個空閑項的下標,// 最低層句柄表的下標0是特殊用途,第一項是新插入的句柄,所以第一個空閑// 位置應該是第三項,所以要加上 2 * HANDLE_VALUE_INCBaseHandle = HandleTable->NextHandleNeedingPool + 2 * HANDLE_VALUE_INC;// 遍歷到這張表的倒數第二項(下標510),最后一項特殊處理for (k = BaseHandle; k < BaseHandle + (LOWLEVEL_COUNT - 2) * HANDLE_VALUE_INC; k += HANDLE_VALUE_INC) {HandleEntry->NextFreeTableEntry = k;HandleEntry->Value = 0;HandleEntry++;}// 空閑鏈表結束標記HandleEntry->NextFreeTableEntry = 0;HandleEntry->Value = 0;}return NewLowLevel; }五、句柄的插入和刪除
模擬句柄表插入刪除算法
HANDLE_TABLE 結構的 FirstFree 成員記錄了空閑句柄鏈,需要創建新的句柄時,調用 ExpAllocateHandleTableEntry 函數直接從 FirstFree 得到句柄表中下一個空閑句柄的位置,把新句柄存進去,然后把原 FirstFree 位置的那個空閑句柄表項的 NextFreeTableEntry 賦給 FirstFree。
這實際上是用數組(最低層句柄表),FirstFree 和 NextFreeTableEntry 模擬了一個空閑句柄鏈表,不過與其說是鏈表,我覺得它更像一個棧,因為它是遵循 LIFO 規則的。但是這也有一個例外,據我了解,PspCidTable 句柄表由于設置了 StrictFIFO 屬性,所以這個句柄表是遵循 FIFO 規則的。
我們姑且認為,除了 PspCidTable 以外, 所有進程的句柄表 StrictFIFO 都是0,這就是說,它們的句柄表都是后釋放,先重用的。如果您對 LIFO 不太理解,我這里給出一個程序,是我模擬句柄表增刪數據寫的一個例程,通過這個程序可以很直觀的感受句柄表的增刪規律。
// test.cpp : 定義控制臺應用程序的入口點。 //#include "stdafx.h"struct Node {int used;int Next; };// 數組模擬鏈表 // 值表示下一個空閑下標 Node List[10]; int NextFree = 1; // 當前空閑下標,0用作特殊用途void AllocHandle() {if (NextFree == 0){printf("句柄表空間耗盡,請先釋放句柄.\n");return;}printf("獲取新句柄:%d\n", NextFree);List[NextFree].used = 1;NextFree = List[NextFree].Next;printf("當前空閑句柄:%d\n", NextFree); }void FreeHandle(int x) {if (List[x].used == 0){printf("不能釋放一個未使用的句柄.\n");return;}List[x].used = 0;printf("釋放了一個句柄:%d\n", x);int temp = NextFree;NextFree = x;printf("當前空閑句柄:%d\n", NextFree);List[x].Next = temp;}void PrintList() {for (int i = 0; i < 10; i++){printf("%d ", i);}printf("\n");for (int i = 0; i < 10; i++){if (List[i].used)printf("* ");elseprintf(" ");}printf("\n");for (int i = 0; i < 10; i++){printf("%d ", List[i].Next);}printf("\n");printf("----------------------------------------------\n");printf("----------------------------------------------\n"); }int _tmain(int argc, _TCHAR* argv[]) {for (int i = 1; i < 9; i++){List[i].Next = i + 1;List[i].used = 0;}PrintList();while (1){int n;printf("申請句柄請輸入-1,釋放句柄請輸入句柄號碼:");scanf("%d", &n);getchar();if (n == -1){AllocHandle();}else{FreeHandle(n);}PrintList();}return 0; }ExpAllocateHandleTableEntry
這個函數的功能是從句柄表里找一個空閑位置,然后把新句柄插入進去。它調用了 ExpMoveFreeHandles 函數,我分析過這個 ExpMoveFreeHandles 函數,不敢說完全弄懂了,不過大概用途應該是檢查 LastFree 隊列是否有句柄,LastFree 存的是使用過但已經釋放的句柄,據我觀察,絕大多數進程的句柄表是不使用這個值的,所以在分析進程句柄表的時候,可以忽略這個函數,它啥也沒做。不過正如我所說,我不敢保證我的分析是對的,所以我也會貼出我對這個函數的部分分析,僅供參考。
此外,如果當前最低層句柄表空間耗盡,還會調用 ExpAllocateHandleTableEntrySlow 函數來擴展句柄表,這個已經分析過了,此處不表。函數返回值是句柄表項的地址,這個地址是通過 ExpLookupHandleTableEntry 函數獲取的。
插入成功后,句柄計數加一,這些細節在代碼中能看到。
下面給出我的分析結果,即 ExpAllocateHandleTableEntry,ExpMoveFreeHandles,ExpLookupHandleTableEntry 的注釋。
再次強調,ExpMoveFreeHandles 的分析結果可能并不準確。
PHANDLE_TABLE_ENTRY ExpAllocateHandleTableEntry (IN PHANDLE_TABLE HandleTable,OUT PEXHANDLE pHandle) /*++Routine Description:This routine does a fast allocate of a free handle. It's lock free ifpossible.快速分配一個句柄表項,Only the rare case of handle table expansion is covered by the handletable lock.Arguments:HandleTable - Supplies the handle table being allocated from.pHandle - Handle returnedReturn Value:PHANDLE_TABLE_ENTRY - The allocated handle table entry pointer or NULLon failure.--*/ {PKTHREAD CurrentThread;ULONG OldValue, NewValue, NewValue1;PHANDLE_TABLE_ENTRY Entry;EXHANDLE Handle;BOOLEAN RetVal;ULONG Idx;CurrentThread = KeGetCurrentThread ();while (1) {// FirstFree 是下一個空閑句柄的索引OldValue = HandleTable->FirstFree;// 如果沒有空位了,就擴展句柄表while (OldValue == 0) {//// Lock the handle table for exclusive access as we will be// allocating a new table level.//// 鎖住句柄表,為了互斥訪問,因為現在要擴展句柄表了ExpLockHandleTableExclusive (HandleTable, CurrentThread);//// If we have multiple threads trying to expand the table at// the same time then by just acquiring the table lock we// force those threads to complete their allocations and// populate the free list. We must check the free list here// so we don't expand the list twice without needing to.//// 如果有多個線程同時嘗試擴展句柄表,只需要把句柄表鎖住,// 等待其他線程完成操作,當我們獲得操作權限時,必須先檢查// 其他線程是否已經擴展了句柄表,避免重復擴展。//// FirstFree 有空位了,因為其他線程已經擴展了句柄表OldValue = HandleTable->FirstFree;if (OldValue != 0) {ExpUnlockHandleTableExclusive (HandleTable, CurrentThread);break;}//// See if we have any handles on the alternate free list// These handles need some locking to move them over.//// 檢查 LastFree 隊列是否有空閑句柄位置,如果沒有(LastFree == 0)就啥也不干//// FirstFree 是當前空閑隊列,LastFree 是已使用但被釋放了的空閑隊列// 如果 StrictFIFO == 0 并且 FirstFree 已經為空,就把 LastFree 給到 FirstFree//OldValue = ExpMoveFreeHandles (HandleTable);if (OldValue != 0) {ExpUnlockHandleTableExclusive (HandleTable, CurrentThread);break;}//// This must be the first thread attempting expansion or all the// free handles allocated by another thread got used up in the gap.// 必須是第一個要求擴展句柄表的線程,或者是別的線程擴展的空間已經用完//// 嘗試擴展句柄表RetVal = ExpAllocateHandleTableEntrySlow (HandleTable, TRUE);// 句柄表解鎖ExpUnlockHandleTableExclusive (HandleTable, CurrentThread);OldValue = HandleTable->FirstFree;//// If ExpAllocateHandleTableEntrySlow had a failed allocation// then we want to fail the call. We check for free entries// before we exit just in case they got allocated or freed by// somebody else in the gap.// //if (!RetVal) {if (OldValue == 0) {// 擴展失敗的原因是句柄表空間用盡pHandle->GenericHandleOverlay = NULL;return NULL;} }}// 設置句柄值,如果失敗,就是0,否則就是 FirstFreeHandle.Value = (OldValue & FREE_HANDLE_MASK);// 找到新句柄在句柄表的位置Entry = ExpLookupHandleTableEntry (HandleTable, Handle);Idx = ((OldValue & FREE_HANDLE_MASK)>>2) % HANDLE_TABLE_LOCKS;ExpLockHandleTableShared (HandleTable, CurrentThread, Idx);if (OldValue != *(volatile ULONG *) &HandleTable->FirstFree) {ExpUnlockHandleTableShared (HandleTable, CurrentThread, Idx);continue;}KeMemoryBarrier ();// 獲取新句柄里存儲的 NextFreeTableEntry ,這個值的含義是下一個空閑句柄的位置NewValue = *(volatile ULONG *) &Entry->NextFreeTableEntry;// 更新 FirstFree ,指向下一個空閑句柄位置NewValue1 = InterlockedCompareExchange ((PLONG)&HandleTable->FirstFree,NewValue,OldValue);ExpUnlockHandleTableShared (HandleTable, CurrentThread, Idx);if (NewValue1 == OldValue) {EXASSERT ((NewValue & FREE_HANDLE_MASK) < HandleTable->NextHandleNeedingPool);break;} else {//// We should have eliminated the A-B-A problem so if only the sequence number has// changed we are broken.//EXASSERT ((NewValue1 & FREE_HANDLE_MASK) != (OldValue & FREE_HANDLE_MASK));}}// 句柄計數加一InterlockedIncrement (&HandleTable->HandleCount);// 輸出參數返回句柄值*pHandle = Handle;// 返回句柄表項的地址return Entry; }ExpMoveFreeHandles
ULONG ExpMoveFreeHandles (IN PHANDLE_TABLE HandleTable) {ULONG OldValue, NewValue;ULONG Index, OldIndex, NewIndex, FreeSize;PHANDLE_TABLE_ENTRY Entry, FirstEntry;EXHANDLE Handle;ULONG Idx;BOOLEAN StrictFIFO;//// First remove all the handles from the free list so we can add them to the// list we use for allocates.//// 如果 LastFree == 0,就啥也不干,直接返回OldValue = InterlockedExchange ((PLONG)&HandleTable->LastFree,0);Index = OldValue;if (Index == 0) {//// There are no free handles. Nothing to do.// 如果 LastFree 本來就是0,說明沒有空閑句柄,啥也不做返回//return OldValue;}//// We are pushing old entries onto the free list.// We have the A-B-A problem here as these items may have been moved here because// another thread was using them in the pop code.//for (Idx = 1; Idx < HANDLE_TABLE_LOCKS; Idx++) {ExAcquireReleasePushLockExclusive (&HandleTable->HandleTableLock[Idx]);}StrictFIFO = HandleTable->StrictFIFO;//// If we are strict FIFO then reverse the list to make handle reuse rare.//// 系統中唯一一個StrictFIFO=1的句柄表是PspCidTable,普通進程 StrictFIFO == 0if (!StrictFIFO) {//// We have a complete chain here. If there is no existing chain we// can just push this one without any hassles. If we can't then// we can just fall into the reversing code anyway as we need// to find the end of the chain to continue it.////// This is a push so create a new sequence number//// 如果不要求FIFO,且 FirstFree 鏈表為空,則 FirstFree = LastFreeif (InterlockedCompareExchange ((PLONG)&HandleTable->FirstFree,OldValue + GetNextSeq(),0) == 0) {return OldValue;}}//// Loop over all the entries and reverse the chain.// 反轉鏈表,保證 FIFOFreeSize = OldIndex = 0;FirstEntry = NULL;while (1) {FreeSize++;Handle.Value = Index;Entry = ExpLookupHandleTableEntry (HandleTable, Handle);EXASSERT (Entry->Object == NULL);NewIndex = Entry->NextFreeTableEntry;Entry->NextFreeTableEntry = OldIndex;if (OldIndex == 0) {FirstEntry = Entry;}OldIndex = Index;if (NewIndex == 0) {break;}Index = NewIndex;}NewValue = ExpInterlockedExchange (&HandleTable->FirstFree,OldIndex,FirstEntry);//// If we haven't got a pool of a few handles then force// table expansion to keep the free handle size high//if (FreeSize < 100 && StrictFIFO) {OldValue = 0;}return OldValue; }ExpLookupHandleTableEntry
這個比較簡單,看一遍源碼應該就懂了。
PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry (IN PHANDLE_TABLE HandleTable,IN EXHANDLE tHandle)/*++Routine Description:This routine looks up and returns the table entry for thespecified handle value.查找句柄在句柄表里的地址Arguments:HandleTable - Supplies the handle table being queriedtHandle - Supplies the handle value being queriedReturn Value:Returns a pointer to the corresponding table entry for the inputhandle. Or NULL if the handle value is invalid (i.e., too largefor the tables current allocation.--*/{ULONG_PTR i,j,k;ULONG_PTR CapturedTable;ULONG TableLevel;PHANDLE_TABLE_ENTRY Entry = NULL;EXHANDLE Handle;PUCHAR TableLevel1;PUCHAR TableLevel2;PUCHAR TableLevel3;ULONG_PTR MaxHandle;PAGED_CODE();//// Extract the handle index//Handle = tHandle;Handle.TagBits = 0;// 句柄的范圍小于 NextHandleNeedingPoolMaxHandle = *(volatile ULONG *) &HandleTable->NextHandleNeedingPool;//// See if this can be a valid handle given the table levels.// 檢查句柄是否超過范圍,是就返回NULL//if (Handle.Value >= MaxHandle) {return NULL; }//// Now fetch the table address and level bits. We must preserve the// ordering here.//CapturedTable = *(volatile ULONG_PTR *) &HandleTable->TableCode;//// we need to capture the current table. This routine is lock free// so another thread may change the table at HandleTable->TableCode//// 獲取句柄表層級結構TableLevel = (ULONG)(CapturedTable & LEVEL_CODE_MASK);// 計算最高層句柄表地址CapturedTable = CapturedTable - TableLevel;//// The lookup code depends on number of levels we have//switch (TableLevel) {case 0://// We have a simple index into the array, for a single level// handle table//TableLevel1 = (PUCHAR) CapturedTable;//// The index for this level is already scaled by a factor of 4. Take advantage of this//Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[Handle.Value *(sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];break;case 1://// we have a 2 level handle table. We need to get the upper index// and lower index into the array//TableLevel2 = (PUCHAR) CapturedTable;i = Handle.Value % (LOWLEVEL_COUNT * HANDLE_VALUE_INC);Handle.Value -= i;j = Handle.Value / ((LOWLEVEL_COUNT * HANDLE_VALUE_INC) / sizeof (PHANDLE_TABLE_ENTRY));TableLevel1 = (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel2[j];Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[i * (sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];break;case 2://// We have here a three level handle table.//TableLevel3 = (PUCHAR) CapturedTable;i = Handle.Value % (LOWLEVEL_COUNT * HANDLE_VALUE_INC);Handle.Value -= i;k = Handle.Value / ((LOWLEVEL_COUNT * HANDLE_VALUE_INC) / sizeof (PHANDLE_TABLE_ENTRY));j = k % (MIDLEVEL_COUNT * sizeof (PHANDLE_TABLE_ENTRY));k -= j;k /= MIDLEVEL_COUNT;TableLevel2 = (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel3[k];TableLevel1 = (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel2[j];Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[i * (sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];break;default :_assume (0);}return Entry; }ExpFreeHandleTableEntry
和插入比較類似,刪除操作調用的函數是 ExpFreeHandleTableEntry。如果您閱讀并運行了我給出的模擬程序,這部分應該是很好理解的,直接給出源碼注釋。
VOID ExpFreeHandleTableEntry (IN PHANDLE_TABLE HandleTable,IN EXHANDLE Handle,IN PHANDLE_TABLE_ENTRY HandleTableEntry)/*++Routine Description:This worker routine returns the specified handle table entry to the freelist for the handle table.Note: The caller must have already locked the handle tableArguments:HandleTable - Supplies the parent handle table being modifiedHandle - Supplies the handle of the entry being freedHandleTableEntry - Supplies the table entry being freedReturn Value:None.--*/{PHANDLE_TABLE_ENTRY_INFO EntryInfo;ULONG OldFree, NewFree, *Free;PKTHREAD CurrentThread;ULONG Idx;ULONG SeqInc;PAGED_CODE();EXASSERT (HandleTableEntry->Object == NULL);EXASSERT (HandleTableEntry == ExpLookupHandleTableEntry (HandleTable, Handle));//// Clear the AuditMask flags if these are present into the table//EntryInfo = ExGetHandleInfo(HandleTable, Handle.GenericHandleOverlay, TRUE);if (EntryInfo) {EntryInfo->AuditMask = 0;}//// A free is simply a push onto the free table entry stack, or in the// debug case we'll sometimes just float the entry to catch apps who// reuse a recycled handle value.//// 句柄計數減一InterlockedDecrement (&HandleTable->HandleCount);CurrentThread = KeGetCurrentThread ();// 句柄值第2位清零存到 NewFree ,正常來說句柄值是4的倍數,低2位肯定是00// 待會要用 NewFree 來設置 FirstFreeNewFree = (ULONG) Handle.Value & ~(HANDLE_VALUE_INC - 1);#if DBGif (ExReuseHandles) { #endif //DBGif (!HandleTable->StrictFIFO) {//// We are pushing potentially old entries onto the free list.// Prevent the A-B-A problem by shifting to an alternate list// read this element has the list head out of the loop.//Idx = (NewFree>>2) % HANDLE_TABLE_LOCKS;if (ExTryAcquireReleasePushLockExclusive (&HandleTable->HandleTableLock[Idx])) {SeqInc = GetNextSeq();Free = &HandleTable->FirstFree; // 走這} else {SeqInc = 0;Free = &HandleTable->LastFree;}} else {SeqInc = 0;Free = &HandleTable->LastFree;}while (1) {OldFree = ReadForWriteAccess (Free);// 釋放的句柄的 NextFreeTableEntry 等于原來的 FirstFreeHandleTableEntry->NextFreeTableEntry = OldFree;// 更新 FirstFreeif ((ULONG)InterlockedCompareExchange ((PLONG)Free,NewFree + SeqInc,OldFree) == OldFree) {EXASSERT ((OldFree & FREE_HANDLE_MASK) < HandleTable->NextHandleNeedingPool);break;}}#if DBG} else {HandleTableEntry->NextFreeTableEntry = 0;} #endif //DBGreturn; }總結
以上是生活随笔為你收集整理的进程句柄表初始化,扩展,插入删除句柄源码分析的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 进程线程创建过程
- 下一篇: 命令行编译 WRK ,windbg 调试