What is \Sessions\1\BaseNamedObjects\NamedBuffer?

reverse-engineering windows ollydbg
2021-06-26 16:24:32

I see these in the debugger (OllyDbg, Handles sub-window), but I have never come across an explanation of what they are.

That is all of it; honestly, I would like to know what all of this means. The many NamedBuffer entries look suspicious, and I would like to know whether it is the same on other computers.

Yesterday I learned that I can press Tab to switch between native (\REGISTRY\MACHINE) and translated (HKEY_LOCAL_MACHINE) names. It works for registry paths and file paths.

Handles
Handle     Type             Refs    Access     T    Info          Name
00000028   ALPC Port           4.   001F0001
0000004C   Desktop          1737.   000F01FF                      \Default
00000008   Directory          91.   00000003                      \KnownDlls
0000000C   Directory          53.   00000003                      \KnownDlls32
00000018   Directory          53.   00000003                      \KnownDlls32
00000070   Directory        2028.   0000000F                      \Sessions\1\BaseNamedObjects
0000003C   Event               2.   001F0003
00000044   Event               3.   001F0003
00000058   Event               2.   001F0003
0000005C   Event               2.   001F0003
00000060   Event               2.   001F0003
00000064   Event               2.   001F0003
00000068   Event               2.   001F0003
0000006C   Event               2.   001F0003
0000007C   File (dev)          2.   00100003                      \FileSystem\Filters\FltMgrMsg
00000010   File (dir)          2.   00100020                      \Device\HarddiskVolume1\Windows
0000001C   File (dir)          2.   00100020                      \Device\HarddiskVolume1\shared\debugger
00000004   Key                 2.   00000009                      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
00000014   Key                 2.   00000009                      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
00000020   Key                 2.   00020019                      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
00000024   Key                 2.   00000001                      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER
00000038   Key                 2.   000F003F                      \REGISTRY\MACHINE
00000034   Mutant              2.   001F0001
00000080   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\mchLLEW2$1360
00000084   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5f9e0
00000088   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\AutoUnhookMap$00001360$73ec0000
0000008C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $71ac0000
00000094   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a7dffe
00000098   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $73e812c6
0000009C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $73e82384
000000A0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $76fef792
000000A4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75db3be3
000000A8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $76e69d0b
000000AC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75b77ba4
000000B0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75b7ea03
000000B4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75b7b986
000000B8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75b758b3
000000BC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75dccd11
000000C0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75db9ae4
000000C4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75e1dd76
000000C8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75e1de19
000000CC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75dc3baa
000000D0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75b75ea5
000000D4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75b7cc01
000000D8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ba4969
000000DC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75b7ba5f
000000E0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75f202bf
000000E4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75f2027b
000000E8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed835c
000000EC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed7603
000000F0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ecee09
000000F4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed6110
000000F8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ec8332
000000FC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed3baa
00000100   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed12a5
00000104   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed3c61
00000108   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ec8bff
0000010C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed612e
00000110   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ec9679
00000114   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed781f
00000118   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ec97d2
0000011C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75f26cfc
00000120   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed76e0
00000124   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75f26d5d
00000128   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed7668
0000012C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75eec112
00000130   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75eed0f5
00000134   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75eeff4a
00000138   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75eeec68
0000013C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed291f
00000140   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75eeeb96
00000144   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75f288eb
00000148   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed2d64
0000014C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed3698
00000150   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75edc4b6
00000154   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75f27dd7
00000158   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75f09f1d
0000015C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ecefc9
00000160   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed6c30
00000164   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ec90d3
00000168   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75ed2da4
0000016C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $75f11497
00000170   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a60550
00000174   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a603d0
00000178   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a6079c
0000017C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5ff74
00000180   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a606f4
00000184   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a60874
00000188   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a607e4
0000018C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a60004
00000190   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a60084
00000194   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a61cb4
00000198   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a61d8c
0000019C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5fcb0
000001A0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a60694
000001A4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a60df4
000001A8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a61be4
000001AC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5ffa4
000001B0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5fdc8
000001B4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a600b4
000001B8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5fd64
000001BC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5fec0
000001C0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a6088c
000001C4   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a60ed8
000001C8   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5fb28
000001CC   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a608a4
000001D0   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a603b8
0000002C   Semaphore           2.   00100003        Count 0. of
00000030   Semaphore           2.   00100003        Count 0. of
00000048   WindowStation      82.   000F037F                      \Sessions\1\Windows\WindowStations\WinSta0
00000050   WindowStation      82.   000F037F                      \Sessions\1\Windows\WindowStations\WinSta0
2 Answers

These are names of sections created by CreateFileMapping() or ZwCreateSection. They will not be the same on other computers.

OllyDbg even says the handle is a Section.

A simple executable will not have many handles.

You can look up this code on MSDN and compile it to see the names in OllyDbg's Handles window.

Creating Named Shared Memory

If you create 10 different file mappings, you will see 10 section handles with 10 names, BaseNamedObjects\MyFileMappingObject1, 2, 3 etc., as shown below.

Handles, item 4

Handle=00000028
Type=Section
Refs= 3.
Access=000F0007 WRITE_OWNER|WRITE_DAC|READ_CONTROL|DELETE|QUERY_STATE|MODIFY_STATE|4
Name= \BaseNamedObjects\MyFileMappingObject
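
Added example (not from the question, the answer, or OllyDbg itself): a small Python parser for a Handles-window dump like the one in the question. It counts handles per object type, pulls the two hex values out of the NamedBuffer section names, and expands an access mask into right names the way the Access= line above does. The right-name tables are the standard winnt.h values; reading "Process $00001360" as a process id is an assumption taken from the wording of the name.

```python
import re
from collections import Counter

# Constructed sample in the layout of OllyDbg's Handles window (rows copied from the question)
SAMPLE = r"""
00000028   ALPC Port           4.   001F0001
00000034   Mutant              2.   001F0001
00000080   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\mchLLEW2$1360
00000084   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $77a5f9e0
0000008C   Section             3.   000F0007                      \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00001360, API $71ac0000
"""
# Columns: handle, type (may contain a space, e.g. "ALPC Port"), refs, access, name/info
ROW_RE = re.compile(r"^([0-9A-F]{8})\s+(.+?)\s+(\d+)\.\s+([0-9A-F]{8})\s*(.*)$")
# NamedBuffer names embed two hex values; "Process $..." is assumed to be a process id
NAMED_BUFFER_RE = re.compile(r"NamedBuffer,.*Process \$([0-9A-Fa-f]+), API \$([0-9A-Fa-f]+)")
# Standard rights from winnt.h, plus the Section-specific low bits
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                   0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SECTION_RIGHTS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
                  0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE"}

def parse_handles(text):
    """Parse the dump into dicts; lines that are not handle rows are skipped."""
    rows = []
    for line in text.splitlines():
        if m := ROW_RE.match(line.rstrip()):
            handle, kind, refs, access, name = m.groups()
            rows.append({"handle": int(handle, 16), "type": kind, "refs": int(refs),
                         "access": int(access, 16), "name": name})
    return rows

def count_by_type(rows):
    return Counter(r["type"] for r in rows)  # the quick "is this many Sections normal?" check

def named_buffers(rows):
    """(process id, API address) pairs pulled from NamedBuffer section names."""
    found = []
    for r in rows:
        m = NAMED_BUFFER_RE.search(r["name"]) if r["type"] == "Section" else None
        if m:
            found.append((int(m.group(1), 16), int(m.group(2), 16)))
    return found

def decode_access(mask, specific_rights):
    """Expand an access mask into right names, as OllyDbg's Access= line does."""
    known = {**specific_rights, **STANDARD_RIGHTS}
    names = [n for bit, n in sorted(known.items()) if mask & bit]
    leftover = mask & ~sum(known)  # bits without a name are shown as hex
    return "|".join(names + ([f"0x{leftover:X}"] if leftover else []))
```

Feed it the full listing instead of SAMPLE and count_by_type shows how the Section count dwarfs everything else, which is the observation the question is about.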

About this line:

00000034   Mutant              2.   001F0001

Mutant is the kernel name for a mutex.

The name mutant has a colorful history. Early in the development of Windows NT, Dave Cutler created a kernel mutex object to implement low-level mutual exclusion. Later he discovered that OS/2 required a version of the mutual-exclusion semaphore with additional semantics, which Dave considered "brain-damaged" and incompatible with the original object. (Specifically, a thread could abandon the object and leave it inaccessible.) So he created an OS/2 version of the mutex and named it mutant. Later Dave modified the mutant object to remove the OS/2 semantics, allowing the Win32 subsystem to use the object. The Win32 API calls the modified object a mutex, but the native services retain the name mutant.

https://forum.sysinternals.com/whats-a-mutant-handle_topic17376.html

https://blogs.msdn.microsoft.com/larryosterman/2004/09/24/cleaning-up-shared-resources-when-a-process-is-abnormally-terminated/

Helen Custer, "Inside Windows NT"