KERNEL32!NlsServerInitialize函数分析：创建了一个目录对象和目录对象下面的5个对象
创建了一个目录对象，以及目录对象下面的5个对象。
第一部分:
1: kd> kc
#
00 basesrv!BaseSrvNlsCreateSection
01 CSRSRV!CsrCallServerFromServer
02 ntdll!CsrClientCallServer
03 KERNEL32!CsrBasepNlsCreateSection
04 KERNEL32!NlsServerInitialize
05 KERNEL32!NlsDllInitialize
06 KERNEL32!BaseDllInitialize
07 ntdll!LdrpCallInitRoutine
08 ntdll!LdrpRunInitializeRoutines
09 ntdll!LdrpLoadDll
0a ntdll!LdrLoadDll
0b CSRSRV!CsrLoadServerDll
0c CSRSRV!CsrParseServerCommandLine
0d CSRSRV!CsrServerInitialization
0e csrss!main
0f csrss!NtProcessStartup
返回到这里:
ULONG
BaseSrvNlsCreateSection(
IN OUT PCSR_API_MSG m,
IN OUT PCSR_REPLY_STATUS ReplyStatus)
{
rc = NtCreateSection( &hNewSec,
hFile ? SECTION_MAP_READ : SECTION_MAP_READ | SECTION_MAP_WRITE,
&ObjA,
hFile? NULL:&Size,
hFile ? PAGE_READONLY:PAGE_READWRITE,
SEC_COMMIT,
hFile );
NtClose(hFile);
第二部分:
1: kd> dv
m = 0x0015f28c
ReplyStatus = 0x0015f23c
ObjA = struct _OBJECT_ATTRIBUTES
hFile = 0x000000d8
pSecurityDescriptor = unsigned char [52] "???"
1: kd> dx -r1 (*((basesrv!_OBJECT_ATTRIBUTES *)0x15f12c))
(*((basesrv!_OBJECT_ATTRIBUTES *)0x15f12c)) [Type: _OBJECT_ATTRIBUTES]
[+0x000] Length : 0x18 [Type: unsigned long]
[+0x004] RootDirectory : 0x0 [Type: void *]
[+0x008] ObjectName : 0x15f154 : "\NLS\NlsSectionUnicode" [Type: _UNICODE_STRING *]
[+0x00c] Attributes : 0xd0 [Type: unsigned long]
[+0x010] SecurityDescriptor : 0x15f1a4 [Type: void *]
[+0x014] SecurityQualityOfService : 0x0 [Type: void *]
//
// Duplicate the new section handle for the client.
// The client will map a view of the section and fill in the data.
//
InitializeObjectAttributes( &ObjA,
NULL,
0,
NULL,
NULL );
1: kd> dx -r1 (*((basesrv!_OBJECT_ATTRIBUTES *)0x15f12c))
(*((basesrv!_OBJECT_ATTRIBUTES *)0x15f12c)) [Type: _OBJECT_ATTRIBUTES]
[+0x000] Length : 0x18 [Type: unsigned long]
[+0x004] RootDirectory : 0x0 [Type: void *]
[+0x008] ObjectName : 0x0 [Type: _UNICODE_STRING *]
[+0x00c] Attributes : 0x0 [Type: unsigned long]
[+0x010] SecurityDescriptor : 0x0 [Type: void *]
[+0x014] SecurityQualityOfService : 0x0 [Type: void *]
rc = NtOpenProcess( &hProcess,
PROCESS_DUP_HANDLE,
&ObjA,
&m->h.ClientId );
1: kd> p
basesrv!BaseSrvNlsCreateSection+0x492:
001b:752eb220 ff1518112e75 call dword ptr [basesrv!_imp__NtOpenProcess (752e1118)]
1: kd> p
basesrv!BaseSrvNlsCreateSection+0x498:
001b:752eb226 8bd8 mov ebx,eax
1: kd> dv
m = 0x0015f28c
ReplyStatus = 0x0015f23c
ObjA = struct _OBJECT_ATTRIBUTES
hFile = 0x000000d8
hNewSec = 0x000000dc
ObSecName = "\NLS\NlsSectionUnicode"
Size = {10696049119985740}
pFile = 0x752e2c34
a = 0x0015f2b4
wszFileName = unsigned short [32]
wszSecName = unsigned short [32]
hProcess = 0x000000e0
1: kd> !handle e0
PROCESS 8953a020 SessionId: 0 Cid: 01b4 Peb: 7ffdf000 ParentCid: 0184
DirBase: 7b29b000 ObjectTable: e1436840 HandleCount: 14.
Image: csrss.exe
Handle table at e1436840 with 14 entries in use
00e0: Object: 8953a020 GrantedAccess: 00000040 Entry: e15e61c0
Object: 8953a020 Type: (899a28e8) Process
ObjectHeader: 8953a008 (old version)
HandleCount: 2 PointerCount: 3
1: kd> dt kprocess 8953a020
CSRSRV!KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x8953a030 - 0x8953a030 ]
+0x018 DirectoryTableBase : [2] 0x7b29b000
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 Unused : 0 ''
+0x034 ActiveProcessors : 2
+0x038 KernelTime : 0x36
+0x03c UserTime : 0
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8953a060 - 0x8953a060 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x8961f1cc - 0x8961f1cc ]
+0x058 ProcessLock : 0
+0x05c Affinity : 3
+0x060 StackCount : 1
+0x062 BasePriority : 13 ''
+0x063 ThreadQuantum : 36 '$'
+0x064 AutoAlignment : 0 ''
+0x065 State : 0 ''
+0x066 ThreadSeed : 0 ''
+0x067 DisableBoost : 0 ''
+0x068 PowerState : 0 ''
+0x069 DisableQuantum : 0 ''
+0x06a IdealNode : 0 ''
+0x06b Spare : 0 ''
第三部分:
1: kd> dv
m = 0x0015f28c
ReplyStatus = 0x0015f23c
ObjA = struct _OBJECT_ATTRIBUTES
hFile = 0x000000d8
hNewSec = 0x000000dc
ObSecName = "\NLS\NlsSectionUnicode"
Size = {10696049119985740}
pFile = 0x752e2c34
a = 0x0015f2b4
wszFileName = unsigned short [32]
wszSecName = unsigned short [32]
hProcess = 0x000000e0
rc = 0n0
pSecurityDescriptor = unsigned char [52] "???"
1: kd> dx -r1 ((basesrv!_CSR_API_MSG *)0x15f28c)
((basesrv!_CSR_API_MSG *)0x15f28c) : 0x15f28c [Type: _CSR_API_MSG *]
[+0x000] h [Type: _PORT_MESSAGE]
[+0x018] ConnectionRequest [Type: _CSR_API_CONNECTINFO]
[+0x018] CaptureBuffer : 0x0 [Type: _CSR_CAPTURE_HEADER *]
[+0x01c] ApiNumber : 0x10010 [Type: unsigned long]
[+0x020] ReturnValue : 0x40001 [Type: unsigned long]
[+0x024] Reserved : 0x0 [Type: unsigned long]
[+0x028] u [Type: __unnamed]
1: kd> dx -r1 (*((basesrv!__unnamed *)0x15f2b4))
(*((basesrv!__unnamed *)0x15f2b4)) [Type: __unnamed]
[+0x000] ClientConnect [Type: _CSR_CLIENTCONNECT_MSG]
[+0x000] ApiMessageData [Type: unsigned long [39]]
1: kd> dx -r1 ((basesrv!_BASE_NLS_CREATE_SECTION_MSG *)0x15f2b4)
((basesrv!_BASE_NLS_CREATE_SECTION_MSG *)0x15f2b4) : 0x15f2b4 [Type: _BASE_NLS_CREATE_SECTION_MSG *]
[+0x000] hNewSection : 0x0 [Type: void *]
[+0x004] uiType : 0x1 [Type: unsigned int]
[+0x008] Locale : 0x0 [Type: unsigned long]
// Prototype of the call made below: SourceProcessHandle = NtCurrentProcess(),
// SourceHandle = hNewSec, TargetProcessHandle = hProcess (opened with
// PROCESS_DUP_HANDLE from m->h.ClientId; the !handle e0 dump shows GrantedAccess
// 0x40, which is exactly PROCESS_DUP_HANDLE), TargetHandle = &a->hNewSection,
// DesiredAccess = 0, Attributes = 0, Options = DUPLICATE_SAME_ACCESS |
// DUPLICATE_CLOSE_SOURCE.
//
// DUPLICATE_SAME_ACCESS makes DesiredAccess irrelevant: the new handle inherits
// the source handle's access. Both 0xdc and 0xe4 show GrantedAccess 0x4
// (SECTION_MAP_READ), matching the read-only access NtCreateSection requested
// because hFile was non-NULL — the client gets a read-only mapping, not write.
// DUPLICATE_CLOSE_SOURCE closes hNewSec in the server after the copy, which is
// consistent with the object still showing HandleCount 1 on handle 0xe4.
//
// The resulting handle value is written into the reply message (a->hNewSection,
// 0xe4 here) and is only meaningful in the target process's handle table; the
// client's access to the section is whatever the server chose to grant, not
// whatever the client could have obtained by opening \NLS\... itself.
NTSTATUS NtDuplicateObject(
HANDLE SourceProcessHandle,
HANDLE SourceHandle,
HANDLE TargetProcessHandle,
PHANDLE TargetHandle,
ACCESS_MASK DesiredAccess,
ULONG Attributes,
ULONG Options
);
rc = NtDuplicateObject( NtCurrentProcess(),
hNewSec,
hProcess,
&(a->hNewSection),
0L,
0L,
DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE );
1: kd> !handle dc
PROCESS 8953a020 SessionId: 0 Cid: 01b4 Peb: 7ffdf000 ParentCid: 0184
DirBase: 7b29b000 ObjectTable: e1436840 HandleCount: 14.
Image: csrss.exe
Handle table at e1436840 with 14 entries in use
00dc: Object: e155b810 GrantedAccess: 00000004 Entry: e15e61b8
Object: e155b810 Type: (89994e70) Section
ObjectHeader: e155b7f8 (old version)
HandleCount: 1 PointerCount: 2
Directory Object: e15e9460 Name: NlsSectionUnicode
1: kd> dv
m = 0x0015f28c
ReplyStatus = 0x0015f23c
ObjA = struct _OBJECT_ATTRIBUTES
hFile = 0x000000d8
hNewSec = 0x000000dc
ObSecName = "\NLS\NlsSectionUnicode"
Size = {10696049119985740}
pFile = 0x752e2c34
a = 0x0015f2b4
pSecurityDescriptor = unsigned char [52] "???"
1: kd> dx -r1 ((basesrv!_BASE_NLS_CREATE_SECTION_MSG *)0x15f2b4)
((basesrv!_BASE_NLS_CREATE_SECTION_MSG *)0x15f2b4) : 0x15f2b4 [Type: _BASE_NLS_CREATE_SECTION_MSG *]
[+0x000] hNewSection : 0xe4 [Type: void *]
[+0x004] uiType : 0x1 [Type: unsigned int]
[+0x008] Locale : 0x0 [Type: unsigned long]
a->hNewSection=hNewSection : 0xe4
1: kd> !handle e4
PROCESS 8953a020 SessionId: 0 Cid: 01b4 Peb: 7ffdf000 ParentCid: 0184
DirBase: 7b29b000 ObjectTable: e1436840 HandleCount: 14.
Image: csrss.exe
Handle table at e1436840 with 14 entries in use
00e4: Object: e155b810 GrantedAccess: 00000004 Entry: e15e61c8
Object: e155b810 Type: (89994e70) Section
ObjectHeader: e155b7f8 (old version)
HandleCount: 1 PointerCount: 2
Directory Object: e15e9460 Name: NlsSectionUnicode
源进程和目标进程是一样的：这里是CSRSRV!CsrCallServerFromServer从服务端内部发起的调用，m->h.ClientId.UniqueProcess = 0x1b4 正是csrss.exe自身（Cid 01b4），所以NtOpenProcess打开的hProcess指向当前进程。
句柄依次为 dc、e0、e4（每次递增4）：
hFile = 0x000000d8
hNewSec = 0x000000dc
hProcess = 0x000000e0
a->hNewSection=0x000000e4
1: kd> dv
m = 0x0015f28c
1: kd> dx -r1 ((basesrv!_CSR_API_MSG *)0x15f28c)
((basesrv!_CSR_API_MSG *)0x15f28c) : 0x15f28c [Type: _CSR_API_MSG *]
[+0x000] h [Type: _PORT_MESSAGE]
[+0x018] ConnectionRequest [Type: _CSR_API_CONNECTINFO]
[+0x018] CaptureBuffer : 0x0 [Type: _CSR_CAPTURE_HEADER *]
[+0x01c] ApiNumber : 0x10010 [Type: unsigned long]
[+0x020] ReturnValue : 0x40001 [Type: unsigned long]
[+0x024] Reserved : 0x0 [Type: unsigned long]
[+0x028] u [Type: __unnamed]
1: kd> dx -r1 (*((basesrv!_PORT_MESSAGE *)0x15f28c))
(*((basesrv!_PORT_MESSAGE *)0x15f28c)) [Type: _PORT_MESSAGE]
[+0x000] u1 [Type: __unnamed]
[+0x004] u2 [Type: __unnamed]
[+0x008] ClientId [Type: _CLIENT_ID]
[+0x008] DoNotUseThisField : 0.000000 [Type: double]
[+0x010] MessageId : 0x77f2ebe8 [Type: unsigned long]
[+0x014] ClientViewSize : 0x77e85ce9 [Type: unsigned long]
[+0x014] CallbackId : 0x77e85ce9 [Type: unsigned long]
1: kd> dx -r1 (*((basesrv!_CLIENT_ID *)0x15f294))
(*((basesrv!_CLIENT_ID *)0x15f294)) [Type: _CLIENT_ID]
[+0x000] UniqueProcess : 0x1b4 [Type: void *]
[+0x004] UniqueThread : 0x1b8 [Type: void *]
1: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 75.
Image: System
PROCESS 89504020 SessionId: none Cid: 0184 Peb: 7ffdf000 ParentCid: 0004
DirBase: 7b9d8000 ObjectTable: e127d250 HandleCount: 11.
Image: smss.exe
PROCESS 8953a020 SessionId: 0 Cid: 01b4 Peb: 7ffdf000 ParentCid: 0184
DirBase: 7b29b000 ObjectTable: e1436840 HandleCount: 14.
Image: csrss.exe
第四部分:
NTSTATUS CsrBasepNlsCreateSection(
IN UINT uiType,
IN LCID Locale,
OUT PHANDLE phSection)
{
CsrClientCallServer( (PCSR_API_MSG)&m,
NULL,
CSR_MAKE_API_NUMBER(BASESRV_SERVERDLL_INDEX,
BasepNlsCreateSection),
sizeof(*a) );
//
// Save the handle to the new section.
//
*phSection = a->hNewSection;
return (m.ReturnValue);
#endif
}
第五部分:继续创建几个对象
// All other data files will have the sections created only as they
// are needed.
//
if ((!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_UNICODE, 0, &hSec))) ||
(!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_LOCALE, 0, &hSec))) ||
(!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_CTYPE, 0, &hSec))) ||
(!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_SORTKEY, 0, &hSec))) ||
(!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_SORTTBLS, 0, &hSec))))
{
return (rc);
}
1: kd> kc
#
00 basesrv!BaseSrvNlsCreateSection
01 CSRSRV!CsrCallServerFromServer
02 ntdll!CsrClientCallServer
03 KERNEL32!CsrBasepNlsCreateSection
04 KERNEL32!NlsServerInitialize
05 KERNEL32!NlsDllInitialize
ULONG NlsServerInitialize(void)
{
。。。。。。
if ((!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_UNICODE, 0, &hSec))) ||
(!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_LOCALE, 0, &hSec))) ||
(!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_CTYPE, 0, &hSec))) ||
(!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_SORTKEY, 0, &hSec))) ||
(!NT_SUCCESS(rc = CsrBasepNlsCreateSection( NLS_CREATE_SECTION_SORTTBLS, 0, &hSec))))
{
return (rc);
}
// uiType values passed to CsrBasepNlsCreateSection by the five calls in
// NlsServerInitialize. The value travels to the server in the LPC message
// (a->uiType) and BaseSrvNlsCreateSection switches on it to pick the section
// name (NLS_SECTION_*) and the backing file (pFile). Because the value arrives
// from the client side of the port, that switch is where an out-of-range uiType
// has to be rejected — its default branch is not shown here; TODO confirm it
// fails the request instead of creating a section with an uninitialized name.
#define NLS_CREATE_SECTION_UNICODE 1
#define NLS_CREATE_SECTION_LOCALE 2
#define NLS_CREATE_SECTION_CTYPE 3
#define NLS_CREATE_SECTION_SORTKEY 4
#define NLS_CREATE_SECTION_SORTTBLS 5
NTSTATUS CsrBasepNlsCreateSection(
IN UINT uiType,
IN LCID Locale,
OUT PHANDLE phSection)
{
BASE_API_MSG m;
PBASE_NLS_CREATE_SECTION_MSG a = &m.u.NlsCreateSection;
a->Locale = Locale;
a->uiType = uiType; //a->uiType = uiType;
CsrClientCallServer( (PCSR_API_MSG)&m,
NULL,
CSR_MAKE_API_NUMBER(BASESRV_SERVERDLL_INDEX,
BasepNlsCreateSection),
sizeof(*a) );
ULONG
BaseSrvNlsCreateSection(
IN OUT PCSR_API_MSG m,
IN OUT PCSR_REPLY_STATUS ReplyStatus)
{
。。。。
switch (a->uiType)
{
case (NLS_CREATE_SECTION_UNICODE) :
{
RtlInitUnicodeString(&ObSecName, NLS_SECTION_UNICODE);
pFile = NLS_FILE_UNICODE;
break;
}
// Object-manager paths of the five NLS sections, all placed under the \NLS
// directory created by CreateNlsObjectDirectory. NLS_SECTION_UNICODE is the
// string seen as ObSecName / ObjectName in the debugger dumps above.
// The _OBJECT_ATTRIBUTES dump for the section shows Attributes 0xd0, which
// decodes to OBJ_PERMANENT | OBJ_CASE_INSENSITIVE | OBJ_OPENIF, and a non-NULL
// SecurityDescriptor (presumably the pSecurityDescriptor local shown in dv):
// the section survives the server closing its handle and is protected by that
// explicit descriptor rather than by whatever the caller's default would be.
#define NLS_SECTION_UNICODE L"\\NLS\\NlsSectionUnicode"
#define NLS_SECTION_LOCALE L"\\NLS\\NlsSectionLocale"
#define NLS_SECTION_CTYPE L"\\NLS\\NlsSectionCType"
#define NLS_SECTION_SORTKEY L"\\NLS\\NlsSectionSortkey"
#define NLS_SECTION_SORTTBLS L"\\NLS\\NlsSectionSortTbls"
ObSecName = "\NLS\NlsSectionUnicode"
第六部分:目录对象已经创建好了。
// Name of the object directory that holds the NLS sections. CreateNlsObjectDirectory
// creates it with OBJ_PERMANENT | OBJ_CASE_INSENSITIVE, an explicit security
// descriptor, and DIRECTORY_TRAVERSE | DIRECTORY_CREATE_OBJECT access. The
// "!object \" dump lists it at e15e9460 with HandleCount 0 — the permanent
// attribute is what keeps it alive once hDirHandle has (presumably) been closed.
#define NLS_OBJECT_DIRECTORY_NAME L"\\NLS"
ULONG CreateNlsObjectDirectory()
{
//
// Create the object directory.
//
RtlInitUnicodeString(&ObDirName, NLS_OBJECT_DIRECTORY_NAME);
InitializeObjectAttributes( &ObjA,
&ObDirName,
OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
NULL,
pSecurityDescriptor );
rc = NtCreateDirectoryObject( &hDirHandle,
DIRECTORY_TRAVERSE | DIRECTORY_CREATE_OBJECT,
&ObjA );
1: kd> !object \
Object: e10007c0 Type: (899a2e70) Directory
ObjectHeader: e10007a8 (old version)
HandleCount: 0 PointerCount: 30
Directory Object: 00000000 Name: \
Hash Address Type Name
---- ------- ---- ----
00 e1003350 Directory ArcName
8962e4b0 Device Ntfs
03 e1003b28 Key \REGISTRY
09 e15e9460 Directory NLS
1: kd> !object \NLS
Object: e15e9460 Type: (899a2e70) Directory
ObjectHeader: e15e9448 (old version)
HandleCount: 0 PointerCount: 2
Directory Object: e10007c0 Name: NLS
Hash Address Type Name
---- ------- ---- ----
33 e155b810 Section NlsSectionUnicode