【旧文章搬运】Windows句柄表分配算法分析(一)

HandleTable = ExpAllocateHandleTable( Process,TRUE );//创建句柄表
InsertTailList( &HandleTableListHead,&HandleTable->HandleTableList );//放入双向链表中
=======================================================
PHANDLE_TABLE
ExpAllocateHandleTable (
    IN PEPROCESS Process OPTIONAL,IN BOOLEAN DoInit
    );

//设置TableCode为刚申请的一级表,这里其实隐含了句柄表为一级这个事实
HandleTable->TableCode = (ULONG_PTR)HandleTableTable;
//下面是对这个刚申请的一级表进行初始化
HandleEntry = &HandleTableTable[0]; //第一个HANDLE_TABLE_ENTRY
     HandleEntry->NextFreeTableEntry = EX_ADDITIONAL_INFO_SIGNATURE;//-2,作为标志;
     HandleEntry->Value = 0; //对象值为0,对应于无效句柄NULL
    //
    // For duplicate calls we skip building the free list as we rebuild it manually as
    // we traverse the old table we are duplicating
    //
    if (DoInit) { //这个参数在普通调用时为TRUE,仅在复制句柄表时则为False,因为复制时并不需要重新分配句柄
         HandleEntry++; //从第二个HANDLE_TABLE_ENTRY开始
        //
        //   Now setup the free list.   We do this by chaining together the free
        //   entries such that each free entry give the next free index (i.e.,//   like a fat chain).   The chain is terminated with a 0.   Note that
        //   we‘ll skip handle zero because our callers will get that value
        //   confused with null.
        //
        for (i = 1; i < LOWLEVEL_COUNT - 1; i += 1) {
             HandleEntry->Value = 0; //对象值初始化为0
            //FreeHandle即自由的,未被使用的句柄
             HandleEntry->NextFreeTableEntry = (i+1)*HANDLE_VALUE_INC; //构建FreeHandle列表,在初始化时,每一个HANDLE_TABLE_ENTRY都指向下一个句柄.这里的NextFreeTableEntry的值准确说是下一个FreeHandle,这样构成了一个单向链表一样的结构
             HandleEntry++;
         }
        //对最后一项作特殊处理
         HandleEntry->Value = 0;
         HandleEntry->NextFreeTableEntry = 0; //最后一项的NextFreeTableEntry为0
         HandleTable->FirstFree = HANDLE_VALUE_INC; //把刚初始化完的句柄表的FirstFree设为4,即第一个可用句柄
     }
    
     HandleTable->NextHandleNeedingPool = LOWLEVEL_COUNT * HANDLE_VALUE_INC; //一级表最大句柄
    //
    //   Setup the necessary process information
    //
     HandleTable->QuotaProcess = Process; //设置所属的Process
     HandleTable->UniqueProcessId = PsGetCurrentProcess()->UniqueProcessId; //调置所属Process的ProcessId
     HandleTable->Flags = 0;

PHANDLE_TABLE_ENTRY
ExpAllocateLowLevelTable (
     IN PHANDLE_TABLE HandleTable,IN BOOLEAN DoInit
     )
/*++
Routine Description:
     This worker routine allocates a new low level table
    
     Note: The caller must have already locked the handle table
Arguments:
     HandleTable - Supplies the handle table being used
     DoInit - If FALSE the caller (duplicate) doesn‘t need the free list maintained
Return Value:
     Returns - a pointer to a low-level table if allocation is
         successful otherwise the return value is null.
--*/
{
    ULONG k;
     PHANDLE_TABLE_ENTRY NewLowLevel = NULL,HandleEntry;
    ULONG BaseHandle;
    
    //
    //   Allocate the pool for lower level
    //
     NewLowLevel = ExpAllocateTablePagedPoolNoZero( HandleTable->QuotaProcess,TABLE_PAGE_SIZE
                                                  );//申请内存,大小为一级表的大小TABLE_PAGE_SIZE
    if (NewLowLevel == NULL) {
        return NULL;
     }
    //
    //   We stamp with EX_ADDITIONAL_INFO_SIGNATURE to recognize in the future this
    //   is a special information entry
    //
//下面三行代码为初始化,这个同刚创建HANDLE_TABLE时创建第一个一级表时的工作基本相同,不多说
     HandleEntry = &NewLowLevel[0];
     HandleEntry->NextFreeTableEntry = EX_ADDITIONAL_INFO_SIGNATURE;
     HandleEntry->Value = 0;
    //
    // Initialize the free list within this page if the caller wants this
    //
    if (DoInit) {
         HandleEntry++;
        //
        //   Now add the new entries to the free list.   To do this we
        //   chain the new free entries together.   We are guaranteed to
        //   have at least one new buffer.   The second buffer we need
        //   to check for.
        //
        //   We reserve the first entry in the table to the structure with
        //   additional info
        //
        //
        //   Do the guaranteed first buffer
        //
  //这里是构建FreeHandleList,也是将每一个HANDLE_TABLE_ENTRY的NextFreeTableEntry指向下一个可用句柄.
  //但是由于这里不是第一个一级表,所以句柄值的计算稍有不同,需要考虑加上前面的部分
         BaseHandle = HandleTable->NextHandleNeedingPool + 2 * HANDLE_VALUE_INC;
        //BaseHandle是当前新分配的句柄表中的最小句柄+4,即未申请本表时的最大Handle(句柄表的最大Handle即HandleTable->NextHandleNeedingPool)再加上8,也就是说跳过了第一个用作无效标记的HANDLE_TABLE_ENTRY(占一个句柄索引),
        //以第二个作为新句柄表起始点的HANDLE_TABLE_ENTRY为起始点(因为第二个HANDLE_TABLE_ENTRY才是有效的,因此从这里开始构建FreeHandleList的话,它的下一个FreeHandle应该指向第三个HANDLE_TABLE_ENTRY,
        //而第三个HANDLE_TABLE_ENTRY的句柄在当前句柄表内的偏移为2*HANDLE_VALUE_INC=8)
        for (k = BaseHandle; k < BaseHandle + (LOWLEVEL_COUNT - 2) * HANDLE_VALUE_INC; k += HANDLE_VALUE_INC) {
   
   //k的值为BaseHandle开始,以HANDLE_VALUE_INC递增,增量为4
             HandleEntry->NextFreeTableEntry = k; //这里构建了FreeHandleList,可以实验观察之
             HandleEntry->Value = 0;
             HandleEntry++;
         }
         HandleEntry->NextFreeTableEntry = 0; //最后一个置0,作为结束标记
         HandleEntry->Value = 0;
     }
    return NewLowLevel;    
}