
Wednesday, 17 September 2014

WinDbg : !handle Command



Handles are used everywhere in Windows. A handle is an opaque value that refers to a kernel object; almost every Windows API takes a handle as its reference to the underlying object. WinDbg has the !handle extension command to help us find out more about the handles a process holds.

Here is the output of !handle when run against a user-mode crash dump. The output of !handle differs between user-mode and kernel-mode debugging; we will see those differences shortly.


0:000> !handle


Handle 0000000000000004
  Type         Directory
Handle 0000000000000008
  Type         File
Handle 000000000000000c
  Type         Key
Handle 0000000000000010
  Type         Event
Handle 0000000000000014
  Type         ALPC Port
Handle 0000000000000024
  Type         Key
Handle 0000000000000030
  Type         WaitCompletionPacket
Handle 0000000000000034
  Type         IoCompletion
Handle 0000000000000038
  Type         TpWorkerFactory
Handle 000000000000003c
  Type         IRTimer
Handle 0000000000000040
  Type         WaitCompletionPacket
Handle 0000000000000044
  Type         IRTimer
Handle 0000000000000048
  Type         WaitCompletionPacket
Handle 000000000000004c
  Type        
<Output Snipped due to space constraints>
Handle 0000000000000bf8
  Type         Thread
377 Handles
Type                     Count
None                     26
Event                    74
Section                  5
File                     7
Directory                2
Mutant                   115
Semaphore                17
Key                      104
Thread                   11
IoCompletion             2
TpWorkerFactory          1
ALPC Port                9
WaitCompletionPacket     4


The !handle command takes a flags value as its second argument. Here is the output for handle 0x10 with each of the flags 1 (type), 2 (basic information: attributes, granted access, handle and pointer counts), 4 (name), 8 (object-specific information) and f (all flags enabled):

0:000> !handle 10 1
Handle 0000000000000010
  Type          Event

0:000> !handle 10 2
Handle 0000000000000010
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65537

0:000> !handle 10 4
Handle 0000000000000010
  Name         <none>

0:000> !handle 10 8
Handle 0000000000000010
  No object specific information available

0:000> !handle 10 f
Handle 0000000000000010
  Type         Event
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65537
  Name         <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting

To get all information (0xf) about every handle of a particular object type in the process (say, all Event objects), we pass 0 as the handle, which means all handles, followed by the type name:

0:000> !handle 0 f event
Handle 0000000000000010
  Type         Event
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65537
  Name         <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting
Handle 000000000000002c
  Type         Event
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65538
  Name         <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting

<Output Snipped to save space>

Handle 0000000000000afc
  Type         Event
  Attributes   0
  GrantedAccess 0x100003:
         Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65512
  Name         <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting
74 handles of type Event
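
The GrantedAccess mask is the part of this output worth reading most carefully when reviewing what a process can do with an object. The following Python script, added here as an example and not part of the original post, decodes such a mask the way !handle does: the high word holds the standard rights (Delete, ReadControl, WriteDac, WriteOwner, Synch), the low word holds the type-specific rights (QueryState and ModifyState for an Event), and the bit values are the documented Win32 access-right constants. It goes a little beyond the post by also covering the Key and File masks that appear in the kernel-mode listing later in the post, and it reports any bits it cannot name rather than silently dropping them.

```python
"""Decode the GrantedAccess mask that !handle prints for a handle.

Added example, not from the original post. Bit values are the documented
Win32 access-right constants; names use WinDbg's spellings where the post
shows them (Delete, ReadControl, WriteDac, WriteOwner, Synch, QueryState,
ModifyState) and SDK-derived names for the Key and File rights.
"""

# Standard rights live in the high word of the mask.
STANDARD_RIGHTS = [
    (0x00010000, "Delete"),
    (0x00020000, "ReadControl"),
    (0x00040000, "WriteDac"),
    (0x00080000, "WriteOwner"),
    (0x00100000, "Synch"),
]

# Generic and special bits in the top byte (normally mapped away by the time
# a handle exists, but worth naming if they ever show up in a dump).
GENERIC_RIGHTS = [
    (0x01000000, "AccessSystemSecurity"),
    (0x02000000, "MaximumAllowed"),
    (0x10000000, "GenericAll"),
    (0x20000000, "GenericExecute"),
    (0x40000000, "GenericWrite"),
    (0x80000000, "GenericRead"),
]

# Type-specific rights (low word) for the object types the post shows.
SPECIFIC_RIGHTS = {
    "Event": [(0x0001, "QueryState"), (0x0002, "ModifyState")],
    "Key": [(0x0001, "QueryValue"), (0x0002, "SetValue"), (0x0004, "CreateSubKey"),
            (0x0008, "EnumerateSubKeys"), (0x0010, "Notify"), (0x0020, "CreateLink")],
    "File": [(0x0001, "ReadData"), (0x0002, "WriteData"), (0x0004, "AppendData"),
             (0x0008, "ReadEa"), (0x0010, "WriteEa"), (0x0020, "Execute"),
             (0x0040, "DeleteChild"), (0x0080, "ReadAttributes"),
             (0x0100, "WriteAttributes")],
}

# Rights that let the holder change the object or its security descriptor.
WRITE_RIGHTS = {
    None: {"Delete", "WriteDac", "WriteOwner", "GenericAll", "GenericWrite"},
    "Event": {"ModifyState"},
    "Key": {"SetValue", "CreateSubKey", "CreateLink"},
    "File": {"WriteData", "AppendData", "WriteEa", "DeleteChild", "WriteAttributes"},
}


def decode_access(mask, object_type=None):
    """Split a mask into standard, generic and type-specific right names.

    'unknown' holds any bits the tables do not cover, so an incomplete
    decoding is visible instead of silently dropping bits.
    """
    specific_table = SPECIFIC_RIGHTS.get(object_type, [])
    covered = 0
    for bit, _ in STANDARD_RIGHTS + GENERIC_RIGHTS + specific_table:
        covered |= bit
    return {
        "standard": [n for b, n in STANDARD_RIGHTS if mask & b],
        "generic": [n for b, n in GENERIC_RIGHTS if mask & b],
        "specific": [n for b, n in specific_table if mask & b],
        "unknown": mask & ~covered & 0xFFFFFFFF,
    }


def format_like_windbg(mask, object_type=None):
    """Render the decoding in the two-line form !handle uses."""
    d = decode_access(mask, object_type)
    lines = [f"GrantedAccess 0x{mask:x}:",
             "         " + ",".join(d["standard"] + d["generic"]),
             "         " + ",".join(d["specific"])]
    if d["unknown"]:
        lines.append(f"         (undecoded bits: 0x{d['unknown']:x})")
    return "\n".join(lines)


def write_capable(mask, object_type=None):
    """True if the handle grants any right that modifies the object."""
    d = decode_access(mask, object_type)
    granted = set(d["standard"] + d["generic"] + d["specific"])
    return bool(granted & (WRITE_RIGHTS[None] | WRITE_RIGHTS.get(object_type, set())))


if __name__ == "__main__":
    # Handle 0x10 (0x1f0003) and handle 0xafc (0x100003) from the Event listing above,
    # and the Key handle 0x0010 (0x20019, i.e. KEY_READ) from the kernel-mode listing.
    for mask, kind in ((0x1f0003, "Event"), (0x100003, "Event"), (0x20019, "Key")):
        print(format_like_windbg(mask, kind), "write-capable:", write_capable(mask, kind))
```

Handle 0x10 decodes to the full standard set plus QueryState and ModifyState, exactly as the 0xf output above shows; handle 0xafc, with 0x100003, keeps only Synch on the first line. A mask passed with an object type the table does not know (say Thread) still decodes its standard rights and reports the low bits as unknown, which is the cue to add that type's table before drawing conclusions.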


The output and capabilities of !handle in kernel mode are different. It is more powerful there, since the debugger has access to the kernel objects needed to fetch this information.

kd> !handle

PROCESS 851d1348  SessionId: 1  Cid: 08b4    Peb: 7ffd4000  ParentCid: 0138
    DirBase: 1eed3420  ObjectTable: 93d06750  HandleCount:  71.
    Image: NotMyfault.exe

Handle table at 93d06750 with 71 entries in use

0004: Object: 8b265108  GrantedAccess: 00000003 Entry: 93d26008
Object: 8b265108  Type: (839b7e90) Directory
    ObjectHeader: 8b2650f0 (new version)
        HandleCount: 29  PointerCount: 67
        Directory Object: 874010e8  Name: KnownDlls

        Hash Address  Type          Name
        ---- -------  ----          ----
         00  875dd678 Section       gdi32.dll
             8b2569f0 Section       kernelbase.dll
             87439a48 Section       IMAGEHLP.dll
         02  875fec88 Section       NORMALIZ.dll
         03  8d82ec58 Section       ole32.dll
             8847b3b8 Section       URLMON.dll
         04  874ff820 Section       USP10.dll
         05  8b252458 Section       DEVOBJ.dll
         06  8ca6d948 Section       SHELL32.dll
             8b250af0 Section       CFGMGR32.dll
             875c71a8 Section       WLDAP32.dll
         09  874e84d0 Section       user32.dll
         14  875de3f8 Section       MSASN1.dll
         16  875edf98 SymbolicLink  KnownDllPath
             8b21ed58 Section       COMCTL32.dll
         17  87580268 Section       CRYPT32.dll
             8b24bba8 Section       PSAPI.DLL
         18  885ffb68 Section       advapi32.dll
             87537178 Section       OLEAUT32.dll
         19  8b3f8478 Section       SHLWAPI.dll
             875d3b50 Section       IERTUTIL.dll
             8755ba30 Section       ntdll.dll
         20  8755b780 Section       WS2_32.dll
         21  8ca6d758 Section       LPK.dll
         22  874d3850 Section       sechost.dll
         23  8745c768 Section       COMDLG32.dll
         24  8ca63f10 Section       difxapi.dll
         25  8758b888 Section       Setupapi.dll
         26  874cc3c8 Section       MSCTF.dll
             8b3e3338 Section       WININET.dll
         27  875d8b48 Section       WINTRUST.dll
             875cdd30 Section       IMM32.dll
         28  8ca533c8 Section       MSVCRT.dll
         31  874d33c8 Section       rpcrt4.dll
             875358b0 Section       clbcatq.dll
         32  8ca593e0 Section       kernel32.dll
         35  875fedf0 Section       NSI.dll

0008: Object: 851d11c0  GrantedAccess: 00100020 Entry: 93d26010
Object: 851d11c0  Type: (83a287a8) File
    ObjectHeader: 851d11a8 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Users\Win7SP1x86-Debug\Desktop\Tools\Notmyfault\exe\Release {HarddiskVolume2}

000c: Object: 850bd518  GrantedAccess: 00100020 Entry: 93d26018
Object: 850bd518  Type: (83a287a8) File
    ObjectHeader: 850bd500 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2 {HarddiskVolume2}

0010: Object: 93cbdd48  GrantedAccess: 00020019 Entry: 93d26020
Object: 93cbdd48  Type: (83a2d388) Key
    ObjectHeader: 93cbdd30 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS

0014: Object: 851d19e8  GrantedAccess: 001f0001 Entry: 93d26028
Object: 851d19e8  Type: (83a298f0) ALPC Port
    ObjectHeader: 851d19d0 (new version)
        HandleCount: 1  PointerCount: 3

0018: Object: 93cf3ec8  GrantedAccess: 00000001 Entry: 93d26030
Object: 93cf3ec8  Type: (83a2d388) Key
    ObjectHeader: 93cf3eb0 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER

001c: Object: 850bd620  GrantedAccess: 00000804 Entry: 93d26038
Object: 850bd620  Type: (83a43f78) EtwRegistration
    ObjectHeader: 850bd608 (new version)
        HandleCount: 1  PointerCount: 1

0020: Object: 851cec08  GrantedAccess: 001f0003 (Protected) Entry: 93d26040
Object: 851cec08  Type: (83a33420) Event
    ObjectHeader: 851cebf0 (new version)
        HandleCount: 1  PointerCount: 2

0024: Object: 84ccffa8  GrantedAccess: 000f037f Entry: 93d26048
Object: 84ccffa8  Type: (83a28de8) WindowStation
    ObjectHeader: 84ccff90 (new version)
        HandleCount: 13  PointerCount: 24
        Directory Object: 95e31b38  Name: WinSta0

0028: Object: 84cd1d18  GrantedAccess: 000f01ff Entry: 93d26050
Object: 84cd1d18  Type: (83a28d20) Desktop
    ObjectHeader: 84cd1d00 (new version)
        HandleCount: 8  PointerCount: 476
        Directory Object: 00000000  Name: Default

002c: Object: 84ccffa8  GrantedAccess: 000f037f Entry: 93d26058
Object: 84ccffa8  Type: (83a28de8) WindowStation
    ObjectHeader: 84ccff90 (new version)
        HandleCount: 13  PointerCount: 24
        Directory Object: 95e31b38  Name: WinSta0

0030: Object: 90dbab80  GrantedAccess: 000f003f Entry: 93d26060
Object: 90dbab80  Type: (83a2d388) Key
    ObjectHeader: 90dbab68 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE

0034: Object: 851c79f8  GrantedAccess: 00000804 Entry: 93d26068
Object: 851c79f8  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851c79e0 (new version)
        HandleCount: 1  PointerCount: 1

0038: Object: 851c7990  GrantedAccess: 00000804 Entry: 93d26070
Object: 851c7990  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851c7978 (new version)
        HandleCount: 1  PointerCount: 1

003c: Object: 851c7928  GrantedAccess: 00000804 Entry: 93d26078
Object: 851c7928  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851c7910 (new version)
        HandleCount: 1  PointerCount: 1

0040: Object: 851d3cd8  GrantedAccess: 00000804 Entry: 93d26080
Object: 851d3cd8  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d3cc0 (new version)
        HandleCount: 1  PointerCount: 1

0044: Object: 851cf428  GrantedAccess: 00000804 Entry: 93d26088
Object: 851cf428  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf410 (new version)
        HandleCount: 1  PointerCount: 1

0048: Object: 851cf490  GrantedAccess: 00000804 Entry: 93d26090
Object: 851cf490  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf478 (new version)
        HandleCount: 1  PointerCount: 1

004c: Object: 851cf3c0  GrantedAccess: 00000804 Entry: 93d26098
Object: 851cf3c0  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf3a8 (new version)
        HandleCount: 1  PointerCount: 1

0050: Object: 851cf358  GrantedAccess: 00000804 Entry: 93d260a0
Object: 851cf358  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf340 (new version)
        HandleCount: 1  PointerCount: 1

0054: Object: 851cf2f0  GrantedAccess: 00000804 Entry: 93d260a8
Object: 851cf2f0  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf2d8 (new version)
        HandleCount: 1  PointerCount: 1

0058: Object: 851cf288  GrantedAccess: 00000804 Entry: 93d260b0
Object: 851cf288  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf270 (new version)
        HandleCount: 1  PointerCount: 1

005c: Object: 851cffd0  GrantedAccess: 00000804 Entry: 93d260b8
Object: 851cffd0  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cffb8 (new version)
        HandleCount: 1  PointerCount: 1

0060: Object: 851cff68  GrantedAccess: 00000804 Entry: 93d260c0
Object: 851cff68  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cff50 (new version)
        HandleCount: 1  PointerCount: 1

0064: Object: 851cff00  GrantedAccess: 00000804 Entry: 93d260c8
Object: 851cff00  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cfee8 (new version)
        HandleCount: 1  PointerCount: 1

0068: Object: 851cfea8  GrantedAccess: 001f0001 Entry: 93d260d0
Object: 851cfea8  Type: (83a25418) Mutant
    ObjectHeader: 851cfe90 (new version)
        HandleCount: 1  PointerCount: 1

006c: Object: 851d3b90  GrantedAccess: 001f0003 Entry: 93d260d8
Object: 851d3b90  Type: (83a33420) Event
    ObjectHeader: 851d3b78 (new version)
        HandleCount: 1  PointerCount: 1

0070: Object: 93d14c28  GrantedAccess: 00020019 Entry: 93d260e0
Object: 93d14c28  Type: (83a2d388) Key
    ObjectHeader: 93d14c10 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE

0074: Object: 93c85638  GrantedAccess: 00020019 Entry: 93d260e8
Object: 93c85638  Type: (83a2d388) Key
    ObjectHeader: 93c85620 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE\ALTERNATE SORTS

0078: Object: 8bbc5ab8  GrantedAccess: 00020019 Entry: 93d260f0
Object: 8bbc5ab8  Type: (83a2d388) Key
    ObjectHeader: 8bbc5aa0 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE GROUPS

007c: Object: 851cfe48  GrantedAccess: 00000804 Entry: 93d260f8
Object: 851cfe48  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cfe30 (new version)
        HandleCount: 1  PointerCount: 1

0080: Object: 850be990  GrantedAccess: 00000804 Entry: 93d26100
Object: 850be990  Type: (83a43f78) EtwRegistration
    ObjectHeader: 850be978 (new version)
        HandleCount: 1  PointerCount: 1

0084: Object: 851d3038  GrantedAccess: 001f0001 Entry: 93d26108
Object: 851d3038  Type: (83a298f0) ALPC Port
    ObjectHeader: 851d3020 (new version)
        HandleCount: 1  PointerCount: 1

0088: Object: 8bb01590  GrantedAccess: 00000004 Entry: 93d26110
Object: 8bb01590  Type: (83a31b50) Section
    ObjectHeader: 8bb01578 (new version)
        HandleCount: 6  PointerCount: 6

008c: Object: 851d31b8  GrantedAccess: 00000804 Entry: 93d26118
Object: 851d31b8  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d31a0 (new version)
        HandleCount: 1  PointerCount: 1

0090: Object: 851d3220  GrantedAccess: 00000804 Entry: 93d26120
Object: 851d3220  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d3208 (new version)
        HandleCount: 1  PointerCount: 1

0094: Object: 849c05a8  GrantedAccess: 00120089 Entry: 93d26128
Object: 849c05a8  Type: (83a287a8) File
    ObjectHeader: 849c0590 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\System32\en-US\user32.dll.mui {HarddiskVolume2}

0098: Object: 851d9098  GrantedAccess: 001f0003 Entry: 93d26130
Object: 851d9098  Type: (83a33420) Event
    ObjectHeader: 851d9080 (new version)
        HandleCount: 1  PointerCount: 1

009c: Object: 95e2ed60  GrantedAccess: 0000000f Entry: 93d26138
Object: 95e2ed60  Type: (839b7e90) Directory
    ObjectHeader: 95e2ed48 (new version)
        HandleCount: 8  PointerCount: 43
        Directory Object: 95e2d298  Name: BaseNamedObjects

        Hash Address  Type          Name
        ---- -------  ----          ----
         00  95e2fc68 SymbolicLink  Local
             8506b5d8 Mutant        ZonesCacheCounterMutex
         01  850d3ab8 Mutant        ZonesLockedCacheCounterMutex
             8515d8b0 Mutant        AccessibilitySoundAgentRunning
             84f40ff0 Event         ThemesStartEvent
         02  95e2c428 Directory     Restricted
         03  84cd0298 Event         ScNetDrvMsg
         04  8e5479f0 Section       windows_shell_global_counters
         07  850f9580 Event         ShellDesktopSwitchEvent
         09  8513eb80 Event         MSCTF.AsmCacheReady.Default1
             84f53ea8 Event         ThemeLoadedEvent
         10  8513ec20 Event         MSCTF.CtfActivated.Default1
             90db9c98 Section       C:*ProgramData*Microsoft*Windows*Caches*{7CD55808-3D38-4DD5-90C9-62F0E6EE60D4}.2.ver0x0000000000000001.db
             90d58340 Section       C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db
         12  85145948 Mutant        MSCTF.CtfMonitorInstMutexDefault1
         13  84f96470 Event         ShellReadyEvent
             90d5eaa0 Section       C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
         14  90d59c58 Section       C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
         16  95e2d158 SymbolicLink  Global
         19  84d0e4d8 Event         WinSta0_DesktopSwitch
         20  848c5b18 Mutant        ZoneAttributeCacheCounterMutex
             84ccd208 Event         EventShutDownCSRSS
         21  8ba99b88 Section       windows_ie_global_counters
         22  84d79e10 Mutant        ALTTAB_RUNNING_MUTEX
         26  85100380 Event         MSCTF.CtfMonitorInitialized.Default1
         28  851450a8 Mutant        CicLoadWinStaWinSta0
             85182080 Mutant        _SHuassist.mtx
         29  849544e8 Mutant        ZonesCounterMutex
             85144700 Mutant        MSCTF.Asm.MutexDefault1
         30  95e1f100 SymbolicLink  Session
         31  8e551830 Section       UrlZonesSM_Win7SP1x86-Debug
         33  85141528 ALPC Port     Dwm-49D1-ApiPort-1BF9
             8e5ae7c8 Section       CTF.AsmListCache.FMPDefault1
         35  8513ebd0 Event         MSCTF.CtfDeactivated.Default1

00a0: Object: 851d1b90  GrantedAccess: 001f0003 Entry: 93d26140
Object: 851d1b90  Type: (83a33420) Event
    ObjectHeader: 851d1b78 (new version)
        HandleCount: 1  PointerCount: 1

00a4: Object: 851db930  GrantedAccess: 001f0003 Entry: 93d26148
Object: 851db930  Type: (83a33420) Event
    ObjectHeader: 851db918 (new version)
        HandleCount: 1  PointerCount: 1

00a8: Object: 851d2530  GrantedAccess: 00000804 Entry: 93d26150
Object: 851d2530  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d2518 (new version)
        HandleCount: 1  PointerCount: 1

00ac: Object: 851d97d8  GrantedAccess: 00000804 Entry: 93d26158
Object: 851d97d8  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d97c0 (new version)
        HandleCount: 1  PointerCount: 1

00b0: Object: 851c7df8  GrantedAccess: 001f0003 Entry: 93d26160
Object: 851c7df8  Type: (83a33420) Event
    ObjectHeader: 851c7de0 (new version)
        HandleCount: 1  PointerCount: 1

00b4: Object: 851d8d48  GrantedAccess: 001fffff Entry: 93d26168
Object: 851d8d48  Type: (839b78b0) Thread
    ObjectHeader: 851d8d30 (new version)
        HandleCount: 2  PointerCount: 4

00b8: Object: 851d96a0  GrantedAccess: 001f0001 Entry: 93d26170
Object: 851d96a0  Type: (83a298f0) ALPC Port
    ObjectHeader: 851d9688 (new version)
        HandleCount: 1  PointerCount: 1

00bc: Object: 852540f0  GrantedAccess: 0012019f Entry: 93d26178
Object: 852540f0  Type: (83a287a8) File
    ObjectHeader: 852540d8 (new version)
        HandleCount: 1  PointerCount: 3

00c0: Object: 8507f098  GrantedAccess: 001f0003 Entry: 93d26180
Object: 8507f098  Type: (83a28870) IoCompletion
    ObjectHeader: 8507f080 (new version)
        HandleCount: 1  PointerCount: 2

00c4: Object: 85255ee0  GrantedAccess: 000f00ff Entry: 93d26188
Object: 85255ee0  Type: (83a28c58) TpWorkerFactory
    ObjectHeader: 85255ec8 (new version)
        HandleCount: 1  PointerCount: 1

00c8: Object: 94078d00  GrantedAccess: 000f0003 Entry: 93d26190
Object: 94078d00  Type: (83a28eb0) KeyedEvent
    ObjectHeader: 94078ce8 (new version)
        HandleCount: 1  PointerCount: 1

00cc: Object: 850bfe38  GrantedAccess: 00100002 Entry: 93d26198
Object: 850bfe38  Type: (83a26350) Timer
    ObjectHeader: 850bfe20 (new version)
        HandleCount: 1  PointerCount: 2

00d0: Object: 850bfd70  GrantedAccess: 001f0003 Entry: 93d261a0
Object: 850bfd70  Type: (83a26350) Timer
    ObjectHeader: 850bfd58 (new version)
        HandleCount: 1  PointerCount: 2

00d4: Object: 850bfa88  GrantedAccess: 001fffff Entry: 93d261a8
Object: 850bfa88  Type: (839b78b0) Thread
    ObjectHeader: 850bfa70 (new version)
        HandleCount: 2  PointerCount: 3

00d8: Object: 850bfa88  GrantedAccess: 001fffff Entry: 93d261b0
Object: 850bfa88  Type: (839b78b0) Thread
    ObjectHeader: 850bfa70 (new version)
        HandleCount: 2  PointerCount: 3

00dc: Object: 851b1240  GrantedAccess: 001f0003 Entry: 93d261b8
Object: 851b1240  Type: (83a28870) IoCompletion
    ObjectHeader: 851b1228 (new version)
        HandleCount: 1  PointerCount: 2

00e0: Object: 850bf9e0  GrantedAccess: 000f00ff Entry: 93d261c0
Object: 850bf9e0  Type: (83a28c58) TpWorkerFactory
    ObjectHeader: 850bf9c8 (new version)
        HandleCount: 1  PointerCount: 1

00e4: Object: 850bf918  GrantedAccess: 00100002 Entry: 93d261c8
Object: 850bf918  Type: (83a26350) Timer
    ObjectHeader: 850bf900 (new version)
        HandleCount: 1  PointerCount: 2

00e8: Object: 850bf868  GrantedAccess: 00120089 Entry: 93d261d0
Object: 850bf868  Type: (83a287a8) File
    ObjectHeader: 850bf850 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\Fonts\StaticCache.dat {HarddiskVolume2}

00ec: Object: 90d6b3b0  GrantedAccess: 000f0005 Entry: 93d261d8
Object: 90d6b3b0  Type: (83a31b50) Section
    ObjectHeader: 90d6b398 (new version)
        HandleCount: 1  PointerCount: 1

00f0: Object: 84d4c968  GrantedAccess: 001f0003 Entry: 93d261e0
Object: 84d4c968  Type: (83a33420) Event
    ObjectHeader: 84d4c950 (new version)
        HandleCount: 1  PointerCount: 1

00f4: Object: 851c8e88  GrantedAccess: 00000804 Entry: 93d261e8
Object: 851c8e88  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851c8e70 (new version)
        HandleCount: 1  PointerCount: 1

00f8: Object: 84d50c78  GrantedAccess: 001f0003 Entry: 93d261f0
Object: 84d50c78  Type: (83a33420) Event
    ObjectHeader: 84d50c60 (new version)
        HandleCount: 1  PointerCount: 1

00fc: Object: 849fa258  GrantedAccess: 001f0003 Entry: 93d261f8
Object: 849fa258  Type: (83a33420) Event
    ObjectHeader: 849fa240 (new version)
        HandleCount: 1  PointerCount: 1

0100: Object: 84d70360  GrantedAccess: 001f0003 Entry: 93d26200
Object: 84d70360  Type: (83a33420) Event
    ObjectHeader: 84d70348 (new version)
        HandleCount: 1  PointerCount: 1

0104: Object: 851cc628  GrantedAccess: 001f0003 Entry: 93d26208
Object: 851cc628  Type: (83a33420) Event
    ObjectHeader: 851cc610 (new version)
        HandleCount: 1  PointerCount: 1

0108: Object: 8523bd38  GrantedAccess: 001f0003 Entry: 93d26210
Object: 8523bd38  Type: (83a33420) Event
    ObjectHeader: 8523bd20 (new version)
        HandleCount: 1  PointerCount: 1

010c: Object: 83a4c0f8  GrantedAccess: 001f0003 Entry: 93d26218
Object: 83a4c0f8  Type: (83a33420) Event
    ObjectHeader: 83a4c0e0 (new version)
        HandleCount: 1  PointerCount: 1

0110: Object: 851cf6d0  GrantedAccess: 001f0003 Entry: 93d26220
Object: 851cf6d0  Type: (83a33420) Event
    ObjectHeader: 851cf6b8 (new version)
        HandleCount: 1  PointerCount: 1

0114: Object: 85255318  GrantedAccess: 00100001 Entry: 93d26228
Object: 85255318  Type: (83a287a8) File
    ObjectHeader: 85255300 (new version)
        HandleCount: 1  PointerCount: 1

0118: Object: 93d12608  GrantedAccess: 000f003f Entry: 93d26230
Object: 93d12608  Type: (83a2d388) Key
    ObjectHeader: 93d125f0 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-4213196723-1351097745-788781942-1001

011c: Object: 8e5479f0  GrantedAccess: 00000006 Entry: 93d26238
Object: 8e5479f0  Type: (83a31b50) Section
    ObjectHeader: 8e5479d8 (new version)
        HandleCount: 3  PointerCount: 4
        Directory Object: 95e2ed60  Name: windows_shell_global_counters

As we can see, the kernel-mode output prints the object address, its type and its name, along with a good deal of other useful information.

Hence, for debugging handle leaks and similar problems, it is often more useful to have a full kernel dump than just a process dump.

For example, suppose we want to find all open file handles of the 'system' process. We can do that with the steps below:

kd> !process 0 0 system
PROCESS 839afbf8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 87401ca0  HandleCount: 463.
    Image: System

kd> .process /p /r 839afbf8
Implicit process is now 839afbf8
Loading User Symbols

kd> !handle 0 7 839afbf8 File

Searching for handles of type File

PROCESS 839afbf8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 87401ca0  HandleCount: 463.
    Image: System

Kernel handle table at 87401ca0 with 463 entries in use

0054: Object: 849133f0  GrantedAccess: 00120116 Entry: 874030a8
Object: 849133f0  Type: (83a287a8) File
    ObjectHeader: 849133d8 (new version)
        HandleCount: 1  PointerCount: 1

0060: Object: 84871940  GrantedAccess: 00100001 Entry: 874030c0
Object: 84871940  Type: (83a287a8) File
    ObjectHeader: 84871928 (new version)
        HandleCount: 1  PointerCount: 1

0064: Object: 84dc24d0  GrantedAccess: 0012008b Entry: 874030c8
Object: 84dc24d0  Type: (83a287a8) File
    ObjectHeader: 84dc24b8 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\System32\wdi\LogFiles\WdiContextLog.etl.003 {HarddiskVolume2}

0070: Object: 84c0ef80  GrantedAccess: 0012019f Entry: 874030e0
Object: 84c0ef80  Type: (83a287a8) File
    ObjectHeader: 84c0ef68 (new version)
        HandleCount: 1  PointerCount: 2

0088: Object: 84c42788  GrantedAccess: 0012019f Entry: 87403110
Object: 84c42788  Type: (83a287a8) File
    ObjectHeader: 84c42770 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: \$Extend\$RmMetadata\$TxfLog\$TxfLog.blf {HarddiskVolume1}

008c: Object: 84c30268  GrantedAccess: 0012019f (Inherit) Entry: 87403118
Object: 84c30268  Type: (83a287a8) File
    ObjectHeader: 84c30250 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: TxfLog {clfs}

0090: Object: 84c30310  GrantedAccess: 0012019f Entry: 87403120
Object: 84c30310  Type: (83a287a8) File
    ObjectHeader: 84c302f8 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: \$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 {HarddiskVolume1}

<Output snipped>


0140: Object: 847e7e98  GrantedAccess: 00020003 (Protected) Entry: 87403280
Object: 847e7e98  Type: (83a287a8) File
    ObjectHeader: 847e7e80 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\System32\config\SOFTWARE {HarddiskVolume2}


0728: free handle, Entry address 87403e50, Next Entry 00000744
0734: free handle, Entry address 87403e68, Next Entry 0000083c
0ffc: free handle, Entry address 91427ff8, Next Entry 00000000


<Output snipped>

I have deliberately snipped the output since it is very long. As we can see, the process holds open handles to regular files, registry hives, transaction logs and much more.

We will revisit this topic in a future post to see how this information can be extended to find which device an I/O request is bound to.


We can use the !object command to get even more useful information about the handle in question. Here is a link to a blog post which describes how the !object command works.
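
When the table has hundreds of entries, reading it by eye is error-prone. The Python below, added as an example and not the post's own code, parses kernel-mode !handle output such as the NotMyfault.exe and System listings above into records, counts handles per type (the figure to compare between two snapshots when hunting a leak), lists objects the process references through more than one handle, and checks that each Object address equals ObjectHeader + 0x18, the Body offset on this 32-bit Windows 7 target. The SAMPLE text is an excerpt of the NotMyfault.exe table above with the nested KnownDlls bucket listing left out; the line patterns are inferred from that output's layout.

```python
"""Parse kernel-mode !handle output and summarise it.

Added example, not from the original post. SAMPLE is an excerpt of the
NotMyfault.exe handle table shown in the post; the line patterns are
inferred from that output's layout.
"""
import re
from collections import Counter, defaultdict

# "0020: Object: 851cec08  GrantedAccess: 001f0003 (Protected) Entry: 93d26040"
HANDLE_RE = re.compile(r"^([0-9a-f]{4}): Object: ([0-9a-f]+)\s+GrantedAccess: ([0-9a-f]+)"
                       r"(?:\s+\((\w+)\))?\s+Entry: ([0-9a-f]+)")
TYPE_RE = re.compile(r"^Object: [0-9a-f]+\s+Type: \(([0-9a-f]+)\) (.+?)\s*$")
HEADER_RE = re.compile(r"^\s*ObjectHeader: ([0-9a-f]+)")
COUNTS_RE = re.compile(r"^\s*HandleCount: (\d+)\s+PointerCount: (\d+)")
NAME_RE = re.compile(r"^\s*Directory Object: ([0-9a-f]+)\s+Name: (.*?)\s*$")


def parse_handle_table(text):
    """One dict per handle entry, in the order !handle printed them."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := HANDLE_RE.match(line):
            cur = {"handle": int(m[1], 16), "object": int(m[2], 16), "access": int(m[3], 16),
                   "attr": m[4], "entry": int(m[5], 16), "type": None, "header": None,
                   "handle_count": None, "pointer_count": None, "name": None}
            entries.append(cur)
        elif cur is None:
            continue  # PROCESS banner, "Handle table at ..." and blank lines
        elif m := TYPE_RE.match(line):
            cur["type_object"], cur["type"] = int(m[1], 16), m[2]
        elif m := HEADER_RE.match(line):
            cur["header"] = int(m[1], 16)
        elif m := COUNTS_RE.match(line):
            cur["handle_count"], cur["pointer_count"] = int(m[1]), int(m[2])
        elif m := NAME_RE.match(line):
            cur["directory"], cur["name"] = int(m[1], 16), m[2]
        # "free handle" lines and nested bucket listings match nothing: skipped
    return entries


def count_by_type(entries):
    """Handles per type: the figure to compare between two snapshots."""
    return dict(Counter(e["type"] for e in entries))


def shared_objects(entries):
    """Objects this process references through more than one handle."""
    by_object = defaultdict(list)
    for e in entries:
        by_object[e["object"]].append(e["handle"])
    return {obj: hs for obj, hs in by_object.items() if len(hs) > 1}


def header_offset_mismatches(entries, body_offset=0x18):
    """Handles whose Object address is not ObjectHeader + body_offset.
    On this 32-bit target Body sits at +0x018 of _OBJECT_HEADER; a mismatch
    points at a parsing problem or a damaged header."""
    return [e["handle"] for e in entries
            if e["header"] is not None and e["object"] - e["header"] != body_offset]


def grown_types(before, after):
    """Types whose handle count rose between two snapshots (leak suspects)."""
    return {t: n - before.get(t, 0) for t, n in after.items() if n > before.get(t, 0)}


SAMPLE = """Handle table at 93d06750 with 71 entries in use

0004: Object: 8b265108  GrantedAccess: 00000003 Entry: 93d26008
Object: 8b265108  Type: (839b7e90) Directory
    ObjectHeader: 8b2650f0 (new version)
        HandleCount: 29  PointerCount: 67
        Directory Object: 874010e8  Name: KnownDlls

0020: Object: 851cec08  GrantedAccess: 001f0003 (Protected) Entry: 93d26040
Object: 851cec08  Type: (83a33420) Event
    ObjectHeader: 851cebf0 (new version)
        HandleCount: 1  PointerCount: 2

0024: Object: 84ccffa8  GrantedAccess: 000f037f Entry: 93d26048
Object: 84ccffa8  Type: (83a28de8) WindowStation
    ObjectHeader: 84ccff90 (new version)
        HandleCount: 13  PointerCount: 24
        Directory Object: 95e31b38  Name: WinSta0

002c: Object: 84ccffa8  GrantedAccess: 000f037f Entry: 93d26058
Object: 84ccffa8  Type: (83a28de8) WindowStation
    ObjectHeader: 84ccff90 (new version)
        HandleCount: 13  PointerCount: 24
        Directory Object: 95e31b38  Name: WinSta0

00d4: Object: 850bfa88  GrantedAccess: 001fffff Entry: 93d261a8
Object: 850bfa88  Type: (839b78b0) Thread
    ObjectHeader: 850bfa70 (new version)
        HandleCount: 2  PointerCount: 3

00d8: Object: 850bfa88  GrantedAccess: 001fffff Entry: 93d261b0
Object: 850bfa88  Type: (839b78b0) Thread
    ObjectHeader: 850bfa70 (new version)
        HandleCount: 2  PointerCount: 3

0728: free handle, Entry address 87403e50, Next Entry 00000744
"""
```

Running parse_handle_table over the sample yields six entries; shared_objects reports that handles 0024 and 002c both refer to the WinSta0 window station and that 00d4 and 00d8 both refer to the same thread, which is exactly the kind of duplicate a leak of DuplicateHandle results shows up as. To use it on a real investigation, save the debugger output to a file (for instance with .logopen) and feed the text in; compare count_by_type of two captures with grown_types.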

Monday, 15 September 2014

WinDbg : the !object Command & Its Usage


The NT kernel is designed around objects. It exposes a core set of object types that the NT Executive uses, together with a set of functions that act upon them. The Executive builds more complex objects out of these kernel objects, many of which are made available to user mode.

Note: The NT kernel does not depend on the Object Manager (which is part of the Executive) to manage the kernel-defined object types.

Kernel objects are of the following two types:

Dispatcher Objects: these control the synchronization and dispatching of system threads. Examples include thread, event, timer and mutex objects.

Control Objects: these affect the operation of kernel-mode code but do not take part in synchronization or dispatching. Examples include interrupt objects, process objects, APC and DPC objects.

Let's have a look at the list of kernel object types, which includes the dispatcher objects we can wait on. It is stored in an enum:


kd> dt nt!_KOBJECTS
   EventNotificationObject = 0n0
   EventSynchronizationObject = 0n1
   MutantObject = 0n2
   ProcessObject = 0n3
   QueueObject = 0n4
   SemaphoreObject = 0n5
   ThreadObject = 0n6
   GateObject = 0n7
   TimerNotificationObject = 0n8
   TimerSynchronizationObject = 0n9
   Spare2Object = 0n10
   Spare3Object = 0n11
   Spare4Object = 0n12
   Spare5Object = 0n13
   Spare6Object = 0n14
   Spare7Object = 0n15
   Spare8Object = 0n16
   Spare9Object = 0n17
   ApcObject = 0n18
   DpcObject = 0n19
   DeviceQueueObject = 0n20
   EventPairObject = 0n21
   InterruptObject = 0n22
   ProfileObject = 0n23
   ThreadedDpcObject = 0n24
   MaximumKernelObject = 0n25


An object in NT is an opaque data structure, implemented, maintained and manipulated by the NT Executive. Each such object has a set of operations defined for it, for example:
  • Create an instance of the object
  • Delete a created instance of the object
  • Wait on an object instance for it to become signaled
  • Signal an object instance
The object manager provides us with:
  • A global naming hierarchy, much like that used in file systems
  • Methods to create and delete object instances
  • Methods to add security restrictions on objects
  • Reference counts for object instances
  • The ability to add new object types to the system dynamically
Note: The Object Manager does not concern itself with the internal data structure of the object. The object structure consists of a header followed by the body:

kd> dt nt!_OBJECT_HEADER
   +0x000 PointerCount     : Int4B
   +0x004 HandleCount      : Int4B
   +0x004 NextToFree       : Ptr32 Void
   +0x008 Lock             : _EX_PUSH_LOCK
   +0x00c TypeIndex        : UChar
   +0x00d TraceFlags       : UChar
   +0x00e InfoMask         : UChar
   +0x00f Flags            : UChar
   +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body             : _QUAD

The global namespace maintained by the object manager contains all named objects in the system. The object namespace is modelled as an inverted tree (much like a file system) and the root directory of this tree is called "\". This namespace is initialized during system boot.

The NT Executive can create sub-directories under the root and create instances of already defined object types within them.

Let's try to walk the object manager namespace through the debugger. The !object extension command is extremely helpful here.


kd> !object \


Object: 874010e8  Type: (839b7e90) Directory
    ObjectHeader: 874010d0 (new version)
    HandleCount: 0  PointerCount: 42
    Directory Object: 00000000  Name: \

Hash Address  Type          Name
---- -------  ----          ----
 00  8740bbe0 Directory     ArcName
     8470c9f0 Device        Ntfs
 01  84ccfde8 ALPC Port     SeLsaCommandPort
     83a2b658 Event         UniqueInteractiveSessionIdEvent
 03  87408d10 Key           \REGISTRY
 04  83a295f8 ALPC Port     PowerPort
 05  84f2bf00 ALPC Port     ThemeApiPort
 09  8745d920 Directory     NLS
 10  87405df0 SymbolicLink  DosDevices
 12  84f319a8 ALPC Port     UxSmsApiPort
 13  84938038 ALPC Port     SeRmCommandPort
 14  84d66380 Event         LanmanServerAnnounceEvent
     8756d6e0 SymbolicLink  Dfs
     8744a360 Directory     UMDFCommunicationPorts
 16  8744cf58 Directory     Driver
 18  846fd4d0 Device        clfs
 19  8740f030 Directory     Device
 20  8b21e580 Directory     Windows
     84f03810 ALPC Port     MmcssApiPort
     849056e0 Event         CsrSbSyncEvent
 21  8b249bc8 Directory     Sessions
     84cebb38 Event         SAM_SERVICE_STARTED
 22  8b2487f8 Directory     RPC Control
     84958048 ALPC Port     SmApiPort
 23  95e0ee30 Directory     BaseNamedObjects
     874054c0 Directory     KernelObjects
     83a16038 ALPC Port     PowerMonitorPort
 24  87408f58 Directory     GLOBAL??
     87468330 Directory     FileSystem
 25  84d169c0 Event         DSYSDBG.Debug.Trace.Memory.208
     95ee6318 Section       LsaPerformance
 26  84d8da18 ALPC Port     SmSsWinStationApiPort
     87405b80 Directory     ObjectTypes
 27  8740ae38 Directory     Security
 30  851c9c20 ALPC Port     AELPort
 31  875dbd70 SymbolicLink  SystemRoot
 32  87405aa8 Directory     Callback
 33  84c28298 Event         UniqueSessionIdEvent
     84bcd6b8 Event         EFSInitEvent
 35  8b265108 Directory     KnownDlls

This displays all the objects directly under the root of the namespace, along with their type and the hash bucket they are chained in. To see a sub-tree we can give its path as well, e.g. \Driver.

kd> !object \Driver
Object: 8744cf58  Type: (839b7e90) Directory
    ObjectHeader: 8744cf40 (new version)
    HandleCount: 0  PointerCount: 87
    Directory Object: 874010e8  Name: Driver

Hash Address Type Name
---- ------- ---- ----
0 8470c4a0 Driver KSecDD
8474c3b8 Driver NDIS
8494b878 Driver Beep
8492d3b0 Driver rdpbus
1 847bfa58 Driver storflt
848df5d0 Driver SynthVid
848de030 Driver mouclass
2 8475c3b8 Driver KSecPkg
3 848a2db8 Driver kbdclass
4 839e87f0 Driver msisadrv
846aa940 Driver vmbus
8494b980 Driver VgaSave
84be2e28 Driver NDProxy
5 846ecdb8 Driver mountmgr
6 8474bb98 Driver pcw
8 85029960 Driver PEAUTH
846ec770 Driver atapi
847ddc38 Driver hwpolicy
8490c438 Driver blbdrive
9 846aae90 Driver volmgrx
10 848d7188 Driver Psched
11 84904600 Driver Win32k
846f8970 Driver amdxata
84981960 Driver mouhid
12 848d23a8 Driver tunnel
848e92e0 Driver netvsc
8492b4f0 Driver RasSstp
84949dc8 Driver swenum
13 8.48E+34 Driver HTTP
848816b0 Driver RDPCDD
8.49E+303 Driver RasPppoe
14 848903b8 Driver TermDD
15 848e8c20 Driver fdc
848cf150 Driver VMBusHID
84931f38 Driver Rasl2tp
16 8470c5e8 Driver CNG
8488ce38 Driver RDPREFMP
17 84951f38 Driver umbus
8491b1c0 Driver s3cap
18 84837de0 Driver secdrv
83a42da8 Driver ACPI_HAL
83a42670 Driver WMIxWDM
83a51338 Driver CLFS
848de250 Driver Serenum
8492ea18 Driver PptpMiniport
19 8.47E+102 Driver storvsc
847bf7b8 Driver spldr
21 8509d080 Driver tcpipreg
848d80c0 Driver NetBT
22 8484f4e0 Driver RDPENCDD
848a4030 Driver cdrom
84a515f0 Driver mssmbios
23 84f34b90 Driver rspndr
84856a80 Driver tdx
84967680 Driver WfpLwf
24 84fd1160 Driver mpsdrv
847613b8 Driver Tcpip
847ab530 Driver fvevol
25 839b7580 Driver 0000149
84307240 Driver volmgr
847c4d48 Driver volsnap
84891948 Driver nsiproxy
26 849194d0 Driver intelppm
27 84f38158 Driver lltdio
84890660 Driver Wanarpv6
28 848a4778 Driver Null
84a51b38 Driver discache
29 839e8508 Driver pci
847dd9a8 Driver Disk
848d6c40 Driver CSC
30 84307928 Driver partmgr
849134a0 Driver Serial
84932188 Driver NdisTapi
848da530 Driver NdisWan
32 852541a0 Driver MYFAULT
839ca1a0 Driver Wdf01000
842b71c8 Driver ACPI
33 83a31c18 Driver PnpManager
84964d08 Driver flpydisk
34 842fc318 Driver vdrvroot
848a4cf0 Driver AFD
84915750 Driver CompositeBus
36 846aa838 Driver intelide
847aa4c0 Driver rdyboost
848cf790 Driver i8042prt
849316b0 Driver RasAgileVpn
Strangely, we do not see NTFS, one of the mandatory drivers for Windows, in this list. The reason is that NTFS is a file system, and Windows treats file systems separately. In fact, none of the file system drivers are to be seen here. They are all in the \FileSystem directory. Let's have a look:

kd> !object \Filesystem
Object: 87468330  Type: (839b7e90) Directory
    ObjectHeader: 87468318 (new version)
    HandleCount: 0  PointerCount: 27
    Directory Object: 874010e8  Name: FileSystem

Hash Address Type Name
---- ------- ---- ----
0 846d9b98 Driver srvnet
8470cb18 Driver Ntfs
1 84913250 Driver NetBIOS
3 84755378 Device ExFatRecognizer
5 846edac8 Driver rdbss
10 84fd3600 Driver bowser
15 849d7ce8 Driver Msfs
17 84c39a88 Driver mrxsmb
18 84750378 Device UdfsCdRomRecognizer
19 84fe6530 Driver srv
23 848d6ea8 Driver DfsC
24 848f2718 Driver srv2
847bf570 Driver Mup
842b41b8 Driver RAW
25 8488c2d0 Driver Npfs
8474e360 Driver Fs_Rec
26 8744eb50 Directory Filters
30 84fd1a88 Driver mrxsmb10
32 84753378 Device FatCdRomRecognizer
8474f378 Device CdfsRecognizer
846f8878 Driver FltMgr
33 84fd5848 Driver mrxsmb20
34 84752378 Device FatDiskRecognizer
8470d578 Driver FileInfo
36 84d4b030 Driver luafv
84751378 Device UdfsDiskRecognizer
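As an added example (not part of the original post), here is a small Python parser for the Directory listings printed by !object, like the \, \Driver and \FileSystem ones above. It embeds a constructed sample assembled from lines copied out of those listings and relies on the convention visible in the output: the Hash column is printed only for the first entry of each bucket, and the unnumbered lines that follow belong to the same bucket. The list of multi-word type names and the case-insensitive lookup helper are my own additions.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the shape of the "!object \FileSystem" and "!object \"
# output above (addresses and names are copied from those listings).
SAMPLE_LISTING = """\
Object: 87468330  Type: (839b7e90) Directory
    ObjectHeader: 87468318 (new version)
    HandleCount: 0  PointerCount: 27
    Directory Object: 874010e8  Name: FileSystem

Hash Address Type Name
---- ------- ---- ----
0 846d9b98 Driver srvnet
8470cb18 Driver Ntfs
1 84913250 Driver NetBIOS
3 84755378 Device ExFatRecognizer
4 83a295f8 ALPC Port PowerPort
22 8b2487f8 Directory RPC Control
24 848f2718 Driver srv2
847bf570 Driver Mup
"""

# Object type names that contain a space; every other type is a single token.
MULTI_WORD_TYPES = ("ALPC Port",)


class DirEntry(NamedTuple):
    bucket: int      # hash bucket (the "Hash" column) the entry is chained in
    address: int     # address of the object body
    type_name: str   # object type: Driver, Device, Directory, ALPC Port, ...
    name: str        # object name, which may itself contain spaces


_WITH_BUCKET = re.compile(r"^(\d{1,2})\s+([0-9a-fA-F]{8})\s+(.+)$")
_NO_BUCKET = re.compile(r"^([0-9a-fA-F]{8})\s+(.+)$")


def _split_type_and_name(rest: str):
    """Separate the Type column from the Name column."""
    for mw in MULTI_WORD_TYPES:
        if rest.startswith(mw + " "):
            return mw, rest[len(mw) + 1:].strip()
    type_name, _, name = rest.partition(" ")
    return type_name, name.strip()


def parse_directory_listing(text: str) -> List[DirEntry]:
    """Parse the table printed by !object for a Directory object.

    Everything before the '----' separator is the object summary and is
    skipped. The debugger prints the bucket number only for the first entry
    of each bucket chain, so the parser remembers the last bucket seen.
    """
    entries: List[DirEntry] = []
    current_bucket: Optional[int] = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line.startswith("----")
            continue
        if not line:
            continue
        m = _WITH_BUCKET.match(line)
        if m:
            current_bucket = int(m.group(1))
            address, rest = int(m.group(2), 16), m.group(3)
        else:
            m = _NO_BUCKET.match(line)
            if not m or current_bucket is None:
                raise ValueError(f"unrecognised listing line: {line!r}")
            address, rest = int(m.group(1), 16), m.group(2)
        type_name, name = _split_type_and_name(rest)
        entries.append(DirEntry(current_bucket, address, type_name, name))
    return entries


def group_by_bucket(entries: List[DirEntry]) -> Dict[int, List[DirEntry]]:
    """Rebuild the per-bucket chains the object manager keeps."""
    buckets: Dict[int, List[DirEntry]] = {}
    for e in entries:
        buckets.setdefault(e.bucket, []).append(e)
    return buckets


def find_object(entries: List[DirEntry], name: str) -> Optional[DirEntry]:
    """Directory lookups in the object manager are case-insensitive."""
    for e in entries:
        if e.name.lower() == name.lower():
            return e
    return None


if __name__ == "__main__":
    parsed = parse_directory_listing(SAMPLE_LISTING)
    for bucket, chain in sorted(group_by_bucket(parsed).items()):
        print(bucket, [f"{e.type_name}:{e.name}@{e.address:08x}" for e in chain])
    print(find_object(parsed, "ntfs"))
```

Feeding the full output of a real `!object` directory listing to `parse_directory_listing` gives a list you can group or search; the spreadsheet-mangled addresses in the \Driver listing above (for example "8.48E+34") would be rejected by the address pattern rather than silently mis-parsed.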

To see details of a named object we can give its name. For example, for details of C: (which is a symbolic link) we can use the following command.

kd> !object \Global??\c:
Object: 875dbd28  Type: (839b7dc8) SymbolicLink
    ObjectHeader: 875dbd10 (new version)
    HandleCount: 0  PointerCount: 1
    Directory Object: 87408f58  Name: C:
    Target String is '\Device\HarddiskVolume2'
    Drive Letter Index is 3 (C:)

We discussed object types in a previous section; to see all the object types currently supported we can use:

kd> !object \ObjectTypes
Object: 87405b80  Type: (839b7e90) Directory
    ObjectHeader: 87405b68 (new version)
    HandleCount: 0  PointerCount: 44
    Directory Object: 874010e8  Name: ObjectTypes

Hash Address Type Name
---- ------- ---- ----
0 83a28c58 Type TpWorkerFactory
839b7e90 Type Directory
1 83a25418 Type Mutant
839b78b0 Type Thread
3 846ff870 Type FilterCommunicationPort
4 83a31eb0 Type TmTx
5 83a28ac8 Type Controller
6 83a43f78 Type EtwRegistration
7 83a28f78 Type Profile
83a33420 Type Event
839b7f58 Type Type
9 83a31b50 Type Section
83a2f3f8 Type EventPair
839b7dc8 Type SymbolicLink
10 83a28d20 Type Desktop
839b77e8 Type UserApcReserve
11 83a43eb0 Type EtwConsumer
83a26350 Type Timer
12 83a287a8 Type File
83a28de8 Type WindowStation
14 8474b298 Type PcwObject
15 83a31d20 Type TmEn
16 83a28938 Type Driver
18 83a42528 Type WmiGuid
83a28eb0 Type KeyedEvent
19 83a28a00 Type Device
839b7b80 Type Token
20 83a298f0 Type ALPC Port
839af878 Type DebugObject
21 83a28870 Type IoCompletion
22 839b7978 Type Process
23 83a31de8 Type TmRm
24 83a28b90 Type Adapter
26 83a16f18 Type PowerRequest
83a2d388 Type Key
28 839b7a40 Type Job
30 83a317b0 Type Session
83a31f78 Type TmTm
31 839afef8 Type IoCompletionReserve
32 83a25350 Type Callback
33 846ec158 Type FilterConnectionPort
34 83a26418 Type Semaphore

NT maintains a data structure called _OBJECT_TYPE which contains all relevant information about an object type. We will be using the dt command. To read more about what dt is, read here.

kd> dt nt!_OBJECT_TYPE
   +0x000 TypeList         : _LIST_ENTRY
   +0x008 Name             : _UNICODE_STRING
   +0x010 DefaultObject    : Ptr32 Void
   +0x014 Index            : UChar
   +0x018 TotalNumberOfObjects : Uint4B
   +0x01c TotalNumberOfHandles : Uint4B
   +0x020 HighWaterNumberOfObjects : Uint4B
   +0x024 HighWaterNumberOfHandles : Uint4B
   +0x028 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x078 TypeLock         : _EX_PUSH_LOCK
   +0x07c Key              : Uint4B
   +0x080 CallbackList     : _LIST_ENTRY

The TypeInfo structure reveals information such as the memory pool objects of this type are allocated from and several function pointers which act upon the object; the handle and object counts live in the outer _OBJECT_TYPE.

kd> dt nt!_OBJECT_TYPE TypeInfo.
   +0x028 TypeInfo  : 
      +0x000 Length    : Uint2B
      +0x002 ObjectTypeFlags : UChar
      +0x002 CaseInsensitive : Pos 0, 1 Bit
      +0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
      +0x002 UseDefaultObject : Pos 2, 1 Bit
      +0x002 SecurityRequired : Pos 3, 1 Bit
      +0x002 MaintainHandleCount : Pos 4, 1 Bit
      +0x002 MaintainTypeList : Pos 5, 1 Bit
      +0x002 SupportsObjectCallbacks : Pos 6, 1 Bit
      +0x004 ObjectTypeCode : Uint4B
      +0x008 InvalidAttributes : Uint4B
      +0x00c GenericMapping : _GENERIC_MAPPING
      +0x01c ValidAccessMask : Uint4B
      +0x020 RetainAccess : Uint4B
      +0x024 PoolType  : _POOL_TYPE
      +0x028 DefaultPagedPoolCharge : Uint4B
      +0x02c DefaultNonPagedPoolCharge : Uint4B
      +0x030 DumpProcedure : Ptr32        void 
      +0x034 OpenProcedure : Ptr32        long 
      +0x038 CloseProcedure : Ptr32        void 
      +0x03c DeleteProcedure : Ptr32        void 
      +0x040 ParseProcedure : Ptr32        long 
      +0x044 SecurityProcedure : Ptr32        long 
      +0x048 QueryNameProcedure : Ptr32        long 
      +0x04c OkayToCloseProcedure : Ptr32        unsigned char 

Note: Observe the . (dot) after TypeInfo in the above command. It is used to expand the fields of that sub-structure.

Let's use this to see the values for an actual object. Processes are also objects inside NT, so let's use our favorite process, lsass.exe, for this example.

kd> !process 0 0 lsass.exe
PROCESS 84cdc860  SessionId: 0  Cid: 0208    Peb: 7ffda000  ParentCid: 018c
    DirBase: 1eed30e0  ObjectTable: 95f00d18  HandleCount: 513.
    Image: lsass.exe

Passing this process address to the !object extension, we get information about the object:

kd> !object 84cdc860  
Object: 84cdc860  Type: (839b7978) Process
    ObjectHeader: 84cdc848 (new version)
    HandleCount: 10  PointerCount: 254

Let's cast the Type address printed above (839b7978) to _OBJECT_TYPE.

kd> dt nt!_OBJECT_TYPE 839b7978
   +0x000 TypeList         : _LIST_ENTRY [ 0x839b7978 - 0x839b7978 ]
   +0x008 Name             : _UNICODE_STRING "Process"
   +0x010 DefaultObject    : (null)
   +0x014 Index            : 0x7 ''
   +0x018 TotalNumberOfObjects : 0x1f
   +0x01c TotalNumberOfHandles : 0xaf
   +0x020 HighWaterNumberOfObjects : 0x22
   +0x024 HighWaterNumberOfHandles : 0xbd
   +0x028 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x078 TypeLock         : _EX_PUSH_LOCK
   +0x07c Key              : 0x636f7250
   +0x080 CallbackList     : _LIST_ENTRY [ 0x839b79f8 - 0x839b79f8 ]

Notice that the Name of this object type is 'Process'.

...and expand the TypeInfo sub-structure fields:

kd> dt nt!_OBJECT_TYPE 839b7978 TypeInfo.
   +0x028 TypeInfo  :
      +0x000 Length    : 0x50
      +0x002 ObjectTypeFlags : 0x4a 'J'
      +0x002 CaseInsensitive : 0y0
      +0x002 UnnamedObjectsOnly : 0y1
      +0x002 UseDefaultObject : 0y0
      +0x002 SecurityRequired : 0y1
      +0x002 MaintainHandleCount : 0y0
      +0x002 MaintainTypeList : 0y0
      +0x002 SupportsObjectCallbacks : 0y1
      +0x004 ObjectTypeCode : 0
      +0x008 InvalidAttributes : 0xb0
      +0x00c GenericMapping : _GENERIC_MAPPING
      +0x01c ValidAccessMask : 0x1fffff
      +0x020 RetainAccess : 0x101000
      +0x024 PoolType  : 0 ( NonPagedPool )
      +0x028 DefaultPagedPoolCharge : 0x1000
      +0x02c DefaultNonPagedPoolCharge : 0x2f0
      +0x030 DumpProcedure : (null)
      +0x034 OpenProcedure : 0x82819ccb        long  nt!PspProcessOpen+0
      +0x038 CloseProcedure : 0x82879d2e        void  nt!PspProcessClose+0
      +0x03c DeleteProcedure : 0x8287c5f5        void  nt!PspProcessDelete+0
      +0x040 ParseProcedure : (null)
      +0x044 SecurityProcedure : 0x8286e5b6        long  nt!SeDefaultObjectMethod+0
      +0x048 QueryNameProcedure : (null)
      +0x04c OkayToCloseProcedure : (null) 
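The ObjectTypeFlags byte above is a packed bit field, and the Key field is a pool tag. As an added example (not from the original post), the following Python reads the "Pos n, 1 Bit" lines exactly as dt printed them, builds the bit layout from them, and applies it to the 0x4a value shown for the Process type; it also turns the Key value into its four-character tag. The sample text is a copy of the dt lines above; the helper names are my own.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample: the bit-field lines of "dt nt!_OBJECT_TYPE TypeInfo."
# as the debugger printed them above.
DT_BITFIELD_LINES = """\
      +0x002 ObjectTypeFlags : UChar
      +0x002 CaseInsensitive : Pos 0, 1 Bit
      +0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
      +0x002 UseDefaultObject : Pos 2, 1 Bit
      +0x002 SecurityRequired : Pos 3, 1 Bit
      +0x002 MaintainHandleCount : Pos 4, 1 Bit
      +0x002 MaintainTypeList : Pos 5, 1 Bit
      +0x002 SupportsObjectCallbacks : Pos 6, 1 Bit
"""

# dt prints "Pos <bit>, <width> Bit" (or "Bits" for wider fields).
_BITFIELD = re.compile(
    r"^\+0x([0-9a-f]+)\s+(\w+)\s*:\s*Pos\s+(\d+),\s*(\d+)\s+Bits?$"
)


def parse_dt_bitfields(text: str) -> List[Tuple[str, int, int]]:
    """Return (name, bit position, width) for every bit-field line."""
    fields = []
    for raw in text.splitlines():
        m = _BITFIELD.match(raw.strip())
        if m:
            fields.append((m.group(2), int(m.group(3)), int(m.group(4))))
    return fields


def decode_bitfields(value: int, fields) -> Dict[str, int]:
    """Extract each named field from the packed integer."""
    return {name: (value >> pos) & ((1 << width) - 1)
            for name, pos, width in fields}


def dt_bit_string(value: int, width: int) -> str:
    """Render a field the way dt does, e.g. 0y1 or 0y011."""
    return f"0y{value:0{width}b}"


def decode_pool_tag(key: int) -> str:
    """Key is a four-character pool tag stored as a little-endian 32-bit
    value, so the bytes read back in ASCII order."""
    return struct.pack("<I", key).decode("ascii")


def encode_pool_tag(tag: str) -> int:
    if len(tag) != 4:
        raise ValueError("pool tags are exactly four characters")
    return struct.unpack("<I", tag.encode("ascii"))[0]


if __name__ == "__main__":
    layout = parse_dt_bitfields(DT_BITFIELD_LINES)
    for name, bits in decode_bitfields(0x4A, layout).items():
        print(f"{name:<24}{dt_bit_string(bits, 1)}")
    print("Key", hex(0x636F7250), "->", decode_pool_tag(0x636F7250))
```

Running it reproduces the 0y0/0y1 column printed for the Process type, and shows that Key 0x636f7250 is the tag "Proc", which is how such objects appear in pool-tag listings.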

We discussed earlier that an object has a header and a body. Let's see if we can extract the fields displayed by the !object extension ourselves.

kd> dt nt!_OBJECT_HEADER
   +0x000 PointerCount     : Int4B
   +0x004 HandleCount      : Int4B
   +0x004 NextToFree       : Ptr32 Void
   +0x008 Lock             : _EX_PUSH_LOCK
   +0x00c TypeIndex        : UChar
   +0x00d TraceFlags       : UChar
   +0x00e InfoMask         : UChar
   +0x00f Flags            : UChar
   +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body             : _QUAD

In my version of Windows the body starts at offset 0x18, which means that to get to the header we need to subtract 0x18 from the object address. Using the address of lsass.exe from the output of !process above...

kd> !process 0 0 lsass.exe
PROCESS 84cdc860  SessionId: 0  Cid: 0208    Peb: 7ffda000  ParentCid: 018c
    DirBase: 1eed30e0  ObjectTable: 95f00d18  HandleCount: 513.
    Image: lsass.exe

kd> dt nt!_OBJECT_HEADER 84cdc860-18
   +0x000 PointerCount     : 0n254
   +0x004 HandleCount      : 0n10
   +0x004 NextToFree       : 0x0000000a Void
   +0x008 Lock             : _EX_PUSH_LOCK
   +0x00c TypeIndex        : 0x7 ''
   +0x00d TraceFlags       : 0 ''
   +0x00e InfoMask         : 0x8 ''
   +0x00f Flags            : 0 ''
   +0x010 ObjectCreateInfo : 0x8273ecc0 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : 0x8273ecc0 Void
   +0x014 SecurityDescriptor : 0x87405f79 Void
   +0x018 Body             : _QUAD

These match the values given by the !object extension.

kd> !object 84cdc860
Object: 84cdc860  Type: (839b7978) Process
    ObjectHeader: 84cdc848 (new version)
    HandleCount: 10  PointerCount: 254
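To make the header arithmetic concrete, here is an added Python example (not code from the original post) that applies the x86 _OBJECT_HEADER layout printed above to a raw 0x18-byte header and reproduces the numbers !object shows for lsass.exe. The header bytes are constructed from the field values in the dt output above; the Lock value is not shown there and is assumed to be zero. The helper that strips the low bits of SecurityDescriptor reflects that this field is an EX_FAST_REF (the low 3 bits on x86 hold a reference count), which the post itself does not discuss.

```python
import struct
from typing import NamedTuple

# x86 layout of _OBJECT_HEADER as printed by "dt nt!_OBJECT_HEADER" above:
# 0x18 bytes, followed immediately by the object body.
OBJECT_HEADER_FMT = "<iiIBBBBII"         # PointerCount .. SecurityDescriptor
OBJECT_HEADER_SIZE = struct.calcsize(OBJECT_HEADER_FMT)   # 0x18
BODY_OFFSET = 0x18


class ObjectHeader(NamedTuple):
    pointer_count: int
    handle_count: int          # overlays NextToFree once the object is freed
    lock: int                  # _EX_PUSH_LOCK, treated as opaque here
    type_index: int            # index of the object's _OBJECT_TYPE
    trace_flags: int
    info_mask: int             # which optional sub-headers precede this one
    flags: int
    object_create_info: int    # overlays QuotaBlockCharged
    security_descriptor: int   # EX_FAST_REF: pointer plus a small ref count


def header_address(object_address: int) -> int:
    """!object reports ObjectHeader = object address - 0x18 on this build."""
    return object_address - BODY_OFFSET


def parse_object_header(raw: bytes) -> ObjectHeader:
    """Decode the fixed part of the header from raw memory bytes."""
    if len(raw) < OBJECT_HEADER_SIZE:
        raise ValueError(f"need {OBJECT_HEADER_SIZE} bytes, got {len(raw)}")
    return ObjectHeader(*struct.unpack_from(OBJECT_HEADER_FMT, raw))


def security_descriptor_pointer(header: ObjectHeader) -> int:
    """Strip the fast-reference count kept in the low 3 bits (x86)."""
    return header.security_descriptor & ~0x7


# Constructed sample: the lsass.exe header rebuilt from the values that
# "dt nt!_OBJECT_HEADER 84cdc860-18" printed above (Lock assumed zero).
LSASS_OBJECT_ADDRESS = 0x84CDC860
LSASS_HEADER_BYTES = struct.pack(
    OBJECT_HEADER_FMT,
    254,          # PointerCount
    10,           # HandleCount
    0,            # Lock (assumed)
    0x7,          # TypeIndex (matches Index of the Process _OBJECT_TYPE)
    0,            # TraceFlags
    0x8,          # InfoMask
    0,            # Flags
    0x8273ECC0,   # ObjectCreateInfo / QuotaBlockCharged
    0x87405F79,   # SecurityDescriptor (low bit set: fast-ref count)
)


def summarize(object_address: int, raw_header: bytes) -> dict:
    """Reproduce what !object prints for an object, plus the type index."""
    h = parse_object_header(raw_header)
    return {
        "ObjectHeader": header_address(object_address),
        "HandleCount": h.handle_count,
        "PointerCount": h.pointer_count,
        "TypeIndex": h.type_index,
    }


if __name__ == "__main__":
    s = summarize(LSASS_OBJECT_ADDRESS, LSASS_HEADER_BYTES)
    print({k: (hex(v) if k == "ObjectHeader" else v) for k, v in s.items()})
    print("SecurityDescriptor ->",
          hex(security_descriptor_pointer(parse_object_header(LSASS_HEADER_BYTES))))
```

The layout is specific to this 32-bit build; on x64 the fields are wider and the body offset differs, and on Windows 10 and later the TypeIndex byte is additionally encoded, so it can no longer be used as a plain index into the type table the way it is here.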

Note: The object header structure has changed from previous versions of Windows. Earlier, the _OBJECT_TYPE pointer used to be available in the header itself. Here is the output from an older version of Windows.

kd> dt _object_header 8a4ce650
nt!_OBJECT_HEADER
   +0x000 PointerCount     : 79
   +0x004 HandleCount      : 2
   +0x004 NextToFree       : 0x00000002
   +0x008 Type             : 0x8a4ceca0
   +0x00c NameInfoOffset   : 0 ''
   +0x00d HandleInfoOffset : 0 ''
   +0x00e QuotaInfoOffset  : 0 ''
   +0x00f Flags            : 0x22 '"'
   +0x010 ObjectCreateInfo : 0x80545620
   +0x010 QuotaBlockCharged : 0x80545620
   +0x014 SecurityDescriptor : 0xe10001dc
   +0x018 Body             : _QUAD

We will revisit the object manager again later on when we see how names are resolved in Windows.