The Windows Kernel offers different resources to developers: Process, Socket, Thread, Mutex…
A kernel object is a block of kernel memory whose structure has members describing the object.
Some members are common to all object types (like the security descriptor, which lives in the object header) while each object type adds its own specific members (like the process ID of a Process object).
Let's start playing with WinDbg, which can be used to debug Windows in kernel mode. The lkd> prompt in the listings below is a local kernel debugging session on a 32-bit system, so every address and structure offset is 32-bit.
The best way to retrieve the list of kernel object types is to query the ObjectTypes directory:
lkd> !object ObjectTypes
Object: e1000110  Type: (823ed418) Directory
    ObjectHeader: e10000f8 (old version)
    HandleCount: 0  PointerCount: 25
    Directory Object: e1001150  Name: ObjectTypes

    Hash Address  Type          Name
    ---- -------  ----          ----
     00  823ed418 Type          Directory
     01  823c8ca0 Type          Thread
         823c55e0 Type          Mutant
     03  82335770 Type          FilterCommunicationPort
     05  823b4958 Type          Controller
     07  823ed5e8 Type          Type
         823c4ca0 Type          Profile
         823c5980 Type          Event
     09  823ed248 Type          SymbolicLink
         823c4560 Type          Section
         823c57b0 Type          EventPair
     10  823c4730 Type          Desktop
     11  823c4e70 Type          Timer
     12  823c4900 Type          WindowStation
         823eb040 Type          File
     16  823b45b8 Type          Driver
     18  823ae250 Type          WmiGuid
         823c4ad0 Type          KeyedEvent
     19  823c8040 Type          Token
         823b4788 Type          Device
     20  823c8408 Type          DebugObject
     21  823b43e8 Type          IoCompletion
     22  823c8e70 Type          Process
     24  823b4b28 Type          Adapter
     26  823c18a0 Type          Key
     28  823c8ad0 Type          Job
     31  823ec3d0 Type          WaitablePort
         823ec5a0 Type          Port
     32  823c5410 Type          Callback
     33  82335940 Type          FilterConnectionPort
     34  823c4040 Type          Semaphore
This is the list of all the object types managed by the kernel. The Hash column is the bucket of the directory's hash table: several entries can share a bucket, and only the first entry of each bucket carries the number.
We can get more information about an object type by dumping the _OBJECT_TYPE structure at its address. Two members are worth noting in the output: Key is the pool tag that objects of this type are allocated with (0x646e6957 reads as "Wind" in little-endian ASCII, which is what a pool scanner searches for), and TypeInfo at +0x060 embeds the _OBJECT_TYPE_INITIALIZER that holds the per-type callbacks and access mapping:
lkd> dt _OBJECT_TYPE 823c4900
ntdll!_OBJECT_TYPE
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY [ 0x823c4938 - 0x823c4938 ]
   +0x040 Name             : _UNICODE_STRING "WindowStation"
   +0x048 DefaultObject    : (null)
   +0x04c Index            : 0x11
   +0x050 TotalNumberOfObjects : 5
   +0x054 TotalNumberOfHandles : 0x76
   +0x058 HighWaterNumberOfObjects : 5
   +0x05c HighWaterNumberOfHandles : 0x80
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : 0x646e6957
   +0x0b0 ObjectLocks      : [4] _ERESOURCE
And even more information from the _OBJECT_TYPE_INITIALIZER, which carries the GenericMapping used for access checks, the pool type and the procedures (Open, Close, Delete, Parse, Security, QueryName…) the object manager calls for that type:
lkd> dt _OBJECT_TYPE_INITIALIZER 823c55e0
ntdll!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x5690
   +0x002 UseDefaultObject : 0x3c '<'
   +0x003 CaseInsensitive  : 0x82 ''
   +0x004 InvalidAttributes : 0x823c5908
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask  : 0
   +0x01c SecurityRequired : 0 ''
   +0x01d MaintainHandleCount : 0 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 0 ( NonPagedPool )
   +0x024 DefaultPagedPoolCharge : 0
   +0x028 DefaultNonPagedPoolCharge : 0
   +0x02c DumpProcedure    : (null)
   +0x030 OpenProcedure    : (null)
   +0x034 CloseProcedure   : (null)
   +0x038 DeleteProcedure  : 0x823c5618     void  +ffffffff823c5618
   +0x03c ParseProcedure   : 0x823c5618     long  +ffffffff823c5618
   +0x040 SecurityProcedure : 0x000e000c     long  +e000c
   +0x044 QueryNameProcedure : 0xe1005498     long  +ffffffffe1005498
   +0x048 OkayToCloseProcedure : (null)
A caveat on this command: 823c55e0 is the address of the Mutant _OBJECT_TYPE itself, but TypeInfo sits at offset +0x060 inside it, so the dump above overlays the initializer template on the start of the type object (its Mutex _ERESOURCE) and the values are not meaningful. You can see it in the output: Length, UseDefaultObject and CaseInsensitive are the bytes of a list pointer (0x823c5690) and InvalidAttributes is the matching 0x823c5908; DeleteProcedure and ParseProcedure both equal 823c5618, which is 823c55e0 + 0x38, the empty TypeList pointing at itself; SecurityProcedure 0x000e000c is the Name's Length and MaximumLength (0xc = 6 characters, "Mutant") and QueryNameProcedure 0xe1005498 is its paged-pool Buffer. To read the real initializer, dump it at the right offset (dt _OBJECT_TYPE_INITIALIZER 823c55e0+0x60) or expand the member from the type object (dt _OBJECT_TYPE 823c55e0 TypeInfo.).
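To make the two layouts above concrete, here is an added example (my own C, not code from the original post): the 32-bit _OBJECT_TYPE and _OBJECT_TYPE_INITIALIZER rebuilt as C structs with every offset from both dt listings checked at compile time, a decoder for the Key pool tag, the +0x60 arithmetic that gives the correct address for the initializer dump, and a parser that reads a type object out of raw image bytes as you would when carving a memory dump. The sample image is constructed from the WindowStation values above, _ERESOURCE is treated as an opaque 0x38-byte blob, and the Name buffer is not modelled (these are assumptions of the example, not facts from the post).

```c
/* Added example: x86 (32-bit) _OBJECT_TYPE layout as shown by dt above.
 * Kernel pointers are modelled as uint32_t because the target is 32-bit.
 * _ERESOURCE is opaque here (0x38 bytes on this layout, as the +0x038
 * offset of TypeList shows). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint32_t Buffer;                     /* kernel pointer to UTF-16 text */
} UNICODE_STRING32;

typedef struct {
    uint32_t GenericRead, GenericWrite, GenericExecute, GenericAll;
} GENERIC_MAPPING32;

typedef struct {
    uint16_t Length;                     /* +0x00 */
    uint8_t  UseDefaultObject;           /* +0x02 */
    uint8_t  CaseInsensitive;            /* +0x03 */
    uint32_t InvalidAttributes;          /* +0x04 */
    GENERIC_MAPPING32 GenericMapping;    /* +0x08 */
    uint32_t ValidAccessMask;            /* +0x18 */
    uint8_t  SecurityRequired;           /* +0x1c */
    uint8_t  MaintainHandleCount;        /* +0x1d */
    uint8_t  MaintainTypeList;           /* +0x1e */
    uint8_t  Pad0;
    uint32_t PoolType;                   /* +0x20 */
    uint32_t DefaultPagedPoolCharge;     /* +0x24 */
    uint32_t DefaultNonPagedPoolCharge;  /* +0x28 */
    uint32_t DumpProcedure;              /* +0x2c, function pointers follow */
    uint32_t OpenProcedure;              /* +0x30 */
    uint32_t CloseProcedure;             /* +0x34 */
    uint32_t DeleteProcedure;            /* +0x38 */
    uint32_t ParseProcedure;             /* +0x3c */
    uint32_t SecurityProcedure;          /* +0x40 */
    uint32_t QueryNameProcedure;         /* +0x44 */
    uint32_t OkayToCloseProcedure;       /* +0x48 */
} OBJECT_TYPE_INITIALIZER32;             /* sizeof == 0x4c */

typedef struct {
    uint8_t  Mutex[0x38];                /* +0x000 _ERESOURCE, opaque */
    uint32_t TypeListFlink;              /* +0x038 _LIST_ENTRY */
    uint32_t TypeListBlink;
    UNICODE_STRING32 Name;               /* +0x040 */
    uint32_t DefaultObject;              /* +0x048 */
    uint32_t Index;                      /* +0x04c */
    uint32_t TotalNumberOfObjects;       /* +0x050 */
    uint32_t TotalNumberOfHandles;       /* +0x054 */
    uint32_t HighWaterNumberOfObjects;   /* +0x058 */
    uint32_t HighWaterNumberOfHandles;   /* +0x05c */
    OBJECT_TYPE_INITIALIZER32 TypeInfo;  /* +0x060 embedded, not a pointer */
    uint32_t Key;                        /* +0x0ac pool tag */
    uint8_t  ObjectLocks[4][0x38];       /* +0x0b0 [4] _ERESOURCE */
} OBJECT_TYPE32;

/* If any of these fail, the struct no longer matches the dt listing. */
_Static_assert(offsetof(OBJECT_TYPE32, Name) == 0x40, "Name offset");
_Static_assert(offsetof(OBJECT_TYPE32, Index) == 0x4c, "Index offset");
_Static_assert(offsetof(OBJECT_TYPE32, TypeInfo) == 0x60, "TypeInfo offset");
_Static_assert(offsetof(OBJECT_TYPE32, Key) == 0xac, "Key offset");
_Static_assert(sizeof(OBJECT_TYPE_INITIALIZER32) == 0x4c, "initializer size");
_Static_assert(offsetof(OBJECT_TYPE_INITIALIZER32, ParseProcedure) == 0x3c, "Parse offset");

/* Key is the pool tag; bytes are little-endian, so 0x646e6957 is "Wind". */
void decode_pool_tag(uint32_t key, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(key >> (8 * i));
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[4] = '\0';
}

/* Address to hand to "dt _OBJECT_TYPE_INITIALIZER": the type object's
 * address plus 0x60, not the type object's address itself. */
uint32_t type_info_address(uint32_t type_object_va)
{
    return type_object_va + (uint32_t)offsetof(OBJECT_TYPE32, TypeInfo);
}

/* Read an _OBJECT_TYPE from raw image bytes; -1 if the buffer is too short.
 * memcpy avoids alignment assumptions about buf. */
int parse_object_type(const uint8_t *buf, size_t len, OBJECT_TYPE32 *out)
{
    if (len < sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);
    return 0;
}

/* Constructed sample (not a real capture): the WindowStation type object
 * with the scalar values from the dt listing; the Name buffer is not modelled. */
const uint8_t *sample_window_station(size_t *len)
{
    static uint8_t img[sizeof(OBJECT_TYPE32)];
    OBJECT_TYPE32 t;
    memset(&t, 0, sizeof t);
    t.TypeListFlink = t.TypeListBlink = 0x823c4938;
    t.Name.Length = 26;                  /* "WindowStation", 13 UTF-16 chars */
    t.Name.MaximumLength = 28;
    t.Index = 0x11;
    t.TotalNumberOfObjects = 5;
    t.TotalNumberOfHandles = 0x76;
    t.HighWaterNumberOfObjects = 5;
    t.HighWaterNumberOfHandles = 0x80;
    t.TypeInfo.Length = (uint16_t)sizeof t.TypeInfo;
    t.TypeInfo.PoolType = 0;             /* NonPagedPool */
    t.Key = 0x646e6957;
    memcpy(img, &t, sizeof t);
    *len = sizeof img;
    return img;
}

int main(void)
{
    size_t len;
    const uint8_t *img = sample_window_station(&len);
    OBJECT_TYPE32 t;
    char tag[5];
    if (parse_object_type(img, len, &t) != 0) return 1;
    decode_pool_tag(t.Key, tag);
    printf("Index %#x, objects %u, handles %#x, pool tag '%s'\n",
           t.Index, t.TotalNumberOfObjects, t.TotalNumberOfHandles, tag);
    printf("TypeInfo of the type object at 823c4900 is at %#x\n",
           type_info_address(0x823c4900));
    return 0;
}
```

The _Static_assert lines are the point: when you port the struct to another build (the layout changes between Windows versions and between x86 and x64), the compiler tells you immediately that the offsets no longer agree with dt, and type_info_address is the check that would have caught the wrong address in the initializer dump above.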
All kernel objects are managed by the object manager, which handles everything around them: the kernel data structures, kernel references (the PointerCount shown by !object), user references through handles (the HandleCount), synchronization…
The Windows kernel provides "object directories" to organize the objects it manages into a named namespace, typically grouped by kind. For example, we previously queried the ObjectTypes directory to retrieve the list of object types.
Another example: query the Driver directory to get the list of driver objects present on the system:
lkd> !object Driver
Object: e1023908  Type: (823ed418) Directory
    ObjectHeader: e10238f0 (old version)
    HandleCount: 0  PointerCount: 96
    Directory Object: e1001150  Name: Driver

    Hash Address  Type          Name
    ---- -------  ----          ----
     00  823343b0 Driver        NDIS
         82335340 Driver        KSecDD
         82171320 Driver        Beep
     01  8217ef38 Driver        Raspti
         82233260 Driver        Mouclass
         8217dd68 Driver        es1371
     02  82060030 Driver        vmx_svga
     ...
     ...
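Listings like this one are what you end up diffing against a baseline during an investigation, so here is an added example (my own C, not code from the original post) of a parser for the body of a "!object <directory>" listing. It skips the preamble and header lines, treats rows without a Hash value as continuations of the previous bucket, keeps the rest of the line as the name, and rejects a continuation row that appears before any bucket. The sample listing is constructed in the !object format from the Driver entries shown above; it is not a live capture.

```c
/* Added example: parse a WinDbg "!object <directory>" listing into entries. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int hash;               /* bucket index printed in the Hash column */
    unsigned long address;  /* object address */
    char type[32];
    char name[64];
} DirEntry;

/* Copy the next whitespace-delimited word into out; return position after it. */
static const char *next_word(const char *s, char *out, size_t cap)
{
    size_t n = 0;
    while (*s && isspace((unsigned char)*s)) s++;
    while (*s && !isspace((unsigned char)*s)) {
        if (n + 1 < cap) out[n++] = *s;
        s++;
    }
    out[n] = '\0';
    return s;
}

static int is_bucket_number(const char *w)   /* one or two decimal digits */
{
    size_t n = strlen(w);
    if (n == 0 || n > 2) return 0;
    for (size_t i = 0; i < n; i++) if (!isdigit((unsigned char)w[i])) return 0;
    return 1;
}

static int is_address(const char *w)         /* 8 hex digits on x86 */
{
    if (strlen(w) != 8) return 0;
    for (int i = 0; i < 8; i++) if (!isxdigit((unsigned char)w[i])) return 0;
    return 1;
}

/* Parse a listing into out[]. Returns the number of entries found (only the
 * first max are stored) or -1 on a malformed row. */
int parse_object_listing(const char *text, DirEntry *out, int max)
{
    int count = 0, hash = -1;
    char line[256], w[64], type[32];

    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t full = eol ? (size_t)(eol - text) : strlen(text);
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += full + (eol ? 1 : 0);

        const char *s = next_word(line, w, sizeof w);
        if (is_bucket_number(w)) {           /* first row of a new bucket */
            hash = atoi(w);
            s = next_word(s, w, sizeof w);
            if (!is_address(w)) return -1;
        } else if (!is_address(w)) {
            continue;                        /* blank, preamble or header line */
        } else if (hash < 0) {
            return -1;                       /* continuation row before any bucket */
        }

        unsigned long addr = strtoul(w, NULL, 16);
        s = next_word(s, type, sizeof type);
        while (*s && isspace((unsigned char)*s)) s++;   /* rest of line is the name */
        size_t len = strlen(s);
        while (len && isspace((unsigned char)s[len - 1])) len--;
        if (!type[0] || !len) return -1;

        if (count < max) {
            DirEntry *e = &out[count];
            e->hash = hash;
            e->address = addr;
            snprintf(e->type, sizeof e->type, "%s", type);
            snprintf(e->name, sizeof e->name, "%.*s", (int)len, s);
        }
        count++;
    }
    return count;
}

/* Index of the entry with this name, or -1. A baseline check on the Driver
 * directory is simply: is every parsed name in my known-good list? */
int find_entry(const DirEntry *entries, int count, const char *name)
{
    for (int i = 0; i < count; i++)
        if (strcmp(entries[i].name, name) == 0) return i;
    return -1;
}

/* Constructed sample in the !object output format (not a live capture). */
const char SAMPLE_DRIVER_LISTING[] =
    "Object: e1023908  Type: (823ed418) Directory\n"
    "    ObjectHeader: e10238f0 (old version)\n"
    "    HandleCount: 0  PointerCount: 96\n"
    "    Directory Object: e1001150  Name: Driver\n"
    "\n"
    "    Hash Address  Type          Name\n"
    "    ---- -------  ----          ----\n"
    "     00  823343b0 Driver        NDIS\n"
    "         82335340 Driver        KSecDD\n"
    "         82171320 Driver        Beep\n"
    "     01  8217ef38 Driver        Raspti\n"
    "         82233260 Driver        Mouclass\n"
    "         8217dd68 Driver        es1371\n"
    "     02  82060030 Driver        vmx_svga\n";

int main(void)
{
    DirEntry e[32];
    int n = parse_object_listing(SAMPLE_DRIVER_LISTING, e, 32);
    if (n < 0) { puts("malformed listing"); return 1; }
    for (int i = 0; i < n; i++)
        printf("bucket %02d  %08lx  %-8s %s\n", e[i].hash, e[i].address, e[i].type, e[i].name);
    return 0;
}
```

The same parser works on the ObjectTypes listing above, since both are printed by the same !object directory code path; on an x64 target change is_address to accept 16 hex digits.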
In the next post I will explain how to query object directories from user land via NtQueryDirectoryObject (exported by ntdll.dll) and how to take advantage of it for incident response and malware detection.