Jaime Blasco Blog


General: Windows Kernel Objects
Thu, 24 Dec 2009

The Windows Kernel offers different resources to developers: Process, Socket, Thread, Mutex...

A kernel object is a memory block whose structure has different members containing information about the object.
There are members common to all object types (like the security descriptor), but each object type also has its own specific members (like the process ID of a Process object).

Let's begin playing with WinDbg, which can be used to debug Windows in kernel mode.

The best way to retrieve the list of kernel object types is to query the ObjectTypes directory:

lkd> !object \ObjectTypes
Object: e1000110  Type: (823ed418) Directory
    ObjectHeader: e10000f8 (old version)
    HandleCount: 0  PointerCount: 25
    Directory Object: e1001150  Name: ObjectTypes

    Hash Address  Type          Name
    ---- -------  ----          ----
     00  823ed418 Type          Directory
     01  823c8ca0 Type          Thread
         823c55e0 Type          Mutant
     03  82335770 Type          FilterCommunicationPort
     05  823b4958 Type          Controller
     07  823ed5e8 Type          Type
         823c4ca0 Type          Profile
         823c5980 Type          Event
     09  823ed248 Type          SymbolicLink
         823c4560 Type          Section
         823c57b0 Type          EventPair
     10  823c4730 Type          Desktop
     11  823c4e70 Type          Timer
     12  823c4900 Type          WindowStation
         823eb040 Type          File
     16  823b45b8 Type          Driver
     18  823ae250 Type          WmiGuid
         823c4ad0 Type          KeyedEvent
     19  823c8040 Type          Token
         823b4788 Type          Device
     20  823c8408 Type          DebugObject
     21  823b43e8 Type          IoCompletion
     22  823c8e70 Type          Process
     24  823b4b28 Type          Adapter
     26  823c18a0 Type          Key
     28  823c8ad0 Type          Job
     31  823ec3d0 Type          WaitablePort
         823ec5a0 Type          Port
     32  823c5410 Type          Callback
     33  82335940 Type          FilterConnectionPort
     34  823c4040 Type          Semaphore

This gives us a list of all the object types managed by the Kernel.

We can get more info about an object type by querying its address with dt:

lkd> dt _OBJECT_TYPE 823c4900 
ntdll!_OBJECT_TYPE
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY [ 0x823c4938 - 0x823c4938 ]
   +0x040 Name             : _UNICODE_STRING "WindowStation"
   +0x048 DefaultObject    : (null) 
   +0x04c Index            : 0x11
   +0x050 TotalNumberOfObjects : 5
   +0x054 TotalNumberOfHandles : 0x76
   +0x058 HighWaterNumberOfObjects : 5
   +0x05c HighWaterNumberOfHandles : 0x80
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : 0x646e6957
   +0x0b0 ObjectLocks      : [4] _ERESOURCE

And even more information, from the type's _OBJECT_TYPE_INITIALIZER (note that the initializer is embedded in the _OBJECT_TYPE as the TypeInfo member at offset +0x060, so it should be dumped from that offset, i.e. the type address plus 0x60; dumping it at the type's base address as below decodes the leading _ERESOURCE bytes as initializer fields, which is why Length and the procedure pointers look implausible):

lkd> dt _OBJECT_TYPE_INITIALIZER 823c55e0 
ntdll!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x5690
   +0x002 UseDefaultObject : 0x3c '<'
   +0x003 CaseInsensitive  : 0x82 ''
   +0x004 InvalidAttributes : 0x823c5908
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask  : 0
   +0x01c SecurityRequired : 0 ''
   +0x01d MaintainHandleCount : 0 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 0 ( NonPagedPool )
   +0x024 DefaultPagedPoolCharge : 0
   +0x028 DefaultNonPagedPoolCharge : 0
   +0x02c DumpProcedure    : (null) 
   +0x030 OpenProcedure    : (null) 
   +0x034 CloseProcedure   : (null) 
   +0x038 DeleteProcedure  : 0x823c5618     void  +ffffffff823c5618
   +0x03c ParseProcedure   : 0x823c5618     long  +ffffffff823c5618
   +0x040 SecurityProcedure : 0x000e000c     long  +e000c
   +0x044 QueryNameProcedure : 0xe1005498     long  +ffffffffe1005498
   +0x048 OkayToCloseProcedure : (null) 
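As an added example (not from the original post), the following Python turns a `dt` dump like the one above into an offset map, so the address of an embedded member such as TypeInfo can be computed before the second `dt`, and decodes the Key member as the type's pool tag. The sample dump is the _OBJECT_TYPE output shown above, embedded inline; the hypothetical extra lines and helper names are my own.

```python
import re
import struct
from typing import Dict, NamedTuple


class Field(NamedTuple):
    offset: int   # byte offset inside the structure
    value: str    # the value text exactly as WinDbg printed it


# One line of `dt` output: "   +0x040 Name             : _UNICODE_STRING "WindowStation""
_DT_LINE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s+:\s*(.*?)\s*$")


def parse_dt(output: str) -> Dict[str, Field]:
    """Map member name -> (offset, printed value) for a `dt` dump."""
    fields: Dict[str, Field] = {}
    for line in output.splitlines():
        m = _DT_LINE.match(line)
        if m:
            fields[m.group(2)] = Field(int(m.group(1), 16), m.group(3))
    return fields


def member_address(base: int, fields: Dict[str, Field], member: str) -> int:
    """Address of an embedded member: structure base plus the member's offset."""
    return base + fields[member].offset


def decode_pool_tag(key: int) -> str:
    """Key holds the 4-byte ASCII pool tag as a little-endian 32-bit integer."""
    return struct.pack("<I", key).decode("ascii")


# Constructed sample: the _OBJECT_TYPE dump from the post (type address 823c4900).
OBJECT_TYPE_DUMP = """\
ntdll!_OBJECT_TYPE
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY [ 0x823c4938 - 0x823c4938 ]
   +0x040 Name             : _UNICODE_STRING "WindowStation"
   +0x048 DefaultObject    : (null)
   +0x04c Index            : 0x11
   +0x050 TotalNumberOfObjects : 5
   +0x054 TotalNumberOfHandles : 0x76
   +0x058 HighWaterNumberOfObjects : 5
   +0x05c HighWaterNumberOfHandles : 0x80
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : 0x646e6957
   +0x0b0 ObjectLocks      : [4] _ERESOURCE
"""


def typeinfo_address(base: int, dump: str = OBJECT_TYPE_DUMP) -> int:
    """Address to pass to `dt _OBJECT_TYPE_INITIALIZER` for the type at `base`."""
    return member_address(base, parse_dt(dump), "TypeInfo")


def pool_tag_of(dump: str = OBJECT_TYPE_DUMP) -> str:
    """Decode the Key member of a dumped _OBJECT_TYPE into its pool tag."""
    return decode_pool_tag(int(parse_dt(dump)["Key"].value, 16))


if __name__ == "__main__":
    print(hex(typeinfo_address(0x823C4900)))  # where TypeInfo of WindowStation lives
    print(pool_tag_of())                       # pool tag for WindowStation objects
```

With the offsets from the dump, the initializer of the Mutant type at 823c55e0 lives at 823c5640, which is the address the second `dt` should be given.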

All kernel objects are handled by the object manager, which manages all the associated resources: kernel data structures, kernel references, user references, synchronization...

The Windows Kernel provides "object directories" to categorize the managed objects according to their type. For example, we previously queried the ObjectTypes directory to retrieve the list of object types.

As another example, query the \Driver directory to get the list of driver objects present on the system:

lkd> !object \Driver
Object: e1023908  Type: (823ed418) Directory
    ObjectHeader: e10238f0 (old version)
    HandleCount: 0  PointerCount: 96
    Directory Object: e1001150  Name: Driver

    Hash Address  Type          Name
    ---- -------  ----          ----
     00  823343b0 Driver        NDIS
         82335340 Driver        KSecDD
         82171320 Driver        Beep
     01  8217ef38 Driver        Raspti
         82233260 Driver        Mouclass
         8217dd68 Driver        es1371
     02  82060030 Driver        vmx_svga
...
...

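The two `!object` listings above (\ObjectTypes and \Driver) share one table format, so a single parser covers both. The following Python is an added example, not code from the post: it parses a `!object <directory>` listing into records and compares a baseline \Driver listing against a later one to report driver objects that were not there before, the kind of check the post mentions for incident response. The baseline text is the \Driver output shown above; the extra entry in the second listing is constructed with a placeholder name.

```python
import re
from typing import List, NamedTuple


class ObjectEntry(NamedTuple):
    address: int     # object address from the Address column
    type_name: str   # Type column (e.g. "Driver", "Type")
    name: str        # Name column


# One table row. The Hash column is printed only on the first entry of each
# bucket, so it is optional; Address is always eight hex digits.
_ROW = re.compile(r"^\s*(?:(\d{2})\s+)?([0-9a-fA-F]{8})\s+(\S+)\s+(\S.*?)\s*$")


def parse_object_directory(listing: str) -> List[ObjectEntry]:
    """Parse the table part of `!object <directory>` output into entries."""
    entries: List[ObjectEntry] = []
    in_table = False
    for line in listing.splitlines():
        if line.strip().startswith("----"):
            in_table = True      # the dashed rule under the column headers
            continue
        if not in_table:
            continue             # skip the Object/ObjectHeader/Name preamble
        m = _ROW.match(line)
        if m:                    # blank lines and "..." do not match
            entries.append(ObjectEntry(int(m.group(2), 16), m.group(3), m.group(4)))
    return entries


def new_objects(baseline: str, current: str, type_name: str = "Driver") -> List[str]:
    """Names of objects of `type_name` present in `current` but not in `baseline`."""
    before = {e.name for e in parse_object_directory(baseline) if e.type_name == type_name}
    after = {e.name for e in parse_object_directory(current) if e.type_name == type_name}
    return sorted(after - before)


# Constructed sample: the \Driver listing from the post, used as the baseline.
BASELINE_LISTING = """\
Object: e1023908  Type: (823ed418) Directory
    ObjectHeader: e10238f0 (old version)
    HandleCount: 0  PointerCount: 96
    Directory Object: e1001150  Name: Driver

    Hash Address  Type          Name
    ---- -------  ----          ----
     00  823343b0 Driver        NDIS
         82335340 Driver        KSecDD
         82171320 Driver        Beep
     01  8217ef38 Driver        Raspti
         82233260 Driver        Mouclass
         8217dd68 Driver        es1371
     02  82060030 Driver        vmx_svga
...
"""

# Constructed "later" listing: the baseline plus one extra driver object with a
# placeholder name and a made-up address, standing in for an unexpected driver.
CURRENT_LISTING = BASELINE_LISTING.replace(
    "...\n", "         8209f0a0 Driver        PLACEHOLDER_DRV\n...\n"
)


if __name__ == "__main__":
    for e in parse_object_directory(BASELINE_LISTING):
        print(f"{e.address:08x} {e.type_name:<8} {e.name}")
    print("new driver objects:", new_objects(BASELINE_LISTING, CURRENT_LISTING))
```

The diff only notices names, so a baseline should be captured from a known-good boot of the same system; an address change alone is normal across reboots and is deliberately ignored.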
In the next post I will explain how to query object directories from user land via NtQueryDirectoryObject [Ntdll.dll] and how to take advantage of it for incident response and malware detection.

posted at: 01:24 | path: /General