Windows Kernel Objects

December 24, 2009 | Jaime Blasco

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

The Windows Kernel offers different resources to developers: Process, Socket, Thread, Mutex…

A kernel object is a memory block which structure has different members containing information about the object.
There are common members across all object types (like security descriptor) but each object type has its own specific members (like ID of a Process object).

Let’s begin playing with WinDbg that can be used to debug windows in kernel mode.

The best way to retrieve the list of kernel objects is to query the ObjectTypes directory:

lkd> !object \ObjectTypes

Object: e1000110  Type: (823ed418) Directory

    ObjectHeader: e10000f8 (old version)

    HandleCount: 0  PointerCount: 25

    Directory Object: e1001150  Name: ObjectTypes

    Hash Address  Type          Name

    ---- -------  ----          ----

     00  823ed418 Type          Directory

     01  823c8ca0 Type          Thread

         823c55e0 Type          Mutant

     03  82335770 Type          FilterCommunicationPort

     05  823b4958 Type          Controller

     07  823ed5e8 Type          Type

         823c4ca0 Type          Profile

         823c5980 Type          Event

     09  823ed248 Type          SymbolicLink

         823c4560 Type          Section

         823c57b0 Type          EventPair

     10  823c4730 Type          Desktop

     11  823c4e70 Type          Timer

     12  823c4900 Type          WindowStation

         823eb040 Type          File

     16  823b45b8 Type          Driver

     18  823ae250 Type          WmiGuid

         823c4ad0 Type          KeyedEvent

     19  823c8040 Type          Token

         823b4788 Type          Device

     20  823c8408 Type          DebugObject

     21  823b43e8 Type          IoCompletion

     22  823c8e70 Type          Process

     24  823b4b28 Type          Adapter

     26  823c18a0 Type          Key

     28  823c8ad0 Type          Job

     31  823ec3d0 Type          WaitablePort

         823ec5a0 Type          Port

     32  823c5410 Type          Callback

     33  82335940 Type          FilterConnectionPort

     34  823c4040 Type          Semaphore

Then we have a list with all the available object types managed by the Kernel.

We can get more info about an object type querying its address:

lkd> dt _OBJECT_TYPE 823c4900 


   +0x000 Mutex            : _ERESOURCE

   +0x038 TypeList         : _LIST_ENTRY [ 0x823c4938 - 0x823c4938 ]

   +0x040 Name             : _UNICODE_STRING "WindowStation"

   +0x048 DefaultObject    : (null) 

   +0x04c Index            : 0x11

   +0x050 TotalNumberOfObjects : 5

   +0x054 TotalNumberOfHandles : 0x76

   +0x058 HighWaterNumberOfObjects : 5

   +0x05c HighWaterNumberOfHandles : 0x80

   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER

   +0x0ac Key              : 0x646e6957

   +0x0b0 ObjectLocks      : [4] _ERESOURCE

And ever more information:

lkd> dt _OBJECT_TYPE_INITIALIZER 823c55e0 


   +0x000 Length           : 0x5690

   +0x002 UseDefaultObject : 0x3c '<'

   +0x003 CaseInsensitive  : 0x82 ''

   +0x004 InvalidAttributes : 0x823c5908

   +0x008 GenericMapping   : _GENERIC_MAPPING

   +0x018 ValidAccessMask  : 0

   +0x01c SecurityRequired : 0 ''

   +0x01d MaintainHandleCount : 0 ''

   +0x01e MaintainTypeList : 0 ''

   +0x020 PoolType         : 0 ( NonPagedPool )

   +0x024 DefaultPagedPoolCharge : 0

   +0x028 DefaultNonPagedPoolCharge : 0

   +0x02c DumpProcedure    : (null) 

   +0x030 OpenProcedure    : (null) 

   +0x034 CloseProcedure   : (null) 

   +0x038 DeleteProcedure  : 0x823c5618     void  +ffffffff823c5618

   +0x03c ParseProcedure   : 0x823c5618     long  +ffffffff823c5618

   +0x040 SecurityProcedure : 0x000e000c     long  +e000c

   +0x044 QueryNameProcedure : 0xe1005498     long  +ffffffffe1005498

   +0x048 OkayToCloseProcedure : (null) 

All the kernel objects are managed by the object manager which manage all the resources: kernel data structures, kernel references, user references, synchronization…

The Windows Kernel provides “Object directories” to categorize objects being managed according to the types. For example we previously queried the ObjectTypes directory to retrieve the list of object types.

Another example, query the \Drivers directory to get the list of drivers present on the system:

lkd> !object \Driver

Object: e1023908  Type: (823ed418) Directory

    ObjectHeader: e10238f0 (old version)

    HandleCount: 0  PointerCount: 96

    Directory Object: e1001150  Name: Driver

    Hash Address  Type          Name

    ---- -------  ----          ----

     00  823343b0 Driver        NDIS

         82335340 Driver        KSecDD

         82171320 Driver        Beep

     01  8217ef38 Driver        Raspti

         82233260 Driver        Mouclass

         8217dd68 Driver        es1371

     02  82060030 Driver        vmx_svga



In the next post I will explain the way to query object directories from user land via NtQueryDirectoryObject [Ntdll.dll] and take advantage of it for incident response and malware detection.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›


Watch a Demo ›