Jump to content
Sign in to follow this  
Ascend4nt

Kernel Objects Information

Recommended Posts

trancexx

Excellent! Thanks for sharing mister.

...I did something similar few weeks ago when that thread about hotkeys was actual, to see if there would be any sign of hotkeys on this level. However, nothing as complete as your code. I wonder if your motivation was similar? That would be mighty cool.

Thanks again.


♡♡♡

.

eMyvnE

Share this post


Link to post
Share on other sites
Danyfirex

Insteresting. thanks for sharing  Ascend4nt. I've learned a lot from your codes.

Saludos

Share this post


Link to post
Share on other sites
Ascend4nt

trancexx, Actually I've had parts of the code laying around for years now.  I was intending to release something like this last year when I first showed Decipher a >function on getting Object names using a thread.  I've done a bit of work in C++ with multithreading using Semaphores and Mutexes, which gave me the need to query those objects too. Why MS never 'officially' exposed these non-mutating query API's (NtQueryMutant, NtQuerySemaphore, etc), I'll never know.. they are pretty important tools for debugging.

Additionally, I've also seen a few random people asking about handles, files, and other system objects that made me think it might be worth something to someone to release this.

As an unexpected result of this, I've also been able to see why certain processes are eating thousands of handles, sometimes for no good reason (khalmnpr.exe - you dirty little slut).

Ah, but back to that HotKeys thread.. that actually did get me digging, but instead of finding an answer, I went and released that '>Atom Tables' UDF a month or so ago, as some hotkey strings are occasionally stored there.

Man, I dunno about you.. but with this project, I'm pretty much done with the Undocumented Windows world. haha

With the Processes and Threads, Atom Tables, multi-CPU Usage and other UDF's I've released, I think I've had my fill.

Share this post


Link to post
Share on other sites
Ascend4nt

Insteresting. thanks for sharing  Ascend4nt. I've learned a lot from your codes.

Glad to hear it!

Btw, I'd like to hear if the Registry keys, File paths, and NamedPipes/Mailslots etc are being detected properly. (excluding those reporting negative values in the 'ExInfo' column)

Also, hmm.. it appears when running from Scite, querying one of the 'AutoIt3Wrapper' processes fails for certain File types, probably NamedPipes.. the thread querying these doesn't even terminate properly.  I may have to force protection for that specific attribute even on Windows 7

Share this post


Link to post
Share on other sites
Danyfirex

This is my output running as admin in windows 7 Home Basic x86

Handles Info.txt

Typemapping.txt

Saludos

Share this post


Link to post
Share on other sites
Ascend4nt

JScript: thanks for the compliment

DanyfireX, much appreciated! Are you running a Spanish (or otherwise) language version of the O/S?

Share this post


Link to post
Share on other sites
Danyfirex

Spanish language.

Saludos

Share this post


Link to post
Share on other sites
step887

Nice work :)

I recently been trying to work my way through calling process handles and I was trying to get the path name.

here is output of the self inspect (win 7 64 bit, ran with admin rights and has 64 bit)

Once I get a bit more time, I am going to dig through your code and see what I can learn.

 

 

autoit.xlsx

Edited by step887

Share this post


Link to post
Share on other sites
MikahS

Very cool, thank you for sharing Ascend4nt :)

Edited by MikahS

Snips & Scripts


My Snips: graphCPUTemp ~ getENVvars
My Scripts: Short-Order Encrypter - message and file encryption V1.6.1 ~ AuPad - Notepad written entirely in AutoIt V1.9.4

Feel free to use any of my code for your own use.                                                                                                                                                           Forum FAQ

 

Share this post


Link to post
Share on other sites
Ascend4nt
here is output of the self inspect (win 7 64 bit, ran with admin rights and has 64 bit)

step887, thanks for the output. I'm curious why HKEY_CURENT_USER isn't being detected for you properly.  The line that reads "HKEY_USERSS-1-5-21...Software" should be converted, so I'm assuming the call to _Security__LookupAccountName() isn't returning the proper SID for you.  Just out of curiosity, try running this and see if the SID matches the one used in that line:

#include <Security.au3>
ConsoleWrite("SID = " & _Security__LookupAccountName(@UserName)[0] & @CRLF)

But anyway, I'm releasing a new version of the UDF shortly which uses a different method of getting the SID, so we'll see if that one works for you

Share this post


Link to post
Share on other sites
step887
#include <Security.au3>
ConsoleWrite("SID = " & _Security__LookupAccountName(@UserName)[0] & @CRLF)

SID = S-1-5-21-3849832183-2284427975-4186142399-1001

Share this post


Link to post
Share on other sites
Ascend4nt

SID = S-1-5-21.xxx

That's very odd.  Well, give the new UDF a try and see what the output is!

 

Update:

2014-09-26:

Added: Multiple processes and/or types allowed in filters, plus exclusion flag

Changed: NTKernelObjectsInspect example now allows multiple filters and/or processes

         Also, Object totals are displayed where possible (elevated rights necessary for some processes)

Added: $NTOBJ_QUERYBY_PROCESSNAME Filter -> Must be used with processes as names

Improved: DLL Handles used for DLLCalls()

       Note that the biggest time-sink is still the API call NtQuerySystemInformation

       which grabs ALL system handles in one fell swoop (used inside _NTObjGetHandlesUD)

Added: Internal functions which rely on DLLHandles for speed improvements

Added: $g_NTKO_bNamedPipeProtect which can be toggled to prevent certain attributes

       from being scanned when "File" types are found. This is toggled ON for XP/2003 and under,

       OFF for Vista+

Added: $g_NTKO_sFileAttribSkipList -> assign additional Skip-Attributes with this if desired

Added: 'BadMasks' check in collection function which flags certain Attributes which have

       previously caused Thread timeouts. Use $g_NTKO_bSkipBadMasks to toggle this OFF (ON by default)

Changed: HKCU detection relies on a different technique than _Security__LookupAccountName() to get SID

Added: Smaller simpler example (NTKernelObjectsCollectExample)

Misc: Other misc. changes, additions, fixes which shouldn't affect UDF usage

Share this post


Link to post
Share on other sites
step887

Here is the output of NTKernelObjectsSelfExamine.au3

Share this post


Link to post
Share on other sites
Ascend4nt

Here is the output of NTKernelObjectsSelfExamine.au3

I hope that was a mistake? lol

Share this post


Link to post
Share on other sites
Ascend4nt

Update: I was thankfully wrong about the 64K limit on system object handles.  There's actually a really high limit - 16,777,216 - and its not actually O/S-wide, but Process-specific (which gives quite a lot of legroom).  The unfortunate problem that creates is that 16+million is more than what would fit in a 16-bit variable.  The NtQuerySystemInformation API call which is used to gather information on handles returns an array of SYSTEM_HANDLE_INFORMATION structures, and those structures limit handle values to 16-bits.  This amount is okay when a Process's handles are never in excess of 16-bits, but for values above this (65,536+), the upper bits are lost, and the handle value then indexes other handles, which can create a mess of confusion. Fortunately, this shouldn't be a problem with most processes, as anything more than a few thousand handles for one process is highly unlikely (and probably a sign of a buggy program).

Another important thing to note is that each handle # is process-specific. So even if there are 7,000 handles for 100 processes, the API call will still return the correct results, as each handle # is unique only to the process to which it belongs. This also means that handle # 4 in one process is something completely different in another process.

Also important to note: handle values (or handle-table indexes) are each offset by 4, so approximately 64K/4, or 16K handles can be consumed by a process before it surpasses 16-bits. The example below shows this.  Use NTKernelObjectsInspect to compare handle values to see where the 'wraparound' happens just after 0xFFFC.

For information on system handles, check out Mark Russinovich's excellent blogs, specifically "Pushing the Limits of Windows: Handles"

#include <WinAPI.au3>
#include <Array.au3>

; Handle values (indexes into handle tables) are offset 4 bytes from each other, so aroune 16K handles
; would be the max representable in 16-bits. (There are already handles at this point, so this will
; indeed cause 17+ bits to be used)
Local $aHandles = _HandleGenerate(65536 / 4)
;MsgBox(0, "Handles Generated", "Generated handles = " & UBound($aHandles))
_ArrayDisplay($aHandles, "Handles Generated")

Func _HandleGenerate($iMax)
    ; Limit of 4999999 is much less than the real max (16 million+)
    If $iMax < 0 Or $iMax > 4999999 Then Return SetError(1, 0, 0)

    Local $hEvent, $aHandles[$iMax]

    $hEvent = _WinAPI_CreateEvent(0, True, True, "_EVENTOBJ_")
    If @error Or $hEvent = 0 Then Return SetError(-1, @error, 0)
    ConsoleWrite("Event Handle for '_EVENTOBJ' = " & $hEvent& @CRLF)

    $aHandles[0] = $hEvent

    For $i = 1 To $iMax - 1
        ; DUPLICATE_SAME_ACCESS (2)
        $aHandles[$i] = _WinAPI_DuplicateHandle(Ptr(-1), $hEvent, Ptr(-1), 0, 0, 2)
        If @error Or $aHandles[$i] = 0 Then
            SetError(-1, @error, 0)
            ExitLoop
        EndIf
    Next
    If @error Then
        If $aHandles[$i] = 0 Then
            ReDim $aHandles[$i - 1]
        EndIf
        Return SetError(2, @extended, $aHandles)
    EndIf
    Return $aHandles
EndFunc

Share this post


Link to post
Share on other sites
Ascend4nt

step887, much appreciated. It looks to be working as it should.  I'd recommend deleting or obfuscating the S-1-5-21-xxx SIDs, as I'm not sure if that info can be used for malicious purposes

Share this post


Link to post
Share on other sites
Ascend4nt

Never one to be satisfied with edge cases, I took the initative to properly fool-proof this beast against processes with 16K+ handles. Yup, now the truncated bits of handles are properly restored using simple wraparound detection. Enjoy!

Update 2014-10-01:

Fixed: _NTObjGetHandlesUD() was failing to return an error code if $FilterBy was 0, resulting in empty arras
Improved: _NTObjGetHandlesUD() now tracks & calculates internally what handle values are beyond 65,536
Added: NTKernelObjectSpam (simple test of creating tons of Kernel Objects)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Similar Content

    • rcmaehl
      By rcmaehl
      Hi all,
      I've recently be kinda forced into trying to learn OOP within AutoIt. I'm trying to convert XML into objects I guess instead of trying to parse it into arrays within arrays. An example is below:
      <User> <roles> <role>Agent</role> <role>Supervisor</role> </roles> </user>  
      How can I convert this? Would <roles> be $User.Roles? If so would the children be $User.Roles.Role.Agent and $User.Roles.Role.Supervisor?  If not, how do I reference each Object?
        Any assistance would be appreciated. I tried to understand XML.au3 but I'm so confused trying to wrap my head around this.
    • rcmaehl
      By rcmaehl
      Hi all,
      My work has recently switched from a Win32 based application to a web based application. Thankfully there's an API for me to attach to now but I have a few questions since I'm using Objects now for some parts of my scripts...
      Do I need to run ObjCreate("winhttp.winhttprequest.5.1") everytime before any object stuff or can I just run it once at the beginning of my script and reuse it? Is $oHTTP.Open("GET", <url>) followed by $oHTTP.Send() pretty much the same as INetRead and can I use them interchangeably? Do I need to somehow delete the Object after creating it at the end of my script? - Answered by Helpfile Thanks!
    • kingjacob90
      By kingjacob90
      HI
      I am wanting to know what my CPU temp is but don't know what object to use. I don't relay know how objget works so would not know where to start. I have seen people integrate things like windows speech to text into their scripts but don't know how they know what object to use! How do I find the right object? And how dose it work?
       
      Thanks Jacob
    • RaiNote
      By RaiNote
      Hi,
      How to work easily and fast with the oleview.exe which Displays the Object COM from Windows and other programs~
    • Keithw
      By Keithw
      I'm trying to create a remote object using the example script on the ObjCreate function reference page:
      #include <MsgBoxConstants.au3> ;Open the MediaPlayer ona REMOTE computer Local $oRemoteMedia = ObjCreate("WMPlayer.OCX", "W2RATD5NGK32", "W2RATD5NGK32\administrator", "Win7Pilot") If Not @error Then MsgBox($MB_SYSTEMMODAL, "Remote ObjCreate Test", "ObjCreate() of a remote Mediaplayer Object successful !") $oRemoteMedia.openPlayer(@WindowsDir & "\media\tada.wav") ; Play sound if file is present Else MsgBox($MB_SYSTEMMODAL, "Remote ObjCreate Test", "Failed to open remote Object. Error code: " & Hex(@error, 8)) EndIf The message returns:  Failed to open remote Object.  Error Code:  80004002 
       
      I've tried researching this error but haven't found any useful info.  All I know are these requirements below and I know for sure that the services are running, and the script is being executed as x64 with admin rights.
      I'm now at a dead end and not sure how to further troubleshoot this error.  Also, the script runs fine when I use my own hostname.  Any ideas? 
×