Kernel Objects Information
[Image: Sample output of Object Handles probing]
I've assembled a number of UDFs which use "undocumented" features of the O/S over the years. And this here would be the latest, and possibly the last (I hope?).
The purpose of this UDF is to query kernel objects in the system. It's actually a pretty big UDF that ties together a lot of functionality, and hopefully makes it more accessible.
With the UDF you can:
Query a Kernel Object for 'hidden' information using its handle: Object Type and stats (_ObjectGetTypeInfoUD), Attributes and Access (_ObjectGetBasicInfoUD), Kernel Object Name (_ObjectGetNameUD), etc.
Query certain Kernel Event Objects for current states: Event, IoCompletion and Mutex ("Mutant") signal states (and more), Semaphore counts, Timer's remaining time, etc.
Get a list of opened File handles and filenames (there are already a few UDFs dedicated to that, though)
Collect all the current handles held by the O/S and its processes, using specific filters, and get information on what the object is and its current state
[Image: Kernel Objects Inspector script]
What's an Object you say? What's a Kernel? What's an NT? Gosh, maybe you shouldn't be here - go read Youtube.
As Windows programmers, we make use of these Kernel Objects all the time...
[Image: Object Types List]
Some of the most common System Objects: Token, Process, Thread, Event, Mutant (Mutex), Semaphore, Timer, File (includes NamedPipe and Mailslot), Key (Registry Key)
Anytime you work with these objects, you are generating new objects at the kernel level. Luckily, the O/S allows over 16 million handles per process (see Pushing the Limits of Windows: Handles by Mark Russinovich), so this isn't a concern. However, if an individual process has in excess of 16K handles, some truncated values will be returned from the NT API call, as it only returns 16-bit values for handles. See this post where I try to describe this in better detail. However, this is no longer a problem with the latest update, which restores the upper bits of handles through a simple wraparound detection technique.
There's more to say, but perhaps it's best to show what functions are available. From the NTKernelObjectsInfo UDF Header:
Querying time issues: Note that any call to query handles (_NTObjGetHandlesUD, _NTObjGetHandlesInfoEx) relies on a call to NtQuerySystemInformation, which gathers information on EVERY handle held by the system and its processes. This can take a few seconds! Be patient. (Also, _NTObjBuildTypesIndexMap calls it indirectly.)
IMPORTANT: Be a little careful with looking for 'File' objects on Vista and Win7. On XP there are already some safeguards which unfortunately prevent detecting certain objects. Newer versions of the O/S don't seem to have problems with threaded probing of File objects, but there may be some cases.
The Console output is still a bit noisy, but it's good for analyzing where there are problems in reading handles, or analyzing "File" handles which can cause major problems, especially in the case of NamedPipes.
Some example UDFs are included:
NTSystemObjectsList: displays a list of System Object Types
NTKernelObjectsCollectExample: A collection query at its simplest (see below for this example)
NTKernelObjectsSelfExamine: creates a number of different Objects before listing everything
NTKernelObjectsInspect: Inspect Kernel Objects with Filtering options from a GUI. This GUI needs work! Notice that with the ArrayDisplay function, there is a 'Run User Func' option which will display any extra info retrieved for the object (see ExInfo column).
NTKernelObjectsSpam: Creates a crapload of Kernel Objects. This is mostly useless, but it's here to demonstrate how NTKernelObjectsInspect now is able to report correct handle values beyond 65,536
In this example I query only 2 processes for handles, and use exclusion criteria to remove "File" and "EtwRegistration" from the resultant list.
; ===========================================================================================================
; <NTKernelObjectsCollectExample.au3>
;
; Pretty barebones example of NTKernelObjectsInfo, showing the ease with which objects can be collected
; Uses multiple query types, multiple processes, and multiple Object Types with exclusion rules
;
; Author: Ascend4nt
; ===========================================================================================================

#include "NTKernelObjectsInfo.au3"
#include <Array.au3>

; -= FLAGS to Tweak Object Querying =-

; Force Win2000/XP Attribute skipping (must appear AFTER #include):
;$g_NTKO_bNamedPipeProtect = True
; Alternatively set own:
;$g_NTKO_sFileAttribSkipList = "0x0012019F|"
; Additionally, can force BadMask Skipping to OFF (not recommended):
;$g_NTKO_bSkipBadMasks = False

; Other queries available, although less often used:
; $NTOBJ_QUERYBY_PID (example: @AutoItPID), $NTOBJ_QUERYBY_OBJTYPE (ex: 28), and $NTOBJ_QUERYBY_HANDLE (actual object handle)

; Query two processes by name, and exclude two Object Types from the result
$aRet = _NTObjGetHandlesInfoEx($NTOBJ_QUERYBY_PROCESSNAME, "firefox.exe|autoit3.exe", _
    $NTOBJ_QUERYBY_OBJTYPENAME + $NTOBJ_QUERY_EXCLUDE, "File|EtwRegistration")

ConsoleWrite("Errors: " & @error & ", @extended = " & @extended & @CRLF)

_ArrayDisplay($aRet, "_NTObjGetHandlesInfoEx")

Thanks for testing this out!
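The two mechanics the post leans on, the 16-bit HandleValue truncation that the wraparound detection repairs (described above under the handle-count discussion) and the group-then-filter collection the example script performs, can be shown together on a raw SystemHandleInformation buffer without calling the NT API at all. The following is an added example written for this page, not part of the NTKernelObjectsInfo UDF; it assumes the 64-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO layout given in the comments, assumes the kernel lists each process's handles in ascending order of their true values (the premise of wraparound detection), and builds its own constructed input buffer rather than reading a live system.

```python
import struct
from collections import OrderedDict

# Layout assumed here (64-bit Windows) for the buffer that
# NtQuerySystemInformation(SystemHandleInformation) fills:
#   ULONG NumberOfHandles;                       (padded to 8 bytes)
#   SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[NumberOfHandles];
# Each entry: USHORT UniqueProcessId, USHORT CreatorBackTraceIndex,
#   UCHAR ObjectTypeIndex, UCHAR HandleAttributes, USHORT HandleValue,
#   PVOID Object, ULONG GrantedAccess, 4 bytes tail padding = 24 bytes.
# HandleValue is only 16 bits wide: that is the truncation the post describes.
HEADER_FMT = "<I4x"
ENTRY_FMT = "<HHBBHQI4x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 8
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 24


def parse_handle_information(buf):
    """Decode a SystemHandleInformation buffer into dicts, in kernel order."""
    (count,) = struct.unpack_from(HEADER_FMT, buf, 0)
    entries = []
    for i in range(count):
        pid, _bt, type_idx, attrs, hval16, obj, access = struct.unpack_from(
            ENTRY_FMT, buf, HEADER_SIZE + i * ENTRY_SIZE)
        entries.append({"pid": pid, "type_index": type_idx, "attributes": attrs,
                        "handle16": hval16, "object": obj, "access": access})
    return entries


def restore_handle_values(truncated16):
    """Wraparound detection over the 16-bit HandleValue fields of ONE process,
    in the order the kernel returned them (assumed ascending by true value).
    True handle values are unique within a process, so whenever the 16-bit
    value fails to increase, the sequence has crossed a 0x10000 boundary."""
    restored, high, prev = [], 0, -1
    for v in truncated16:
        if v <= prev:
            high += 0x10000
        prev = v
        restored.append(high | v)
    return restored


def collect_handles(buf, pids=None, exclude_type_indexes=()):
    """Group entries by PID, restore full handle values over the UNFILTERED
    per-process list, then apply a PID allow-list and an object-type-index
    exclusion list (the counterpart of the UDF's $NTOBJ_QUERY_EXCLUDE)."""
    per_pid = OrderedDict()
    for e in parse_handle_information(buf):
        per_pid.setdefault(e["pid"], []).append(e)
    result = []
    for pid, entries in per_pid.items():
        if pids is not None and pid not in pids:
            continue
        full = restore_handle_values([e["handle16"] for e in entries])
        for e, h in zip(entries, full):
            if e["type_index"] in exclude_type_indexes:
                continue
            result.append(dict(e, handle=h))
    return result


def build_sample_buffer():
    """Constructed sample, not a real capture: PID 1234 holds seven handles
    that cross two 64K boundaries, PID 5678 holds two. Type indexes 7 and 28
    are arbitrary stand-ins for two object types."""
    rows = [  # (pid, type_index, attributes, true handle value, object, access)
        (1234, 7, 0, 0x00004, 0xFFFF800000001000, 0x1F0003),
        (1234, 7, 0, 0x00008, 0xFFFF800000001100, 0x1F0003),
        (1234, 28, 0, 0x0FFFC, 0xFFFF800000001200, 0x120089),
        (1234, 7, 0, 0x10000, 0xFFFF800000001300, 0x1F0003),
        (1234, 7, 0, 0x10004, 0xFFFF800000001400, 0x1F0003),
        (1234, 28, 0, 0x1FFF8, 0xFFFF800000001500, 0x120089),
        (1234, 7, 0, 0x20008, 0xFFFF800000001600, 0x1F0003),
        (5678, 28, 0, 0x0000C, 0xFFFF800000002000, 0x120089),
        (5678, 7, 2, 0x00010, 0xFFFF800000002100, 0x1F0003),
    ]
    out = bytearray(struct.pack(HEADER_FMT, len(rows)))
    for pid, t, attrs, h, obj, acc in rows:
        # Only the low 16 bits of the handle survive in the real structure
        out += struct.pack(ENTRY_FMT, pid, 0, t, attrs, h & 0xFFFF, obj, acc)
    return bytes(out)


if __name__ == "__main__":
    hits = collect_handles(build_sample_buffer(), pids={1234}, exclude_type_indexes={28})
    for e in hits:
        print(f"pid={e['pid']} handle=0x{e['handle']:X} type={e['type_index']} access=0x{e['access']:X}")
```

The order of operations in collect_handles matters: the wraparound counter must run over every entry of a process before any type exclusion is applied, because dropping an entry can hide the one descent in 16-bit values that marks a 64K boundary and shift every later handle by 0x10000. The technique also assumes a process has at least one handle in each 64K range it spans, which holds for the dense allocation a handle-spamming test produces but is worth remembering when a process has closed large blocks of handles.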
Attachment: NTKernelObjects.zip