Read windows core programming-3-kernel objects

(3) kernel objects

What is a kernel object?

The kernel object is the objects allocated and accessed by the Windows operating system kernel. Each kernel object corresponds to a memory block, which can only be allocated, accessed, and released by the kernel. The memory block is a data structure that maintains object-related information. A few members are shared by all kernel objects, such as security descriptor and usage count. Others are unique to each kernel object.

There are many types of kernel objects, such as access tokens, events, files, file ing, jobs, mutex, pipelines, processes, threads, semaphores, waiting timers, and thread pool factories. You can use some tools to observe, such as winobj and process explorer.

Kernel objects can only be accessed in applications through a set of Windows functions create */Open */closehandle and the corresponding kernel object handle (* handle, the kernel object handle (32-bit Windows Process Handle is 32-bit, 64-bit process, the handle is also changed to 64-bit) is an opaque value, the specific significance may also be related to the specific implementation of different versions of Windows, but it can be determined that:

1. The handle is related to the process. It is meaningless to pass the handle of a process to other processes;
   
2. The handle can be used by all threads in the same process;
   
3. The handle contains the index value of the Process Handle table, so the address of the corresponding kernel object can be found through the handle.
   

Usage count

All of the kernel objects are the kernel, not the process. The only way the process operates the kernel object is to use the handle as the parameter to call the corresponding Windows API (create */Open */closehandle ). The Windows operating system can calculate the number of kernel objects, that is, the Windows operating system knows how many processes are referencing the same kernel object. The kernel object is destroyed only when the reference count is changed to 0. Therefore, the life cycle of a kernel object may be longer than that of the process that created it.

Kernel Object Security

Kernel objects are protected by a security descriptor, which defines who owns the object, which groups and users are allowed to access and use the object, and which are denied. This security information is specified using the security_attributes parameter. If null is passed to this parameter, the default security is used (the security information is determined by the security token of the current process ).

In addition to kernel objects, processes may also use other objects, such as menus, windows, mouse, brushes, and fonts, which belong to user objects or GDI objects rather than kernel objects. A simple method to determine whether it is a kernel object depends on whether the create * method specifies a parameter for security information.

Process kernel object handle

The process kernel object handle contains the index value of the Process Handle table, and the process handle table is allocated by the system during process initialization; in fact, the actual index value of the handle table can be obtained by dividing the handle value by 4 (or shifting the two digits to the right to ignore the last two digits used in Windows. A possible handle table structure is as follows:

Each handle contains an index value and only one record in the table can be used. Each record in the handle table is a data structure. The data structure includes:

1. Pointer of a kernel object;
   
2. An access mask );
   
3. Some Flag spaces, such as inheritance.
   

Create a kernel object

Call the create * function to create the kernel object, as shown in the following list. When the creation fails, some functions return NULL (this is the reason why Shenma's first valid handle value is 4 ), some will return invalid_handle_value (this value is-1); but getlasterror () will return error_invalid_handle.

CreateProcess/createthread/createfile/createfilemapping/createmutex/createsemaphore

Disable kernel objects

Closehandle is used to disable kernel objects, regardless of the type and method of creation. If the shutdown fails, closehandle returns false.

After closehandle is called, the corresponding records in the Process Handle table will be cleared, and the reference count of the corresponding kernel object will be reduced by 1. If the Count turns to 0, the kernel object will be destroyed.

If the process forgets to call closehandle, it will wait until the process exits to shut down all used internal object handles for the process. In fact, when the process is terminated, the system will ensure that all resources are released, including kernel objects, resources, GDI objects and memory blocks. (This can be verified using Windows Task Manager or process Explorer ).

Cross-process sharing of kernel objects

Because kernel objects are stored in the process kernel address space, kernel objects can be shared across processes. All processes in the system share the kernel address space: for 32-bit systems, this is 0x80000000 ~ Memory between 0xffffffff, for 64-bit systems, this is 0x00000400 00000000 ~ Space between 0 xffffffffff.

Three methods for sharing kernel objects:

1. Use object handle inheritance
   
   1. When creating a sub-process or sun-process, the process can use handle inheritance.
      
   2. Binherithandle = true must be set for the inherited handle
      
   3. Binherithandles = true must be set when the parent process creates a child process.
      
   4. When all the preceding conditions are met, the child process will copy the handle that can be inherited (binherithandle = true) from the parent process, and the corresponding handle value and index, and the inheritance is the same as that of the parent process.
      

 

1. Use named object
   
   1. When you use create * to create a kernel object, you can name the object so that it can be used across processes. Other processes only need to use the same name to call create */Open *;
      
   2. There is no mechanism for verifying whether the name already exists. Therefore, you need to call open * directly or call getlasterror after create * to check whether error_already_exist is returned, to determine whether to create a new object or simply open the existing kernel object;
      
   3. When you create */Open * to retrieve an existing kernel object, the system searches for the existing kernel object by name and verifies whether the calling process has the corresponding kernel access (read/write) permission, however, security issues still exist. For example, malicious programs can use the same Kernel Object Name as some high-permission processes;
      
   4. The private namespace can partially solve security and rename issues. Related APIs: createprivatenamespace/closeprivatenamespace.
      

 

1. Copy object handle
   
   1. Duplicatehandle can copy the process-related object handle to another process. The copied handle is related to the target process;
      
   2. Because the copied handle is related to the target process (that is, the handle is in the handle table of the target process), it can only be disabled in the target process.
      

 

Example:

DWORD currentprocessid = getcurrentprocessid ();

Handle hmutexinsource = createmutex (null, false, _ T ("mytestmutex "));

Startupinfo Si = {sizeof (SI )};

Si. dwflags = startf_useshowwindow;

Si. wshowwindow = true;

Process_information PI = {};

Handle hmutextintarget = NULL;

Tchar cmdline [] = text ("C: // program files // Internet Explorer // iexplore.exe http://www.baidu.com /");

 

If (CreateProcess (null, cmdline, null, null, false, create_new_console, null, null, & Si, & PI )){

Handle hsourceprocess = getcurrentprocess ();

 

Tcout <"before duplicate handle" <Endl;

// Display_process_handles (PI. dwprocessid );

If (! Duplicatehandle (hsourceprocess, hmutexinsource, Pi. hprocess, & hmutextintarget, 0, false, duplicate_same_access )){

Display_last_error ();

}

Else {

Tcout <"after duplicate handle" <Endl;

// Display_process_handles (PI. dwprocessid );

}

 

Setlocale (lc_all, "CHS ");

_ Tprintf (_ T ("ID of the new process: % d \ n"), Pi. dwprocessid );

_ Tprintf (_ T ("Master thread ID of the new process: % d \ r \ n"), Pi. dwthreadid );

 

Closehandle (PI. hprocess );

}

Else {

Display_last_error ();

}

Closehandle (hmutexinsource );