Windows core programming Chapter 1 kernel objects

Source: Internet
Author: User

3.1 What is a kernel object

A kernel object is a block of memory allocated by the kernel. It is a data structure that only the kernel can access; an application can operate on a kernel object only by calling the functions Windows provides. Every kernel object shares some common members, such as its security descriptor and its usage count.

3.1.1 Kernel object usage count

The usage count stored in a kernel object belongs to the kernel, not to any one process. When a process first creates a kernel object, the count is set to 1. When another process opens the same kernel object, the count becomes 2. When a process terminates or closes its handle (CloseHandle), the kernel decrements the count by 1. As long as the count is not 0, the kernel does not free the kernel object.

3.1.2 Security

Kernel objects can be protected by a security descriptor. The security descriptor defines who can create, access, and use the object. Security descriptors are generally only of concern in server code; client code can usually ignore them.

Almost every function that creates a kernel object takes a pointer to a SECURITY_ATTRIBUTES structure as a parameter.

typedef struct _SECURITY_ATTRIBUTES {
    DWORD  nLength;
    LPVOID lpSecurityDescriptor;
    BOOL   bInheritHandle;
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;

Only the lpSecurityDescriptor member is related to security. Usually the whole parameter is passed as NULL, which means the object gets the default security descriptor.
If you need to pass the structure explicitly:

SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = NULL;   // default security descriptor
sa.bInheritHandle = FALSE;        // the handle is not inheritable
HANDLE h = CreateMutexA(&sa, FALSE, "XI");   // CreateMutexA, because the name is a narrow (ANSI) string

Another process can open this object with the OpenMutex function. If its permissions allow, a handle is returned; on failure NULL is returned and GetLastError is set to ERROR_ACCESS_DENIED. Besides kernel objects, Windows also has GDI objects and User objects. A simple way to tell them apart: the functions that create kernel objects take a security descriptor (SECURITY_ATTRIBUTES) parameter.

3.2 Process kernel object handle table

Index | Pointer to kernel object memory block | Access mask (DWORD of flag bits) | Flags (DWORD of flag bits)
------+--------------------------------------+----------------------------------+---------------------------
1     | 0x????????                           | 0x????????                       | 0x????????
2     | 0x????????                           | 0x????????                       | 0x????????
...   | ...                                  | ...                              | ...

3.2.1 Creating a kernel object

Call a function from the Create* family to create the corresponding kernel object; it returns a handle to the kernel object (which is really an index into the process's handle table). If creation fails, 0 (NULL) is usually returned, but some functions return INVALID_HANDLE_VALUE (-1) instead; CreateFile, for example, returns the latter on failure. The failure may be caused by insufficient memory or by security checks. Other functions that operate on the kernel object take this handle value as a parameter. If an invalid handle is passed in, GetLastError is set to 6 (ERROR_INVALID_HANDLE).

3.2.2 Closing a kernel object

BOOL CloseHandle(HANDLE hObj);

When this function is called, the system clears the corresponding entry in the process's handle table and decrements the object's usage count. If the count reaches 0, the kernel releases the resources of the kernel object. If the count is not 0, other processes are still using the kernel object and no resources are released.

If a process forgets to call CloseHandle, a resource leak may occur while the process is running, but the system releases the handles when the process terminates.

If the handle passed in is invalid, the function returns FALSE and GetLastError is set to ERROR_INVALID_HANDLE. If the process is being debugged, the error is reported as well.

3.3 Sharing kernel objects across process boundaries

3.3.1 Object handle inheritance
  1. When a parent process creates a kernel object with the bInheritHandle member of SECURITY_ATTRIBUTES set to TRUE, the flag of that entry in the parent's handle table is set to indicate that the entry can be inherited by a child process (it is the handle value that is inherited, not the kernel object itself).
  2. Pass TRUE for the bInheritHandles parameter of CreateProcess so that the new process inherits the parent's inheritable handles.
  3. After the child process is created, and before it loads the program, the system walks the parent's handle table and copies every inheritable entry into the child's handle table at the same index, so the handle value is unchanged.
  4. A parent process can pass a handle value to a child process in three ways: as a command-line argument, through inter-process communication, or through an environment variable (which the child reads with GetEnvironmentVariable).

BOOL WINAPI CreateProcess(
    __in_opt    LPCSTR                lpApplicationName,
    __inout_opt LPSTR                 lpCommandLine,
    __in_opt    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in        BOOL                  bInheritHandles,
    __in        DWORD                 dwCreationFlags,
    __in_opt    LPVOID                lpEnvironment,
    __in_opt    LPCSTR                lpCurrentDirectory,
    __in        LPSTARTUPINFOA        lpStartupInfo,
    __out       LPPROCESS_INFORMATION lpProcessInformation
    );
Note:
If a child process creates its own child process, inheritable handles are passed on in the same way.
If the parent process creates a kernel object after it has created the child process, the child does not inherit that handle.
3.3.2 Changing handle flags

BOOL SetHandleInformation(HANDLE hObject, DWORD dwMask, DWORD dwFlags);

This function changes the flags of a handle. Currently two flags can be changed:

#define HANDLE_FLAG_INHERIT            0x00000001  // inheritance flag
#define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x00000002  // protects the handle from CloseHandle

The two flags can be combined with a bitwise OR to set both at once. The first parameter is the handle to modify, the second is a mask of the flags to change, and the third is the new value of those flags.

BOOL GetHandleInformation(HANDLE hObject, PDWORD pdwFlags);

This function retrieves the current flags of a handle.

// Make the handle inheritable:
SetHandleInformation(hObject, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
// Make the handle non-inheritable:
SetHandleInformation(hObject, HANDLE_FLAG_INHERIT, 0);
// Protect the handle from being closed:
SetHandleInformation(hObject, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
// Remove the protection so the handle can be closed again:
SetHandleInformation(hObject, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0);
3.3.3 Named objects

The last parameter of the Create* family of kernel object functions is pszName. If NULL is passed, an anonymous kernel object is created, and it can be shared with other processes only through the other two mechanisms described in this section. When pszName is a string terminated by '\0' (at most MAX_PATH, 260, characters), a named object is created. For example, process A calls CreateMutex(NULL, FALSE, "Xi"), which creates a kernel object named "Xi". If process B later also calls CreateMutex(NULL, FALSE, "Xi"), the function performs the following steps:
  1. Check whether a kernel object with the same name already exists.
  2. Check whether the kernel object types are the same. If the names match but the types differ, the Create* function returns NULL and GetLastError is set to 6 (ERROR_INVALID_HANDLE).
  3. Check security. If this check fails, the result is the same as in step 2: NULL is returned and GetLastError has the same value.
  4. If the checks succeed, a handle is returned (its value is not necessarily the same as other handles to this kernel object) and GetLastError is set to ERROR_ALREADY_EXISTS.

You can also use the Open* family of functions to open an existing named object; GetLastError is not set when the call succeeds. The details are as follows:

HANDLE Open*(DWORD dwDesiredAccess, BOOL bInheritHandle, PCTSTR pszName);

The first parameter specifies the desired access rights.

The second parameter indicates whether the new handle is inheritable (note: the handle, not the kernel object!).

The third parameter cannot be NULL. If no object with that name exists, NULL is returned and GetLastError is set to 2 (ERROR_FILE_NOT_FOUND).

3.3.4 Terminal Server namespaces

Global\, Local\ and Session\ are reserved keywords (namespace prefixes). What I don't understand is that, while the server is running, clients can access the kernel objects whose names start with these prefixes.

3.3.5 Duplicating object handles

BOOL DuplicateHandle(
    HANDLE  hSourceProcessHandle,
    HANDLE  hSourceHandle,
    HANDLE  hTargetProcessHandle,
    PHANDLE phTargetHandle,
    DWORD   dwDesiredAccess,
    BOOL    bInheritHandle,
    DWORD   dwOptions);

Let the process that calls DuplicateHandle be process C, the source process be process S, and the target process be process T. Then hSourceProcessHandle is a process handle for S and hTargetProcessHandle is a process handle for T. Process C copies the handle hSourceHandle from S into T, and the new handle value is stored in phTargetHandle. dwDesiredAccess gives the access rights of the new handle and bInheritHandle says whether the new handle is inheritable. The dwOptions parameter has two flags:

DUPLICATE_SAME_ACCESS: ignore dwDesiredAccess; the new handle has the same access rights as the source handle.

DUPLICATE_CLOSE_SOURCE: close the source handle in process S after duplicating it; the kernel object's usage count is unchanged.

// Process S (the current process) creates the object and duplicates its handle into process T.
HANDLE hObjProcessS = CreateMutex(NULL, FALSE, NULL);
HANDLE hProcessT = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessIdT);  // dwProcessIdT: ID of process T, obtained elsewhere
HANDLE hObjProcessT;   // receives the handle value that is valid inside process T
DuplicateHandle(GetCurrentProcess(), hObjProcessS, hProcessT, &hObjProcessT,
                0, FALSE, DUPLICATE_SAME_ACCESS);
CloseHandle(hObjProcessS);   // S no longer needs its own handle; T's copy keeps the object alive
CloseHandle(hProcessT);

Note:
In practice, DuplicateHandle is rarely used with three separate processes, because it is hard to know the handle value in the source process.
Some IPC mechanism is needed to notify the target process that the new handle has been duplicated into it and what its value is.
