Windows Kernel Object notes

Source: Internet
Author: User
Device context objects such as HDC, brush objects such as HBRUSH, and pen objects such as HPEN are not kernel objects; they are GDI drawing objects and user objects.

A common way to tell a user object from a kernel object: the function that creates a kernel object takes a parameter of type PSECURITY_ATTRIBUTES, a pointer to a SECURITY_ATTRIBUTES structure. This structure describes the security of the kernel object being created, for example whether its handle can be inherited by a child process.

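typedef struct _SECURITY_ATTRIBUTES {
    DWORD  nLength;               /* size of this structure, in bytes */
    LPVOID lpSecurityDescriptor;  /* security descriptor for the object */
    BOOL   bInheritHandle;        /* TRUE if the handle can be inherited */
} SECURITY_ATTRIBUTES;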

A kernel object belongs to Windows rather than to a process, but each process has a handle table whose entries reference kernel objects.

Kernel objects are reference counted. When a kernel object is referenced in the kernel object handle table of a process, the count of the kernel object increases by 1. When the process calls CloseHandle(hHandle), the reference count is decremented. When the reference count reaches 0, the kernel object is destroyed. When a process exits, the reference count of every kernel object in that process is decremented.

Common kernel objects: file objects, file-mapping objects, event objects, mutex objects, process objects, and thread objects.

Creating a kernel object returns a handle, which in Windows is a 32-bit unsigned integer. Shifting this integer right by two bits gives the index of the handle in the process handle table.

The following describes how to share kernel objects between processes.

There are three methods to share kernel objects across process boundaries: object handle inheritance, object naming, and copying object handles.

1. Object handle inheritance
bInheritHandle, the third member of SECURITY_ATTRIBUTES, specifies whether the handle of the created kernel object can be inherited by a child process. If it is set to TRUE, and the bInheritHandles parameter of CreateProcess is also set to TRUE when the child process is created, the object handle is shared. (In this case, the kernel object handle is located at the same position in the handle tables of the child process and the parent process. Therefore the same handle value locates the handle record in either handle table, and both records point to the same memory address, where the kernel object is stored. Of course, you cannot directly modify the content of that memory address because you do not have permission to access it.)
The handle value is generally passed to the child process as a command-line parameter when the child is created, and the child process parses the handle value from it.
You can use the SetHandleInformation() and GetHandleInformation() functions to change the inheritance flag of a handle or to read it.
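The handle table, reference counting and inheritance rules described above can be followed in a small model. This is an added example, not code from the original page and not Windows' actual implementation; it is a simplified model in portable C, and every type and function name in it (Process, KObject, open_handle, inherit_handles and so on) is hypothetical.

```c
/* Simplified model of a per-process handle table. Hypothetical names;
   this does not call the Win32 API and is not how Windows is implemented. */
#include <stddef.h>
#include <stdint.h>

#define SLOTS 8

typedef struct { int refcount; } KObject;                /* kernel-owned object */
typedef struct { KObject *obj; int inheritable; } Entry; /* one handle-table row */
typedef struct { Entry slot[SLOTS]; } Process;

/* Handle value <-> table index, as the page states: index = handle >> 2. */
static uint32_t index_to_handle(uint32_t i) { return i << 2; }
static uint32_t handle_to_index(uint32_t h) { return h >> 2; }

/* Reference obj from p's table. Returns the handle, or 0 if the table is
   full. Slot 0 stays unused so that 0 can mean "no handle". */
uint32_t open_handle(Process *p, KObject *obj, int inheritable) {
    for (uint32_t i = 1; i < SLOTS; i++) {
        if (p->slot[i].obj == NULL) {
            p->slot[i].obj = obj;
            p->slot[i].inheritable = inheritable;
            obj->refcount++;
            return index_to_handle(i);
        }
    }
    return 0;
}

/* Model of CloseHandle: clear the entry and decrement the object's count. */
int close_handle(Process *p, uint32_t h) {
    uint32_t i = handle_to_index(h);
    if (i == 0 || i >= SLOTS || p->slot[i].obj == NULL) return 0;
    p->slot[i].obj->refcount--;
    p->slot[i].obj = NULL;
    return 1;
}

/* Model of creating a child with inheritance enabled: only entries marked
   inheritable are copied, at the same index, so the handle value matches. */
void inherit_handles(const Process *parent, Process *child) {
    for (uint32_t i = 1; i < SLOTS; i++) {
        if (parent->slot[i].obj && parent->slot[i].inheritable) {
            child->slot[i] = parent->slot[i];
            child->slot[i].obj->refcount++;
        }
    }
}

/* Returns the object that handle h refers to in p, or NULL. */
KObject *lookup(const Process *p, uint32_t h) {
    uint32_t i = handle_to_index(h);
    return (i < SLOTS) ? p->slot[i].obj : NULL;
}
```

In the model, a handle that is not marked inheritable never appears in the child's table, so marking only the handles a child actually needs keeps unrelated objects out of its reach.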

2. Object naming
When creating a kernel object, the last parameter is of the PCTSTR type and lets you specify a name for the kernel object. When another process creates an object with the same name, the system's kernel object list is checked for a kernel object of the same name and type. If one exists, no new kernel object is created; instead a new handle is created directly in the process's kernel object handle table, its memory address points to the existing kernel object, and the count of the kernel object is increased.
You can also use the Open*(DWORD dwDesiredAccess, BOOL bInheritHandle, PCTSTR pszName) functions to find the kernel object with the specified name. If no such kernel object is found, NULL is returned.
The advantage is that the two processes sharing the kernel object do not need to be parent and child.

3. Copy the object handle