Windows kernel objects

Source: Internet
Author: User

1. Kernel objects

Each kernel object in Windows is simply a block of memory that is allocated by the operating system kernel and accessible only to the kernel; applications cannot locate these data structures in memory or change their contents directly. This block of memory is a data structure whose members maintain information about the object. A few members (the security descriptor and the usage count) are present in all kernel objects, but most members are specific to a particular object type.

2. Usage count and lifetime of kernel objects

The owner of a kernel object is the operating system kernel, not the process. In other words, when the process exits, the kernel object is not necessarily destroyed. The kernel keeps a usage count for each kernel object so that it knows how many processes are currently using that object. When a kernel object is first created, its usage count is set to 1. When another process obtains access to the kernel object, the usage count is incremented by 1. When the usage count of a kernel object is decremented to 0, the kernel destroys the object. This means that a kernel object created in the current process may still be in use by another process when the current process exits. In that case, process exit only releases the current process's own references to the kernel objects it uses; it does not release the references held by other processes, even for a kernel object that the current process created. The usage count of such an object therefore does not drop to 0, and the kernel does not destroy it. Examples are as follows:

(1) Process 1 exits, process 2 does not. The reference counts of kernel objects a and b are decremented to 0, and they are destroyed by the operating system kernel. Process 1 only releases its own references to c and d and does not affect process 2's references to c and d, so the reference counts of c and d are not 0 and they are not destroyed.
(2) Process 2 exits, process 1 does not. Process 2 releases its own references to c and d and does not affect process 1, so a, b, c, d are not destroyed.
(3) When the process exits, the reference counts of kernel objects a, b, c, d are decremented to 0 and the objects are destroyed by the kernel.
(4) When processes 1 and 2 have both exited, the reference counts of kernel objects a, b, c, d are decremented to 0, and every kernel object whose count has reached 0 is destroyed by the kernel.
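
The usage-count behaviour in cases (1), (2) and (4) can be traced with a small portable model. This is an added example, not code from the original page and not the Windows implementation; the `Kernel` structure and the helper names are hypothetical, and it assumes (inferred from the cases above) that process 1 references a, b, c, d while process 2 references c, d.

```c
#include <stdio.h>
#include <string.h>

#define NOBJ  4   /* kernel objects a, b, c, d from the text */
#define NPROC 2   /* index 0 = process 1, index 1 = process 2 */

typedef struct {
    int usage[NOBJ];          /* usage count kept by the "kernel" per object */
    int alive[NOBJ];          /* 1 until the usage count drops to 0 */
    int handles[NPROC][NOBJ]; /* per-process handle table: 1 = holds a handle */
} Kernel;

/* Process p creates or opens object o: its usage count goes up by 1. */
static void open_object(Kernel *k, int p, int o) {
    if (k->handles[p][o]) return;  /* model: one handle per process per object */
    k->handles[p][o] = 1;
    k->usage[o]++;
    k->alive[o] = 1;
}

/* Process exit releases only the references held by process p itself. */
static void exit_process(Kernel *k, int p) {
    for (int o = 0; o < NOBJ; o++) {
        if (!k->handles[p][o]) continue;
        k->handles[p][o] = 0;
        if (--k->usage[o] == 0) k->alive[o] = 0;  /* count hit 0: destroyed */
    }
}

/* Assumed layout: process 1 uses a, b, c, d; process 2 uses c, d. */
static Kernel scenario(void) {
    Kernel k;
    memset(&k, 0, sizeof k);
    for (int o = 0; o < NOBJ; o++) open_object(&k, 0, o);
    open_object(&k, 1, 2);
    open_object(&k, 1, 3);
    return k;
}

/* Bitmask of objects still alive (bit 0 = a ... bit 3 = d). */
static int survivors(const Kernel *k) {
    int mask = 0;
    for (int o = 0; o < NOBJ; o++) if (k->alive[o]) mask |= 1 << o;
    return mask;
}

int main(void) {
    Kernel k = scenario();
    exit_process(&k, 0);  /* case (1): process 1 exits first */
    printf("after process 1 exits: 0x%x\n", survivors(&k));
    exit_process(&k, 1);  /* case (4): both processes have exited */
    printf("after process 2 exits: 0x%x\n", survivors(&k));
    return 0;
}
```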

3. Manipulating Kernel objects

Windows provides a set of functions for manipulating kernel objects. When a function that creates a kernel object succeeds, it returns a handle that represents the newly created object and can be used by any thread in the process. In a 32-bit process the handle is a 32-bit value, and in a 64-bit process it is a 64-bit value. We use this handle, which uniquely identifies the kernel object, when calling the functions that operate on the kernel object.

4. Kernel objects and other types of objects

In addition to kernel objects, a Windows process also uses other types of objects, such as windows, menus, and fonts, which are user objects and GDI objects. The simplest way to tell kernel objects from non-kernel objects is to look at the function that creates the object: almost all functions that create a kernel object have a parameter that lets us specify security attributes.
