3. Kernel Objects
3.1 What is a kernel object?
Examples of Windows kernel objects: the access token, event, file, directory, file-mapping object, I/O completion port, mutex, thread, process, job, pipe, and so on.
Kernel objects are owned and managed by the operating system, which never hands an application a pointer to one. Instead the creating function returns a handle: an opaque, process-relative value that indexes the calling process's handle table, a table the operating system maintains and that maps handle values to kernel objects.
3.1.1 Usage count
Every kernel object carries a usage count that the operating system maintains: creating the object sets the count to 1, and each additional handle to it (opened, duplicated or inherited) increments it. When the count drops to 0, the operating system destroys the object. Because the count lives on the object and not in any process, an object outlives the process that created it for as long as some other process still holds a handle to it.
3.1.2 Kernel object security
The security of a kernel object is described at creation time by a SECURITY_ATTRIBUTES structure (nLength, lpSecurityDescriptor, bInheritHandle). Passing NULL gives the object a default security descriptor derived from the creating process's token. The security descriptor determines who may open the object and with which access rights; bInheritHandle determines whether child processes inherit the handle (see 3.3.1).
3.2 The process's kernel object handle table
3.2.1 Creating a kernel object
When a process creates a kernel object, the handle it gets back refers to an entry in that process's own handle table, so the handle value is meaningful only inside the creating process. Other processes know nothing about the object, and passing the raw handle value to another process is useless (and risky, because the same numeric value may refer to an unrelated object in that process's table).
3.2.2 Closing a kernel object
CloseHandle closes a handle: it frees the handle-table entry and decrements the object's usage count, which destroys the object only if that was the last handle anywhere. A handle that is never closed leaks the table entry (and keeps the object alive) for the lifetime of the process; only when the process exits does the operating system close its remaining handles and reclaim the resources. A process cannot close entries in another process's table, and calling CloseHandle twice on the same value fails with ERROR_INVALID_HANDLE, or worse, closes an unrelated handle if the value has since been reused.
3.3 Sharing kernel objects across process boundaries
There are three mechanisms that allow processes to share kernel objects:
1. Object handle inheritance
2. Naming the object
3. Duplicating the object handle (DuplicateHandle)
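The bookkeeping described in 3.1.1 through 3.3 (one usage count per object, process-relative handle values, CloseHandle, handle inheritance and handle duplication) as an added toy model in C. This is illustration code, not part of the original notes and not the Windows implementation: real handles are opaque kernel-managed values and real object headers hold far more than a count. The model only reproduces the rules the text states, and the object pool, process structures and scenario are constructed for the demo.

```c
/* Toy model of kernel-object / handle-table rules (added example, not Windows code). */
#include <stdio.h>

#define MAX_HANDLES 8
#define MAX_OBJECTS 8

typedef enum { OBJ_FREE = 0, OBJ_EVENT, OBJ_MUTEX } ObjType;
/* A kernel object: the system keeps one usage count per object (3.1.1). */
typedef struct { ObjType type; int usage_count; } KObject;
/* A handle-table entry. The handle VALUE is the entry's index, which is why a handle
   means something only inside the owning process (3.2.1). inherit ~ HANDLE_FLAG_INHERIT. */
typedef struct { KObject *obj; int inherit; } HEntry;
typedef struct { HEntry table[MAX_HANDLES]; } Process;

static KObject objects[MAX_OBJECTS];   /* system-wide object pool (constructed, fixed size) */

static KObject *alloc_object(ObjType t) {
    for (int i = 0; i < MAX_OBJECTS; i++)
        if (objects[i].type == OBJ_FREE) { objects[i].type = t; objects[i].usage_count = 0; return &objects[i]; }
    return NULL;
}
static int valid(const Process *p, int h) {
    return h >= 0 && h < MAX_HANDLES && p->table[h].obj != NULL;
}
/* Put an object into a process's table and bump its count. Returns the handle or -1. */
static int insert_handle(Process *p, KObject *obj, int inherit) {
    for (int h = 0; h < MAX_HANDLES; h++)
        if (p->table[h].obj == NULL) {
            p->table[h].obj = obj; p->table[h].inherit = inherit;
            obj->usage_count++;
            return h;
        }
    return -1;
}
/* CreateXxx analogue: a new object whose count starts at 1, handle valid only in p. */
static int create_object(Process *p, ObjType t, int inherit) {
    KObject *o = alloc_object(t);
    if (!o) return -1;
    int h = insert_handle(p, o, inherit);
    if (h < 0) o->type = OBJ_FREE;
    return h;
}
/* CloseHandle analogue (3.2.2): free the entry, decrement the count, destroy at 0.
   Returns 1 on success, 0 for an invalid (or already closed) handle value. */
static int close_handle(Process *p, int h) {
    if (!valid(p, h)) return 0;
    KObject *o = p->table[h].obj;
    p->table[h].obj = NULL;
    if (--o->usage_count == 0) o->type = OBJ_FREE;   /* the OS destroys the object */
    return 1;
}
/* DuplicateHandle analogue (mechanism 3): same object, a new entry in the target table. */
static int duplicate_handle(Process *src, int h, Process *dst) {
    return valid(src, h) ? insert_handle(dst, src->table[h].obj, 0) : -1;
}
/* CreateProcess(bInheritHandles=TRUE) analogue (mechanism 1): the child gets copies of
   the inheritable entries at the SAME handle values; each copy bumps the count. */
static void inherit_handles(const Process *parent, Process *child) {
    for (int h = 0; h < MAX_HANDLES; h++)
        if (parent->table[h].obj && parent->table[h].inherit) {
            child->table[h] = parent->table[h];
            parent->table[h].obj->usage_count++;
        }
}
/* Process exit (3.2.2): the OS closes every handle still open. Returns how many. */
static int exit_process(Process *p) {
    int n = 0;
    for (int h = 0; h < MAX_HANDLES; h++) if (p->table[h].obj) n += close_handle(p, h);
    return n;
}
static int usage_count_of(const Process *p, int h) {
    return valid(p, h) ? p->table[h].obj->usage_count : -1;
}
/* Scenario: the parent creates an inheritable event, duplicates it into an unrelated process,
   spawns a child that inherits it, then every holder closes. Returns the count seen by the
   last holder just before its close (1); the object is destroyed only after that close. */
static int run_scenario(void) {
    Process parent = {0}, child = {0}, other = {0};
    int h = create_object(&parent, OBJ_EVENT, 1);      /* count 1 */
    int hdup = duplicate_handle(&parent, h, &other);    /* count 2 */
    inherit_handles(&parent, &child);                   /* count 3; child uses the same value h */
    close_handle(&parent, h);                           /* count 2: the object is still alive */
    if (usage_count_of(&child, h) != 2) return -1;
    if (usage_count_of(&parent, h) != -1) return -2;    /* the parent's value is now invalid */
    exit_process(&child);                               /* count 1 */
    int last = usage_count_of(&other, hdup);
    close_handle(&other, hdup);                         /* count 0: destroyed */
    return last;
}
/* A handle value from one process means nothing in another (3.2.1): returns 1 if so. */
static int handles_are_process_relative(void) {
    Process a = {0}, b = {0};
    int h = create_object(&a, OBJ_MUTEX, 0);
    int result = usage_count_of(&b, h) == -1 && close_handle(&b, h) == 0;
    close_handle(&a, h);
    return result;
}
int main(void) {
    printf("count held by the last process: %d\n", run_scenario());
    printf("handle values are process-relative: %d\n", handles_are_process_relative());
    return 0;
}
```

The point to take from the scenario is that the parent closing its handle does not destroy the object while the child and the unrelated process still hold handles, and that the child reuses the parent's numeric value only because inheritance copies the entry to the same slot; a duplicated handle lands wherever the target table has room.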
3.3.1 Using object handle inheritance
Object handle inheritance can be used only when there is a parent-child relationship between the processes, because the inheritance happens at the moment the child is created. Two things must be set: the handle must be inheritable (set bInheritHandle in the SECURITY_ATTRIBUTES structure to TRUE when creating the object), and the child must be created by CreateProcess with its bInheritHandles parameter set to TRUE. The child then receives a copy of every inheritable entry in the parent's handle table, at the same handle values, and the usage count of each shared object is incremented. The child is not told which handle values it inherited, so the parent must pass them on itself (on the command line, in an environment variable, or through some other channel). Note that every inheritable handle is passed, not only the one you intended, so a process that spawns children with bInheritHandles = TRUE should make sure that handles it does not mean to share are not marked inheritable.
3.3.2 Changing a handle's flags
SetHandleInformation changes the flags of an existing handle: HANDLE_FLAG_INHERIT turns inheritance on or off, and HANDLE_FLAG_PROTECT_FROM_CLOSE makes CloseHandle fail for that handle.
GetHandleInformation retrieves the flags, so a process can check whether a handle is inheritable.
3.3.3 Naming a kernel object
HANDLE CreateMutex(
    PSECURITY_ATTRIBUTES psa,
    BOOL bInitialOwner,
    PCTSTR pszName);
The last parameter is a zero-terminated string that names the object. Named kernel objects of all types share a single namespace, so a name can belong to at most one object at a time:
1. If no object with that name exists, CreateXxx creates it and returns a new handle.
2. If an object with that name exists and is of the same type (and the caller has the required access), CreateXxx does not fail: it returns a new handle to the existing object, increments its usage count, and GetLastError returns ERROR_ALREADY_EXISTS. This is also how a process finds out that another process created the object first.
3. If the name belongs to an object of a different type, CreateXxx fails, returns NULL, and GetLastError returns ERROR_INVALID_HANDLE.
OpenXxx (OpenMutex, OpenEvent, and so on) opens a named object without creating it; if no object of that name and type exists, it fails and GetLastError returns ERROR_FILE_NOT_FOUND. Because names are visible to every process in the session (and, with the Global\ prefix, on the whole machine), a less privileged process that gets to a name first can hand you its own object; a security-conscious program therefore checks GetLastError for ERROR_ALREADY_EXISTS after every CreateXxx of a named object and treats an unexpected ERROR_ALREADY_EXISTS as an error rather than silently using the handle.