Kernel objects for the Windows kernel

1 kernel Object definition:

1.1: Each Kernel object is just a block of memory allocated by the kernel and can only be accessed by that kernel.

1.2: the memory block is a data structure whose members are responsible for maintaining various information about the object.

Some data members (such as security descriptors, usage counts, and so on) are the same in all object types, but most data members are of a particular object type. For example, a process object has a process ID, a base priority, and an exit code, and the file object has a byte offset, a shared mode, and an open mode.

2 Kernel Object types:

such as Access symbol object, event object, file object, file mapping object, I/O completion Port object, Job object, mailbox object, mutex object, pipeline object, Process object, Beacon object, thread object, wait timer object, etc.

3 Kernel Object owners:

Kernel objects are owned by the kernel, not by the process. If your process invokes a function that creates a kernel object, and then your process terminates, the kernel object is not necessarily undone. In most cases, the object will be undone, but if another process is using the kernel object created by your process, then the kernel knows that the object must not be undone before another process stops using the object, and it is important to remember that the kernel object can exist longer than the process that created the object.

4 Kernel Object Usage count:

Kernel object Sorrow when created, the count is set to 1, when there is a process to access the kernel object, the Count plus 1, when the process terminates, the kernel will determine whether the object technology is 0, 0, then revoke the kernel object.

5 Process object kernel handle table:

When a process is initialized, the system assigns a handle table to it. The handle table is used only for kernel objects, not for user objects or G-D I objects.

When the process is initialized for the first time, its handle table is empty. Then, when a thread in the process invokes a function that creates a kernel object, such as a CR e a T e F i l e M a p p i n g, the kernel allocates a block of memory to the object and initializes it.

All functions used to create a kernel object return process-related handles that can be successfully used by any or all threads running in the same process.

6 The difference between closing and revoking a kernel object:

The closure of a kernel object refers to a process that uses the CloseHandle (Handle hobj) function to purge a kernel object from the handle table in the process, so that the process can no longer access the kernel object.

The revocation of the kernel object tries to clear the kernel object from memory, at which point the kernel object count is 0.

The difference between the two: the kernel object shutdown is a process operation, the close kernel object does not necessarily undo the object, the Undo object is the kernel operation, when the object is revoked, the object will be closed.

7 Sharing Kernel objects

7.1 Inheritance through object handles

The inheritance of an object handle can only be used if the process has a parent-child relationship. In this case, the parent process can use one or more kernel object handles, and the parent process can decide to generate a child process that gives the child process access to the parent process's kernel object.

Implementation steps:

7.1.1: The parent process must specify an S E C U r i t Y _ at T R i B U TE S structure and initialize it, and then pass the address of the structure to the specific CR e a T-e function.

    Security_attributes sa;     sa.nlength = sizeof (SA);     Sa.lpsecuntydescriptor = NULL;     /make the returned handle inheritable.     Sa.binherithandle =-TRUE;     HANDLE Hmutex = CreateMutex (&sa,false, NULL);

7.1.2: Parent process Generation child process

BOOL CreateProcess (  pctstr pszapplicationname,  ptstr pszcommandline,  psecurity_attributes psaprocess,  psecurity_attributes Psathread,  BOOL binherithandles,  DWORD fdwcreale,  pvoio pvenvironment,  pctstr pszcurdir,  pstartupinfo Psistartinfo,  pprocess_information ppiprocinfo);

To set bInheritHandles to True indicates that the parent process was inherited.

7.1.3 child processes determine how to inherit kernel objects

Child process in order to determine the handle value of the kernel object it expects, the most common method is to pass the handle value as a command-line argument to the child process.

7.1.3 Changing handle Flags

When the parent process wants to choose a different child process with a different handle to the inheritance, it can be implemented by setting the handle's flag. Use this function to implement a flag that sets a handle

BOOL sethandleinformation (   HANDLE hobject,   DWORD dwMask,    //Flag bit   DWORD dwFlags);  Identity value

7.2 Naming objects

7. 2.1 Creating a named Kernel object

HANDLE Createjobobject (

Psecurity_attributes PSA,

Pctstr pszname);

By observing the function that creates the kernel object, we know that the last argument is a string that represents the name of the kernel object. Of course, if we don't want to name it, we can set it to null. The length of the name can be up to MAX_PATH (defined as 260) characters.

HANDLE Hmutexpronessa = CreateMutex (NULL, FALSE, "Jeffmutex"); HANDLE HMUTEXPROCESSB = CreateMutex (NULL, FALSE, "Jeffmutex");

At this time, the first call to the function, create a kernel object named Jeffmutex, the second call to create the kernel object function, because the kernel object to be created the same name and type, and if the permissions are met, in process B will not again create the kernel object, Instead, a Jeffmutex object of the same type with the same name in process a is referenced. At the same time, the count of kernel objects will be added 1.

Warning: If a named kernel object already exists, then when the kernel object of that name is created again, the parameter passed to the function on the second creation is ignored and the kernel object is no longer created, otherwise a new kernel object is created that follows the parameter specified the second time.

7.2.2 opening a named kernel object

Instead of using the create***, you can open an existing named kernel object with the opening function. The two difference is that when the kernel object is not there, the open function fails, and the create*** function creates a new kernel object. For example:

HANDLE openfilemapping (   DWORD dwdesiredaccess,   BOOL binherithandle,   pctstr pszname);

7.3 Replication Process

Copy the handle of one of the kernel objects in process A to the handle table in process B.

BOOL DuplicateHandle (   HANDLE hsourceprocesshandle,   HANDLE hsourcehandle,   Handlehtargetprocesshandle,   Phandle Phtargethandle,   DWORD dwdesiredaccess,   //Access Shield value   BOOL binherithandle,             //Inheritance flag   DWORD dwoptions);             Whether to inherit the access mask value of the source process

Copy an instance of a kernel object

From the example, you can see that the handle table of the same process can have two handles, and they want to access the same values of the kernel objects, but some access flags and inherited permissions can be different.

#include <windows.h>dword CALLBACK threadproc (PVOID pvparam); int main () {HANDLE Hmutex = CreateMutex (NULL, FALSE,    NULL);    HANDLE Hmutexdup, Hthread;    DWORD dwThreadID;                    DuplicateHandle (GetCurrentProcess (), Hmutex, GetCurrentProcess (),    &hmutexdup, 0, FALSE, duplicate_same_access);    Hthread = CreateThread (NULL, 0, ThreadProc, (LPVOID) hmutexdup, 0, &dwthreadid); Perform work here, closing the handle when finished with the//mutex.    If the reference count is zero, the object is destroyed.    CloseHandle (Hmutex);    Wait for the worker, thread to terminate, and clean up.    WaitForSingleObject (Hthread, INFINITE);    CloseHandle (Hthread); return 0;}    DWORD CALLBACK ThreadProc (PVOID pvparam) {HANDLE Hmutex = (HANDLE) pvparam; Perform work here, closing the handle when finished with the//mutex. If the reference count is ZEro, the object is destroyed.    CloseHandle (Hmutex); return 0;}