Talking about handles in Windows

Talking about handles in Windows

whenever a process opens an object, the system returns a handle as a credential, so it can be thought that the handle is dependent on the specific process, in other words, the handle must belong to a process, and later in the access to this object will use this credential! so a handle can also be thought of as a connection between a process and an object, a bridge, a context, like a door, already open. This connection persists until it is closed. a process can have multiple handles open to an object, so each process has a handle table with a pointer in the process control block eprocess objecttable isThe _handle_table type , which points to the handle table of this process! look down ._handle_table Structure:

1Kd>DT _handle_table2Nt!_handle_table3+0x000tablecode:uint4b4+0x004Quotaprocess:ptr32 _eprocess5+0x008Uniqueprocessid:ptr32 Void6+0x00cHandlelock: _ex_push_lock7+0x010Handletablelist: _list_entry//Handle table doubly linked list8+0x018handlecontentionevent: _ex_push_lock9+0x01cDebuginfo:ptr32 _handle_trace_debug_infoTen+0x020extrainfopages:int4b One+0x024flags:uint4b A+0x024Strictfifo:pos0,1Bit -+0x028firstfreehandle:uint4b -+0x02cLastfreehandleentry:ptr32 _handle_table_entry the+0x030handlecount:uint4b -+0x034nexthandleneedingpool:uint4b -+0x038handlecounthighwatermark:uint4b

the low two bits of the tablecode are used as flag bits to represent the level of the current handle table, 0,1,2 represent the first table, level two table, and level three table.
The first table is actually a _handle_table_entry array, each _handle_table_entry 8 bytes, and the primary table is the size of a page, so the level table can accommodate 2^9 _ Handle_table_entry

1Lkd>DT _handle_table_entry2Nt!_handle_table_entry3+0x000Object:ptr32 Void//A pointer to an object4+0x000obattributes:uint4b5+0x000Infotable:ptr32 _handle_table_entry_info6+0x000value:uint4b7+0x004grantedaccess:uint4b8+0x004GRANTEDACCESSINDEX:UINT2B9+0x006CREATORBACKTRACEINDEX:UINT2BTen+0x004nextfreetableentry:uint4b

The handle takes 4 for stepping ( Note 0), so the maximum handle is 0x200*4=0x800. Where the maximum handle that can be stored is no more than 0x800 (max. 0x800-4), and the first handle_table_ of each level table The entry object is always 0 because we all know that 0 is an invalid handle and it does not point to a valid object. As a result, the number of handles that are actually stored for each level table is 511!
There is a tablecode field in the _handle_table structure, which has 32 bits, a low 2 bits as a level table, 0 is a class, 1 is 2, and 2 is 3. When 0 o'clock, the Tablecode value points to a page, which is the handle table, each table item 8 bytes is a entry, the lower 4 bytes is the object address, note that the first entry does not represent any object. if the first two bits of Tablecode are 1 or 2, then tablecode&0xfffffffd points to two or three levels, each table entry is four bytes, points to a level one or level two table, and so on!! Note: Because object bodies are all 8-byte aligned, the low 3 bits of the object address are always 0 and can be used to tag some properties of an object, so the object address in the first-level handle table is &0XFFFFFFF8 to represent the address of the object header. Add 0x18 to get the object body (this involves managing objects in the Windows kernel, see another article on objects)! Handle table Schema:

as to why the number of the handle table is a multiple of 4?

The handle table of a process contains pointers to all those objects that have been opened by the process. An object handle is a "pseudo-index" that is used to retrieve a handle table. For the handle table mechanism, the Achillis <<windows handle Table >> series article has been analyzed very thoroughly, but the "handle with 4 for stepping" source is unknown. After investigation, the root causes are as follows:

typedef struct _EXHANDLE
{
 union
 {
  struct
  {
   ULONG tagbits:2;
   ULONG index:30;
 }
  HANDLE generichandleoverlay;
  #define HANLE_VALUE_INC 4
  ULONG_PTR Value;
&NBSP;}

}exhandle,* Pexhandle;
This structure is used to define the handle type. A low 2-bit tagbits is a flag bit for other purposes, so a low 2-bit handle value is meaningless to it as a handle table index, so it is equal to a multiple of 4. With the above analysis, it is natural that the handle value must be/4 when the handle table entry is indexed with the handle value. Therefore, the value of the handle used in the program is not directly indexed to the handle table, and there is a "pseudo-index" argument.

 

Talking about handles in Windows