Windows Core Programming: Kernel Objects and Handle Leakage

Source: Internet
Author: User

1. What is a kernel object?

A kernel object is a block of memory allocated by the operating system. That block is a data structure holding the information the kernel needs to manage the object.

When an application needs to interact with system devices, it does so through kernel objects. For security reasons a process cannot touch a kernel object's memory directly; instead, the operating system provides functions for working with them.

Access token objects, event objects, file objects, job objects, mutex objects, pipe objects, and waitable timer objects are all kernel objects. We create, open, and operate on them constantly while programming.

A kernel object is owned by the kernel, not by a process. Each kernel object carries a usage counter that records how many processes are using it. When a process opens the object the counter is incremented by 1; when that use ends it is decremented by 1. When the counter reaches zero, the kernel object is destroyed.

Kernel objects are protected by security descriptors, which describe who created the object and who is allowed to use it. Almost every function that creates a kernel object takes a pointer to a SECURITY_ATTRIBUTES structure as one of its parameters.

Most applications create objects with default security by passing NULL for that parameter. To restrict access to an object, you must create a SECURITY_ATTRIBUTES structure and initialize it.

2. What is a handle?

Common concept: A handle is a unique integer used by Windows to identify an object that an application has created or is using. Windows uses various handles to identify application instances, windows, controls, bitmaps, GDI objects, and so on. When an application accesses a kernel object, the call returns a value that refers to that kernel object; this is the handle. The handle of a kernel object uniquely identifies the object. When an application creates a kernel object, a handle is returned, and every thread of the process that created the object can use that handle to access it.


3. Creating a kernel object

When a Create* function such as CreateFileMapping is called to create a kernel object, the kernel allocates a block of memory for the object and initializes it. The kernel then scans the process's handle table, initializes a free entry, and stores the object's information in it. Every process is allocated a handle table when it is initialized, and that table stores the handles of the kernel objects the process holds. Each entry contains three things: the kernel object handle, the address of the kernel object, and the access mask flags.


4. Closing kernel objects

However a process creates a kernel object, once the object is no longer needed the process should tell the operating system that it has finished with it by calling BOOL CloseHandle(HANDLE hObj).

This raises a question: why does ending a process release all the resources it occupied?

Because a process may leak resources while it runs. When a process stops running, the system automatically scans its handle table. If the table still holds entries for objects that were not closed before the process ended, the system closes those handles. If an object's usage counter then drops to 0, the kernel destroys the object.


5. How can I discover and analyze handle leaks?

As noted above, once an application has finished using a kernel object it must release the resource by closing the kernel object. If CloseHandle is never called, the current process may eventually be unable to open the corresponding kernel object again, and the system will hold a large amount of memory, slowing down. So when you see an application process that itself uses little memory while overall system memory usage is very high, the cause may be a handle leak.

The following describes two ways to determine whether handles are leaking:

1) Open Task Manager, choose View > Select Columns, and tick "Handle Count", for example:

[Screenshot: Task Manager's Select Columns dialog with "Handle Count" checked]

Task Manager now shows an extra Handles column. If the handle count of a process keeps increasing, that process may have a leak.
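Watching the Handles column by eye works for a quick look, but the same check can be scripted. The following PowerShell function is an added example, not part of the original article: it samples a process's handle count over a chosen window and flags a count that only ever rises and grows past a threshold, the pattern described above. The process name, sample count, interval and threshold are parameters you choose; the defaults and the usage line are constructed for illustration.

```powershell
# Added example (not from the original article): sample a process's handle
# count over time instead of watching Task Manager by eye.
function Watch-HandleCount {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,
        [int] $Samples = 10,
        [int] $IntervalSeconds = 5,
        # Flag the process if the count grows by at least this many handles
        # across the whole observation window (constructed default).
        [int] $GrowthThreshold = 100
    )

    $history = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        # Get-Process returns a fresh Process object each call, so HandleCount
        # reflects the current size of the process's handle table.
        $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
        if (-not $procs) {
            Write-Warning "No process named '$ProcessName' is running."
            return
        }
        foreach ($p in $procs) {
            $history += [pscustomobject]@{
                Time    = Get-Date
                Pid     = $p.Id
                Handles = $p.HandleCount
            }
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    # Summarise per PID: first and last observed count and the net growth.
    $history | Group-Object Pid | ForEach-Object {
        $group  = $_.Group
        $first  = $group[0].Handles
        $last   = $group[$group.Count - 1].Handles
        $growth = $last - $first

        # A count that never goes down is the leak pattern; one that rises
        # and falls again is normal churn (handles opened and closed).
        $monotonic = $true
        for ($j = 1; $j -lt $group.Count; $j++) {
            if ($group[$j].Handles -lt $group[$j - 1].Handles) {
                $monotonic = $false
                break
            }
        }

        [pscustomobject]@{
            Pid        = $_.Name
            FirstCount = $first
            LastCount  = $last
            Growth     = $growth
            Monotonic  = $monotonic
            Suspect    = ($growth -ge $GrowthThreshold -and $monotonic)
        }
    }
}

# Usage (constructed): watch every "notepad" process for one minute.
# Watch-HandleCount -ProcessName 'notepad' -Samples 12 -IntervalSeconds 5
```

A process whose handle count climbs steadily during normal use and never comes back down is the one to open in Process Explorer next; a count that rises during a burst of work and then falls is just the process opening and closing objects as designed.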

 

 

2) Use Process Explorer. This tool shows clearly which kernel objects a process is using, and when a handle is leaking it can help you find the cause. The following uses a simple program with a handle leak as an example:

[Screenshots: Process Explorer's lower pane listing the handles of the leaking program]

The program never closes the handle it obtains when it opens the file "cmd1.txt", so the file is opened again and again and the open handles accumulate.

Here you can also see the concepts of GDI handles and USER handles. As I understand it, all of these handles can be thought of collectively as handles to kernel-managed objects; they simply refer to different things. Kernel handles refer directly to files, registry keys and the like, while GDI and USER handles refer to things that are visible. GDI and USER objects are more fine-grained, with GDI concentrating on graphics and USER on user interaction.
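The leaking program above is not reproduced on the page, so the following PowerShell script is an added example, not the article's own code: it opens a file with the real CreateFileW API in a loop without calling CloseHandle, measures this process's handle count before and after, and then repeats the loop with the CloseHandle call in place. The P/Invoke declarations match the documented Win32 signatures; the file name (a cmd1.txt created in the temp directory), the loop counts and the output wording are constructed for the demonstration.

```powershell
# Added example (not the article's program): a CreateFile loop that forgets
# CloseHandle, next to the corrected loop, with the handle count measured
# from inside the process. Requires Windows PowerShell 5.1 or PowerShell 7.

# P/Invoke the two kernel32 functions involved (real API signatures).
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
if (-not ('HandleDemo.Kernel32' -as [type])) {
    Add-Type -Namespace HandleDemo -Name Kernel32 -MemberDefinition $sig
}
$Kernel32 = [HandleDemo.Kernel32]

# Win32 constants (decimal literals avoid PowerShell's signed hex parsing).
$GENERIC_READ          = [uint32]2147483648   # 0x80000000
$FILE_SHARE_READ       = [uint32]1
$OPEN_EXISTING         = [uint32]3
$FILE_ATTRIBUTE_NORMAL = [uint32]128          # 0x80
$INVALID_HANDLE_VALUE  = [IntPtr]::new(-1)

function Open-File {
    param([string] $Path)
    $h = $Kernel32::CreateFileW($Path, $GENERIC_READ, $FILE_SHARE_READ, [IntPtr]::Zero,
                                $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
    if ($h -eq $INVALID_HANDLE_VALUE) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CreateFileW failed for '$Path' (Win32 error $err)"
    }
    return $h
}

# Deliberate defect: every handle returned here is abandoned, so each entry
# stays in this process's handle table and the file object's usage count
# stays raised until the process exits (section 4 above).
function Open-Leaking {
    param([string] $Path, [int] $Count)
    for ($i = 0; $i -lt $Count; $i++) {
        $null = Open-File -Path $Path
    }
}

# Corrected version: the handle is closed on every path out of the block.
function Open-AndClose {
    param([string] $Path, [int] $Count)
    for ($i = 0; $i -lt $Count; $i++) {
        $h = Open-File -Path $Path
        try {
            # Work with the file would go here.
        }
        finally {
            [void]$Kernel32::CloseHandle($h)
        }
    }
}

# Fresh Process object each call, so the count is current.
function Get-OwnHandleCount { (Get-Process -Id $PID).HandleCount }

# Constructed sample file standing in for the article's cmd1.txt.
$target = Join-Path $env:TEMP 'cmd1.txt'
Set-Content -LiteralPath $target -Value 'constructed sample file'

$before = Get-OwnHandleCount
Open-Leaking  -Path $target -Count 200
$afterLeak = Get-OwnHandleCount
Open-AndClose -Path $target -Count 200
$afterFixed = Get-OwnHandleCount

"Handles before:                         $before"
"After 200 opens without CloseHandle:    $afterLeak (+$($afterLeak - $before))"
"After 200 more opens with CloseHandle:  $afterFixed (+$($afterFixed - $afterLeak))"
```

Run it in a PowerShell session and the first difference grows by roughly one handle per leaked open, while the second stays near zero. While the session is still open, Process Explorer's handle view for that powershell process lists the same cmd1.txt File object hundreds of times, which is exactly the picture the screenshots above describe; the leaked handles are only reclaimed when the session exits and the system sweeps its handle table.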

Vivilisa 03.09.2009
