Windows Kernel Object, Windows Kernel

Source: Internet
Author: User

1. Kernel Object

In Windows, each kernel object is simply a memory block that is allocated by the operating system kernel and can be accessed only by the kernel. Applications cannot locate this data structure in memory and change its contents directly. The memory block is a data structure whose members maintain information about the object. A few members (the security descriptor and the usage count) are common to all kernel objects, but most members are specific to the type of object.

2. Use count and life cycle of kernel objects

The owner of a kernel object is the operating system kernel, not the process. In other words, when the process exits, the kernel object is not necessarily destroyed. The kernel uses the object's usage count to know how many processes are currently using a specific kernel object. When a kernel object is first created, its count is 1. When another process obtains access to the object, the count is incremented by 1. When the usage count drops to 0, the kernel destroys the object. That is, a kernel object may be created in the current process and still be accessed by another process after the current process exits. Exiting a process only removes that process's own references to the kernel objects it uses; it does not reduce the references that other processes hold on those objects (even if the kernel object was created by the exiting process). As long as the usage count of a kernel object has not dropped to 0, the kernel does not destroy it. Example:

(1) Process 1 exits and process 2 does not. The reference counts of kernel objects A and B drop to 0, and the kernel destroys them. Process 1 releases only its own references to C and D, which does not affect process 2's references to C and D. The reference counts of C and D are therefore not 0, and they are not destroyed.
(2) Process 2 exits and process 1 does not. Process 2 releases its references to C and D, which does not affect process 1. Therefore none of A, B, C, or D is destroyed.
(3) When both process 1 and process 2 exit, the reference counts of kernel objects A, B, C, and D drop to 0, and the kernel destroys them.
(4) When both process 1 and process 2 exit, as long as the reference count of any one of kernel objects A, B, C, and D decreases to 0, that kernel object is destroyed by the kernel.
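
The usage-count rules above, as an added example that is not part of the original page: a small user-mode C model (not Windows code; every name in it is hypothetical) in which each process has its own handle table and an object is destroyed only when its count reaches 0. The sample run assumes process 1 created A and C and process 2 also opened C.

```c
/* User-mode model of kernel-object usage counting (hypothetical names, not a Windows API). */
#include <stdio.h>

#define MAX_OBJECTS 8
#define MAX_HANDLES 8

typedef struct { char name; int usage_count; int alive; } KObject;
typedef struct { KObject *table[MAX_HANDLES]; } Process; /* per-process handle table */

static KObject g_objects[MAX_OBJECTS];
static int g_total;

/* A process obtains access to an object: the usage count goes up by 1.
   Returns the handle (an index valid only in this process's table), or -1. */
int open_object(Process *p, KObject *o) {
    if (!o || !o->alive) return -1;
    for (int h = 0; h < MAX_HANDLES; h++)
        if (!p->table[h]) { p->table[h] = o; o->usage_count++; return h; }
    return -1; /* handle table full */
}

/* Creation: the object starts with a count of 1, held by the creating process. */
KObject *create_object(Process *creator, char name) {
    if (g_total == MAX_OBJECTS) return NULL;
    KObject *o = &g_objects[g_total];
    o->name = name; o->usage_count = 0; o->alive = 1;
    if (open_object(creator, o) < 0) { o->alive = 0; return NULL; }
    g_total++;
    return o;
}

/* Closing a handle drops one reference; the object is destroyed at count 0. */
void close_handle(Process *p, int h) {
    if (h < 0 || h >= MAX_HANDLES || !p->table[h]) return;
    KObject *o = p->table[h];
    p->table[h] = NULL;
    if (--o->usage_count == 0) o->alive = 0;
}

/* Process exit releases only that process's own references. */
void exit_process(Process *p) {
    for (int h = 0; h < MAX_HANDLES; h++) close_handle(p, h);
}

int main(void) {
    Process p1 = {{0}}, p2 = {{0}};
    KObject *a = create_object(&p1, 'A'), *c = create_object(&p1, 'C');
    open_object(&p2, c);   /* constructed scenario: process 2 also references C */
    exit_process(&p1);     /* the creating process exits */
    printf("A alive=%d, C alive=%d (count=%d)\n", a->alive, c->alive, c->usage_count);
    return 0;
}
```

In the model, C outlives the process that created it because process 2 still holds a reference, which is case (1) above.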

3. Operate kernel objects

Windows provides a set of functions for operating on kernel objects. When a function that creates a kernel object succeeds, it returns a handle that identifies the created object and can be used by any thread in the process. In a 32-bit process the handle is a 32-bit value, and in a 64-bit process it is a 64-bit value. We pass this handle, which uniquely identifies the kernel object, to the kernel object functions to operate on the object.

4. Kernel objects and other types of objects

In Windows, besides kernel objects, there are other types of objects, such as windows, menus, and fonts, which are user objects and GDI objects. The simplest way to tell a kernel object from a non-kernel object is to look at the function that creates it: almost all functions that create a kernel object have a parameter that lets us specify security attributes.
