Detecting Executive Objects

In general, all of the executive components of the NT kernel rely on the object manager in order to manage the objects they allocate. All objects allocated by the object manager have a common header named OBJECT_HEADER and additional optional headers such as OBJECT_HEADER_NAME_INFO, process quota information, and handle trace information. Let's take a look to see what is common to all executive objects and how we can use the pool block header information to identify an allocated executive object. Lastly, some object specific information will be discussed in terms of generating a useful memory signature for an object.

• Generic Object Information
• Validating Pool Block Information
• Object Specific Signatures
  • Process Objects
  • Thread Objects
  • Driver Objects
  • Device Objects
  • Miscellaneous