Uninformed: Informative Information for the Uninformed

Current v9 v8 v7 v6 v5 v4 v3 v2 v1 All About
Vol 4» 2006.Jun


Next: Validating Pool Block Information Up: Detecting Executive Objects Previous: Detecting Executive Objects   Contents

Generic Object Information

Since the OBJECT_HEADER is common to all objects, let's look at it in detail. A static field here refers to all objects of specific type, not all executive objects in the system. 

0: kd> dt _OBJECT_HEADER
   +0x000 PointerCount     : Int4B
   +0x004 HandleCount      : Int4B
   +0x004 NextToFree       : Ptr32 Void
   +0x008 Type             : Ptr32 _OBJECT_TYPE
   +0x00c NameInfoOffset   : UChar
   +0x00d HandleInfoOffset : UChar
   +0x00e QuotaInfoOffset  : UChar
   +0x00f Flags            : UChar
   +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body             : _QUAD


\begin{tabular}{\vert l\vert c\vert l\vert} \par \hline \par \textbf{PointerCoun... ...dy} & NotValid & Union with the actual object \\ \par \hline \par \end{tabular}

From this it is assumed that the most reliable and unique signature is the Type field of the OBJECT_HEADER which could be used in order to identify objects of a specific type such as EPROCESS, ETHREAD, DRIVER_OBJECT, and DEVICE_OBJECT objects.