Jump to content

Kernel Objects Information


Ascend4nt
 Share

Recommended Posts

Excellent! Thanks for sharing mister.

...I did something similar few weeks ago when that thread about hotkeys was actual, to see if there would be any sign of hotkeys on this level. However, nothing as complete as your code. I wonder if your motivation was similar? That would be mighty cool.

Thanks again.

♡♡♡

.

eMyvnE

Link to comment
Share on other sites

Insteresting. thanks for sharing  Ascend4nt. I've learned a lot from your codes.

Saludos

Link to comment
Share on other sites

trancexx, Actually I've had parts of the code laying around for years now.  I was intending to release something like this last year when I first showed Decipher a >function on getting Object names using a thread.  I've done a bit of work in C++ with multithreading using Semaphores and Mutexes, which gave me the need to query those objects too. Why MS never 'officially' exposed these non-mutating query API's (NtQueryMutant, NtQuerySemaphore, etc), I'll never know.. they are pretty important tools for debugging.

Additionally, I've also seen a few random people asking about handles, files, and other system objects that made me think it might be worth something to someone to release this.

As an unexpected result of this, I've also been able to see why certain processes are eating thousands of handles, sometimes for no good reason (khalmnpr.exe - you dirty little slut).

Ah, but back to that HotKeys thread.. that actually did get me digging, but instead of finding an answer, I went and released that '>Atom Tables' UDF a month or so ago, as some hotkey strings are occasionally stored there.

Man, I dunno about you.. but with this project, I'm pretty much done with the Undocumented Windows world. haha

With the Processes and Threads, Atom Tables, multi-CPU Usage and other UDF's I've released, I think I've had my fill.

Link to comment
Share on other sites

Insteresting. thanks for sharing  Ascend4nt. I've learned a lot from your codes.

Glad to hear it!

Btw, I'd like to hear if the Registry keys, File paths, and NamedPipes/Mailslots etc are being detected properly. (excluding those reporting negative values in the 'ExInfo' column)

Also, hmm.. it appears when running from Scite, querying one of the 'AutoIt3Wrapper' processes fails for certain File types, probably NamedPipes.. the thread querying these doesn't even terminate properly.  I may have to force protection for that specific attribute even on Windows 7

Link to comment
Share on other sites

Link to comment
Share on other sites

JScript: thanks for the compliment

DanyfireX, much appreciated! Are you running a Spanish (or otherwise) language version of the O/S?

Link to comment
Share on other sites

Nice work :)

I recently been trying to work my way through calling process handles and I was trying to get the path name.

here is output of the self inspect (win 7 64 bit, ran with admin rights and has 64 bit)

Once I get a bit more time, I am going to dig through your code and see what I can learn.

 

 

autoit.xlsx

Edited by step887
Link to comment
Share on other sites

Very cool, thank you for sharing Ascend4nt :)

Edited by MikahS

Snips & Scripts


My Snips: graphCPUTemp ~ getENVvars
My Scripts: Short-Order Encrypter - message and file encryption V1.6.1 ~ AuPad - Notepad written entirely in AutoIt V1.9.4

Feel free to use any of my code for your own use.                                                                                                                                                           Forum FAQ

 

Link to comment
Share on other sites

here is output of the self inspect (win 7 64 bit, ran with admin rights and has 64 bit)

step887, thanks for the output. I'm curious why HKEY_CURENT_USER isn't being detected for you properly.  The line that reads "HKEY_USERSS-1-5-21...Software" should be converted, so I'm assuming the call to _Security__LookupAccountName() isn't returning the proper SID for you.  Just out of curiosity, try running this and see if the SID matches the one used in that line:

#include <Security.au3>
ConsoleWrite("SID = " & _Security__LookupAccountName(@UserName)[0] & @CRLF)

But anyway, I'm releasing a new version of the UDF shortly which uses a different method of getting the SID, so we'll see if that one works for you

Link to comment
Share on other sites

SID = S-1-5-21.xxx

That's very odd.  Well, give the new UDF a try and see what the output is!

 

Update:

2014-09-26:

Added: Multiple processes and/or types allowed in filters, plus exclusion flag

Changed: NTKernelObjectsInspect example now allows multiple filters and/or processes

         Also, Object totals are displayed where possible (elevated rights necessary for some processes)

Added: $NTOBJ_QUERYBY_PROCESSNAME Filter -> Must be used with processes as names

Improved: DLL Handles used for DLLCalls()

       Note that the biggest time-sink is still the API call NtQuerySystemInformation

       which grabs ALL system handles in one fell swoop (used inside _NTObjGetHandlesUD)

Added: Internal functions which rely on DLLHandles for speed improvements

Added: $g_NTKO_bNamedPipeProtect which can be toggled to prevent certain attributes

       from being scanned when "File" types are found. This is toggled ON for XP/2003 and under,

       OFF for Vista+

Added: $g_NTKO_sFileAttribSkipList -> assign additional Skip-Attributes with this if desired

Added: 'BadMasks' check in collection function which flags certain Attributes which have

       previously caused Thread timeouts. Use $g_NTKO_bSkipBadMasks to toggle this OFF (ON by default)

Changed: HKCU detection relies on a different technique than _Security__LookupAccountName() to get SID

Added: Smaller simpler example (NTKernelObjectsCollectExample)

Misc: Other misc. changes, additions, fixes which shouldn't affect UDF usage

Link to comment
Share on other sites

Here is the output of NTKernelObjectsSelfExamine.au3

I hope that was a mistake? lol

Link to comment
Share on other sites

Update: I was thankfully wrong about the 64K limit on system object handles.  There's actually a really high limit - 16,777,216 - and its not actually O/S-wide, but Process-specific (which gives quite a lot of legroom).  The unfortunate problem that creates is that 16+million is more than what would fit in a 16-bit variable.  The NtQuerySystemInformation API call which is used to gather information on handles returns an array of SYSTEM_HANDLE_INFORMATION structures, and those structures limit handle values to 16-bits.  This amount is okay when a Process's handles are never in excess of 16-bits, but for values above this (65,536+), the upper bits are lost, and the handle value then indexes other handles, which can create a mess of confusion. Fortunately, this shouldn't be a problem with most processes, as anything more than a few thousand handles for one process is highly unlikely (and probably a sign of a buggy program).

Another important thing to note is that each handle # is process-specific. So even if there are 7,000 handles for 100 processes, the API call will still return the correct results, as each handle # is unique only to the process to which it belongs. This also means that handle # 4 in one process is something completely different in another process.

Also important to note: handle values (or handle-table indexes) are each offset by 4, so approximately 64K/4, or 16K handles can be consumed by a process before it surpasses 16-bits. The example below shows this.  Use NTKernelObjectsInspect to compare handle values to see where the 'wraparound' happens just after 0xFFFC.

For information on system handles, check out Mark Russinovich's excellent blogs, specifically "Pushing the Limits of Windows: Handles"

#include <WinAPI.au3>
#include <Array.au3>

; Handle values (indexes into handle tables) are offset 4 bytes from each other, so aroune 16K handles
; would be the max representable in 16-bits. (There are already handles at this point, so this will
; indeed cause 17+ bits to be used)
Local $aHandles = _HandleGenerate(65536 / 4)
;MsgBox(0, "Handles Generated", "Generated handles = " & UBound($aHandles))
_ArrayDisplay($aHandles, "Handles Generated")

Func _HandleGenerate($iMax)
    ; Limit of 4999999 is much less than the real max (16 million+)
    If $iMax < 0 Or $iMax > 4999999 Then Return SetError(1, 0, 0)

    Local $hEvent, $aHandles[$iMax]

    $hEvent = _WinAPI_CreateEvent(0, True, True, "_EVENTOBJ_")
    If @error Or $hEvent = 0 Then Return SetError(-1, @error, 0)
    ConsoleWrite("Event Handle for '_EVENTOBJ' = " & $hEvent& @CRLF)

    $aHandles[0] = $hEvent

    For $i = 1 To $iMax - 1
        ; DUPLICATE_SAME_ACCESS (2)
        $aHandles[$i] = _WinAPI_DuplicateHandle(Ptr(-1), $hEvent, Ptr(-1), 0, 0, 2)
        If @error Or $aHandles[$i] = 0 Then
            SetError(-1, @error, 0)
            ExitLoop
        EndIf
    Next
    If @error Then
        If $aHandles[$i] = 0 Then
            ReDim $aHandles[$i - 1]
        EndIf
        Return SetError(2, @extended, $aHandles)
    EndIf
    Return $aHandles
EndFunc
Link to comment
Share on other sites

step887, much appreciated. It looks to be working as it should.  I'd recommend deleting or obfuscating the S-1-5-21-xxx SIDs, as I'm not sure if that info can be used for malicious purposes

Link to comment
Share on other sites

Never one to be satisfied with edge cases, I took the initative to properly fool-proof this beast against processes with 16K+ handles. Yup, now the truncated bits of handles are properly restored using simple wraparound detection. Enjoy!

Update 2014-10-01:

Fixed: _NTObjGetHandlesUD() was failing to return an error code if $FilterBy was 0, resulting in empty arras
Improved: _NTObjGetHandlesUD() now tracks & calculates internally what handle values are beyond 65,536
Added: NTKernelObjectSpam (simple test of creating tons of Kernel Objects)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...