Enumerate Object Types

There are many ways to enumerate the various object types of the Microsoft Windows kernel. In this short post, I'm going to present the Microsoft debugger, Sysinternals WinObj and a Volatility plugin.

Microsoft Debugger

The Microsoft debugger WinDbg provides an easy way to enumerate the kernel's object types. Just query for all entries in the \ObjectTypes directory:

kd> !object \ObjectTypes
Object: e1004ab0  Type: (812be278) Directory
    ObjectHeader: e1004a98 (old version)
    HandleCount: 0  PointerCount: 25
    Directory Object: e1004dc0  Name: ObjectTypes

    Hash Address  Type          Name
    ---- -------  ----          ----
     00  812be278 Type          Directory
     01  8128f5e0 Type          Mutant
         81292c68 Type          Thread
     03  81293c28 Type          FilterCommunicationPort
     05  812b5e70 Type          Controller
     07  8128eca0 Type          Profile
         8128f980 Type          Event
         812be448 Type          Type
     09  8128e560 Type          Section
         8128f7b0 Type          EventPair
         812be0a8 Type          SymbolicLink
     10  8128e730 Type          Desktop
     11  8128ee70 Type          Timer
     12  812b5730 Type          File
         8128e900 Type          WindowStation
     16  812b5ad0 Type          Driver
     18  812b0e70 Type          WmiGuid
         8128ead0 Type          KeyedEvent
     19  812b5ca0 Type          Device
         81292040 Type          Token
     20  81292398 Type          DebugObject
     21  812b5900 Type          IoCompletion
     22  81292e38 Type          Process
     24  812b5040 Type          Adapter
     26  8128b980 Type          Key
     28  81292a98 Type          Job
     31  812b68c0 Type          WaitablePort
         812b6a90 Type          Port
     32  8128f410 Type          Callback
     33  81293df8 Type          FilterConnectionPort
     34  8128e040 Type          Semaphore

This gives you the list of object types together with their addresses. Further details on an individual type are then available through either the !object or the display type (dt) command:

kd> !object 81292e38
Object: 81292e38  Type: (812be448) Type
    ObjectHeader: 81292e20 (old version)
    HandleCount: 0  PointerCount: 1
    Directory Object: e1004ab0  Name: Process

kd> dt _OBJECT_TYPE 81292e38 
ntdll!_OBJECT_TYPE
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY [ 0x81292e70 - 0x81292e70 ]
   +0x040 Name             : _UNICODE_STRING "Process"
   +0x048 DefaultObject    : (null) 
   +0x04c Index            : 5
   +0x050 TotalNumberOfObjects : 0x15
   +0x054 TotalNumberOfHandles : 0x4e
   +0x058 HighWaterNumberOfObjects : 0x16
   +0x05c HighWaterNumberOfHandles : 0x52
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : 0x636f7250
   +0x0b0 ObjectLocks      : [4] _ERESOURCE

WinObj

If you just want to explore the object hierarchy and prefer a graphical tool, then WinObj by Mark Russinovich might be just right for you. Again, all the object types are listed in the ObjectTypes directory.

WinObj enumerates Windows' object types

Volatility

Finally I decided to write my own plugin on top of the Volatility memory analysis framework. Unfortunately I had to hack a couple of the framework's files, so the plugin won't run with a stock version. Please extract the distribution archive into your Volatility base directory (don't forget to create a backup first!).

04/11/2009: The modified files have been added to the Volatility SVN version. Thanks moyix!

The plugin contains some trickery to parse the _OBJECT_HEADER structure and to convert physical addresses into virtual addresses of the System process; the latter was inspired by the "strings" module of the Volatility core.

The plugin displays the following values:

  • Phys.Addr - the physical address of the ObjT pool allocation
  • Obj Type - object type pointer of the "ObjectType" class. The value may change between systems or even reboots, but while Windows is running it should be the same among all objects of the same class.
  • #Ptr - the number of pointers to the ObjectType object
  • #Hnd - the number of handles to the ObjectType object
  • Objects - the current and maximum number of objects of the corresponding class
  • Handles - the current and maximum number of handles of the corresponding class
  • Pool alloc - pool tag and pool type (paged/nonpaged) to store objects of that class
  • TypePtr - kernel virtual address of the ObjectType object
  • Name - name associated with the ObjectType
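As an added illustration (not the plugin's own code), here is a small Python parser that pulls the same fields out of a 32-bit XP _OBJECT_TYPE using the offsets from the dt listing above; the FlatMemory class stands in for a Volatility address space, and the image it reads is constructed, not taken from a dump. The PoolType sub-offset inside TypeInfo is an assumption, since the page's dt output does not expand that structure.

```python
import struct

# Offsets inside the 32-bit Windows XP _OBJECT_TYPE, copied from the dt output
# above. PoolType sits inside TypeInfo (+0x60); its +0x20 sub-offset is an
# assumption (XP SP2 _OBJECT_TYPE_INITIALIZER), not shown on this page.
OFF_NAME, OFF_INDEX, OFF_TOTAL_OBJ, OFF_TOTAL_HND = 0x40, 0x4C, 0x50, 0x54
OFF_HW_OBJ, OFF_HW_HND, OFF_POOL_TYPE, OFF_KEY = 0x58, 0x5C, 0x60 + 0x20, 0xAC
POOL_TYPES = {0: "NonPagedPool", 1: "PagedPool"}


class FlatMemory:
    """Stand-in for a Volatility address space: one region of kernel VA space."""
    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)

    def read(self, va, length):
        off = va - self.base
        if off < 0 or off + length > len(self.data):
            raise ValueError("read outside mapped region: 0x%x" % va)
        return self.data[off:off + length]

    def u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]


def parse_object_type(mem, va):
    """Return the fields objtypescan reports for the _OBJECT_TYPE at `va`."""
    length, _maxlen, buf = struct.unpack("<HHI", mem.read(va + OFF_NAME, 8))
    return {
        "TypePtr": va,
        "Name": mem.read(buf, length).decode("utf-16-le"),
        "Index": mem.u32(va + OFF_INDEX),
        "Objects": (mem.u32(va + OFF_TOTAL_OBJ), mem.u32(va + OFF_HW_OBJ)),
        "Handles": (mem.u32(va + OFF_TOTAL_HND), mem.u32(va + OFF_HW_HND)),
        # Key stores the pool tag as four little-endian ASCII bytes
        "PoolTag": struct.pack("<I", mem.u32(va + OFF_KEY)).decode("ascii"),
        "PoolType": POOL_TYPES.get(mem.u32(va + OFF_POOL_TYPE), "unknown"),
    }


def build_sample_memory():
    """Constructed image of the Process type from the dt listing above."""
    base, name = 0x81292E38, "Process".encode("utf-16-le")
    data = bytearray(0x100 + len(name))  # name buffer placed 0x100 past the struct
    struct.pack_into("<HHI", data, OFF_NAME, len(name), len(name) + 2, base + 0x100)
    struct.pack_into("<I", data, OFF_INDEX, 5)
    struct.pack_into("<IIII", data, OFF_TOTAL_OBJ, 0x15, 0x4E, 0x16, 0x52)
    struct.pack_into("<I", data, OFF_POOL_TYPE, 0)  # NonPagedPool
    struct.pack_into("<I", data, OFF_KEY, 0x636F7250)  # "Proc"
    data[0x100:0x100 + len(name)] = name
    return FlatMemory(base, data)
```

Calling parse_object_type(build_sample_memory(), 0x81292E38) yields the name "Process", pool tag "Proc", 0x15/0x16 objects and 0x4e/0x52 handles, matching the dt listing.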

Here is some sample output from running
python volatility objtypescan -f xp-laptop-2005-06-25.dd
on a popular memory dump from the NIST CFReDS project.

I have to admit that most information is not overly helpful in a forensic investigation. The high-water marks for objects and handles of a certain object class may give some leads, though.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.