Can someone tell me how to get address of USER objects in paged pool on windows 8 (some code or any ideas)?
F.e. on win 7 we can do this by min. 2 ways: by CsrClientConnectToServer and gSharedInfo.
Thanks!
Ok. Here are some of the articles which may help you in finding your answer..
http://msdn.microsoft.com/en-us/library/ms810501.aspx
Object Manager is the centralized resource broker in the Windows NT line of Operating Systems, which keeps track of the resources allocated to processes. It is resource-agnostic and can manage any type of resource, including device and file handles. All resources are represented as objects, each belonging to a logical namespace for categorization and having a type that represents the type of the resource, which exposes the capabilities and functionalities via properties.
An object is kept available until all processes are done with it; Object Manager maintains the record of which objects are currently in use via reference counting, as well as the ownership information. Any system call that changes the state of resource allocation to processes goes via the Object Manager.
Source: http://en.wikipedia.org/wiki/Object_Manager_(Windows)
Something about Kernal Objects and their difference from the GDI/User Objects
http://windowsarchitecture.wordpress.com/2010/11/24/kernel-objects-%E2%80%9Care%E2%80%9D-different-from-gdi-user-objects/
Here is an article which may give you some idea about paged pool in the kernal..
http://vishu25.wordpress.com/2012/08/30/kernelmemory/
And below paper will surely help you in your deeper study...
www.mista.nu/research/MANDT-kernelpool-PAPER.pdf
Let me know if it helps you..
Related
I have written a windows service using .NET technologies. I am using `JetBrains dotMemory' tool to understand the memory leak.
I am getting below report but as a new bee I am not sure how to read this.
System namespace is showing more survived bytes. But how do I know which code is the root cause of memory leak?
At the first your should decide which kind of memory issue you are going to find
Constantly growing memory consumption - get base snaphsot, get another after memory consumption is increased, open snapshots comparison, open new objects created after first snapshot, look at them to understand which should be collected.
Ensure that some key object doesn't leak - set your app in a state when some object should not be presented in memory (e.g. close some view), get snapshot, using filter on "Group by type" view to ensure that this object is not presented in memory.
Memory traffic - get base snapshot if needed, run action/algorithm in your app which you want to check, get snapshot. Open "Memory Traffic" view, look if it looks as you implemented or more objects then you expected were allocated during the action.
Grab this free book for other possible memory issues.
P.S. Only you as an app author can answer the question, is it a problem or it is as designed.
You should look at the survived bytes / retained bytes which will point you to the base instance or the root object of the creation. It depends on your application design and implementation to decide whether the specified object in the memory should be retained or not.
If you identify the root object of the creation, you should try to separate the linkage and make the .net garbage collector to automatically collect the unwanted objects.
There is no fixed flag points to identify memory leaks.
Using ANTS Memory Profiler
Using Windbg or here
One source of memory leaks are the event handlers that are not being de-referenced.
Example:
myClass.DoSomething += Event_DoSomething
You need to make sure the resources are being clearead like below:
myClass.DoSomething -= Event_DoSomething
I am working on a windows system. I need to create a shared memory for inter process communication to share objects (containing pointers as members). Or some equivalent way for fast transfer of objects from a generator process to a receiver process. the size of the objects are also huge. How do i do that? The porblem is that even if i share the objects I need a way so that the other process gets the access to the locations pointed by the pointers in the objects. And sharing each of those locations for each object is not feasible.
It's difficult to say without more details, but I would consider a memory mapped file. How you create the file depends on whether you need to communicate between sessions or not. You would also need a notification mechanism when new data was posted. You could do that with a registered message, but again that's only possible if your processes are in the same session/desktop.
I can't really be more specific without knowing the details of the requirement.
is there any way to determine which driver is the owner of the hanlde?
I mean is it stored any where is Windows objects?
I can see handles via volatilty but all kernel handles are assigned to System.exe pid:4, I need to know exactly which driver is using this system handle?
thanks
Is there any way to determine which driver is the owner of the
handle?
When kernel modules (or thread in kernel space) call Kernel API (NtCreateFile, for example), the handles are allocated from handle table of System process. In this case, the answer is: no.
I mean is it stored any where is Windows objects?
I guess no
I need to know exactly which driver is using this system handle?
Depend on analisys you're doing. If you need to associate an object back to the driver that owns it, you can try to analize _POOL_HEADER structure to obtain information about who produced the allocation. BUT if you need to analyze an executive object (_FILE object, for example), the PoolTag field in this header will be equal to ObjectType.Key, so this way is not very useful for your purpose.
In general, if you're looking for which resources a process can access (i.e. memory-mapped files), you can analyze with memmap volatility's plugin the process' page tables and so the memory area of the process. I suggest you to use VAD structures' dedicated plugin so that you can gather an high-level information about virtual address space of the process.
Upon analysis, I learnt that even _KPROCESS objects can be members of the ActiveProcessLinks list. What is the difference between _EPROCESS and _KPROCESS objects? When is one created and one not? What are the conceptual differences between them?
This is simplified, but the kernel mode portion of the Windows O/S is broken up into three pieces: the HAL, the Kernel, and the Executive Subsystems. The Executive Subsystems deal with general O/S policy and operation. The Kernel deals with process architecture specific details for low level operations (e.g. spinlocks, thread switching) as well as scheduling. The HAL deals with differences that arise in particular implementations of a processor architecture (e.g. how interrupts are routed on this implementation of the x86). This is all explained in greater detail in the Windows Internals book.
When you create a new Win32 process, both the Kernel and the Executive Subsystems want to track it. For example, the Kernel wants to know the priority and affinity of the threads in the process because that's going to affect scheduling. The Executive Subsystems want to track the process because, for example, the Security Executive Subsystem wants to associate a token with the process so we can do security checking later.
The structure that the Kernel uses to track the process is the KPROCESS. The structure that the Executive Subsystems use to track it is the EPROCESS. As an implementation detail, the KPROCESS is the first field of the EPROCESS, so the Executive Subsystems allocate the EPROCESS structure and then call the Kernel to initialize the KPROCESS portion of it. In the end, both structures are part of the Process Object that represents the instance of the user process. This should also all be covered in the Windows Internals book.
-scott
Have a look here:
http://channel9.msdn.com/Shows/Going+Deep/Arun-Kishan-Process-Management-in-Windows-Vista
EPROCESS is the kernel mode equivalent of the PEB from user mode. More details can be found in this document on Alex Ionescu's site as well as the book by Schreiber and other books about the NT internals.
Use dt in WinDbg to get an idea how they look.
EPROCESS is not available in user mode. Neither is KPROCESS.
KPROCESS is a subset of EPROCESS. If you look at the fields in a debugger, you'll see the KPROCESS contains fields more related to scheduling and book-keeping of the process at a lower level, while EPROCESS has higher-level process contexts inside of it. The names, as far as I am aware, come from different subsystems that interact with these structures (the Executive has structures and functions frequently prefixed with Ex while the Kernel has structures and functions frequently prefixed with Ke)
You can see this in different documented functions. Consider the prototype for KeStackAttachProcess ( http://msdn.microsoft.com/en-us/library/ff549659(v=vs.85).aspx ), which is a Ke functions and takes a KPROCESS. There aren't any exported and documented Ex functions that accept EPROCESS (or KPROCESS), but Ps functions deal entirely in EPROCESSES.
A similar divide exists for threads, with KTHREAD and ETHREAD.
I have got many of my questions solved here, many thanks to you guys. And I'd like to ask one more. :)
I am reading about < Windows via C/C++ >, it said:
When we wnat to gain access to an existing kernel object (rather than create a new one), we must speicify the operations we intend to perform on the object. If we are allowed access with such operations, a handle to the kernel object is returned.
...if the returned handle is used to call an API that requires a right different from you requested for, the access-denied error occurs.
AFAIK, handle is just a plain integer number, it's just an index into the process' handle table, nothing more could the handle value provide. If we have already got a handle to a kernel object, how could the system detect we use it for other operations than we requested for?
A kernel object can have more than one handles, and the owners of these handles may have different access types. Where does the system store these different access type info? I think it should be in the process' handle table.
Suppose I try to open a single kernel object with 2 different access types, 2 handles to the same kernel object should be returned, and thus there'll be 2 entries in the process' handle table, pointing to the same kernel object.
Any insight will be deeply appreciated.
Update 1
Thanks guys.
I referred to the < Windows Internals > 5th edition, it said at Ch 6. Access Checks:
The Windows security model requires that a therad speicfy up front, at the time that it opens an object, what types of actions it wants to perfrom on the object. The object manager calls the SRM to perform access checks based on a thread's desired access, and if the access is granted, a handle is assigned to the thread's process with which the thread (or other threads in the process) can perform further operations on the object. As explained in Chapter 3, the object menager records the access permissions granted for a handle in the process's handle table.
So it seems my guess is right.
Thanks.
Every kernel object that is active will have a series of rights stored against it. This is just another table managed by the Security Reference Manager (SRM). When the security is asserted by the object manager then the object handle will looked up to collect the object reference (ObReferenceObjectByHandle) and the resultant object , can be used to look up the rights (ObCheckObjectAccess). There will be indirections involving security tokens, but in essence this is the theory. So two handles may indeed point to the same reference object.
There is a good description of what happens during a ObCheckObjectAccess call in Windows Internals (mine version 5).
Paraphrasing it here :
The ObCheckObjectAccess takes the object, the credentials of the calling thread and the access requested and calls the SRM (SeAccessCheck) so that it can work out whether the right is asserted or denied.