A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #8147  by utsav.0202
 Fri Aug 19, 2011 1:41 pm
Hi

I just want to see the handle table of a process.

I chose pid:c40 for the test
lkd> !process c40 0
Searching for Process with Cid == c40
Cid handle table at e2382000 with 630 entries in use

PROCESS 852e7b18  SessionId: 0  Cid: 0c40    Peb: 7ffd9000  ParentCid: 0818
    DirBase: 06f70000  ObjectTable: e23736c8  HandleCount:  46.
    Image: vsnp2uvc.exe
and got the ObjectTable address: e23736c8
Here is the handle table
lkd> dt _handle_table e23736c8  
nt!_HANDLE_TABLE
   +0x000 TableCode        : 0xe2d1e000
   +0x004 QuotaProcess     : 0x852e7b18 _EPROCESS
   +0x008 UniqueProcessId  : 0x00000c40 Void
   +0x00c HandleTableLock  : [4] _EX_PUSH_LOCK
   +0x01c HandleTableList  : _LIST_ENTRY [ 0xe1cce19c - 0xe20e820c ]
   +0x024 HandleContentionEvent : _EX_PUSH_LOCK
   +0x028 DebugInfo        : (null) 
   +0x02c ExtraInfoPages   : 0n0
   +0x030 FirstFree        : 0xbc
   +0x034 LastFree         : 0
   +0x038 NextHandleNeedingPool : 0x800
   +0x03c HandleCount      : 0n46
   +0x040 Flags            : 0
   +0x040 StrictFIFO       : 0y0
TableCode : 0xe2d1e000 is the array of _HANDLE_TABLE_ENTRY

I took an entry of a handle of an opened process (xyz.exe) and its member 'Object' gave the address 85c84989
but PEPROCESS of xyz.exe was 85c849a0.
Why the difference of 17 bytes? Then I thought of OBJECT_HEADER, but then again it is 18 bytes.
And also in the case of inheritable handles there was a difference of 15 bytes.

Thanks and Regards
Utsav
 #8151  by GamingMasteR
 Fri Aug 19, 2011 3:32 pm
Hi,

You should consider "Object" as EX_FAST_REF :
typedef struct _EX_FAST_REF {
    union {
        PVOID Object;
        ULONG RefCnt : 3;
        ULONG Value;
    };
} EX_FAST_REF, *PEX_FAST_REF;
So, masking off the 3 bits of RefCnt, you will get pointer = 0x85c84988

0x85c849a0 - 0x85c84988 = 0x18 = sizeof(OBJECT_HEADER) ;)
 #8209  by utsav.0202
 Mon Aug 22, 2011 3:13 pm
I am not able to get the HANDLE_TABLE_ENTRYs for the SYSTEM process(pid 4)
Is it different from other processes?
How to get it?
 #8226  by utsav.0202
 Tue Aug 23, 2011 6:43 am
I don't know about multilevel tables.

For the SYSTEM process the value of TableCode in HANDLE_TABLE is
TableCode        : 0xe1944001
and
lkd> dd 0xe1944001
e1944001  00e10040 00e19450 00e19f70 00000000
e1944011  00000000 00000000 00000000 00000000
e1944021  00000000 00000000 00000000 00000000
e1944031  00000000 00000000 00000000 00000000
e1944041  00000000 00000000 00000000 00000000
e1944051  00000000 00000000 00000000 00000000
e1944061  00000000 00000000 00000000 00000000
e1944071  00000000 00000000 00000000 00000000
It shows three pointer values. Are these pointer to some tables that have HANDLE_TABLE_ENTRYs?
Refer me to something to read about it.

Thanks.
 #8229  by GamingMasteR
 Tue Aug 23, 2011 11:26 am
> I don't know about multilevel tables.
You should read a little about it; handle tables are implemented as a three-level scheme.
In Windows XP, the first two bits of HandleTable->TableCode determine the depth of the handle table. If they are clear, TableCode points directly to an array of HANDLE_TABLE_ENTRY structures. If they equal one, TableCode points to an array of pointers, each of which points to an array of HANDLE_TABLE_ENTRY structures, and so on ...
You will find more detailed information if you google for it.

I'll take the SYSTEM process on my machine as a case:
PROCESS 8af987c0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0b400020 ObjectTable: e1002eb0 HandleCount: 883.
Image: System
lkd> dt _HANDLE_TABLE e1002eb0
nt!_HANDLE_TABLE
+0x000 TableCode : 0xe2e80001
+0x004 QuotaProcess : (null)
+0x008 UniqueProcessId : 0x00000004 Void
As you can see the table level = 0xe2e80001 & 0x3 = 0x1
lkd> dd 0xe2e80000
e2e80000 e1004000 e2e84000 e5ca9000 00000000
e2e80010 00000000 00000000 00000000 00000000
We will examine the second pointer, for instance:
lkd> dd e2e84000
e2e84000 00000000 fffffffe 8a2a9011 0012019f
e2e84010 8a2a9e89 0012019f 8a2a9c89 0012019f
Examine the second entry, for instance (after masking off the 1st bit):
lkd> !object 8a2a9010+18
Object: 8a2a9028 Type: (8af87e70) File
ObjectHeader: 8a2a9010 (old version)
HandleCount: 1 PointerCount: 2
lkd> !fileobj 8a2a9010+18
Device Object: 0x8a4c4768 \Driver\Tcpip
Vpb is NULL
Event signalled
Flags: 0x40000
Handle Created
FsContext: 0x8a2aa0f0 FsContext2: 0x00000002
CurrentByteOffset: 0
It's a valid object ...
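The two points made in posts #8151 and #8229 (strip the low flag bits from HANDLE_TABLE_ENTRY.Object and add sizeof(OBJECT_HEADER) to reach the object body; use the low two bits of TableCode to pick the table depth) can be put into one walker. The program below is an added example written for this page, not code from the thread or from Windows. It uses host-native pointers so it runs anywhere, and it reproduces the XP x86 encodings discussed above: level = TableCode & 3, flags = Object & 7, OBJECT_HEADER_SIZE = 0x18, 512 entries per leaf table and 1024 pointers per pointer page. The meaning assigned to the three flag bits (bit 0 set while the entry is unlocked, bit 1 = OBJ_INHERIT, bit 2 = OBJ_AUDIT_OBJECT_CLOSE) is my reading of the XP layout, not something the thread states, although it matches the first post's 0x17 versus 0x15 difference for a normal and an inheritable handle. The two-level table, the objects and the handle values it walks are constructed in the program; only the reserved slot 0 / 0xfffffffe pair and the 0x12019f access mask are copied from the dumps above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* XP x86 encodings from the thread; host pointers are used for the walk itself. */
#define TABLE_LEVEL_MASK    ((uintptr_t)0x3)   /* low 2 bits of TableCode = depth   */
#define ENTRY_FLAGS_MASK    ((uintptr_t)0x7)   /* low 3 bits of Object = flags      */
#define ENTRY_UNLOCKED_BIT  ((uintptr_t)0x1)   /* assumed: set while not locked     */
#define ENTRY_INHERIT_BIT   ((uintptr_t)0x2)   /* assumed: OBJ_INHERIT              */
#define ENTRY_AUDIT_BIT     ((uintptr_t)0x4)   /* assumed: OBJ_AUDIT_OBJECT_CLOSE   */
#define OBJECT_HEADER_SIZE  ((uintptr_t)0x18)  /* sizeof(nt!_OBJECT_HEADER), XP x86 */
#define LOW_ENTRIES         512u               /* 4096 / 8-byte entry on x86        */
#define MID_POINTERS        1024u              /* 4096 / 4-byte pointer on x86      */

typedef struct _HANDLE_TABLE_ENTRY {
    uintptr_t Object;         /* object header address | flag bits */
    uint32_t  GrantedAccess;  /* ACCESS_MASK for this handle */
} HANDLE_TABLE_ENTRY;

unsigned table_level(uintptr_t table_code)
{
    return (unsigned)(table_code & TABLE_LEVEL_MASK);
}

/* Resolve a handle value to its entry. next_handle_needing_pool is the
 * HANDLE_TABLE field of that name (first handle with no backing page) and
 * bounds the walk. NULL means "no such entry" or "entry not in use". */
HANDLE_TABLE_ENTRY *lookup_handle(uintptr_t table_code,
                                  uint32_t next_handle_needing_pool,
                                  uint32_t handle)
{
    uintptr_t base = table_code & ~TABLE_LEVEL_MASK;
    uint32_t idx = handle >> 2;               /* handle values are multiples of 4 */
    HANDLE_TABLE_ENTRY *low = NULL;

    if ((handle & 3) || handle >= next_handle_needing_pool)
        return NULL;

    switch (table_level(table_code)) {
    case 0:   /* TableCode -> HANDLE_TABLE_ENTRY[LOW_ENTRIES] */
        if (idx >= LOW_ENTRIES) return NULL;
        low = (HANDLE_TABLE_ENTRY *)base;
        break;
    case 1: { /* TableCode -> pointers -> entries (the System process case) */
        uintptr_t *mid = (uintptr_t *)base;
        if (idx / LOW_ENTRIES >= MID_POINTERS) return NULL;
        low = (HANDLE_TABLE_ENTRY *)mid[idx / LOW_ENTRIES];
        break;
    }
    case 2: { /* TableCode -> pointers -> pointers -> entries */
        uintptr_t *top = (uintptr_t *)base;
        uint32_t top_idx = idx / (LOW_ENTRIES * MID_POINTERS);
        if (top_idx >= MID_POINTERS) return NULL;
        uintptr_t *mid = (uintptr_t *)top[top_idx];
        if (mid == NULL) return NULL;
        low = (HANDLE_TABLE_ENTRY *)mid[(idx / LOW_ENTRIES) % MID_POINTERS];
        break;
    }
    default:
        return NULL;                          /* level 3 is not used */
    }
    if (low == NULL)
        return NULL;
    HANDLE_TABLE_ENTRY *e = &low[idx % LOW_ENTRIES];
    /* Slot 0 (Object 0, GrantedAccess 0xfffffffe) and free slots carry no pointer. */
    if ((e->Object & ~ENTRY_FLAGS_MASK) == 0)
        return NULL;
    return e;
}

uintptr_t entry_object_header(const HANDLE_TABLE_ENTRY *e)
{
    return e->Object & ~ENTRY_FLAGS_MASK;      /* the address !object expects */
}

uintptr_t entry_object_body(const HANDLE_TABLE_ENTRY *e)
{
    return entry_object_header(e) + OBJECT_HEADER_SIZE;  /* e.g. the EPROCESS */
}

int entry_is_inheritable(const HANDLE_TABLE_ENTRY *e)
{
    return (e->Object & ENTRY_INHERIT_BIT) != 0;
}

/* Constructed two-level table shaped like the System dump: slot 0 reserved,
 * one ordinary and one inheritable handle in the second leaf table. */
static uint64_t demo_obj_a[6], demo_obj_b[6];   /* 0x18 header + body, 8-aligned */
static HANDLE_TABLE_ENTRY demo_low0[LOW_ENTRIES], demo_low1[LOW_ENTRIES];
static uintptr_t demo_mid[MID_POINTERS];

uintptr_t build_demo_table(void)
{
    demo_low0[0].Object = 0;                             /* reserved slot */
    demo_low0[0].GrantedAccess = 0xfffffffe;
    demo_low1[1].Object = (uintptr_t)demo_obj_a | ENTRY_UNLOCKED_BIT;
    demo_low1[1].GrantedAccess = 0x0012019f;             /* handle 0x804 */
    demo_low1[2].Object = (uintptr_t)demo_obj_b | ENTRY_UNLOCKED_BIT | ENTRY_INHERIT_BIT;
    demo_low1[2].GrantedAccess = 0x001f0fff;             /* handle 0x808, constructed */
    demo_mid[0] = (uintptr_t)demo_low0;
    demo_mid[1] = (uintptr_t)demo_low1;
    return (uintptr_t)demo_mid | 1;                      /* level-1 TableCode */
}

int main(void)
{
    uintptr_t tc = build_demo_table();
    uint32_t handles[] = { 0x0, 0x4, 0x804, 0x808, 0x1000 };
    for (size_t i = 0; i < sizeof handles / sizeof handles[0]; i++) {
        HANDLE_TABLE_ENTRY *e = lookup_handle(tc, 0x1000, handles[i]);
        if (e == NULL) { printf("handle %#x: unused\n", handles[i]); continue; }
        printf("handle %#x: header %#lx body %#lx access %#x%s\n", handles[i],
               (unsigned long)entry_object_header(e), (unsigned long)entry_object_body(e),
               e->GrantedAccess, entry_is_inheritable(e) ? " inheritable" : "");
    }
    return 0;
}
```

Handle 0x804 is index 513, so the walker takes pointer 1 of the mid table and entry 1 of that leaf, the same path GamingMasteR followed by hand with `dd` above; handle 0x1000 is at NextHandleNeedingPool and is rejected before any page is touched, which is the check a real walker needs before trusting a pointer page that may be partly unpopulated.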