Wednesday 30 October 2013

Process Explorer - Looking at Open Handles

This is going to be my first little post about how to use some of the features of Process Explorer, which is a very useful tool to have if you understand how to use it properly.

If you understand how objects and handles work, then you may skip this paragraph and read the rest of the blog post; however, if you wish to gain a brief understanding of how objects and handles work, then please continue reading. I will not be explaining how objects work completely, since this is quite a lengthy topic, although I may explain objects in more detail in the future. Objects are basically system resources, and are managed by the Object Manager; we can also see them with the WinObj Sysinternals tool. Each object also maintains a handle count, which is the number of open handles or active references to that object from processes. An object can only be destroyed once all the handles to that object have been closed.

Open WinObj, and then click File and then Run As Administrator. Select the Object Types folder, and you will see all the available object types handled by the Object Manager.

We can look further into the details of a particular object by examining its data structures with WinDbg and its debugger extensions.

Note: Please be aware that these commands and extensions may not be able to gather the desired information from a Minidump; unfortunately, since I've only got a Minidump to work with, a Minidump will have to be used.

The Object Header data structure maintains information about the object, and points to the type object, which maintains information common to that object type. An Object Header also carries sub-headers which are specific to that object. I will not explain all the fields here, since they are not relevant to the context of this post; the three which I will explain are PointerCount, HandleCount and Flags.

HandleCount maintains the number of open handles to that object, while PointerCount maintains the number of references to that object (this includes any open handles). You may be wondering why there is also a PointerCount field; it is included since kernel-mode code can reference objects with pointers instead of handles.
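To make the handle-count rule concrete (an object lives until its last handle is closed, and the process's total handle count rises and falls with it), here is an added PowerShell example that is not part of the original post. It creates a named event object through .NET's EventWaitHandle (each instance wraps one Win32 handle to the same kernel object), opens a second handle to it by name, and after each close probes the Object Manager namespace to see whether the object still exists. The event name is a constructed value, and the per-process handle count comes from the same HandleCount figure that Process Explorer shows in its Handles column.

```powershell
# Added example: shows that a kernel object survives until every handle to it
# has been closed. Each EventWaitHandle instance holds one handle to the same
# named event object. The event name below is a constructed value for this demo.
$name = 'Local\HandleDemoEvent_' + [guid]::NewGuid().ToString('N')

function Test-ObjectExists([string] $EventName) {
    # OpenExisting succeeds only while the named object is still alive in the
    # Object Manager namespace; once its handle count reaches zero the object is
    # destroyed and OpenExisting throws WaitHandleCannotBeOpenedException.
    try {
        $probe = [System.Threading.EventWaitHandle]::OpenExisting($EventName)
        $probe.Dispose()   # release the probe's own handle straight away
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    }
}

function Get-MyHandleCount {
    # The OS-maintained handle count for this process: the same number that
    # Process Explorer reports in its Handles column.
    return (Get-Process -Id $PID).HandleCount
}

$before = Get-MyHandleCount

# First handle: creating the event by name. This is the point where the Object
# Manager performs a name lookup; later accesses through the handle skip it.
$h1 = New-Object System.Threading.EventWaitHandle(
    $false, [System.Threading.EventResetMode]::ManualReset, $name)

# Second handle to the very same object, obtained by name.
$h2 = [System.Threading.EventWaitHandle]::OpenExisting($name)

"Handles held by this process went from $before to $(Get-MyHandleCount)"
"Object exists with two handles open: $(Test-ObjectExists $name)"

# Closing one handle leaves the other open, so the object must stay alive.
$h1.Dispose()
"Object exists after closing the first handle: $(Test-ObjectExists $name)"

# Closing the last handle drops the handle count to zero, and the object goes away.
$h2.Dispose()
"Object exists after closing the last handle: $(Test-ObjectExists $name)"
```

The process-wide handle count is only approximately a delta of two here, because the .NET runtime opens and closes handles of its own while the script runs; the probe function is the reliable signal of whether the object is still alive.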

The Flags field maintains any attributes for that object. The Flags field is stored in a structure called Object Attributes, which we can view with the !obja extension.

The !obja extension displays the attributes or flags of an object which is stored by the Object Manager. It takes the hexadecimal address of the object; in this case it's a process object.

Let's examine the two flags for the process object:

OBJ_EXCLUSIVE: This specifies that the object can only be used by the process which created it.

OBJ_CASE_INSENSITIVE: Specifies that lookups for the object in the namespace should be case insensitive. 

This brings me to the point that handles are used primarily because the Object Manager can skip the name lookup and find the object directly. When a process creates an object by name, the process is given a handle to it.

Going back to our original discussion, open Process Explorer, then select the View menu and then Show Lower Pane (or Ctrl + L). Select the Lower Pane View option to show the open handles to any objects being used by the selected process.

In this example, I've chosen Firefox 25; we can see all the associated objects being used by that process, including all the threads running under that process. It's important to remember that a process object is more of a shell within which the threads run.

We can right-click the File object and then view its properties, or even close the handle to that object, which I would strongly advise against.
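For the same inspection from the command line, here is an added PowerShell example (not part of the original post) that reproduces what the lower pane shows for a chosen process: it runs the Sysinternals handle.exe tool against each matching process, tallies the open handles by object type, and lists the File handles, which are the object type the post looks at. It assumes handle.exe is on the PATH, that the shell is elevated (otherwise only a subset of another process's handles is visible), and that each output line has the shape "<hex id>: <Type> [(access)] [name]", which is the listing format of current handle.exe versions; the process name "firefox" is the post's own example.

```powershell
# Added example: a scripted equivalent of Process Explorer's lower pane view.
# Assumptions: handle.exe (Sysinternals) is on PATH, the shell is elevated, and
# handle.exe prints one handle per line as "<hex id>: <Type> [(access)] [name]".
param(
    [string] $ProcessName = 'firefox'   # the post's example process
)

function Get-ProcessHandleSummary([string] $Name) {
    $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $procs) { throw "No process named '$Name' is running." }

    foreach ($p in $procs) {
        # -a lists every handle type, not only files; -nobanner keeps the output
        # free of the version header so the lines below parse cleanly.
        $lines = & handle.exe -accepteula -nobanner -a -p $p.Id 2>$null

        $entries = foreach ($line in $lines) {
            if ($line -match '^\s*([0-9A-Fa-f]+):\s+(\S+)\s*(.*)$') {
                [pscustomobject]@{
                    Handle = [Convert]::ToInt32($Matches[1], 16)  # handle value, as in the lower pane
                    Type   = $Matches[2]                           # object type (File, Event, Section, ...)
                    Detail = $Matches[3].Trim()                    # access flags and object name, if any
                }
            }
        }

        [pscustomobject]@{
            Pid         = $p.Id
            # The OS-reported count. handle.exe may list slightly fewer entries
            # (unnamed or inaccessible objects), so a small gap here is normal.
            HandleCount = $p.HandleCount
            Parsed      = $entries.Count
            ByType      = $entries | Group-Object Type | Sort-Object Count -Descending |
                          Select-Object Name, Count
            Files       = $entries | Where-Object Type -eq 'File' | Select-Object Handle, Detail
        }
    }
}

foreach ($summary in Get-ProcessHandleSummary $ProcessName) {
    "PID $($summary.Pid): $($summary.HandleCount) handles reported by the OS, $($summary.Parsed) listed by handle.exe"
    $summary.ByType | Format-Table -AutoSize
    "File handles:"
    $summary.Files | Format-Table -AutoSize
}
```

The per-type breakdown is the useful part for a defender: a process whose handle count keeps climbing, or that holds File or Section handles to paths it has no business touching, stands out in this summary the same way it would in the lower pane, and nothing here modifies or closes any handle.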

1 comment:

  1. Thank you for posting such a great blog. I found your website perfect for my needs. Read About File System Filter Driver Programming