Sunday 3 November 2013

Object Retention - Object Manager

Objects can be temporary or permanent, retention of permanent objects is quite simple, they are not deleted. Temporary objects have two phrases of retention. We should understand that when a process acquires a object, the reference count (handle count + pointer count) is incremented by 1, and when that handle is closed, then the reference count is decremented by 1.

When,  the handle count of an object drops to 0, the Object Manager removes the object's name from the global namespace, therefore stopping any new processes from opening handles to that object.

Once, the name has been removed, then the object will be only deleted, once the reference count has dropped zero, since kernel processes are able to use object with pointers, hence the reason why there is a pointer count field within the object header data structure.

The reference count is a combination of the pointer reference count and handle reference count. 

We can use the !object extension to view the above mentioned fields.


 The reference count would be 48.

It's important to remember that objects which are using paged pool, must only be freed when the IRQL Level is below 2, since page faults will be illegal operations, and thus will cause the system to crash.


 

No comments:

Post a Comment