Reply To: Problem with Objects Manager!


#6059
Anton
Participant

    Some standard Windows objects, like files, devices, etc., have the Size field at the beginning of the structure.
    dt -bv nt!_FILE_OBJECT ff4dcd20
    struct _FILE_OBJECT, 27 elements, 0x70 bytes
    +0x000 Type : 5
    +0x002 Size : 112
    ……
    Size value is equal to the object Body size in bytes.

    The dispatcher objects, like events, mutants, etc., have the Header.Size field at the beginning of the structure.
    dt -bv nt!_KEVENT ff4d6ee8
    struct _KEVENT, 1 elements, 0x10 bytes
    +0x000 Header : struct _DISPATCHER_HEADER, 10 elements, 0x10 bytes
    +0x000 Type : 0x1 ''
    +0x001 Absolute : 0x2 ''
    +0x001 NpxIrql : 0x2 ''
    +0x002 Size : 0x4 ''
    …..
    Size value is equal to the object Body size in DWORDS.

    Unfortunately, this rule can’t be applied to the registry keys, window stations and desktops.
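
The two Size conventions described in the post above, as an added C example that is not part of the original post: it decodes the body size from the first four bytes of an object body and cross-checks it against the structure size that dt reports. The enum, the function names and the byte buffers are constructed for illustration, and the fields are assumed to be little-endian as on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Which Size convention the object body follows (illustrative names). */
enum size_kind {
    SIZE_CSHORT_BYTES,      /* files, devices: 16-bit Size at +0x002, in bytes */
    SIZE_DISPATCHER_DWORDS  /* events, mutants: 8-bit Header.Size at +0x002, in DWORDs */
};

/* Decode the body size in bytes from the start of an object body.
 * Returns 0 when fewer than 4 bytes are available or the field is zero. */
static size_t body_size_bytes(const uint8_t *body, size_t avail, enum size_kind kind)
{
    if (body == NULL || avail < 4)
        return 0;
    if (kind == SIZE_CSHORT_BYTES)
        return (size_t)body[2] | ((size_t)body[3] << 8);  /* little-endian 16-bit */
    return (size_t)body[2] * 4;                           /* DWORD count to bytes */
}

/* Cross-check the decoded size against the structure size shown by dt.
 * A mismatch means the address is not the start of a body of that kind,
 * or the wrong convention was applied. */
static int size_matches(const uint8_t *body, size_t avail,
                        enum size_kind kind, size_t expected)
{
    size_t n = body_size_bytes(body, avail, kind);
    return n != 0 && n == expected;
}

/* Constructed sample bytes carrying the values from the two dt dumps.
 * The last KEVENT byte is not shown in the post and is set to 0 here. */
static const uint8_t file_object_hdr[4] = { 0x05, 0x00, 0x70, 0x00 }; /* Type 5, Size 112 */
static const uint8_t kevent_hdr[4]      = { 0x01, 0x02, 0x04, 0x00 }; /* Type 1, Size 4 */

int main(void)
{
    printf("_FILE_OBJECT body: %zu bytes, matches 0x70: %d\n",
           body_size_bytes(file_object_hdr, 4, SIZE_CSHORT_BYTES),
           size_matches(file_object_hdr, 4, SIZE_CSHORT_BYTES, 0x70));
    printf("_KEVENT body: %zu bytes, matches 0x10: %d\n",
           body_size_bytes(kevent_hdr, 4, SIZE_DISPATCHER_DWORDS),
           size_matches(kevent_hdr, 4, SIZE_DISPATCHER_DWORDS, 0x10));
    return 0;
}
```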