- This topic has 1 reply, 2 voices, and was last updated 17 years, 10 months ago by
.
-
Posts
-
Hi!
Now I explore Windows Object Manager and it’s internal private functions. But I have a problem: When I take pointer (PVOID) to some object in system (named object) I what know what is size of it’s body. But how? I know that when object was created system allocates (sizeof(some structures)+sizeof(_OBJECT_HEADER)+BodySize)bytes in NonPagedPool. And I know where object body start (pointer), but I don’t know where object body end. Please help me!Some standard windows object, like files, devices, etc. have the Size field at the begining of the structure.
dt -bv nt!_FILE_OBJECT ff4dcd20
struct _FILE_OBJECT, 27 elements, 0x70 bytes
+0x000 Type : 5
+0x002 Size : 112
……
Size value is equal to the object Body size in bytes.The dispatcher objects, like events, mutants, etc., have Header.Size field at the begining of the structure.
dt -bv nt!_KEVENT ff4d6ee8
struct _KEVENT, 1 elements, 0x10 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 10 elements, 0x10 bytes
+0x000 Type : 0x1 ”
+0x001 Absolute : 0x2 ”
+0x001 NpxIrql : 0x2 ”
+0x002 Size : 0x4 ”
…..
Size value is equal to the object Body size in DWORDS.Unfortunately, this rule can’t be applied to the regitsry keys, window stations and desktops.
- You must be logged in to reply to this topic.