obtain all OBJECT_TYPEs in the system

Hi, I am writing a real-time object monitor which should allow monitoring
creation, deletion, parsing and more of every type of object in the system.
It is working and it’s cool as rock, but I still have to overcome a problem,
which is that I need to know the OBJECT_TYPE of each individual type of
object in the system.

I have done a lot of research and it is often mentioned on this list and in
several books that this information can be obtained from the objects in the
\ObjectTypes\ directory. But my findings are that the objects in the
ObjectTypes directory are logically always of type ‘Type’ so I still do not
have any information on the type object. I have also checked the chained
list entries in there which connect objects of a certain type with each
other.

Is there not some type of root object from which all objects or all object
types can be found? I have looked into ZwQuerySystemInformation with
SystemObjectInformation but according to Gary Nebbett it requires that the
system is booted with certain global flags enabled.

What I currently am doing to get a list of object types is a bit quirky: I
am obtaining a list of handles from the system and then checking all the
associated pointers for their object types. But there are no handles
reported for a lot of object types.

I am trying to fill the missing gaps by opening a set of commonly found
objects by name and retrieving their object type info. The amount of
exported object types in the system is very limited and not consistent
between releases, so that’s not enough.

My question is:

Am I maybe overlooking some reasonable way of enumerating the different
object types available in the system without rebooting? Just getting the
names is easy and can be done in many ways, but that’s not enough; I need
pointers of type POBJECT_TYPE.

Yes, I know this is all opaque and undocumented stuff, but if I can get this to
work in a solid way on all Windows versions it is going to be worth the pain
because it’s going to be a very useful utility for many purposes.

Thanks,

/Daniel

“Daniel Terhell” wrote in message
news:xxxxx@ntdev…
> Hi, I am writing a realtime object monitor which should allow monitoring
> creation, deletion, parsing and more of every
> type of object in the system. It is working and it’s cool as rock but I
> still have to overcome a problem which is that I need to know the
> OBJECT_TYPE of each individual type of object in the system.
>
> I have done a lot of research and it is often mentioned on this list and
> in several books that this information can be obtained from the objects
> in the \ObjectTypes\ directory. But my findings are that the objects in
> the ObjectTypes directory are logically always of type ‘Type’ so I still
> do not have any information on the type object. I have also checked the
> chained list entries in there which connect object of a certain type with
> each other.
>
An object of “Type” is an object used as the type of another object. So
look at the names: DEVICE_OBJECTs are of type “Device”, and since “Device” is
a type, its type is “Type”. This is not new technology; there have been
extensible type systems for at least 25 years. In fact, there is a paper
titled “The type of a type is type”.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

> Is there not some type of root object from which all objects or all object
> types can be found?

Unless FLAG_MAINTAIN_OBJECT_TYPELIST was set in NtGlobalFlags at boot time (and it is off by default), the system does not maintain the list of object types. If you look at the OBJECT_TYPE structure that you can arrive at via the OBJECT_HEADER that precedes the body of any object, you will see that both the Flink and Blink members of the TypeList LIST_ENTRY point to the given OBJECT_TYPE structure itself. Therefore, you cannot walk the list of object types by default. What you can do is walk the lists of objects themselves, but these lists are specific to the given object types (i.e. DRIVER_OBJECTs, EPROCESSs, ETHREADs, etc.), and are linked via pointers in object bodies, rather than in object headers…

> I have looked into ZwQuerySystemInformation with SystemObjectInformation
> but according to Gary Nebbett it requires that the system is booted with
> certain global flags enabled.

Sure - the only way ZwQuerySystemInformation() may obtain the sought info is from the object type list itself, if it exists (and, unless FLAG_MAINTAIN_OBJECT_TYPELIST was set at boot time, it does not). Therefore, ZwQuerySystemInformation() is out of luck here.

> … if I can get this to work in a solid way on all Windows versions

Forget about it - any third-party software that relies upon undocumented, let alone undeclared, structures cannot be portable across platforms by the very definition. Therefore, if you choose to use them, you may be required to adjust your product to every minor system update - this is just a part of the job…

Anton Bassov
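To illustrate Anton's point about the self-linked TypeList, here is an added user-mode C model (not code from the thread, and not the real ntoskrnl definitions): a toy TOY_OBJECT_TYPE carrying a LIST_ENTRY, chained into a head list only when the gflag bit is set. It assumes the GFlags "otl" value 0x4000 for FLAG_MAINTAIN_OBJECT_TYPELIST; with the bit clear, every TypeList points to itself and a walk from the head reaches nothing.

```c
#include <stddef.h>
#include <stdio.h>

/* User-mode model of the kernel's intrusive doubly linked list (constructed
 * for this example; not the real ntoskrnl definitions). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
#define FLAG_MAINTAIN_OBJECT_TYPELIST 0x4000u /* GFlags "otl" bit, per GFlags docs */
/* Toy stand-in for OBJECT_TYPE with only the fields this example needs. */
typedef struct { const char *Name; LIST_ENTRY TypeList; } TOY_OBJECT_TYPE;
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
/* Flink == Blink == &TypeList: initialised but never chained into any list,
 * which is the state Anton describes for a default boot. */
static int TypeListIsSelfLinked(const TOY_OBJECT_TYPE *t) {
    return t->TypeList.Flink == &t->TypeList && t->TypeList.Blink == &t->TypeList;
}
/* Walk from the list head and count the OBJECT_TYPEs reached. */
static size_t CountTypes(LIST_ENTRY *head) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        if (CONTAINING_RECORD(e, TOY_OBJECT_TYPE, TypeList)->Name) n++;
    return n;
}
/* Create four toy types, chaining them only when the gflag is set. Returns how
 * many a walk from the head reaches; optionally reports whether the first
 * type's own TypeList is still self-linked. */
static size_t SimulateTypeEnumeration(unsigned ntGlobalFlags, int *selfLinked) {
    static const char *names[] = { "Type", "Device", "Driver", "Process" };
    TOY_OBJECT_TYPE types[4];
    LIST_ENTRY head;
    InitializeListHead(&head);
    for (size_t i = 0; i < 4; i++) {
        types[i].Name = names[i];
        InitializeListHead(&types[i].TypeList);
        if (ntGlobalFlags & FLAG_MAINTAIN_OBJECT_TYPELIST)
            InsertTailList(&head, &types[i].TypeList);
    }
    if (selfLinked) *selfLinked = TypeListIsSelfLinked(&types[0]);
    return CountTypes(&head);
}
int main(void) {
    int self;
    printf("default boot: %zu reachable\n", SimulateTypeEnumeration(0, &self));
    printf("otl set: %zu reachable\n", SimulateTypeEnumeration(FLAG_MAINTAIN_OBJECT_TYPELIST, &self));
    return 0;
}
```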