OBJ_KERNEL_HANDLE and PsCreateSystemThread

Hello. What does OBJ_KERNEL_HANDLE do exactly? Does it simply mean that IF
the handle is created in a non system process context, it cannot be accessed
by usermode code? Or are there other implications as well (.e.g for the
registry key DDIs does it guarantee that the handle would be in the system
process table, or is it simply the current process handle table)?

Concerning PsCreateSystemThread the DDK states that:

-“Drivers for Windows 2000 and Windows 98/Me must only call
PsCreateSystemThread from the system process context.”. Why? Won’t a NULL
process pointer guarantee that the thread will be created in the system
process? Or is it that the DDI cannot work properly in non system process
context? Is there another reason?

Thanks for any help.

Philip Lukidis

OBJ_KERNEL_HANDLE places the handle in the system process’s handle table
rather than in that of the current process. It also sets the high bit
in the handle to indicate to other OB functions that the handle should
be looked up in the system process table rather than that of the current
process.

WDM DDIs that act on handles often take an “AccessMode” parameter.
Among many things this changes, one is whether the function will accept
a kernel-handle. If the AccessMode is user-mode and you provide a
kernel handle you’ll get STATUS_INVALID_HANDLE since a user-mode process
should never hand you a kernel handle. If it’s kernel-mode and you
provide a kernel handle then it will go through just fine. Routines
that don’t take an AccessMode parameter generally look at the thread’s
PreviousMode to determine if the handle can be used.

I’m not sure on the reasoning for the PsCreateSystemThread documentation
you cite, but I suspect you’re right on. It probably assumed that it
was running in the context of the system process and opened a security
hole if run outside that process by creating the thread handle in the
process it was called from.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Philip Lukidis
Sent: Friday, February 27, 2004 5:34 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

Hello. What does OBJ_KERNEL_HANDLE do exactly? Does it simply mean
that IF the handle is created in a non system process context, it cannot
be accessed by usermode code? Or are there other implications as well
(.e.g for the registry key DDIs does it guarantee that the handle would
be in the system process table, or is it simply the current process
handle table)?

Concerning PsCreateSystemThread the DDK states that:

-“Drivers for Windows 2000 and Windows 98/Me must only call
PsCreateSystemThread from the system process context.”. Why? Won’t a
NULL process pointer guarantee that the thread will be created in the
system process? Or is it that the DDI cannot work properly in non
system process context? Is there another reason?

Thanks for any help.

Philip Lukidis

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

So, just to confirm, even if I supply NULL as a process pointer (which
indicates the system process, as per the docs on PsCreateSystemThread) this
does NOT mean that the handle is placed in the system process table? Does
this only mean that the thread is created in the system process, while the
handle is placed in the current process’ handle table?

Granted, I will always use OBJ_KERNEL_HANDLE in Win2k+, I’m just curious.
Thanks.

Philip Lukidis

----- Original Message -----
From: “Peter Wieland”
To: “Windows System Software Devs Interest List”
Sent: Friday, February 27, 2004 10:59 AM
Subject: RE: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

OBJ_KERNEL_HANDLE places the handle in the system process’s handle table
rather than in that of the current process. It also sets the high bit
in the handle to indicate to other OB functions that the handle should
be looked up in the system process table rather than that of the current
process.

WDM DDIs that act on handles often take an “AccessMode” parameter.
Among many things this changes, one is whether the function will accept
a kernel-handle. If the AccessMode is user-mode and you provide a
kernel handle you’ll get STATUS_INVALID_HANDLE since a user-mode process
should never hand you a kernel handle. If it’s kernel-mode and you
provide a kernel handle then it will go through just fine. Routines
that don’t take an AccessMode parameter generally look at the thread’s
PreviousMode to determine if the handle can be used.

I’m not sure on the reasoning for the PsCreateSystemThread documentation
you cite, but I suspect you’re right on. It probably assumed that it
was running in the context of the system process and opened a security
hole if run outside that process by creating the thread handle in the
process it was called from.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Philip Lukidis
Sent: Friday, February 27, 2004 5:34 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

Hello. What does OBJ_KERNEL_HANDLE do exactly? Does it simply mean
that IF the handle is created in a non system process context, it cannot
be accessed by usermode code? Or are there other implications as well
(.e.g for the registry key DDIs does it guarantee that the handle would
be in the system process table, or is it simply the current process
handle table)?

Concerning PsCreateSystemThread the DDK states that:

-“Drivers for Windows 2000 and Windows 98/Me must only call
PsCreateSystemThread from the system process context.”. Why? Won’t a
NULL process pointer guarantee that the thread will be created in the
system process? Or is it that the DDI cannot work properly in non
system process context? Is there another reason?

Thanks for any help.

Philip Lukidis

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@hotmail.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

yes the process pointer only specifies what process the thread should be
created in.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Philip Lukidis
Sent: Friday, February 27, 2004 9:03 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

So, just to confirm, even if I supply NULL as a process pointer (which
indicates the system process, as per the docs on PsCreateSystemThread)
this does NOT mean that the handle is placed in the system process
table? Does this only mean that the thread is created in the system
process, while the handle is placed in the current process’ handle
table?

Granted, I will always use OBJ_KERNEL_HANDLE in Win2k+, I’m just
curious.
Thanks.

Philip Lukidis

----- Original Message -----
From: “Peter Wieland”
To: “Windows System Software Devs Interest List”
Sent: Friday, February 27, 2004 10:59 AM
Subject: RE: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

OBJ_KERNEL_HANDLE places the handle in the system process’s handle table
rather than in that of the current process. It also sets the high bit
in the handle to indicate to other OB functions that the handle should
be looked up in the system process table rather than that of the current
process.

WDM DDIs that act on handles often take an “AccessMode” parameter.
Among many things this changes, one is whether the function will accept
a kernel-handle. If the AccessMode is user-mode and you provide a
kernel handle you’ll get STATUS_INVALID_HANDLE since a user-mode process
should never hand you a kernel handle. If it’s kernel-mode and you
provide a kernel handle then it will go through just fine. Routines
that don’t take an AccessMode parameter generally look at the thread’s
PreviousMode to determine if the handle can be used.

I’m not sure on the reasoning for the PsCreateSystemThread documentation
you cite, but I suspect you’re right on. It probably assumed that it
was running in the context of the system process and opened a security
hole if run outside that process by creating the thread handle in the
process it was called from.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Philip Lukidis
Sent: Friday, February 27, 2004 5:34 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

Hello. What does OBJ_KERNEL_HANDLE do exactly? Does it simply mean
that IF the handle is created in a non system process context, it cannot
be accessed by usermode code? Or are there other implications as well
(.e.g for the registry key DDIs does it guarantee that the handle would
be in the system process table, or is it simply the current process
handle table)?

Concerning PsCreateSystemThread the DDK states that:

-“Drivers for Windows 2000 and Windows 98/Me must only call
PsCreateSystemThread from the system process context.”. Why? Won’t a
NULL process pointer guarantee that the thread will be created in the
system process? Or is it that the DDI cannot work properly in non
system process context? Is there another reason?

Thanks for any help.

Philip Lukidis

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@hotmail.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Many thanks!

Philip Lukidis
----- Original Message -----
From: “Peter Wieland”
To: “Windows System Software Devs Interest List”
Sent: Friday, February 27, 2004 12:36 PM
Subject: RE: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

yes the process pointer only specifies what process the thread should be
created in.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Philip Lukidis
Sent: Friday, February 27, 2004 9:03 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

So, just to confirm, even if I supply NULL as a process pointer (which
indicates the system process, as per the docs on PsCreateSystemThread)
this does NOT mean that the handle is placed in the system process
table? Does this only mean that the thread is created in the system
process, while the handle is placed in the current process’ handle
table?

Granted, I will always use OBJ_KERNEL_HANDLE in Win2k+, I’m just
curious.
Thanks.

Philip Lukidis

----- Original Message -----
From: “Peter Wieland”
To: “Windows System Software Devs Interest List”
Sent: Friday, February 27, 2004 10:59 AM
Subject: RE: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

OBJ_KERNEL_HANDLE places the handle in the system process’s handle table
rather than in that of the current process. It also sets the high bit
in the handle to indicate to other OB functions that the handle should
be looked up in the system process table rather than that of the current
process.

WDM DDIs that act on handles often take an “AccessMode” parameter.
Among many things this changes, one is whether the function will accept
a kernel-handle. If the AccessMode is user-mode and you provide a
kernel handle you’ll get STATUS_INVALID_HANDLE since a user-mode process
should never hand you a kernel handle. If it’s kernel-mode and you
provide a kernel handle then it will go through just fine. Routines
that don’t take an AccessMode parameter generally look at the thread’s
PreviousMode to determine if the handle can be used.

I’m not sure on the reasoning for the PsCreateSystemThread documentation
you cite, but I suspect you’re right on. It probably assumed that it
was running in the context of the system process and opened a security
hole if run outside that process by creating the thread handle in the
process it was called from.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Philip Lukidis
Sent: Friday, February 27, 2004 5:34 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

Hello. What does OBJ_KERNEL_HANDLE do exactly? Does it simply mean
that IF the handle is created in a non system process context, it cannot
be accessed by usermode code? Or are there other implications as well
(.e.g for the registry key DDIs does it guarantee that the handle would
be in the system process table, or is it simply the current process
handle table)?

Concerning PsCreateSystemThread the DDK states that:

-“Drivers for Windows 2000 and Windows 98/Me must only call
PsCreateSystemThread from the system process context.”. Why? Won’t a
NULL process pointer guarantee that the thread will be created in the
system process? Or is it that the DDI cannot work properly in non
system process context? Is there another reason?

Thanks for any help.

Philip Lukidis

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@hotmail.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@hotmail.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I think that system process’s handle table and kernel handle table are two
different handle tables. It doesn’t matter though.

–htfv

“Peter Wieland” wrote in message
news:xxxxx@ntdev…
OBJ_KERNEL_HANDLE places the handle in the system process’s handle table
rather than in that of the current process. It also sets the high bit
in the handle to indicate to other OB functions that the handle should
be looked up in the system process table rather than that of the current
process.

WDM DDIs that act on handles often take an “AccessMode” parameter.
Among many things this changes, one is whether the function will accept
a kernel-handle. If the AccessMode is user-mode and you provide a
kernel handle you’ll get STATUS_INVALID_HANDLE since a user-mode process
should never hand you a kernel handle. If it’s kernel-mode and you
provide a kernel handle then it will go through just fine. Routines
that don’t take an AccessMode parameter generally look at the thread’s
PreviousMode to determine if the handle can be used.

I’m not sure on the reasoning for the PsCreateSystemThread documentation
you cite, but I suspect you’re right on. It probably assumed that it
was running in the context of the system process and opened a security
hole if run outside that process by creating the thread handle in the
process it was called from.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Philip Lukidis
Sent: Friday, February 27, 2004 5:34 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

Hello. What does OBJ_KERNEL_HANDLE do exactly? Does it simply mean
that IF the handle is created in a non system process context, it cannot
be accessed by usermode code? Or are there other implications as well
(.e.g for the registry key DDIs does it guarantee that the handle would
be in the system process table, or is it simply the current process
handle table)?

Concerning PsCreateSystemThread the DDK states that:

-“Drivers for Windows 2000 and Windows 98/Me must only call
PsCreateSystemThread from the system process context.”. Why? Won’t a
NULL process pointer guarantee that the thread will be created in the
system process? Or is it that the DDI cannot work properly in non
system process context? Is there another reason?

Thanks for any help.

Philip Lukidis

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

> Hello. What does OBJ_KERNEL_HANDLE do exactly?

First of all, it creates a handle which principally cannot be accessed from
user mode. Even if the handle value is passed to any user-mode code - it will
be defunct for it.

On the other hand, OBJ_KERNEL_HANDLE leaves its trace in the value of the
created handle (IIRC some junior bit is set) and so this handle can be used in
the kernel mode code in ANY process context. This “any process context while in
kernel mode” is second good property of the kernel handle.

Yes, the System process’s handle table is used to generate this handle, and
this “junior bit set” directs ObReferenceObjectByHandle, ZwClose and other
handle-using routines from other process context to use the System’s handle
table, and not the current process’s one.

The pseudocode for ObReferenceObjectByHandle internals:

if( (ULONG_PTR)Handle & KERNEL_HANDLE_JUNIOR_BIT )
{
if( RequestorMode != KernelMode )
return STATUS_ACCESS_DENIED;
HandleTable = PspSystemProcess->HandleTable;
}
else
HandleTable = PsGetCurrentProcess()->HandleTable;
// Then index HandleTable by Handle and check DesiredAccess
// Then check the object type if asked for
// Then addref the object and return it

Possibly the “KERNEL_HANDLE_JUNIOR_BIT” is documented somewhere. I just do not
remember.

This is a security measure. This handle belongs to something really secure and
important for your driver, and you do not want any user process to use this
handle by accident (or intent) by guessing (or scanning for) the handle value.

Be careful. OBJ_KERNEL_HANDLE (the bit 0x400) is a no-op on NT4. In some
scenarios I had, this leads to closing the raw input thread’s keyboard handle
instead :-). A very funny bug.

On NT4, use ExQueueWorkItem and ZwCreatexxx in this work item to do the same as
OBJ_KERNEL_HANDLE does. Same must be done on any access to this handle and on
close.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

I always used OBJ_KERNEL_HANDLE when in Win2k+, but I admit what I was a bit
confused as to why it was required in calls PsCreateSystemThread. I was
told that not using OBJ_KERNEL_HANDLE in the object attributes for my system
thread (in fact, using no attributes at all) was ok if the process handle
supplied was NULL since the thread would be created in the system process.
As has been made abundantly clear, while the thread would be created in the
system process the handle would be put in the current process’ handle table
and therefore would not be usable in global context.

In any case, since I always use OBJ_KERNEL_HANDLE, I’m not breaking a sweat.
This is pretty much for my own education. Thanks.

Philip Lukidis

----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”
Sent: Saturday, February 28, 2004 1:51 PM
Subject: Re: [ntdev] OBJ_KERNEL_HANDLE and PsCreateSystemThread

> > Hello. What does OBJ_KERNEL_HANDLE do exactly?
>
> First of all, it creates a handle which principally cannot be accessed
from
> user mode. Even if the handle value is passed to any user-mode code - it
will
> be defunct for it.
>
> On the other hand, OBJ_KERNEL_HANDLE leaves its trace in the value of the
> created handle (IIRC some junior bit is set) and so this handle can be
used in
> the kernel mode code in ANY process context. This “any process context
while in
> kernel mode” is second good property of the kernel handle.
>
> Yes, the System process’s handle table is used to generate this handle,
and
> this “junior bit set” directs ObReferenceObjectByHandle, ZwClose and other
> handle-using routines from other process context to use the System’s
handle
> table, and not the current process’s one.
>
> The pseudocode for ObReferenceObjectByHandle internals:
>
> if( (ULONG_PTR)Handle & KERNEL_HANDLE_JUNIOR_BIT )
> {
> if( RequestorMode != KernelMode )
> return STATUS_ACCESS_DENIED;
> HandleTable = PspSystemProcess->HandleTable;
> }
> else
> HandleTable = PsGetCurrentProcess()->HandleTable;
> // Then index HandleTable by Handle and check DesiredAccess
> // Then check the object type if asked for
> // Then addref the object and return it
>
> Possibly the “KERNEL_HANDLE_JUNIOR_BIT” is documented somewhere. I just do
not
> remember.
>
> This is a security measure. This handle belongs to something really secure
and
> important for your driver, and you do not want any user process to use
this
> handle by accident (or intent) by guessing (or scanning for) the handle
value.
>
> Be careful. OBJ_KERNEL_HANDLE (the bit 0x400) is a no-op on NT4. In some
> scenarios I had, this leads to closing the raw input thread’s keyboard
handle
> instead :-). A very funny bug.
>
> On NT4, use ExQueueWorkItem and ZwCreatexxx in this work item to do the
same as
> OBJ_KERNEL_HANDLE does. Same must be done on any access to this handle and
on
> close.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@hotmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>