0: kd> !process 83c 0
Searching for Process with Cid == 83c
PROCESS ffffe000038a2940
SessionId: 2 Cid: 083c Peb: 7ff69204f000 ParentCid: 1174
DirBase: 16753c000 ObjectTable: ffffc00008ed0d80 HandleCount: <Not Accessible>
Image: PING.EXE
1. PsGetCurrentProcessId returns 0x83c, which is PING.EXE's PID, even though the current process is java.exe
2. ZwOpenProcess is called with 0x83c
3. The pointer count of the process object for PING.exe is increased by 0x8000 when PspReferenceCidTableEntry is called
I cannot understand why PsGetCurrentProcessId returns the child PID and ZwOpenProcess increases the pointer count by 0x8000.
Could be a fast reference count. There are optimized paths in Ob where it is not a true increment. I think The NT Insider documented this behavior in a previous issue.
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, July 12, 2016 6:29 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Pointer count increased 0x8000 when ZwOpenProcess called
Dear All
I have a problem: the pointer count of a process object increases by 0x8000 when my device driver calls ZwOpenProcess.
0: kd> !object ffffe000038a2940
Object: ffffe000038a2940 Type: (ffffe00000130dc0) Process
ObjectHeader: ffffe000038a2910 (new version)
HandleCount: 0 PointerCount: 32771
0: kd> !process 83c 0
Searching for Process with Cid == 83c
PROCESS ffffe000038a2940
SessionId: 2 Cid: 083c Peb: 7ff69204f000 ParentCid: 1174
DirBase: 16753c000 ObjectTable: ffffc00008ed0d80 HandleCount: <Not Accessible>
Image: PING.EXE
1. PsGetCurrentProcessId returns 0x83c, which is PING.EXE's PID, even though the current process is java.exe
2. ZwOpenProcess is called with 0x83c
3. The pointer count of the process object for PING.exe is increased by 0x8000 when PspReferenceCidTableEntry is called
I cannot understand why PsGetCurrentProcessId returns the child PID and ZwOpenProcess increases the pointer count by 0x8000.
Not sure if this is something relevant, but I happened to remember Alex
Ionescu writing about some object handle changes in 8.1+ and
remembered something about the 32768 = 0x8000, so just as a hunch I
googled it and it appears as the second hit.
Google "alex ionescu pointer object handle": http://www.alex-ionescu.com/?p=196 and see if you can relate.
On 7/13/16, xxxxx@gmail.com wrote:
> Dear All
>
> I have a problem: the pointer count of a process object increases by 0x8000 when my device driver calls ZwOpenProcess.
>
> 0: kd> !object ffffe000038a2940
> Object: ffffe000038a2940 Type: (ffffe00000130dc0) Process
> ObjectHeader: ffffe000038a2910 (new version)
> HandleCount: 0 PointerCount: 32771
>
> # Child-SP RetAddr Call Site
> 00 ffffd00023ebe6c0 fffff8007c640cea nt!PspReferenceCidTableEntry+0x151
> 01 ffffd00023ebe710 fffff8007c6413b4 nt!PsLookupProcessByProcessId+0x32
> 02 ffffd00023ebe750 fffff8007c6410bf nt!PsOpenProcess+0x2f0
> 03 ffffd00023ebea00 fffff8007c3de8b3 nt!NtOpenProcess+0x23
> 04 ffffd00023ebea40 fffff8007c3d6d00 nt!KiSystemServiceCopyEnd+0x13
> 05 ffffd00023ebebd8 fffff8000186c7aa nt!KiServiceLinkage
> 06 ffffd00023ebebe0 fffff8000186cd69 ATamptNt+0x157aa
> 07 ffffd00023ebec60 fffff8000186049f ATamptNt+0x15d69
> 08 ffffd00023ebecb0 fffff800018b3cd4 ATamptNt+0x949f
> 09 ffffd00023ebed10 fffff8007c60fdde AhnRghNt+0x9cd4
> 0a ffffd00023ebee20 fffff8007c6741c2 nt!PspInsertThread+0x76e
> 0b ffffd00023ebf060 fffff8007c3de8b3 nt!NtCreateUserProcess+0x806
> 0c ffffd00023ebfbd0 00007ff8e5de865a nt!KiSystemServiceCopyEnd+0x13
> 0d 000000000b4ae748 00007ff8e33dd1f9 ntdll!NtCreateUserProcess+0xa
> 0e 000000000b4ae750 00007ff8e33dfd22 KERNELBASE!CreateProcessInternalW+0xaee
> 0f 000000000b4af150 00007ff8e58a3403 KERNELBASE!CreateProcessW+0x66
> 10 000000000b4af1c0 000000006d3c9e88 KERNEL32!CreateProcessWStub+0x53
> 11 000000000b4af220 0000000002081366 java_6d3c0000!Java_java_lang_ProcessImpl_create+0x2e4
> 12 000000000b4af460 00000000baebd000 0x2081366
> 13 000000000b4af468 0000000000000000 0xbaebd000
>
> 0: kd> !process -1 0
> PROCESS ffffe00003385300
> SessionId: 2 Cid: 1174 Peb: 7ff5ffffc000 ParentCid: 1160
> DirBase: 1c8724000 ObjectTable: ffffc00005b5bb00 HandleCount: <Not Accessible>
> Image: java.exe
>
> 0: kd> !process 83c 0
> Searching for Process with Cid == 83c
> PROCESS ffffe000038a2940
> SessionId: 2 Cid: 083c Peb: 7ff69204f000 ParentCid: 1174
> DirBase: 16753c000 ObjectTable: ffffc00008ed0d80 HandleCount: <Not Accessible>
> Image: PING.EXE
>
> 1. PsGetCurrentProcessId returns 0x83c, which is PING.EXE's PID, even though the current process is java.exe
> 2. ZwOpenProcess is called with 0x83c
> 3. The pointer count of the process object for PING.exe is increased by 0x8000 when PspReferenceCidTableEntry is called
>
> I cannot understand why PsGetCurrentProcessId returns the child PID and ZwOpenProcess increases the pointer count by 0x8000.
>
> Best regards
> Taehwa.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at http:
This is not a ‘fast reference’, it’s the new behavior I described in that post. You can use !trueref -v to see some cool output of where the references are coming from.
> I have a problem: the pointer count of a process object increases by 0x8000 when my device driver calls ZwOpenProcess.
This is written in Alex Ionescu's article:
"Each time a new handle is opened to an object, the reference count goes up by 0x7FFF, or 32767, on x64 Windows. On x86 Windows, the same behavior is seen by the way, but with 0x1F instead."
This probably shows that the pointer count variable is now split into a bitfield that may also contain the handle count. If you right-shift 0x8000 by 15 you get 1.
The one thing to do would be to open two or more handles and reference the object pointer as well and look at the value displayed in the debugger.
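The bitfield reading suggested in the reply above, worked through as an added example (not code from the thread or from Alex Ionescu's article): a small Python helper that parses the `HandleCount`/`PointerCount` pair out of `!object` output and splits `PointerCount` into the share contributed by cached handle references and the remaining "true" references, which is the same subtraction `!trueref` performs. The x64 shift of 15 bits (0x8000 per handle) follows the thread's observation; the x86 shift of 5 bits (0x20 per handle) is an assumption derived from the 0x1F figure in the quoted article. The sample input is the `!object` output posted in the thread.

```python
import re

# Per-handle contribution to PointerCount, expressed as a bit shift.
# x64: each cached handle reference adds 0x8000 (0x8000 >> 15 == 1), as observed
#      in the thread (32771 = 0x8003).
# x86: the quoted article cites 0x1F, i.e. a 5-bit low field, so 0x20 per handle.
#      This x86 value is an assumption derived from that quote, not verified here.
HANDLE_REF_SHIFT = {"x64": 15, "x86": 5}

# Matches the two counters in "!object" output, whether on one line or several.
OBJECT_COUNTS_RE = re.compile(r"HandleCount:\s*(\d+)\s+PointerCount:\s*(\d+)")


def decode_pointer_count(pointer_count, arch="x64"):
    """Split a raw PointerCount into (handle_refs, true_refs).

    handle_refs: references cached in handle table entries, one per handle.
    true_refs:   everything else (ObReferenceObject* callers, CID lookups, ...).
    """
    shift = HANDLE_REF_SHIFT[arch]
    handle_refs = pointer_count >> shift
    true_refs = pointer_count & ((1 << shift) - 1)
    return handle_refs, true_refs


def analyze_object_output(text, arch="x64"):
    """Parse "!object" output and explain where its PointerCount comes from."""
    m = OBJECT_COUNTS_RE.search(text)
    if m is None:
        raise ValueError("no HandleCount/PointerCount pair found in !object output")
    handle_count = int(m.group(1))
    pointer_count = int(m.group(2))
    handle_refs, true_refs = decode_pointer_count(pointer_count, arch)
    return {
        "handle_count": handle_count,
        "pointer_count": pointer_count,
        "handle_refs": handle_refs,
        "true_refs": true_refs,
        # A cached handle reference without a matching handle (or vice versa)
        # usually means the snapshot was taken while a handle was being created
        # or closed, so it is worth checking against the call stack.
        "handles_consistent": handle_refs == handle_count,
    }


# Sample input: the "!object" output posted in the thread (x64 target).
SAMPLE_OBJECT_OUTPUT = """\
0: kd> !object ffffe000038a2940
Object: ffffe000038a2940  Type: (ffffe00000130dc0) Process
    ObjectHeader: ffffe000038a2910 (new version)
    HandleCount: 0  PointerCount: 32771
"""

if __name__ == "__main__":
    info = analyze_object_output(SAMPLE_OBJECT_OUTPUT, arch="x64")
    print(f"PointerCount {info['pointer_count']} = "
          f"{info['handle_refs']} handle-cached reference(s) + "
          f"{info['true_refs']} true reference(s)")
    if not info["handles_consistent"]:
        print("HandleCount disagrees with the handle-cached references: "
              "snapshot probably taken mid handle creation/close")
```

On the thread's numbers this yields one handle-cached reference plus three true references, and flags that the displayed `HandleCount` of 0 does not yet match the one cached reference, which fits a snapshot taken inside `NtOpenProcess` before the new handle is visible. The function raises rather than guessing when the two counters are missing, so a truncated paste is not silently misread.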
It is available as a bang command in the latest WinDbg releases:
kd> !trueref
!trueref [-v] [ | ] Displays the reference count of the specified object, discounting references cached in handle table entries
If a process is specified, the search for open handles is confined to that process. If handles exist in other processes, the count will be inaccurate.
-v - Show information about each handle that is found.
kd> version
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible
32-bit Full kernel dump: C:\Windows\livekd.dmp <<<<
Microsoft (R) Windows Debugger Version 10.0.10586.567 X86 <<<<<
It is a kernel-mode extension implemented in kdexts:
kd> .extmatch trueref !kdexts.trueref
On 7/22/16, xxxxx@gmail.com wrote:
> Hi
>
> Alex, thank you for your answer. Unfortunately I cannot find the !trueref
> extension. Where can I find that WinDbg extension?
>
> Best regards
> Taehwa.