>I have a problem: the pointer count of the process object increases by 0x8000 when a device driver calls ZwOpenProcess.

This is written in Alex Ionescu’s article:
“Each time a new handle is opened to an object, the reference count goes up by 0x7FFF, or 32767, on x64 Windows. On x86 Windows, the same behavior is seen by the way, but with 0x1F instead.”
This probably shows that the pointer count variable is now split into a bitfield that may also contain the handle count. If you right-shift 0x8000 by 15 you get 1.
The one thing to do would be to open two or more handles and reference the object pointer as well and look at the value displayed in the debugger.