Question About !object

Hello, I would like to know how !object works. I'm studying some code which also uses WinDbg to show details, but for example, in this:

Object = *(PULONG)GetAddressObject(); // get object

then, it uses windbg, !object command, and always looks like this:

kd> !object address
Object: Type:
ObjectHeader:
HandleCount: PointerCount:

then, in the code this:
Object - 0x10;

How can I know what field it's trying to access?
Is there some structure to the object?

!object parses the _object_header structures, which are probably opaque (subject
to change without warning, even during a minor update),

like

dt nt!_object_header (@@masm(poi(nt!ObpRootDirectoryObject))-0x18)

Take a look at the WinDbg SDK APIs.

On 7/3/12, xxxxx@hotmail.com wrote:
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Many of the kernel objects in Windows have a common structure, and are
organized into a tree of objects, like a file system. This includes
objects like events, semaphores, timers, threads, and so on. The
!object command shows you the common parts of those objects. !object
serves much the same purpose as the “winobj” tool from SysInternals.

http://www.dumpanalysis.org/blog/index.php/2007/10/30/object-names-and-waiting-threads/


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
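As an added example (not code from the thread, from the asker's program, or from Microsoft), the C program below models the layout both replies are talking about: the object header that sits directly in front of the object body that !object reports as "Object:". It assumes the Windows 7 x86 nt!_OBJECT_HEADER as `dt` prints it, with Body at +0x18 (the same 0x18 the first reply subtracts before running dt); that layout is an assumption for illustration and must be re-checked with `dt nt!_OBJECT_HEADER` on the real target, since the header is opaque and changes between builds. The sample object, its field values and the helper names (field_at_body_offset, handle_count_via_body, dword_at_body_minus_0x10) are constructed here. It shows why `Object - 0x10` lands at header offset +0x08 and what the reply's `dt ... -0x18` is computing.

```c
/* Added example, not code from the thread: a host-side model of how a
 * pointer to an object body relates to the nt!_OBJECT_HEADER in front of
 * it.  The field layout mirrors what `dt nt!_OBJECT_HEADER` prints on
 * Windows 7 x86 (Body at +0x18, matching the -0x18 in the reply above);
 * treat it as an assumption and re-check with dt on your own target. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit header mirror.  On x64 the fields are pointer-sized and Body
 * sits at +0x30, so none of these constants carry over. */
typedef struct _OBJECT_HEADER_X86 {
    int32_t  PointerCount;       /* +0x00 */
    int32_t  HandleCount;        /* +0x04 (union with NextToFree) */
    uint32_t Lock;               /* +0x08 _EX_PUSH_LOCK */
    uint8_t  TypeIndex;          /* +0x0c */
    uint8_t  TraceFlags;         /* +0x0d */
    uint8_t  InfoMask;           /* +0x0e */
    uint8_t  Flags;              /* +0x0f */
    uint32_t ObjectCreateInfo;   /* +0x10 (union with QuotaBlockCharged) */
    uint32_t SecurityDescriptor; /* +0x14 */
    /* +0x18 Body: the real object (KEVENT, EPROCESS, ...) starts here */
} OBJECT_HEADER_X86;

#define OBJECT_HEADER_SIZE 0x18   /* what the reply subtracts before dt */

static const struct { size_t off; const char *name; } fields[] = {
    { offsetof(OBJECT_HEADER_X86, PointerCount),       "PointerCount" },
    { offsetof(OBJECT_HEADER_X86, HandleCount),        "HandleCount" },
    { offsetof(OBJECT_HEADER_X86, Lock),               "Lock" },
    { offsetof(OBJECT_HEADER_X86, TypeIndex),          "TypeIndex" },
    { offsetof(OBJECT_HEADER_X86, TraceFlags),         "TraceFlags" },
    { offsetof(OBJECT_HEADER_X86, InfoMask),           "InfoMask" },
    { offsetof(OBJECT_HEADER_X86, Flags),              "Flags" },
    { offsetof(OBJECT_HEADER_X86, ObjectCreateInfo),   "ObjectCreateInfo" },
    { offsetof(OBJECT_HEADER_X86, SecurityDescriptor), "SecurityDescriptor" },
};

/* Which header field does `Object + delta` (delta negative, relative to
 * the body pointer) land in?  NULL when it is outside the header. */
const char *field_at_body_offset(long delta)
{
    long hdr_off = (long)OBJECT_HEADER_SIZE + delta;   /* -0x10 -> +0x08 */
    const char *best = NULL;
    if (hdr_off < 0 || hdr_off >= (long)OBJECT_HEADER_SIZE)
        return NULL;
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        if ((long)fields[i].off <= hdr_off)
            best = fields[i].name;   /* last field starting at or before hdr_off */
    return best;
}

/* Constructed sample allocation (values are made up): header immediately
 * followed by the body, as the kernel lays them out in one pool block. */
typedef struct { OBJECT_HEADER_X86 hdr; uint32_t body[4]; } sample_object_t;

static const sample_object_t sample = {
    .hdr  = { .PointerCount = 3, .HandleCount = 2, .Lock = 0xABCD1234u,
              .TypeIndex = 0x0c },
    .body = { 0xDEADBEEFu, 0, 0, 0 },
};

/* The "Object:" address that !object prints is the body, so recovering
 * HandleCount means walking back by sizeof(OBJECT_HEADER), as dt does. */
int32_t handle_count_via_body(void)
{
    const uint8_t *body = (const uint8_t *)&sample + offsetof(sample_object_t, body);
    const OBJECT_HEADER_X86 *h = (const OBJECT_HEADER_X86 *)(body - OBJECT_HEADER_SIZE);
    return h->HandleCount;
}

/* The asker's `Object - 0x10`: body - 0x10 == header + 0x08, i.e. Lock. */
uint32_t dword_at_body_minus_0x10(void)
{
    const uint8_t *body = (const uint8_t *)&sample + offsetof(sample_object_t, body);
    uint32_t v;
    memcpy(&v, body - 0x10, sizeof v);
    return v;
}

int main(void)
{
    printf("sizeof header = 0x%zx\n", sizeof(OBJECT_HEADER_X86));
    printf("Object - 0x10 hits %s (value 0x%08x)\n",
           field_at_body_offset(-0x10), dword_at_body_minus_0x10());
    printf("HandleCount via body = %d\n", handle_count_via_body());
    return 0;
}
```

The program compiles with any C compiler on the host; it needs no Windows headers because it only models the arithmetic. The asker's `Object` being a ULONG already implies a 32-bit target, which is why the -0x18 in the first reply works there; on x64 the header is 0x30 bytes and `Object - 0x10` would land on ObjectCreateInfo instead, so always confirm the offsets with `dt nt!_OBJECT_HEADER` against the exact build being debugged.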