RE: SPAM-LOW: Re: SPAM-LOW: Re: Re:Referencing a RegKey Object from handle

Digging in structures for diagnostics, understanding, etc. is fine.
Shipping code that relies on it is a mortal sin. How many times do we need
to relearn this lesson? Shall I trot out recent examples?

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Partelly
Sent: Friday, August 05, 2005 11:38 AM
To: Windows System Software Devs Interest List
Subject: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object
from handle

> Digging in undocumented, unexposed headers should always be a warning
> that you are doing something wrong.

Please note that dealing with absolutes and emitting such judgements holds
very limited value.
Digging in undocumented has a very clear value, and can make you understand
much easier how the OS works. It clearly does not show, to ME at least,
any sign that you are dealing something wrong, except maybe if you are an
automaton writing code.

Dan

The handle could get closed and reopened in between calling ZwQueryKey
and ObReferenceObjectByHandle. The same is true if you invert the call
order. Also you don’t want to call a Zw function on untrusted input
from the user.

You might be able to call NtOpenKey using the provided handle as the
root directory and NULL as the object name. Set the OBJ_KERNEL_HANDLE
flag to ensure that the app can’t remap your handle out from under you.
Note that I’m not certain this will work - you might get an error so you
should try it out before shipping your product :)

An alternative would be ZwDuplicateObject which appears to be exposed in
the IFS kit headers (at least it is at the moment that I’m looking at LH
sources … I don’t have a kit installed that I can check). I believe
you can use this to duplicate the caller’s handle into the system
handle table (OBJ_KERNEL_HANDLE) so as to ensure that your copy can’t be
tampered with. This will keep the underlying object around regardless
of whether the caller closes their handle. It’s also atomic so the
caller can’t screw with you in the middle of your validation pass.

-p
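The race described in the message above (the caller closing and reopening the handle between ZwQueryKey and ObReferenceObjectByHandle) and the duplicate-first alternative, as an added example that is not code from this thread or from any of its authors. It is a user-mode C model, not driver code: the two handle tables, the objects and their names are constructed, and `zw_query_key`, `ob_reference_by_handle`, `zw_duplicate_object` and `zw_close` are stand-ins for the real ZwQueryKey, ObReferenceObjectByHandle (with ObjectType = NULL), ZwDuplicateObject and ZwClose, reduced to the one behaviour the race depends on: each call looks the handle up afresh in whichever table it is given.

```c
/* Added example, not code from the thread: a user-mode C model of the
 * handle race.  Two constructed handle tables stand in for the caller's
 * table and the kernel handle table; zw_query_key, ob_reference_by_handle,
 * zw_duplicate_object and zw_close are stand-ins for the real
 * ZwQueryKey / ObReferenceObjectByHandle / ZwDuplicateObject / ZwClose. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { OBJ_NONE = 0, OBJ_KEY = 1, OBJ_FILE = 2 } obj_type_t;

typedef struct {
    obj_type_t type;
    int refcount;                 /* references held by handles or pointers */
    const char *name;
} object_t;

#define TABLE_SIZE 8
typedef object_t *handle_table_t[TABLE_SIZE];

/* Constructed sample objects; the names are placeholders. */
static object_t g_key  = { OBJ_KEY,  0, "\\Registry\\Machine\\Software\\ExampleApp" };
static object_t g_file = { OBJ_FILE, 0, "\\Device\\ExampleDevice" };

static handle_table_t caller_table;  /* the app can change this at any time */
static handle_table_t kernel_table;  /* OBJ_KERNEL_HANDLE: out of the app's reach */

static object_t *lookup(handle_table_t t, int h) {
    return (h >= 0 && h < TABLE_SIZE) ? t[h] : NULL;
}

/* Model of ZwQueryKey(h, KeyBasicInformation, ...): succeeds only while the
 * handle refers to a key object. */
static bool zw_query_key(handle_table_t t, int h) {
    object_t *o = lookup(t, h);
    return o != NULL && o->type == OBJ_KEY;
}

/* Model of ObReferenceObjectByHandle(h, ..., ObjectType = NULL, ...): hands
 * back whatever the handle refers to *now* and takes a pointer reference. */
static object_t *ob_reference_by_handle(handle_table_t t, int h) {
    object_t *o = lookup(t, h);
    if (o) o->refcount++;
    return o;
}

static void ob_dereference(object_t *o) { if (o) o->refcount--; }

/* Model of ZwDuplicateObject into the private table: the new handle holds
 * its own reference, so the caller closing theirs cannot free the object. */
static int zw_duplicate_object(handle_table_t src, int h, handle_table_t dst) {
    object_t *o = lookup(src, h);
    if (!o) return -1;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (dst[i] == NULL) { dst[i] = o; o->refcount++; return i; }
    return -1;
}

static void zw_close(handle_table_t t, int h) {
    object_t *o = lookup(t, h);
    if (o) { o->refcount--; t[h] = NULL; }
}

/* What the caller can do between two kernel calls: close the key handle and
 * reopen something else, so the same handle number now names a file. */
static void caller_swaps_handle(int h) { caller_table[h] = &g_file; }

typedef void (*race_hook_t)(int h);

/* Approach A (query, then reference): correct only if nothing happens in
 * between.  ObjectType = NULL means the reference call accepts any type. */
static object_t *reference_key_racy(int h, race_hook_t between) {
    if (!zw_query_key(caller_table, h)) return NULL;
    if (between) between(h);                       /* the race window */
    return ob_reference_by_handle(caller_table, h);
}

/* Approach B (duplicate into the private table, then validate the copy):
 * the caller's table is never consulted again after the duplicate. */
static object_t *reference_key_safe(int h, race_hook_t between) {
    int kh = zw_duplicate_object(caller_table, h, kernel_table);
    if (kh < 0) return NULL;
    if (between) between(h);                       /* no effect on kh */
    object_t *o = NULL;
    if (zw_query_key(kernel_table, kh))
        o = ob_reference_by_handle(kernel_table, kh);
    zw_close(kernel_table, kh);                    /* pointer ref survives */
    return o;
}

/* Run one scenario from a clean state; returns the type of the object the
 * "kernel" code ended up holding (OBJ_NONE if it refused the handle). */
static obj_type_t run_scenario(bool use_safe, bool attacker) {
    for (int i = 0; i < TABLE_SIZE; i++) caller_table[i] = kernel_table[i] = NULL;
    g_key.refcount = g_file.refcount = 0;
    const int h = 3;
    caller_table[h] = &g_key;                      /* app passes a key handle */
    race_hook_t hook = attacker ? caller_swaps_handle : NULL;
    object_t *o = use_safe ? reference_key_safe(h, hook)
                           : reference_key_racy(h, hook);
    obj_type_t t = o ? o->type : OBJ_NONE;
    ob_dereference(o);
    return t;
}

int main(void) {
    printf("query-then-reference, quiet caller  : %d\n", run_scenario(false, false));
    printf("query-then-reference, hostile caller: %d\n", run_scenario(false, true));
    printf("duplicate-then-validate, hostile    : %d\n", run_scenario(true, true));
    return 0;   /* 1 = key, 2 = file: the racy path ends up holding a file */
}
```

The point the model makes is that the check and the use in approach A consult the caller's table twice, so the validated object and the referenced object need not be the same one; approach B pays for one duplicate up front and then only ever touches a handle the caller cannot reach. Whether ZwDuplicateObject is exposed to drivers in a given kit is, as the message above says, something to confirm against the headers you actually build with.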

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Arlie Davis
Sent: Friday, August 05, 2005 8:22 AM
To: Windows System Software Devs Interest List
Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from
handle

No no no no no no NO. Digging in undocumented, unexposed headers should
always be a warning that you are doing something wrong.

If you want to validate that something is a registry key, and you can’t
get direct access to the registry key object type, then at least do
something reasonable – don’t manually dig in undocumented structures.
How many times has this blown up?! Just go read some of Raymond Chen’s
descriptions of the agony that this has caused.

If you have a handle, and you suspect that it is a registry key but you
want to verify this, then ask it to do something that only registry keys
do.
Call ZwQueryKey, and request something innocuous, like
KeyBasicInformation.
If this succeeds, then you have a pretty good idea that it is a registry
key. Then you can call ObReferenceObjectByHandle, with ObjectType =
NULL, and have some peace of mind that this will work two service packs
down the road.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S.
Shatskih
Sent: Friday, August 05, 2005 10:21 AM
To: Windows System Software Devs Interest List
Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from
handle

Use undocumented means of getting the KeyObjectType, like
ZwOpenKey+ObReferenceObjectByHandle+digging into the undocumented object
header. It holds a type pointer.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

It depends on your definition of “undocumented”. To me at least,
anything exposed by the Windbg dt command is fair game.
Actually, I’m not totally contrary to using something like
Chapeaux-Noirs either - it all depends on what I need to do and
on how much support I get from the OS. To put it simply: if the
OS thwarts me, I feel totally justified in thwarting the OS.
And serve them right.

Alberto.

----- Original Message -----
From: “Arlie Davis”
To: “Windows System Software Devs Interest List”

Sent: Friday, August 05, 2005 11:22 AM
Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey
Object from handle

> No no no no no no NO. Digging in undocumented, unexposed
> headers should
> always be a warning that you are doing something wrong.
>
> If you want to validate that something is a registry key, and
> you can’t get
> direct access to the registry key object type, then at least
> do something
> reasonable – don’t manually dig in undocumented structures.
> How many times
> has this blown up?! Just go read some of Raymond Chen’s
> descriptions of the
> agony that this has caused.
>
> If you have a handle, and you suspect that it is a registry
> key but you want
> to verify this, then ask it to do something that only registry
> keys do.
> Call ZwQueryKey, and request something innocuous, like
> KeyBasicInformation.
> If this succeeds, then you have a pretty good idea that it is
> a registry
> key. Then you can call ObReferenceObjectByHandle, with
> ObjectType = NULL,
> and have some peace of mind that this will work two service
> packs down the
> road.
>
> – arlie
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim
> S. Shatskih
> Sent: Friday, August 05, 2005 10:21 AM
> To: Windows System Software Devs Interest List
> Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object
> from handle
>
> Use undocumented means of getting the KeyObjectType, like
> ZwOpenKey+ObReferenceObjectByHandle+digging into the
> undocumented object
> header. It holds a type pointer.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com

How many times has OBJECT_HEADER changed in Windows?

Digging in undocumented stuff is justified if this is the only way, and is
better than hooking.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Arlie Davis”
To: “Windows System Software Devs Interest List”
Sent: Friday, August 05, 2005 7:22 PM
Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from handle

> No no no no no no NO. Digging in undocumented, unexposed headers should
> always be a warning that you are doing something wrong.
>
> If you want to validate that something is a registry key, and you can’t get
> direct access to the registry key object type, then at least do something
> reasonable – don’t manually dig in undocumented structures. How many times
> has this blown up?! Just go read some of Raymond Chen’s descriptions of the
> agony that this has caused.
>
> If you have a handle, and you suspect that it is a registry key but you want
> to verify this, then ask it to do something that only registry keys do.
> Call ZwQueryKey, and request something innocuous, like KeyBasicInformation.
> If this succeeds, then you have a pretty good idea that it is a registry
> key. Then you can call ObReferenceObjectByHandle, with ObjectType = NULL,
> and have some peace of mind that this will work two service packs down the
> road.
>
> – arlie
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
> Sent: Friday, August 05, 2005 10:21 AM
> To: Windows System Software Devs Interest List
> Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from handle
>
> Use undocumented means of getting the KeyObjectType, like
> ZwOpenKey+ObReferenceObjectByHandle+digging into the undocumented object
> header. It holds a type pointer.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com

Why? Things like OBJECT_HEADER or the PsLookupProcessByProcessId routine
are here without changes from NT4 up to w2k3.

So, if there are no other ways - why not use them?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Arlie Davis”
To: “Windows System Software Devs Interest List”
Sent: Friday, August 05, 2005 8:37 PM
Subject: RE: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object
from handle

> Digging in structures for diagnostics, understanding, etc. is fine.
> Shipping code that relies on it is a mortal sin. How many times do we need
> to relearn this lesson? Shall I trot out recent examples?
>
> – arlie
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Dan Partelly
> Sent: Friday, August 05, 2005 11:38 AM
> To: Windows System Software Devs Interest List
> Subject: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object
> from handle
>
> >> Digging in undocumented, unexposed headers should always be a warning
> >> that you are doing something wrong.
>
> Please note that dealing with absolutes and emitting such judgements holds
> very limited value.
> Digging in undocumented has a very clear value, and can make you understand
> much easier how the OS works. It clearly does not show, to ME at least,
> any sign that you are dealing something wrong, except maybe if you are an
> automaton writing code.
>
> Dan

Yes but … pity your poor clients because the NEXT release of the OS or
even the next bug fix “adjusts” these undocumented areas and now their
systems are broke simply because of your arrogance.


The personal opinion of
Gary G. Little

“Alberto Moreira” wrote in message news:xxxxx@ntdev…
> It depends on your definition of “undocumented”. To me at least, anything
> exposed by the Windbg dt command is fair game. Actually, I’m not totally
> contrary to using something like Chapeaux-Noirs either - it all depends on
> what I need to do and on how much support I get from the OS. To put it
> simply: if the OS thwarts me, I feel totally justified in thwarting the
> OS. And serve them right.
>
> Alberto.
>
>
> ----- Original Message -----
> From: “Arlie Davis”
> To: “Windows System Software Devs Interest List”
> Sent: Friday, August 05, 2005 11:22 AM
> Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from
> handle
>
>
>> No no no no no no NO. Digging in undocumented, unexposed headers should
>> always be a warning that you are doing something wrong.
>>
>> If you want to validate that something is a registry key, and you can’t
>> get
>> direct access to the registry key object type, then at least do something
>> reasonable – don’t manually dig in undocumented structures. How many
>> times
>> has this blown up?! Just go read some of Raymond Chen’s descriptions of
>> the
>> agony that this has caused.
>>
>> If you have a handle, and you suspect that it is a registry key but you
>> want
>> to verify this, then ask it to do something that only registry keys do.
>> Call ZwQueryKey, and request something innocuous, like
>> KeyBasicInformation.
>> If this succeeds, then you have a pretty good idea that it is a registry
>> key. Then you can call ObReferenceObjectByHandle, with ObjectType =
>> NULL,
>> and have some peace of mind that this will work two service packs down
>> the
>> road.
>>
>> – arlie
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
>> Sent: Friday, August 05, 2005 10:21 AM
>> To: Windows System Software Devs Interest List
>> Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from handle
>>
>> Use undocumented means of getting the KeyObjectType, like
>> ZwOpenKey+ObReferenceObjectByHandle+digging into the undocumented object
>> header. It holds a type pointer.
>>
>> Maxim Shatskih, Windows DDK MVP
>> StorageCraft Corporation
>> xxxxx@storagecraft.com
>> http://www.storagecraft.com

OBJECT_HEADER has not changed since very old times.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Gary G. Little”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Monday, August 08, 2005 6:36 PM
Subject: Re:[ntdev] SPAM-LOW: Re: Re:Referencing a RegKey Object from handle

> Yes but … pity your poor clients because the NEXT release of the OS or
> even the next bug fix “adjusts” these undocumented areas and now their
> systems are broke simply because of your arrogance.
>
> –
> The personal opinion of
> Gary G. Little
>
> “Alberto Moreira” wrote in message news:xxxxx@ntdev…
> > It depends on your definition of “undocumented”. To me at least, anything
> > exposed by the Windbg dt command is fair game. Actually, I’m not totally
> > contrary to using something like Chapeaux-Noirs either - it all depends on
> > what I need to do and on how much support I get from the OS. To put it
> > simply: if the OS thwarts me, I feel totally justified in thwarting the
> > OS. And serve them right.
> >
> > Alberto.
> >
> >
> > ----- Original Message -----
> > From: “Arlie Davis”
> > To: “Windows System Software Devs Interest List”
> > Sent: Friday, August 05, 2005 11:22 AM
> > Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from
> > handle
> >
> >
> >> No no no no no no NO. Digging in undocumented, unexposed headers should
> >> always be a warning that you are doing something wrong.
> >>
> >> If you want to validate that something is a registry key, and you can’t
> >> get
> >> direct access to the registry key object type, then at least do something
> >> reasonable – don’t manually dig in undocumented structures. How many
> >> times
> >> has this blown up?! Just go read some of Raymond Chen’s descriptions of
> >> the
> >> agony that this has caused.
> >>
> >> If you have a handle, and you suspect that it is a registry key but you
> >> want
> >> to verify this, then ask it to do something that only registry keys do.
> >> Call ZwQueryKey, and request something innocuous, like
> >> KeyBasicInformation.
> >> If this succeeds, then you have a pretty good idea that it is a registry
> >> key. Then you can call ObReferenceObjectByHandle, with ObjectType =
> >> NULL,
> >> and have some peace of mind that this will work two service packs down
> >> the
> >> road.
> >>
> >> – arlie
> >>
> >>
> >> -----Original Message-----
> >> From: xxxxx@lists.osr.com
> >> [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
> >> Sent: Friday, August 05, 2005 10:21 AM
> >> To: Windows System Software Devs Interest List
> >> Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from handle
> >>
> >> Use undocumented means of getting the KeyObjectType, like
> >> ZwOpenKey+ObReferenceObjectByHandle+digging into the undocumented object
> >> header. It holds a type pointer.
> >>
> >> Maxim Shatskih, Windows DDK MVP
> >> StorageCraft Corporation
> >> xxxxx@storagecraft.com
> >> http://www.storagecraft.com