smwikipedia

Reputation: 64333

Question about Windows Kernel Object

I have got many of my questions solved here, many thanks to you guys. And I'd like to ask one more. :)

I am reading about < Windows via C/C++ >, it said:

When we want to gain access to an existing kernel object (rather than create a new one), we must specify the operations we intend to perform on the object. If we are allowed access with such operations, a handle to the kernel object is returned.

...if the returned handle is used to call an API that requires a right different from the one you requested, the access-denied error occurs.

AFAIK, handle is just a plain integer number, it's just an index into the process' handle table, nothing more could the handle value provide. If we have already got a handle to a kernel object, how could the system detect we use it for other operations than we requested for?

A kernel object can have more than one handle, and the owners of these handles may have different access types. Where does the system store these different access type info? I think it should be in the process' handle table.

Suppose I try to open a single kernel object with 2 different access types, 2 handles to the same kernel object should be returned, and thus there'll be 2 entries in the process' handle table, pointing to the same kernel object.

Any insight will be deeply appreciated.

Update 1

Thanks guys.

I referred to the < Windows Internals > 5th edition, it said at Ch 6. Access Checks:

The Windows security model requires that a thread specify up front, at the time that it opens an object, what types of actions it wants to perform on the object. The object manager calls the SRM to perform access checks based on a thread's desired access, and if the access is granted, a handle is assigned to the thread's process with which the thread (or other threads in the process) can perform further operations on the object. As explained in Chapter 3, the object manager records the access permissions granted for a handle in the process's handle table.

So it seems my guess is right.

Thanks.

Upvotes: 3

Views: 1158

Answers (1)

Preet Sangha

Reputation: 65516

Every kernel object that is active will have a series of rights stored against it. This is just another table managed by the Security Reference Manager (SRM). When the security is asserted by the object manager then the object handle will be looked up to collect the object reference (ObReferenceObjectByHandle) and the resultant object can be used to look up the rights (ObCheckObjectAccess). There will be indirections involving security tokens, but in essence this is the theory. So two handles may indeed point to the same reference object.

There is a good description of what happens during an ObCheckObjectAccess call in Windows Internals (mine is version 5).

Paraphrasing it here:

The ObCheckObjectAccess takes the object, the credentials of the calling thread and the access requested and calls the SRM (SeAccessCheck) so that it can work out whether the right is asserted or denied.

Upvotes: 2
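A simplified user-space model in C of the behaviour described in the Windows Internals passage quoted in the question: the access check runs once at open time, and the granted rights are recorded in the process's handle table entry, which later calls are compared against. This is an added example, not code from either poster or from Windows; `model_open`, `model_use`, the `ACC_*` bits, the `ERR_*` values and the `allowed` field (a stand-in for the SRM's decision) are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model only; constants and names are hypothetical, not Windows definitions. */
#define ACC_READ           0x1u
#define ACC_WRITE          0x2u
#define MAX_HANDLES        8
#define ERR_ACCESS_DENIED  (-5)
#define ERR_INVALID_HANDLE (-6)
#define ERR_TABLE_FULL     (-7)

typedef struct { const char *name; uint32_t allowed; } object_t;    /* allowed: stand-in for the security check result */
typedef struct { object_t *obj; uint32_t granted; } handle_entry_t; /* one handle table entry */

static handle_entry_t handle_table[MAX_HANDLES]; /* per-process table; index 0 is never handed out */

/* Open: the access check happens here, once; the granted mask is stored in the new entry. */
int model_open(object_t *obj, uint32_t desired) {
    if ((desired & ~obj->allowed) != 0) return ERR_ACCESS_DENIED;
    for (int h = 1; h < MAX_HANDLES; h++) {
        if (handle_table[h].obj == NULL) {
            handle_table[h].obj = obj;
            handle_table[h].granted = desired;
            return h; /* the handle value is only an index */
        }
    }
    return ERR_TABLE_FULL;
}

/* Use: the right an API requires is compared with the mask stored for this handle. */
int model_use(int h, uint32_t required) {
    if (h <= 0 || h >= MAX_HANDLES || handle_table[h].obj == NULL)
        return ERR_INVALID_HANDLE;
    if ((required & ~handle_table[h].granted) != 0)
        return ERR_ACCESS_DENIED;
    return 0;
}

int main(void) {
    object_t ev = { "DemoEvent", ACC_READ | ACC_WRITE }; /* constructed sample object */
    int hr = model_open(&ev, ACC_READ);  /* first handle: read only */
    int hw = model_open(&ev, ACC_WRITE); /* second handle, same object: write only */
    printf("handles %d and %d refer to \"%s\"\n", hr, hw, ev.name);
    printf("write via read handle:  %d\n", model_use(hr, ACC_WRITE));
    printf("write via write handle: %d\n", model_use(hw, ACC_WRITE));
    return 0;
}
```
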
