#include <ntoskrnl.h>#include <debug.h>
Include dependency graph for obhandle.c:
Go to the source code of this file.
Macros | |
| #define | NDEBUG |
Variables | |
| PHANDLE_TABLE | ObpKernelHandleTable = NULL |
Macro Definition Documentation
◆ NDEBUG
| #define NDEBUG |
Definition at line 17 of file obhandle.c.
Function Documentation
◆ NtClose()
Definition at line 3402 of file obhandle.c.
3403{
3404 /* Call the internal API */
3406}
NTSTATUS NTAPI ObpCloseHandle(IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode)
Definition: obhandle.c:1730
Referenced by _At_(), _main(), _tmain(), AccessCheckEmptyMappingTest(), AccessGrantedMultipleObjectsTests(), AccessGrantedNoDaclTests(), AccessGrantedTests(), AccpCloseObjectHandle(), AddCodepageToRegistry(), AddFontsSettingsToRegistry(), AddHotkeySettings(), AddKbLayoutsToRegistry(), AddPartitionToDisk(), AddVolumeToList(), AfdBind(), AfdConnect(), AfdGetInformation(), AfdSend(), AfdSendTo(), AfdSetInformation(), AllocConsole(), BaseComputeProcessDllPath(), BaseGetNamedObjectDirectory(), BaseInitializeStaticServerData(), BasepCopyFileExW(), BasepIsProcessAllowed(), BasepMapFile(), BasepMoveFileDelayed(), BasepNotifyTrackingService(), BasepOpenFileForMove(), BasepSxsCloseHandles(), BaseSrvCleanupVDMResources(), BaseSrvCreatePairWaitHandles(), BaseSrvDestroyConsoleRecord(), BaseSrvDestroyPairWaitHandles(), BaseSrvIsVdmAllowed(), Beep(), CabinetExtractFile(), CallApphelpWithImage(), CallCacheControl(), check_boot_options(), CheckForGlobalDriveLetter(), CheckTokenMembership(), clean_main(), ClientThread(), CloseCabinet(), CloseDefaultKeys(), CloseDevice(), CloseHandle(), CloseIniBootLoaderStore(), closeTcpFile(), CmGetSystemDriverList(), CmInitSystem1(), CmpCreateControlSet(), CmpCreateHardwareProfile(), CmpInitializeHardwareConfiguration(), CmpInitializeMachineDependentConfiguration(), CmpInitializeRegistryNode(), CmpSetSystemValues(), CmpSetupConfigurationTree(), CmpSetVersionData(), CommandDumpSector(), CommandPartInfo(), CON_API(), ConCfgOpenUserSettings(), ConDrvDeinitInputBuffer(), ConnectConsole(), ConnectRegistry(), ConSrvDeleteConsole(), ConSrvInitConsole(), ConvertNtPathToWin32Path(), create_classes_root_hkey(), create_key(), create_registry_key(), CreateBaseAcls(), CreateContext(), CreateDirectoryExW(), CreateDirectoryW(), CreateHardLinkW(), CreateIoCompletionPort(), CreateKeyTest(), CreateNestedKey(), CreatePartitionList(), CreatePipe(), CreateProcessAsUserCommon(), CreateProcessInternalW(), CreateRegistryFile(), CreateRemoteThread(), CreateSymbolicLinkW(), CreateSymLinkKey(), CreateWindowStationW(), CSR_API(), CsrApiPortInitialize(), CsrCreateRemoteThread(), CsrGetProcessLuid(), CsrpCheckRequestThreads(), CsrpConnectToServer(), CsrProcessRefcountZero(), CsrSbApiRequestThread(), CsrSetProcessSecurity(), CsrSrvCreateSharedSection(), CsrThreadRefcountZero(), DbgUiIssueRemoteBreakin(), DebugActiveProcess(), DebugActiveProcessStop(), DeleteFileW(), DeleteKeyTest(), DeleteSymLinkKey(), DeleteValueTest(), DenyAccessTests(), DestroyProtoHive(), DismountVolume(), do_enumeratekey(), DoesPathExist(), DumpDisk(), DumpPartition(), DumpRegistryData(), EnumerateKeyTest(), EnumerateValueTest(), ExpandSymbolicLink(), ExpCreateSystemRootLink(), ExpInitializeCallbacks(), Ext2CloseDevice(), FindClose(), FindFirstChangeNotificationW(), FindFirstFileExW(), FindFirstStreamW(), FindNTOSInstallations(), FormatEx2(), FreeConsole(), get_manifest_in_associated_manifest(), get_manifest_in_manifest_file(), get_manifest_in_pe_file(), get_registry_locale_info(), get_system_root(), GetCallerLuid(), GetComputerIdentifier(), GetComputerNameFromRegistry(), GetCPFileNameFromRegistry(), GetDiskFreeSpaceExW(), GetDiskFreeSpaceW(), GetDisplayIdentifier(), GetDllList(), GetDosDevicesProtection(), GetDriveTypeW(), GetFileSecurityW(), GetFileSystem(), GetFileSystemInfo(), GetFileSystemName_UStr(), GetNTObjectSymbolicLinkTarget(), GetPhysicalFileSize(), GetRegInt(), GetSocketInformation(), GetSourcePaths(), GetTempFileNameW(), GetTimeouts(), GetToken(), GetTokenProcess(), GetUserGeoID(), GetVolumeInformationW(), GetVolumeNameForRoot(), GrantedAccessTests(), GRAPHICS_BUFFER_Destroy(), GRAPHICS_BUFFER_Initialize(), GuiApplyUserSettings(), GuiConsoleShowConsoleProperties(), GuiDeinitFrontEnd(), GuiInit(), GuiInitFrontEnd(), IcmpCloseHandle(), ImpersonateLoggedOnUser(), InferFileSystem(), InfOpenFile(), InfWriteFile(), IniCacheLoad(), IniCacheSave(), InitFunctionPtrs(), InitializeFmIfsOnce(), InitializeUserModePnpManager(), InitLogPort(), InstallBootCodeToDisk(), InstallBootCodeToFile(), InstallDevice(), InstallDriver(), InstallSetupInfFile(), IntAllocConsole(), IntAttachConsole(), IntGetCodePageEntry(), IopCreateRootDirectories(), IopInitializePlugPlayServices(), IopMarkBootPartition(), is_mounted_multi_device(), IsAcpiComputer(), IsShimInfrastructureDisabled(), IsThisARootDirectory(), IsValidLanguageGroup(), IsValidNTOSInstallation(), JapaneseEra_IsFirstYearGannen(), JapaneseEra_Load(), keyed_event_thread(), KsecOpenDevice(), LdrOpenImageFileOptionsKey(), LdrpCheckForKnownDll(), LdrpCheckForLoadedDll(), LdrpCreateDllSection(), LdrpDisableProcessCompatGuidDetection(), LdrpInitializeProcess(), LdrpMapDll(), LdrQueryImageFileExecutionOptionsEx(), LdrVerifyImageMatchesChecksum(), ListDirectory(), LoadModule(), LoadSymbolsRoutine(), LogfBackupFile(), LogfClose(), LogfCreate(), lookup_assembly(), lookup_winsxs(), LsaConnectUntrusted(), LsapAddNotification(), LsapCheckLogonProcess(), LsapCloseDbObject(), LsapCloseLsaPort(), LsapCreateDatabaseKeys(), LsapCreateDbObject(), LsapDeleteDbObject(), LsapDeregisterLogonProcess(), LsapEnumLogonSessions(), LsapGetLogonSessionData(), LsapGetObjectAttribute(), LsapIsDatabaseInstalled(), LsapIsTrustedClient(), LsapLogonUser(), LsapOpenDbObject(), LsapRegCloseKey(), LsapRegDeleteSubKey(), LsapRemoveNotification(), LsapSetObjectAttribute(), LsarSetSecurityObject(), main(), MoveFileWithProgressW(), MyDeleteFile(), NetUserChangePassword(), NLS_EnumLanguageGroupLocales(), NLS_EnumSystemCodePages(), NLS_EnumSystemLanguageGroups(), NlsInit(), NlsUninit(), NtQueryOpenSubKeys(), ObDuplicateObject(), ObInitSystem(), ObpCreateDosDevicesDirectory(), OpenAndMapFile(), OpenBootStore_UStr(), OpenFile(), OpenWindowStationW(), nt_handle::operator=(), ParamsValidationTests(), ParamValidationNoObjsList(), parse_file(), Phase1InitializationDiscard(), PipGetDriverTagPriority(), PortThreadRoutine(), PrintProcess(), PrintThreads(), PrivMoveFileIdentityW(), ProcessDisplayRegistry(), ProcessIdToSessionId(), ProcessLocaleRegistry(), QueryDosDeviceW(), QueryTokenImpersonationTests(), QueryTokenIsSandboxInert(), QueryTokenPrivilegesAndGroupsTests(), QueryTokenRestrictedSidsTest(), ReadBlock(), ReadBootCodeFromFile(), RegCleanupRegistry(), RegCloseKey(), RegCopyTreeW(), RegDeleteKeyExW(), RegInitializeRegistry(), RegisterUncProvider(), registry_callback(), RegOverridePredefKey(), RegpCopyTree(), RegReplaceKeyW(), RegRestoreKeyW(), RegSaveKeyW(), RegSetKeyValueA(), RegSetKeyValueW(), RemoveDirectoryW(), ReplaceFileW(), ResolveArcNameNtSymLink(), RSetServiceObjectSecurity(), RtlCreateActivationContext(), RtlCreateTimerQueue(), RtlCreateUserSecurityObject(), RtlCreateUserThread(), RtlDefaultNpAcl(), RtlDeleteCriticalSection(), RtlDeleteResource(), RtlDeleteTimer(), RtlDeleteTimerQueueEx(), RtlDeregisterWaitEx(), RtlImpersonateSelf(), RtlInitializeRXact(), RtlNewSecurityGrantedAccess(), RtlpCloseKeyedEvent(), RtlpExecuteIoWorkItem(), RtlpExecuteWorkItem(), RtlpIoWorkerThreadProc(), RtlpIsIoPending(), RtlpStartWorkerThread(), RtlQueryRegistryValues(), RtlQueueWorkItem(), RtlRegisterWait(), RtlReleaseRelativeName(), RtlSetCurrentDirectory_U(), RXactpCommit(), SampRegCloseKey(), SampRegDeleteKey(), SamrSetSecurityObject(), SaveBootSector(), ScmCheckDriver(), ScmConvertToBootPathName(), ScmGetDriverStatus(), SdbCloseDatabase(), SdbDeletePermLayerKeys(), SdbpCloseMemMappedFile(), SdbpGetPermLayersInternal(), SdbpOpenMemMappedFile(), SdbRegisterDatabaseEx(), SdbSetPermLayerKeys(), SdbUnregisterDatabase(), ServerThread(), SetActiveComputerNameToRegistry(), SetComputerNameToRegistry(), SetDefaultPagefile(), SetFileAttributesW(), SetFileSecurityW(), SetGeoID(), SetLocaleInfoW(), SetMountedDeviceValue(), SetRosSpecificInfo(), SetSocketInformation(), SetupCopyFile(), SetupCreateSingleDirectory(), SetupDeleteFile(), SetupMoveFile(), SetUserGeoID(), SetValueTest1(), SetValueTest2(), SetVolumeLabelW(), SmExecPgm(), SmExecuteProgram(), SmLookupSubsystem(), SmpAcquirePrivilege(), SmpConfigureObjectDirectories(), SmpCreateDynamicEnvironmentVariables(), SmpCreateVolumeDescriptors(), SmpDeletePagingFile(), SmpDereferenceSubsystem(), SmpExecPgm(), SmpExecuteImage(), SmpExecuteInitialCommand(), SmpGetPagingFileSize(), SmpGetVolumeFreeSpace(), SmpHandleConnectionRequest(), SmpInit(), SmpInitializeDosDevices(), SmpInitializeKnownDllsInternal(), SmpLoadDataFromRegistry(), SmpLoadSubSystem(), SmpProcessFileRenames(), SmpQueryRegistrySosOption(), SmpReleasePrivilege(), SmpSbCreateSession(), SmpStartCsr(), SmpTranslateSystemPartitionInformation(), SockCreateOrReferenceAsyncThread(), SpeakerCleanup(), START_TEST(), StartAuthenticationPort(), TerminateUserModePnpManager(), test1(), test2(), test3(), test5(), test6(), test7(), test9(), Test_ApphelpCheckRunApp(), Test_EmptyFile(), Test_ImageSection(), test_keyed_events(), Test_KeyFullInformation(), Test_KeyNameInformation(), test_mutant(), test_NtOpenKey(), Test_PageFileSection(), Test_RawSize(), Test_recv(), Test_SectionContents(), test_tp_multi_wait(), TestCreateOpen_(), TestSend(), TestSendTo(), TestTcp(), TestUdp(), TH32CreateSnapshotSectionInitialize(), timer_queue_thread_proc(), UnhandledExceptionFilter(), UnMapFile(), UserpFormatMessages(), VfatFormat(), VfatxFormat(), Wait_thread_proc(), WaitNamedPipeW(), WinExec(), WritePartitions(), WSPAccept(), WSPBind(), WSPCloseSocket(), WSPConnect(), WSPDuplicateSocket(), WSPEnumNetworkEvents(), WSPEventSelect(), WSPGetPeerName(), WSPGetSockName(), WSPListen(), WSPRecv(), WSPRecvFrom(), WSPSelect(), WSPSend(), WSPSendTo(), WSPShutdown(), WSPSocket(), CEnumNTDirectory::~CEnumNTDirectory(), mountmgr::~mountmgr(), and nt_handle::~nt_handle().
◆ NtDuplicateObject()
| NTSTATUS NTAPI NtDuplicateObject | ( | IN HANDLE | SourceProcessHandle, |
| IN HANDLE | SourceHandle, | ||
| IN HANDLE TargetProcessHandle | OPTIONAL, | ||
| OUT PHANDLE TargetHandle | OPTIONAL, | ||
| IN ACCESS_MASK | DesiredAccess, | ||
| IN ULONG | HandleAttributes, | ||
| IN ULONG | Options | ||
| ) |
Definition at line 3410 of file obhandle.c.
3417{
3419 HANDLE hTarget;
3423 "%s - Duplicating handle: %p for %p into %p.\n",
3424 __FUNCTION__,
3425 SourceHandle,
3426 SourceProcessHandle,
3427 TargetProcessHandle);
3428
3429 /* Check if we have a target handle */
3431 {
3432 /* Enter SEH */
3433 _SEH2_TRY
3434 {
3435 /* Probe the handle and assume failure */
3438 }
3440 {
3441 /* Return the exception code */
3443 }
3444 _SEH2_END;
3445 }
3446
3447 /* Now reference the input handle */
3449 PROCESS_DUP_HANDLE,
3450 PsProcessType,
3451 PreviousMode,
3452 (PVOID*)&SourceProcess,
3453 NULL);
3455
3456 /* Check if got a target handle */
3458 {
3459 /* Now reference the output handle */
3461 PROCESS_DUP_HANDLE,
3462 PsProcessType,
3463 PreviousMode,
3464 (PVOID*)&TargetProcess,
3465 NULL);
3467 {
3468 /* Use this target process */
3469 Target = TargetProcess;
3470 }
3471 else
3472 {
3473 /* No target process */
3475 }
3476 }
3477 else
3478 {
3479 /* No target process */
3482 }
3483
3484 /* Call the internal routine */
3486 SourceHandle,
3487 Target,
3488 &hTarget,
3489 DesiredAccess,
3490 HandleAttributes,
3491 Options,
3492 PreviousMode);
3493
3494 /* Check if the caller wanted the return handle */
3496 {
3497 /* Protect the write to user mode */
3498 _SEH2_TRY
3499 {
3500 /* Write the new handle */
3501 *TargetHandle = hTarget;
3502 }
3504 {
3505 /* Otherwise, get the exception code */
3507 }
3508 _SEH2_END;
3509 }
3510
3511 /* Dereference the processes */
3513 "%s - Duplicated handle: %p into %p S %lx\n",
3514 __FUNCTION__,
3515 hTarget,
3516 TargetProcessHandle,
3517 Status);
3519 ObDereferenceObject(SourceProcess);
3521}
#define PROCESS_DUP_HANDLE
Definition: nsiface.idl:2307
_In_ HANDLE _In_opt_ HANDLE _Out_opt_ PHANDLE _In_ ACCESS_MASK _In_ ULONG HandleAttributes
Definition: obfuncs.h:433
NTSTATUS NTAPI ObDuplicateObject(IN PEPROCESS SourceProcess, IN HANDLE SourceHandle, IN PEPROCESS TargetProcess OPTIONAL, IN PHANDLE TargetHandle OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, IN ULONG Options, IN KPROCESSOR_MODE PreviousMode)
Definition: obhandle.c:2204
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
Definition: pstypes.h:1261
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2658
Referenced by BaseSrvCreatePairWaitHandles(), BaseSrvDestroyPairWaitHandles(), ConSrvAllocateConsole(), ConSrvInheritConsole(), CSR_API(), CsrCreateRemoteThread(), DuplicateHandle(), GRAPHICS_BUFFER_Destroy(), GRAPHICS_BUFFER_Initialize(), GuiApplyUserSettings(), GuiConsoleShowConsoleProperties(), GuiInit(), LsapAddNotification(), LsapLogonUser(), RtlpIoWorkerThreadProc(), RtlpIsIoPending(), SmpExecPgm(), SmpExecuteInitialCommand(), SmpLoadSubSystem(), SmpSbCreateSession(), START_TEST(), and StuffStdHandle().
◆ ObClearProcessHandleTable()
Definition at line 2027 of file obhandle.c.
2028{
2033
2035
2036 /* Ensure the handle table doesn't go away while we use it */
2039
2040 /* Attach to the current process if needed */
2042 {
2044 AttachedToProcess = TRUE;
2045 }
2046
2047 /* Enter a critical region */
2048 KeEnterCriticalRegion();
2049
2050 /* Fill out the context */
2053
2054 /* Sweep the handle table to close all handles */
2056 ObpCloseHandleCallback,
2057 &Context);
2058
2059 /* Leave the critical region */
2060 KeLeaveCriticalRegion();
2061
2062 /* Detach if needed */
2063 if (AttachedToProcess)
2065
2066 /* Let the handle table go */
2068}
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:223
VOID NTAPI ExSweepHandleTable(IN PHANDLE_TABLE HandleTable, IN PEX_SWEEP_HANDLE_CALLBACK EnumHandleProcedure, IN PVOID Context)
Definition: handle.c:1232
VOID NTAPI ObDereferenceProcessHandleTable(IN PEPROCESS Process)
Definition: obhandle.c:48
BOOLEAN NTAPI ObpCloseHandleCallback(IN PHANDLE_TABLE_ENTRY HandleTableEntry, IN HANDLE Handle, IN PVOID Context)
Definition: obhandle.c:1924
PHANDLE_TABLE NTAPI ObReferenceProcessHandleTable(IN PEPROCESS Process)
Definition: obhandle.c:26
VOID NTAPI KeStackAttachProcess(IN PKPROCESS Process, OUT PRKAPC_STATE ApcState)
Definition: procobj.c:704
VOID NTAPI KeUnstackDetachProcess(IN PRKAPC_STATE ApcState)
Definition: procobj.c:756
Definition: compobj.c:4795
Definition: extypes.h:617
Definition: ob.h:116
Referenced by NtTerminateProcess(), and PspTerminateProcess().
◆ ObCloseHandle()
Definition at line 3379 of file obhandle.c.
3381{
3382 /* Call the internal API */
3384}
Referenced by _IRQL_requires_max_(), CheckDirectorySecurity__(), CheckKeySecurity__(), CmpAddToHiveFileList(), CmpLinkKeyToHive(), CmpRemoveFromHiveFileList(), DbgkCreateThread(), DbgkMapViewOfSection(), DbgkpFreeDebugEvent(), DbgkpOpenHandles(), DbgkpPostFakeModuleMessages(), DbgkpPostFakeThreadMessages(), DisplayBootBitmap(), ExitThreadCallback(), ExpCreateSystemRootLink(), ExpCreateWorkerThread(), ExpInitializeWorkerThreads(), ExpInitNls(), InitThreadCallback(), IntCopyRegistryKey(), IntCreateDesktop(), IntCreateNewRegistryPath(), IntLoadRegistryParameters(), IntResolveDesktop(), IntSetupDeviceSettingsKey(), IntVideoPortInbvCleanup(), IoCreateController(), IoCreateDevice(), IoCreateStreamFileObjectEx(), IopDetectResourceConflict(), IopOpenLinkOrRenameTarget(), IopReassignSystemRoot(), IopStoreSystemPartitionInformation(), KernelModeTest(), KmtStartThread(), LpcpCreatePort(), MmCreatePhysicalMemorySection(), NotificationCallback(), NtLoadKeyEx(), NtSaveKeyEx(), NtSaveMergedKeys(), NtSecureConnectPort(), NtSetDefaultLocale(), NtSetInformationFile(), NtUnloadKey2(), NtUserCloseDesktop(), NtUserCloseWindowStation(), NtUserResolveDesktop(), PnpRootCreateDevice(), PspCreateProcess(), PspCreateThread(), PspExitThread(), PspInitPhase0(), RawInputThreadMain(), RunTest(), ScrInbvCleanup(), SepRmCommandServerThread(), SepRmCommandServerThreadInit(), SeRmInitPhase1(), START_TEST(), TestAllInformation(), TestConnect(), TestCreateNamedPipe(), TestDuplicate(), TestIoCreateFile(), TestObRootSecurity(), TestPhysicalMemorySection(), TestReadWrite(), TestRelativeNames(), TestSharedCacheMap(), UserModeTest(), and UserSetProcessWindowStation().
◆ ObDereferenceProcessHandleTable()
Definition at line 48 of file obhandle.c.
49{
50 /* Release the process lock */
52}
Referenced by ObClearProcessHandleTable(), ObDuplicateObject(), ObFindHandleForObject(), ObGetProcessHandleCount(), and ObInitProcess().
◆ ObDuplicateObject()
| NTSTATUS NTAPI ObDuplicateObject | ( | IN PEPROCESS | SourceProcess, |
| IN HANDLE | SourceHandle, | ||
| IN PEPROCESS TargetProcess | OPTIONAL, | ||
| IN PHANDLE TargetHandle | OPTIONAL, | ||
| IN ACCESS_MASK | DesiredAccess, | ||
| IN ULONG | HandleAttributes, | ||
| IN ULONG | Options, | ||
| IN KPROCESSOR_MODE | PreviousMode | ||
| ) |
Definition at line 2204 of file obhandle.c.
2212{
2213 HANDLE_TABLE_ENTRY NewHandleEntry;
2215 PVOID SourceObject;
2216 POBJECT_HEADER ObjectHeader;
2218 HANDLE NewHandle;
2221 ACCESS_MASK TargetAccess, SourceAccess;
2224 AUX_ACCESS_DATA AuxData;
2227 ULONG AuditMask;
2229
2230 PAGED_CODE();
2232 "%s - Duplicating handle: %p for %p into %p\n",
2233 __FUNCTION__,
2234 SourceHandle,
2235 SourceProcess,
2236 TargetProcess);
2237
2238 /* Assume failure */
2240
2241 /* Check if we're not duplicating the same access */
2243 {
2244 /* Validate the desired access */
2247 }
2248
2249 /* Reference the object table */
2252
2253 /* Reference the process object */
2255 SourceProcess,
2256 HandleTable,
2257 PreviousMode,
2258 &SourceObject,
2259 &HandleInformation,
2260 &AuditMask);
2262 {
2263 /* Fail */
2264 ObDereferenceProcessHandleTable(SourceProcess);
2266 }
2267 else
2268 {
2269 /* Check if we have to don't have to audit object close */
2271 {
2272 /* Then there is no audit mask */
2273 AuditMask = 0;
2274 }
2275 }
2276
2277 /* Check if there's no target process */
2278 if (!TargetProcess)
2279 {
2280 /* Check if the caller wanted actual duplication */
2282 {
2283 /* Invalid request */
2285 }
2286 else
2287 {
2288 /* Otherwise, do the attach */
2290
2291 /* Close the handle and detach */
2294 }
2295
2296 /* Return */
2297 ObDereferenceProcessHandleTable(SourceProcess);
2298 ObDereferenceObject(SourceObject);
2300 }
2301
2302 /* Create a kernel handle if asked, but only in the system process */
2305 TargetProcess == PsInitialSystemProcess)
2306 {
2308 }
2309
2310 /* Get the target handle table */
2313 {
2314 /* Check if the caller wanted us to close the handle */
2316 {
2317 /* Do the attach */
2319
2320 /* Close the handle and detach */
2323 }
2324
2325 /* Return */
2326 ObDereferenceProcessHandleTable(SourceProcess);
2327 ObDereferenceObject(SourceObject);
2329 }
2330
2331 /* Get the source access */
2332 SourceAccess = HandleInformation.GrantedAccess;
2333
2334 /* Check if we're not in the target process */
2336 {
2337 /* Attach to it */
2339 AttachedToProcess = TRUE;
2340 }
2341
2342 /* Check if we're duplicating the attributes */
2344 {
2345 /* Duplicate them */
2347 }
2348 else
2349 {
2350 /* Don't allow caller to bypass auditing */
2352 OBJ_AUDIT_OBJECT_CLOSE;
2353 }
2354
2355 /* Check if we're duplicating the access */
2357
2358 /* Get object data */
2359 ObjectHeader = OBJECT_TO_OBJECT_HEADER(SourceObject);
2361
2362 /* Fill out the entry */
2364 NewHandleEntry.Object = ObjectHeader;
2366
2367 /* Check if we're using a generic mask */
2369 {
2370 /* Map it */
2372 &ObjectType->TypeInfo.GenericMapping);
2373 }
2374
2375 /* Set the target access, always propagate ACCESS_SYSTEM_SECURITY */
2377 ACCESS_SYSTEM_SECURITY);
2378 NewHandleEntry.GrantedAccess = TargetAccess;
2379
2380 /* Check if we're asking for new access */
2381 if (TargetAccess & ~SourceAccess)
2382 {
2383 /* We are. We need the security procedure to validate this */
2385 {
2386 /* Use our built-in access state */
2389 &AuxData,
2390 TargetAccess,
2391 &ObjectType->TypeInfo.GenericMapping);
2392 }
2393 else
2394 {
2395 /* Otherwise we can't allow this privilege elevation */
2397 }
2398 }
2399 else
2400 {
2401 /* We don't need an access state */
2403 }
2404
2405 /* Make sure the access state was created OK */
2407 {
2408 /* Add a new handle */
2410 PassedAccessState,
2411 PreviousMode,
2412 HandleAttributes,
2413 PsGetCurrentProcess(),
2414 ObDuplicateHandle);
2415 }
2416
2417 /* Check if we were attached */
2418 if (AttachedToProcess)
2419 {
2420 /* We can safely detach now */
2422 AttachedToProcess = FALSE;
2423 }
2424
2425 /* Check if we have to close the source handle */
2427 {
2428 /* Attach and close */
2432 }
2433
2434 /* Check if we had an access state */
2436
2437 /* Now check if incrementing actually failed */
2439 {
2440 /* Dereference handle tables */
2441 ObDereferenceProcessHandleTable(SourceProcess);
2442 ObDereferenceProcessHandleTable(TargetProcess);
2443
2444 /* Dereference the source object */
2445 ObDereferenceObject(SourceObject);
2447 }
2448
2450 {
2451 NewHandleEntry.ObAttributes &= ~OBJ_PROTECT_CLOSE;
2453 }
2454
2455 /* Now create the handle */
2457 if (!NewHandle)
2458 {
2459 /* Undo the increment */
2460 ObpDecrementHandleCount(SourceObject,
2461 TargetProcess,
2462 TargetAccess,
2463 ObjectType);
2464
2465 /* Deference the object and set failure status */
2466 ObDereferenceObject(SourceObject);
2468 }
2469
2470 /* Mark it as a kernel handle if requested */
2472 {
2473 NewHandle = ObMarkHandleAsKernelHandle(NewHandle);
2474 }
2475
2476 /* Return the handle */
2478
2479 /* Dereference handle tables */
2480 ObDereferenceProcessHandleTable(SourceProcess);
2481 ObDereferenceProcessHandleTable(TargetProcess);
2482
2483 /* Return status */
2485 "%s - Duplicated handle: %p for %p into %p. Source: %p HC PC %lx %lx\n",
2486 __FUNCTION__,
2487 NewHandle,
2488 SourceProcess,
2489 TargetProcess,
2490 SourceObject,
2491 ObjectHeader->PointerCount,
2492 ObjectHeader->HandleCount);
2494}
NTSYSAPI VOID NTAPI RtlMapGenericMask(PACCESS_MASK AccessMask, PGENERIC_MAPPING GenericMapping)
HANDLE NTAPI ExCreateHandle(IN PHANDLE_TABLE HandleTable, IN PHANDLE_TABLE_ENTRY HandleTableEntry)
Definition: handle.c:827
NTSTATUS NTAPI SeCreateAccessState(_Inout_ PACCESS_STATE AccessState, _In_ PAUX_ACCESS_DATA AuxData, _In_ ACCESS_MASK Access, _In_ PGENERIC_MAPPING GenericMapping)
Creates an access state.
Definition: access.c:121
VOID NTAPI SeDeleteAccessState(_In_ PACCESS_STATE AccessState)
Deletes an allocated access state from the memory.
Definition: access.c:150
VOID NTAPI ObpDecrementHandleCount(IN PVOID ObjectBody, IN PEPROCESS Process, IN ACCESS_MASK GrantedAccess, IN POBJECT_TYPE ObjectType)
Definition: obhandle.c:530
NTSTATUS NTAPI ObpReferenceProcessObjectByHandle(IN HANDLE Handle, IN PEPROCESS Process, IN PHANDLE_TABLE HandleTable, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation, OUT PACCESS_MASK AuditMask)
Definition: obhandle.c:85
NTSTATUS NTAPI ObpIncrementHandleCount(IN PVOID Object, IN PACCESS_STATE AccessState OPTIONAL, IN KPROCESSOR_MODE AccessMode, IN ULONG HandleAttributes, IN PEPROCESS Process, IN OB_OPEN_REASON OpenReason)
Definition: obhandle.c:811
Definition: setypes.h:224
Definition: setypes.h:257
Definition: extypes.h:596
Definition: iotypes.h:179
Definition: obtypes.h:486
Definition: obtypes.h:380
_In_ ACCESS_MASK _In_opt_ POBJECT_TYPE _In_ KPROCESSOR_MODE _Out_ PVOID _Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation
Definition: obfuncs.h:44
#define DUPLICATE_SAME_ACCESS
#define DUPLICATE_CLOSE_SOURCE
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:417
Referenced by DbgkpOpenHandles(), and NtDuplicateObject().
◆ ObFindHandleForObject()
| BOOLEAN NTAPI ObFindHandleForObject | ( | IN PEPROCESS | Process, |
| IN PVOID | Object, | ||
| IN POBJECT_TYPE | ObjectType, | ||
| IN POBJECT_HANDLE_INFORMATION | HandleInformation, | ||
| OUT PHANDLE | Handle | ||
| ) |
Definition at line 2856 of file obhandle.c.
2861{
2862 OBP_FIND_HANDLE_DATA FindData;
2864 PVOID ObjectTable;
2865
2866 /* Make sure we have an object table */
2868 if (ObjectTable)
2869 {
2870 /* Check if we have an object */
2872 {
2873 /* Set its header */
2875 }
2876 else
2877 {
2878 /* Otherwise, no object to match*/
2880 }
2881
2882 /* Set other information */
2885
2886 /* Enumerate the handle table */
2889 &FindData,
2890 Handle))
2891 {
2892 /* Set success */
2894 }
2895
2896 /* Let go of the table */
2898 }
2899
2900 /* Return the result */
2902}
BOOLEAN NTAPI ExEnumHandleTable(IN PHANDLE_TABLE HandleTable, IN PEX_ENUM_HANDLE_CALLBACK EnumHandleProcedure, IN OUT PVOID Context, OUT PHANDLE EnumHandle OPTIONAL)
Definition: handle.c:1271
BOOLEAN NTAPI ObpEnumFindHandleProcedure(IN PHANDLE_TABLE_ENTRY HandleEntry, IN HANDLE Handle, IN PVOID Context)
Definition: obhandle.c:211
Definition: ob.h:122
POBJECT_HANDLE_INFORMATION HandleInformation
Definition: ob.h:125
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:409
Referenced by IntGetDesktopObjectHandle(), and IntResolveDesktop().
◆ ObGetProcessHandleCount()
Definition at line 56 of file obhandle.c.
57{
58 ULONG HandleCount;
60
62
63 /* Ensure the handle table doesn't go away while we use it */
65
67 {
68 /* Count the number of handles the process has */
69 HandleCount = HandleTable->HandleCount;
70
71 /* Let the handle table go */
73 }
74 else
75 {
76 /* No handle table, no handles */
77 HandleCount = 0;
78 }
79
80 return HandleCount;
81}
Referenced by NtQueryInformationProcess(), and QSI_DEF().
◆ ObInitProcess()
Definition at line 2090 of file obhandle.c.
2092{
2093 PHANDLE_TABLE ParentTable, ObjectTable;
2094
2095 /* Check for a parent */
2097 {
2098 /* Reference the parent's table */
2101
2102 /* Duplicate it */
2104 ParentTable,
2106 OBJ_INHERIT);
2107 }
2108 else
2109 {
2110 /* Otherwise just create a new table */
2111 ParentTable = NULL;
2113 }
2114
2115 /* Make sure we have a table */
2116 if (ObjectTable)
2117 {
2118 /* Associate it */
2119 Process->ObjectTable = ObjectTable;
2120
2121 /* Check for auditing */
2123 {
2124 /* FIXME: TODO */
2126 }
2127
2128 /* Get rid of the old table now */
2130
2131 /* We are done */
2133 }
2134 else
2135 {
2136 /* Fail */
2140 }
2141}
ACPI_PHYSICAL_ADDRESS ACPI_SIZE BOOLEAN Warn UINT32 *TableIdx UINT32 ACPI_TABLE_HEADER *OutTableHeader ACPI_TABLE_HEADER **OutTable ACPI_HANDLE UINT32 ACPI_WALK_CALLBACK ACPI_WALK_CALLBACK void void **ReturnValue UINT32 ACPI_BUFFER *RetPathPtr ACPI_OBJECT_HANDLER void *Data ACPI_OBJECT_HANDLER void **Data ACPI_STRING ACPI_OBJECT_LIST ACPI_BUFFER *ReturnObjectBuffer ACPI_DEVICE_INFO **ReturnBuffer ACPI_HANDLE Parent
Definition: acpixf.h:732
PHANDLE_TABLE NTAPI ExCreateHandleTable(IN PEPROCESS Process OPTIONAL)
Definition: handle.c:801
PHANDLE_TABLE NTAPI ExDupHandleTable(IN PEPROCESS Process, IN PHANDLE_TABLE HandleTable, IN PEX_DUPLICATE_HANDLE_CALLBACK DupHandleProcedure, IN ULONG_PTR Mask)
Definition: handle.c:1072
BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)
Peforms a detailed security auditing with an access token.
Definition: audit.c:34
BOOLEAN NTAPI ObpDuplicateHandleCallback(IN PEPROCESS Process, IN PHANDLE_TABLE HandleTable, IN PHANDLE_TABLE_ENTRY OldEntry, IN PHANDLE_TABLE_ENTRY HandleTableEntry)
Definition: obhandle.c:1960
Referenced by PspCreateProcess().
◆ ObInsertObject()
| NTSTATUS NTAPI ObInsertObject | ( | IN PVOID | Object, |
| IN PACCESS_STATE AccessState | OPTIONAL, | ||
| IN ACCESS_MASK | DesiredAccess, | ||
| IN ULONG | ObjectPointerBias, | ||
| OUT PVOID *NewObject | OPTIONAL, | ||
| OUT PHANDLE | Handle | ||
| ) |
Definition at line 2935 of file obhandle.c.
2941{
2942 POBJECT_CREATE_INFORMATION ObjectCreateInfo;
2943 POBJECT_HEADER ObjectHeader;
2946 PVOID InsertObject;
2949 POBJECT_HEADER_NAME_INFO ObjectNameInfo;
2951 ACCESS_STATE LocalAccessState;
2952 AUX_ACCESS_DATA AuxData;
2953 OB_OPEN_REASON OpenReason;
2956 BOOLEAN IsNewObject;
2957 PAGED_CODE();
2958
2959 /* Get the Header */
2961
2962 /* Detect invalid insert */
2964 {
2965 /* Display warning and break into debugger */
2967 DbgBreakPoint();
2968
2969 /* Allow debugger to continue */
2972 }
2973
2974 /* Get the create and name info, as well as the object type */
2975 ObjectCreateInfo = ObjectHeader->ObjectCreateInfo;
2976 ObjectNameInfo = ObpReferenceNameInfo(ObjectHeader);
2979
2980 /* Check if this is an named object */
2982 {
2983 /* Get the object name */
2985 }
2986
2987 /* Sanity check */
2989 ((ObjectPointerBias == 0) &&
2991 (ObjectType->TypeInfo.SecurityRequired) &&
2993
2994 /* Check if the object is unnamed and also doesn't have security */
2997 {
2998 /* Assume failure */
3001
3002 /* Create the handle */
3004 DesiredAccess,
3005 ObjectPointerBias + 1,
3006 ObjectCreateInfo->Attributes,
3007 PreviousMode,
3008 NewObject,
3009 Handle);
3010
3011 /* Free the create information */
3012 ObpFreeObjectCreateInformation(ObjectCreateInfo);
3013
3014 /* Release the object name information */
3015 ObpDereferenceNameInfo(ObjectNameInfo);
3016
3017 /* Remove the extra keep-alive reference */
3019
3020 /* Return */
3022 "%s - returning Object with PC S: %lx %lx\n",
3023 __FUNCTION__,
3024 ObjectHeader->PointerCount,
3025 Status);
3027 }
3028
3029 /* Check if we didn't get an access state */
3031 {
3032 /* Use our built-in access state */
3033 AccessState = &LocalAccessState;
3035 &AuxData,
3036 DesiredAccess,
3037 &ObjectType->TypeInfo.GenericMapping);
3039 {
3040 /* Fail */
3041 ObpDereferenceNameInfo(ObjectNameInfo);
3044 }
3045 }
3046
3047 /* Save the security descriptor */
3049
3050 /* Validate the access mask */
3053 {
3054 /* Fail */
3055 ObpDereferenceNameInfo(ObjectNameInfo);
3058 }
3059
3060 /* Setup a lookup context */
3062 InsertObject = Object;
3063 OpenReason = ObCreateHandle;
3064
3065 /* Check if the object is named */
3067 {
3068 /* Look it up */
3070 ObjectName,
3071 ObjectCreateInfo->Attributes,
3072 ObjectType,
3075 ObjectCreateInfo->ParseContext,
3076 ObjectCreateInfo->SecurityQos,
3077 Object,
3078 AccessState,
3079 &Context,
3080 &InsertObject);
3081
3082 /* Check if we found an object that doesn't match the one requested */
3084 {
3085 /* This means we're opening an object, not creating a new one */
3086 OpenReason = ObOpenHandle;
3087
3088 /* Make sure the caller said it's OK to do this */
3090 {
3091 /* He did, but did he want this type? */
3093 {
3094 /* Wrong type, so fail */
3096 }
3097 else
3098 {
3099 /* Right type, so warn */
3101 }
3102 }
3103 else
3104 {
3105 /* Check if this was a symbolic link */
3108 {
3109 /* Dereference it */
3110 ObDereferenceObject(InsertObject);
3111 }
3112
3113 /* Caller wanted to create a new object, fail */
3115 }
3116 }
3117
3118 /* Check if anything until now failed */
3120 {
3121 /* Cleanup after lookup */
3123
3124 /* Remove query reference that we added */
3125 ObpDereferenceNameInfo(ObjectNameInfo);
3126
3127 /* Dereference the object and delete the access state */
3130 {
3131 /* We used a local one; delete it */
3133 }
3134
3135 /* Return failure code */
3137 }
3138 else
3139 {
3140 /* Check if this is a symbolic link */
3142 {
3143 /* Create the internal name */
3145 }
3146 }
3147 }
3148
3149 /* Now check if this object is being created */
3151 {
3152 /* Check if it's named or forces security */
3154 {
3155 /* Make sure it's inserted into an object directory */
3157 {
3158 /* Get the current descriptor */
3160 &ParentDescriptor,
3161 &SdAllocated);
3162 }
3163
3164 /* Now assign it */
3166 ParentDescriptor,
3167 Object,
3168 ObjectType);
3169
3170 /* Check if we captured one */
3171 if (ParentDescriptor)
3172 {
3173 /* We did, release it */
3174 ObReleaseObjectSecurity(ParentDescriptor, SdAllocated);
3175 }
3177 {
3178 /* Other we didn't, but we were able to use the current SD */
3180 ObjectCreateInfo->ProbeMode,
3181 TRUE);
3182
3183 /* Clear the current one */
3184 AccessState->SecurityDescriptor =
3186 }
3187 }
3188
3189 /* Check if anything until now failed */
3191 {
3192 /* Check if the directory was added */
3194 {
3195 /* Weird case where we need to do a manual delete */
3198 }
3199
3200 /* Cleanup the lookup */
3202
3203 /* Remove query reference that we added */
3204 ObpDereferenceNameInfo(ObjectNameInfo);
3205
3206 /* Dereference the object and delete the access state */
3209 {
3210 /* We used a local one; delete it */
3212 }
3213
3214 /* Return failure code */
3217 }
3218 }
3219
3220 /* Save the actual status until here */
3221 RealStatus = Status;
3222
3223 /* Check if caller wants us to create a handle */
3226 {
3227 /* Create the handle */
3229 InsertObject,
3230 NULL,
3231 AccessState,
3232 ObjectPointerBias + 1,
3233 ObjectCreateInfo->Attributes,
3234 &Context,
3235 PreviousMode,
3236 NewObject,
3237 Handle);
3239 {
3240 /* If the object had a name, backout everything */
3242
3243 /* Return the status of the failure */
3245 RealStatus = Status;
3246 }
3247
3248 /* Remove a query reference */
3249 ObpDereferenceNameInfo(ObjectNameInfo);
3250
3251 /* Remove the extra keep-alive reference */
3253 }
3254 else
3255 {
3256 /* Otherwise, lock the object */
3257 ObpAcquireObjectLock(ObjectHeader);
3258
3259 /* And charge quota for the process to make it appear as used */
3260 RealStatus = ObpChargeQuotaForObject(ObjectHeader,
3261 ObjectType,
3262 &IsNewObject);
3263
3264 /* Release the lock */
3265 ObpReleaseObjectLock(ObjectHeader);
3266
3267 /* Check if we failed and dereference the object if so */
3269 }
3270
3271 /* We can delete the Create Info now */
3272 ObpFreeObjectCreateInformation(ObjectCreateInfo);
3273
3274 /* Check if we created our own access state and delete it if so */
3276
3277 /* Return status code */
3279 "%s - returning Object with PC RS/S: %lx %lx %lx\n",
3280 __FUNCTION__,
3282 RealStatus, Status);
3283 return RealStatus;
3284}
NTSYSAPI void WINAPI DbgBreakPoint(void)
enum _OB_OPEN_REASON OB_OPEN_REASON
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:760
VOID NTAPI ObpCreateSymbolicLinkName(IN POBJECT_SYMBOLIC_LINK SymbolicLink)
Definition: oblink.c:334
NTSTATUS NTAPI ObpLookupObjectName(IN HANDLE RootHandle OPTIONAL, IN OUT PUNICODE_STRING ObjectName, IN ULONG Attributes, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL, IN PVOID InsertObject OPTIONAL, IN OUT PACCESS_STATE AccessState, OUT POBP_LOOKUP_CONTEXT LookupContext, OUT PVOID *FoundObject)
Definition: obname.c:446
FORCEINLINE VOID ObpAcquireObjectLock(IN POBJECT_HEADER ObjectHeader)
Definition: ob_x.h:48
FORCEINLINE VOID ObpInitializeLookupContext(IN POBP_LOOKUP_CONTEXT Context)
Initializes a new object directory lookup context. Used for lookup operations (insertions/deletions) ...
Definition: ob_x.h:258
FORCEINLINE VOID ObpReleaseObjectLock(IN POBJECT_HEADER ObjectHeader)
Definition: ob_x.h:84
FORCEINLINE VOID ObpDereferenceNameInfo(IN POBJECT_HEADER_NAME_INFO HeaderNameInfo)
Definition: ob_x.h:143
FORCEINLINE VOID ObpReleaseLookupContext(IN POBP_LOOKUP_CONTEXT Context)
Releases an initialized object directory lookup context. Unlocks it if necessary, and dereferences th...
Definition: ob_x.h:323
FORCEINLINE POBJECT_HEADER_NAME_INFO ObpReferenceNameInfo(IN POBJECT_HEADER ObjectHeader)
Definition: ob_x.h:102
FORCEINLINE VOID ObpFreeObjectCreateInformation(IN POBJECT_CREATE_INFORMATION ObjectCreateInfo)
Definition: ob_x.h:460
NTSTATUS NTAPI ObpCreateHandle(IN OB_OPEN_REASON OpenReason, IN PVOID Object, IN POBJECT_TYPE Type OPTIONAL, IN PACCESS_STATE AccessState, IN ULONG AdditionalReferences, IN ULONG HandleAttributes, IN POBP_LOOKUP_CONTEXT Context, IN KPROCESSOR_MODE AccessMode, OUT PVOID *ReturnedObject, OUT PHANDLE ReturnedHandle)
Definition: obhandle.c:1497
NTSTATUS NTAPI ObpChargeQuotaForObject(IN POBJECT_HEADER ObjectHeader, IN POBJECT_TYPE ObjectType, OUT PBOOLEAN NewObject)
Definition: obhandle.c:431
NTSTATUS NTAPI ObpCreateUnnamedHandle(IN PVOID Object, IN ACCESS_MASK DesiredAccess, IN ULONG AdditionalReferences, IN ULONG HandleAttributes, IN KPROCESSOR_MODE AccessMode, OUT PVOID *ReturnedObject, OUT PHANDLE ReturnedHandle)
Definition: obhandle.c:1312
NTSTATUS NTAPI ObpValidateAccessMask(IN PACCESS_STATE AccessState)
Definition: obhandle.c:488
NTSTATUS NTAPI ObGetObjectSecurity(IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
Definition: obsecure.c:611
VOID NTAPI ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
Definition: obsecure.c:709
NTSTATUS NTAPI ObAssignSecurity(IN PACCESS_STATE AccessState, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PVOID Object, IN POBJECT_TYPE Type)
Definition: obsecure.c:550
Definition: obtypes.h:336
PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: obtypes.h:344
PSECURITY_QUALITY_OF_SERVICE SecurityQos
Definition: obtypes.h:345
Definition: obtypes.h:431
POBJECT_CREATE_INFORMATION ObjectCreateInfo
Definition: obtypes.h:500
Definition: obtypes.h:511
Definition: ms-dtyp.idl:301
Definition: env_spec_w32.h:368
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:64
_Inout_opt_ PACCESS_STATE _In_opt_ ACCESS_MASK _In_ ULONG ObjectPointerBias
Definition: obfuncs.h:73
_Inout_opt_ PACCESS_STATE _In_opt_ ACCESS_MASK _In_ ULONG _Out_opt_ PVOID * NewObject
Definition: obfuncs.h:74
Referenced by _IRQL_requires_max_(), CmpCreateRegistryRoot(), CreateClientPort(), ExCreateCallback(), HalpDmaAllocateChildAdapter(), IntCreateWindowStation(), IoCreateController(), IoCreateDevice(), IoCreateDriver(), IoCreateStreamFileObjectEx(), IopInitializeDriverModule(), LpcpCreatePort(), MmCreatePhysicalMemorySection(), NtCreateDebugObject(), NtCreateDirectoryObject(), NtCreateEvent(), NtCreateEventPair(), NtCreateIoCompletion(), NtCreateJobObject(), NtCreateMutant(), NtCreateProfile(), NtCreateSection(), NtCreateSemaphore(), NtCreateSymbolicLinkObject(), NtCreateTimer(), NtDuplicateToken(), NtFilterToken(), NtSecureConnectPort(), ObtCreateObjects(), PspCreateProcess(), PspCreateThread(), SeFilterToken(), SepCreateToken(), SepInitializationPhase1(), SepOpenThreadToken(), and SeSubProcessToken().
◆ ObIsKernelHandle()
Definition at line 3525 of file obhandle.c.
3526{
3527 /* Use the inlined version. We know we are in kernel mode. */
3529}
◆ ObKillProcess()
Definition at line 2160 of file obhandle.c.
2161{
2164 BOOLEAN HardErrors;
2165 PAGED_CODE();
2166
2167 /* Wait for process rundown and then complete it */
2170
2171 /* Get the object table */
2174
2175 /* Disable hard errors while we close handles */
2177
2178 /* Enter a critical region */
2179 KeEnterCriticalRegion();
2180
2181 /* Fill out the context */
2184
2185 /* Sweep the handle table to close all handles */
2187 ObpCloseHandleCallback,
2188 &Context);
2190
2191 /* Leave the critical region */
2192 KeLeaveCriticalRegion();
2193
2194 /* Re-enable hard errors */
2195 IoSetThreadHardErrorMode(HardErrors);
2196
2197 /* Destroy the object table */
2200}
VOID NTAPI ExDestroyHandleTable(IN PHANDLE_TABLE HandleTable, IN PVOID DestroyHandleProcedure OPTIONAL)
Definition: handle.c:963
BOOLEAN NTAPI IoSetThreadHardErrorMode(IN BOOLEAN HardErrorEnabled)
Definition: error.c:726
Referenced by PspDeleteProcess(), and PspExitThread().
◆ ObOpenObjectByName()
| NTSTATUS NTAPI ObOpenObjectByName | ( | IN POBJECT_ATTRIBUTES | ObjectAttributes, |
| IN POBJECT_TYPE | ObjectType, | ||
| IN KPROCESSOR_MODE | AccessMode, | ||
| IN PACCESS_STATE | PassedAccessState, | ||
| IN ACCESS_MASK | DesiredAccess, | ||
| IN OUT PVOID | ParseContext, | ||
| OUT PHANDLE | Handle | ||
| ) |
Definition at line 2532 of file obhandle.c.
2539{
2543 POBJECT_HEADER ObjectHeader;
2545 OB_OPEN_REASON OpenReason;
2546 POB_TEMP_BUFFER TempBuffer;
2547 PAGED_CODE();
2548
2549 /* Assume failure */
2551
2552 /* Check if we didn't get any Object Attributes */
2554 {
2555 /* Fail with special status code */
2557 }
2558
2559 /* Allocate the temporary buffer */
2562 TAG_OB_TEMP_STORAGE);
2564
2565 /* Capture all the info */
2567 AccessMode,
2568 AccessMode,
2569 TRUE,
2570 &TempBuffer->ObjectCreateInfo,
2571 &ObjectName);
2573 {
2574 /* Fail */
2577 }
2578
2579 /* Check if we didn't get an access state */
2581 {
2582 /* Try to get the generic mapping if we can */
2584
2585 /* Use our built-in access state */
2588 &TempBuffer->AuxData,
2589 DesiredAccess,
2590 GenericMapping);
2592 }
2593
2594 /* Get the security descriptor */
2596 {
2597 /* Save it in the access state */
2600 }
2601
2602 /* Validate the access mask */
2605 {
2606 /* Cleanup after lookup */
2609 }
2610
2611 /* Now do the lookup */
2613 &ObjectName,
2615 ObjectType,
2616 AccessMode,
2617 ParseContext,
2619 NULL,
2620 PassedAccessState,
2621 &TempBuffer->LookupContext,
2622 &Object);
2624 {
2625 /* Cleanup after lookup */
2628 }
2629
2630 /* Check if this object has create information */
2633 {
2634 /* Then we are creating a new handle */
2635 OpenReason = ObCreateHandle;
2636
2637 /* Check if we still have create info */
2639 {
2640 /* Free it */
2641 ObpFreeObjectCreateInformation(ObjectHeader->
2642 ObjectCreateInfo);
2644 }
2645 }
2646 else
2647 {
2648 /* Otherwise, we are merely opening it */
2649 OpenReason = ObOpenHandle;
2650 }
2651
2652 /* Check if we have invalid object attributes */
2655 {
2656 /* Set failure code */
2658
2659 /* Cleanup after lookup */
2661
2662 /* Dereference the object */
2664 }
2665 else
2666 {
2667 /* Create the actual handle now */
2668 Status2 = ObpCreateHandle(OpenReason,
2669 Object,
2670 ObjectType,
2671 PassedAccessState,
2672 0,
2674 &TempBuffer->LookupContext,
2675 AccessMode,
2676 NULL,
2677 Handle);
2679 {
2681 Status = Status2;
2682 }
2683 }
2684
2685Cleanup:
2686 /* Delete the access state */
2688 {
2690 }
2691
2692Quickie:
2693 /* Release the object attributes and temporary buffer */
2697
2698 /* Return status */
2700 "%s - returning Object %p with PC S: %lx %lx\n",
2701 __FUNCTION__,
2702 Object,
2704 Status);
2706}
NTSTATUS NTAPI ObpCaptureObjectCreateInformation(IN POBJECT_ATTRIBUTES ObjectAttributes, IN KPROCESSOR_MODE AccessMode, IN KPROCESSOR_MODE CreatorMode, IN BOOLEAN AllocateFromLookaside, IN POBJECT_CREATE_INFORMATION ObjectCreateInfo, OUT PUNICODE_STRING ObjectName)
Definition: oblife.c:455
VOID NTAPI ObpFreeObjectNameBuffer(IN PUNICODE_STRING Name)
Definition: oblife.c:346
FORCEINLINE VOID ObpReleaseObjectCreateInformation(IN POBJECT_CREATE_INFORMATION ObjectCreateInfo)
Definition: ob_x.h:364
Definition: nt_native.h:564
Definition: ob.h:162
Referenced by CmLoadKey(), CmpLinkHiveToMaster(), CreateGreenFdo(), ExCreateCallback(), GetObjectType(), IntCreateDesktop(), IntCreateWindowStation(), IntResolveDesktop(), IoFastQueryNetworkAttributes(), IopCreateFile(), IopQueryAttributesFile(), NtCreateKey(), NtDeleteFile(), NtOpenDirectoryObject(), NtOpenEvent(), NtOpenEventPair(), NtOpenIoCompletion(), NtOpenJobObject(), NtOpenKey(), NtOpenMutant(), NtOpenProcess(), NtOpenSection(), NtOpenSemaphore(), NtOpenSymbolicLinkObject(), NtOpenThread(), NtOpenTimer(), NtQueryOpenSubKeys(), NtUnloadKey2(), NtUserOpenDesktop(), NtUserOpenWindowStation(), ObtCreateObjectTypes(), and START_TEST().
◆ ObOpenObjectByPointer()
| NTSTATUS NTAPI ObOpenObjectByPointer | ( | IN PVOID | Object, |
| IN ULONG | HandleAttributes, | ||
| IN PACCESS_STATE | PassedAccessState, | ||
| IN ACCESS_MASK | DesiredAccess, | ||
| IN POBJECT_TYPE | ObjectType, | ||
| IN KPROCESSOR_MODE | AccessMode, | ||
| OUT PHANDLE | Handle | ||
| ) |
Definition at line 2742 of file obhandle.c.
2749{
2753 AUX_ACCESS_DATA AuxData;
2754 PAGED_CODE();
2755
2756 /* Assume failure */
2758
2759 /* Reference the object */
2761 0,
2762 ObjectType,
2763 AccessMode);
2765
2766 /* Get the Header Info */
2768
2769 /* Check if we didn't get an access state */
2771 {
2772 /* Use our built-in access state */
2775 &AuxData,
2776 DesiredAccess,
2777 &Header->Type->TypeInfo.GenericMapping);
2779 {
2780 /* Fail */
2783 }
2784 }
2785
2786 /* Check if we have invalid object attributes */
2788 {
2789 /* Delete the access state */
2791 {
2793 }
2794
2795 /* Dereference the object */
2798 }
2799
2800 /* Create the handle */
2802 Object,
2803 ObjectType,
2804 PassedAccessState,
2805 0,
2806 HandleAttributes,
2807 NULL,
2808 AccessMode,
2809 NULL,
2810 Handle);
2812
2813 /* Delete the access state */
2815 {
2817 }
2818
2819 /* Return */
2821 "%s - returning Object with PC S: %lx %lx\n",
2822 __FUNCTION__,
2824 Status);
2826}
Definition: Header.h:9
NTSTATUS NTAPI ObReferenceObjectByPointer(IN PVOID Object, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode)
Definition: obref.c:381
Referenced by AfdBindSocket(), CmpConvertHandleToKernelHandle(), DbgkOpenProcessDebugPort(), DbgkpOpenHandles(), IntGetDesktopObjectHandle(), IntResolveDesktop(), NtOpenProcess(), NtOpenProcessTokenEx(), NtOpenThread(), RawInputThreadMain(), SepOpenThreadToken(), SerenumDetectLegacyDevice(), SerenumDetectPnpDevice(), SermouseDetectLegacyDevice(), START_TEST(), UserOpenInputDesktop(), and WmipOpenGuidObject().
◆ ObpChargeQuotaForObject()
| NTSTATUS NTAPI ObpChargeQuotaForObject | ( | IN POBJECT_HEADER | ObjectHeader, |
| IN POBJECT_TYPE | ObjectType, | ||
| OUT PBOOLEAN | NewObject | ||
| ) |
Definition at line 431 of file obhandle.c.
434{
435 POBJECT_HEADER_QUOTA_INFO ObjectQuota;
436 ULONG PagedPoolCharge, NonPagedPoolCharge;
437
438 /* Get quota information */
439 ObjectQuota = OBJECT_HEADER_TO_QUOTA_INFO(ObjectHeader);
441
442 /* Check if this is a new object */
444 {
445 /* Remove the flag */
446 ObjectHeader->Flags &= ~ OB_FLAG_CREATE_INFO;
447 if (ObjectQuota)
448 {
449 /* We have a quota, get the charges */
450 PagedPoolCharge = ObjectQuota->PagedPoolCharge +
451 ObjectQuota->SecurityDescriptorCharge;
452 NonPagedPoolCharge = ObjectQuota->NonPagedPoolCharge;
453 }
454 else
455 {
456 /* Get it from the object type */
457 PagedPoolCharge = ObjectType->TypeInfo.DefaultPagedPoolCharge;
458 NonPagedPoolCharge = ObjectType->TypeInfo.DefaultNonPagedPoolCharge;
459 }
460
461 /* Is this the system process? */
463 {
464 /* It is, don't do anything */
465 ObjectHeader->QuotaBlockCharged = OBP_SYSTEM_PROCESS_QUOTA;
466 }
467 else
468 {
469 /* Charge the quota */
471 PagedPoolCharge,
472 NonPagedPoolCharge);
473 }
474
475 /* Check if we don't have a quota block */
477
478 /* Now set the flag */
480 }
481
482 /* Return success */
484}
PEPROCESS_QUOTA_BLOCK NTAPI PsChargeSharedPoolQuota(_In_ PEPROCESS Process, _In_ SIZE_T AmountToChargePaged, _In_ SIZE_T AmountToChargeNonPaged)
Charges the shared (paged and non paged) pool quotas. The function is used exclusively by the Object ...
Definition: quota.c:674
Definition: obtypes.h:472
ULONG SecurityDescriptorCharge
Definition: obtypes.h:475
Referenced by ObInsertObject(), ObpIncrementHandleCount(), and ObpIncrementUnnamedHandleCount().
◆ ObpCloseHandle()
Definition at line 1730 of file obhandle.c.
1732{
1736 PHANDLE_TABLE_ENTRY HandleTableEntry;
1739 PAGED_CODE();
1742
1745
1746 /* Check if we're dealing with a kernel handle */
1748 {
1749 /* Use the kernel table and convert the handle */
1752
1753 /* Check if we're not in the system process */
1755 {
1756 /* Attach to the system process */
1758 AttachedToProcess = TRUE;
1759 }
1760 }
1761 else
1762 {
1763 /* Use the process's handle table */
1765 }
1766
1767 /* Enter a critical region to protect handle access */
1768 KeEnterCriticalRegion();
1769
1770 /* Get the handle entry */
1772 if (HandleTableEntry)
1773 {
1774 /* Now close the entry */
1776 HandleTableEntry,
1777 Handle,
1778 AccessMode,
1779 FALSE);
1780
1781 /* We can quit the critical region now */
1782 KeLeaveCriticalRegion();
1783
1784 /* Detach and return success */
1786 }
1787 else
1788 {
1789 /* We failed, quit the critical region */
1790 KeLeaveCriticalRegion();
1791
1792 /* Detach */
1794
1795 /* Check if we have a valid handle that's not the process or thread */
1799 {
1800 /* Check if we came from user mode */
1802 {
1803 /* Check if we have no debug port */
1805 {
1806 /* Make sure we're not attached */
1808 {
1809 /* Raise an exception */
1811 }
1812 }
1813 }
1814 else
1815 {
1816 /* This is kernel mode. Check if we're exiting */
1818 (Process->Peb))
1819 {
1820 /* Check if the debugger is enabled */
1822 {
1823 /* Bugcheck */
1825 }
1826 }
1827 }
1828 }
1829
1830 /* Set invalid status */
1832 }
1833
1834 /* Return status */
1836 "%s - Closed handle: %p S: %lx\n",
1839}
PHANDLE_TABLE_ENTRY NTAPI ExMapHandleToPointer(IN PHANDLE_TABLE HandleTable, IN HANDLE Handle)
Definition: handle.c:1046
NTSTATUS NTAPI KeRaiseUserException(IN NTSTATUS ExceptionCode)
Definition: except.c:413
BOOLEAN NTAPI PsIsThreadTerminating(IN PETHREAD Thread)
Definition: thread.c:868
NTSTATUS NTAPI ObpCloseHandleTableEntry(IN PHANDLE_TABLE HandleTable, IN PHANDLE_TABLE_ENTRY HandleEntry, IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode, IN BOOLEAN IgnoreHandleProtection)
Definition: obhandle.c:685
VOID NTAPI KeBugCheckEx(_In_ ULONG BugCheckCode, _In_ ULONG_PTR BugCheckParameter1, _In_ ULONG_PTR BugCheckParameter2, _In_ ULONG_PTR BugCheckParameter3, _In_ ULONG_PTR BugCheckParameter4)
Definition: rtlcompat.c:108
#define NtCurrentThread()
Referenced by NtClose(), and ObCloseHandle().
◆ ObpCloseHandleCallback()
| BOOLEAN NTAPI ObpCloseHandleCallback | ( | IN PHANDLE_TABLE_ENTRY | HandleTableEntry, |
| IN HANDLE | Handle, | ||
| IN PVOID | Context | ||
| ) |
Definition at line 1924 of file obhandle.c.
1927{
1929
1930 /* Simply decrement the handle count */
1932 HandleTableEntry,
1933 Handle,
1934 CloseContext->AccessMode,
1935 TRUE);
1937}
struct _OBP_CLOSE_HANDLE_CONTEXT * POBP_CLOSE_HANDLE_CONTEXT
Referenced by ObClearProcessHandleTable(), and ObKillProcess().
◆ ObpCloseHandleTableEntry()
| NTSTATUS NTAPI ObpCloseHandleTableEntry | ( | IN PHANDLE_TABLE | HandleTable, |
| IN PHANDLE_TABLE_ENTRY | HandleEntry, | ||
| IN HANDLE | Handle, | ||
| IN KPROCESSOR_MODE | AccessMode, | ||
| IN BOOLEAN | IgnoreHandleProtection | ||
| ) |
Definition at line 685 of file obhandle.c.
690{
691 PVOID Body;
693 POBJECT_HEADER ObjectHeader;
695 KIRQL CalloutIrql;
696 PAGED_CODE();
697
698 /* Get the object data */
699 ObjectHeader = ObpGetHandleObject(HandleEntry);
701 Body = &ObjectHeader->Body;
702 GrantedAccess = HandleEntry->GrantedAccess;
704 "%s - Closing handle: %p for %p. HC PC %lx %lx\n",
705 __FUNCTION__,
706 Handle,
707 Body,
708 ObjectHeader->HandleCount,
709 ObjectHeader->PointerCount);
710
711 /* Check if the object has an Okay To Close procedure */
713 {
714 /* Call it and check if it's not letting us close it */
715 ObpCalloutStart(&CalloutIrql);
717 Body,
718 Handle,
719 AccessMode))
720 {
721 /* Fail */
725 }
726
727 /* Success, validate callout retrn */
729 }
730
731 /* The callback allowed us to close it, but does the handle itself? */
733 !(IgnoreHandleProtection))
734 {
735 /* It doesn't, are we from user mode? */
737 {
738 /* We are! Unlock the entry */
740
741 /* Make sure we have a debug port */
743 {
744 /* Raise an exception */
746 }
747 else
748 {
749 /* Return the error instead */
751 }
752 }
753 else
754 {
755 /* Otherwise, bugcheck the OS */
757 }
758 }
759
760 /* Destroy and unlock the handle entry */
762
763 /* Now decrement the handle count */
764 ObpDecrementHandleCount(Body,
765 PsGetCurrentProcess(),
766 GrantedAccess,
767 ObjectType);
768
769 /* Dereference the object as well */
770 ObDereferenceObject(Body);
771
772 /* Return to caller */
774 "%s - Closed handle: %p for %p.\n",
775 __FUNCTION__,
776 Handle,
777 Body);
779}
BOOLEAN NTAPI ExDestroyHandle(IN PHANDLE_TABLE HandleTable, IN HANDLE Handle, IN PHANDLE_TABLE_ENTRY HandleTableEntry OPTIONAL)
Definition: handle.c:984
VOID NTAPI ExUnlockHandleTableEntry(IN PHANDLE_TABLE HandleTable, IN PHANDLE_TABLE_ENTRY HandleTableEntry)
Definition: handle.c:923
FORCEINLINE VOID ObpCalloutEnd(IN KIRQL CalloutIrql, IN PCHAR Procedure, IN POBJECT_TYPE ObjectType, IN PVOID Object)
Definition: ob_x.h:505
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
Referenced by ObpCloseHandle(), and ObpCloseHandleCallback().
◆ ObpCreateHandle()
| NTSTATUS NTAPI ObpCreateHandle | ( | IN OB_OPEN_REASON | OpenReason, |
| IN PVOID | Object, | ||
| IN POBJECT_TYPE Type | OPTIONAL, | ||
| IN PACCESS_STATE | AccessState, | ||
| IN ULONG | AdditionalReferences, | ||
| IN ULONG | HandleAttributes, | ||
| IN POBP_LOOKUP_CONTEXT | Context, | ||
| IN KPROCESSOR_MODE | AccessMode, | ||
| OUT PVOID * | ReturnedObject, | ||
| OUT PHANDLE | ReturnedHandle | ||
| ) |
Definition at line 1497 of file obhandle.c.
1507{
1508 HANDLE_TABLE_ENTRY NewEntry;
1509 POBJECT_HEADER ObjectHeader;
1517 PAUX_ACCESS_DATA AuxData;
1518 PAGED_CODE();
1519
1520 /* Get the object header and type */
1524 "%s - Creating handle for: %p. Reason: %lx. HC PC %lx %lx\n",
1525 __FUNCTION__,
1526 Object,
1527 OpenReason,
1528 ObjectHeader->HandleCount,
1529 ObjectHeader->PointerCount);
1530
1531 /* Check if the types match */
1533 {
1534 /* They don't, cleanup */
1537 }
1538
1539 /* Save the object header */
1540 NewEntry.Object = ObjectHeader;
1541
1542 /* Check if this is a kernel handle */
1544 {
1545 /* Set the handle table */
1548
1549 /* Check if we're not in the system process */
1551 {
1552 /* Attach to the system process */
1554 AttachedToProcess = TRUE;
1555 }
1556 }
1557 else
1558 {
1559 /* Get the current handle table */
1561 }
1562
1563 /* Increment the handle count */
1565 AccessState,
1566 AccessMode,
1567 HandleAttributes,
1568 PsGetCurrentProcess(),
1569 OpenReason);
1571 {
1572 /*
1573 * We failed (meaning security failure, according to NT Internals)
1574 * detach and return
1575 */
1579 }
1580
1581 /* Check if we are doing audits on close */
1583 {
1584 /* Force the attribute on */
1586 }
1587
1588 /* Mask out the internal attributes */
1590
1591 /* Get the original desired access */
1593 AccessState->PreviouslyGrantedAccess;
1594
1595 /* Remove what's not in the valid access mask */
1597 ACCESS_SYSTEM_SECURITY);
1598
1599 /* Update the value in the access state */
1601
1602 /* Get the auxiliary data */
1603 AuxData = AccessState->AuxData;
1604
1605 /* Handle extra references */
1606 if (AdditionalReferences)
1607 {
1608 /* Add them to the header */
1610 AdditionalReferences);
1611 }
1612
1613 /* Now we can release the object */
1615
1616 /* Save the access mask */
1618
1619 /*
1620 * Create the actual handle. We'll need to do this *after* calling
1621 * ObpIncrementHandleCount to make sure that Object Security is valid
1622 * (specified in Gl00my documentation on Ob)
1623 */
1625 "%s - Handle Properties: [%p-%lx-%lx]\n",
1626 __FUNCTION__,
1629
1630 /* Make sure we got a handle */
1632 {
1633 /* Check if this was a kernel handle */
1635
1636 /* Return it */
1637 *ReturnedHandle = Handle;
1638
1639 /* Check if we need to generate on audit */
1641 {
1642 /* Audit the handle creation */
1643 //SeAuditHandleCreation(AccessState, Handle);
1644 }
1645
1646 /* Check if this was a create */
1648 {
1649 /* Check if we need to audit the privileges */
1652 {
1653 /* Do the audit */
1654#if 0
1656 &AccessState->
1657 SubjectSecurityContext,
1658 GrantedAccess,
1659 AuxData->PrivilegeSet,
1660 TRUE,
1661 ExGetPreviousMode());
1662#endif
1663 }
1664 }
1665
1666 /* Return the new object only if caller wanted it biased */
1667 if ((AdditionalReferences) && (ReturnedObject))
1668 {
1669 /* Return it */
1670 *ReturnedObject = Object;
1671 }
1672
1673 /* Detach if needed */
1675
1676 /* Trace and return */
1678 "%s - Returning Handle: %p HC PC %lx %lx\n",
1679 __FUNCTION__,
1680 Handle,
1681 ObjectHeader->HandleCount,
1682 ObjectHeader->PointerCount);
1684 }
1685
1686 /* Decrement the handle count and detach */
1688 PsGetCurrentProcess(),
1689 GrantedAccess,
1690 ObjectType);
1691
1692 /* Handle extra references */
1693 if (AdditionalReferences)
1694 {
1695 /* Check how many extra references were added */
1696 if (AdditionalReferences > 1)
1697 {
1698 /* Dereference it many times */
1700 -(LONG)(AdditionalReferences - 1));
1701 }
1702
1703 /* Dereference the object one last time */
1705 }
1706
1707 /* Detach if necessary and fail */
1710}
VOID NTAPI SePrivilegeObjectAuditAlarm(_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
Raises an audit with alarm notification message when an object tries to acquire this privilege.
Definition: audit.c:1321
Referenced by ObInsertObject(), ObOpenObjectByName(), and ObOpenObjectByPointer().
◆ ObpCreateUnnamedHandle()
| NTSTATUS NTAPI ObpCreateUnnamedHandle | ( | IN PVOID | Object, |
| IN ACCESS_MASK | DesiredAccess, | ||
| IN ULONG | AdditionalReferences, | ||
| IN ULONG | HandleAttributes, | ||
| IN KPROCESSOR_MODE | AccessMode, | ||
| OUT PVOID * | ReturnedObject, | ||
| OUT PHANDLE | ReturnedHandle | ||
| ) |
Definition at line 1312 of file obhandle.c.
1319{
1320 HANDLE_TABLE_ENTRY NewEntry;
1321 POBJECT_HEADER ObjectHeader;
1329 PAGED_CODE();
1330
1331 /* Get the object header and type */
1335 "%s - Creating handle for: %p. UNNAMED. HC PC %lx %lx\n",
1336 __FUNCTION__,
1337 Object,
1338 ObjectHeader->HandleCount,
1339 ObjectHeader->PointerCount);
1340
1341 /* Save the object header */
1342 NewEntry.Object = ObjectHeader;
1343
1344 /* Mask out the internal attributes */
1346
1347 /* Check if this is a kernel handle */
1349 {
1350 /* Set the handle table */
1353
1354 /* Check if we're not in the system process */
1356 {
1357 /* Attach to the system process */
1359 AttachedToProcess = TRUE;
1360 }
1361 }
1362 else
1363 {
1364 /* Get the current handle table */
1366 }
1367
1368 /* Increment the handle count */
1370 &DesiredAccess,
1371 AccessMode,
1372 HandleAttributes,
1373 PsGetCurrentProcess());
1375 {
1376 /*
1377 * We failed (meaning security failure, according to NT Internals)
1378 * detach and return
1379 */
1382 }
1383
1384 /* Remove what's not in the valid access mask */
1386 ACCESS_SYSTEM_SECURITY);
1387
1388 /* Handle extra references */
1389 if (AdditionalReferences)
1390 {
1391 /* Add them to the header */
1393 AdditionalReferences);
1394 }
1395
1396 /* Save the access mask */
1398
1399 /*
1400 * Create the actual handle. We'll need to do this *after* calling
1401 * ObpIncrementHandleCount to make sure that Object Security is valid
1402 * (specified in Gl00my documentation on Ob)
1403 */
1405 "%s - Handle Properties: [%p-%lx-%lx]\n",
1406 __FUNCTION__,
1409
1410 /* Make sure we got a handle */
1412 {
1413 /* Check if this was a kernel handle */
1415
1416 /* Return handle and object */
1417 *ReturnedHandle = Handle;
1418
1419 /* Return the new object only if caller wanted it biased */
1420 if ((AdditionalReferences) && (ReturnedObject))
1421 {
1422 /* Return it */
1423 *ReturnedObject = Object;
1424 }
1425
1426 /* Detach if needed */
1428
1429 /* Trace and return */
1431 "%s - Returning Handle: %p HC PC %lx %lx\n",
1432 __FUNCTION__,
1433 Handle,
1434 ObjectHeader->HandleCount,
1435 ObjectHeader->PointerCount);
1437 }
1438
1439 /* Handle extra references */
1440 if (AdditionalReferences)
1441 {
1442 /* Dereference it as many times as required */
1444 -(LONG)AdditionalReferences);
1445 }
1446
1447 /* Decrement the handle count and detach */
1449 PsGetCurrentProcess(),
1450 GrantedAccess,
1451 ObjectType);
1452
1453 /* Detach and fail */
1456}
NTSTATUS NTAPI ObpIncrementUnnamedHandleCount(IN PVOID Object, IN PACCESS_MASK DesiredAccess, IN KPROCESSOR_MODE AccessMode, IN ULONG HandleAttributes, IN PEPROCESS Process)
Definition: obhandle.c:1090
Referenced by ObInsertObject().
◆ ObpDecrementHandleCount()
| VOID NTAPI ObpDecrementHandleCount | ( | IN PVOID | ObjectBody, |
| IN PEPROCESS | Process, | ||
| IN ACCESS_MASK | GrantedAccess, | ||
| IN POBJECT_TYPE | ObjectType | ||
| ) |
Definition at line 530 of file obhandle.c.
534{
535 POBJECT_HEADER ObjectHeader;
537 LONG NewCount;
538 KIRQL CalloutIrql;
539 POBJECT_HEADER_HANDLE_INFO HandleInfo;
540 POBJECT_HANDLE_COUNT_ENTRY HandleEntry;
541 POBJECT_HANDLE_COUNT_DATABASE HandleDatabase;
543 PAGED_CODE();
544
545 /* Get the object type and header */
546 ObjectHeader = OBJECT_TO_OBJECT_HEADER(ObjectBody);
548 "%s - Decrementing count for: %p. HC PC %lx %lx\n",
549 __FUNCTION__,
550 ObjectBody,
551 ObjectHeader->HandleCount,
552 ObjectHeader->PointerCount);
553
554 /* Lock the object */
555 ObpAcquireObjectLock(ObjectHeader);
556
557 /* Set default counts */
558 SystemHandleCount = ObjectHeader->HandleCount;
559 ProcessHandleCount = 0;
560
561 /* Decrement the handle count */
563
564 /* Check if we're out of handles and this was an exclusive object */
566 {
567 /* Clear the exclusive flag */
569 }
570
571 /* Is the object type keeping track of handles? */
573 {
574 /* Get handle information */
575 HandleInfo = OBJECT_HEADER_TO_HANDLE_INFO(ObjectHeader);
576
577 /* Check if there's only a single entry */
579 {
580 /* It should be us */
583
584 /* Get the handle counts */
586 HandleEntry = &HandleInfo->SingleEntry;
587 }
588 else
589 {
590 /* Otherwise, get the database */
591 HandleDatabase = HandleInfo->HandleCountDatabase;
592 if (HandleDatabase)
593 {
594 /* Get the entries and loop them */
596 HandleEntry = &HandleDatabase->HandleCountEntries[0];
598 {
599 /* Check if this is a match */
602 {
603 /* Found it, get the process handle count */
605 break;
606 }
607
608 /* Keep looping */
609 HandleEntry++;
610 i--;
611 }
612 }
613 else
614 {
615 /* No database, so no entry */
616 HandleEntry = NULL;
617 }
618 }
619
620 /* Check if this is the last handle */
622 {
623 /* Then clear the entry */
625 HandleEntry->HandleCount = 0;
626 }
627 }
628
629 /* Release the lock */
630 ObpReleaseObjectLock(ObjectHeader);
631
632 /* Check if we have a close procedure */
634 {
635 /* Call it */
636 ObpCalloutStart(&CalloutIrql);
638 ObjectBody,
639 GrantedAccess,
640 ProcessHandleCount,
641 SystemHandleCount);
643 }
644
645 /* Check if we should delete the object */
646 ObpDeleteNameCheck(ObjectBody);
647
648 /* Decrease the total number of handles for this type */
651 "%s - Decremented count for: %p. HC PC %lx %lx\n",
652 __FUNCTION__,
653 ObjectBody,
654 ObjectHeader->HandleCount,
655 ObjectHeader->PointerCount);
656}
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
Definition: obtypes.h:449
OBJECT_HANDLE_COUNT_ENTRY HandleCountEntries[1]
Definition: obtypes.h:451
Definition: obtypes.h:443
Definition: obtypes.h:455
POBJECT_HANDLE_COUNT_DATABASE HandleCountDatabase
Definition: obtypes.h:458
OBJECT_HANDLE_COUNT_ENTRY SingleEntry
Definition: obtypes.h:459
Referenced by ObDuplicateObject(), ObpCloseHandleTableEntry(), ObpCreateHandle(), and ObpCreateUnnamedHandle().
◆ ObpDuplicateHandleCallback()
| BOOLEAN NTAPI ObpDuplicateHandleCallback | ( | IN PEPROCESS | Process, |
| IN PHANDLE_TABLE | HandleTable, | ||
| IN PHANDLE_TABLE_ENTRY | OldEntry, | ||
| IN PHANDLE_TABLE_ENTRY | HandleTableEntry | ||
| ) |
Definition at line 1960 of file obhandle.c.
1964{
1965 POBJECT_HEADER ObjectHeader;
1969 PAGED_CODE();
1970
1971 /* Make sure that the handle is inheritable */
1972 Ret = (HandleTableEntry->ObAttributes & OBJ_INHERIT) != 0;
1973 if (Ret)
1974 {
1975 /* Get the object header */
1976 ObjectHeader = ObpGetHandleObject(HandleTableEntry);
1977
1978 /* Increment the pointer count */
1980
1981 /* Release the handle lock */
1983
1984 /* Setup the access state */
1985 AccessState.PreviouslyGrantedAccess = HandleTableEntry->GrantedAccess;
1986
1987 /* Call the shared routine for incrementing handles */
1989 &AccessState,
1990 KernelMode,
1991 HandleTableEntry->ObAttributes & OBJ_HANDLE_ATTRIBUTES,
1992 Process,
1993 ObInheritHandle);
1995 {
1996 /* Return failure */
1998 Ret = FALSE;
1999 }
2000 }
2001 else
2002 {
2003 /* Release the handle lock */
2005 }
2006
2007 /* Return duplication result */
2008 return Ret;
2009}
Referenced by ObInitProcess().
◆ ObpEnumFindHandleProcedure()
| BOOLEAN NTAPI ObpEnumFindHandleProcedure | ( | IN PHANDLE_TABLE_ENTRY | HandleEntry, |
| IN HANDLE | Handle, | ||
| IN PVOID | Context | ||
| ) |
Definition at line 211 of file obhandle.c.
214{
215 POBJECT_HEADER ObjectHeader;
219
220 /* Get the object header */
221 ObjectHeader = ObpGetHandleObject(HandleEntry);
222
223 /* Make sure it's valid and matching */
225 {
226 /* No match, fail */
228 }
229
230 /* Now attempt to match the object type */
232 {
233 /* No match, fail */
235 }
236
237 /* Check if we have extra information */
239 {
240 /* Get the granted access and attributes */
241 GrantedAccess = HandleEntry->GrantedAccess;
243
244 /* Attempt to match them */
247 {
248 /* No match, fail */
250 }
251 }
252
253 /* We have a match */
255}
Referenced by ObFindHandleForObject().
◆ ObpIncrementHandleCount()
| NTSTATUS NTAPI ObpIncrementHandleCount | ( | IN PVOID | Object, |
| IN PACCESS_STATE AccessState | OPTIONAL, | ||
| IN KPROCESSOR_MODE | AccessMode, | ||
| IN ULONG | HandleAttributes, | ||
| IN PEPROCESS | Process, | ||
| IN OB_OPEN_REASON | OpenReason | ||
| ) |
Definition at line 811 of file obhandle.c.
817{
818 POBJECT_HEADER ObjectHeader;
822 PEPROCESS ExclusiveProcess;
824 POBJECT_HEADER_CREATOR_INFO CreatorInfo;
825 KIRQL CalloutIrql;
827 ULONG Total;
828 POBJECT_HEADER_NAME_INFO NameInfo;
829 PAGED_CODE();
830
831 /* Get the object header and type */
835 "%s - Incrementing count for: %p. Reason: %lx. HC PC %lx %lx\n",
836 __FUNCTION__,
837 Object,
838 OpenReason,
839 ObjectHeader->HandleCount,
840 ObjectHeader->PointerCount);
841
842 /* Check if caller is forcing user mode */
844 {
845 /* Force it */
847 }
848 else
849 {
850 /* Keep original setting */
852 }
853
854 /* Lock the object */
855 ObpAcquireObjectLock(ObjectHeader);
856
857 /* Charge quota and remove the creator info flag */
860
861 /* Check if the open is exclusive */
863 {
864 /* Check if the object allows this, or if the inherit flag was given */
867 {
868 /* Incorrect attempt */
870 goto Quickie;
871 }
872
873 /* Check if we have access to it */
874 ExclusiveProcess = OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader);
876 ((ExclusiveProcess) && (ExclusiveProcess != PsGetCurrentProcess())))
877 {
878 /* This isn't the right process */
880 goto Quickie;
881 }
882
883 /* Now you got exclusive access */
885 }
887 (OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader)))
888 {
889 /* Caller didn't want exclusive access, but the object is exclusive */
891 goto Quickie;
892 }
893
894 /* Check for exclusive kernel object */
895 NameInfo = OBJECT_HEADER_TO_NAME_INFO(ObjectHeader);
898 {
899 /* Caller is not kernel, but the object is kernel exclusive */
901 goto Quickie;
902 }
903
904 /*
905 * Check if this is an object that went from 0 handles back to existence,
906 * but doesn't have an open procedure, only a close procedure. This means
907 * that it will never realize that the object is back alive, so we must
908 * fail the request.
909 */
911 !(NewObject) &&
912 (ObjectType->TypeInfo.MaintainHandleCount) &&
913 !(ObjectType->TypeInfo.OpenProcedure) &&
914 (ObjectType->TypeInfo.CloseProcedure))
915 {
916 /* Fail */
918 goto Quickie;
919 }
920
921 /* Check if we're opening an existing handle */
924 {
925 /* Validate the caller's access to this object */
927 AccessState,
928 TRUE,
929 ProbeMode,
930 &Status))
931 {
932 /* Access was denied, so fail */
933 goto Quickie;
934 }
935 }
937 {
938 /* Convert MAXIMUM_ALLOWED to GENERIC_ALL */
940 {
941 /* Mask out MAXIMUM_ALLOWED and stick GENERIC_ALL instead */
942 AccessState->RemainingDesiredAccess &= ~MAXIMUM_ALLOWED;
944 }
945
946 /* Check if we have to map the GENERIC mask */
948 {
949 /* Map it to the correct access masks */
951 &ObjectType->TypeInfo.GenericMapping);
952 }
953
954 /* Check if the caller is trying to access system security */
956 {
957 /* FIXME: TODO */
959 }
960 }
961
962 /* Check if this is an exclusive handle */
964 {
965 /* Save the owner process */
967 }
968
969 /* Increase the handle count */
971 ProcessHandleCount = 0;
972
973 /* Check if we have a handle database */
975 {
976 /* Increment the handle database */
978 Process,
979 &ProcessHandleCount);
981 {
982 /* FIXME: This should never happen for now */
985 goto Quickie;
986 }
987 }
988
989 /* Release the lock */
990 ObpReleaseObjectLock(ObjectHeader);
991
992 /* Check if we have an open procedure */
995 {
996 /* Call it */
997 ObpCalloutStart(&CalloutIrql);
999 Process,
1000 Object,
1001 AccessState ?
1002 AccessState->
1003 PreviouslyGrantedAccess :
1004 0,
1005 ProcessHandleCount);
1007
1008 /* Check if the open procedure failed */
1010 {
1011 /* FIXME: This should never happen for now */
1015 }
1016 }
1017
1018 /* Check if this is a create operation */
1020 {
1021 /* Check if we have creator info */
1022 CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO(ObjectHeader);
1023 if (CreatorInfo)
1024 {
1025 /* We do, acquire the lock */
1027
1028 /* Insert us on the list */
1030
1031 /* Release the lock */
1033 }
1034 }
1035
1036 /* Increase total number of handles */
1039 {
1040 /* Fixup count */
1041 ObjectType->HighWaterNumberOfHandles = Total;
1042 }
1043
1044 /* Trace call and return */
1046 "%s - Incremented count for: %p. Reason: %lx HC PC %lx %lx\n",
1047 __FUNCTION__,
1048 Object,
1049 OpenReason,
1050 ObjectHeader->HandleCount,
1051 ObjectHeader->PointerCount);
1053
1054Quickie:
1055 /* Release lock and return */
1056 ObpReleaseObjectLock(ObjectHeader);
1058}
#define OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(h)
Definition: obtypes.h:131
BOOLEAN NTAPI ObCheckObjectAccess(IN PVOID Object, IN OUT PACCESS_STATE AccessState, IN BOOLEAN LockHeld, IN KPROCESSOR_MODE AccessMode, OUT PNTSTATUS ReturnedStatus)
Definition: obsecure.c:441
FORCEINLINE VOID ObpLeaveObjectTypeMutex(IN POBJECT_TYPE ObjectType)
Definition: ob_x.h:352
FORCEINLINE VOID ObpEnterObjectTypeMutex(IN POBJECT_TYPE ObjectType)
Definition: ob_x.h:340
NTSTATUS NTAPI ObpIncrementHandleDataBase(IN POBJECT_HEADER ObjectHeader, IN PEPROCESS Process, IN OUT PULONG NewProcessHandleCount)
Definition: obhandle.c:333
Definition: obtypes.h:464
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK PreviouslyGrantedAccess
Definition: sefuncs.h:16
Referenced by ObDuplicateObject(), ObpCreateHandle(), and ObpDuplicateHandleCallback().
◆ ObpIncrementHandleDataBase()
| NTSTATUS NTAPI ObpIncrementHandleDataBase | ( | IN POBJECT_HEADER | ObjectHeader, |
| IN PEPROCESS | Process, | ||
| IN OUT PULONG | NewProcessHandleCount | ||
| ) |
Definition at line 333 of file obhandle.c.
336{
337 POBJECT_HEADER_HANDLE_INFO HandleInfo;
339 POBJECT_HANDLE_COUNT_DATABASE HandleDatabase;
341 PAGED_CODE();
342
343 /* Get the handle info and check if we only have one entry */
344 HandleInfo = OBJECT_HEADER_TO_HANDLE_INFO(ObjectHeader);
346 {
347 /* Check if the entry is free */
349 {
350 /* Add ours */
353
354 /* Return success and 1 handle */
355 *NewProcessHandleCount = 1;
357 }
359 {
360 /* Busy entry, but same process */
363 }
364 else
365 {
366 /* Insert a new entry */
367 FreeEntry = ObpInsertHandleCount(ObjectHeader);
371
372 /* Fill it out */
374 FreeEntry->HandleCount = 1;
375
376 /* Return success and 1 handle */
377 *NewProcessHandleCount = 1;
379 }
380 }
381
382 /* We have a database instead */
383 HandleDatabase = HandleInfo->HandleCountDatabase;
384 if (HandleDatabase)
385 {
386 /* Get the entries and loop them */
388 HandleEntry = &HandleDatabase->HandleCountEntries[0];
390 {
391 /* Check if this is a match */
393 {
394 /* Found it, get the process handle count */
395 *NewProcessHandleCount = ++HandleEntry->HandleCount;
397 }
399 {
400 /* Found a free entry */
401 FreeEntry = HandleEntry;
402 }
403
404 /* Keep looping */
405 HandleEntry++;
406 i--;
407 }
408
409 /* Check if we couldn't find a free entry */
410 if (!FreeEntry)
411 {
412 /* Allocate one */
413 FreeEntry = ObpInsertHandleCount(ObjectHeader);
417 }
418
419 /* Fill out the entry */
421 FreeEntry->HandleCount = 1;
422 *NewProcessHandleCount = 1;
423 }
424
425 /* Return success if we got here */
427}
POBJECT_HANDLE_COUNT_ENTRY NTAPI ObpInsertHandleCount(IN POBJECT_HEADER ObjectHeader)
Definition: obhandle.c:259
Referenced by ObpIncrementHandleCount(), and ObpIncrementUnnamedHandleCount().
◆ ObpIncrementUnnamedHandleCount()
| NTSTATUS NTAPI ObpIncrementUnnamedHandleCount | ( | IN PVOID | Object, |
| IN PACCESS_MASK | DesiredAccess, | ||
| IN KPROCESSOR_MODE | AccessMode, | ||
| IN ULONG | HandleAttributes, | ||
| IN PEPROCESS | Process | ||
| ) |
Definition at line 1090 of file obhandle.c.
1095{
1096 POBJECT_HEADER ObjectHeader;
1100 PEPROCESS ExclusiveProcess;
1102 POBJECT_HEADER_CREATOR_INFO CreatorInfo;
1103 KIRQL CalloutIrql;
1104 ULONG Total;
1105
1106 /* Get the object header and type */
1110 "%s - Incrementing count for: %p. UNNAMED. HC PC %lx %lx\n",
1111 __FUNCTION__,
1112 Object,
1113 ObjectHeader->HandleCount,
1114 ObjectHeader->PointerCount);
1115
1116 /* Lock the object */
1117 ObpAcquireObjectLock(ObjectHeader);
1118
1119 /* Charge quota and remove the creator info flag */
1122
1123 /* Check if the open is exclusive */
1125 {
1126 /* Check if the object allows this, or if the inherit flag was given */
1129 {
1130 /* Incorrect attempt */
1132 goto Quickie;
1133 }
1134
1135 /* Check if we have access to it */
1136 ExclusiveProcess = OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader);
1138 ((ExclusiveProcess) && (ExclusiveProcess != PsGetCurrentProcess())))
1139 {
1140 /* This isn't the right process */
1142 goto Quickie;
1143 }
1144
1145 /* Now you got exclusive access */
1147 }
1149 (OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader)))
1150 {
1151 /* Caller didn't want exclusive access, but the object is exclusive */
1153 goto Quickie;
1154 }
1155
1156 /*
1157 * Check if this is an object that went from 0 handles back to existence,
1158 * but doesn't have an open procedure, only a close procedure. This means
1159 * that it will never realize that the object is back alive, so we must
1160 * fail the request.
1161 */
1163 !(NewObject) &&
1164 (ObjectType->TypeInfo.MaintainHandleCount) &&
1165 !(ObjectType->TypeInfo.OpenProcedure) &&
1166 (ObjectType->TypeInfo.CloseProcedure))
1167 {
1168 /* Fail */
1170 goto Quickie;
1171 }
1172
1173 /* Convert MAXIMUM_ALLOWED to GENERIC_ALL */
1175 {
1176 /* Mask out MAXIMUM_ALLOWED and stick GENERIC_ALL instead */
1177 *DesiredAccess &= ~MAXIMUM_ALLOWED;
1179 }
1180
1181 /* Check if we have to map the GENERIC mask */
1183 {
1184 /* Map it to the correct access masks */
1186 &ObjectType->TypeInfo.GenericMapping);
1187 }
1188
1189 /* Check if this is an exclusive handle */
1191 {
1192 /* Save the owner process */
1194 }
1195
1196 /* Increase the handle count */
1198 ProcessHandleCount = 0;
1199
1200 /* Check if we have a handle database */
1202 {
1203 /* Increment the handle database */
1205 Process,
1206 &ProcessHandleCount);
1208 {
1209 /* FIXME: This should never happen for now */
1212 goto Quickie;
1213 }
1214 }
1215
1216 /* Release the lock */
1217 ObpReleaseObjectLock(ObjectHeader);
1218
1219 /* Check if we have an open procedure */
1222 {
1223 /* Call it */
1224 ObpCalloutStart(&CalloutIrql);
1226 Process,
1227 Object,
1228 *DesiredAccess,
1229 ProcessHandleCount);
1231
1232 /* Check if the open procedure failed */
1234 {
1235 /* FIXME: This should never happen for now */
1239 }
1240 }
1241
1242 /* Check if we have creator info */
1243 CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO(ObjectHeader);
1244 if (CreatorInfo)
1245 {
1246 /* We do, acquire the lock */
1248
1249 /* Insert us on the list */
1251
1252 /* Release the lock */
1254 }
1255
1256 /* Increase total number of handles */
1259 {
1260 /* Fixup count */
1261 ObjectType->HighWaterNumberOfHandles = Total;
1262 }
1263
1264 /* Trace call and return */
1266 "%s - Incremented count for: %p. UNNAMED HC PC %lx %lx\n",
1267 __FUNCTION__,
1268 Object,
1269 ObjectHeader->HandleCount,
1270 ObjectHeader->PointerCount);
1272
1273Quickie:
1274 /* Release lock and return */
1275 ObpReleaseObjectLock(ObjectHeader);
1277}
Referenced by ObpCreateUnnamedHandle().
◆ ObpInsertHandleCount()
| POBJECT_HANDLE_COUNT_ENTRY NTAPI ObpInsertHandleCount | ( | IN POBJECT_HEADER | ObjectHeader | ) |
Definition at line 259 of file obhandle.c.
260{
261 POBJECT_HEADER_HANDLE_INFO HandleInfo;
262 POBJECT_HANDLE_COUNT_ENTRY FreeEntry;
263 POBJECT_HANDLE_COUNT_DATABASE HandleDatabase, OldHandleDatabase;
266 OBJECT_HANDLE_COUNT_DATABASE SingleDatabase;
267 PAGED_CODE();
268
269 /* Get the handle info */
270 HandleInfo = OBJECT_HEADER_TO_HANDLE_INFO(ObjectHeader);
272
273 /* Check if we only have one entry */
275 {
276 /* Fill out the single entry */
277 SingleDatabase.CountEntries = 1;
279
280 /* Use this as the old size */
281 OldHandleDatabase = &SingleDatabase;
282 OldSize = sizeof(SingleDatabase);
283
284 /* Now we'll have two entries, and an entire DB */
285 i = 2;
288 }
289 else
290 {
291 /* We already have a DB, get the information from it */
292 OldHandleDatabase = HandleInfo->HandleCountDatabase;
296
297 /* Add 4 more entries */
298 i += 4;
300 }
301
302 /* Allocate the DB */
305
306 /* Copy the old database */
307 RtlCopyMemory(HandleDatabase, OldHandleDatabase, OldSize);
308
309 /* Check if we he had a single entry before */
311 {
312 /* Now we have more */
313 ObjectHeader->Flags &= ~OB_FLAG_SINGLE_PROCESS;
314 }
315 else
316 {
317 /* Otherwise we had a DB, free it */
319 }
320
321 /* Find the end of the copy and zero out the new data */
324
325 /* Set the new information and return the free entry */
327 HandleInfo->HandleCountDatabase = HandleDatabase;
328 return FreeEntry;
329}
struct _OBJECT_HANDLE_COUNT_ENTRY OBJECT_HANDLE_COUNT_ENTRY
struct _OBJECT_HANDLE_COUNT_DATABASE OBJECT_HANDLE_COUNT_DATABASE
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
Definition: wdfdevice.h:4533
Referenced by ObpIncrementHandleDataBase().
◆ ObpReferenceProcessObjectByHandle()
| NTSTATUS NTAPI ObpReferenceProcessObjectByHandle | ( | IN HANDLE | Handle, |
| IN PEPROCESS | Process, | ||
| IN PHANDLE_TABLE | HandleTable, | ||
| IN KPROCESSOR_MODE | AccessMode, | ||
| OUT PVOID * | Object, | ||
| OUT POBJECT_HANDLE_INFORMATION | HandleInformation, | ||
| OUT PACCESS_MASK | AuditMask | ||
| ) |
Definition at line 85 of file obhandle.c.
92{
93 PHANDLE_TABLE_ENTRY HandleEntry;
94 POBJECT_HEADER ObjectHeader;
99
100 /* Assume failure */
102
103 /* Check if this is a special handle */
105 {
106 /* Check if the caller wants the current process */
108 {
109 /* Return handle info */
110 HandleInformation->HandleAttributes = 0;
112
113 /* No audit mask */
114 *AuditMask = 0;
115
116 /* Reference ourselves */
119
120 /* Return the pointer */
124 }
125
126 /* Check if the caller wants the current thread */
128 {
129 /* Return handle information */
130 HandleInformation->HandleAttributes = 0;
132
133 /* Reference ourselves */
136
137 /* No audit mask */
138 *AuditMask = 0;
139
140 /* Return the pointer */
144 }
145
146 /* This is a kernel handle... do we have access? */
148 {
149 /* Use the kernel handle table and get the actual handle value */
152 }
153 else
154 {
155 /* This is an illegal attempt to access a kernel handle */
157 }
158 }
159
160 /* Enter a critical region while we touch the handle table */
162 KeEnterCriticalRegion();
163
164 /* Get the handle entry */
166 if (HandleEntry)
167 {
168 /* Get the object header and validate the type*/
169 ObjectHeader = ObpGetHandleObject(HandleEntry);
170
171 /* Get the granted access and validate it */
173
174 /* Mask out the internal attributes */
176
177 /* Fill out the information */
180
181 /* No audit mask (FIXME!) */
182 *AuditMask = 0;
183
184 /* Return the pointer */
186
187 /* Add a reference */
189
190 /* Unlock the handle */
192 KeLeaveCriticalRegion();
193
194 /* Return success */
197 }
198 else
199 {
200 /* Invalid handle */
202 }
203
204 /* Return failure status */
205 KeLeaveCriticalRegion();
207}
Definition: pstypes.h:1102
_Must_inspect_result_ _In_ WDFDMAENABLER _In_ _In_opt_ PWDF_OBJECT_ATTRIBUTES Attributes
Definition: wdfcommonbuffer.h:97
Referenced by ObDuplicateObject().
◆ ObpSetHandleAttributes()
| BOOLEAN NTAPI ObpSetHandleAttributes | ( | IN OUT PHANDLE_TABLE_ENTRY | HandleTableEntry, |
| IN ULONG_PTR | Context | ||
| ) |
Definition at line 1859 of file obhandle.c.
1861{
1864
1865 /* Check if making the handle inheritable */
1867 {
1868 /* Check if inheriting is not supported for this object */
1870 {
1871 /* Fail without changing anything */
1873 }
1874
1875 /* Set the flag */
1876 HandleTableEntry->ObAttributes |= OBJ_INHERIT;
1877 }
1878 else
1879 {
1880 /* Otherwise this implies we're removing the flag */
1881 HandleTableEntry->ObAttributes &= ~OBJ_INHERIT;
1882 }
1883
1884 /* Check if making the handle protected */
1886 {
1887 /* Set the flag */
1888 HandleTableEntry->GrantedAccess |= ObpAccessProtectCloseBit;
1889 }
1890 else
1891 {
1892 /* Otherwise, remove it */
1893 HandleTableEntry->GrantedAccess &= ~ObpAccessProtectCloseBit;
1894 }
1895
1896 /* Return success */
1898}
BOOLEAN ProtectFromClose
Definition: obtypes.h:273
Definition: ob.h:110
OBJECT_HANDLE_ATTRIBUTE_INFORMATION Information
Definition: ob.h:112
Referenced by NtSetInformationObject(), and ObSetHandleAttributes().
◆ ObpValidateAccessMask()
| NTSTATUS NTAPI ObpValidateAccessMask | ( | IN PACCESS_STATE | AccessState | ) |
Definition at line 488 of file obhandle.c.
489{
491
492 /* We're only interested if the object for this access state has an SD */
495 {
496 /* Check if the SD has a system ACL but hasn't been granted access to get/set it */
499 {
500 /* We're gonna need access */
502 }
503 }
504
505 /* This can't fail */
507}
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
Referenced by ObInsertObject(), and ObOpenObjectByName().
◆ ObReferenceProcessHandleTable()
| PHANDLE_TABLE NTAPI ObReferenceProcessHandleTable | ( | IN PEPROCESS | Process | ) |
Definition at line 26 of file obhandle.c.
27{
29
30 /* Lock the process */
32 {
33 /* Get the handle table */
36 {
37 /* No table, release the lock */
39 }
40 }
41
42 /* Return the handle table */
44}
Referenced by ObClearProcessHandleTable(), ObDuplicateObject(), ObFindHandleForObject(), ObGetProcessHandleCount(), and ObInitProcess().
◆ ObSetHandleAttributes()
| NTSTATUS NTAPI ObSetHandleAttributes | ( | IN HANDLE | Handle, |
| IN POBJECT_HANDLE_ATTRIBUTE_INFORMATION | HandleFlags, | ||
| IN KPROCESSOR_MODE | PreviousMode | ||
| ) |
Definition at line 3308 of file obhandle.c.
3311{
3312 OBP_SET_HANDLE_ATTRIBUTES_CONTEXT SetHandleAttributesContext;
3316 PAGED_CODE();
3317
3318 /* Check if this is a kernel handle */
3320 {
3321 /* Use the kernel table and convert the handle */
3324
3325 /* Check if we're not in the system process */
3327 {
3328 /* Attach to the system process */
3330 AttachedToSystemProcess = TRUE;
3331 }
3332 }
3333 else
3334 {
3335 /* Get the current process' handle table */
3337 }
3338
3339 /* Initialize the handle attribute context */
3341 SetHandleAttributesContext.Information = *HandleFlags;
3342
3343 /* Invoke the ObpSetHandleAttributes callback */
3345 Handle,
3346 ObpSetHandleAttributes,
3347 (ULONG_PTR)&SetHandleAttributesContext);
3348
3349 /* Did we attach to the system process? */
3350 if (AttachedToSystemProcess)
3351 {
3352 /* Detach from it */
3354 }
3355
3356 /* Return the result as an NTSTATUS value */
3358}
BOOLEAN NTAPI ExChangeHandle(IN PHANDLE_TABLE HandleTable, IN HANDLE Handle, IN PEX_CHANGE_HANDLE_CALLBACK ChangeRoutine, IN ULONG_PTR Context)
Definition: handle.c:1189
BOOLEAN NTAPI ObpSetHandleAttributes(IN OUT PHANDLE_TABLE_ENTRY HandleTableEntry, IN ULONG_PTR Context)
Definition: obhandle.c:1859
Variable Documentation
◆ ObpKernelHandleTable
| PHANDLE_TABLE ObpKernelHandleTable = NULL |
Definition at line 20 of file obhandle.c.
Referenced by NtSetInformationObject(), NtWaitForMultipleObjects(), ObInitSystem(), ObpCloseHandle(), ObpCreateHandle(), ObpCreateUnnamedHandle(), ObpReferenceProcessObjectByHandle(), ObQueryObjectAuditingByHandle(), ObReferenceFileObjectForWrite(), ObReferenceObjectByHandle(), and ObSetHandleAttributes().
