Enumerating Job Objects

Saturday, June 17, 2017

Job objects have been around since Windows 2000, providing a convenient way to set limits on, and otherwise manage, a set of processes. Up until Windows 8, job objects were used sparingly because a process could belong to at most one job. An application wanting to set limits on a process it did not create itself therefore had no way of knowing whether that process was already part of a job; if it was, assigning it to another job would simply fail. Starting with Windows 8, jobs can be nested, effectively creating a job hierarchy...

Monitoring ALPC Messages

Sunday, February 12, 2017

Advanced (or Asynchronous, if you prefer) Local Procedure Call (ALPC) is the internal inter-process communication (IPC) mechanism Windows components use to exchange messages. It is similar in principle to Remote Procedure Call (RPC), with client and server ports, but it does not use any networking and is optimized for different message sizes. Capturing ALPC messages reveals communication between processes that is otherwise almost invisible. Hooking ALPC messages is possible but not easy. First, the user-mode and kernel-mode APIs are undocumented. Second, hooking would likely involve all processes for which...

Tip: Enable Kernel Debug output on Vista and up

Wednesday, December 17, 2014

Those writing device drivers, or interested in seeing the output of a kernel driver’s calls to the KdPrint macro or the DbgPrint function, may find that the messages don’t appear on Windows Vista or newer versions of Windows. Even when using a tool such as DebugView (from SysInternals), running with administrative privileges and with kernel capture turned on, nothing seems to appear from the expected drivers. The reason is that in Vista and up kernel debug output is filtered: each message carries a component ID and a level (explicit in DbgPrintEx and KdPrintEx; DbgPrint and KdPrint implicitly use the DEFAULT component at the INFO level), and a message is shown only if the bit for its level is set in that component’s filter mask. By default only the ERROR level passes, which is why ordinary DbgPrint output is silently dropped. The mask lives in the registry under the Debug Print Filter key and can also be changed live from a kernel debugger. A complete explanation can be found in the MS...
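As an added example (this is not code from the original post), the following PowerShell functions set and read back the filter mask for the DEFAULT component, which is the one plain DbgPrint and KdPrint calls use. The mask is a bitmask in which bit n enables level n, so 0xF enables levels 0 through 3 (ERROR, WARNING, TRACE and INFO). The registry path and value semantics are the documented Debug Print Filter mechanism; the function names are this example’s own. It must run in an elevated shell, and the registry change takes effect after a reboot.

```powershell
# Added example: control the Debug Print Filter mask for a component.
# Requires an elevated PowerShell session; the registry setting is read at boot.
$DebugPrintFilterKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'

function Set-DebugPrintFilter {
    param(
        # DbgPrint/KdPrint use the DEFAULT component (DPFLTR_DEFAULT_ID).
        # DbgPrintEx/KdPrintEx callers may use another component name, e.g. IHVDRIVER.
        [string]$Component = 'DEFAULT',
        # Bit n enables level n. 0xF = ERROR (0) | WARNING (1) | TRACE (2) | INFO (3).
        [int]$Mask = 0xF
    )
    if (-not (Test-Path -Path $DebugPrintFilterKey)) {
        # The key does not exist on a clean system; create it.
        New-Item -Path $DebugPrintFilterKey -Force | Out-Null
    }
    New-ItemProperty -Path $DebugPrintFilterKey -Name $Component `
        -PropertyType DWord -Value $Mask -Force | Out-Null
}

function Get-DebugPrintFilter {
    param([string]$Component = 'DEFAULT')
    if (-not (Test-Path -Path $DebugPrintFilterKey)) { return $null }
    $props = Get-ItemProperty -Path $DebugPrintFilterKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $Component)) {
        # No mask configured: only DPFLTR_ERROR_LEVEL messages are shown.
        return $null
    }
    return [int]$props.$Component
}

function Remove-DebugPrintFilter {
    param([string]$Component = 'DEFAULT')
    if (Test-Path -Path $DebugPrintFilterKey) {
        Remove-ItemProperty -Path $DebugPrintFilterKey -Name $Component -ErrorAction SilentlyContinue
    }
}

# Usage: enable ERROR..INFO for plain DbgPrint/KdPrint output, then confirm.
Set-DebugPrintFilter -Component 'DEFAULT' -Mask 0xF
'DEFAULT mask is now 0x{0:X}' -f (Get-DebugPrintFilter -Component 'DEFAULT')
```

When a kernel debugger is attached, the same mask can be changed without a reboot by writing the kernel variable directly, for example `ed nt!Kd_DEFAULT_Mask 0xF` in WinDbg; the registry value is what initializes that variable at boot.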

Creating a “WinObj”-like Tool

Wednesday, February 5, 2014

The SysInternals WinObj tool lets you browse the Object Manager’s namespace. The left view looks like file system folders, but in fact these are logical directories maintained by the Object Manager (part of the Executive within the kernel) purely in memory. I will not get into details about the information itself that the tool provides in this post; you can find some information on the web and in the book “The SysInternals Administrative Reference”. How does WinObj get the information? One obvious way is to use a driver – in kernel mode everything is...

Test Signing Drivers on Windows 8.x

Sunday, January 26, 2014

I’ve been on a driver streak lately, maybe because I’m completing my third “Windows Internals” course on PluralSight. (If you’re a .NET developer, you may want to skip this post…) The last two modules of that course (which should be published in a week or two if all goes well) deal with writing a software driver, meaning a driver that exists for the sole purpose of executing code in the all-powerful kernel mode. One of the requirements for a driver on a 64-bit Windows system is that it be signed – otherwise the kernel refuses to load it. This means...