Enhanced GFlags Tool

Monday, April 3, 2017

The well-known GFlags tool, part of the Debugging Tools for Windows package, allows manipulating a 32-bit flags value that the kernel maintains both globally and per process. Strictly speaking, GFlags allows changing more than just these flags, such as adding the Debugger value to an image file entry, which indicates the executable that should be activated whenever the original image is executed. GFlags has a crude user interface that has not been updated for ages. The first annoyance with its UI is the lack of a minimize button. Here's a screenshot: The tool provides a way to change flags for three...

Hiding Named Objects

Thursday, March 2, 2017

A common technique in Windows for sharing kernel objects between processes is to use a name. The cooperating processes call the appropriate Create function (e.g. CreateMutex) and specify a simple string name. The first process to make the call actually creates the object, and subsequent processes get another handle to the exact same object. Whether the object is new or not does not usually matter; however, that piece of information is available via a GetLastError() code of ERROR_ALREADY_EXISTS. Another option is to call the corresponding Open function (e.g. OpenMutex) in cases where it's known that the intended object has...

Creating an Object Manager Browser Part 2–Viewing Object Information

Sunday, February 9, 2014

In the previous post, I showed how to use Native API functions to access information not available through the normal, documented Windows API. In this post, I'd like to show how to take a look at specific objects, such as mutexes, events and semaphores. But first, a bug fix. There was a bug in the code that enumerated a directory object, which manifested when the list of objects was too long, or rather, when the buffer required to hold all object names and type names was insufficient. The code checked the returned number of bytes needed and compared it with...

Creating a “WinObj”-like Tool

Wednesday, February 5, 2014

The SysInternals WinObj tool allows looking into the Object Manager's namespace: The left view looks like file system folders, but in fact these are logical folders maintained by the Object Manager (part of the Executive within the kernel) purely in memory. In this post I will not get into details about the information itself that the tool provides. You can find some information on the web and in the book "The SysInternals Administrative Reference". How does WinObj get the information? One obvious way is to use a driver; in kernel mode everything is...