Enhanced GFlags Tool

Monday, April 3, 2017

The well-known GFlags tool, part of the Debugging tools for Windows package allows manipulating a 32-bit flags value maintained by the kernel and per-process. Strictly speaking, Gflags allows changing more than just these flags, such as adding the Debugger value to an image file entry that indicates which executable should be activated whenever the original image is executed. GFlags has a crude user interface that has not been updated for ages. The first annoyance with its UI is the lack of a minimize button. Here's a screenshot: The tool provides a way to change flags for three...
no comments

Hiding Named Objects

Thursday, March 2, 2017

A common technique in Windows for sharing kernel objects between processes is by using a name. The cooperating processes call the appropriate Create function (e.g. CreateMutex) and specify a simple string name. The first process to make the call actually creates the object, and subsequent processes get another handle to the exact same object. Whether that's a new object or not does not usually matter; however, that piece of information is returned with a GetLastError() code of ERROR_ALREADY_EXISTS. Another option is to call the corresponding Open (e.g. OpenMutex) function in cases where it's known that the intended object has...
no comments

Kernel Pool Monitor – the GUI Version

Wednesday, September 14, 2016

The Windows Driver Kit (WDK) comes with a well known and pretty old tool called PoolMon. PoolMon shows kernel allocations done with ExAllocatePoolWithTag, where the pool type is typically Paged or NonPaged and each allocations is attached by a ‘tag’ – a four byte value that should indicate the component making the allocation. This is useful for finding memory leaks, since kernel memory is never automatically freed (as opposed to user mode processes). If a kernel component or driver sees its tag with increasing memory consumption – that would indicate a leak (unless it’s a transient burst of allocations...
one comment

RegRenameKey – Hidden registry API

Tuesday, September 29, 2015

While working on a pet project called Registry Explorer (yes, I know there are a bunch of those floating around, most of them pretty old) to be yet another RegEdit.exe replacement, I wanted to add the option to rename a registry key (which RegEdit.exe allows as well). However, looking at the registry APIs (both managed and native) there seems to be no function to rename a key. The closest is the ability to copy a key (with its subkeys and values) via RegCopyTree, so that I can copy the original key with the new name and delete the original...

Creating an Object Manager Browser Part 2–Viewing Object Information

Sunday, February 9, 2014

In the previous post, I’ve shown how to use Native API functions to access information not available through the normal, documented, Windows API. In this post, I’d like to show how to take a look at specific objects, such as mutexes, events and semaphores. But first, a bug fix. In the code that was doing the directory object enumeration was a bug, manifested when the list of objects was too long – or rather, the buffer required to hold all object names and type names was insufficient. The code checked the returned number of bytes needs and compared with...
no comments

Creating a “WinObj”-like Tool

Wednesday, February 5, 2014

The SysInternals WinObj tool allows looking into the Object Manager’s namespace: The left view looks like file system folders, but in fact these are logical folders maintained by the Object Manager (part of the Executive within the kernel) purely in memory. I will not get into details about the information itself that is provided by the tool in this post. You can find some information on the web and the book “The SysInternals Administrative Reference”. How does WinObj gets the information? One obvious way is to use a driver – in kernel mode everything is...