0. What are kernel objects? - There are several types of kernel objects, such as access token objects, event objects, file objects, file-mapping objects, I/O completion port objects, job objects, mailslot objects, mutex objects, pipe objects, process objects, semaphore objects, thread objects, and waitable timer objects.
1. What is a kernel object? - Each kernel object is simply a memory block allocated by the kernel and is accessible only by the kernel. This memory block is a data structure whose members maintain information about the object. Some members (security descriptor, usage count, and so on) are the same across all object types, but most are specific to a particular object type. For example, a process object has a process ID, a base priority, and an exit code, whereas a file object has a byte offset, a sharing mode, and an open mode.
2. Can user-mode code access these kernel object structures? - No. Kernel object data structures are accessible only by the kernel; an application never sees the object's address, only a handle that refers to it.
3. If we cannot alter these kernel object structures directly, how do our applications manipulate them? - Windows offers a set of functions that manipulate these structures in well-defined ways, and kernel objects are accessible only through these functions. When you call a function that creates a kernel object, the function returns a handle that identifies the object.
4. Who owns a kernel object? - Kernel objects are owned by the kernel, not by the process that created them.
5. How can a kernel object outlive the process that created it? - If your process calls a function that creates a kernel object and then terminates, the kernel object is not necessarily destroyed. Under most circumstances it will be; but if another process is using the kernel object your process created, the kernel does not destroy the object until that other process has also stopped using it.
6. Which data member is common to all kernel objects, and what is it used for? - The usage count is one of the data members common to all kernel object types (the security descriptor is another). When an object is created its usage count is set to 1; it is incremented each time another process gains access to the object and decremented each time a handle to it is closed. When the count reaches zero, the kernel destroys the object.
7. How do you tell a kernel object from a User or GDI object? - The easiest way to determine whether an object is a kernel object is to examine the function that creates it. Almost all functions that create kernel objects have a parameter that lets you specify security attribute information (a PSECURITY_ATTRIBUTES parameter, such as the first parameter of CreateMutex); functions that create User or GDI objects have no such parameter.
8. What is the purpose of the process handle table? - When a process is initialized, the system allocates a handle table for it. This handle table is used only for kernel objects, not for User objects or GDI objects. When a process first initializes, its handle table is empty. When a thread in the process then calls a function that creates a kernel object, such as CreateFileMapping, the kernel allocates a block of memory for the object and initializes it; the kernel then scans the process's handle table for an empty entry, stores the object's address (together with the access mask and flags granted to this process) in that entry, and returns the entry's index to the caller as the handle.
9. Name a few functions that create kernel objects. - HANDLE CreateThread(...), HANDLE CreateFile(...), HANDLE CreateFileMapping(...), HANDLE CreateSemaphore(...), and so on. All functions that create kernel objects return process-relative handles that can be used by any thread running in the same process. Note that the failure value is not uniform: CreateFile returns INVALID_HANDLE_VALUE on failure, whereas most other Create* functions return NULL, so check each return value against the sentinel that function documents.
10. What is a handle? - A handle value is, in effect, an index into the process's handle table that identifies where the kernel object's information is stored. In practice Windows hands out handle values that are multiples of 4 (the low two bits are not part of the index), so treat a handle as an opaque value and never do arithmetic on it.
11. How the handle helps in manipulating the kernel objects? - Whenever you call a function that accepts a kernel object handle as an argument, you pass the value returned by one of the Create* functions. Internally, the function looks in your process’s handle table to get the address of the kernel object you want to manipulate and then manipulates the object’s data structure in a well-defined fashion.
12. What happens when CloseHandle(handle) is called? - The function first checks the calling process's handle table to ensure that the index (handle) passed to it identifies an object the process actually has access to. If the index is valid, the system gets the address of the kernel object's data structure, clears the handle table entry, and decrements the usage count member in the structure; if the count reaches zero, the kernel frees the object. If the handle is not valid, CloseHandle returns FALSE (and raises an exception when a debugger is attached). After a successful close the handle value is invalid in this process and the slot may be reused by the next object created, so set the variable to NULL after closing and never close the same handle twice: a second CloseHandle on a stale value can close an unrelated object.
13. If you forget to call CloseHandle, is there a memory leak? - Yes and no. A process can leak resources (such as kernel objects) while it runs. However, when the process terminates, the operating system guarantees that all resources the process used are freed. For kernel objects the system does the following: when your process terminates, it scans the process's handle table, and for any valid entry (an object you did not close before terminating) it closes the handle for you; if the usage count of any of these objects drops to zero, the kernel destroys the object. A long-lived process that leaks handles, such as a service, still keeps those table entries and the kernel memory behind them for as long as it runs.
14. Why are handles process-relative? - The most important reason is robustness. If kernel object handles were system-wide values, one process could easily obtain the handle to an object that another process was using and wreak havoc on that process. Another reason is security. Kernel objects are protected by security descriptors, and a process must request access to an object before attempting to manipulate it; the creator of the object can keep an unauthorized user away from it simply by denying that user access. The handle value alone carries no rights: the access granted when the handle was opened is recorded in the handle table entry and checked on every call.
15. How are handles passed to a child process? - The operating system creates the new child process but does not let it begin executing its code right away. The system creates a new, empty handle table for the child, just as it would for any new process. But because you passed TRUE for CreateProcess's bInheritHandles parameter, the system does one more thing: it walks the parent process's handle table, and for each entry it finds that contains a valid inheritable handle (one created with bInheritHandle set to TRUE in its SECURITY_ATTRIBUTES), it copies the entry exactly into the child process's handle table, at the same position it occupies in the parent's table. Inheritance copies the entry but does not tell the child which index to use, so the parent still has to pass the handle value to the child, typically on its command line or in an environment variable. Because every inheritable handle in the table is copied, not just the ones you intend to share, do not mark handles inheritable by default: a child should receive only the handles it needs.
16. Why are the entries in the parent's and child's tables the same? - Because the entry is copied to the same index, the handle value that identifies a kernel object is identical in both the parent and the child process.
17. What happens to the usage count when a handle is inherited? - The system increments the object's usage count because two processes are now using it. For the kernel object to be destroyed, both the parent process and the child process must either call CloseHandle on the object or terminate. Closing the handle in one process does not affect the other's entry; each table entry is independent once copied.
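The handle-table rules described in questions 8, 11, 12 and 15 to 17 can be exercised with a small model. The following C program is an added example, not code from the page or from Windows; it does not call the Win32 API but simulates the structures the page describes (a per-process table indexed by the handle value, one usage count per object shared by every process, inheritance copying entries to the same index, and a close that decrements the count and frees at zero), so the reference-counting behaviour and the stale-handle reuse hazard from question 12 can be run on any platform. All type and function names here (KernelObject, HandleEntry, Process, create_object, close_handle, inherit_handles, terminate_process) are this example's own and are not Windows functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE 8   /* toy fixed-size table; the real one grows on demand */

/* A kernel object as the page describes it: a usage count shared by every
 * process that holds a handle. Object-specific members are omitted. */
typedef struct { int usage_count; } KernelObject;

/* One handle-table entry: object pointer plus the inheritable flag that
 * SECURITY_ATTRIBUTES.bInheritHandle sets. A NULL object marks an empty slot. */
typedef struct { KernelObject *object; int inheritable; } HandleEntry;

/* A process owns only its handle table, never the objects themselves. */
typedef struct { HandleEntry table[TABLE_SIZE]; } Process;

static int g_destroyed;   /* objects freed so far, so lifetime can be checked */

static void process_init(Process *p) { memset(p, 0, sizeof *p); }

/* Model of a Create* call: allocate the object, scan for the first empty slot
 * and return that slot's index as the handle. Slot 0 is never used, mirroring
 * the NULL handle. Returns 0 on failure. */
static int create_object(Process *p, int inheritable)
{
    for (int i = 1; i < TABLE_SIZE; i++) {
        if (p->table[i].object != NULL) continue;
        KernelObject *o = calloc(1, sizeof *o);
        if (o == NULL) return 0;
        o->usage_count = 1;
        p->table[i].object = o;
        p->table[i].inheritable = inheritable;
        return i;
    }
    return 0;   /* table full */
}

/* Usage count of the object behind a handle, or -1 if the handle is not valid
 * in THIS process: the lookup every handle-taking API performs first. */
static int handle_usage_count(const Process *p, int handle)
{
    if (handle <= 0 || handle >= TABLE_SIZE || p->table[handle].object == NULL)
        return -1;
    return p->table[handle].object->usage_count;
}

/* Model of CloseHandle: validate the index against the caller's own table,
 * clear the entry, decrement the shared count and free the object only when
 * no process refers to it any more. Returns 1 on success, 0 on a bad handle. */
static int close_handle(Process *p, int handle)
{
    if (handle_usage_count(p, handle) < 0) return 0;
    KernelObject *o = p->table[handle].object;
    p->table[handle].object = NULL;
    p->table[handle].inheritable = 0;
    if (--o->usage_count == 0) { free(o); g_destroyed++; }
    return 1;
}

/* Model of CreateProcess with bInheritHandles = TRUE: every inheritable entry
 * is copied into the child at the SAME index and the object's usage count is
 * bumped, since two processes now refer to it. Other entries are not copied. */
static void inherit_handles(const Process *parent, Process *child)
{
    process_init(child);
    for (int i = 1; i < TABLE_SIZE; i++) {
        if (parent->table[i].object == NULL || !parent->table[i].inheritable) continue;
        child->table[i] = parent->table[i];
        child->table[i].object->usage_count++;
    }
}

/* Model of process termination: the system closes whatever was left open. */
static void terminate_process(Process *p)
{
    for (int i = 1; i < TABLE_SIZE; i++)
        if (p->table[i].object != NULL) close_handle(p, i);
}

int main(void)
{
    Process parent, child;
    process_init(&parent);
    int ev  = create_object(&parent, 1);   /* inheritable */
    int mtx = create_object(&parent, 0);   /* private to the parent */
    inherit_handles(&parent, &child);
    printf("child: event %d count %d, mutex %d count %d\n", ev,
           handle_usage_count(&child, ev), mtx, handle_usage_count(&child, mtx));
    close_handle(&parent, ev);   /* parent is done; child still holds the event */
    printf("after parent closes event: destroyed=%d\n", g_destroyed);
    /* Hazard: the freed slot is reused by the next Create*, so a second
     * CloseHandle(ev) would close the NEW object. NULL closed handle variables. */
    int reused = create_object(&parent, 0);
    printf("event handle %d reused: %s\n", ev, reused == ev ? "yes" : "no");
    terminate_process(&child);   /* last reference to the event goes away here */
    terminate_process(&parent);
    printf("after both terminate: destroyed=%d\n", g_destroyed);
    return 0;
}
```

The mutex (created non-inheritable) never appears in the child's table, the event survives the parent's CloseHandle because the child's entry still references it, and the slot the parent freed is handed straight back for the next object, which is the concrete reason a closed handle must not be closed again.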
18. What are named objects? - Naming an object is another method for sharing kernel objects across process boundaries. The kernel objects that can be named are: 1) mutexes, 2) events, 3) semaphores, 4) waitable timers, 5) file mappings, 6) job objects. The Create* functions for these objects take the object name as their last parameter. All named kernel objects share one namespace, so if the name is already in use by an object of a different type the call fails; if an object of the same type with that name already exists, the call opens the existing object instead of creating one and GetLastError returns ERROR_ALREADY_EXISTS. Check for that whenever the object must be newly created, because another process, possibly a less privileged one, can create the name first. Names are also per session by default; prefix the name with Global\ to share it across sessions.
19. What is an unnamed object? - When you create a kernel object with a function such as CreateMutex(psa, bInitialOwner, pszName) and pass NULL for pszName, you are telling the system to create an unnamed (anonymous) kernel object. An unnamed object can still be shared across processes, either by handle inheritance or by DuplicateHandle.