I don't think this is accurate. The right method to do this would be to use
the output of !object to find the location of the object_type. From
your own output, we see that the type is at 839b7978:
kd> !object 84cdc860
Object: 84cdc860 Type: (839b7978) Process
ObjectHeader: 84cdc848 (new version)
HandleCount: 10 PointerCount: 254
so you should do a dt nt!_OBJECT_TYPE 839b7978
Actually there are a lot of indicators in your original output which hint
that it is incorrect. For example, the handle and pointer counts are garbage,
and so is the Name field.
With the right type casts you should see:
+0x008 Name : _UNICODE_STRING "Process"
and also the handle and pointer counts would match the output of !object.
Look at the below example:
kd> dt nt!_OBJECT_HEADER
+0x000 PointerCount : Int4B
+0x004 HandleCount : Int4B
+0x004 NextToFree : Ptr32 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : UChar
+0x00d TraceFlags : UChar
+0x00e InfoMask : UChar
+0x00f Flags : UChar
+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : Ptr32 Void
+0x014 SecurityDescriptor : Ptr32 Void
+0x018 Body : _QUAD
So what you are seeing with !process is the address of the 'Body' part of
the object. To get the header you will have to subtract (in my OS it is at
offset 0x18). So address - 0x18 should be the start of the header.
Now if you do a dt nt!_OBJECT_HEADER -0x18 you should get the right output. In
that output you will see
+0x000 PointerCount : Int4B
+0x004 HandleCount : Int4B
will match the ones seen in !object's output.
On Wed, Sep 17, 2014 at 7:28 PM, A P wrote:
> I am trying to see the details for a process object, and I am feeding the
> output of !process to dt nt!_OBJECT_TYPE. Am I doing it right? If
> not, what is the way to do this (without using the !object extension)?
>
> kd> !process 0 0 lsass.exe
> PROCESS 84cdc860 SessionId: 0 Cid: 0208 Peb: 7ffda000 ParentCid: 018c
> DirBase: 1eed30e0 ObjectTable: 95f00d18 HandleCount: 513.
> Image: lsass.exe
>
> Passing this process address to the !object extension we extract
> information about it.
>
> kd> !object 84cdc860
> Object: 84cdc860 Type: (839b7978) Process
> ObjectHeader: 84cdc848 (new version)
> HandleCount: 10 PointerCount: 254
>
> Let's try to typecast this address to OBJECT_TYPE.
>
> kd> dt nt!_OBJECT_TYPE 84cdc860
> +0x000 TypeList : _LIST_ENTRY [0x260003 - 0x0]
> +0x008 Name : _UNICODE_STRING "졨蓍䄀蒡鎰蓺졠蓍纘蔀???"
> +0x010 DefaultObject : 0x84cdc870 Void
> +0x014 Index : 0x70 'p'
> +0x018 TotalNumberOfObjects : 0x1eed30e0
> +0x01c TotalNumberOfHandles : 0
> +0x020 HighWaterNumberOfObjects : 0
> +0x024 HighWaterNumberOfHandles : 0
> +0x028 TypeInfo : _OBJECT_TYPE_INITIALIZER
> +0x078 TypeLock : _EX_PUSH_LOCK
> +0x07c Key : 0
> +0x080 CallbackList : _LIST_ENTRY [0x148be247 - 0x0]
> --- NTDEV is sponsored by OSR Visit the list at:
> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
--
- ab
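The body-to-header arithmetic from the reply above, as an added example that is not part of the thread: a small script that parses the `!object` output and the `dt nt!_OBJECT_HEADER` layout (sample text constructed from the shape of the output quoted in the thread), derives the header address from the Body offset instead of hard-coding 0x18, checks it against what `!object` reported, and emits the `dt` commands for the header and the real `_OBJECT_TYPE`.

```python
import re

# Constructed sample input, shaped like the !object output quoted in the thread.
OBJECT_OUTPUT = """\
Object: 84cdc860  Type: (839b7978) Process
    ObjectHeader: 84cdc848 (new version)
    HandleCount: 10  PointerCount: 254
"""

# Constructed sample input, shaped like the dt nt!_OBJECT_HEADER output in the reply.
HEADER_LAYOUT = """\
   +0x000 PointerCount       : Int4B
   +0x004 HandleCount        : Int4B
   +0x004 NextToFree         : Ptr32 Void
   +0x008 Lock               : _EX_PUSH_LOCK
   +0x00c TypeIndex          : UChar
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body               : _QUAD
"""


def parse_object_output(text):
    """Pull the body, type and header addresses out of '!object' output."""
    m = re.search(r"Object:\s*([0-9a-fA-F]+)\s+Type:\s*\(([0-9a-fA-F]+)\)\s*(\w+)", text)
    h = re.search(r"ObjectHeader:\s*([0-9a-fA-F]+)", text)
    if not (m and h):
        raise ValueError("unexpected !object output")
    return {"body": int(m.group(1), 16), "type": int(m.group(2), 16),
            "type_name": m.group(3), "header": int(h.group(1), 16)}


def field_offset(layout, name):
    """Return the offset of a named field from 'dt' output (e.g. Body in _OBJECT_HEADER)."""
    m = re.search(r"\+0x([0-9a-fA-F]+)\s+" + re.escape(name) + r"\s*:", layout)
    if not m:
        raise KeyError(name)
    return int(m.group(1), 16)


def object_commands(object_output, header_layout):
    """Derive the dt commands the reply recommends and cross-check them against !object."""
    info = parse_object_output(object_output)
    header = info["body"] - field_offset(header_layout, "Body")  # body address minus Body offset
    if header != info["header"]:
        raise ValueError(f"header mismatch: computed {header:x}, !object says {info['header']:x}")
    return [f"dt nt!_OBJECT_HEADER {header:x}", f"dt nt!_OBJECT_TYPE {info['type']:x}"]


if __name__ == "__main__":
    print("\n".join(object_commands(OBJECT_OUTPUT, HEADER_LAYOUT)))
```

Feeding the body address straight to `dt nt!_OBJECT_TYPE`, as in the original question, is what produced the garbage Name and counts; the mismatch check here is the same sanity test the reply suggests (the header's PointerCount and HandleCount must agree with `!object`).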