Comments on: Signaled Objects https://www.dumpanalysis.org/blog/index.php/2008/03/06/signaled-objects/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Wed, 06 May 2026 11:40:16 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/03/06/signaled-objects/#comment-741697 Dmitry Vostokov Mon, 14 Mar 2016 17:21:27 +0000 https://www.dumpanalysis.org/blog/index.php/2008/03/06/signaled-objects/#comment-741697 The structures are different in Windows 8.x (for example, TypeIndex instead of a pointer): <code>0: kd> dt _OBJECT_HEADER nt!_OBJECT_HEADER +0x000 PointerCount : Int8B +0x008 HandleCount : Int8B +0x008 NextToFree : Ptr64 Void +0x010 Lock : _EX_PUSH_LOCK +0x018 TypeIndex : UChar +0x019 TraceFlags : UChar +0x019 DbgRefTrace : Pos 0, 1 Bit +0x019 DbgTracePermanent : Pos 1, 1 Bit +0x01a InfoMask : UChar +0x01b Flags : UChar +0x01c Spare : Uint4B +0x020 ObjectCreateInfo : Ptr64 _OBJECT_CREATE_INFORMATION +0x020 QuotaBlockCharged : Ptr64 Void +0x028 SecurityDescriptor : Ptr64 Void +0x030 Body : _QUAD</code> <code>0: kd> dt _DISPATCHER_HEADER ntdll!_DISPATCHER_HEADER +0x000 Type : UChar +0x001 TimerControlFlags : UChar +0x001 Absolute : Pos 0, 1 Bit +0x001 Wake : Pos 1, 1 Bit +0x001 EncodedTolerableDelay : Pos 2, 6 Bits +0x001 Abandoned : UChar +0x001 Signalling : UChar +0x002 ThreadControlFlags : UChar +0x002 CycleProfiling : Pos 0, 1 Bit +0x002 CounterProfiling : Pos 1, 1 Bit +0x002 GroupScheduling : Pos 2, 1 Bit +0x002 AffinitySet : Pos 3, 1 Bit +0x002 Reserved : Pos 4, 4 Bits +0x002 Hand : UChar +0x002 Size : UChar +0x003 TimerMiscFlags : UChar +0x003 Index : Pos 0, 6 Bits +0x003 Inserted : Pos 6, 1 Bit +0x003 Expired : Pos 7, 1 Bit +0x003 DebugActive : UChar +0x003 ActiveDR7 : Pos 0, 1 Bit +0x003 Instrumented : Pos 1, 1 Bit +0x003 Reserved2 : Pos 2, 4 Bits +0x003 UmsScheduled : Pos 6, 1 Bit +0x003 UmsPrimary : Pos 7, 1 Bit +0x003 DpcActive : UChar +0x000 Lock : Int4B +0x000 LockNV : Int4B +0x004 SignalState : Int4B +0x008 WaitListHead : _LIST_ENTRY</code> <code>0: kd> dt _OBJECT_TYPE ntdll!_OBJECT_TYPE +0x000 TypeList : _LIST_ENTRY +0x010 Name : _UNICODE_STRING +0x020 DefaultObject : Ptr64 Void +0x028 Index : UChar +0x02c TotalNumberOfObjects : Uint4B +0x030 TotalNumberOfHandles : Uint4B +0x034 HighWaterNumberOfObjects : Uint4B +0x038 HighWaterNumberOfHandles : Uint4B +0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER +0x0b8 TypeLock : _EX_PUSH_LOCK +0x0c0 Key : Uint4B +0x0c8 CallbackList : _LIST_ENTRY</code> <code>0: kd> dp ObTypeIndexTable fffff802`b3d22dc0 00000000`00000000 00000000`bad0b0b0 fffff802`b3d22dd0 fffffa80`01816100 fffffa80`017f5080 fffff802`b3d22de0 fffffa80`0182a610 fffffa80`0181cf20 fffff802`b3d22df0 fffffa80`01828af0 fffffa80`01825670 fffff802`b3d22e00 fffffa80`0183cf20 fffffa80`01844930 fffff802`b3d22e10 fffffa80`01843080 fffffa80`0184b2c0 fffff802`b3d22e20 fffffa80`01812d80 fffffa80`017f9080 fffff802`b3d22e30 fffffa80`0182f080 fffffa80`017f9f20</code> <code>0: kd> dt _OBJECT_TYPE fffffa80`01825670 ntdll!_OBJECT_TYPE +0x000 TypeList : _LIST_ENTRY [ 0xfffffa80`01825670 - 0xfffffa80`01825670 ] +0x010 Name : _UNICODE_STRING "Process" +0x020 DefaultObject : (null) +0x028 Index : 0x7 '' +0x02c TotalNumberOfObjects : 0x2c +0x030 TotalNumberOfHandles : 0x136 +0x034 HighWaterNumberOfObjects : 0x31 +0x038 HighWaterNumberOfHandles : 0x149 +0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER +0x0b8 TypeLock : _EX_PUSH_LOCK +0x0c0 Key : 0x636f7250 +0x0c8 CallbackList : _LIST_ENTRY [ 0xfffff8a0`00098a30 - 0xfffff8a0`00098a30 ]</code> The structures are different in Windows 8.x (for example, TypeIndex instead of a pointer):

0: kd> dt _OBJECT_HEADER
nt!_OBJECT_HEADER
+0x000 PointerCount : Int8B
+0x008 HandleCount : Int8B
+0x008 NextToFree : Ptr64 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : UChar
+0x019 TraceFlags : UChar
+0x019 DbgRefTrace : Pos 0, 1 Bit
+0x019 DbgTracePermanent : Pos 1, 1 Bit
+0x01a InfoMask : UChar
+0x01b Flags : UChar
+0x01c Spare : Uint4B
+0x020 ObjectCreateInfo : Ptr64 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : Ptr64 Void
+0x028 SecurityDescriptor : Ptr64 Void
+0x030 Body : _QUAD

0: kd> dt _DISPATCHER_HEADER
ntdll!_DISPATCHER_HEADER
+0x000 Type : UChar
+0x001 TimerControlFlags : UChar
+0x001 Absolute : Pos 0, 1 Bit
+0x001 Wake : Pos 1, 1 Bit
+0x001 EncodedTolerableDelay : Pos 2, 6 Bits
+0x001 Abandoned : UChar
+0x001 Signalling : UChar
+0x002 ThreadControlFlags : UChar
+0x002 CycleProfiling : Pos 0, 1 Bit
+0x002 CounterProfiling : Pos 1, 1 Bit
+0x002 GroupScheduling : Pos 2, 1 Bit
+0x002 AffinitySet : Pos 3, 1 Bit
+0x002 Reserved : Pos 4, 4 Bits
+0x002 Hand : UChar
+0x002 Size : UChar
+0x003 TimerMiscFlags : UChar
+0x003 Index : Pos 0, 6 Bits
+0x003 Inserted : Pos 6, 1 Bit
+0x003 Expired : Pos 7, 1 Bit
+0x003 DebugActive : UChar
+0x003 ActiveDR7 : Pos 0, 1 Bit
+0x003 Instrumented : Pos 1, 1 Bit
+0x003 Reserved2 : Pos 2, 4 Bits
+0x003 UmsScheduled : Pos 6, 1 Bit
+0x003 UmsPrimary : Pos 7, 1 Bit
+0x003 DpcActive : UChar
+0x000 Lock : Int4B
+0x000 LockNV : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : _LIST_ENTRY

0: kd> dt _OBJECT_TYPE
ntdll!_OBJECT_TYPE
+0x000 TypeList : _LIST_ENTRY
+0x010 Name : _UNICODE_STRING
+0x020 DefaultObject : Ptr64 Void
+0x028 Index : UChar
+0x02c TotalNumberOfObjects : Uint4B
+0x030 TotalNumberOfHandles : Uint4B
+0x034 HighWaterNumberOfObjects : Uint4B
+0x038 HighWaterNumberOfHandles : Uint4B
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : Uint4B
+0x0c8 CallbackList : _LIST_ENTRY

0: kd> dp ObTypeIndexTable
fffff802`b3d22dc0 00000000`00000000 00000000`bad0b0b0
fffff802`b3d22dd0 fffffa80`01816100 fffffa80`017f5080
fffff802`b3d22de0 fffffa80`0182a610 fffffa80`0181cf20
fffff802`b3d22df0 fffffa80`01828af0 fffffa80`01825670
fffff802`b3d22e00 fffffa80`0183cf20 fffffa80`01844930
fffff802`b3d22e10 fffffa80`01843080 fffffa80`0184b2c0
fffff802`b3d22e20 fffffa80`01812d80 fffffa80`017f9080
fffff802`b3d22e30 fffffa80`0182f080 fffffa80`017f9f20

0: kd> dt _OBJECT_TYPE fffffa80`01825670
ntdll!_OBJECT_TYPE
+0x000 TypeList : _LIST_ENTRY [ 0xfffffa80`01825670 - 0xfffffa80`01825670 ]
+0x010 Name : _UNICODE_STRING "Process"
+0x020 DefaultObject : (null)
+0x028 Index : 0x7 ''
+0x02c TotalNumberOfObjects : 0x2c
+0x030 TotalNumberOfHandles : 0x136
+0x034 HighWaterNumberOfObjects : 0x31
+0x038 HighWaterNumberOfHandles : 0x149
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x636f7250
+0x0c8 CallbackList : _LIST_ENTRY [ 0xfffff8a0`00098a30 - 0xfffff8a0`00098a30 ]

]]> By: Software Generalist » Blog Archive » Reading Notebook: 17-August-09 https://www.dumpanalysis.org/blog/index.php/2008/03/06/signaled-objects/#comment-89325 Software Generalist » Blog Archive » Reading Notebook: 17-August-09 Mon, 17 Aug 2009 15:51:18 +0000 https://www.dumpanalysis.org/blog/index.php/2008/03/06/signaled-objects/#comment-89325 [...] structure (p. 138) - I created a simplified UML diagram when I was investigating object signaling: http://www.dumpanalysis.org/blog/index.php/2008/03/06/signaled-objects/. Here’s another example of how to get an object header from the dispatcher address a thread [...] […] structure (p. 138) - I created a simplified UML diagram when I was investigating object signaling: http://www.dumpanalysis.org/blog/index.php/2008/03/06/signaled-objects/. Here’s another example of how to get an object header from the dispatcher address a thread […]

]]>