Several types of kernel objects, such as access token objects, event objects, file objects, file-mapping objects, I/O completion port objects, job objects, mailslot objects, mutex objects, pipe objects, process objects, semaphore objects, thread objects, and waitable timer objects.
2. What is a kernel object?
Each kernel object is simply a memory block allocated by the kernel and is accessible only by the kernel. This memory block is a data structure whose members maintain information about the object. Some members (security descriptor, usage count, and so on) are the same across all object types, but most are specific to a particular object type. For example, a process object has a process ID, a base priority, and an exit code, whereas a file object has a byte offset, a sharing mode, and an open mode.
3. User can access these kernel objects structures?
Kernel object data structures are accessible only by the kernel
4. If we cannot alter these Kernel Object structures directly, how do our applications manipulate these kernel objects?
The answer is that Windows offers a set of functions that manipulate these structures in well-defined ways. These kernel objects are always accessible via these functions. When you call a function that creates a kernel object, the function returns a handle that identifies the object.
5. How owns the Kernel Object?
Kernel objects are owned by the kernel, not by a process
6. How does the kernel object outlive the process that created it?
If your process calls a function that creates a kernel object and then your process terminates, the kernel object is not necessarily destroyed. Under most circumstances, the object will be destroyed; but if another process is using the kernel object your process created, the kernel knows not to destroy the object until the other process has stopped using it
7. Which is the data member common to all the kernel object and what is the use of it?
The usage count is one of the data members common to all kernel object types
8. How to identify the difference between the kernel object and user object?
The easiest way to determine whether an object is a kernel object is to examine the function that creates the object. Almost all functions that create kernel objects have a parameter that allows you to specify security attribute information.
9. What is the purpose of Process Handle Table?
When a process is initialized, the system allocates a handle table for it. This handle table is used only for kernel objects, not for User objects or GDI objects. When a process first initializes, its handle table is empty. Then when a thread in the process calls a function that creates a kernel object, such as CreateFileMapping , the kernel allocates a block of memory for the object and initializes it; the kernel then scans the process’s handle table for an empty entry
10. Name few functions that create Kernel Objects?
HANDLE CreateThread(…),HANDLE CreateFile(..),HANDLE CreateFileMapping(..)HANDLE CreateSemaphore(..)etcAll functions that create kernel objects return process-relative handles that can be used successfully by any and all threads that are running in the same process.
11. What is handle?
Handle value is actually the index into the process’s handle table that identifies where the kernel object’s information is stored.
12. How the handle helps in manipulating the kernel objects?
Whenever you call a function that accepts a kernel object handle as an argument, you pass the value returned by one of the Create* functions. Internally, the function looks in your process’s handle table to get the address of the kernel object you want to manipulate and then manipulates the object’s data structure in a well-defined fashion.
13. What happens when the CloseHandle(handle) is called?
This function first checks the calling process’s handle table to ensure that the index (handle) passed to it identifies an object that the process does in fact have access to. If the index is valid, the system gets the address of the kernel object’s data structure and decrements the usage count member in the structure; if the count is zero, the kernel destroys the kernel object from memory.
14. You forget to call CloseHandle - will there be a memory leak?
Well, yes and no. It is possible for a process to leak resources (such as kernel objects) while the process runs. However, when the process terminates, the operating system ensures that any and all resources used by the process are freed—this is guaranteed. For kernel objects, the system performs the following actions: When your process terminates, the system automatically scans the process’s handle table. If the table has any valid entries (objects that you didn’t close before terminating), the system closes these object handles for you. If the usage count of any of these objects goes to zero, the kernel destroys the object.
15. What is the need of process relative handles?
The most important reason was robustness. If kernel object handles were system-wide values, one process could easily obtain the handle to an object that another process was using and wreak havoc on that process. Another reason for process-relative handles is security. Kernel objects are protected with security, and a process must request permission to manipulate an object before attempting to manipulate it. The creator of the object can prevent an unauthorized user from touching the object simply by denying access to it
16. How the handles are handled in the child process?
The operating system creates the new child process but does not allow the child process to begin executing its code right away. Of course, the system creates a new, empty process handle table for the child process just as it would for any new process. But because you passed TRUE to CreateProcess’s bInheritHandles parameter, the system does one more thing: it walks the parent process’s handle table, and for each entry it finds that contains a valid inheritable handle, the system copies the entry exactly into the child process’s handle table. The entry is copied to the exact same position in the child process’s handle table as in the parent’s handle table.
17. Why the entries in the parent process table and child table are same?
It means that the handle value that identifies a kernel object is identical in both the parent and the child processes.
18. What about the usage count in the parent child process tables?
The system increments the usage count of the kernel object because two processes are now using the object. For the kernel object to be destroyed, both the parent process and the child process must either call CloseHandle on the object or terminate.
19. What are Named Objects?
Method available for sharing kernel objects across process boundaries is to name the objects. Below are the kernel named objects:
There are APIs to create these objects with last parameter as the object name.
20. What do you mean by unnamed object?
When you are creating the kernel objects with the help of API’s like CreateMutex(, , , ,pzname). And the Pzname parameter is NULL , you are indicating to the system that you want to create an unnamed (anonymous) kernel object. When you create an unnamed object, you can share the object across processes by using either inheritance or DuplicateHandle
21. What is DuplicateHandle (API)?
Takes an entry in one process’s handle table and makes a copy of the entry into another process’s handle table
22. What is a thread?
A thread describes a path of execution within a process. Every time a process is initialized, the system creates a primary thread. This thread begins executing with the C/C++ run-time library’s startup code, which in turn calls your entry-point function ( main , Wmain , WinMain , or WWinMain ) and continues executing until the entry-point function returns and the C/C++ run-time library’s startup code calls ExitProcess
23. What is the limit on per process for creating a thread?
The number of threads a process can create is limited by the available virtual memory and depends on the default stack size
24. What is Synchronization Objects?
Synchronization object s are use to co-ordinate the execution of multiple threads. Which kernel objects are use for Thread Synchronization on different processes? - Event, Mutex, Semaphore
25. What is Event Object and why it is used?
Event is the thread synchronization object to set signaled state or non-signaled state.
26. What is signaled and non signaled state?
An event is in signaled state means that it has the capacity to release the threads waiting for this event to be signaled. An event is in non signaled state means that it will not release any thread that is waiting for this particular event.example in our project: when user clicks the image application icon double simultaneously. Two image application windows were created. so PAIG created an event and set it to non-signaled state. Then the image application will reset the event to signaled state, after this all the threads are released.
27. APIs for creating event and set and reset the events
CreateEvent- to create the event
OpenEvent - to open already created event
SetEvent - to set the event signaled state
RestEvent - To set the Event To non-Signaled State
28. What is Mutex Object and why it is used?
A mutex object is a synchronization object whose state is set to signaled when it is not owned by any thread, and non-signaled when it is owned. For example, to prevent two threads from writing to shared memory at the same time, each thread waits for ownership of a mutex object before executing the code that accesses the memory. After writing to the shared memory, the thread releases the mutex object.
29. How do I create a Mutex?
A thread uses the CreateMutex function to create a mutex object. The creating thread can request immediate ownership of the mutex object and can also specify a name for the mutex object
30. How do other threads own the mutex?
Threads in other processes can open a handle to an existing named mutex object by specifying its name in a call to theOpenMutex - function. Any thread with a handle to a mutex object can use one of the wait functions to request ownership of the mutex object. If the mutex object is owned by another thread, the wait function blocks the requesting thread until the owning thread releases the mutex object using theReleaseMutex - function.
31. How do other threads own the mutex?
A semaphore object is a synchronization object that maintains a count between zero and a specified maximum value. The count is decremented each time a thread completes a wait for the semaphore object and incremented each time a thread releases the semaphore. When the count reaches zero, no more threads can successfully wait for the semaphore object state to become signaled. The state of a semaphore is set to signaled when its count is greater than zero, and non-signaled when its count is zero. The semaphore object is useful in controlling a shared resource that can support a limited number of users. It acts as a gate that limits the number of threads sharing the resource to a specified maximum number. For example, an application might place a limit on the number of windows that it creates. It uses a semaphore with a maximum count equal to the window limit, decrementing the count whenever a window is created and incrementing it whenever a window is closed. The application specifies the semaphore object in call to one of the wait functions before each window is created. When the count is zero - indicating that the window limit has been reached - the wait function blocks execution of the window-creation code.