Windows Kernel API Reference: Object Manager

The Object Manager is a core component of the Windows operating system kernel that manages kernel objects. It provides a consistent interface for creating, naming, opening, and closing various kernel objects, such as processes, threads, files, and registry keys. This ensures that all kernel objects are handled uniformly, regardless of their type.

ObCreateHandle

Creates a handle for a kernel object.

Syntax:

NTSTATUS ObCreateHandle(
  PVOID Object,
  ACCESS_MASK DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  KPROCESSOR_MODE AccessMode,
  BOOLEAN CreateHandle,
  PHANDLE Handle
);
            

Parameters:

Parameter	Description
`Object`	A pointer to the kernel object for which to create a handle.
`DesiredAccess`	An ACCESS_MASK value that specifies the type of access requested for the handle.
`ObjectAttributes`	A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the object.
`AccessMode`	Specifies the processor mode (KernelMode or UserMode) in which to audit access to the object.
`CreateHandle`	A BOOLEAN value that, if TRUE, causes a handle to be created.
`Handle`	A pointer to a variable that receives the handle.

Return Value: Returns STATUS_SUCCESS if the handle was created successfully, or an appropriate NTSTATUS error code otherwise.

ObOpenObjectByName

Opens an existing kernel object by its name.

Syntax:

NTSTATUS ObOpenObjectByName(
  PUNICODE_STRING ObjectName,
  POBJECT_TYPE ObjectType,
  KPROCESSOR_MODE AccessMode,
  PACCESS_MASK DesiredAccess,
  PVOID ObjectInformation,
  PHANDLE Handle
);
            

Parameters:

ObjectName: A pointer to a UNICODE_STRING that contains the name of the object to open.
ObjectType: A pointer to the type of the object to open.
AccessMode: The processor mode (KernelMode or UserMode) to use for accessing the object.
DesiredAccess: A pointer to an ACCESS_MASK value that specifies the type of access requested.
ObjectInformation: Reserved for future use. Must be NULL.
Handle: A pointer to a variable that receives the handle to the opened object.

Return Value: Returns STATUS_SUCCESS if the object was opened successfully, or an appropriate NTSTATUS error code otherwise.

ObQueryNameString

Retrieves the name of a kernel object.

Syntax:

NTSTATUS ObQueryNameString(
  PVOID Object,
  PUNICODE_STRING ObjectName,
  ULONG Length,
  PULONG ReturnLength
);
            

Parameters:

Object: A pointer to the object whose name is to be retrieved.
ObjectName: A pointer to a UNICODE_STRING structure that receives the object's name. The caller is responsible for allocating buffer space for this string.
Length: The size, in bytes, of the buffer pointed to by ObjectName.
ReturnLength: A pointer to a variable that receives the number of bytes written to ObjectName.

Return Value: Returns STATUS_SUCCESS if the name was successfully retrieved, or an appropriate NTSTATUS error code otherwise.

For more detailed information on the Object Manager and its related functions, please refer to the official Windows Driver Kit (WDK) documentation.