Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle reference count doesn't make much sense #2296

Open
alabuzhev opened this issue Nov 23, 2024 · 1 comment
Open

Handle reference count doesn't make much sense #2296

alabuzhev opened this issue Nov 23, 2024 · 1 comment
Assignees
@jxy-s
Labels
enhancement

Comments

@alabuzhev
Copy link
Contributor

Brief description of your issue

In Handle properties window there's a "References" section with "References" and "Handles".
"Handles" looks good, but "References" usually contains some large number that doesn't make much sense, like 32763 or 65520 or 11863049.

The number, however, is usually oddly close to a multiple of 32768 and the multiplier is usually oddly close to Handles:

image

11863049 / 32768 = 362 ≈ 365

Which suggests that reference count isn't really just a number and should be treated specially to be human-readable.

There's an article by Alex Ionescu from 2014, explaining what is going on:
https://www.alex-ionescu.com/the-case-of-the-bloated-reference-count-handle-table-entry-changes-in-windows-8-1/

Windows 8.1 not only introduces a major rewrite to the handle table entry format but also makes these seemingly internal data structure changes to have a visible side effect when using the Windows Debugger or other tools to analyze reference counts on objects

  • Each time a new handle is opened to an object, the reference count goes up by 0x7FFF, or 32767, on x64 Windows. On x86 Windows, the same behavior is seen by the way, but with 0x1F instead.
  • Each time an existing handle to an object is used, the reference count goes down by 1.

Perhaps it would make sense to:

  • Decode the value before showing it to the user:

    systeminformer/SystemInformer/hndlprp.c

    Line 783 in 57a30b1

    PhPrintUInt32(string, basicInfo.PointerCount);
  • Update the manual adjustments that are likely incorrect now:

    systeminformer/phlib/hndlinfo.c

    Lines 151 to 153 in 57a30b1

    // The object was referenced in KSystemInformer, so we need to subtract 1 from the
    // pointer count.
    BasicInformation->PointerCount -= 1;

    systeminformer/phlib/hndlinfo.c

    Lines 170 to 173 in 57a30b1

    // The object was referenced in NtQueryObject and a handle was opened to the object. We
    // need to subtract 1 from the pointer count, then subtract 1 from both counts.
    BasicInformation->HandleCount -= 1;
    BasicInformation->PointerCount -= 2;

Other related sources:
https://community.osr.com/t/pointer-count-increased-0x8000-when-zwopenprocess-called/52999
https://ntamonsec.blogspot.com/2020/06/journey-into-object-manager-executive-handles.html
https://bsodtutorials.wordpress.com/2022/01/24/object-headers-handles-and-types/
https://www.google.com/search?q="PointerCount"+0x7FFF

Steps to reproduce (optional)

Open SI
Open properties of any readable process
Go to Handles tab
Open properties of any readable handle
Inspect the References section

Expected behavior (optional)

References should be some reasonable number, not tens or hundreds of thousands.

Actual behavior (optional)

No response

Environment (optional)

No response
@jxy-s
Copy link
Member

jxy-s commented Nov 23, 2024

I'll check the code when I'm able. But I suspect we're showing the pointer count and not the true reference, as you've pointed out.

@jxy-s jxy-s self-assigned this Nov 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jxy-s jxy-s

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alabuzhev @jxy-s