Sysinternals Forum > Windows Discussions > Internals

Total number of GDI handle

molotov (Moderator Group)
Posted: 18 February 2008 at 9:02am
> I think it may use a different method from PE.
Setting a bp on user32!NtUserGetGuiResources while debugging taskmgr.exe shows that it is called twice for each process (one for USER, one for GDI, presumably).
0007f3c4 0100ce03 5750b2c0 00000000 000b7db8 USER32!NtUserGetGuiResources
0007f61c 0100cea0 00000001 01002d49 00000000 taskmgr!CProcPage::UpdateProcInfoArray+0x3af
0007f624 01002d49 00000000 00000000 0007f8b0 taskmgr!CProcPage::TimerEvent+0x10
0007f634 01004d0a 0014014a 00000000 00000000 taskmgr!MainWnd_OnTimer+0x39
0007f8b0 01005295 0014014a 00009c75 00000000 taskmgr!MainWnd_OnCommand+0x59b
0007f8e4 7e418734 0014014a 00000111 00019c75 taskmgr!MainWindowProc+0x43e
0007f910 7e423745 01004e57 0014014a 00000111 USER32!InternalCallWinProc+0x28
0007f97c 7e423591 00000000 01004e57 0014014a USER32!UserCallDlgProcCheckWow+0x146
0007f9c4 7e4237bc 00000000 00000111 00019c75 USER32!DefDlgProcWorker+0xa8
0007f9e0 7e418734 0014014a 00000111 00019c75 USER32!DefDlgProcW+0x22
0007fa0c 7e418816 7e42379a 0014014a 00000111 USER32!InternalCallWinProc+0x28
0007fa74 7e41b4c0 00000000 7e42379a 0014014a USER32!UserCallWinProcCheckWow+0x150
0007fac8 7e41b50c 0054f9d0 00000111 00019c75 USER32!DispatchClientMessage+0xa3
0007faf0 7c90eae3 0007fb00 00000018 0054f9d0 USER32!__fnDWORD+0x24
0007fb14 7e42fac7 7e43668f 0014014a 00080101 ntdll!KiUserCallbackDispatcher+0x13
0007fb2c 01005775 0014014a 00080101 0007fb4c USER32!NtUserTranslateAccelerator+0xc
0007ff5c 01005937 01000000 00000000 0002078e taskmgr!WinMainT+0x3e7
0007ffc0 7c816fd7 00011970 7c9118f1 7ffdf000 taskmgr!_ModuleEntry+0xdf
0007fff0 00000000 01005944 00000000 78746341 kernel32!BaseProcessStart+0x23
Daily affirmation:
net helpmsg 4006
a_d_13 (Senior Member)
Posted: 18 February 2008 at 7:29am
Hey - thanks for testing this out.
 
Interesting that Task Manager doesn't display them properly.  I think it may use a different method from PE.  I'll look into that a little more and post back here.
 
 
Thanks,
--AD
molotov (Moderator Group)
Posted: 18 February 2008 at 6:35am
Made the change in the kernel debugger (eb bf9110cb 0xeb), and PE is able to get the USER / GDI count for processes running in another session:
 
Interestingly, Task Manager is not - it displays 0 and 0 for USER and GDI objects of most processes not running in the same session as it, except for winlogon.exe (and seemingly a few other processes), where it displays the correct numbers.  Perhaps taskmgr.exe performs an internal check for most cases, similar to win32k.sys?


Edited by molotov - 18 February 2008 at 6:46am
molotov (Moderator Group)
Posted: 18 February 2008 at 6:00am
Changing the je @ 0x1110cb to jmp and bypassing (ignoring) WFP results in a BSOD on boot:
STOP: c000021a {Fatal System Error}
The Session Manager Initialization system process terminated unexpectedly with a status of 0xc000026c (0x00000000 0x00000000).
The system has been shut down.
 
0xc000021a is STATUS_SYSTEM_PROCESS_TERMINATED - conveniently:
The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).
The system has been shut down.
 
0xc000026c is STATUS_DRIVER_UNABLE_TO_LOAD -
{Unable to Load Device Driver}
%hs device driver could not be loaded.
Error Status was 0x%x
 
fc /b done after the replace but before reboot shows the only differences in Win32k.sys to be the changed byte:
C:\>fc /b c:\windows\system32\win32k.sys c:\temp\win32k.sys
Comparing files C:\WINDOWS\SYSTEM32\win32k.sys and C:\TEMP\WIN32K.SYS
001110CB: 74 EB
 
Memory-patch required for this one?
a_d_13 (Senior Member)
Posted: 18 February 2008 at 4:50am

It's simple enough - in XP SP2, search the win32k.sys (C:\Windows\System32\win32k.sys) binary for:

74 13 6a 57 e8
 
Then, replace the "74", the opcode for "jump if equal", with "eb", which is the opcode for "always jump".  Please note, not tested, if you break something, it's not my fault, etc.  There should also be ONLY ONE result for that search string - if there's more, don't do anything.
Finally, on my machine, it's at offset 1118411 (0x1110cb in hexadecimal) from the beginning of the file.
 
To return to normal, change it back.  DO NOT DO THIS ON AN IMPORTANT MACHINE.
 
 
Thanks,
--AD
 
P.S. You'll probably have to deal with Windows File Protection - Google how to disable that.
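The on-disk procedure above (search for the byte sequence, refuse to act unless it occurs exactly once, flip 0x74 to 0xEB, keep a way back) and the `fc /b` check molotov ran against a backup can be carried out mechanically. The following C program is an added example, not code posted in the thread: it runs the procedure on a constructed NOP-filled stand-in for win32k.sys so that it works anywhere, lists differing bytes in the `OFFSET: old new` form `fc /b` uses, and restores the original form with the same uniqueness check. The search pattern `74 13 6a 57 e8` and the je/jmp opcodes are taken from the thread; the sample image, its offset 0x10cb and all function names are assumptions made for the example.

```c
/* Added example, not code from the thread. The byte sequence 74 13 6a 57 e8
 * and the 0x74 -> 0xEB change are from the thread; the NOP-filled sample
 * image, its offset 0x10cb and the function names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint8_t kPattern[] = { 0x74, 0x13, 0x6a, 0x57, 0xe8 };
#define JE_SHORT  0x74          /* je rel8 */
#define JMP_SHORT 0xEB          /* jmp rel8 */

/* Count occurrences of needle in buf and report the offset of the first. */
size_t count_matches(const uint8_t *buf, size_t len,
                     const uint8_t *needle, size_t nlen, size_t *first)
{
    size_t hits = 0;
    if (nlen == 0 || len < nlen) return 0;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(buf + i, needle, nlen) != 0) continue;
        if (hits++ == 0 && first) *first = i;
    }
    return hits;
}

/* Flip je -> jmp (restore != 0: jmp -> je). Writes nothing and returns -1
 * unless the sequence occurs exactly once, a_d_13's rule for the search. */
long patch_session_check(uint8_t *buf, size_t len, int restore)
{
    uint8_t want[sizeof kPattern];
    size_t off = 0;
    memcpy(want, kPattern, sizeof want);
    want[0] = restore ? JMP_SHORT : JE_SHORT;     /* the form currently on disk */
    size_t hits = count_matches(buf, len, want, sizeof want, &off);
    if (hits != 1) {
        fprintf(stderr, "refusing to patch: %zu matches, need exactly 1\n", hits);
        return -1;
    }
    buf[off] = restore ? JE_SHORT : JMP_SHORT;
    return (long)off;
}

/* fc /b equivalent: print each differing offset as "OFFSET: old new", return the count. */
size_t diff_bytes(const uint8_t *a, const uint8_t *b, size_t len)
{
    size_t ndiff = 0;
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i]) { printf("%08zX: %02X %02X\n", i, a[i], b[i]); ndiff++; }
    return ndiff;
}

#define SAMPLE_LEN 0x2000
#define SAMPLE_OFF 0x10cb   /* assumed; the XP SP2 file offset in the thread is 0x1110cb */

/* Constructed stand-in for win32k.sys: NOPs with the sequence embedded `copies` times. */
void build_sample(uint8_t *out, size_t len, int copies)
{
    memset(out, 0x90, len);
    if (copies >= 1) memcpy(out + SAMPLE_OFF, kPattern, sizeof kPattern);
    if (copies >= 2) memcpy(out + SAMPLE_OFF + 0x400, kPattern, sizeof kPattern);
}

/* Patch a copy, diff it against the backup, restore, and check the restore is
 * byte-exact. Returns the patched offset or a negative step number. */
long demo_patch_and_diff(void)
{
    uint8_t orig[SAMPLE_LEN], img[SAMPLE_LEN];
    build_sample(orig, sizeof orig, 1);
    memcpy(img, orig, sizeof img);
    long off = patch_session_check(img, sizeof img, 0);
    if (off < 0) return -1;
    if (diff_bytes(orig, img, sizeof img) != 1) return -2;  /* one line, as fc /b showed */
    if (patch_session_check(img, sizeof img, 1) != off) return -3;
    if (memcmp(orig, img, sizeof img) != 0) return -4;
    return off;
}

/* An image containing the sequence twice must be left untouched. */
int demo_refuses_ambiguous(void)
{
    uint8_t img[SAMPLE_LEN];
    build_sample(img, sizeof img, 2);
    return patch_session_check(img, sizeof img, 0) == -1
        && img[SAMPLE_OFF] == JE_SHORT && img[SAMPLE_OFF + 0x400] == JE_SHORT;
}

int main(void)
{
    long off = demo_patch_and_diff();
    printf("patched and restored at offset 0x%lX\n", off);
    printf("two-hit image refused: %s\n", demo_refuses_ambiguous() ? "yes" : "no");
    return (off == SAMPLE_OFF && demo_refuses_ambiguous()) ? 0 : 1;
}
```

On a real file the same functions apply to the file contents read into a buffer, with the backup copy (the thread's c:\temp\win32k.sys) written before anything else and diffed afterwards; the patch function returns -1 and touches nothing when the sequence is missing or occurs more than once. It does nothing about Windows File Protection or the boot failure molotov reports after the on-disk change; the thread leaves both open.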
x-faktor (Senior Member)
Posted: 18 February 2008 at 3:55am
Molotov, make a kernel patch of win32k.sys :)
molotov (Moderator Group)
Posted: 17 February 2008 at 8:33pm
OK, so I tossed a kernel debugger on an XP VM and set a BP on NtUserGetGuiResources.  I logged into two sessions in XP, and launched PE from session 0, while running calc.exe in session 1.  Upon viewing the properties of calc.exe in PE, the debugger broke in.  I stepped through NtUserGetGuiResources and made the following observations...
 
win32k!NtUserGetGuiResources+0x53:
bf9110bf ff1594c298bf    call    dword ptr [win32k!_imp__PsGetProcessSessionId (bf98c294)]
win32k!NtUserGetGuiResources+0x59:
bf9110c5 3b05b09d9abf    cmp     eax,dword ptr [win32k!gSessionId (bf9a9db0)]
;EAX was 1, win32k!gSessionId was 0.
bf9110cb 7413            je      win32k!NtUserGetGuiResources+0x74 (bf9110e0) ;path not taken, of course
bf9110cd 6a57            push    57h ;ERROR_INVALID_PARAMETER
bf9110cf e85527efff      call    win32k!UserSetLastError (bf803829)
; rest is cleanup and exit
 
However, manipulating the comparison at bf9110c5 by setting eax to 0 before executing it did not appear to have any ill effects, and Process Explorer in session 0 was able to display the appropriate values for USER and GDI objects (49 and 21) for calc.exe running in session 1, per an instance of PE running in session 1.
 
Not sure exactly why the session check is made in NtUserGetGuiResources, and ERROR_INVALID_PARAMETER returned if the sessions don't match...


Edited by molotov - 17 February 2008 at 8:34pm
EP_X0FF (Senior Member)
Posted: 17 February 2008 at 12:07am
The ReactOS USER/GDI implementation is very different from what it actually is on the Windows NT platform.

Edited by EP_X0FF - 17 February 2008 at 12:07am
Ring0 - the source of inspiration
a_d_13 (Senior Member)
Posted: 16 February 2008 at 8:31pm
Actually, I meant hooking WinDbg up for remote kernel debugging (i.e. using a VM, serial cable, etc.), setting a breakpoint on NtUserGetGuiResources, calling it on a process where it is known to fail with ERROR_INVALID_PARAMETER, and then tracing to see why it fails.  That may help to narrow down the problem.  However, I'm rather low on free time at the moment, so if someone else could do this, and post back, that'd be great.
If I get some free time in the upcoming week, I'll take a look at it, too.
 
Thanks,
--AD
molotov (Moderator Group)
Posted: 16 February 2008 at 10:04am
I had gone down a similar path at one point.  But I'm not getting what you mean by "debug the function in the kernel" (I get the concept, of course, but not how it might be used, practically, in this case).
 
Are you conceiving a driver-based solution for this?