1. Find the handle value stored in the global variable
1: kd> dt g_hMyEvent
my_bin!g_hMyEvent
0x00001218
Void
2. Use !handle to get the address of the event object.
1: kd> !handle 0x00001218 f -1 Event
Searching for handles of type Event
PROCESS 845f4b40 SessionId: 0 Cid: 040c Peb: 7fbb4000 ParentCid: 023c
DirBase: 7ffea200 ObjectTable: a194d280 HandleCount: 1071.
Image: svchost.exe
Handle table at a194d280 with 1071 entries in use
1218: Object: aa934288 GrantedAccess: 001f0003 Entry: bb591430
Object: aa934288 Type: (845692b8) Event
ObjectHeader: aa934270 (new version)
HandleCount: 1 PointerCount: 62
3. Cast that object pointer to the DISPATCHER_HEADER it begins with
1: kd> ?? (PDISPATCHER_HEADER)0xaa934288
PDISPATCHER_HEADER 0xaa934288
+0x000 Type : 0 ''
+0x001 TimerControlFlags : 0 ''
+0x001 Absolute : 0y0
+0x001 Wake : 0y0
+0x001 EncodedTolerableDelay : 0y000000 (0)
+0x001 Abandoned : 0 ''
+0x001 Signalling : 0 ''
+0x002 ThreadControlFlags : 0x4 ''
+0x002 CycleProfiling : 0y0
+0x002 CounterProfiling : 0y0
+0x002 GroupScheduling : 0y1
+0x002 AffinitySet : 0y0
+0x002 Reserved : 0y0000
+0x002 Hand : 0x4 ''
+0x002 Size : 0x4 ''
+0x003 TimerMiscFlags : 0 ''
+0x003 Index : 0y0
+0x003 Processor : 0y00000 (0)
+0x003 Inserted : 0y0
+0x003 Expired : 0y0
+0x003 DebugActive : 0 ''
+0x003 DpcActive : 0 ''
+0x000 Lock : 0n262144
+0x000 LockNV : 0n262144
+0x004 SignalState : 0n1
+0x008 WaitListHead : _LIST_ENTRY [ 0xaa934290 - 0xaa934290 ]
There you go: SignalState is 1, so this event is in a signaled state.
By the way, the Type member being 0 means this is a notification event. Other common values of the dispatcher object type:
EventNotificationObject = 0,
EventSynchronizationObject = 1,
MutantObject = 2,
ProcessObject = 3,
QueueObject = 4,
SemaphoreObject = 5,
ThreadObject = 6,
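To make the same check repeatable, here is an added Python example (not code from the original post) that parses the !handle and ?? (PDISPATCHER_HEADER) output shown above, decodes the Lock union into its byte members, and reports the object type and signal state using the type values listed above. The sample text is constructed from the walkthrough's own output.

```python
import re

# Dispatcher object types (DISPATCHER_HEADER.Type) as listed in the post.
DISPATCHER_TYPES = {0: "EventNotificationObject", 1: "EventSynchronizationObject",
                    2: "MutantObject", 3: "ProcessObject", 4: "QueueObject",
                    5: "SemaphoreObject", 6: "ThreadObject"}

def parse_handle_entry(handle_output, handle):
    """Return the object address that '!handle' reports for `handle`, or None."""
    pat = r"^\s*%04x:\s+Object:\s+([0-9a-fA-F]+)" % handle
    m = re.search(pat, handle_output, re.M | re.I)
    return int(m.group(1), 16) if m else None

def parse_dispatcher_header(dump):
    """Pull Type, Lock and SignalState out of a '?? (PDISPATCHER_HEADER)' dump."""
    fields = {}
    for name, pat in (("Type", r"\+0x000 Type\s*:\s*(\d+)"),
                      ("Lock", r"\+0x000 Lock\s*:\s*0n(-?\d+)"),
                      ("SignalState", r"\+0x004 SignalState\s*:\s*0n(-?\d+)")):
        m = re.search(pat, dump)
        if m is None:
            raise ValueError("missing %s in dispatcher header dump" % name)
        fields[name] = int(m.group(1))
    return fields

def decode_lock(lock):
    """Split the 32-bit Lock union into its four byte members (little-endian)."""
    return {"Type": lock & 0xFF, "TimerControlFlags": (lock >> 8) & 0xFF,
            "ThreadControlFlags": (lock >> 16) & 0xFF, "TimerMiscFlags": (lock >> 24) & 0xFF}

def describe(fields):
    """Human-readable state; event objects are signaled when SignalState != 0."""
    kind = DISPATCHER_TYPES.get(fields["Type"], "Unknown(%d)" % fields["Type"])
    if fields["Type"] in (0, 1):
        state = "signaled" if fields["SignalState"] != 0 else "not signaled"
    else:
        state = "SignalState=%d" % fields["SignalState"]
    return "%s: %s" % (kind, state)

# Constructed sample input: the '!handle' and '??' lines from the walkthrough above.
HANDLE_OUTPUT = ("Handle table at a194d280 with 1071 entries in use\n"
                 "1218: Object: aa934288 GrantedAccess: 001f0003 Entry: bb591430\n")
HEADER_DUMP = ("+0x000 Type : 0 ''\n+0x002 ThreadControlFlags : 0x4 ''\n"
               "+0x000 Lock : 0n262144\n+0x000 LockNV : 0n262144\n+0x004 SignalState : 0n1\n")

if __name__ == "__main__":
    print(hex(parse_handle_entry(HANDLE_OUTPUT, 0x1218)))
    hdr = parse_dispatcher_header(HEADER_DUMP)
    # Byte 2 of Lock (0x40000 >> 16 == 4) is the ThreadControlFlags/Hand/Size value in the dump.
    assert decode_lock(hdr["Lock"])["Type"] == hdr["Type"]
    print(describe(hdr))
```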