The Object Handle Database

Some objects maintain process-specific handle counts stored in a so-called "handle database." If this is the case, the HandleDBOffset member of the OBJECT_HEADER contains a non-zero value. Just like the NameOffset described above, this is an offset to be subtracted from the base address of the OBJECT_HEADER to locate this header part. The OBJECT_HANDLE_DB structure is defined in Listing 4. If the OB_FLAG_SINGLE_PROCESS flag is set in the ObjectFlags, the Process member of the union at the beginning of this structure is valid and points to a process object. If more than one process holds handles to the object, the OB_FLAG_SINGLE_PROCESS flag is cleared, and the HandleDBList member becomes valid, pointing to an OBJECT_HANDLE_DB_LIST that constitutes an array of OBJECT_HANDLE_DB structures, preceded by a count value.

Listing 4 The OBJECT_HANDLE_DB Structure

typedef struct _OBJECT_HANDLE_DB
        {
/*000*/ union
            {
/*000*/     struct _EPROCESS              *Process;
/*000*/     struct _OBJECT_HANDLE_DB_LIST *HandleDBList;
/*004*/     };
/*004*/ DWORD HandleCount;
/*008*/ }
        OBJECT_HANDLE_DB;

// sizeof (OBJECT_HANDLE_DB) == 0x008

// -----------------------------------------------------------------

typedef struct _OBJECT_HANDLE_DB_LIST
        {
/*000*/ DWORD            Count;
/*004*/ OBJECT_HANDLE_DB Entries [];
/*???*/ }
        OBJECT_HANDLE_DB_LIST;
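
The following is an added example, not code from the original text: a bounds-checked reader that applies the rules above to a captured 32-bit memory image, as a memory-forensics tool would. The function name, the HDB_ENTRY type, the base_va mapping of the image and the value of OB_FLAG_SINGLE_PROCESS are assumptions, as is the reading that each list entry carries its owner in the Process member; HandleDBOffset and ObjectFlags are passed in because the OBJECT_HEADER layout is not reproduced in this section.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OB_FLAG_SINGLE_PROCESS 0x40u /* ASSUMED value; not stated in this section */

typedef struct { uint32_t process_va; uint32_t handle_count; } HDB_ENTRY;

/* Bounds-checked 32-bit read; assumes a little-endian host, like the x86 image. */
static int rd32(const uint8_t *img, size_t size, size_t off, uint32_t *v)
{
    if (off > size || size - off < 4) return 0;
    memcpy(v, img + off, 4);
    return 1;
}

/* Collects per-process handle counts for the object whose OBJECT_HEADER sits at
 * image offset hdr_off. Returns the entry count, 0 if there is no handle
 * database, or -1 if the data is malformed or does not fit into out[]. */
int read_handle_db(const uint8_t *img, size_t size, uint32_t base_va,
                   size_t hdr_off, uint32_t handle_db_offset,
                   uint32_t object_flags, HDB_ENTRY *out, uint32_t max)
{
    uint32_t first, count, n, i;
    size_t db, list;

    if (handle_db_offset == 0) return 0;          /* no handle database    */
    if (handle_db_offset > hdr_off) return -1;    /* would precede image   */
    db = hdr_off - handle_db_offset;              /* subtracted, not added */
    if (!rd32(img, size, db, &first) || !rd32(img, size, db + 4, &count))
        return -1;

    if (object_flags & OB_FLAG_SINGLE_PROCESS) {  /* union holds Process   */
        if (max < 1) return -1;
        out[0].process_va = first;
        out[0].handle_count = count;
        return 1;
    }
    /* Flag cleared: the union holds HandleDBList, a pointer into the image. */
    if (first < base_va || first - base_va >= size) return -1;
    list = first - base_va;
    if (!rd32(img, size, list, &n)) return -1;    /* Count precedes Entries */
    if (n > max || n > (size - list - 4) / 8) return -1; /* untrusted count */
    for (i = 0; i < n; i++) {
        rd32(img, size, list + 4 + 8 * (size_t)i, &out[i].process_va);
        rd32(img, size, list + 8 + 8 * (size_t)i, &out[i].handle_count);
    }
    return (int)n;
}
```

The Count field and the HandleDBList pointer come from the image under analysis, so both are validated against the buffer size before any entry is read.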

