Geoff Chappell - Software Analyst
The OBJECT_HANDLE_FLAG_INFORMATION structure (formally _OBJECT_HANDLE_FLAG_INFORMATION) is what a successful call to ZwQueryObject or NtQueryObject produces in its output buffer when given the information class ObjectHandleFlagInformation (3). The information so obtained is not directly about the object that is referenced by the Handle argument, but about the handle’s reference to the object.
The structure can also be provided as input to the ZwSetInformationObject or NtSetInformationObject functions, again with ObjectHandleFlagInformation as the information class.
The OBJECT_HANDLE_FLAG_INFORMATION structure is not documented.
Microsoft does publish the practical equivalent of a C-language definition as type information in a handful of private symbol files that Microsoft has included in packages of public symbol files, starting with Windows 8, and continues to make available through Microsoft’s public symbol server. These private symbol files are not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure. They are instead for various higher-level user-mode DLLs such as URLMON.DLL. The latter is here singled out because of its origins in Internet Explorer and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use.
Type information for the structure has also seeped out at the other end of the Windows timeline, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The OBJECT_HANDLE_FLAG_INFORMATION is two bytes in both 32-bit and 64-bit Windows.
Offset | Definition | Versions |
---|---|---|
0x00 | BOOLEAN Inherit; | 3.50 and higher |
0x01 | BOOLEAN ProtectFromClose; | 3.50 and higher |
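
The layout above, mirrored in C and folded into the flag mask that the documented GetHandleInformation function reports. This is an added example, not code from the original page: the type, constant and helper names are its own, and the NtQueryObject call through ntdll.dll is compiled only on Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Same values as the documented HANDLE_FLAG_INHERIT and HANDLE_FLAG_PROTECT_FROM_CLOSE. */
enum { FLAG_INHERIT = 0x1, FLAG_PROTECT_FROM_CLOSE = 0x2 };

/* Layout from the table above (BOOLEAN is one byte); type name is this example's own. */
typedef struct {
    unsigned char Inherit;          /* offset 0x00 */
    unsigned char ProtectFromClose; /* offset 0x01 */
} HANDLE_FLAG_INFO;
_Static_assert(sizeof(HANDLE_FLAG_INFO) == 2, "structure is two bytes");

/* Hypothetical helper: fold both BOOLEANs into a HANDLE_FLAG_* style mask. */
unsigned long handle_flags_to_mask(const HANDLE_FLAG_INFO *info)
{
    unsigned long mask = 0;
    if (info->Inherit) mask |= FLAG_INHERIT;
    if (info->ProtectFromClose) mask |= FLAG_PROTECT_FROM_CLOSE;
    return mask;
}

#ifdef _WIN32
typedef LONG (NTAPI *NtQueryObject_t)(HANDLE, int, PVOID, ULONG, PULONG);
/* Hypothetical helper: query class 3 (ObjectHandleFlagInformation); 0 on success. */
int query_handle_flags(HANDLE h, unsigned long *mask)
{
    HANDLE_FLAG_INFO info = {0, 0};
    NtQueryObject_t query = (NtQueryObject_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryObject");
    if (!query || query(h, 3, &info, sizeof info, NULL) < 0) return -1;
    *mask = handle_flags_to_mask(&info);
    return 0;
}
#endif
int main(void)
{
    HANDLE_FLAG_INFO sample = {1, 0}; /* constructed buffer: inheritable, not protected */
    unsigned long mask = handle_flags_to_mask(&sample);
#ifdef _WIN32
    DWORD win32 = 0; /* live comparison against the documented API */
    HANDLE h = GetStdHandle(STD_OUTPUT_HANDLE);
    if (query_handle_flags(h, &mask) == 0 && GetHandleInformation(h, &win32))
        printf("GetHandleInformation: 0x%lx\n", win32);
#endif
    printf("mask from structure: 0x%lx\n", mask);
    return 0;
}
```

On Windows the two printed masks should agree for the same handle; a handle that reports the inherit bit is one that child processes created with handle inheritance will receive.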