Geoff Chappell - Software Analyst
From as long ago as Windows NT 3.50, the OBJECT_HEADER has a byte that’s interpreted as bit flags. From type information in public symbol files for the kernel, it is known that Windows 8.1 formalises these flags as a structure of UCHAR bit fields in union with the Flags byte for conveniently accessing multiple bits together:
| Mask | Definition | Versions |
|---|---|---|
| 0x01 |
UCHAR NewObject : 1; |
6.3 and higher |
| 0x02 |
UCHAR KernelObject : 1; |
6.3 and higher |
| 0x04 |
UCHAR KernelOnlyAccess : 1; |
6.3 and higher |
| 0x08 |
UCHAR ExclusiveObject : 1; |
6.3 and higher |
| 0x10 |
UCHAR PermanentObject : 1; |
6.3 and higher |
| 0x20 |
UCHAR DefaultSecurityQuota : 1; |
6.3 and higher |
| 0x40 |
UCHAR SingleHandleEntry : 1; |
6.3 and higher |
| 0x80 |
UCHAR DeletedInline : 1; |
6.3 and higher |
Before Windows 8.1, the bits look to have been accessd only through macro definitions of the masks. These are known from public disclosure of NTOSP.H in the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10:
| Mask | Name | Versions |
|---|---|---|
| 0x01 | OBJ_FLAG_NEW_OBJECT | 3.50 and higher |
| 0x02 | OBJ_FLAG_KERNEL_OBJECT | 3.50 and higher |
| 0x04 | OBJ_FLAG_KERNEL_ONLY_ACCESS | 3.51 and higher |
| 0x08 | OBJ_FLAG_EXCLUSIVE_OBJECT | 3.51 and higher |
| 0x10 | OBJ_FLAG_PERMANENT_OBJECT | 3.50 and higher |
| 0x20 | OBJ_FLAG_DEFAULT_SECURITY_QUOTA | 3.50 and higher |
| 0x40 | OBJ_FLAG_SINGLE_HANDLE_ENTRY | 3.51 and higher |
| 0x80 | OBJ_FLAG_DELETED_INLINE | 5.1 and higher |
The versions are the first for which the flag is yet known to be used. Identifying first use from inspection of binaries is, perhaps forever, a work in progress.
What makes an object count as new, in the sense of having a set OBJ_FLAG_NEW_OBJECT, is that the OBJECT_CREATE_INFORMATION that temporarily held parameters while creating the object has not yet been freed. Its address remains in the OBJECT_HEADER as the ObjectCreateInfo member.