OBJECT_HEADER_HANDLE_REVOCATION_INFO

The OBJECT_HEADER_HANDLE_REVOCATION_INFO structure, rebadged just as HANDLE_REVOCATION_INFO in the 1607 release of Windows 10, is one of several structures that may precede an OBJECT_HEADER in a memory block that contains an Object Manager object.

That an OBJECT_HEADER_HANDLE_REVOCATION_INFO is present for a given object is indicated by a set 0x40 bit in the InfoMask in the OBJECT_HEADER. How far the one precedes the other depends on which other headers are present, which is in turn indicated by other bits in the InfoMask.

Layout

Whether the structure is named OBJECT_PROCESS_HANDLE_REVOCATION_INFO or just HANDLE_REVOCATION_INFO, it is 0x10 or 0x20 bytes in 32-bit and 64-bit Windows, respectively. Microsoft’s names and types are known from type information in public symbol files for the kernel in the applicable versions.

| Offset (x86) | Offset (x64) | Definition | Versions |
| --- | --- | --- | --- |
| 0x00 | 0x00 | LIST_ENTRY ListEntry; | 10.0 and higher |
| 0x08 | 0x10 | OB_HANDLE_REVOCATION_BLOCK *RevocationBlock; | 10.0 and higher |
| 0x0C | 0x18 | BOOLEAN AllowHandleRevocation; | 1607 and higher |
| 0x0C | 0x18 | UCHAR Padding1 [4]; | 10.0 to 1511 |
| 0x0D | 0x19 | UCHAR Padding1 [3]; | 1607 and higher |
| | 0x1C | UCHAR Padding2 [4]; | 10.0 and higher |
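
As an added example (not from the original page or from Microsoft), the C below computes how far the structure precedes the OBJECT_HEADER for a given InfoMask and decodes the x64 fields at the offsets listed above, as a memory-forensics tool might. The sizes and ordering of the other optional headers, and all function and type names, are assumptions not stated on this page.

```c
#include <stddef.h>
#include <stdint.h>

/* ASSUMPTION (not on the page): sizes of the optional headers for InfoMask bits
   0x01..0x20, taken to lie nearer the OBJECT_HEADER. Row 0 is x86, row 1 x64. */
static const uint8_t lower_header_size[2][6] = {
    { 0x10, 0x10, 0x08, 0x10, 0x08, 0x08 },
    { 0x20, 0x20, 0x10, 0x20, 0x10, 0x10 },
};

/* Bytes from the start of the revocation info to the OBJECT_HEADER,
   or 0 when InfoMask bit 0x40 is clear (structure absent). */
size_t revocation_info_distance(uint8_t info_mask, int is_x64)
{
    if (!(info_mask & 0x40)) return 0;
    size_t distance = is_x64 ? 0x20 : 0x10;   /* structure sizes from the page */
    for (int bit = 0; bit < 6; bit++)
        if (info_mask & (1u << bit))
            distance += lower_header_size[is_x64 ? 1 : 0][bit];
    return distance;
}

typedef struct {
    uint64_t flink, blink;      /* ListEntry at 0x00 */
    uint64_t revocation_block;  /* RevocationBlock at 0x10 */
    int allow;                  /* AllowHandleRevocation at 0x18; -1 before 1607 */
} revocation_info_x64;

static uint64_t read_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Decode the x64 layout from a captured block; header_off is the offset of
   the OBJECT_HEADER in buf. Returns -1 if absent or out of bounds. */
int decode_revocation_info_x64(const uint8_t *buf, size_t header_off, uint8_t info_mask,
                               int is_1607_or_later, revocation_info_x64 *out)
{
    size_t distance = revocation_info_distance(info_mask, 1);
    if (distance == 0 || distance > header_off)
        return -1;
    const uint8_t *p = buf + header_off - distance;
    out->flink = read_le64(p + 0x00);
    out->blink = read_le64(p + 0x08);
    out->revocation_block = read_le64(p + 0x10);
    out->allow = is_1607_or_later ? p[0x18] : -1;
    return 0;
}
```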