Windows 8 Object Allocation Pool Types


Windows 8 has 47 different types of kernel objects, all of which are allocated from one of two pools: PagedPool or NonPagedPoolNx. This note shows how to find the pool type used to allocate objects of a particular type, and then lists the object types allocated from each of the two pools.

The following kernel debugger command displays all the object types on Windows 8.

kd> !object \ObjectTypes
Object: fffff8a00000c060  Type: (fffffa800cc60080) Directory
    ObjectHeader: fffff8a00000c030 (new version)
    HandleCount: 0  PointerCount: 49
    Directory Object: fffff8a0000050c0  Name: ObjectTypes

    Hash Address          Type          Name
    ---- -------          ----          ----
     00  fffffa800cc60bf0 Type          TmTm
     01  fffffa800ccc0d40 Type          Desktop
         fffffa800cc7edf0 Type          Process
     03  fffffa800ccc0f20 Type          DebugObject
     04  fffffa800cc8b4f0 Type          TpWorkerFactory
     05  fffffa800cc8f080 Type          Adapter
         fffffa800ccb1660 Type          Token
     06  fffffa800e20a850 Type          DxgkSharedResource
     08  fffffa800cc6cd30 Type          EventPair
     09  fffffa800d9ed400 Type          PcwObject
         fffffa800cc792b0 Type          WmiGuid
     11  fffffa800cc9e5d0 Type          EtwRegistration
     12  fffffa800cc60f20 Type          Session
         fffffa800cc794a0 Type          Timer
     13  fffffa800cca6a20 Type          Mutant
     14  fffffa800ccbb2e0 Type          IRTimer
     16  fffffa800ccb9f20 Type          IoCompletion
     17  fffffa800e21ce30 Type          DxgkSharedSyncObject
         fffffa800cc60290 Type          WindowStation
         fffffa800cc919f0 Type          Profile
     18  fffffa800cca4c80 Type          File
     21  fffffa800cc7eaf0 Type          Semaphore
     23  fffffa800cc788c0 Type          EtwConsumer
         fffffa800cc56af0 Type          CompositionSurface
     25  fffffa800cc64390 Type          TmTx
         fffffa800cca6380 Type          SymbolicLink
     26  fffffa800d9d3400 Type          FilterConnectionPort
         fffffa800ccb2b50 Type          Key
         fffffa800cc72f20 Type          KeyedEvent
         fffffa800ccb4080 Type          Callback
     27  fffffa800cca3b70 Type          WaitCompletionPacket
     28  fffffa800ccbc080 Type          UserApcReserve
         fffffa800ccb3f20 Type          Job
     29  fffffa800cc60920 Type          Controller
         fffffa800ccc0340 Type          IoCompletionReserve
     30  fffffa800cc87540 Type          Device
         fffffa800cc60080 Type          Directory
     31  fffffa800cc76ad0 Type          Section
         fffffa800ccb3340 Type          TmEn
         fffffa800ccbb860 Type          Thread
     32  fffffa800cc836b0 Type          Type
     33  fffffa800d993400 Type          FilterCommunicationPort
         fffffa800cc7c6b0 Type          PowerRequest
     35  fffffa800cc62db0 Type          TmRm
         fffffa800cca1f20 Type          Event
     36  fffffa800cc92630 Type          ALPC Port
         fffffa800cc8ef20 Type          Driver

Each entry in the output above is an object type object, represented by the structure _OBJECT_TYPE. The _OBJECT_TYPE.TypeInfo.PoolType field holds the pool type that objects of that particular type are allocated from. Two examples, for the TmTm and Token types listed above:

kd> dt nt!_OBJECT_TYPE fffffa800cc60bf0 TypeInfo.PoolType
   +0x040 TypeInfo          : 
      +0x024 PoolType          : 200 ( NonPagedPoolNx )

kd> dt nt!_OBJECT_TYPE fffffa800ccb1660 TypeInfo.PoolType
   +0x040 TypeInfo          : 
      +0x024 PoolType          : 1 ( PagedPool )
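To do this for every type at once instead of issuing one dt command per address, here is an added kd script that is not part of the original note. It assumes nt!ObTypeIndexTable is a flat array of _OBJECT_TYPE pointers (as on Windows 7 and 8) whose slots 0 and 1 are reserved, and that the script is loaded with $$>< so the multi-line .for block is condensed into a single command.

```windbg
$$ Walk nt!ObTypeIndexTable and print the name and pool type of each object type.
$$ Assumption: the table is a flat array of _OBJECT_TYPE pointers and slots 0 and 1
$$ are reserved, so iteration starts at index 2 and stops at the first empty slot range.
.for (r $t0 = 2; @$t0 < 0x100; r $t0 = @$t0 + 1)
{
    r $t1 = poi(nt!ObTypeIndexTable + @$t0 * @$ptrsize)
    .if (@$t1 != 0)
    {
        $$ Name is a _UNICODE_STRING that dt renders inline and PoolType is the
        $$ _POOL_TYPE enum, shown as 1 (PagedPool) or 200 (NonPagedPoolNx) on Win8 x64.
        .printf "TypeIndex %d: ", @$t0
        dt nt!_OBJECT_TYPE @$t1 Name TypeInfo.PoolType
    }
}
```

Run it with `$$><c:\path\to\objtypes.txt` (path is a placeholder); each printed line can then be grouped by PoolType to rebuild the table below.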

Here is the list of object types grouped by the pool type they are allocated from:

Pool Type        Object types
---------        ------------
NonPagedPoolNx   TmTm, Desktop, Process, DebugObject, TpWorkerFactory, Adapter, EventPair, WmiGuid, EtwRegistration, Session, Timer, Mutant, IRTimer, IoCompletion, WindowStation, Profile, File, Semaphore, EtwConsumer, CompositionSurface, TmTx, FilterConnectionPort, Callback, WaitCompletionPacket, UserApcReserve, Job, Controller, IoCompletionReserve, Device, TmEn, Thread, Type, FilterCommunicationPort, PowerRequest, TmRm, Event, ALPC Port, Driver
PagedPool        Token, DxgkSharedResource, PcwObject, DxgkSharedSyncObject, SymbolicLink, Key, KeyedEvent, Directory, Section

On Windows 8 x64, both PagedPool and NonPagedPoolNx are marked non-executable. Since all objects are allocated from non-executable pool regions, exploits that set fields of an object from user mode in order to inject executable shellcode into kernel address space no longer work as they did on prior versions of Windows.