Windows Object Allocation Pool Types
As of Windows 8 there are 47 different types of kernel objects, all of which are allocated from one of two pools: PagedPool or NonPagedPoolNx. This note shows how to find the pool type used to allocate objects of a particular type, and then lists the object types allocated from each of the two pools.
The following kernel debugger command displays all the object types on Windows 8.
```
kd> !object \ObjectTypes
Object: fffff8a00000c060 Type: (fffffa800cc60080) Directory
ObjectHeader: fffff8a00000c030 (new version)
HandleCount: 0 PointerCount: 49
Directory Object: fffff8a0000050c0 Name: ObjectTypes
Hash Address Type Name
---- ------- ---- ----
00 fffffa800cc60bf0 Type TmTm
01 fffffa800ccc0d40 Type Desktop
fffffa800cc7edf0 Type Process
03 fffffa800ccc0f20 Type DebugObject
04 fffffa800cc8b4f0 Type TpWorkerFactory
05 fffffa800cc8f080 Type Adapter
fffffa800ccb1660 Type Token
06 fffffa800e20a850 Type DxgkSharedResource
08 fffffa800cc6cd30 Type EventPair
09 fffffa800d9ed400 Type PcwObject
fffffa800cc792b0 Type WmiGuid
11 fffffa800cc9e5d0 Type EtwRegistration
12 fffffa800cc60f20 Type Session
fffffa800cc794a0 Type Timer
13 fffffa800cca6a20 Type Mutant
14 fffffa800ccbb2e0 Type IRTimer
16 fffffa800ccb9f20 Type IoCompletion
17 fffffa800e21ce30 Type DxgkSharedSyncObject
fffffa800cc60290 Type WindowStation
fffffa800cc919f0 Type Profile
18 fffffa800cca4c80 Type File
21 fffffa800cc7eaf0 Type Semaphore
23 fffffa800cc788c0 Type EtwConsumer
fffffa800cc56af0 Type CompositionSurface
25 fffffa800cc64390 Type TmTx
fffffa800cca6380 Type SymbolicLink
26 fffffa800d9d3400 Type FilterConnectionPort
fffffa800ccb2b50 Type Key
fffffa800cc72f20 Type KeyedEvent
fffffa800ccb4080 Type Callback
27 fffffa800cca3b70 Type WaitCompletionPacket
28 fffffa800ccbc080 Type UserApcReserve
fffffa800ccb3f20 Type Job
29 fffffa800cc60920 Type Controller
fffffa800ccc0340 Type IoCompletionReserve
30 fffffa800cc87540 Type Device
fffffa800cc60080 Type Directory
31 fffffa800cc76ad0 Type Section
fffffa800ccb3340 Type TmEn
fffffa800ccbb860 Type Thread
32 fffffa800cc836b0 Type Type
33 fffffa800d993400 Type FilterCommunicationPort
fffffa800cc7c6b0 Type PowerRequest
35 fffffa800cc62db0 Type TmRm
fffffa800cca1f20 Type Event
36 fffffa800cc92630 Type ALPC Port
fffffa800cc8ef20 Type Driver
```
Each entry in the output above is an object type object, represented by the structure _OBJECT_TYPE. The _OBJECT_TYPE.TypeInfo.PoolType field holds the pool type from which objects of that particular type are allocated. Two examples, for the TmTm and Token types listed above:
```
kd> dt nt!_OBJECT_TYPE fffffa800cc60bf0 TypeInfo.PoolType
   +0x040 TypeInfo :
      +0x024 PoolType : 200 ( NonPagedPoolNx )

kd> dt nt!_OBJECT_TYPE fffffa800ccb1660 TypeInfo.PoolType
   +0x040 TypeInfo :
      +0x024 PoolType : 1 ( PagedPool )
```
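Repeating the `dt` lookup for all 47 types by hand is tedious, so as an added example (not part of the original note) here is a small parser that automates the grouping: it reads the `!object \ObjectTypes` listing, looks up each `_OBJECT_TYPE` address in the corresponding `dt ... TypeInfo.PoolType` result, and groups the type names by pool. The debugger outputs below are constructed excerpts embedded inline rather than fetched from a live kernel debugger; in practice you would collect them from a WinDbg session.

```python
import re
from collections import defaultdict

# Constructed excerpt of "!object \ObjectTypes" output. Entries sharing a hash
# bucket omit the leading hash column, and a type name may contain a space.
OBJECT_TYPES_OUTPUT = """\
Hash Address Type Name
---- ------- ---- ----
00 fffffa800cc60bf0 Type TmTm
fffffa800ccb1660 Type Token
36 fffffa800cc92630 Type ALPC Port
fffffa800cc8ef20 Type Driver
"""

# Constructed "dt nt!_OBJECT_TYPE <addr> TypeInfo.PoolType" results, keyed by address.
DT_OUTPUT = {
    "fffffa800cc60bf0": "   +0x040 TypeInfo :\n      +0x024 PoolType : 200 ( NonPagedPoolNx )",
    "fffffa800ccb1660": "   +0x040 TypeInfo :\n      +0x024 PoolType : 1 ( PagedPool )",
    "fffffa800cc92630": "   +0x040 TypeInfo :\n      +0x024 PoolType : 200 ( NonPagedPoolNx )",
    "fffffa800cc8ef20": "   +0x040 TypeInfo :\n      +0x024 PoolType : 200 ( NonPagedPoolNx )",
}

# Optional two-digit hash, 16-hex-digit address, literal "Type", then the name.
TYPE_LINE = re.compile(r"^(?:[0-9a-f]{2}\s+)?([0-9a-f]{16})\s+Type\s+(.+?)\s*$")
POOL_LINE = re.compile(r"PoolType\s*:\s*([0-9a-f]+)\s*\(\s*(\w+)\s*\)")


def parse_object_types(listing):
    """Return {type name: _OBJECT_TYPE address} from the !object \\ObjectTypes listing."""
    types = {}
    for line in listing.splitlines():
        m = TYPE_LINE.match(line.strip())
        if m:
            types[m.group(2)] = m.group(1)
    return types


def parse_pool_type(dt_text):
    """Return (numeric value, enum name) from a dt ... TypeInfo.PoolType result.
    dt prints the POOL_TYPE value in hex, so "200" is 0x200 (NonPagedPoolNx)."""
    m = POOL_LINE.search(dt_text)
    if not m:
        raise ValueError("no PoolType field in dt output")
    return int(m.group(1), 16), m.group(2)


def group_by_pool(listing, dt_results):
    """Map each pool type name to the list of object types allocated from it."""
    grouped = defaultdict(list)
    for name, addr in parse_object_types(listing).items():
        _, pool = parse_pool_type(dt_results[addr])
        grouped[pool].append(name)
    return dict(grouped)
```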
Here is the list of object types grouped by the pool they are allocated from:
| Pool Type | Object |
|---|---|
| NonPagedPoolNx | TmTm, Desktop, Process, DebugObject, TpWorkerFactory, Adapter, EventPair, WmiGuid, EtwRegistration, Session, Timer, Mutant, IRTimer, IoCompletion, WindowStation, Profile, File, Semaphore, EtwConsumer, CompositionSurface, TmTx, FilterConnectionPort, Callback, WaitCompletionPacket, UserApcReserve, Job, Controller, IoCompletionReserve, Device, TmEn, Thread, Type, FilterCommunicationPort, PowerRequest, TmRm, Event, ALPC Port, Driver |
| PagedPool | Token, DxgkSharedResource, PcwObject, DxgkSharedSyncObject, SymbolicLink, Key, KeyedEvent, Directory, Section |
On Windows 8 x64, both PagedPool and NonPagedPoolNx are marked non-executable. Since all objects are allocated from non-executable pool regions, exploits that set fields of an object from user mode in order to inject executable shellcode into kernel address space no longer work as they did on prior versions of Windows.