How to get a pointer to an object in the object table.
The only call I found is ObReferenceObjectByHandle. Problem is I do not have a handle to the object. Is there any other direction I can head?
The DDK offers some support for exploring the NT object directory, but not all the functions are described in the DDK documentation. One such function, a close cousin of the documented call ObReferenceObjectByHandle, is ObReferenceObjectByName. This function can return a pointer to any object in the object directory if the name of that object is known. This means that it can be used to locate directory objects (including the root), thereby enabling you to do further exploration of the object directory while in kernel mode.
With a little bit of research (and some help from alert readers), we know the prototype for ObReferenceObjectByName looks like this:
NTSTATUS NTAPI ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectPath,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *ObjectPtr
);
The first parameter, ObjectPath, points to a counted Unicode string that holds the path of the object, e.g. \Driver\Serial.
Attributes may be zero or OBJ_CASE_INSENSITIVE, which indicates that the name lookup should be performed ignoring the case of the ObjectName.
Set parameter AccessMode to KernelMode.
Parameter ObjectType optionally points to a 'type' object, which can be used to limit the search for the object to a particular type.
ParseContext is an optional pointer that is passed uninterpreted to any parse procedure that is called during the course of performing the name lookup.
Parameter ObjectPtr is the address of the variable that receives a pointer to the object if the object is found.
This service is only callable at PASSIVE_LEVEL.
If you use this routine to reference an object, be sure to call ObDereferenceObject when you are finished with it.
This service is available on Windows 98, as well as all versions of Windows NT. As with all undocumented functions, use this service at your own risk, and check the operating system and version before calling it.
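The following is an added example, not code from the original post or from Microsoft, showing the calling pattern the answer describes: declare the undocumented prototype yourself, build the counted Unicode string, check that you are at PASSIVE_LEVEL, pass OBJ_CASE_INSENSITIVE and KernelMode, optionally restrict the lookup to one object type, and balance every successful reference with ObDereferenceObject. Because the real call only exists inside the kernel, the block carries a clearly marked host-side shim (a constructed two-entry object table with reference counts standing in for the object manager and for the <ntddk.h> types), so it compiles and runs in user mode; the helper names LookupKernelObjectByName and SimObjectRefCount are hypothetical. In a real driver you would delete the shim, include <ntddk.h>, and keep only the driver-side section.

```c
/*
 * Added example: ObReferenceObjectByName calling pattern with a user-mode shim.
 * SHIM BEGIN..SHIM END is a constructed stand-in for <ntddk.h> and the object
 * manager; a real driver deletes it and includes <ntddk.h> instead.
 */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* ---- SHIM BEGIN (constructed, user-mode only) ---- */
typedef long NTSTATUS;
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef wchar_t *PWSTR;
typedef void *PVOID;
typedef ULONG ACCESS_MASK;
typedef unsigned char KPROCESSOR_MODE;
typedef unsigned char KIRQL;
typedef PVOID PACCESS_STATE;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct _OBJECT_TYPE { const char *Name; } OBJECT_TYPE, *POBJECT_TYPE;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
#define STATUS_OBJECT_TYPE_MISMATCH  ((NTSTATUS)0xC0000024L)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
#define STATUS_INVALID_DEVICE_STATE  ((NTSTATUS)0xC0000184L)
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define KernelMode 0
#define PASSIVE_LEVEL 0

/* Constructed object table: path, type object, and reference count. */
typedef struct { const wchar_t *Path; POBJECT_TYPE Type; long RefCount; } SIM_OBJECT;
OBJECT_TYPE SimDriverType = { "Driver" }, SimDeviceType = { "Device" };
SIM_OBJECT SimObjects[] = {
    { L"\\Driver\\Serial",  &SimDriverType, 1 },
    { L"\\Device\\Serial0", &SimDeviceType, 1 },
};

static KIRQL KeGetCurrentIrql(void) { return PASSIVE_LEVEL; }

static void RtlInitUnicodeString(PUNICODE_STRING s, const wchar_t *src) {
    s->Buffer = (PWSTR)src;
    s->Length = (USHORT)(wcslen(src) * sizeof(wchar_t));      /* byte count, no terminator */
    s->MaximumLength = (USHORT)(s->Length + sizeof(wchar_t));
}

static int SimNameEquals(const wchar_t *a, const wchar_t *b, ULONG attrs) {
    for (; *a && *b; a++, b++)
        if ((attrs & OBJ_CASE_INSENSITIVE) ? towlower(*a) != towlower(*b) : *a != *b) return 0;
    return *a == *b;
}

/* Simulated object-manager lookup with the real call's contract: +1 reference on success. */
NTSTATUS ObReferenceObjectByName(PUNICODE_STRING ObjectPath, ULONG Attributes,
                                 PACCESS_STATE PassedAccessState, ACCESS_MASK DesiredAccess,
                                 POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode,
                                 PVOID ParseContext, PVOID *ObjectPtr) {
    (void)PassedAccessState; (void)DesiredAccess; (void)AccessMode; (void)ParseContext;
    for (size_t i = 0; i < sizeof SimObjects / sizeof SimObjects[0]; i++) {
        if (!SimNameEquals(ObjectPath->Buffer, SimObjects[i].Path, Attributes)) continue;
        if (ObjectType != NULL && ObjectType != SimObjects[i].Type) return STATUS_OBJECT_TYPE_MISMATCH;
        SimObjects[i].RefCount++;
        *ObjectPtr = &SimObjects[i];
        return STATUS_SUCCESS;
    }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}

void ObDereferenceObject(PVOID Object) { ((SIM_OBJECT *)Object)->RefCount--; }

/* Test hook: current reference count of a simulated object (exact-case path). */
long SimObjectRefCount(const wchar_t *path) {
    for (size_t i = 0; i < sizeof SimObjects / sizeof SimObjects[0]; i++)
        if (SimNameEquals(path, SimObjects[i].Path, 0)) return SimObjects[i].RefCount;
    return -1;
}
/* ---- SHIM END ---- */

/* Driver-side: the DDK headers do not declare this routine, so the driver declares it
 * (on x86 the real one is NTAPI/__stdcall; add that qualifier in the kernel build). */
NTSTATUS ObReferenceObjectByName(PUNICODE_STRING, ULONG, PACCESS_STATE, ACCESS_MASK,
                                 POBJECT_TYPE, KPROCESSOR_MODE, PVOID, PVOID *);

/* Hypothetical helper: resolve an object-directory path to a referenced object pointer.
 * On success the caller owns one reference and must call ObDereferenceObject(*object). */
NTSTATUS LookupKernelObjectByName(const wchar_t *path, POBJECT_TYPE type, PVOID *object) {
    UNICODE_STRING name;
    *object = NULL;
    if (KeGetCurrentIrql() != PASSIVE_LEVEL)     /* the service is PASSIVE_LEVEL only */
        return STATUS_INVALID_DEVICE_STATE;
    RtlInitUnicodeString(&name, path);
    return ObReferenceObjectByName(&name, OBJ_CASE_INSENSITIVE, NULL, 0, type,
                                   KernelMode, NULL, object);
}
```

The type filter is the cheap safety check: passing the expected type object makes the lookup fail with STATUS_OBJECT_TYPE_MISMATCH rather than handing back a pointer you would then cast to the wrong structure. Tracking the reference count in the shim is what lets you confirm that every successful lookup is paired with exactly one ObDereferenceObject; in a real driver the same discipline is what prevents the object from being kept alive for ever.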