Windows Executable Objects Flashcards
_FILE_OBJECT
File - An instance of an open file that represents a process or kernel module’s access into a file, including the permissions, regions of memory that store portions of the file’s contents, and the file’s name.
_EPROCESS
A container that allows threads to execute within a private virtual address space and maintains open handles to resources such as files, registry keys, etc.
_OBJECT_SYMBOLIC_LINK
SymbolicLink - Created to support aliases that can help map network share paths and removable media devices to drive letters.
_TOKEN
Token - Stores security context information (such as security identifiers [SIDs] and privileges) for processes and threads.
_ETHREAD
Thread - An object that represents mutual exclusion and is typically used for synchronization purposes or to control access to particular resources.
_KMUTANT
Mutant - An object that represents mutual exclusion and is typically used for synchronization purposes or to control access to particular resources.
tagWINDOWSTATION
WindowStation - A security boundary for processes and desktops, which also contains a clipboard and atom tables.
tagDESKTOP
Desktop - An object that represents the displayable screen surface and contains user objects such as windows, menus, and buttons.
_DRIVER_OBJECT
Driver - Represents the image of a loaded kernel-mode driver and contains addresses of the driver’s input/output control handler functions.
_CM_KEY_BODY
Key - An instance of an open registry key that contains information about the key’s values and data.
_OBJECT_TYPE
Type - An object with metadata that describes the common properties of all other objects.