jxy-s
commented
1 week ago I'll check the code when I'm able. But I suspect we're showing the pointer count and not the true reference, as you've pointed out.
Open alabuzhev opened 1 week ago
jxy-s
commented
1 week ago I'll check the code when I'm able. But I suspect we're showing the pointer count and not the true reference, as you've pointed out.
Brief description of your issue
In Handle properties window there's a "References" section with "References" and "Handles". "Handles" looks good, but "References" usually contains some large number that doesn't make much sense, like 32763 or 65520 or 11863049.
The number, however, is usually oddly close to a multiple of 32768 and the multiplier is usually oddly close to Handles:
11863049 / 32768 = 362 ≈ 365
Which suggests that reference count isn't really just a number and should be treated specially to be human-readable.
There's an article by Alex Ionescu from 2014, explaining what is going on: https://www.alex-ionescu.com/the-case-of-the-bloated-reference-count-handle-table-entry-changes-in-windows-8-1/
Perhaps it would make sense to:
Other related sources: https://community.osr.com/t/pointer-count-increased-0x8000-when-zwopenprocess-called/52999 https://ntamonsec.blogspot.com/2020/06/journey-into-object-manager-executive-handles.html https://bsodtutorials.wordpress.com/2022/01/24/object-headers-handles-and-types/ https://www.google.com/search?q="PointerCount"+0x7FFF
Steps to reproduce (optional)
Open SI Open properties of any readable process Go to Handles tab Open properties of any readable handle Inspect the References section
Expected behavior (optional)
References should be some reasonable number, not tens or hundreds of thousands.
Actual behavior (optional)
No response
Environment (optional)
No response