NTObjects is a utility for exploring Windows system objects that live in kernel memory. The display can be filtered by object category and/or object type, and the total number of objects currently existing on the system can be shown. Objects are grouped into the three categories Windows itself uses:

Kernel objects are the Object Manager's objects, such as processes, threads, events, mutexes (mutants), sections and file objects.

User objects are window-manager (win32k) objects, such as windows, menus, cursors, icons and hooks.

GDI objects are drawing objects, such as bitmaps, brushes, device contexts, fonts, pens and regions.
Many objects can be opened in a details window that names and displays the individual fields of the object. Any object can be dumped to a memory window. Where an object has a security descriptor defined, it can be displayed for that object; this is the owner and DACL the kernel actually enforces when a handle to the object is opened, so it is the authoritative place to check who can reach a given object.
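The following is an added example, not code from NTObjects or its author, showing from user mode the same kind of security descriptor NTObjects displays on a kernel object. It assumes Windows PowerShell 5.1 (.NET Framework, which has the MutexSecurity constructor overload used here) and uses an arbitrary object name of its own choosing. It creates a named mutex with an explicit DACL, reads the descriptor back from the live object as SDDL and access rules, and then re-opens the object by name with only READ_CONTROL to show that the DACL is what governs the open.

```powershell
# Added example; not part of NTObjects. Windows PowerShell 5.1 (.NET Framework).
# Creates a named mutex with an explicit DACL, then reads the security descriptor
# back from the live kernel object. The object name is an arbitrary choice.
$name = 'Local\NTObjectsSdDemo'

# Build the DACL: the current user gets full control, Everyone may only wait on it.
$sec      = New-Object System.Security.AccessControl.MutexSecurity
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$sec.AddAccessRule((New-Object System.Security.AccessControl.MutexAccessRule($me, 'FullControl', 'Allow')))
$sec.AddAccessRule((New-Object System.Security.AccessControl.MutexAccessRule($everyone, 'Synchronize', 'Allow')))

$createdNew = $false
$mutex = New-Object System.Threading.Mutex($false, $name, [ref]$createdNew, $sec)
if (-not $createdNew) {
    Write-Warning "$name already existed; the DACL shown below is the existing object's, not the one built above"
}

# Read the descriptor back from the kernel object (needs READ_CONTROL on the handle).
$sd = $mutex.GetAccessControl()
'SDDL : ' + $sd.GetSecurityDescriptorSddlForm('Owner,Group,Access')
$sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, MutexRights, AccessControlType -AutoSize

# Least-privilege check: open the same object by name asking only for READ_CONTROL.
# This succeeds for a principal the DACL grants ReadPermissions (the creator here);
# a principal holding only Synchronize would get an UnauthorizedAccessException.
$ro = [System.Threading.Mutex]::OpenExisting($name, [System.Security.AccessControl.MutexRights]::ReadPermissions)
'Opened with READ_CONTROL only: ' + $ro.GetAccessControl().GetSecurityDescriptorSddlForm('Access')

$ro.Dispose()
$mutex.Dispose()
```

The SDDL string printed here is the same descriptor a kernel-side viewer would show for the object; comparing the two is a quick way to confirm that a tool like NTObjects is reading the right object header. Note that the Local\ namespace is used so the example works as a standard user; creating in Global\ requires SeCreateGlobalPrivilege.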
Program caveats - NTObjects is highly experimental. It relies on information that has been reverse engineered or inferred by indirect observation, for example by writing a small program that creates and uses an object and observing how the object is laid out in memory. The utility is prone to breaking (BSODs are not unheard of), especially when a new version of the operating system is released, so run it on a disposable test machine or virtual machine rather than a production host. Most important of all, since kernel objects and memory are highly volatile, each display is a snapshot of the object as it was when the request was made through the user interface. There is no real-time monitoring and no diffing feature, although diffing can be approximated by opening a details or memory window repeatedly on the same object and comparing the results.
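As an added example (not part of NTObjects), here is the snapshot-and-compare approach applied to per-process object counts from user mode, covering the three categories above: kernel object handle counts from Get-Process, and USER and GDI object counts from the user32 GetGuiResources API (uiFlags 1 = GR_USEROBJECTS, 0 = GR_GDIOBJECTS). The functions and the 5-second interval are this example's own choices; it assumes Windows PowerShell or PowerShell 7 on Windows. Processes that refuse PROCESS_QUERY_INFORMATION (protected processes, other users' processes when not elevated) are skipped rather than failing the run.

```powershell
# Added example; not part of NTObjects. Two snapshots of per-process object counts,
# then a diff of the processes whose counts changed in between.
Add-Type -Namespace Win32 -Name Gui -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetGuiResources(IntPtr hProcess, uint uiFlags);
'@

function Get-ObjectCountSnapshot {
    # Returns a hashtable keyed by PID: kernel handle count plus USER and GDI object counts.
    $rows = @{}
    foreach ($p in Get-Process) {
        # Process.Handle opens the process; protected or foreign processes may throw.
        try { $h = $p.Handle } catch { continue }
        $rows[$p.Id] = [pscustomobject]@{
            Id      = $p.Id
            Name    = $p.ProcessName
            Handles = $p.HandleCount                        # kernel object handles
            User    = [Win32.Gui]::GetGuiResources($h, 1)   # GR_USEROBJECTS
            Gdi     = [Win32.Gui]::GetGuiResources($h, 0)   # GR_GDIOBJECTS
        }
    }
    return $rows
}

function Compare-ObjectCountSnapshot([hashtable]$Before, [hashtable]$After) {
    # Emits one row per process that started, exited, or changed any of the three counts.
    $ids = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $b = $Before[$id]; $a = $After[$id]
        if ($null -eq $b)     { $change = 'started'; $ref = $a }
        elseif ($null -eq $a) { $change = 'exited';  $ref = $b }
        else {
            $dh = $a.Handles - $b.Handles
            $du = $a.User    - $b.User
            $dg = $a.Gdi     - $b.Gdi
            if ($dh -eq 0 -and $du -eq 0 -and $dg -eq 0) { continue }
            $change = 'handles {0:+#;-#;0}  user {1:+#;-#;0}  gdi {2:+#;-#;0}' -f $dh, $du, $dg
            $ref = $a
        }
        [pscustomobject]@{ Id = $id; Name = $ref.Name; Change = $change }
    }
}

$before = Get-ObjectCountSnapshot
Start-Sleep -Seconds 5
$after  = Get-ObjectCountSnapshot
Compare-ObjectCountSnapshot $before $after | Sort-Object Name | Format-Table -AutoSize
```

Run elevated to see all processes. A process whose handle or USER/GDI count climbs steadily between snapshots is leaking objects, which is worth investigating both as a stability problem and because a runaway USER/GDI consumer can exhaust the per-session limits for everyone else on the desktop. Like NTObjects' own windows, each snapshot is a point in time; take several at a fixed interval rather than trusting a single pair.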
Screenshot:
Download NTObjects.