class documentation

class _HandleIndexes:

View In Hierarchy

Class built by reversing the function `ExpLookupHandleTableEntry` of the kernel

A handle could be represented like that on Windows 10 x64:

    union {
        struct {
            uint32_t TagBits:2;
            uint32_t LowIdx:8;
            uint32_t MidIdx:9;
            uint32_t HighIdx:9;
        };
        uint32_t Value;
    };

For Windows 10 x86 only the size of the fields are changing.

As all the table arrays are stored on one page only, using 8 bits for the low idx is too much on an x64 system:

  • PAGE_SIZE = 0x1000
  • HANDLE_ENTRY_SIZE = 0x10
  • MAX_LOW_IDX = (1 << 9) - 1 = 0x1FF

We have 0x1FF * 0x10 = 0x1FF0 which is greater than PAGE_SIZE, using only 7 bits to store the low idx is just enough to fit all the possible index of the low table.

The same could be applied to the mid and high index as their tables contains pointers that are half the size of the HANDLE_ENTRY and so need one more bit to fit the maximum possible index.

I don't know why there is this extra bit, maybe for the sign?

Static Method from_value Undocumented
Method __init__ Undocumented
Property high Undocumented
Property low Undocumented
Property mid Undocumented
Property value Undocumented
Static Method _high_idx_mask Undocumented
Static Method _high_idx_shift Undocumented
Static Method _high_idx_size Undocumented
Static Method _low_idx_mask Undocumented
Static Method _low_idx_shift Undocumented
Static Method _low_idx_size Undocumented
Static Method _mid_idx_mask Undocumented
Static Method _mid_idx_shift Undocumented
Static Method _mid_idx_size Undocumented
Static Method _tag_size Undocumented
Instance Variable _ctx Undocumented
Instance Variable _high Undocumented
Instance Variable _low Undocumented
Instance Variable _mid Undocumented
@staticmethod
def from_value(ctx, value):

Undocumented

Parameters
ctx:_ContextUndocumented
value:intUndocumented
def __init__(self, ctx, low=0, mid=0, high=0):

Undocumented

Parameters
ctx:_ContextUndocumented
low:intUndocumented
mid:intUndocumented
high:intUndocumented
@property
high: int =

Undocumented

@property
low: int =

Undocumented

@property
mid: int =

Undocumented

@property
value: int =

Undocumented

@staticmethod
def _high_idx_mask(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _high_idx_shift(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _high_idx_size(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _low_idx_mask(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _low_idx_shift(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _low_idx_size(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _mid_idx_mask(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _mid_idx_shift(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _mid_idx_size(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
@staticmethod
def _tag_size(ctx):

Undocumented

Parameters
ctx:_ContextUndocumented
Returns
intUndocumented
_ctx =

Undocumented

_high =

Undocumented

_low =

Undocumented

_mid =

Undocumented