What is _PEB. GdiSharedHandleTable

  • Question

  • Hi
    I am trying to examine a user dump (XP SP2) for GDI usage. In the _PEB I found the
    +0x094 GdiSharedHandleTable : 0x01010000 Void
    0:000> !address 0x01010000
    Usage:                  <unclassified>
    Allocation Base:        01010000
    Base Address:           01010000
    End Address:            01113000
    Region Size:            00103000
    Type:                   00040000    MEM_MAPPED
    State:                  00001000     MEM_COMMIT
    Protect:                00000002   PAGE_READONLY

    <snip from dump of the GdiSharedHandleTable>
    01012f80  e1330470 000000d4 00050505 00000000
    01012f90  e146e000 000000d4 00080308 00000000
    01012fa0  e13b1e80 000000d4 00050505 00000000
    01012fb0  e145b008 000000d4 00010401 021e0570
    01012fc0  e139ae80 000000d4 00050b05 00000000

    My dumped process has PID Id: d4

    Is the GdiSharedHandleTable a pointer to shared memory?
    And are those rows with 00d4 at offset 4 entries for my process?
    Offset 0 looks like a kernel address, right?
    Offset C looks like a user address, but some are zero; what does that mean?
    Thank You
    Kjell Gunnar

    Friday, October 22, 2010 6:36 PM


  • Hi and thank you

    The article mentioned confirmed my thoughts.
    Kjell Gunnar


    • Marked as answer by kgt Tuesday, September 13, 2011 10:16 AM
    Tuesday, September 13, 2011 10:15 AM
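
Added example, not part of the original thread: a small parser that splits `dd` rows like the ones quoted in the question into 16-byte entries at the offsets discussed (0x0, 0x4, 0xC) and tallies the entries owned by one PID. The meaning of the dword at offset 0x8 and the type codes are assumptions taken from the commonly published layout of this undocumented table; the last sample row is constructed.

```python
import re
from collections import Counter

# The five rows quoted in the question, as printed by `dd`.
PAGE_ROWS = """\
01012f80  e1330470 000000d4 00050505 00000000
01012f90  e146e000 000000d4 00080308 00000000
01012fa0  e13b1e80 000000d4 00050505 00000000
01012fb0  e145b008 000000d4 00010401 021e0570
01012fc0  e139ae80 000000d4 00050b05 00000000
"""
# Constructed row (not from the dump): an entry owned by a different PID.
CONSTRUCTED_ROW = "01012fd0  e1500000 000001a0 00100510 00000000\n"
DD_ROWS = PAGE_ROWS + CONSTRUCTED_ROW

# Assumption: object type codes as commonly published for 32-bit GDI handles.
GDI_TYPES = {0x01: "DC", 0x04: "Region", 0x05: "Bitmap",
             0x08: "Palette", 0x0A: "Font", 0x10: "Brush"}

ROW = re.compile(r"^\s*([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s*){4})$", re.I)

def parse_entries(dd_text):
    """Turn `dd` output (one 16-byte entry per row) into field dicts."""
    entries = []
    for line in dd_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompts, blank lines, unreadable '????????' rows
        kernel, owner, tag, user = (int(w, 16) for w in m.group(2).split())
        entries.append({
            "entry_addr": int(m.group(1), 16),
            "kernel_addr": kernel,        # offset 0x0
            "pid": owner & 0xFFFF,        # offset 0x4 (low word)
            "type": (tag >> 16) & 0x7F,   # offset 0xA (assumed type field)
            "user_addr": user,            # offset 0xC, zero in some rows
        })
    return entries

def gdi_usage(entries, pid):
    """Count in-use entries (non-zero kernel address) owned by `pid`, by type."""
    owned = [e for e in entries if e["pid"] == pid and e["kernel_addr"]]
    return Counter(GDI_TYPES.get(e["type"], hex(e["type"])) for e in owned)

if __name__ == "__main__":
    for name, n in gdi_usage(parse_entries(DD_ROWS), 0xD4).most_common():
        print(f"{name:8} {n}")
```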
