Process and Thread handles

Processes and threads are assigned ascending integer indices from a single range space. Going from an index to a Process or Thread object requires going through the Cid table, pointed to by the global location PspCidTable. The structure at this address is a HANDLE_TABLE (see ntos/inc/ex.h). The fourth DWORD in the table is the base of the handle table.

This array differs from a user's handle table in that the object pointers need not be adjusted by 0x1c, and that the rights DWORD is always 0. Here is an example:

kd> dd PspCidTable
80156df0  80726b48 80726be0 00000002 00000000
80156e00  e1228890 77f60000 77f67574 77f60000
80156e10  e1000750 80726940 00000000 00000000
80156e20  003e003c e11fd608 00000000 00000000
80156e30  80726ce0 80157200 00000000 00000000
80156e40  00000000 00000000 00000000 00000000
80156e50  00000000 00000000 00000000 00000000
80156e60  00000000 00000000 00000000 00000000
kd> dd  80726b48
80726b48  00000000 00000000 00000000 e13a9008
80726b58  e13a9880 000000da 00000000 00000000
80726b68  00000010 80726b6c 80726b6c 00040001
80726b78  00000000 80726b7c 80726b7c 00050005
80726b88  00000000 80726b8c 80726b8c 7fffffff
80726b98  00000000 00000000 08010003 d46a624f
80726ba8  80700850 000e000c e1001688 ffffffff
80726bb8  806ff338 80726cb8 00000000 00000000
kd> dd e13a9008
e13a9008  e13a9698 e13a96e0 807266e0 00000000
e13a9018  80726940 00000000 807004a0 00000000
e13a9028  80700240 00000000 806ff020 00000000
e13a9038  806ffdc0 00000000 806ffb60 00000000
e13a9048  806ff900 00000000 806ff6a0 00000000
e13a9058  806ff440 00000000 806fe020 00000000
e13a9068  806fedc0 00000000 806fddc0 00000000
e13a9078  806fdb60 00000000 806fd900 00000000
kd> !object  807266e0
Object: 807266e0  Type: (80726be0) Thread
    ObjectHeader: 807266c8
    HandleCount: 0  PointerCount: 3
kd> !thread  807266e0 0
THREAD 807266e0  Cid 2.1  Teb: 00000000  Win32Thread: 00000000 WAIT:
kd> !object  80726940
Object: 80726940  Type: (80726ce0) Process
    ObjectHeader: 80726928
    HandleCount: 3  PointerCount: 34
kd> !process  80726940 0
PROCESS 80726940  LogonId: 0  Cid: 0002  Peb: 00000000  ParentCid: 0000
    DirBase: 00030000  ObjectTable: 80725f28  TableSize: 222.
    Image: System
kd>
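As an added example (not part of the original document), the following Python script replays the lookup described above against the dd output of this session: it parses the dumps into a sparse memory map, follows PspCidTable to the HANDLE_TABLE, takes the fourth DWORD as the entry array, and indexes it by Cid. The PspCidTable address 0x80156df0 and the 8-byte entry stride (object pointer followed by the rights DWORD) are taken from the session shown here; the dump text is a constructed excerpt of that session.

```python
import re

# Constructed excerpt of the `dd` output from the session above (sample input).
KD_DUMP = """\
80156df0  80726b48 80726be0 00000002 00000000
80726b48  00000000 00000000 00000000 e13a9008
80726b58  e13a9880 000000da 00000000 00000000
e13a9008  e13a9698 e13a96e0 807266e0 00000000
e13a9018  80726940 00000000 807004a0 00000000
e13a9028  80700240 00000000 806ff020 00000000
"""

PSP_CID_TABLE = 0x80156DF0  # address printed by `dd PspCidTable` in this session

def parse_dd(text):
    """Turn `dd` lines (address, then up to four DWORDs) into a dict addr -> value."""
    mem = {}
    for line in text.splitlines():
        parts = re.split(r"\s+", line.strip())
        if len(parts) < 2:
            continue
        base = int(parts[0], 16)
        for i, word in enumerate(parts[1:]):
            mem[base + 4 * i] = int(word, 16)
    return mem

def read_dword(mem, addr):
    if addr not in mem:
        raise KeyError(f"no dump covers {addr:08x}")
    return mem[addr]

def cid_table_base(mem, psp_cid_table=PSP_CID_TABLE):
    """PspCidTable -> HANDLE_TABLE; its fourth DWORD (offset 0xC) is the entry array."""
    handle_table = read_dword(mem, psp_cid_table)
    return read_dword(mem, handle_table + 0xC)

def lookup_cid(mem, cid, psp_cid_table=PSP_CID_TABLE):
    """Entry i sits at base + 8*i: object pointer, then a rights DWORD that is 0.
    Unlike a user handle table, the pointer is used as-is (no 0x1c adjustment)."""
    entry = cid_table_base(mem, psp_cid_table) + 8 * cid
    obj, rights = read_dword(mem, entry), read_dword(mem, entry + 4)
    if rights != 0:  # entry 0 in this dump is not an object/0 pair, so it is rejected
        raise ValueError(f"entry {cid}: rights DWORD is {rights:08x}, expected 0")
    return obj

if __name__ == "__main__":
    m = parse_dd(KD_DUMP)
    for cid in (1, 2, 3):  # 1 -> thread Cid 2.1, 2 -> process Cid 0002 in the session
        print(f"Cid {cid}: object {lookup_cid(m, cid):08x}")
```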