Object Directory
Overview
Evidence: Object Directory
Description: Collect Object Directory Information
Category: System
Platform: Windows
Short Name: objdirinf
Is Parsed: Yes - Object directory entries parsed
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Windows kernel maintains object directories that contain named kernel objects like devices, drivers, symbolic links, and other kernel-mode objects. These directories are organized hierarchically and can be enumerated to understand the kernel object namespace.
Common object directories include:
\Driver - Loaded driver objects
\Device - Device objects
\Global?? - Global symbolic links and DOS device names
Enumerating these directories can reveal hidden devices, suspicious drivers, and other kernel-level artifacts.
Data Collected
Three separate tables are created, one for each object directory:

ObjDirDriver Table

Column   Description                        Example
Type     Object type                        Driver
Path     Object path                        \Driver\Disk
Target   Target path (for symbolic links)

ObjDirDevice Table

Column   Description                        Example
Type     Object type                        Device
Path     Object path                        \Device\HarddiskVolume3
Target   Target path (for symbolic links)

ObjDirGlobal Table

Column   Description                        Example
Type     Object type                        SymbolicLink
Path     Object path                        \Global??\C:
Target   Target path                        \Device\HarddiskVolume3
Collection Method
This collector uses two kernel driver IOCTL calls:
IoctlCreateObjectDirectorySnapshot - to snapshot the directory
IoctlEnumObjectDirectorySnapshot - to enumerate the objects in the snapshot
It processes three directories (\Driver, \Device, and \Global??) and creates a separate table for each directory.
Usage
Object directory enumeration helps detect kernel-level threats and hidden devices. Investigators use this data to identify hidden or suspicious drivers, detect rootkit device objects, track symbolic link manipulation, identify unusual kernel objects, verify driver object presence, and correlate with loaded driver enumeration.
Known Limitations
Requires kernel driver
Only captures state at collection time
Some objects may be transient
Interpretation requires kernel knowledge
Notes
The \Global?? directory contains symbolic links that map DOS device names (C:, D:, etc.) to actual device objects. Malware may create hidden devices or manipulate symbolic links for stealth.
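The cross-checks described under Usage and in the note above (correlating \Driver objects with a loaded-driver enumeration, verifying that \Global?? drive-letter links resolve to a device object that is present in the \Device table, and comparing two snapshots because the data is point-in-time) can be run over exported table rows. The script below is an added example, not part of the collector; it assumes the rows carry the documented Type, Path and Target columns, and every row, driver name and snapshot in it is constructed sample data.

```python
"""Cross-check ObjDirDriver, ObjDirDevice and ObjDirGlobal rows.

Added example, not the collector's own code. Assumes rows exported with
the documented columns (Type, Path, Target). All data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjEntry:
    type: str
    path: str
    target: str = ""


# Constructed sample rows in the documented column layout.
OBJDIR_DRIVER = [
    ObjEntry("Driver", r"\Driver\Disk"),
    ObjEntry("Driver", r"\Driver\Tcpip"),
    ObjEntry("Driver", r"\Driver\samplehidden"),  # constructed: no loaded module backs it
]
OBJDIR_DEVICE = [
    ObjEntry("Device", r"\Device\HarddiskVolume3"),
    ObjEntry("Device", r"\Device\HarddiskVolume1"),
]
OBJDIR_GLOBAL = [
    ObjEntry("SymbolicLink", r"\Global??\C:", r"\Device\HarddiskVolume3"),
    ObjEntry("SymbolicLink", r"\Global??\D:", r"\Device\HarddiskVolume9"),  # constructed: dangling
    ObjEntry("SymbolicLink", r"\Global??\PhysicalDrive0", r"\Device\Harddisk0\DR0"),
]
# Constructed: names taken from a separate loaded-driver enumeration.
LOADED_DRIVERS = {"Disk", "Tcpip"}


def driver_objects_without_module(driver_rows, loaded_names):
    """\Driver objects whose name has no counterpart in the loaded-driver list.

    A driver object with no matching loaded module is worth a closer look
    (the page lists hidden or suspicious drivers as a use of this data).
    """
    loaded = {n.lower() for n in loaded_names}
    return sorted(
        row.path
        for row in driver_rows
        if row.type == "Driver"
        and row.path.rsplit("\\", 1)[-1].lower() not in loaded
    )


# Matches drive-letter links such as \Global??\C:
DRIVE_LETTER_LINK = re.compile(r"^\\Global\?\?\\[A-Z]:$", re.IGNORECASE)


def dangling_drive_links(global_rows, device_rows):
    """Drive-letter symbolic links whose target is absent from the \Device table.

    Assumes the \Device snapshot lists the direct children of \Device, so only
    top-level targets (e.g. \Device\HarddiskVolume3) are checked here.
    """
    devices = {row.path.lower() for row in device_rows if row.type == "Device"}
    findings = []
    for row in global_rows:
        if row.type != "SymbolicLink" or not DRIVE_LETTER_LINK.match(row.path):
            continue
        if row.target.lower() not in devices:
            findings.append((row.path, row.target))
    return sorted(findings)


def snapshot_diff(before, after):
    """Objects added and removed between two collections of the same directory.

    The collector captures state at collection time only, so comparing two
    snapshots is how transient or newly created objects become visible.
    """
    old = {(r.type, r.path, r.target) for r in before}
    new = {(r.type, r.path, r.target) for r in after}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    print("Driver objects with no loaded module:",
          driver_objects_without_module(OBJDIR_DRIVER, LOADED_DRIVERS))
    print("Dangling drive-letter links:",
          dangling_drive_links(OBJDIR_GLOBAL, OBJDIR_DEVICE))
    later = OBJDIR_DEVICE + [ObjEntry("Device", r"\Device\SampleNew")]  # constructed
    print("Added/removed between snapshots:", snapshot_diff(OBJDIR_DEVICE, later))
```

Name comparison is case-insensitive because the object manager namespace is; the loaded-driver list is whatever enumeration the investigator already has, and a mismatch is a lead to verify, not a verdict on its own.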