Object Directory

Overview

Evidence: Object Directory
Description: Collect Object Directory Information
Category: System
Platform: windows
Short Name: objdirinf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The Windows kernel maintains object directories that contain named kernel objects like devices, drivers, symbolic links, and other kernel-mode objects. These directories are organized hierarchically and can be enumerated to understand the kernel object namespace.

Common object directories include:

  • \Driver - driver objects, one per loaded kernel driver, named after the driver's service name (for example \Driver\Disk); file system and filter drivers register under \FileSystem instead

  • \Device - device objects created by those drivers (for example \Device\HarddiskVolume3), along with a few subdirectories such as \Device\Harddisk0

  • \Global?? - the global DOS device namespace: drive letters such as C: and aliases such as PhysicalDrive0, each a symbolic link to an object under \Device

Enumerating these directories can reveal hidden devices, suspicious drivers, and other kernel-level artifacts.

Data Collected

This collector gathers structured data about the enumerated object directories.

Object Directory Data

One table per enumerated directory, each with the same three fields:

\Driver table

Field    Description                        Example
Type     Object type                        Driver
Path     Object path                        \Driver\Disk
Target   Target path (for symbolic links)   (empty)

\Device table

Field    Description                        Example
Type     Object type                        Device
Path     Object path                        \Device\HarddiskVolume3
Target   Target path (for symbolic links)   (empty)

\Global?? table

Field    Description                        Example
Type     Object type                        SymbolicLink
Path     Object path                        \Global??\C:
Target   Target path                        \Device\HarddiskVolume3

Collection Method

This collector issues IOCTL calls to its kernel driver:

  • IoctlCreateObjectDirectorySnapshot to snapshot the directory

  • IoctlEnumObjectDirectorySnapshot to enumerate objects

  • Processes three directories: \Driver, \Device, \Global??

  • Creates separate tables for each directory
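
The collector takes its snapshot from kernel mode through the IOCTLs above. The same three directories can also be walked from user mode with ntdll's native API, which is useful for spot-checking a collected table or reproducing it on a test box. The script below is an added example, not the collector's or the product's code; the helper names (unicode_string, parse_entries, snapshot and so on) are my own, the live calls run only on Windows, and the struct layouts assume the standard x86/x64 Windows ABI. The caveat a practitioner should keep in mind: this path goes through ntdll and the system call interface, exactly the layer a kernel rootkit can filter, so an object that appears in the collector's kernel-side table but not in this user-mode view is itself worth investigating.

```python
# Added example (not the collector's own code): user-mode enumeration of the
# same three object directories via ntdll's native API. Live calls run on
# Windows only; the UNICODE_STRING helpers and buffer parser are portable.
import ctypes
import sys

ULONG = ctypes.c_uint32
WCHAR = ctypes.sizeof(ctypes.c_wchar)       # 2 on Windows (UTF-16, as NT expects)
DIRECTORY_QUERY, DIRECTORY_TRAVERSE = 0x0001, 0x0002
SYMBOLIC_LINK_QUERY = 0x0001
OBJ_CASE_INSENSITIVE = 0x00000040
STATUS_NO_MORE_ENTRIES = 0x8000001A         # NtQueryDirectoryObject: enumeration done


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort),         # bytes, excluding any NUL
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_void_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ULONG), ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ULONG), ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


class OBJECT_DIRECTORY_INFORMATION(ctypes.Structure):
    # NtQueryDirectoryObject fills an array of these, ended by an all-zero entry;
    # the Name/TypeName buffers point back into the same output buffer.
    _fields_ = [("Name", UNICODE_STRING), ("TypeName", UNICODE_STRING)]


def unicode_string(text):
    """Build a UNICODE_STRING; the returned backing buffer must outlive the struct."""
    backing = ctypes.create_unicode_buffer(text)
    u = UNICODE_STRING(len(text) * WCHAR, (len(text) + 1) * WCHAR,
                       ctypes.cast(backing, ctypes.c_void_p).value)
    return u, backing


def read_unicode(u):
    """Copy a UNICODE_STRING out as str (it is not guaranteed NUL-terminated)."""
    if not u.Buffer or not u.Length:
        return ""
    return ctypes.wstring_at(u.Buffer, u.Length // WCHAR)


def parse_entries(base_address):
    """Walk the OBJECT_DIRECTORY_INFORMATION array at base_address -> [(name, type)]."""
    entries, i = [], 0
    p = ctypes.cast(base_address, ctypes.POINTER(OBJECT_DIRECTORY_INFORMATION))
    while p[i].Name.Buffer or p[i].Name.Length:
        entries.append((read_unicode(p[i].Name), read_unicode(p[i].TypeName)))
        i += 1
    return entries


def check_status(status):
    if status >= 0xC0000000:                # NTSTATUS error severity
        raise OSError(f"NTSTATUS 0x{status:08X}")
    return status                           # 0 or a warning such as STATUS_MORE_ENTRIES


def open_object(nt_open, path, access):
    """Open a named kernel object with an NtOpen* routine; returns the handle."""
    name, backing = unicode_string(path)
    oa = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name),
                           OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    check_status(nt_open(ctypes.byref(handle), access, ctypes.byref(oa)))
    return handle


def enumerate_directory(path):
    """[(name, type_name)] for every object in a directory such as '\\Driver'. Windows only."""
    ntdll = ctypes.WinDLL("ntdll")
    for fn in (ntdll.NtOpenDirectoryObject, ntdll.NtQueryDirectoryObject):
        fn.restype = ctypes.c_uint32
    handle = open_object(ntdll.NtOpenDirectoryObject, path, DIRECTORY_QUERY | DIRECTORY_TRAVERSE)
    buf = ctypes.create_string_buffer(64 * 1024)
    context, returned, restart, results = ULONG(0), ULONG(0), True, []
    try:
        while True:
            status = ntdll.NtQueryDirectoryObject(handle, buf, ctypes.sizeof(buf),
                                                  ctypes.c_ubyte(0), ctypes.c_ubyte(restart),
                                                  ctypes.byref(context), ctypes.byref(returned))
            restart = False
            if status == STATUS_NO_MORE_ENTRIES:
                break
            check_status(status)            # 0x105 STATUS_MORE_ENTRIES: buffer full, call again
            results.extend(parse_entries(ctypes.addressof(buf)))
    finally:
        ctypes.windll.kernel32.CloseHandle(handle)
    return results


def resolve_symbolic_link(path):
    """Target string of a SymbolicLink object such as '\\GLOBAL??\\C:'. Windows only."""
    ntdll = ctypes.WinDLL("ntdll")
    for fn in (ntdll.NtOpenSymbolicLinkObject, ntdll.NtQuerySymbolicLinkObject):
        fn.restype = ctypes.c_uint32
    handle = open_object(ntdll.NtOpenSymbolicLinkObject, path, SYMBOLIC_LINK_QUERY)
    backing = ctypes.create_unicode_buffer(1024)
    target = UNICODE_STRING(0, ctypes.sizeof(backing), ctypes.cast(backing, ctypes.c_void_p).value)
    try:
        check_status(ntdll.NtQuerySymbolicLinkObject(handle, ctypes.byref(target), None))
    finally:
        ctypes.windll.kernel32.CloseHandle(handle)
    return read_unicode(target)


def snapshot(directory):
    """Rows shaped like the collector's tables: Type / Path / Target."""
    rows = []
    for name, type_name in enumerate_directory(directory):
        path = directory.rstrip("\\") + "\\" + name
        target = resolve_symbolic_link(path) if type_name == "SymbolicLink" else ""
        rows.append({"Type": type_name, "Path": path, "Target": target})
    return rows


if __name__ == "__main__" and sys.platform == "win32":
    for d in (r"\Driver", r"\Device", r"\GLOBAL??"):
        for row in snapshot(d):
            print(f"{row['Type']:<13} {row['Path']:<45} {row['Target']}")
```

Run it as an ordinary user on Windows; DIRECTORY_QUERY on these three directories and SYMBOLIC_LINK_QUERY on their links are granted to everyone by default, so no elevation is needed. The parser stops at the zeroed terminator entry rather than trusting the returned byte count, which is how the array is defined to end.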

Forensic Value

Object directory enumeration helps detect kernel-level threats and hidden devices. Investigators use this data to identify hidden or suspicious drivers, detect rootkit device objects, track symbolic link manipulation (for example a drive letter or device alias retargeted to a different device object), identify unusual kernel objects, verify that an expected driver object is present, and correlate with loaded driver enumeration: a driver object under \Driver with no matching loaded module is worth a closer look. Keep in mind that file system and filter drivers register their driver objects under \FileSystem, which this collector does not enumerate, so a loaded filter with no entry in the \Driver table is expected.
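
The checks described above, as an added example run over the collector's three tables. This is not the collector's or the product's own logic; the Row shape, the function names, the baseline snapshot and the loaded-module list are all my own, and every row below is constructed sample data (\Driver\unkdrv and \Global??\PDQ are the planted anomalies). It implements three of the correlations: driver objects with no loaded module, symbolic links added, removed or retargeted relative to an earlier known-good \Global?? table, and links whose target names a \Device object that the \Device table does not list.

```python
# Added example (not the collector's own code): triage of Object Directory rows
# (Type / Path / Target). All rows, the baseline and the module list are constructed.
import ntpath
import re
from collections import namedtuple

Row = namedtuple("Row", "type path target")

# Constructed current snapshot; \Driver\unkdrv and \Global??\PDQ are planted anomalies.
DRIVER_ROWS = [Row("Driver", r"\Driver\Disk", ""),
               Row("Driver", r"\Driver\ACPI", ""),
               Row("Driver", r"\Driver\unkdrv", "")]
DEVICE_ROWS = [Row("Device", r"\Device\HarddiskVolume3", ""),
               Row("Device", r"\Device\HarddiskVolume5", ""),
               Row("Device", r"\Device\Null", "")]
GLOBAL_ROWS = [Row("SymbolicLink", r"\Global??\C:", r"\Device\HarddiskVolume3"),
               Row("SymbolicLink", r"\Global??\D:", r"\Device\HarddiskVolume5"),
               Row("SymbolicLink", r"\Global??\PhysicalDrive0", r"\Device\Harddisk0\DR0"),
               Row("SymbolicLink", r"\Global??\NUL", r"\Device\Null"),
               Row("SymbolicLink", r"\Global??\PDQ", r"\Device\PDQDev")]
# Constructed earlier known-good \Global?? table for the same host (D: pointed elsewhere).
BASELINE_GLOBAL = [Row("SymbolicLink", r"\Global??\C:", r"\Device\HarddiskVolume3"),
                   Row("SymbolicLink", r"\Global??\D:", r"\Device\HarddiskVolume4"),
                   Row("SymbolicLink", r"\Global??\PhysicalDrive0", r"\Device\Harddisk0\DR0"),
                   Row("SymbolicLink", r"\Global??\NUL", r"\Device\Null")]
# Constructed module list as a loaded-driver collector would report it.
LOADED_MODULES = [r"\SystemRoot\System32\drivers\disk.sys",
                  r"\SystemRoot\System32\drivers\ACPI.sys"]


def module_to_driver_name(module_path):
    """'...\\drivers\\disk.sys' -> 'disk'. Driver object names come from the service
    name, which usually but not always equals the file basename."""
    return ntpath.splitext(ntpath.basename(module_path))[0].lower()


def driver_objects_without_module(driver_rows, loaded_modules):
    """\\Driver entries with no loaded module of the same name. A hit is a lead, not a
    verdict: a service whose name differs from its file name lands here as well, so
    confirm against the service's registry key before calling it hidden."""
    known = {module_to_driver_name(m) for m in loaded_modules}
    return [r.path for r in driver_rows
            if r.type == "Driver" and r.path.rsplit("\\", 1)[-1].lower() not in known]


def symlink_changes(baseline_rows, current_rows):
    """Diff \\Global?? links against a baseline -> (added, removed, retargeted),
    as lower-cased paths; the object namespace is case-insensitive."""
    base = {r.path.lower(): r.target.lower() for r in baseline_rows if r.type == "SymbolicLink"}
    cur = {r.path.lower(): r.target.lower() for r in current_rows if r.type == "SymbolicLink"}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    retargeted = sorted(p for p in set(base) & set(cur) if base[p] != cur[p])
    return added, removed, retargeted


DIRECT_DEVICE = re.compile(r"^\\Device\\[^\\]+$", re.IGNORECASE)   # \Device\<name>, no deeper


def links_to_unlisted_devices(global_rows, device_rows):
    """Links whose target is a direct child of \\Device that the \\Device table does not
    list. Either the link is dangling or the device object exists but was not returned
    by enumeration (a hiding technique); a device created between the two directory
    snapshots looks the same, so confirm on a second collection."""
    listed = {r.path.lower() for r in device_rows}
    return [(r.path, r.target) for r in global_rows
            if r.type == "SymbolicLink" and DIRECT_DEVICE.match(r.target)
            and r.target.lower() not in listed]


def triage(driver_rows, device_rows, global_rows, baseline_global, loaded_modules):
    added, removed, retargeted = symlink_changes(baseline_global, global_rows)
    return {"driver_without_module": driver_objects_without_module(driver_rows, loaded_modules),
            "links_added": added, "links_removed": removed, "links_retargeted": retargeted,
            "links_to_unlisted_devices": links_to_unlisted_devices(global_rows, device_rows)}


if __name__ == "__main__":
    findings = triage(DRIVER_ROWS, DEVICE_ROWS, GLOBAL_ROWS, BASELINE_GLOBAL, LOADED_MODULES)
    for name, hits in findings.items():
        print(f"{name}: {hits}")
```

Targets with more than one component under \Device (such as \Device\Harddisk0\DR0) are deliberately skipped by the unlisted-device check, because the collector only enumerates the top level of \Device and a subdirectory object would otherwise show up as a false positive.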
