Understanding Atom Tables

Atom Tables are a Windows structure which I have wanted to investigate for a while, but I have only now managed to find the time to write about them.

Atom Tables enable strings to be encoded as a 16-bit integer (an atom) which can then be shared among different processes. The encoded strings stored within the table are referred to as atom names. There are two forms of Atom Table: the Global Atom Table, defined for all processes on the system, and the Local Atom Table, which is defined privately for the process which created the table.

Following from this, there are two types of Atom: String Atoms and Integer Atoms. The type mentioned in the first paragraph is the String Atom.

For a String Atom, a string is passed to GlobalAddAtom or AddAtom; either function then returns a 16-bit integer which can be used to access the string stored within the atom table. We can use the GlobalFindAtom or FindAtom functions to do so.

Properties of String Atoms:

  • The values returned are within the range of 0xC000 to 0xFFFF.
  • The string can be no longer than 255 bytes in size.
  • The reference count associated with each atom name is incremented when the string is added to the table, and decremented when the string is removed from the table. The atom is only removed from the atom table when the atom name's reference count has been decremented to 0.

Properties of Integer Atoms:

  • The values given are within the range of 0x0001 to 0xBFFF.
  • There are no reference count or storage limitations associated with them.

The Atom Table has the following structure:

0: kd> dt _RTL_ATOM_TABLE
   +0x000 Signature        : Uint4B
   +0x004 ReferenceCount   : Int4B
   +0x008 PushLock         : _EX_PUSH_LOCK
   +0x010 ExHandleTable    : Ptr64 _HANDLE_TABLE
   +0x018 Flags            : Uint4B
   +0x01c NumberOfBuckets  : Uint4B
   +0x020 Buckets          : [1] Ptr64 _RTL_ATOM_TABLE_ENTRY

Each entry within the atom table is then represented with the following structure:

   +0x000 HashLink         : Ptr64 _RTL_ATOM_TABLE_ENTRY
   +0x008 HandleIndex      : Uint2B
   +0x00a Atom             : Uint2B
   +0x010 Reference        : _RTL_ATOM_TABLE_REFERENCE
   +0x028 NameLength       : UChar
   +0x02a Name             : [1] Wchar

You can dump a Local Atom Table with the !atom extension, and dump a Global Atom Table with the !gatom extension. Here is an example of !gatom:

6: kd> !gatom

Global atom table
c00c( 1) = Protocols (18) pinned
c031( 1) = Button (12)
c042( 1) = msctls_updown32 (30)
c00d( 1) = Topics (12) pinned
c00e( 1) = Formats (14) pinned
c024( 1) = TaskbandHWND (24)
c04b( 1) = SysIPAddress32 (28)
c023(47) = OleEndPointID (26)
c04a( 1) = RichEdit20W (22)
c02b( 1) = _IDH_ALTTAB_STICKY_PREV (46)
c032( 1) = Static (12)
c02d( 1) = _IDH_WINALTTAB_PREV (38)
c045( 1) = SysTreeView32 (26)
c018( 1) = UxSubclassInfo (28) pinned
c03c( 1) = msctls_hotkey32 (30)
c044( 1) = tooltips_class32 (32)
c046( 1) = SysMonthCal32 (26)
c047( 1) = SysDateTimePick32 (34)
c007( 1) = StdShowItem (22) pinned
c053( 1) = ClipboardDataObjectInterface (56)
c011( 1) = True (8) pinned
c03f( 1) = SysListView32 (26)
c04c( 1) = UIAE{46a56456-04b6-4a08-a2bd-9a764fc58246} (84)
c010( 1) = EditEnvItems (24) pinned
c01c( 1) = PROGMAN (14)
c02a( 1) = _IDH_ALTTAB_STICKY_NEXT (46)
c04e( 1) = MozillaPluginWindowPropertyAssociation (76)
c012( 1) = False (10) pinned
c02c( 1) = _IDH_WINALTTAB_NEXT (38)
c03e( 1) = msctls_trackbar32 (34)
c015( 1) = Close (10) pinned
c021( 4) = AllowConsentToStealFocus (48)
c038( 1) = ToolbarWindow32 (30)
c04d( 2) = MSAA_*FCFFFFFF00000000 (44)

The first column is the entry within the atom table; the number represents the unique 16-bit decimal representation of the string assigned to that atom. I believe the second column is the number of entries within that bucket and the last column is the number of references. Atom Tables are based upon the Hash Table data structure.
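
As an added example (not part of the original post), the Python below parses !gatom lines of the shape shown above, classifies each atom using the ranges listed earlier, and compares the trailing number on each line with the UTF-16 byte length of the name (Name is a Wchar array in the entry structure). The sample text is constructed from entries in the dump above, and the function and field names are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: a few lines in the shape of the !gatom dump in the post.
SAMPLE = """\
Global atom table
c00c( 1) = Protocols (18) pinned
c023(47) = OleEndPointID (26)
c021( 4) = AllowConsentToStealFocus (48)
c04d( 2) = MSAA_*FCFFFFFF00000000 (44)
"""

Entry = namedtuple("Entry", "atom kind count name trailing pinned")

# Shape: atom(count) = name (trailing) [pinned]. Field names are this example's own.
LINE_RE = re.compile(
    r"\b(?P<atom>[0-9a-fA-F]{4})\(\s*(?P<count>\d+)\)\s*=\s*(?P<name>.*?)"
    r"\s*\((?P<trailing>\d+)\)(?P<pinned>\s+pinned)?\s*$"
)

def atom_kind(value):
    """Classify a 16-bit atom by the ranges given in the post."""
    if 0xC000 <= value <= 0xFFFF:
        return "string"
    if 0x0001 <= value <= 0xBFFF:
        return "integer"
    return "invalid"

def parse_gatom(text):
    """Return one Entry per recognisable line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a header fused onto an entry
        if m:
            atom = int(m["atom"], 16)
            entries.append(Entry(atom, atom_kind(atom), int(m["count"]),
                                 m["name"], int(m["trailing"]), bool(m["pinned"])))
    return entries

def utf16_mismatches(entries):
    """Entries whose trailing number differs from the name's UTF-16 byte length."""
    return [e for e in entries if e.trailing != len(e.name.encode("utf-16-le"))]

if __name__ == "__main__":
    for e in sorted(parse_gatom(SAMPLE), key=lambda e: e.count, reverse=True):
        print(f"{e.atom:#06x} {e.kind:7} count={e.count:<3} pinned={e.pinned} {e.name}")
    print("mismatches:", utf16_mismatches(parse_gatom(SAMPLE)))
```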



About 0x14c

I'm currently a Software Developer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.