Object Directory

Overview

Evidence: Object Directory
Description: Collect Object Directory Information
Category: System
Platform: windows
Short Name: objdirinf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The Windows kernel maintains object directories that contain named kernel objects like devices, drivers, symbolic links, and other kernel-mode objects. These directories are organized hierarchically and can be enumerated to understand the kernel object namespace.

Common object directories include:

\Driver - Loaded driver objects
\Device - Device objects
\Global?? - Global symbolic links and DOS device names

Enumerating these directories can reveal hidden devices, suspicious drivers, and other kernel-level artifacts.

Data Collected

This collector gathers structured data about object directory.

Object Directory Data

Field	Description	Example
`Type`	Object type	Driver
`Path`	Object path	\Driver\Disk
`Target`	Target path (for symbolic links)
`Type`	Object type	Device
`Path`	Object path	\Device\HarddiskVolume3
`Target`	Target path (for symbolic links)
`Type`	Object type	SymbolicLink
`Path`	Object path	\Global??\C:
`Target`	Target path	\Device\HarddiskVolume3

Collection Method

This collector uses kernel driver IOCTL calls:

IoctlCreateObjectDirectorySnapshot to snapshot the directory
IoctlEnumObjectDirectorySnapshot to enumerate objects
Processes three directories: \Driver, \Device, \Global??
Creates separate tables for each directory

Forensic Value

Object directory enumeration helps detect kernel-level threats and hidden devices. Investigators use this data to identify hidden or suspicious drivers, detect rootkit device objects, track symbolic link manipulation, identify unusual kernel objects, verify driver object presence, and correlate with loaded driver enumeration.