# Everything is an Object
On *nix-type operating systems, "everything is a file": the operating system exposes a set of programming calls that treat all the various parts of the system as though they were files. Network sockets, processes and threads, and areas of live memory appear as files at relative locations in a tree structure; they can be read from and written to, and have read and write permissions applied for particular users and groups.

On Windows, everything is instead an Object. This means everything is represented in memory as an object data structure, with properties and members, and methods that collectively provide an API to that operating system component.

The **object manager** is the component of the Windows NTOSKernel (or kernel for short) that manages these objects, their memory allocation, and their lifetimes.

The kernel maintains a list of _types_ of object it supports, which can be examined with the `Get-NtType` cmdlet.

In [2]:
Get-NtType | Select -First 20

Name
----
Type
Directory
SymbolicLink
Token
Job
Process
Thread
Partition
UserApcReserve
IoCompletionReserve
ActivityReference
ProcessStateChange
ThreadStateChange
CpuPartition
PsSiloContextPaged
PsSiloContextNonPaged
DebugObject
Event
Mutant
Callback

# Object Manager Namespace
The Object Manager Namespace, or OMNS for short, is a filesystem-like structure hidden in the background of the operating system. Calling it filesystem-like is not just descriptive: it is literally made out of `Directory` type objects, and can be interacted with like a disk-backed filesystem. The directory objects contain instances of kernel objects as they exist in memory, which can be interacted with like files in the directory.

The `NtObjectManager` module contains a PSDrive provider, so we can use PowerShell to traverse the OMNS like any other drive.

In [18]:
Get-ChildItem NtObject:\ | Sort Name

Name
----
ArcName
BaseNamedObjects
BindFltPort
Callback
CLDMSGPORT
clfs
Container_Microsoft.WidgetsPlatformRuntime_1.6.1.0_x64__8wekyb3d8bbwe-S-1-5-21-2776884319-30901428…
Container_Microsoft.YourPhone_1.24121.85.0_x64__8wekyb3d8bbwe-S-1-5-21-2776884319-3090142823-33783…
Container_MicrosoftWindows.Client.WebExperience_524.34401.20.0_x64__cw5n

In [24]:
Get-ChildItem NtObject:\Dfs | Select -Property *

PSPath               : NtObjectManager\NtObjectManager::nt:\Dfs
PSParentPath         : NtObjectManager\NtObjectManager::nt:
PSChildName          : Dfs
PSDrive              : NtObject
PSProvider           : NtObjectManager\NtObjectManager
PSIsContainer        : False
Name                 : Dfs
TypeName             : SymbolicLink
IsDirectory          : False
IsDevice             : False
IsSymbolicLink       : True
RelativePath         : Dfs
SecurityDescriptor   : O:BAG:SYD:(A;;CCRC;;;WD)(A;;CCSDRCWDWO;;;SY)(A;;CCSDRCWDWO;;;BA)(A;;CCRC;;;RC)
SymbolicLinkTarget   : \Device\DfsClient
MaximumGrantedAccess : Query, ReadControl
DeviceType           : UNKNOWN
Characteristics      : None


In [26]:
Get-Item NtObject:\Device\DfsClient | Select -Property *

PSPath               : NtObjectManager\NtObjectManager::nt:\Device\DfsClient
PSParentPath         : NtObjectManager\NtObjectManager::nt:\Device
PSChildName          : DfsClient
PSDrive              : NtObject
PSProvider           : NtObjectManager\NtObjectManager
PSIsContainer        : False
Name                 : DfsClient
TypeName             : Device
IsDirectory          : False
IsDevice             : True
IsSymbolicLink       : False
RelativePath         : Device\DfsClient
SecurityDescriptor   : O:BAG:SYD:(A;;FA;;;S-1-5-80-719998295-2833700043-1566817583-4093942769-1414026312)(A;;FA;;;SY)(A;;FA;;;BA)(A;;FX;;;WD)
SymbolicLinkTarget   : 
MaximumGrantedAccess : Execute, ReadAttributes, ReadControl, Synchronize
DeviceType           : DISK_FILE_SYSTEM
Characteristics      : Remo
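The cells above walk one link by hand; the following script, an added example that is not part of the original notebook, does the same over a whole OMNS directory through the `NtObject:` drive, resolving `SymbolicLink` objects via `SymbolicLinkTarget` and parsing each object's `SecurityDescriptor` SDDL to flag allow ACEs that grant write-class rights to Everyone (WD), Authenticated Users (AU) or Users (BU). It assumes the `NtObjectManager` module is installed and uses only the item properties shown in the output above; the function names, the default start directory and the trustee list are choices made for this example.

```powershell
Import-Module NtObjectManager

# SDDL right tokens that are type-independent and let a trustee alter or delete
# an object: generic all/write, file all, WRITE_DAC, WRITE_OWNER, DELETE.
$WriteRights = @('GA', 'GW', 'FA', 'WD', 'WO', 'SD')
# For Directory objects the type-specific bits LC (0x4) and SW (0x8) are
# DIRECTORY_CREATE_OBJECT and DIRECTORY_CREATE_SUBDIRECTORY.
$DirCreateRights = @('LC', 'SW')

function Get-BroadWriteAce {
    param([string]$Sddl, [string]$TypeName, [string[]]$Trustees = @('WD', 'AU', 'BU'))
    $wanted = if ($TypeName -eq 'Directory') { $WriteRights + $DirCreateRights } else { $WriteRights }
    # Each ACE has the shape (type;flags;rights;object_guid;inherit_guid;sid).
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $parts = $m.Groups[1].Value -split ';'
        if ($parts.Count -lt 6 -or $parts[0] -ne 'A') { continue }   # access-allowed ACEs only
        $rights, $sid = $parts[2], $parts[5]
        if ($Trustees -notcontains $sid) { continue }
        # Rights are either a raw hex mask or a run of two-letter tokens.
        if ($rights -like '0x*') { $granted = @($rights) }
        else { $granted = [regex]::Matches($rights, '..') | ForEach-Object Value }
        $hit = @($granted | Where-Object { $wanted -contains $_ -or $_ -like '0x*' })
        if ($hit.Count -gt 0) { [pscustomobject]@{ Trustee = $sid; Rights = ($hit -join ',') } }
    }
}

function Invoke-OmnsAudit {
    param([string]$Path = 'NtObject:\BaseNamedObjects', [int]$Depth = 1)
    foreach ($item in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $target = if ($item.TypeName -eq 'SymbolicLink') { $item.SymbolicLinkTarget } else { $null }
        foreach ($ace in Get-BroadWriteAce $item.SecurityDescriptor $item.TypeName) {
            [pscustomobject]@{
                Path    = "$Path\$($item.Name)"
                Type    = $item.TypeName
                Target  = $target
                Trustee = $ace.Trustee
                Rights  = $ace.Rights
            }
        }
        if ($item.TypeName -eq 'Directory' -and $Depth -gt 0) {
            Invoke-OmnsAudit -Path "$Path\$($item.Name)" -Depth ($Depth - 1)
        }
    }
}

Invoke-OmnsAudit | Format-Table -AutoSize
```

Hex masks are reported verbatim rather than decoded, so any `0x...` entry in the Rights column needs a manual look; directories the caller cannot list are skipped silently.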