#1
Well, I read something about someone asking the same question somewhere. It was also describing the difference between MS oh.exe and Sysinternals Handle; I think one is completely usermode and the other uses r0 procedures, aka uses a driver, though I cannot find that article now (I think you have to browse through holy_father's forum, I think that's where I read about it, but I am not sure). But you can use the undocumented NtQuerySystemInformation() with info class 16. Here is some code that was posted on osronline by Prasad Dabak a long time back that you can try out. I don't have the link, I only have this code and reference, but Google should fetch you the original thread.

Code:
Hello,

Use NtQuerySystemInformation with information class 16. It returns a list of handles for all the processes in the system. The data is returned in the following structure format.

```c
#include <windows.h>
#include <winternl.h>   /* NTSTATUS and NtQuerySystemInformation(); link with ntdll.lib */
#include <stdio.h>
#include <string.h>

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif

/* One entry per open handle, as returned by information class 16
 * (SystemHandleInformation); entry layout as posted */
typedef struct HandleInfo {
    ULONG  Pid;
    USHORT ObjectType;
    USHORT HandleValue;
    PVOID  ObjectPointer;
    ULONG  AccessMask;
} HANDLEINFO, *PHANDLEINFO;

typedef struct SystemHandleInfo {
    ULONG      nHandleEntries;
    HANDLEINFO HandleInfo[1];   /* nHandleEntries entries follow in the buffer */
} SYSTEMHANDLEINFO, *PSYSTEMHANDLEINFO;
```

Example code..

```c
char Buffer[100000];

void HandleInformation(void)
{
    PSYSTEMHANDLEINFO pSystemHandleInfo;
    NTSTATUS rc;
    ULONG i;

    memset(Buffer, 0, sizeof(Buffer));
    rc = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)16,
                                  Buffer,
                                  sizeof(Buffer),
                                  NULL);
    if (rc != STATUS_SUCCESS) {
        /* STATUS_INFO_LENGTH_MISMATCH (0xC0000004) means Buffer is too small for the whole table */
        printf("NtQuerySystemInformation failed, rc=%x\n", rc);
        return;
    }
    pSystemHandleInfo = (PSYSTEMHANDLEINFO)Buffer;
    printf("Number of Handle Entries = %x\n",
           pSystemHandleInfo->nHandleEntries);
    printf("Pid      ObjType  ObjHnd   ObjPtr   AccessMask\n");
    for (i = 0; i < pSystemHandleInfo->nHandleEntries; i++) {
        printf("%-8x %-8x %-8x %-8p %-8x\n",
               pSystemHandleInfo->HandleInfo[i].Pid,
               pSystemHandleInfo->HandleInfo[i].ObjectType,
               pSystemHandleInfo->HandleInfo[i].HandleValue,
               pSystemHandleInfo->HandleInfo[i].ObjectPointer,
               pSystemHandleInfo->HandleInfo[i].AccessMask);
    }
    printf("\n\n");
}
```

Author: Prasad Dabak (an answer on osronline regarding file handle enumeration)
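As an added example (not the thread's own code), this walks a buffer in the entry layout the post above gives, checks the claimed nHandleEntries against the byte length actually returned before indexing into the table, and then filters the entries for one process; the C99 struct types, the constructed sample table and the function names are assumptions. It only parses the bytes, so it compiles without Windows headers.

```c
/* Added example, not code from the thread: walk a SystemHandleInformation
 * buffer in the entry layout the post gives, checking the claimed count
 * against the bytes actually returned. Layout and data are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct HandleInfo {                 /* entry layout from the post */
    uint32_t Pid; uint16_t ObjectType; uint16_t HandleValue;
    void *ObjectPointer; uint32_t AccessMask;
} HANDLEINFO;
typedef struct SystemHandleInfo {
    uint32_t nHandleEntries; HANDLEINFO HandleInfo[1];
} SYSTEMHANDLEINFO;
#define ENTRY_OFFSET offsetof(SYSTEMHANDLEINFO, HandleInfo)

/* Count entries owned by pid, copying up to max_out of them into out.
 * Returns (size_t)-1 when nHandleEntries does not fit in len, so a short or
 * corrupted buffer is never read past its end. */
size_t handles_for_pid(const unsigned char *buf, size_t len, uint32_t pid,
                       HANDLEINFO *out, size_t max_out)
{
    if (len < ENTRY_OFFSET) return (size_t)-1;
    const SYSTEMHANDLEINFO *info = (const SYSTEMHANDLEINFO *)buf;
    uint32_t n = info->nHandleEntries;
    if (n > (len - ENTRY_OFFSET) / sizeof(HANDLEINFO)) return (size_t)-1;
    const HANDLEINFO *e = (const HANDLEINFO *)(buf + ENTRY_OFFSET);
    size_t found = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (e[i].Pid != pid) continue;
        if (found < max_out) out[found] = e[i];
        found++;
    }
    return found;
}

/* Constructed sample: three handles, two of them in pid 1234. Caller frees. */
unsigned char *build_sample(size_t *len_out)
{
    const HANDLEINFO sample[3] = {
        { 1234, 0x1c, 0x04, (void *)(uintptr_t)0x8a000010, 0x00120089 },
        { 4,    0x07, 0x10, (void *)(uintptr_t)0x8a000020, 0x001f0fff },
        { 1234, 0x1c, 0x08, (void *)(uintptr_t)0x8a000030, 0x0012019f },
    };
    *len_out = ENTRY_OFFSET + sizeof sample;
    unsigned char *buf = calloc(1, *len_out);
    if (!buf) return NULL;
    ((SYSTEMHANDLEINFO *)buf)->nHandleEntries = 3;
    memcpy(buf + ENTRY_OFFSET, sample, sizeof sample);
    return buf;
}
```

The same length check belongs in front of the loop in the posted code whenever the ReturnLength argument is used instead of a fixed buffer.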
#2
Memory Hacking Software comes with a FileWatcher DLL plug-in that monitors all file activity in the target process.

The plug-in itself comes inside the regular download of Memory Hacking Software. The source for the plug-in is also on the site, which means you can modify it to do anything else you need it to do. Instructions on how to use the DLL are included in the package. Load the target process in debug mode to make sure you catch ALL file activity, from the very start of the application's life. Again, the source is there to be extended into whatever you need it to do.

Have fun.

h??p://www.memoryhacking.com

L. Spiro