Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 12-29-2005, 15:25
mokokan
 
Posts: n/a
how do you get a list of open file handles?

I know of some programs that do this, such as SysInternals' Handle.exe or ProcessExplorer.

But I am trying to do it in my own code, and I don't know what I should be looking for.

One thing I found was to maybe use the ROT (Running Objects Table), but I don't see enough information.

Another possiblity is to get a list of handles for each process, but the closest I find is HandleCount:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemdiagnosticsprocessmemberstopic.asp
and that is just the number of handles, no way to access the Handles themselves and find what process has them open.

I would like to look at the process handle table directly, but apparently you have to inject a device driver to do this, which is more complicated than I'd like it to be.

It would be a big help if someone could help me with disassembling this:
http://www.sysinternals.com/Utilities/Handle.html

or this:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/oh-o.asp

So I could have some idea of what they are doing, namely what system calls they're making. But I have never done any disassembly before and I am confused about how to handle this.
Reply With Quote
  #2  
Old 12-31-2005, 18:10
JuneMouse
 
Posts: n/a
well i read some thing about some one asking the same question some where
it was also describing the difference between ms oh.exe and sysinternals handle

i think one is usermode completely and other uses r0 procedures aka uses a driver
though i cannot find that article now ( i think you have to browse throug holy_fathers forum i think thats where i read about it but i am not sure )

but you can use the undocumented NtQuerySystemInformation() with info class 16
here is a code that was posted on osronline by Prasad Dabak long time back
that you can try out i dont have link i only have this code and referance
but google should fetch you the original thread

Code:
Hello,

Use NtQuerySystemInformation with information class
16. It returns list of handles for all the processes
in the system. The data is returned in the following
structure format.

typedef struct HandleInfo{
        ULONG Pid;
        USHORT  ObjectType;
        USHORT  HandleValue;
        PVOID ObjectPointer;
        ULONG AccessMask;
} HANDLEINFO, *PHANDLEINFO;

typedef struct SystemHandleInfo {
        ULONG nHandleEntries;
        HANDLEINFO HandleInfo[1];
} SYSTEMHANDLEINFO, *PSYSTEMHANDLEINFO;

Example code..

char Buffer[100000];

void HandleInformation()
{
        PSYSTEMHANDLEINFO pSystemHandleInfo;
        NTSTATUS rc;
        ULONG i;

        memset(Buffer, 0, sizeof(Buffer));

        rc=NtQuerySystemInformation(16,
                                                        Buffer,
                                                        sizeof(Buffer),
                                                        NULL);

        if (rc!=STATUS_SUCCESS) {
                printf("NtQuerySystemInformation failed,  rc=%x\n",
rc);
                return;
        }

        pSystemHandleInfo=(PSYSTEMHANDLEINFO)Buffer;

        printf("Number of Handle Entries = %x\n",
pSystemHandleInfo->nHandleEntries);

        printf("Pid       ObjType   ObjHnd    ObjPtr   
AccessMask\n");

        for (i=0; inHandleEntries; i++) {
                printf("%-8x  %-8x  %-8x  %-8x  %-8x\n",
pSystemHandleInfo->HandleInfo[i].Pid,
                                                                
pSystemHandleInfo->HandleInfo[i].ObjectType,
                                                                
pSystemHandleInfo->HandleInfo[i].HandleValue,
                                                        
pSystemHandleInfo->HandleInfo[i].ObjectPointer,
                                                                
pSystemHandleInfo->HandleInfo[i].AccessMask);
        }

        printf("\n\n");
}

authour Prasad Dabak (an answer in osronline regarding file handle enumeration)
Reply With Quote
  #3  
Old 01-03-2006, 16:22
L. Spiro
 
Posts: n/a
Memory Hacking Software comes with a FileWatcher DLL plug-in that monitors all file activity in the target process.
The plug-in itself comes inside the regular download of Memory Hacking Software.
The source for the plug-in is also on the site, which means you can modify it to do anything else you need it to do.

Instructions on how to use the DLL are included in the package.

Load the target process in debug mode to make sure you catch ALL file activity, from the very start of the application¡¯s life.

Again, the source is there to be extended into whatever you need it to do.
Have fun¡­

h??p://www.memoryhacking.com


L. Spiro
Reply With Quote
  #4  
Old 01-04-2006, 02:56
SecondAnt
 
Posts: n/a
for Windows 95/98 sample:

Code:
// OpenFiles.cpp (Windows 95/98 Only!)
//
// This example will show you how you can retrieve the information
// about what files are currently open on your Windows 95/98 system.
// The information includes the path, the way the file has been opened
// and the access and share modes.
//
// (c)1999 Ashot Oganesyan K, SmartLine, Inc
// mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com




#include <windows.h>
#include <stdio.h>


typedef struct _DIOC_REGISTERS { 
    DWORD reg_EBX;
    DWORD reg_EDX;
    DWORD reg_ECX;
    DWORD reg_EAX;
    DWORD reg_EDI;
    DWORD reg_ESI;
    DWORD reg_Flags;
} DIOC_REGISTERS, *PDIOC_REGISTERS;


#if !defined VWIN32_DIOC_DOS_IOCTL
#define VWIN32_DIOC_DOS_IOCTL          0x0001
#endif

// Intel x86 processor status flags
#define CARRY_FLAG                     0x0001

// Access modes 
#define OPEN_ACCESS_READONLY           0x0000
#define OPEN_ACCESS_WRITEONLY          0x0001
#define OPEN_ACCESS_READWRITE          0x0002
#define OPEN_ACCESS_RO_NOMODLASTACCESS 0x0004
// Share modes 
#define OPEN_SHARE_COMPATIBLE          0x0000
#define OPEN_SHARE_DENYREADWRITE       0x0010
#define OPEN_SHARE_DENYWRITE           0x0020
#define OPEN_SHARE_DENYREAD            0x0030
#define OPEN_SHARE_DENYNONE            0x0040
// Open flags 
#define OPEN_FLAGS_NOINHERIT           0x0080
#define OPEN_FLAGS_NO_BUFFERING        0x0100
#define OPEN_FLAGS_NO_COMPRESS         0x0200
#define OPEN_FLAGS_ALIAS_HINT          0x0400
#define OPEN_FLAGS_NOCRITERR           0x2000
#define OPEN_FLAGS_COMMIT              0x4000
// File types
#define FILENORMAL                     0x0000
#define MEMORYMAPPED                   0x0001
#define DLLOREXECUTABLE                0x0002
#define SWAPFILE                       0x0004

// Opens a handle to VWIN32 that can be used to issue low-level commands
HANDLE WINAPI OpenVWin32 (void);
// Closes the handle opened by OpenVWin32
BOOL WINAPI CloseVWin32 (HANDLE hVWin32);


void main(void)
{
	HANDLE hVWin32 = OpenVWin32();
	if (hVWin32 == INVALID_HANDLE_VALUE)
		return;

	DWORD Dev = GetLogicalDrives();
	
	DIOC_REGISTERS	regs;
	int i;
	char buf[MAX_PATH];
	BOOL fResult;
	DWORD cb;

	for (register int k=0; k<26; ++k)
	{
		if (Dev & 0x01)
		{
			i=0;
			while (TRUE)
			{
				ZeroMemory(&regs,sizeof(regs));
				regs.reg_EBX = k+1;        // Drive ID (0-Default drive,A-1,B-2,C-3,...)
				regs.reg_EDX = (DWORD)buf; // File name
				regs.reg_ECX = 0x486D;     // Enumerate Open Files
				regs.reg_EAX = 0x440D;     // IOCTL for block devices
				regs.reg_EDI = 0x0000;     // 0-enum all,1-unmovable files only
				regs.reg_ESI = i++;        // Zero-based file ID

				fResult = DeviceIoControl (hVWin32, VWIN32_DIOC_DOS_IOCTL,
									  &regs, sizeof(regs), &regs, sizeof(regs),
									  &cb, 0);

				if (!fResult || regs.reg_Flags & CARRY_FLAG)
					break;

				printf("%s\t",buf);

				switch(LOWORD(regs.reg_ECX))
				{
				case FILENORMAL:
					printf("Normal\t");
					break;
				case MEMORYMAPPED:
					printf("Memory Mapped\t");
					break;
				case DLLOREXECUTABLE:
					printf("DLL or Executable\t");
					break;
				case SWAPFILE:
					printf("Swap File\t");
					break;
				default:
					printf("Unknown\t");
					break;
				}

				if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_RO_NOMODLASTACCESS)
					printf("NOMODALASTACCESS\t");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_READWRITE)
					printf("READWRITE\t");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_WRITEONLY)
					printf("WRITEONLY\t");
				else
					printf("READONLY\t");


				if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYNONE)
					printf("DENYNONE\t");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYWRITE)
					printf("DENYWRITE\t");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYREAD)
					printf("DENYREAD\t");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYREADWRITE)
					printf("DENYREADWRITE\t");
				else
					printf("COMPATIBLE\t");


				if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_COMMIT)
					printf("COMMIT\n");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NOCRITERR)
					printf("NOCRITERR\n");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_ALIAS_HINT)
					printf("ALIASHINT\n");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NO_COMPRESS)
					printf("NOCOMPRESS\n");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NO_BUFFERING)
					printf("NOBUFFER\n");
				else
				if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NOINHERIT)
					printf("NOINHERIT\n");
				else
					printf("\n");
			}
		}

		Dev = Dev >> 1;
	}

	CloseVWin32(hVWin32);
}



HANDLE WINAPI OpenVWin32 (void)
{ 
   return CreateFile (TEXT("\\\\.\\vwin32"), 0, 0, NULL, 0,
                      FILE_FLAG_DELETE_ON_CLOSE, NULL);
}

BOOL WINAPI CloseVWin32 (HANDLE hVWin32)
{ 
   return CloseHandle (hVWin32);
} [QUOTE]
Reply With Quote
  #5  
Old 01-05-2006, 01:55
adaptor adaptor is offline
Friend
 
Join Date: Jan 2006
Posts: 27
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
adaptor Reputation: 0
Îne little addition to JuneMouse's answer:
given code enumerates _all_ handles, not just open file handles.
The way to determine witch of them are _file_ handles is to check ObjectType member of HandleInfo structure. ObjectType value for file type is different for different OS'es and, so, it must be detected dynamically. It could be done, for example, by searching known file handle.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Issue with IDB file watch list crashing IDA Chuck954 General Discussion 1 01-17-2019 01:20
File: *.htz ? (how to open it) hosiminh General Discussion 2 12-21-2004 06:17
LINK : fatal error LNK1104: cannot open file 'libcid.lib' Nilrem General Discussion 6 04-04-2004 23:17


All times are GMT +8. The time now is 17:22.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )