#1
|
|||
|
|||
how do you get a list of open file handles?
I know of some programs that do this, such as SysInternals' Handle.exe or ProcessExplorer.
But I am trying to do it in my own code, and I don't know what I should be looking for. One thing I found was to maybe use the ROT (Running Objects Table), but I don't see enough information. Another possiblity is to get a list of handles for each process, but the closest I find is HandleCount: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemdiagnosticsprocessmemberstopic.asp and that is just the number of handles, no way to access the Handles themselves and find what process has them open. I would like to look at the process handle table directly, but apparently you have to inject a device driver to do this, which is more complicated than I'd like it to be. It would be a big help if someone could help me with disassembling this: http://www.sysinternals.com/Utilities/Handle.html or this: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/oh-o.asp So I could have some idea of what they are doing, namely what system calls they're making. But I have never done any disassembly before and I am confused about how to handle this. |
#2
|
|||
|
|||
well i read some thing about some one asking the same question some where
it was also describing the difference between ms oh.exe and sysinternals handle i think one is usermode completely and other uses r0 procedures aka uses a driver though i cannot find that article now ( i think you have to browse throug holy_fathers forum i think thats where i read about it but i am not sure ) but you can use the undocumented NtQuerySystemInformation() with info class 16 here is a code that was posted on osronline by Prasad Dabak long time back that you can try out i dont have link i only have this code and referance but google should fetch you the original thread Code:
Hello, Use NtQuerySystemInformation with information class 16. It returns list of handles for all the processes in the system. The data is returned in the following structure format. typedef struct HandleInfo{ ULONG Pid; USHORT ObjectType; USHORT HandleValue; PVOID ObjectPointer; ULONG AccessMask; } HANDLEINFO, *PHANDLEINFO; typedef struct SystemHandleInfo { ULONG nHandleEntries; HANDLEINFO HandleInfo[1]; } SYSTEMHANDLEINFO, *PSYSTEMHANDLEINFO; Example code.. char Buffer[100000]; void HandleInformation() { PSYSTEMHANDLEINFO pSystemHandleInfo; NTSTATUS rc; ULONG i; memset(Buffer, 0, sizeof(Buffer)); rc=NtQuerySystemInformation(16, Buffer, sizeof(Buffer), NULL); if (rc!=STATUS_SUCCESS) { printf("NtQuerySystemInformation failed, rc=%x\n", rc); return; } pSystemHandleInfo=(PSYSTEMHANDLEINFO)Buffer; printf("Number of Handle Entries = %x\n", pSystemHandleInfo->nHandleEntries); printf("Pid ObjType ObjHnd ObjPtr AccessMask\n"); for (i=0; inHandleEntries; i++) { printf("%-8x %-8x %-8x %-8x %-8x\n", pSystemHandleInfo->HandleInfo[i].Pid, pSystemHandleInfo->HandleInfo[i].ObjectType, pSystemHandleInfo->HandleInfo[i].HandleValue, pSystemHandleInfo->HandleInfo[i].ObjectPointer, pSystemHandleInfo->HandleInfo[i].AccessMask); } printf("\n\n"); } authour Prasad Dabak (an answer in osronline regarding file handle enumeration) |
#3
|
|||
|
|||
Memory Hacking Software comes with a FileWatcher DLL plug-in that monitors all file activity in the target process.
The plug-in itself comes inside the regular download of Memory Hacking Software. The source for the plug-in is also on the site, which means you can modify it to do anything else you need it to do. Instructions on how to use the DLL are included in the package. Load the target process in debug mode to make sure you catch ALL file activity, from the very start of the application¡¯s life. Again, the source is there to be extended into whatever you need it to do. Have fun¡ h??p://www.memoryhacking.com L. Spiro |
#4
|
|||
|
|||
for Windows 95/98 sample:
Code:
// OpenFiles.cpp (Windows 95/98 Only!) // // This example will show you how you can retrieve the information // about what files are currently open on your Windows 95/98 system. // The information includes the path, the way the file has been opened // and the access and share modes. // // (c)1999 Ashot Oganesyan K, SmartLine, Inc // mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com #include <windows.h> #include <stdio.h> typedef struct _DIOC_REGISTERS { DWORD reg_EBX; DWORD reg_EDX; DWORD reg_ECX; DWORD reg_EAX; DWORD reg_EDI; DWORD reg_ESI; DWORD reg_Flags; } DIOC_REGISTERS, *PDIOC_REGISTERS; #if !defined VWIN32_DIOC_DOS_IOCTL #define VWIN32_DIOC_DOS_IOCTL 0x0001 #endif // Intel x86 processor status flags #define CARRY_FLAG 0x0001 // Access modes #define OPEN_ACCESS_READONLY 0x0000 #define OPEN_ACCESS_WRITEONLY 0x0001 #define OPEN_ACCESS_READWRITE 0x0002 #define OPEN_ACCESS_RO_NOMODLASTACCESS 0x0004 // Share modes #define OPEN_SHARE_COMPATIBLE 0x0000 #define OPEN_SHARE_DENYREADWRITE 0x0010 #define OPEN_SHARE_DENYWRITE 0x0020 #define OPEN_SHARE_DENYREAD 0x0030 #define OPEN_SHARE_DENYNONE 0x0040 // Open flags #define OPEN_FLAGS_NOINHERIT 0x0080 #define OPEN_FLAGS_NO_BUFFERING 0x0100 #define OPEN_FLAGS_NO_COMPRESS 0x0200 #define OPEN_FLAGS_ALIAS_HINT 0x0400 #define OPEN_FLAGS_NOCRITERR 0x2000 #define OPEN_FLAGS_COMMIT 0x4000 // File types #define FILENORMAL 0x0000 #define MEMORYMAPPED 0x0001 #define DLLOREXECUTABLE 0x0002 #define SWAPFILE 0x0004 // Opens a handle to VWIN32 that can be used to issue low-level commands HANDLE WINAPI OpenVWin32 (void); // Closes the handle opened by OpenVWin32 BOOL WINAPI CloseVWin32 (HANDLE hVWin32); void main(void) { HANDLE hVWin32 = OpenVWin32(); if (hVWin32 == INVALID_HANDLE_VALUE) return; DWORD Dev = GetLogicalDrives(); DIOC_REGISTERS regs; int i; char buf[MAX_PATH]; BOOL fResult; DWORD cb; for (register int k=0; k<26; ++k) { if (Dev & 0x01) { i=0; while (TRUE) { ZeroMemory(®s,sizeof(regs)); regs.reg_EBX = k+1; // Drive ID (0-Default drive,A-1,B-2,C-3,...) regs.reg_EDX = (DWORD)buf; // File name regs.reg_ECX = 0x486D; // Enumerate Open Files regs.reg_EAX = 0x440D; // IOCTL for block devices regs.reg_EDI = 0x0000; // 0-enum all,1-unmovable files only regs.reg_ESI = i++; // Zero-based file ID fResult = DeviceIoControl (hVWin32, VWIN32_DIOC_DOS_IOCTL, ®s, sizeof(regs), ®s, sizeof(regs), &cb, 0); if (!fResult || regs.reg_Flags & CARRY_FLAG) break; printf("%s\t",buf); switch(LOWORD(regs.reg_ECX)) { case FILENORMAL: printf("Normal\t"); break; case MEMORYMAPPED: printf("Memory Mapped\t"); break; case DLLOREXECUTABLE: printf("DLL or Executable\t"); break; case SWAPFILE: printf("Swap File\t"); break; default: printf("Unknown\t"); break; } if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_RO_NOMODLASTACCESS) printf("NOMODALASTACCESS\t"); else if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_READWRITE) printf("READWRITE\t"); else if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_WRITEONLY) printf("WRITEONLY\t"); else printf("READONLY\t"); if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYNONE) printf("DENYNONE\t"); else if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYWRITE) printf("DENYWRITE\t"); else if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYREAD) printf("DENYREAD\t"); else if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYREADWRITE) printf("DENYREADWRITE\t"); else printf("COMPATIBLE\t"); if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_COMMIT) printf("COMMIT\n"); else if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NOCRITERR) printf("NOCRITERR\n"); else if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_ALIAS_HINT) printf("ALIASHINT\n"); else if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NO_COMPRESS) printf("NOCOMPRESS\n"); else if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NO_BUFFERING) printf("NOBUFFER\n"); else if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NOINHERIT) printf("NOINHERIT\n"); else printf("\n"); } } Dev = Dev >> 1; } CloseVWin32(hVWin32); } HANDLE WINAPI OpenVWin32 (void) { return CreateFile (TEXT("\\\\.\\vwin32"), 0, 0, NULL, 0, FILE_FLAG_DELETE_ON_CLOSE, NULL); } BOOL WINAPI CloseVWin32 (HANDLE hVWin32) { return CloseHandle (hVWin32); } [QUOTE] |
#5
|
|||
|
|||
Îne little addition to JuneMouse's answer:
given code enumerates _all_ handles, not just open file handles. The way to determine witch of them are _file_ handles is to check ObjectType member of HandleInfo structure. ObjectType value for file type is different for different OS'es and, so, it must be detected dynamically. It could be done, for example, by searching known file handle. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Issue with IDB file watch list crashing IDA | Chuck954 | General Discussion | 1 | 01-17-2019 01:20 |
File: *.htz ? (how to open it) | hosiminh | General Discussion | 2 | 12-21-2004 06:17 |
LINK : fatal error LNK1104: cannot open file 'libcid.lib' | Nilrem | General Discussion | 6 | 04-04-2004 23:17 |