Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   how do you get a list of open file handles? (https://forum.exetools.com/showthread.php?t=8711)

mokokan 12-29-2005 15:25
how do you get a list of open file handles?
 
I know of some programs that do this, such as SysInternals' Handle.exe or ProcessExplorer.

But I am trying to do it in my own code, and I don't know what I should be looking for.

One thing I found was to maybe use the ROT (Running Objects Table), but I don't see enough information.

Another possiblity is to get a list of handles for each process, but the closest I find is HandleCount:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemdiagnosticsprocessmemberstopic.asp
and that is just the number of handles, no way to access the Handles themselves and find what process has them open.

I would like to look at the process handle table directly, but apparently you have to inject a device driver to do this, which is more complicated than I'd like it to be.

It would be a big help if someone could help me with disassembling this:
http://www.sysinternals.com/Utilities/Handle.html

or this:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/oh-o.asp

So I could have some idea of what they are doing, namely what system calls they're making. But I have never done any disassembly before and I am confused about how to handle this.

JuneMouse 12-31-2005 18:10
well i read some thing about some one asking the same question some where :)
it was also describing the difference between ms oh.exe and sysinternals handle

i think one is usermode completely and other uses r0 procedures aka uses a driver
though i cannot find that article now ( i think you have to browse throug holy_fathers forum i think thats where i read about it but i am not sure )

but you can use the undocumented NtQuerySystemInformation() with info class 16
here is a code that was posted on osronline by Prasad Dabak long time back
that you can try out i dont have link i only have this code and referance
but google should fetch you the original thread

Code:
Hello,

Use NtQuerySystemInformation with information class
16. It returns list of handles for all the processes
in the system. The data is returned in the following
structure format.

typedef struct HandleInfo{
        ULONG Pid;
        USHORT  ObjectType;
        USHORT  HandleValue;
        PVOID ObjectPointer;
        ULONG AccessMask;
} HANDLEINFO, *PHANDLEINFO;

typedef struct SystemHandleInfo {
        ULONG nHandleEntries;
        HANDLEINFO HandleInfo[1];
} SYSTEMHANDLEINFO, *PSYSTEMHANDLEINFO;

Example code..

char Buffer[100000];

void HandleInformation()
{
        PSYSTEMHANDLEINFO pSystemHandleInfo;
        NTSTATUS rc;
        ULONG i;

        memset(Buffer, 0, sizeof(Buffer));

        rc=NtQuerySystemInformation(16,
                                                        Buffer,
                                                        sizeof(Buffer),
                                                        NULL);

        if (rc!=STATUS_SUCCESS) {
                printf("NtQuerySystemInformation failed,  rc=%x\n",
rc);
                return;
        }

        pSystemHandleInfo=(PSYSTEMHANDLEINFO)Buffer;

        printf("Number of Handle Entries = %x\n",
pSystemHandleInfo->nHandleEntries);

        printf("Pid      ObjType  ObjHnd    ObjPtr 
AccessMask\n");

        for (i=0; inHandleEntries; i++) {
                printf("%-8x  %-8x  %-8x  %-8x  %-8x\n",
pSystemHandleInfo->HandleInfo[i].Pid,
                                                               
pSystemHandleInfo->HandleInfo[i].ObjectType,
                                                               
pSystemHandleInfo->HandleInfo[i].HandleValue,
                                                       
pSystemHandleInfo->HandleInfo[i].ObjectPointer,
                                                               
pSystemHandleInfo->HandleInfo[i].AccessMask);
        }

        printf("\n\n");
}

authour Prasad Dabak (an answer in osronline regarding file handle enumeration)

L. Spiro 01-03-2006 16:22
Memory Hacking Software comes with a FileWatcher DLL plug-in that monitors all file activity in the target process.
The plug-in itself comes inside the regular download of Memory Hacking Software.
The source for the plug-in is also on the site, which means you can modify it to do anything else you need it to do.

Instructions on how to use the DLL are included in the package.

Load the target process in debug mode to make sure you catch ALL file activity, from the very start of the application��s life.

Again, the source is there to be extended into whatever you need it to do.
Have fun��

h??p://www.memoryhacking.com


L. Spiro

SecondAnt 01-04-2006 02:56
for Windows 95/98 sample:

Code:
// OpenFiles.cpp (Windows 95/98 Only!)
//
// This example will show you how you can retrieve the information
// about what files are currently open on your Windows 95/98 system.
// The information includes the path, the way the file has been opened
// and the access and share modes.
//
// (c)1999 Ashot Oganesyan K, SmartLine, Inc
// mailto:[email protected], http://www.protect-me.com, http://www.codepile.com




#include <windows.h>
#include <stdio.h>


typedef struct _DIOC_REGISTERS {
    DWORD reg_EBX;
    DWORD reg_EDX;
    DWORD reg_ECX;
    DWORD reg_EAX;
    DWORD reg_EDI;
    DWORD reg_ESI;
    DWORD reg_Flags;
} DIOC_REGISTERS, *PDIOC_REGISTERS;


#if !defined VWIN32_DIOC_DOS_IOCTL
#define VWIN32_DIOC_DOS_IOCTL          0x0001
#endif

// Intel x86 processor status flags
#define CARRY_FLAG                    0x0001

// Access modes
#define OPEN_ACCESS_READONLY          0x0000
#define OPEN_ACCESS_WRITEONLY          0x0001
#define OPEN_ACCESS_READWRITE          0x0002
#define OPEN_ACCESS_RO_NOMODLASTACCESS 0x0004
// Share modes
#define OPEN_SHARE_COMPATIBLE          0x0000
#define OPEN_SHARE_DENYREADWRITE      0x0010
#define OPEN_SHARE_DENYWRITE          0x0020
#define OPEN_SHARE_DENYREAD            0x0030
#define OPEN_SHARE_DENYNONE            0x0040
// Open flags
#define OPEN_FLAGS_NOINHERIT          0x0080
#define OPEN_FLAGS_NO_BUFFERING        0x0100
#define OPEN_FLAGS_NO_COMPRESS        0x0200
#define OPEN_FLAGS_ALIAS_HINT          0x0400
#define OPEN_FLAGS_NOCRITERR          0x2000
#define OPEN_FLAGS_COMMIT              0x4000
// File types
#define FILENORMAL                    0x0000
#define MEMORYMAPPED                  0x0001
#define DLLOREXECUTABLE                0x0002
#define SWAPFILE                      0x0004

// Opens a handle to VWIN32 that can be used to issue low-level commands
HANDLE WINAPI OpenVWin32 (void);
// Closes the handle opened by OpenVWin32
BOOL WINAPI CloseVWin32 (HANDLE hVWin32);


void main(void)
{
        HANDLE hVWin32 = OpenVWin32();
        if (hVWin32 == INVALID_HANDLE_VALUE)
                return;

        DWORD Dev = GetLogicalDrives();
       
        DIOC_REGISTERS        regs;
        int i;
        char buf[MAX_PATH];
        BOOL fResult;
        DWORD cb;

        for (register int k=0; k<26; ++k)
        {
                if (Dev & 0x01)
                {
                        i=0;
                        while (TRUE)
                        {
                                ZeroMemory(&regs,sizeof(regs));
                                regs.reg_EBX = k+1;        // Drive ID (0-Default drive,A-1,B-2,C-3,...)
                                regs.reg_EDX = (DWORD)buf; // File name
                                regs.reg_ECX = 0x486D;    // Enumerate Open Files
                                regs.reg_EAX = 0x440D;    // IOCTL for block devices
                                regs.reg_EDI = 0x0000;    // 0-enum all,1-unmovable files only
                                regs.reg_ESI = i++;        // Zero-based file ID

                                fResult = DeviceIoControl (hVWin32, VWIN32_DIOC_DOS_IOCTL,
                                                                          &regs, sizeof(regs), &regs, sizeof(regs),
                                                                          &cb, 0);

                                if (!fResult || regs.reg_Flags & CARRY_FLAG)
                                        break;

                                printf("%s\t",buf);

                                switch(LOWORD(regs.reg_ECX))
                                {
                                case FILENORMAL:
                                        printf("Normal\t");
                                        break;
                                case MEMORYMAPPED:
                                        printf("Memory Mapped\t");
                                        break;
                                case DLLOREXECUTABLE:
                                        printf("DLL or Executable\t");
                                        break;
                                case SWAPFILE:
                                        printf("Swap File\t");
                                        break;
                                default:
                                        printf("Unknown\t");
                                        break;
                                }

                                if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_RO_NOMODLASTACCESS)
                                        printf("NOMODALASTACCESS\t");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_READWRITE)
                                        printf("READWRITE\t");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_ACCESS_WRITEONLY)
                                        printf("WRITEONLY\t");
                                else
                                        printf("READONLY\t");


                                if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYNONE)
                                        printf("DENYNONE\t");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYWRITE)
                                        printf("DENYWRITE\t");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYREAD)
                                        printf("DENYREAD\t");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_SHARE_DENYREADWRITE)
                                        printf("DENYREADWRITE\t");
                                else
                                        printf("COMPATIBLE\t");


                                if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_COMMIT)
                                        printf("COMMIT\n");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NOCRITERR)
                                        printf("NOCRITERR\n");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_ALIAS_HINT)
                                        printf("ALIASHINT\n");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NO_COMPRESS)
                                        printf("NOCOMPRESS\n");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NO_BUFFERING)
                                        printf("NOBUFFER\n");
                                else
                                if (LOWORD(regs.reg_EAX) & OPEN_FLAGS_NOINHERIT)
                                        printf("NOINHERIT\n");
                                else
                                        printf("\n");
                        }
                }

                Dev = Dev >> 1;
        }

        CloseVWin32(hVWin32);
}



HANDLE WINAPI OpenVWin32 (void)
{
  return CreateFile (TEXT("\\\\.\\vwin32"), 0, 0, NULL, 0,
                      FILE_FLAG_DELETE_ON_CLOSE, NULL);
}

BOOL WINAPI CloseVWin32 (HANDLE hVWin32)
{
  return CloseHandle (hVWin32);
} [QUOTE]

adaptor 01-05-2006 01:55
�ne little addition to JuneMouse's answer:
given code enumerates _all_ handles, not just open file handles.
The way to determine witch of them are _file_ handles is to check ObjectType member of HandleInfo structure. ObjectType value for file type is different for different OS'es and, so, it must be detected dynamically. It could be done, for example, by searching known file handle.


All times are GMT +8. The time now is 16:38.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX