Old 12-31-2005, 18:10
JuneMouse
 
Posts: n/a
Well, I read something about someone asking the same question somewhere.
It was also describing the difference between MS oh.exe and Sysinternals handle.

I think one is completely usermode and the other uses r0 procedures, aka uses a driver,
though I cannot find that article now (I think you have to browse through holy_father's forum; I think that's where I read about it, but I am not sure).

But you can use the undocumented NtQuerySystemInformation() with info class 16.
Here is some code that was posted on osronline by Prasad Dabak a long time back
that you can try out. I don't have the link, I only have this code and the reference,
but Google should fetch you the original thread.

Code:
Hello,

Use NtQuerySystemInformation with information class
16. It returns list of handles for all the processes
in the system. The data is returned in the following
structure format.

#include <windows.h>
#include <winternl.h>   /* NTSTATUS and the NtQuerySystemInformation() prototype */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ntdll.lib")

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

typedef struct HandleInfo{
        ULONG Pid;
        USHORT  ObjectType;
        USHORT  HandleValue;
        PVOID ObjectPointer;
        ULONG AccessMask;
} HANDLEINFO, *PHANDLEINFO;

typedef struct SystemHandleInfo {
        ULONG nHandleEntries;
        HANDLEINFO HandleInfo[1];
} SYSTEMHANDLEINFO, *PSYSTEMHANDLEINFO;

Example code..

void HandleInformation()
{
        PSYSTEMHANDLEINFO pSystemHandleInfo;
        NTSTATUS rc;
        ULONG i, size = 100000, needed = 0;
        char *Buffer = NULL;

        /* A fixed 100000-byte buffer is too small for the handle table of a
           busy system; the call then fails with STATUS_INFO_LENGTH_MISMATCH,
           so grow the buffer until the whole table fits. */
        do {
                free(Buffer);
                Buffer = (char *)malloc(size);
                if (Buffer == NULL) {
                        printf("out of memory\n");
                        return;
                }
                memset(Buffer, 0, size);

                /* info class 16 = SystemHandleInformation */
                rc = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)16,
                                              Buffer, size, &needed);

                /* the table can grow between two calls, so add headroom */
                if (rc == STATUS_INFO_LENGTH_MISMATCH)
                        size = (needed > size ? needed : size) * 2;
        } while (rc == STATUS_INFO_LENGTH_MISMATCH);

        if (rc != STATUS_SUCCESS) {
                printf("NtQuerySystemInformation failed,  rc=%x\n", rc);
                free(Buffer);
                return;
        }

        pSystemHandleInfo = (PSYSTEMHANDLEINFO)Buffer;

        printf("Number of Handle Entries = %x\n",
               pSystemHandleInfo->nHandleEntries);

        printf("Pid       ObjType   ObjHnd    ObjPtr    AccessMask\n");

        for (i = 0; i < pSystemHandleInfo->nHandleEntries; i++) {
                printf("%-8x  %-8x  %-8x  %-8p  %-8x\n",
                       pSystemHandleInfo->HandleInfo[i].Pid,
                       pSystemHandleInfo->HandleInfo[i].ObjectType,
                       pSystemHandleInfo->HandleInfo[i].HandleValue,
                       pSystemHandleInfo->HandleInfo[i].ObjectPointer,
                       pSystemHandleInfo->HandleInfo[i].AccessMask);
        }

        printf("\n\n");
        free(Buffer);
}

Author: Prasad Dabak (an answer on osronline regarding file handle enumeration)
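An added example (mine, not from the post or from Prasad Dabak's code) that works on the buffer info class 16 returns, in the layout the post gives: it checks nHandleEntries against the byte count actually received before walking the table, then lists the distinct processes holding a handle to one object, which is the question tools like oh.exe and handle answer. The PIDs, handle values, object addresses and access masks are constructed sample data, and the structs are spelled with fixed-width types so the walker compiles without the Windows SDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same layout as HANDLEINFO / SYSTEMHANDLEINFO above, in fixed-width types. */
typedef struct { uint32_t Pid; uint16_t ObjectType; uint16_t HandleValue;
                 void *ObjectPointer; uint32_t AccessMask; } HANDLEINFO;
typedef struct { uint32_t nHandleEntries; HANDLEINFO HandleInfo[1]; } SYSTEMHANDLEINFO;
#define TABLE_OFF offsetof(SYSTEMHANDLEINFO, HandleInfo)

/* nHandleEntries comes from the kernel, not from us: check it against the byte
 * count actually received so a short or truncated buffer is never over-read. */
static size_t usable_entries(const void *buf, size_t len)
{
    size_t n = len < TABLE_OFF ? 0 : ((const SYSTEMHANDLEINFO *)buf)->nHandleEntries;
    return (len >= TABLE_OFF && n <= (len - TABLE_OFF) / sizeof(HANDLEINFO)) ? n : 0;
}

/* Store the distinct PIDs holding a handle to `object` in pids[]; returns the count. */
size_t owners_of_object(const void *buf, size_t len, const void *object,
                        uint32_t *pids, size_t max)
{
    const HANDLEINFO *tab = (const HANDLEINFO *)((const char *)buf + TABLE_OFF);
    size_t n = usable_entries(buf, len), i, j, found = 0;
    for (i = 0; i < n; i++) {
        if (tab[i].ObjectPointer != object) continue;
        for (j = 0; j < found && pids[j] != tab[i].Pid; j++) ;
        if (j == found && found < max) pids[found++] = tab[i].Pid;
    }
    return found;
}

/* Constructed stand-in for a class-16 result (sample data, not kernel output):
 * four handles, three of them, in two processes, on the same object. */
const void *sample_buffer(size_t *len)
{
    static const HANDLEINFO rows[4] = {
        {    4, 0x1c, 0x0004, (void *)(uintptr_t)0xA000, 0x12019f },
        { 1234, 0x1c, 0x0120, (void *)(uintptr_t)0xA000, 0x120089 },
        { 1234, 0x1c, 0x0124, (void *)(uintptr_t)0xA000, 0x120089 },
        { 5678, 0x1c, 0x0050, (void *)(uintptr_t)0xB000, 0x100001 },
    };
    static union { uint64_t align; unsigned char bytes[TABLE_OFF + sizeof rows]; } store;
    uint32_t count = 4;
    memcpy(store.bytes, &count, sizeof count);
    memcpy(store.bytes + TABLE_OFF, rows, sizeof rows);
    *len = sizeof store.bytes;
    return store.bytes;
}
```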