|
| i am trying to revive the file handles of an open process. after
reading the lists i found that for XP the class is 28 (which i hard
coded for th time being). when i run this progeam in xp with test
processes, i get invalid file handle when i try to run a test app that
opens a file and runs in an infinite loop. i print the handle in the
test app also, and they are same in the list i get in my code also. can
some one help.
u may directly mail me at pinto.albert@gmail.com also.
#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
#include <conio.h>
#include <psapi.h>
#include <tchar.h>
#include <string.h>
#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define BUFSIZE 256
typedef enum _SYSTEM_INFORMATION_CLASS{
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
/*
*Information Class 16
*/
typedef struct _SYSTEM_HANDLE_INFORMATION{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length =
sizeof( OBJECT_ATTRIBUTES ); (p)->RootDirectory = r; (p)->Attributes =
a; (p)->ObjectName = n; (p)->SecurityDescriptor = s;
(p)->SecurityQualityOfService = NULL; }
typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status
);
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN
SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID
SystemInformation, IN ULONG SystemInformationLength, OUT PULONG
ReturnLength OPTIONAL );
/ ****************************************
********************************
* *
* Function Prototype *
* *
****************************************
********************************/
static DWORD GetEprocessFromPid ( ULONG PID );
static BOOL LocateNtdllEntry ( void );
/ ****************************************
********************************
* *
* Static Global Var *
* *
****************************************
********************************/
static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
static HMODULE hModule = NULL;
/ ****************************************
********************************/
const char * GetFileNameFromHandle(HANDLE hFile)
{
BOOL bSuccess = FALSE;
TCHAR pszFilename[MAX_PATH+1];
HANDLE hFileMap;
char *strName;
char buff[512];
// Get the file size.
DWORD dwFileSizeHi = 0;
DWORD dwFileSizeLo = GetFileSize(hFile, &dwFileSizeHi);
strName=(char *)malloc(1000);
if( dwFileSizeLo == 0 && dwFileSizeHi == 0 ){
//printf("Cannot map a file with a length of zero.\n");
//return FALSE;
strcpy(strName,"Cannot map a file with a length of zero");
return strName;
}
// Create a file mapping object.
hFileMap = CreateFileMapping(hFile,
NULL,
PAGE_READONLY,
0,
1,
NULL);
if (hFileMap){
// Create a file mapping to get the file name.
void* pMem = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 1);
if (pMem){
if (GetMappedFileName (GetCurrentProcess(),
pMem,
pszFilename,
MAX_PATH)){
// Translate path with device name to drive letters.
TCHAR szTemp[BUFSIZE];
szTemp[0] = '\0';
if (GetLogicalDriveStrings(BUFSIZE-1, szTemp)){
TCHAR szName[MAX_PATH];
TCHAR szDrive[3] = TEXT(" :");
BOOL bFound = FALSE;
TCHAR* p = szTemp;
do{
// Copy the drive letter to the template string
*szDrive = *p;
// Look up each device name
if (QueryDosDevice(szDrive, szName, BUFSIZE)){
UINT uNameLen = _tcslen(szName);
if (uNameLen < MAX_PATH){
bFound = _tcsnicmp(pszFilename, szName,
uNameLen) == 0;
if (bFound){
// Reconstruct pszFilename using szTemp
// Replace device path with DOS path
TCHAR szTempFile[MAX_PATH];
_stprintf(szTempFile,
TEXT("%s%s"),
szDrive,
pszFilename+uNameLen);
_tcsncpy(pszFilename, szTempFile, MAX_PATH);
}
}
}
// Go to the next NULL character.
while (*p++);
} while (!bFound && *p); // end of string
} //if (GetLogicalDriveStrings(BUFSIZE-1, szTemp)){
} //if (GetMappedFileName
else{ // GetMappedFileName() == 0
LPSTR lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
);
// Display the string.
MessageBox( NULL, lpMsgBuf, "GetLastError() for
GetMappedFileName()", MB_OK|MB_ICONINFORMATION );
// Free the buffer.
LocalFree( lpMsgBuf );
} //else{ // GetMappedFileName() == 0
bSuccess = TRUE;
UnmapViewOfFile(pMem);
} //if (pMem)
else{ //else...if (pMem)
LPSTR lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
);
// Display the string.
MessageBox( NULL, lpMsgBuf, "GetLastError() for
GetMappedFileName()", MB_OK|MB_ICONINFORMATION );
// Free the buffer.
LocalFree( lpMsgBuf );
}
bSuccess = TRUE;
UnmapViewOfFile(pMem);
} //if (hFileMap)
else{
LPSTR lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
);
// Display the string.
MessageBox( NULL, lpMsgBuf, "GetLastError() for
GetMappedFileName()", MB_OK|MB_ICONINFORMATION );
// Free the buffer.
LocalFree( lpMsgBuf );
}
CloseHandle(hFileMap);
//printf("File name is %s\n", pszFilename);
strcpy(strName,pszFilename);
return strName;
//return(bSuccess);
}
static DWORD GetEprocessFromPid ( ULONG PID )
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
for ( size = 1; ; size *= 2 ){
if ( NULL == ( buf = calloc( size, 1 ) ) ){
fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
goto GetEprocessFromPid_exit;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf,
size, NULL );
if ( !NT_SUCCESS( status ) ){
if ( STATUS_INFO_LENGTH_MISMATCH == status ){
free( buf );
buf = NULL;
}
else{
printf( "ZwQuerySystemInformation() failed");
goto GetEprocessFromPid_exit;
}
}
else{
break;
}
} /* end of for */
//NumOfHandle = (ULONG)buf;
NumOfHandle = *(ULONG*)buf;
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
for(i = 0; i<NumOfHandle ;i++){
if( ( h_info[i].ProcessId == PID ) &&( h_info[i].ObjectTypeNumber ==
28 ))//&&( h_info[i].Handle==0x3d8 ) )
// {
printf("Handle:0x%x,OBJECT 0x%x, Object Type Number is : %d, Name:
%s\n\r",h_info[i].Handle,h_info[i].Object,h_info[i]. ObjectTypeNumber,GetFileNameFromHandle((
HANDLE)(h_info[i].Handle)
));
// return((DWORD)(h_info[i].Object));
// }
}
GetEprocessFromPid_exit:
if ( buf != NULL ){
free( buf );
buf = NULL;
}
return(FALSE);
}
/*
* ntdll.dll
*/
static BOOL LocateNtdllEntry ( void )
{
BOOL ret = FALSE;
char NTDLL_DLL[] = "ntdll.dll";
HMODULE ntdll_dll = NULL;
if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL ){
printf( "GetModuleHandle() failed");
return( FALSE );
}
if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION
)GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) ){
goto LocateNtdllEntry_exit;
}
ret = TRUE;
LocateNtdllEntry_exit:
if ( FALSE == ret ){
printf( "GetProcAddress() failed");
}
ntdll_dll = NULL;
return( ret );
} /* end of LocateNtdllEntry */
int main(int argc,char **argv)
{
HANDLE h;
ULONG inPid;
LocateNtdllEntry( );
//OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProce
ssId() );
printf("\nEnter the Pid of the proces to be opened : ");
scanf("%ul",&inPid);
h = OpenProcess( PROCESS_ALL_ACCESS,FALSE,inPid);
if(!h){
LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError();
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0, NULL );
lpDisplayBuf = LocalAlloc(LMEM_ZEROINIT,
strlen(lpMsgBuf)+40);
wsprintf(lpDisplayBuf,
"failed with error %d: %s",
dw, lpMsgBuf);
MessageBox(NULL, lpDisplayBuf, "Error", MB_OK);
LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
ExitProcess(dw);
}
/*DWORD Addr =*/ //GetEprocessFromPid( (DWORD)GetCurrentProcessId() );
GetEprocessFromPid( inPid);
//printf("result: Current EPROCESS's Address is 0x%x \n\r",Addr);
return TRUE;
}
|
|