in ZwOpenProcess manual
https://msdn.microsoft.com/en-us/library/windows/hardware/ff567022(v=vs.85).aspx
it is not mentioned that you need to close the handle, but when I use it, seems like if I don’t close the handle there is a handle leak.
for (int i = 0; i < 10; i++)
{
HANDLE hProcess = 0;
NTSTATUS status = STATUS_SUCCESS;
OBJECT_ATTRIBUTES obj_attr;
InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
CLIENT_ID cid;
cid.UniqueProcess = ProcessId;
cid.UniqueThread = (HANDLE)0;
status = ZwOpenProcess(&hProcess, GENERIC_ALL, &obj_attr, &cid);
DbgPrint(“ZwOpenProcess: status:%x, handle: %x\n”, status, hProcess);
//ZwClose(hProcess);
}
output:
ZwOpenProcess: status:0, handle: 9c
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: a0
ZwOpenProcess: status:0, handle: 70
ZwOpenProcess: status:0, handle: a4
ZwOpenProcess: status:0, handle: a8
ZwOpenProcess: status:0, handle: ac
ZwOpenProcess: status:0, handle: b0
ZwOpenProcess: status:0, handle: b4
ZwOpenProcess: status:0, handle: b8
if I close the handle after the call to DbgPrint, there is no handle leak
for (int i = 0; i < 10; i++)
{
HANDLE hProcess = 0;
NTSTATUS status = STATUS_SUCCESS;
OBJECT_ATTRIBUTES obj_attr;
InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
CLIENT_ID cid;
cid.UniqueProcess = ProcessId;
cid.UniqueThread = (HANDLE)0;
status = ZwOpenProcess(&hProcess, GENERIC_ALL, &obj_attr, &cid);
DbgPrint(“ZwOpenProcess: status:%x, handle: %x\n”, status, hProcess);
ZwClose(hProcess);
}
output:
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
is the MS document incomplete or am I missing something?