ZwOpenProcess handle leak

In the ZwOpenProcess manual
https://msdn.microsoft.com/en-us/library/windows/hardware/ff567022(v=vs.85).aspx
it is not mentioned that you need to close the handle, but when I use it, it seems that if I don't close the handle there is a handle leak.

for (int i = 0; i < 10; i++)
{
    HANDLE hProcess = 0;
    NTSTATUS status = STATUS_SUCCESS;
    OBJECT_ATTRIBUTES obj_attr;
    InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
    CLIENT_ID cid;
    cid.UniqueProcess = ProcessId;
    cid.UniqueThread = (HANDLE)0;
    status = ZwOpenProcess(&hProcess, GENERIC_ALL, &obj_attr, &cid);
    DbgPrint("ZwOpenProcess: status:%x, handle: %x\n", status, hProcess);
    //ZwClose(hProcess);   // deliberately left out: each iteration keeps its handle open
}

output:
ZwOpenProcess: status:0, handle: 9c
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: a0
ZwOpenProcess: status:0, handle: 70
ZwOpenProcess: status:0, handle: a4
ZwOpenProcess: status:0, handle: a8
ZwOpenProcess: status:0, handle: ac
ZwOpenProcess: status:0, handle: b0
ZwOpenProcess: status:0, handle: b4
ZwOpenProcess: status:0, handle: b8

If I close the handle after the call to DbgPrint, there is no handle leak:

for (int i = 0; i < 10; i++)
{
    HANDLE hProcess = 0;
    NTSTATUS status = STATUS_SUCCESS;
    OBJECT_ATTRIBUTES obj_attr;
    InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
    CLIENT_ID cid;
    cid.UniqueProcess = ProcessId;
    cid.UniqueThread = (HANDLE)0;
    status = ZwOpenProcess(&hProcess, GENERIC_ALL, &obj_attr, &cid);
    DbgPrint("ZwOpenProcess: status:%x, handle: %x\n", status, hProcess);
    if (NT_SUCCESS(status))
        ZwClose(hProcess);   // release the handle; nothing to close if the open failed
}

output:
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60

is the MS document incomplete or am I missing something?

Do you understand the concept of a handle?

It is a pointer to a resource (file, process, ...) with a set of permissions.

Are you saying there is no problem with a kernel handle leak? What about a user-mode handle leak?

You are exaggerating.
Anyway, this is an excerpt from the description of the Win32 OpenProcess function, which calls ZwOpenProcess:

“When you are finished with the handle, be sure to close it using the CloseHandle function.”

I hope this solved your problem.

So I am right and the MS document for ZwOpenProcess is missing a remark to call ZwClose on the returned handle?

Yes, you are right.

OK, thanks.

xxxxx@meir.li wrote:

So I am right and the MS document for ZwOpenProcess is missing a remark to call ZwClose on the returned handle?

No. ANY TIME you create a handle, you need to close that handle. They
shouldn’t have to remind you of that in every API. It’s true in user
mode and in kernel mode, but in user-mode any open handles are closed
for you when the process terminates, and most programmers rely on that.
In kernel mode, the process never terminates, even when the driver unloads.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
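The open/use/close discipline Tim describes, as an added example that is not code from this thread: a wrapper that closes the handle on every path, asks for the least access it needs (PROCESS_QUERY_LIMITED_INFORMATION rather than GENERIC_ALL), marks the handle OBJ_KERNEL_HANDLE so it lands in the kernel handle table instead of the current process's, and keeps an outstanding-handle count a driver can check in DriverUnload, since a leaked kernel handle survives the unload. The NT typedefs and the ZwOpenProcess/ZwClose bodies are constructed stand-ins so the file builds and runs in user mode; in a driver, include <ntddk.h> and drop them.

```c
#include <stddef.h>
#include <stdint.h>
/* Minimal NT declarations plus stand-in ZwOpenProcess/ZwClose (constructed for this
 * example, not ntddk.h). In a driver, #include <ntddk.h> and delete down to "end of stand-ins". */
typedef void *HANDLE;
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS     ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_CID ((NTSTATUS)0xC000000BL)
#define NT_SUCCESS(s)      (((NTSTATUS)(s)) >= 0)
#define OBJ_KERNEL_HANDLE  0x00000200L  /* handle goes in the kernel table, not the caller process's */
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000  /* least access for a simple query; not GENERIC_ALL */
typedef struct { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID;
typedef struct { unsigned long Attributes; } OBJECT_ATTRIBUTES;
static long g_table; long KernelTableCount(void) { return g_table; }  /* stand-in handle table population */
static NTSTATUS ZwOpenProcess(HANDLE *h, unsigned long acc, OBJECT_ATTRIBUTES *oa, CLIENT_ID *cid) {
    (void)acc; (void)oa;
    if (cid->UniqueProcess == NULL) return STATUS_INVALID_CID;   /* no such process */
    g_table++;
    *h = (HANDLE)(uintptr_t)(0x5c + 4 * g_table);  /* lowest free slot, as in the thread's output */
    return STATUS_SUCCESS;
}
static NTSTATUS ZwClose(HANDLE h) { (void)h; g_table--; return STATUS_SUCCESS; }
/* ---- end of stand-ins ---- */
/* Driver-side accounting: +1 per successful open, -1 per ZwClose; nonzero at DriverUnload means a leak. */
static long g_outstanding;
long OutstandingProcessHandles(void) { return g_outstanding; }
/* Open the process, hand the handle to 'use', and close it on every path. */
NTSTATUS WithProcessHandle(HANDLE pid, NTSTATUS (*use)(HANDLE)) {
    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES oa = { OBJ_KERNEL_HANDLE };  /* InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL) */
    CLIENT_ID cid = { pid, NULL };
    NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &oa, &cid);
    if (!NT_SUCCESS(status)) return status;  /* nothing opened, so do not ZwClose a zero handle */
    g_outstanding++;
    status = use(hProcess);                  /* 'use' may fail; the close below still runs */
    ZwClose(hProcess);
    g_outstanding--;
    return status;
}
/* The thread's loop of ten opens, done correctly; records the last handle value seen. */
static HANDLE g_last;
static NTSTATUS RememberHandle(HANDLE h) { g_last = h; return STATUS_SUCCESS; }
HANDLE LastHandleSeen(void) { return g_last; }
NTSTATUS OpenCloseLoop(HANDLE pid, int n) {
    NTSTATUS status = STATUS_SUCCESS;
    for (int i = 0; i < n && NT_SUCCESS(status); i++) status = WithProcessHandle(pid, RememberHandle);
    return status;
}
```

With the stand-in table, every iteration gets the same handle value (0x60) back, mirroring the second output listing in the thread, and both counters return to zero.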