ZwOpenProcess handle leak

OSR_Community_UserOSR_Community_User Member Posts: 110,217
In the ZwOpenProcess manual
https://msdn.microsoft.com/en-us/library/windows/hardware/ff567022(v=vs.85).aspx
it is not mentioned that you need to close the handle, but when I use it, it seems like if I don't close the handle there is a handle leak.

for (int i = 0; i < 10; i++)
{
    HANDLE hProcess = NULL;
    NTSTATUS status = STATUS_SUCCESS;
    OBJECT_ATTRIBUTES obj_attr;
    CLIENT_ID cid;

    InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
    cid.UniqueProcess = ProcessId;   // PID of the target process
    cid.UniqueThread = (HANDLE)0;
    status = ZwOpenProcess(&hProcess, GENERIC_ALL, &obj_attr, &cid);
    // HANDLE is pointer-sized; cast it so %x receives a 32-bit argument
    DbgPrint("ZwOpenProcess: status:%x, handle: %x\n", status, (ULONG)(ULONG_PTR)hProcess);
    //ZwClose(hProcess);   // handle deliberately left open: each iteration gets a fresh one
}

output:
ZwOpenProcess: status:0, handle: 9c
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: a0
ZwOpenProcess: status:0, handle: 70
ZwOpenProcess: status:0, handle: a4
ZwOpenProcess: status:0, handle: a8
ZwOpenProcess: status:0, handle: ac
ZwOpenProcess: status:0, handle: b0
ZwOpenProcess: status:0, handle: b4
ZwOpenProcess: status:0, handle: b8

If I close the handle after the call to DbgPrint, there is no handle leak:

for (int i = 0; i < 10; i++)
{
    HANDLE hProcess = NULL;
    NTSTATUS status = STATUS_SUCCESS;
    OBJECT_ATTRIBUTES obj_attr;
    CLIENT_ID cid;

    // Without OBJ_KERNEL_HANDLE the handle is created in the current process's handle table
    InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
    cid.UniqueProcess = ProcessId;   // PID of the target process
    cid.UniqueThread = (HANDLE)0;
    status = ZwOpenProcess(&hProcess, GENERIC_ALL, &obj_attr, &cid);
    DbgPrint("ZwOpenProcess: status:%x, handle: %x\n", status, (ULONG)(ULONG_PTR)hProcess);
    // Only close a handle that was actually opened; hProcess is undefined on failure
    if (NT_SUCCESS(status))
    {
        ZwClose(hProcess);   // the same handle value is reused on the next iteration
    }
}

output:
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60
ZwOpenProcess: status:0, handle: 60


Is the MS document incomplete, or am I missing something?

Comments

  • Alex_GrigAlex_Grig Member Posts: 3,238
    Do you understand the concept of a handle?
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    It is a pointer to a resource (file, process, ...) with a set of permissions.
    Are you saying there is no problem with a kernel handle leak? What about a user-mode handle leak?
  • Slava_ImameevSlava_Imameev Member Posts: 480
    You are exaggerating.
    Anyway, this is an excerpt from the description of Win32 OpenProcess, which calls ZwOpenProcess:

    "When you are finished with the handle, be sure to close it using the CloseHandle function."

    I hope this solved your problem.
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    So I am right and the MS document for ZwOpenProcess is missing a remark to call ZwClose on the returned handle?
  • Slava_ImameevSlava_Imameev Member Posts: 480
    Yes, you are right.
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    OK, thanks.
  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,103
    xxxxx@meir.li wrote:
    > So I am right and the MS document for ZwOpenProcess is missing a remark to call ZwClose on the returned handle?

    No. ANY TIME you create a handle, you need to close that handle. They
    shouldn't have to remind you of that in every API. It's true in user
    mode and in kernel mode, but in user-mode any open handles are closed
    for you when the process terminates, and most programmers rely on that.
    In kernel mode, the process never terminates, even when the driver unloads.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

