Get information from handle

Hello, gurus.

I hooked the NtCreateProcessEx API.
After execution of the original function, I confirmed that the first argument, ProcessHandle, points to the newly created process handle.
I saw the information through the !handle command, like below.


kd> !handle 0x00000898
processor number 0, process 81a094f8
PROCESS 81a094f8 SessionId: 0 Cid: 058c Peb: 7ffde000 ParentCid: 054c
DirBase: 14ef0000 ObjectTable: e1a74e20 HandleCount: 557.
Image: explorer.exe

Handle table at e1718000 with 557 Entries in use
0898: Object: 81946020 GrantedAccess: 001f0fff Entry: e1719130
Object: 81946020 Type: (81ed0e70) Process
ObjectHeader: 81946008 (old version)
HandleCount: 1 PointerCount: 1

And I could confirm that the Object value (81946020) is the EPROCESS structure which contains the information of the newly created process.


kd> dt _EPROCESS 81946020
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x1c8a5b1`365b3900
+0x168 Filler : 0

+0x170 Session : 0xf89d3000
+0x174 ImageFileName : [16] "NOTEPAD.EXE"
+0x184 JobLinks : _LIST_ENTRY [0x0 - 0x0]
+0x18c LockedPagesList : (null)

What I want to get exactly is the ImageFileName.
How can I get this information from just the handle value?
I expect that it is possible because there is an actual command I can use in WinDbg.

Have a nice day~

hi
PFILE_OBJECT file=0;
POBJECT_HANDLE_INFORMATION info = NULL;
Use this function; this will give you the path:
ObReferenceObjectByHandle(hand,0,0,KernelMode,&file,info);

this will give you the path.

hope this helps
Regards

What the heck are you talking about? First, that argument is an input
parameter, so a NULL pointer means return nothing. Second, the info returned
for a process is the granted access, not the process's pathname.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


Don, it is really not clear what is the argument that you are talking about.
But another mistake is that he declares the output object as a file object
while he is passing the handle to a process.

/Daniel


Hello Don,
You are really Don! Sorry, I am just a novice in kernel programming!

The reason I gave this is that I found this function in this article.

The author says:
" //get the file name via the file handle
hand=(HANDLE)arg[6];
ObReferenceObjectByHandle(hand,0,0,KernelMode,&file,&info);
if(!file)return 1;
"
http://www.codeproject.com/KB/system/soviet_protector.aspx

So I thought it may be useful for him! So I tried to help him!

Sorry if I am wrong!

Regards

The last parameter was what I was referring to. If you input a NULL it
indicates do not return data. The results are undocumented, but for processes
it is the granted access of the handle.

As you said, there are other problems.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


> The reason I gave this is that I found this function in this article…
>
> So I thought it may be useful for him! So I tried to help him!

… without having the slightest idea what the code in the article actually does…

The reason I used ObReferenceObjectByHandle() is to get a pointer to FILE_OBJECT - this is what you need in the context the article speaks about. If you use it in the context the OP speaks about, you will get a pointer to EPROCESS (if you specify the object type properly), and this is not what the OP needs. What he needs here is a call to ZwQueryInformationProcess() - this is what GetModuleFileName() and friends internally rely upon…

Anton Bassov
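Putting Anton's answer into kernel-mode C, as an added example that is not code from the thread or from the CodeProject article: given the process handle the OP's hook sees after the original NtCreateProcessEx returns, it first references the object with the correct type (*PsProcessType) and a NULL HandleInformation argument (the optional output Don describes, which only reports granted access), then queries ProcessImageFileName through ZwQueryInformationProcess. Assumptions: a WDK build in which ZwQueryInformationProcess and the ProcessImageFileName info class are declared (older WDKs need a manual prototype), a handle that has already been copied safely out of the caller's buffer, and a helper name and pool tag that are my own.

```c
#include <ntddk.h>

#define IMG_TAG 'nImP'   /* pool tag chosen for this example */

/* Returns the NT path of the process behind ProcessHandle as a pool-allocated
 * UNICODE_STRING (header plus characters in one block). The caller frees it
 * with ExFreePoolWithTag(*ImageName, IMG_TAG). Helper name is hypothetical. */
NTSTATUS QueryImageFileNameFromHandle(HANDLE ProcessHandle, PUNICODE_STRING *ImageName)
{
    PEPROCESS process = NULL;
    PUNICODE_STRING buffer;
    ULONG needed = 0;
    NTSTATUS status;

    *ImageName = NULL;

    /* Validate that this really is a process handle with enough access.
     * Object type is *PsProcessType (not a FILE_OBJECT); the last argument is
     * the optional OBJECT_HANDLE_INFORMATION output, which reports granted
     * access and attributes, never a pathname, so NULL is fine here. */
    status = ObReferenceObjectByHandle(ProcessHandle, PROCESS_QUERY_INFORMATION,
                                       *PsProcessType, KernelMode,
                                       (PVOID *)&process, NULL);
    if (!NT_SUCCESS(status))
        return status;
    ObDereferenceObject(process);   /* only needed it for the type check */

    /* Probe call: a zero-length buffer yields STATUS_INFO_LENGTH_MISMATCH and
     * the byte count required for the string. */
    status = ZwQueryInformationProcess(ProcessHandle, ProcessImageFileName,
                                       NULL, 0, &needed);
    if (status != STATUS_INFO_LENGTH_MISMATCH || needed == 0)
        return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;

    buffer = (PUNICODE_STRING)ExAllocatePoolWithTag(PagedPool, needed, IMG_TAG);
    if (buffer == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    /* Real call: on success buffer->Buffer points just past the header and
     * holds e.g. \Device\HarddiskVolume1\WINDOWS\system32\notepad.exe. */
    status = ZwQueryInformationProcess(ProcessHandle, ProcessImageFileName,
                                       buffer, needed, &needed);
    if (!NT_SUCCESS(status)) {
        ExFreePoolWithTag(buffer, IMG_TAG);
        return status;
    }

    *ImageName = buffer;
    return STATUS_SUCCESS;
}
```

Call this at PASSIVE_LEVEL in the context of the process that owns the handle. A hook running in the caller's context must also read the user-mode *ProcessHandle out-parameter under __try/__except before passing the value in.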

Don,

Did you miss that this is the hooker from a prior post?


The personal opinion of
Gary G. Little


No, I was commenting on the incorrect information of the first answer given,
since otherwise we will see this incorrect code pop up in a ton of posts with
“but they said this will do it!”


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


xxxxx@yahoo.co.in wrote:


Please allow me to make a gentle suggestion. There are quite number of
people on this mailing list who are acknowledged experts in this field.
As a newcomer to the list, you should probably skip answering questions
when you aren’t absolutely sure of the answer. As you listen more,
you’ll discover which people know about which areas, which people are
not worth listening to, and in which areas you can best contribute.

By the way, this is good general advice any time someone signs up for a
new mailing list. I only wish that I would follow it myself. I would
have saved myself much embarrassment on several occasions.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

To “Anton Bassov”:
Thanks once again! I am clear about it now! Sorry for my lack of knowledge.

To “Tim Roberts”:

Thanks for the advice! I will try to follow it.

Regards