(This is a user-land API question. I hope it’s okay to ask here as it’s
windows and FS related. Kindly help me redirect this in case this is the
wrong forum.)

I have a case where I need to determine in user-mode the share-mode of a
file handle opened by another process, mainly to determine if the file is
opened exclusively (sharemode = 0). I do the following:

1. Set Debug Privilege
2. NtQuerySystemInformation
3. OpenProcess
4. NtDuplicateObject (process, handle)
5. NtQueryObject(duplicate-handle, ObjectBasicInformation)

The issue is that the Object Attributes returned by the NtQueryObject is
always zero. I was hoping that there would be an OBJ_EXCLUSIVE indicating
that the open is exclusive. Is this a valid assumption for this problem?

Is there some other way I can get the shared-mode, other than (attempting
to open the file as that would be slower)?

P.S.: The calls above have worked with no errors. I can also get the file
path etc from other similar calls. I’m stuck only at the share-mode.

I know that it is possible to get the ShareMode from the FILE_OBJECT in a
mini-filter. But I am unable to know this from user-mode. There is an
object address that I get as part of each entry returned by
NtQuerySystemInformation but I cannot access that memory area.

Is there any other way?

Thanks,
Arun

On Sun, Oct 26, 2014 at 1:51 AM, Arun M. Krishnakumar wrote:
> Hi,
>
> (This is a user-land API question. I hope it’s okay to ask here as it’s
> windows and FS related. Kindly help me redirect this in case this is the
> wrong forum.)
>
> I have a case where I need to determine in user-mode the share-mode of a
> file handle opened by another process, mainly to determine if the file is
> opened exclusively (sharemode = 0). I do the following:
>
> 1. Set Debug Privilege
> 2. NtQuerySystemInformation
> 3. OpenProcess
> 4. NtDuplicateObject (process, handle)
> 5. NtQueryObject(duplicate-handle, ObjectBasicInformation)
>
> The issue is that the Object Attributes returned by the NtQueryObject is
> always zero. I was hoping that there would be an OBJ_EXCLUSIVE indicating
> that the open is exclusive. Is this a valid assumption for this problem?
>
> Is there some other way I can get the shared-mode, other than (attempting
> to open the file as that would be slower)?
>
> P.S.: The calls above have worked with no errors. I can also get the file
> path etc from other similar calls. I’m stuck only at the share-mode.
>
> Thanks,
>