Hi everybody!
Target: Kernel mode
OS: Win2K/XP/.NET
Task: Obtain all possible information about an object from the given
handle (information like object’s full name etc.). Like Russinovich’s
ProcessExplorer does…
====================================================================
Does anybody know how to obtain the proper pointers to the OBJECT
structures like OBJECT_HEADER etc. from a handle, structures that are located
inside a process’s handle database?
I’ve been trying to do it in two ways:
- Using ObReferenceObjectByHandle
It returns a pointer to the object’s body (cf. IFS DDK). As is known,
ObjectBodyPtr + sizeof(OBJECT_HEADER) = ObjectHeaderPtr, where
sizeof(OBJECT_HEADER) = 0x18, but when I try to get information from the
OBJECT_HEADER fields I see some garbage, so the ObjectHeaderPtr is
incorrect! Maybe the OBJECT_ structures that I use are wrong? Maybe I
forgot about something?
- Using EPROCESS->PHANDLE_TABLE
From the given handle to the object I calculate indexes for HANDLE_LAYER1,
HANDLE_LAYER2 and HANDLE_LAYER3 and fetch the necessary HANDLE_ENTRY:
BYTE iHE = 0, iHL2 = 0, iHL3 = 0;
PHANDLE_TABLE pHandleTable = NULL;
PHANDLE_LAYER1 pHL1 = NULL;
PHANDLE_LAYER2 pHL2 = NULL;
PHANDLE_LAYER3 pHL3 = NULL;
PHANDLE_ENTRY pHE = NULL;
/* ObjectTable is a field of the EPROCESS: cast the process pointer first, then take the field */
pHandleTable = (PHANDLE_TABLE)((PEPROCESS)pEprocess)->ObjectTable;
/* split the handle value into the three 8-bit layer indexes; the low two bits are not part of any index */
iHL2 = (BYTE)(((DWORD)Handle & 0x03FC0000) >> 18);
iHL3 = (BYTE)(((DWORD)Handle & 0x0003FC00) >> 10);
iHE  = (BYTE)(((DWORD)Handle & 0x000003FC) >> 2);
/* debug output; printk is assumed to be a local wrapper around DbgPrint (it is not a kernel export) */
printk(("%i - %i - %i\n", iHL2, iHL3, iHE));
pHL1 = pHandleTable->Layer1;
pHL2 = pHL1->Layer2[iHL2];
pHL3 = pHL2->Layer3[iHL3];
pHE  = &pHL3->Entries[iHE];
And here the HANDLE_ENTRY’s fields are also filled with some strange
information!
What is the problem? What is wrong?
Maybe somebody already has sample source on how to work with handles? Or
maybe somebody can provide some additional useful information?
Finally, I need, from inside the process’s context, to obtain from the given
handle all possible information about the object bound to this handle.
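Added example, not code from the poster: a user-mode C model of the three-level walk the post describes. The struct definitions below are mock layouts that only mirror the names used in the post (HANDLE_TABLE, HANDLE_LAYER1/2/3, HANDLE_ENTRY, 256 slots per layer); they are not the kernel's real definitions, which also change between Windows versions. The handle is split into indexes with exactly the post's masks and shifts, and every layer pointer is checked before it is followed, which is the check one wants before reading fields out of a table walk.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mock layouts mirroring the names in the post; NOT the kernel's real,
   version-specific definitions. 8-bit index fields => 256 slots per layer. */
#define LAYER_SIZE 256U

typedef struct _HANDLE_ENTRY {
    void     *Object;          /* pointer to the object body (NULL = free slot) */
    uint32_t  GrantedAccess;
} HANDLE_ENTRY;
typedef struct _HANDLE_LAYER3 { HANDLE_ENTRY   Entries[LAYER_SIZE]; } HANDLE_LAYER3;
typedef struct _HANDLE_LAYER2 { HANDLE_LAYER3 *Layer3[LAYER_SIZE];  } HANDLE_LAYER2;
typedef struct _HANDLE_LAYER1 { HANDLE_LAYER2 *Layer2[LAYER_SIZE];  } HANDLE_LAYER1;
typedef struct _HANDLE_TABLE  { HANDLE_LAYER1 *Layer1;              } HANDLE_TABLE;

typedef struct { uint8_t l2, l3, entry; } HANDLE_INDEX;

/* Same masks and shifts as the post; the low two bits belong to no index. */
HANDLE_INDEX decode_handle(uint32_t h)
{
    HANDLE_INDEX ix;
    ix.l2    = (uint8_t)((h & 0x03FC0000u) >> 18);
    ix.l3    = (uint8_t)((h & 0x0003FC00u) >> 10);
    ix.entry = (uint8_t)((h & 0x000003FCu) >>  2);
    return ix;
}

/* Layer1 -> Layer2 -> Layer3 -> entry. Each pointer is checked before it is
   followed, so an unallocated layer or an empty slot yields NULL instead of
   a read of whatever memory happens to be there. */
HANDLE_ENTRY *lookup_handle(const HANDLE_TABLE *t, uint32_t h)
{
    HANDLE_INDEX   ix = decode_handle(h);
    HANDLE_LAYER2 *l2;
    HANDLE_LAYER3 *l3;
    HANDLE_ENTRY  *e;

    if (t == NULL || t->Layer1 == NULL) return NULL;
    if ((l2 = t->Layer1->Layer2[ix.l2]) == NULL) return NULL;
    if ((l3 = l2->Layer3[ix.l3]) == NULL) return NULL;
    e = &l3->Entries[ix.entry];
    return e->Object != NULL ? e : NULL;
}

/* Allocate layers on demand and record an object under handle h.
   Returns 1 on success, 0 on allocation failure. */
int table_insert(HANDLE_TABLE *t, uint32_t h, void *object, uint32_t access)
{
    HANDLE_INDEX    ix = decode_handle(h);
    HANDLE_LAYER2 **l2;
    HANDLE_LAYER3 **l3;

    if (t->Layer1 == NULL && (t->Layer1 = calloc(1, sizeof *t->Layer1)) == NULL) return 0;
    l2 = &t->Layer1->Layer2[ix.l2];
    if (*l2 == NULL && (*l2 = calloc(1, sizeof **l2)) == NULL) return 0;
    l3 = &(*l2)->Layer3[ix.l3];
    if (*l3 == NULL && (*l3 = calloc(1, sizeof **l3)) == NULL) return 0;
    (*l3)->Entries[ix.entry].Object        = object;
    (*l3)->Entries[ix.entry].GrantedAccess = access;
    return 1;
}

void table_free(HANDLE_TABLE *t)
{
    unsigned i, j;
    if (t->Layer1 == NULL) return;
    for (i = 0; i < LAYER_SIZE; i++) {
        HANDLE_LAYER2 *l2 = t->Layer1->Layer2[i];
        if (l2 == NULL) continue;
        for (j = 0; j < LAYER_SIZE; j++) free(l2->Layer3[j]);
        free(l2);
    }
    free(t->Layer1);
    t->Layer1 = NULL;
}

/* Constructed scenario: one object under handle 0x00040804 (Layer2 index 1,
   Layer3 index 2, entry 1). Returns how many of the 4 checks passed. */
int walk_demo(void)
{
    static int    dummy_object;            /* stands in for an object body */
    HANDLE_TABLE  t = { NULL };
    HANDLE_ENTRY *e;
    int           passed = 0;

    if (lookup_handle(&t, 0x00040804u) == NULL) passed++;                /* empty table */
    if (table_insert(&t, 0x00040804u, &dummy_object, 0x1F0001u)) passed++;
    e = lookup_handle(&t, 0x00040804u);
    if (e != NULL && e->Object == &dummy_object && e->GrantedAccess == 0x1F0001u) passed++;
    if (lookup_handle(&t, 0x00080804u) == NULL) passed++;                /* Layer2[2] never allocated */
    table_free(&t);
    return passed;
}

int main(void)
{
    HANDLE_INDEX ix = decode_handle(0x00040804u);
    printf("%u - %u - %u\n", ix.l2, ix.l3, ix.entry);     /* 1 - 2 - 1 */
    printf("walk_demo: %d/4 checks passed\n", walk_demo());
    return 0;
}
```

The point of the model is the shape of the walk, not the numbers: the index arithmetic alone cannot tell you whether the pointer it produces is valid, so each step must be checked against the table that is actually in use, and the table layout must match the OS version being inspected.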