I am somewhat new to programming and very new to kernel mode programming. I’m trying to develop a
legacy driver that is able to delete pretty much anything. I am able to use KeStackAttachProcess,
ZwCreateFile, ZwDuplicateObject, and ObCloseHandle to get and close most handles. On some open system
files this method results in a Delete Pending status that never really removes the file. If I use Handle.exe
or Process Hacker to find the handle value, I can change it to high bit, i.e. 0x0f4 to 0x800000f4 and
plug this value into ObCloseHandle which immediately closes that handle and deletes the file. My problem is
that I’m hung up trying to return these specific values instead of the “pseudo handles” of ZwCreateFile or some other
function. I would like to be able to concisely get such a value without enumerating all system handles. Can someone
help me with an outline of how to accomplish this?
What’s the purpose of this exercise?
I don’t expect to have the time to learn c++ well enough to produce advanced apps, but
I decided if I concentrated on one aspect, I might make a good program. My feeling is that
there are too many restrictions on deleting objects even as Administrator, so I chose to work
on a driver that could thoroughly delete items in Windows.
> My feeling is that there are too many restrictions on deleting objects even as Administrator,
> so I chose to work on a driver that could thoroughly delete items in Windows.
A guy who was asking how to rename files in Explorer must be getting pretty nervous - the OP seems to be close to breaking his “record”…
Anton Bassov
Run Windows 98, if you don’t want security.
Security is o.k. I’m working on limitations.
> I am able to use KeStackAttachProcess, ZwCreateFile, ZwDuplicateObject,
> and ObCloseHandle to get and close most handles.
And what about the brain? Are you able to use this organ?
Anton Bassov
xxxxx@gmail.com wrote:
> Security is o.k. I’m working on limitations.
When some action is blocked to normal processes, that’s usually trying
to prevent accidents. When some action is blocked to admin processes,
that’s usually trying to prevent damage. Put another way, there is
usually a very good reason for those limitations, and an arbitrary
bypass mechanism is only going to cause tears.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Don’t you find it disturbing to discover that one needs to explain something as obvious as that to a would-be kernel developer?
Anton Bassov