strange

i am trying to revive the file handles of an open process. after reading the
lists i found that for XP the class is 28 (which i hard coded for th time
being). when i run this progeam in xp with test processes, i get invalid
file handle when i try to run a test app that opens a file and runs in an
infinite loop. i print the handle in the test app also, and they are same in
the list i get in my code also. can some one help.

#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
#include <conio.h>
#include <psapi.h>
#include <tchar.h>
#include <string.h>

#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

#define BUFSIZE 256

typedef enum _SYSTEM_INFORMATION_CLASS{
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

/
Information Class 16
/
typedef struct _SYSTEM_HANDLE_INFORMATION{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, PSYSTEM_HANDLE_INFORMATION;

#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof(
OBJECT_ATTRIBUTES ); (p)->RootDirectory = r; (p)->Attributes = a;
(p)->ObjectName = n; (p)->SecurityDescriptor = s;
(p)->SecurityQualityOfService = NULL; }

typedef ULONG ( __stdcall RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
typedef NTSTATUS (__stdcall ZWQUERYSYSTEMINFORMATION ) ( IN
SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID
SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength
OPTIONAL );

/
*
* Function Prototype
*
/

static DWORD GetEprocessFromPid ( ULONG PID );
static BOOL LocateNtdllEntry ( void );

/
*
* Static Global Var
*
/

static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

static HMODULE hModule = NULL;
/
************************************************************/

const char * GetFileNameFromHandle(HANDLE hFile)
{

BOOL bSuccess = FALSE;
TCHAR pszFilename[MAX_PATH+1];
HANDLE hFileMap;
char strName;
char buff[512];

// Get the file size.
DWORD dwFileSizeHi = 0;
DWORD dwFileSizeLo = GetFileSize(hFile, &dwFileSizeHi);

strName=(char )malloc(1000);
if( dwFileSizeLo == 0 && dwFileSizeHi == 0 ){
//printf(“Cannot map a file with a length of zero.\n”);
//return FALSE;

strcpy(strName,“Cannot map a file with a length of zero”);
return strName;
}

// Create a file mapping object.
hFileMap = CreateFileMapping(hFile,
NULL,
PAGE_READONLY,
0,
1,
NULL);

if (hFileMap){
// Create a file mapping to get the file name.
void
pMem = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 1);

if (pMem){

if (GetMappedFileName (GetCurrentProcess(),
pMem,
pszFilename,
MAX_PATH)){

// Translate path with device name to drive letters.
TCHAR szTemp[BUFSIZE];
szTemp[0] = ‘\0’;

if (GetLogicalDriveStrings(BUFSIZE-1, szTemp)){
TCHAR szName[MAX_PATH];
TCHAR szDrive[3] = TEXT(" :");
BOOL bFound = FALSE;
TCHAR
p = szTemp;

do{
// Copy the drive letter to the template string
*szDrive = p;

// Look up each device name
if (QueryDosDevice(szDrive, szName, BUFSIZE)){
UINT uNameLen = _tcslen(szName);

if (uNameLen < MAX_PATH){
bFound = _tcsnicmp(pszFilename, szName,
uNameLen) == 0;

if (bFound){
// Reconstruct pszFilename using szTemp
// Replace device path with DOS path
TCHAR szTempFile[MAX_PATH];
_stprintf(szTempFile,
TEXT(“%s%s”),
szDrive,
pszFilename+uNameLen);
_tcsncpy(pszFilename, szTempFile, MAX_PATH);
}
}
}

// Go to the next NULL character.
while (p++);
} while (!bFound && p); // end of string
} //if (GetLogicalDriveStrings(BUFSIZE-1, szTemp)){
} //if (GetMappedFileName
else{ // GetMappedFileName() == 0
LPSTR lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
);

// Display the string.
MessageBox( NULL, lpMsgBuf, “GetLastError() for GetMappedFileName()”,
MB_OK|MB_ICONINFORMATION );

// Free the buffer.
LocalFree( lpMsgBuf );
} //else{ // GetMappedFileName() == 0

bSuccess = TRUE;
UnmapViewOfFile(pMem);
} //if (pMem)
else{ //else…if (pMem)
LPSTR lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
);

// Display the string.
MessageBox( NULL, lpMsgBuf, “GetLastError() for GetMappedFileName()”,
MB_OK|MB_ICONINFORMATION );

// Free the buffer.
LocalFree( lpMsgBuf );
}
bSuccess = TRUE;
UnmapViewOfFile(pMem);
} //if (hFileMap)
else{
LPSTR lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
);

// Display the string.
MessageBox( NULL, lpMsgBuf, “GetLastError() for GetMappedFileName()”,
MB_OK|MB_ICONINFORMATION );

// Free the buffer.
LocalFree( lpMsgBuf );
}

CloseHandle(hFileMap);

//printf(“File name is %s\n”, pszFilename);

strcpy(strName,pszFilename);
return strName;
//return(bSuccess);
}

static DWORD GetEprocessFromPid ( ULONG PID )
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;

for ( size = 1; ; size = 2 ){
if ( NULL == ( buf = calloc( size, 1 ) ) ){
fprintf( stderr, “calloc( %u, 1 ) failed\n”, size );
goto GetEprocessFromPid_exit;
}

status = ZwQuerySystemInformation( SystemHandleInformation, buf, size,
NULL );
if ( !NT_SUCCESS( status ) ){
if ( STATUS_INFO_LENGTH_MISMATCH == status ){
free( buf );
buf = NULL;
}
else{
printf( “ZwQuerySystemInformation() failed”);
goto GetEprocessFromPid_exit;
}
}
else{
break;
}
} /
end of for /

//NumOfHandle = (ULONG)buf;
NumOfHandle = (ULONG)buf;

h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);

for(i = 0; i if( ( h_info[i].ProcessId == PID ) &&( h_info[i].ObjectTypeNumber == 28
))//&&( h_info[i].Handle==0x3d8 ) )
// {
printf(“Handle:0x%x,OBJECT 0x%x, Object Type Number is : %d, Name:
%s\n\r”,h_info[i].Handle,h_info[i].Object,h_info[i].ObjectTypeNumber,GetFileNameFromHandle((HANDLE)(h_info[i].Handle)
));
// return((DWORD)(h_info[i].Object));
// }
}
GetEprocessFromPid_exit:
if ( buf != NULL ){
free( buf );
buf = NULL;
}
return(FALSE);
}

/

ntdll.dll
/
static BOOL LocateNtdllEntry ( void )
{
BOOL ret = FALSE;
char NTDLL_DLL[] = “ntdll.dll”;
HMODULE ntdll_dll = NULL;

if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL ){
printf( “GetModuleHandle() failed”);
return( FALSE );
}
if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION
)GetProcAddress( ntdll_dll, “ZwQuerySystemInformation” ) ) ){
goto LocateNtdllEntry_exit;
}
ret = TRUE;

LocateNtdllEntry_exit:

if ( FALSE == ret ){
printf( “GetProcAddress() failed”);
}
ntdll_dll = NULL;
return( ret );
} /
end of LocateNtdllEntry */

int main(int argc,char
argv)
{

HANDLE h;
ULONG inPid;
LocateNtdllEntry( );

//OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );

printf(“\nEnter the Pid of the proces to be opened : “);
scanf(”%ul”,&inPid);

h = OpenProcess( PROCESS_ALL_ACCESS,FALSE,inPid);
if(!h){
LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError();

FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0, NULL );

lpDisplayBuf = LocalAlloc(LMEM_ZEROINIT,
strlen(lpMsgBuf)+40);
wsprintf(lpDisplayBuf,
“failed with error %d: %s”,
dw, lpMsgBuf);
MessageBox(NULL, lpDisplayBuf, “Error”, MB_OK);

LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
ExitProcess(dw);
}

/DWORD Addr =/ //GetEprocessFromPid( (DWORD)GetCurrentProcessId() );
GetEprocessFromPid( inPid);

//printf(“result: Current EPROCESS’s Address is 0x%x \n\r”,Addr);

return TRUE;
}</string.h></tchar.h></psapi.h></conio.h></aclapi.h></stdio.h></windows.h>

seems u didn’t take the cofee break buddy…

how can u expect to directly evaluate a handle of a diff process???

U need to duplicate it and then do this stuff…