c++ - GetFinalPathNameByHandle returns the same path for all handles returned by NtQuerySystemInformation -
I want to retrieve the file paths accessed by processes on the OS. The list of processes is retrieved and has the right handle values. I want to use the GetFinalPathNameByHandle function to get the path of each file, but the path variable is the same for all records. I need a hand here, guys.
The source code is here: http://pastebin.com/nu26vcsd or, if pastebin is not accessible, here: http://hastebin.com/wahudogawa.avrasm
Line 66 is where I need help. The path is the same for each file handle of the tested process, and it equals the path of the program being executed (not the process start folder).
I run it as: `testprogram.exe | grep 5231`, where 5231 is the PID of the process I need.
The results look like:
pid: 5231 filehandlepid: 44 final path is: \device\harddiskvolume4\killfilehandle\c++\debug — while it should look like:
pid: 5231 filehandlepid: 44 final path is: \device\harddiskvolume2\users\username\appdata\roaming\testapp — or please correct me if I am wrong about the expected result.
Latest addition:
Thanks to @Raymond Chen's comments I am trying to move forward and use the DuplicateHandle() function. So far I've updated the code (hardcoded PID for now, sorry) and added handleValueTemp, which I try to pass to DuplicateHandle. The output changed to nonprintable characters.
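// Walk the system handle table and print the final path of every entry of
// object type 28 (the File type index on the author's Windows build; the
// index is version-specific). A handle value taken from the table indexes
// the OWNING process's handle table, so it must be duplicated into this
// process before it can be queried; using the raw value locally resolves to
// an unrelated local handle, which is why every entry printed the same path.
for (i = 0; i < hCount; ++i) {
    if (hFirstEntry[i].ObjectType != 28) {
        continue;
    }
    HANDLE sourceProcHandleTemp = OpenProcess(PROCESS_DUP_HANDLE, FALSE, hFirstEntry[i].OwnerPid);
    if (!sourceProcHandleTemp) {
        // Typically an access problem (another user's or a protected process);
        // report and move on rather than passing NULL to DuplicateHandle.
        cout << "error in openprocess: " << GetLastError() << "\n";
        continue;
    }
    HANDLE targetHandleValueTemp = NULL;
    BOOL duplicated = DuplicateHandle(sourceProcHandleTemp,
                                      (HANDLE)(ULONG_PTR)hFirstEntry[i].HandleValue,
                                      GetCurrentProcess(),
                                      &targetHandleValueTemp,
                                      0, FALSE, DUPLICATE_SAME_ACCESS);
    CloseHandle(sourceProcHandleTemp);
    if (!duplicated) {
        // Do not fall back to the foreign value: it is not a handle in this
        // process, and CloseHandle() on it would close some unrelated local
        // handle of our own.
        cout << "error in duplicatehandle: " << GetLastError() << "\n";
        continue;
    }
    TCHAR path[MAX_PATH];
    // NOTE(review): querying the path of some handle types (e.g. pipes with
    // outstanding I/O) is reported to block; production tools do this on a
    // worker thread with a timeout.
    DWORD dwRet = GetFinalPathNameByHandle(targetHandleValueTemp, path, MAX_PATH, 0);
    if (dwRet == 0 || dwRet >= MAX_PATH) {
        // 0 = failure; >= MAX_PATH = truncated, path[] is not valid.
        cout << "error in getfinalpathnamebyhandle: " << GetLastError() << "\n";
    } else {
        // Print the handle value as seen in the owning process, not our copy.
        _tprintf(TEXT("pid: %lu\tfilehandle: %hu\tthe final path is: %s\n"),
                 hFirstEntry[i].OwnerPid, hFirstEntry[i].HandleValue, path);
    }
    CloseHandle(targetHandleValueTemp);
}
// Still digging further and looking at the comments from time to time; maybe the code can be useful to someone else here.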
Thanks to @RaymondChen's and @HarryJohnston's comments on the question I was able to get a working result. I'll leave it here in case someone else needs it. The code is a bit crappy, and further formatting is left to you. Remember to update ownerPid in the loop to your own when testing.
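#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <limits.h>
#include <tchar.h>
#include <iostream>

// Initial buffer for the SystemHandleInformation query; doubled until the
// call stops reporting STATUS_INFO_LENGTH_MISMATCH.
#define START_ALLOC 0x1000

// ntstatus.h is not pulled in by windows.h, so define the two NTSTATUS codes
// this program interprets (guarded in case the build does include it).
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((LONG)0x00000000L)
#endif
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
#endif

// SYSTEM_INFORMATION_CLASS value for the (undocumented) handle table query.
#define SystemHandleInformation 0x10

// Prototype of ntdll!NtQuerySystemInformation, resolved at run time.
typedef LONG (__stdcall *NTQSI)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

// One entry of the table returned by SystemHandleInformation.
// NOTE(review): the documented layout stores the first ULONG as
// USHORT UniqueProcessId + USHORT CreatorBackTraceIndex; comparing the whole
// ULONG against a PID works only while the back-trace index is 0 (the
// normal case) — mask with 0xFFFF if matches go missing. HandleValue is a
// USHORT, so handles above 0xFFFF are not representable in this class.
typedef struct _SYSTEM_HANDLE_ENTRY {
    ULONG OwnerPid;
    BYTE ObjectType;        // type index; version-specific (28 and 30 both appear on this page)
    BYTE HandleFlags;
    USHORT HandleValue;     // handle value in the OWNING process's table
    PVOID ObjectPointer;
    ACCESS_MASK AccessMask;
} SYSTEM_HANDLE_ENTRY, *PSYSTEM_HANDLE_ENTRY;

// Whole result buffer. Using a real struct instead of "(PBYTE)pMem + 4"
// lets the compiler place Handles[] correctly: on x64 the PVOID member
// aligns the array at offset 8, not 4, so the byte-offset form misreads
// every entry there. ([1] rather than a flexible array member, for C++.)
typedef struct _SYSTEM_HANDLE_INFO {
    ULONG HandleCount;
    SYSTEM_HANDLE_ENTRY Handles[1];
} SYSTEM_HANDLE_INFO, *PSYSTEM_HANDLE_INFO;

/*
 * Query SystemHandleInformation into a malloc'd buffer.
 *
 * pNtQSI:  resolved NtQuerySystemInformation.
 * pSize:   receives the allocated size of the returned buffer (bytes).
 * pStatus: receives the last NTSTATUS from the query.
 * Returns the buffer — caller frees it — or NULL if the query failed or
 * memory ran out.
 */
static PSYSTEM_HANDLE_INFO query_handle_table(NTQSI pNtQSI, ULONG *pSize, LONG *pStatus)
{
    ULONG allocSize = START_ALLOC;
    ULONG retLen = 0;
    LONG status = STATUS_INFO_LENGTH_MISMATCH;
    PVOID pMem = malloc(allocSize);
    if (!pMem) {
        *pStatus = status;
        return NULL;
    }
    // The handle table can grow between two calls, so keep doubling instead
    // of trusting a single ReturnLength value.
    while ((status = pNtQSI(SystemHandleInformation, pMem, allocSize, &retLen)) == STATUS_INFO_LENGTH_MISMATCH) {
        if (allocSize > ULONG_MAX / 2) {
            break;  // cannot grow further; status stays "mismatch"
        }
        ULONG newSize = allocSize * 2;
        PVOID tmp = realloc(pMem, newSize);  // keep pMem valid if realloc fails
        if (!tmp) {
            break;
        }
        pMem = tmp;
        allocSize = newSize;
    }
    *pStatus = status;
    if (status != STATUS_SUCCESS) {
        // Any other error (or the growth failures above) leaves the buffer
        // contents undefined; never interpret it.
        free(pMem);
        return NULL;
    }
    *pSize = allocSize;
    return (PSYSTEM_HANDLE_INFO)pMem;
}

/*
 * Duplicate one table entry's handle into this process and print its final
 * path. Handle values in the table index the OWNING process's handle table;
 * using the raw value locally resolves to an unrelated local handle (which
 * is why every entry used to print the program's own directory), and
 * CloseHandle() on it would close one of our own handles.
 * Failures are reported on stderr per entry; the caller keeps iterating.
 */
static void print_handle_path(const SYSTEM_HANDLE_ENTRY *e)
{
    HANDLE hSource = OpenProcess(PROCESS_DUP_HANDLE, FALSE, e->OwnerPid);
    if (!hSource) {
        // Usually an access problem (another user's or a protected process).
        _ftprintf(stderr, TEXT("pid: %lu\tfilehandle: %hu\tOpenProcess failed: %lu\n"),
                  e->OwnerPid, e->HandleValue, GetLastError());
        return;
    }
    HANDLE hLocal = NULL;
    BOOL duplicated = DuplicateHandle(hSource, (HANDLE)(ULONG_PTR)e->HandleValue,
                                      GetCurrentProcess(), &hLocal,
                                      0, FALSE, DUPLICATE_SAME_ACCESS);
    CloseHandle(hSource);
    if (!duplicated) {
        _ftprintf(stderr, TEXT("pid: %lu\tfilehandle: %hu\tDuplicateHandle failed: %lu\n"),
                  e->OwnerPid, e->HandleValue, GetLastError());
        return;
    }
    TCHAR path[MAX_PATH];
    // NOTE(review): querying the path of some handle types (e.g. pipes with
    // outstanding I/O) is reported to block; production tools do this on a
    // worker thread with a timeout.
    DWORD len = GetFinalPathNameByHandle(hLocal, path, MAX_PATH, 0);
    if (len == 0 || len >= MAX_PATH) {
        // 0 = failure; >= MAX_PATH = truncated, path[] is not valid.
        _ftprintf(stderr, TEXT("pid: %lu\tfilehandle: %hu\tGetFinalPathNameByHandle failed: %lu\n"),
                  e->OwnerPid, e->HandleValue, GetLastError());
    } else {
        // Print the handle value as seen in the owning process, not our copy.
        _tprintf(TEXT("pid: %lu\tfilehandle: %hu\tthe final path is: %s\n"),
                 e->OwnerPid, e->HandleValue, path);
    }
    CloseHandle(hLocal);
}

/*
 * Usage: testprogram.exe [pid] [objecttype]
 * Defaults match the original listing (PID 5628, object type 30). Prints one
 * line per matching handle on stdout; diagnostics go to stderr.
 * Exit codes: 0 ok, 1 bad argument / ntdll not loadable, 2 entry point not
 * found, 3 handle table query failed.
 */
int main(int argc, char **argv)
{
    ULONG targetPid = 5628;
    ULONG objectType = 30;
    char *end = NULL;
    if (argc > 1) {
        targetPid = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0') {
            fprintf(stderr, "usage: %s [pid] [objecttype]\n", argv[0]);
            return 1;
        }
    }
    if (argc > 2) {
        objectType = strtoul(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0') {
            fprintf(stderr, "usage: %s [pid] [objecttype]\n", argv[0]);
            return 1;
        }
    }

    HMODULE hNtdll = LoadLibraryA("ntdll.dll");
    if (!hNtdll) {
        return 1;
    }
    NTQSI pNtQSI = (NTQSI)GetProcAddress(hNtdll, "NtQuerySystemInformation");
    if (!pNtQSI) {
        FreeLibrary(hNtdll);
        return 2;
    }

    ULONG tableSize = 0;
    LONG status = STATUS_SUCCESS;
    PSYSTEM_HANDLE_INFO table = query_handle_table(pNtQSI, &tableSize, &status);
    if (!table) {
        fprintf(stderr, "NtQuerySystemInformation failed, status 0x%08lX\n", (unsigned long)status);
        FreeLibrary(hNtdll);
        return 3;
    }

    // Never index past the buffer we own, whatever HandleCount claims
    // (guards against a layout mismatch on an unexpected platform).
    ULONG maxEntries = (tableSize - (ULONG)offsetof(SYSTEM_HANDLE_INFO, Handles)) / (ULONG)sizeof(SYSTEM_HANDLE_ENTRY);
    ULONG hCount = table->HandleCount;
    if (hCount > maxEntries) {
        hCount = maxEntries;
    }
    for (ULONG i = 0; i < hCount; ++i) {
        const SYSTEM_HANDLE_ENTRY *e = &table->Handles[i];
        if (e->ObjectType == objectType && e->OwnerPid == targetPid) {
            print_handle_path(e);
        }
    }

    free(table);
    FreeLibrary(hNtdll);
    return 0;
}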