I've seen methods for getting a list of open handles for a file/folder as they are created, but what about when they already exist, and from only ring3? Searching turns up nothing, and I'm hoping there is some structure or descriptor that can be used..

example application: pass a path to a non-executable or folder and get a list of processes accessing it

Just use Process Monitor or something from SysInternal, If you wanna code such thing, you'll need to work with ring0 (kernel-mode) and write a device driver which is dangerous.

Edit: You'll have to go through some BSOD's, debug it inside a VirtualMachine.

Edited November 10, 201014 yr by rotem156

NtQuerySystemInformation(SystemHandleInformation) -> NtDuplicateHandle -> NtQueryObject(ObjectNameInformation

) -> compare file name ???

Pure user-mode ...

NtQuerySystemInformation(SystemHandleInformation) -> NtDuplicateHandle -> NtQueryObject(ObjectNameInformation

) -> compare file name ???

Pure user-mode ...

He said he wanted results AS SOON as it happens, which makes me think is there such function that installs your driver to a callback chain ?

NtQuerySystemInformation(SystemHandleInformation) -> NtDuplicateHandle -> NtQueryObject(ObjectNameInformation

) -> compare file name ???

Pure user-mode ...

I knew there had to be something like that, thanks! It might go in a end-user app and I didn't want to deal with UAC and loading a driver. I also found out how sandboxie works in the process using detours, and a driver for security.

BTW I want it while process already has the handle which that does. Hooking and injection>detour were the only other ways I seen from ring 3.

Edited November 10, 201014 yr by chickenbutt