chickenbutt Posted November 10, 2010
I've seen methods for getting a list of open handles for a file/folder as they are created, but what about when they already exist, and from only ring3? Searching turns up nothing, and I'm hoping there is some structure or descriptor that can be used. Example application: pass a path to a non-executable or folder and get a list of processes accessing it.
0xFF Posted November 10, 2010 (edited)
Just use Process Monitor or something from Sysinternals. If you wanna code such a thing, you'll need to work with ring0 (kernel-mode) and write a device driver, which is dangerous.
Edit: You'll have to go through some BSODs; debug it inside a virtual machine.
Edited November 10, 2010 by rotem156
GamingMasteR Posted November 10, 2010
NtQuerySystemInformation(SystemHandleInformation) -> NtDuplicateHandle -> NtQueryObject(ObjectNameInformation) -> compare file name ??? Pure user-mode ...
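The chain GamingMasteR lists, written out as a small C tool. This is an added example, not code from the thread or from any poster: it walks the system handle table, duplicates each candidate handle into the current process, asks for its native object name and compares that against the target path. The SYSTEM_HANDLE_* layouts and the class numbers 16 (SystemHandleInformation) and 1 (ObjectNameInformation) are the undocumented values that Process Explorer-style tools rely on, so treat them as an assumption that may change between Windows releases. Two points the one-line answer hides: NtQueryObject returns a `\Device\HarddiskVolumeN\...` name, so the DOS path has to be translated with QueryDosDevice before comparing, and NtQueryObject can block on synchronous pipe handles, so the code only queries handles GetFileType reports as FILE_TYPE_DISK. The Windows-specific part is compiled only under `_WIN32`; the name-matching helper is portable so it can be checked anywhere.

```c
/* Added example (not from the thread): which processes hold a handle to a file,
 * purely from user mode. Layouts/constants are undocumented (assumption). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
#include <wctype.h>

/* Case-insensitive compare of a native object name against "<device><rest>",
 * e.g. nt_name = \Device\HarddiskVolume2\Users\a\b.txt,
 *      device  = \Device\HarddiskVolume2 (from QueryDosDevice("C:")),
 *      rest    = \Users\a\b.txt (the DOS path with the drive letter removed).
 * Returns 1 on an exact match, 0 otherwise (a longer name such as b.txt.bak is rejected). */
int nt_name_matches(const wchar_t *nt_name, const wchar_t *device, const wchar_t *rest)
{
    size_t i;
    for (i = 0; device[i]; i++)               /* a NUL in nt_name mismatches and stops the scan */
        if (towlower(nt_name[i]) != towlower(device[i])) return 0;
    nt_name += i;
    for (i = 0; rest[i]; i++)
        if (towlower(nt_name[i]) != towlower(rest[i])) return 0;
    return nt_name[i] == L'\0';
}

#ifdef _WIN32
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winternl.h>

#define SYSTEM_HANDLE_INFORMATION_CLASS 16          /* SystemHandleInformation (assumption) */
#define OBJECT_NAME_INFORMATION_CLASS   1           /* ObjectNameInformation (assumption) */
#define NT_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

typedef struct { USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex;
                 UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } SYSTEM_HANDLE_ENTRY;
typedef struct { ULONG NumberOfHandles; SYSTEM_HANDLE_ENTRY Handles[1]; } SYSTEM_HANDLE_INFO;
typedef NTSTATUS (NTAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *NtQueryObject_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Print every "pid/handle" holding dos_path (e.g. L"C:\\tmp\\locked.txt"); returns the count or -1. */
int list_handle_owners(const wchar_t *dos_path)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQuerySystemInformation_t pNtQSI = (NtQuerySystemInformation_t)GetProcAddress(ntdll, "NtQuerySystemInformation");
    NtQueryObject_t pNtQO = (NtQueryObject_t)GetProcAddress(ntdll, "NtQueryObject");
    wchar_t drive[3] = { dos_path[0], L':', 0 }, device[MAX_PATH];
    ULONG size = 1 << 20, needed = 0, i;
    SYSTEM_HANDLE_INFO *info = NULL;
    NTSTATUS st;
    int found = 0;

    /* DOS drive letter -> native device name, so names from NtQueryObject can be compared */
    if (!pNtQSI || !pNtQO || !QueryDosDeviceW(drive, device, MAX_PATH)) return -1;

    /* The handle table keeps growing under us: retry with a bigger buffer until it fits. */
    do {
        free(info);
        if (!(info = (SYSTEM_HANDLE_INFO *)malloc(size))) return -1;
        st = pNtQSI(SYSTEM_HANDLE_INFORMATION_CLASS, info, size, &needed);
        size *= 2;
    } while (st == NT_INFO_LENGTH_MISMATCH);
    if (st < 0) { free(info); return -1; }

    for (i = 0; i < info->NumberOfHandles; i++) {
        SYSTEM_HANDLE_ENTRY *e = &info->Handles[i];
        HANDLE proc, dup = NULL;
        unsigned char buf[1024];
        UNICODE_STRING *name = (UNICODE_STRING *)buf;

        proc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, e->UniqueProcessId);
        if (!proc) continue;                     /* protected process or no rights: skip it */
        if (DuplicateHandle(proc, (HANDLE)(ULONG_PTR)e->HandleValue, GetCurrentProcess(), &dup,
                            0, FALSE, DUPLICATE_SAME_ACCESS)
            && GetFileType(dup) == FILE_TYPE_DISK  /* avoid NtQueryObject blocking on pipes */
            && pNtQO(dup, OBJECT_NAME_INFORMATION_CLASS, buf, sizeof buf, NULL) >= 0
            && name->Buffer
            && nt_name_matches(name->Buffer, device, dos_path + 2)) {
            wprintf(L"pid %u holds handle 0x%x\n", (unsigned)e->UniqueProcessId, (unsigned)e->HandleValue);
            found++;
        }
        if (dup) CloseHandle(dup);
        CloseHandle(proc);
    }
    free(info);
    return found;
}

int main(void)
{
    /* Constructed sample target; replace with the file you are investigating. */
    return list_handle_owners(L"C:\\tmp\\locked.txt") < 0 ? 1 : 0;
}
#endif
```

Build it as a console program on Windows; no driver or elevation is required, but handles inside processes you cannot open with PROCESS_DUP_HANDLE are silently skipped, so run it with the same or higher integrity than the processes you care about. Because the snapshot is taken once, a handle opened after NtQuerySystemInformation returns will not appear; the thread's other suggestion (a filter driver or Process Monitor) is what covers the "as it happens" case.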
0xFF Posted November 10, 2010
> NtQuerySystemInformation(SystemHandleInformation) -> NtDuplicateHandle -> NtQueryObject(ObjectNameInformation) -> compare file name ??? Pure user-mode ...
He said he wanted results AS SOON as it happens, which makes me think: is there such a function that installs your driver into a callback chain?
chickenbutt (Author) Posted November 10, 2010 (edited)
> NtQuerySystemInformation(SystemHandleInformation) -> NtDuplicateHandle -> NtQueryObject(ObjectNameInformation) -> compare file name ??? Pure user-mode ...
I knew there had to be something like that, thanks! It might go in an end-user app and I didn't want to deal with UAC and loading a driver. I also found out how Sandboxie works in the process, using Detours, and a driver for security.
BTW I want it while the process already has the handle, which that does. Hooking and injection > detour were the only other ways I'd seen from ring 3.
Edited November 10, 2010 by chickenbutt