Results 1 to 11 of 11

Thread: File Handle

  1. #1
    ReVeR
    Guest

    File Handle

    HEy.
    i need to get a file handle from a process.
    Basicly, i got a dll injected into the process, and now somehow i need to find the handle to the file in that process.
    i know the name/location of the file.
    How can i get the handle.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    the EPROCESS structure of a process contains a table that saves all handles opened by a process

    you can retrieve this table in ring0 with PsGetCurrentProcess()->ObjectTable

  3. #3
    ReVeR
    Guest
    what is ringo?
    can somone give me some info on it?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    ringo is ring 0 or kernelmode

    that means that you have to write a little driver that sends this info to your application (which runs in ring 3)

  5. #5
    if you let us know what you want to do, we can most likely suggest a better approach then searching for an existing file handle stored "somewhere out there".

  6. #6
    ReVeR
    Guest
    i doubt there is one.
    but here it is :
    i got an app that creates a file, opens it , and when the app closes itself it deletes the file...
    i need to get that file, i can't copy it becuase it is open, so any ideas on how to get to the file>
    thx
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Put a breakpoint in the program before the file is closed, then kill the process when it hits. The file is now yours.

    You could also modify the flags for the code that opens the file, so that it is not opened in exclusive mode (and not in auto-delete-after-close mode, if that's the case).

  8. #8
    ReVeR
    Guest
    that is a possibility, but i wanted a prog that does that for me without actualy screwing with either file, or spending time debugging the progam....and i also wanted to learn some stuff about ring 0, since i never worked with it in the process.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    and what do you want to do with that handle?

    i dont know if it is possible that you use a handle from another process in your process

    or does DuplicateHandle this work?

  10. #10
    ReVeR
    Guest
    no, not like that...
    i have a dll injected into the other processs, now i want my dll to get the handle from inside the process and use it.....
    to find the handle i need to work with ring -0 (i think i do....)......
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    <pedant>
    Ring 0 is not necessarily kernel mode. One does not imply the other - rings are a processor-level security mechanism to segment code via descriptors, whereas kernel & user mode are operating system terms that define where code managed by the o/s is running. On a 680x0 (motorola) processor, supervisor (kernel) mode and user mode do exist as the only 2 "rings", because it's a different cpu design. Ring 0 happens to be kernel mode on Windows because Microsoft stuck to a 2 ring model (even though x86 has 4 rings, only ring 0 and ring 3 are used) due to cross-platform compatibility. So, to pick nits, although the Windows kernel runs in ring 0 it's incorrect to call ring 0 "kernel mode".
    </pedant>
    Still here...

Similar Threads

  1. Server Handle Table Funtions.
    By BanMe in forum Blogs Forum
    Replies: 1
    Last Post: July 1st, 2009, 17:07
  2. Source File
    By raleeper in forum The Newbie Forum
    Replies: 2
    Last Post: September 3rd, 2007, 11:36
  3. File hiding
    By ReVeR in forum The Newbie Forum
    Replies: 7
    Last Post: October 6th, 2004, 09:42
  4. Finding windows Handle
    By Hero in forum The Newbie Forum
    Replies: 6
    Last Post: July 26th, 2004, 22:55
  5. File time
    By crUsAdEr in forum The Newbie Forum
    Replies: 19
    Last Post: May 22nd, 2004, 08:14

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •