Ale*_*dru 4 windows system internal handle visual-c++
I have seen NtQueryObject hang for duplicated handles with these granted access values (handle.GrantedAccess is an ACCESS_MASK type):
```
1179785 (integer) --> 0b100100000000010001001 (binary)
1180063 (integer) --> 0b100100000000110011111 (binary)
1180041 (integer) --> 0b100100000000110001001 (binary)
2032127 (integer) --> 0b111110000000111111111 (binary)
                             ||||||| |   |
                             ||||||| |   |
                             ||||||| |   |
                             ^^^^^^^ ^   ^
Possible culprit bits seem to be the 3rd and 7th bit, but could also be the 9th to 15th bit.
```
The handle.ObjectTypeNumber is always 30. What is this object type number, and how can I get a list of the specific rights of this type? My experiments have kind of shown that it must be bits 0-15 causing the hang on this object type number of 30 (integer). handle is a SYSTEM_HANDLE type defined as:
```cpp
typedef struct _SYSTEM_HANDLE
{
    ULONG       ProcessId;          // PID of the process that owns the handle
    BYTE        ObjectTypeNumber;   // kernel object type index (not stable across Windows versions)
    BYTE        Flags;              // handle attributes (inherit, protect-from-close, ...)
    USHORT      Handle;             // the handle value inside that process
    PVOID       Object;             // kernel address of the object
    ACCESS_MASK GrantedAccess;      // access rights granted when the handle was opened
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
```
I am writing a forensic tool to enumerate all open file handles using the method described here.
I'm late to this, but if you are only interested in disk-based files you can do this:
```cpp
if (GetFileType(handle) == FILE_TYPE_DISK) {
    ...
}
```
The hang usually occurs on non-disk files (for example pipes). With this technique you do not need to worry about handle.GrantedAccess at all.
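As an added example (not code from the question or the answer above): a small decoder that names the File-object rights in the four GrantedAccess values the question lists, which is the "list of specific rights" the question asks for. It assumes object type 30 really is the File type on the questioner's Windows build; the low 16 bits of an ACCESS_MASK are type-specific, so for any other type the names would be wrong. The bit values are the documented winnt.h constants, restated so the decoder also builds on a non-Windows host.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned long ACCESS_MASK;   /* same width as the Win32 typedef */

/* Documented winnt.h bit values, restated so this also builds off Windows.
 * The low 16 bits are type-specific: valid only if the handle is a File. */
static const struct { ACCESS_MASK bit; const char *name; } file_rights[] = {
    { 0x000001, "FILE_READ_DATA" },     { 0x000002, "FILE_WRITE_DATA" },
    { 0x000004, "FILE_APPEND_DATA" },   { 0x000008, "FILE_READ_EA" },
    { 0x000010, "FILE_WRITE_EA" },      { 0x000020, "FILE_EXECUTE" },
    { 0x000040, "FILE_DELETE_CHILD" },  { 0x000080, "FILE_READ_ATTRIBUTES" },
    { 0x000100, "FILE_WRITE_ATTRIBUTES" },
    { 0x010000, "DELETE" },             { 0x020000, "READ_CONTROL" },
    { 0x040000, "WRITE_DAC" },          { 0x080000, "WRITE_OWNER" },
    { 0x100000, "SYNCHRONIZE" },
};
#define N_RIGHTS (sizeof file_rights / sizeof file_rights[0])
static char scratch[256];   /* shared output buffer for quick checks */

/* Writes "A|B|C" into buf; returns how many named rights were found. */
int decode_file_access(ACCESS_MASK mask, char *buf, size_t buflen)
{
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < N_RIGHTS; i++) {
        if (!(mask & file_rights[i].bit)) continue;
        if (n++) strncat(buf, "|", buflen - strlen(buf) - 1);
        strncat(buf, file_rights[i].name, buflen - strlen(buf) - 1);
    }
    return n;
}

/* Set bits with no File-right name. Non-zero means generic/MAXIMUM_ALLOWED
 * bits are present or the handle is not actually a File object. */
int unmapped_file_bits(ACCESS_MASK mask)
{
    int n = 0;
    for (size_t i = 0; i < N_RIGHTS; i++) mask &= ~file_rights[i].bit;
    for (; mask; mask >>= 1) n += (int)(mask & 1);
    return n;
}

int main(void)
{
    const ACCESS_MASK samples[] = { 1179785, 1180063, 1180041, 2032127 }; /* from the question */
    for (size_t i = 0; i < 4; i++) {
        decode_file_access(samples[i], scratch, sizeof scratch);
        printf("0x%08lX = %s (%d unmapped)\n", samples[i], scratch, unmapped_file_bits(samples[i]));
    }
    return 0;
}
```

The four values decode to FILE_GENERIC_READ, FILE_GENERIC_READ|FILE_GENERIC_WRITE, FILE_GENERIC_READ plus FILE_WRITE_ATTRIBUTES, and FILE_ALL_ACCESS respectively, i.e. ordinary file-open masks. Nothing in the mask distinguishes a pipe from a disk file, which is why the GetFileType() check in the answer is the useful filter.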
Views: 1494