Saturday, September 22, 2007

Old Old New Thing

Today I was trying to catch up with all the new entries on Raymond's blog and I found some interesting posts that are worth taking a look.


What do I do with per-user data when I uninstall?

Microsoft says... oh wait... I mean.. Raymond Chen says that we should not touch it! Quick and Easy! I like that :)

Why isn't QuickEdit on by default in console windows?

Because it breaks console mode applications using the mouse.

Does creating a thread from DllMain deadlock or doesn't it?

It does not. Except if you create the lock yourself by waiting for the thread to do something, because it's not going to run until you exit DllMain.

Posted by nsylvain at 9:32 AM 0 comments

Sunday, September 2, 2007

Handle Format

A couple of posts ago I talked about how to get the list of all open handles. When I started playing with that it did not work at the first try, so I had to use the brute force method to get all the handles in the current process. The code was doing a loop like this:


for (LONG_PTR h = 0; h < 0xFFFF; ++h) {
  HANDLE handle = (HANDLE)(h);
  DoSomething(handle);
}


The result was unexpected to me. All handles in the process were duplicated 4 times. It looks like the lowest 2 bits in the handle value are ignored.

If the handle to a file is 0x7C then you can use 0x7C, 0x7D, 0x7E or 0x7F to access the file.

Is this documented somewhere?

Updated on 9/3/2007:
I was talking with Ivanlef0u about this and my assumption that the last 2 bits are ignored is right. He showed me the disassembly of the function to lookup the object in the handle table and it looks like this:


ExpLookupHandleTableEntry
mov edi, edi
push ebp
mov ebp, esp
and [ebp+Handle], 0FFFFFFFCh ; Unset the last 2 bits
mov eax, [ebp+Handle]
mov ecx, [ebp+HandleTable]
mov edx, [ebp+Handle]
shr eax, 2 ; Shift right the last 2 bits
cmp edx, [ecx+38h] ; HandleTable->NextHandleNeedingPool
jnb loc_49DDF8


Thanks Ivanlef0u.

Posted by nsylvain at 7:37 PM 1 comments

Using Visual Studio to debug your token.

For as long as I remember I have been using TokenMaster to be able to see and dump the information contained in my access tokens.
Recently greggm blogged about another way to get this information. This is now integrated in the visual studio debugger. Just type "$user" in the watch window and you will get a complete view of the current token.

Updated on 9/4/2007
Thanks to Marc-Antoine Ruel for the information, Windbg also does that! Just type this command to get the same information:

      !token -n

Posted by nsylvain at 3:21 PM 0 comments

How to list all the open handles?


Recently I had to get the list of all the handles open in a process. I searched on the web to find a good way to do it, and realized that most of the articles I found are wrong.

I guess this is because the documentation in "Windows NT/2000 Native API Reference" by Gary Nebbett is a little bit misleading.

Under the SystemHandleInformation class, the structure defined is:

typedef struct _SYSTEM_HANDLE_INFORMATION {
  USHORT ProcessId;
  USHORT CreatorBackTraceIndex;
  UCHAR ObjectTypeNumber;
  UCHAR Flags;
  USHORT Handle;
  PVOID Object;
  ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;


One could think that the buffer returned is actually a list of structures like this one. But this is not the case, it's actually returning a structure like this one:


typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
  ULONG NumberOfHandles;
  SYSTEM_HANDLE_INFORMATION Information[1];
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;


Even though the description in the book is misleading, Gary Nebbett is not wrong. There is a remark saying: "The data returning to the SystemInformation buffer is a ULONG count of he number of handles followed immediately by an array of SYSTEM_HANDLE_INFORMATION".


There is another factor making this task a little bit more complex to achieve: The function is really picky about the buffer size.


Usually you can call the function with a NULL buffer and 0 for the size and then get back the size you need to allocate your buffer. This does not work here. The return value is 0xC0000004 : The specified information record length does not match the length required for the specified information class.


If you try with a SYSTEM_HANDLE_INFORMATION buffer, it won't work either. You need to pass to the function a buffer large enough to hold the number of handles and the first handle if you want to get the size needed back. This is a little bit weird.


Finally, the code:



  // Get the number of handles on the system
  DWORD buffer_size = 0;
  SYSTEM_HANDLE_INFORMATION_EX temp_info;


  NTSTATUS status = NtQuerySystemInformation(
      SystemHandleInformation, &temp_info, 
      sizeof(temp_info), &buffer_size);


  SYSTEM_HANDLE_INFORMATION_EX *system_handles =
    (SYSTEM_HANDLE_INFORMATION_EX*)(new BYTE[buffer_size]);


  status = NtQuerySystemInformation(SystemHandleInformation,
                                    system_handles,
                                    buffer_size, &buffer_size);


  printf("nb of handles = %d", system_handles->NumberOfHandles);

Posted by nsylvain at 11:26 AM 1 comments

Subscribe to: Posts (Atom)