
I enumerate all handles of a process. I have a process handle and now I want to know the PID of the process the handle is for. Here is the struct I am using:

public struct SYSTEM_HANDLE_INFORMATION
{
    public int ProcessID;
    public byte ObjectTypeNumber;
    public byte Flags; // 0x01 = PROTECT_FROM_CLOSE, 0x02 = INHERIT
    public ushort Handle;
    public int Object_Pointer;
    public UInt32 GrantedAccess;
}

Sadly, the ProcessID of all my handles is the same as the PID of the program I am running (host). It should be the Object_Pointer, but I am not sure how to use it. Now the Object_Pointer together with GrantedAccess matches the object address of the process the handle is for - picture

It is weird though, since the GrantedAccess should be the level of access for the process and not part of the address.

1 Answer

If we have a process handle with the PROCESS_QUERY_LIMITED_INFORMATION or PROCESS_QUERY_INFORMATION access right, we can get its PID with the GetProcessId function.

And your definition of SYSTEM_HANDLE_INFORMATION is wrong. Obviously Object_Pointer cannot be int (4 bytes) when it must be void* (8 bytes on a 64-bit system). The correct definition of this structure is

struct SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes;
    USHORT HandleValue;
    PVOID Object;
    ULONG GrantedAccess;
};

However, it is much better to use SystemExtendedHandleInformation instead of SystemHandleInformation and to work with SYSTEM_HANDLE_INFORMATION_EX.

– RbMm
  • The PID I get with GetProcessId is 0, Process Hacker confirms the handle is correct (0x184 in my case). If I GetProcessId with this handle I get 0. My code - https://puu.sh/ygb9J/815e650da4.png – Sergiy WontTell Nov 06 '17 at 17:45
  • If I rename the SYSTEM_HANDLE_INFORMATION to your code I get "An unhandled exception of type 'System.AccessViolationException' occurred in Unknown Module. Attempted to read or write protected memory. This is often an indication that other memory is corrupt." – Sergiy WontTell Nov 06 '17 at 17:52
  • @SergiyWontTell - if it returns 0, you need to look at the last error. And the API clearly states that the handle must have `PROCESS_QUERY_[LIMITED_]INFORMATION` access. Second, I did not paste any code to you. If you got an exception, this only says that there was an error in my code. In any case this does not change the fact that my answer is correct – RbMm Nov 06 '17 at 18:23
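The following C# program is an added example, not code from the question or from RbMm's answer. It puts the answer's three points together: pointer-sized fields are declared as IntPtr/UIntPtr (the questioner's 4-byte Object_Pointer plus 4-byte GrantedAccess together span the 8-byte PVOID Object, which is why the two appeared to concatenate into the object address), the enumeration uses SystemExtendedHandleInformation and SYSTEM_HANDLE_INFORMATION_EX, and GetProcessId is only called on handles owned by the current process, with the last error inspected when it returns 0. The class and method names (HandleOwners, QueryAllHandles) are mine; the SystemExtendedHandleInformation class value 64 and the SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX layout follow the public ntdll definitions and are stated here as assumptions rather than taken from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class HandleOwners
{
    // Extended entry layout (assumed from the public ntdll definition). Every
    // pointer-sized field is IntPtr/UIntPtr so the struct is correct on both
    // 32-bit and 64-bit; an int here is exactly the bug the answer points out.
    [StructLayout(LayoutKind.Sequential)]
    struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
    {
        public IntPtr Object;
        public UIntPtr UniqueProcessId;
        public UIntPtr HandleValue;
        public uint GrantedAccess;
        public ushort CreatorBackTraceIndex;
        public ushort ObjectTypeIndex;
        public uint HandleAttributes;
        public uint Reserved;
    }

    const int SystemExtendedHandleInformation = 64;                 // assumed class value
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);
    const int ERROR_ACCESS_DENIED = 5;
    const int ERROR_INVALID_HANDLE = 6;

    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemInformation(int SystemInformationClass, IntPtr SystemInformation,
                                               int SystemInformationLength, out int ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint GetProcessId(IntPtr hProcess);

    // Reads SYSTEM_HANDLE_INFORMATION_EX (ULONG_PTR NumberOfHandles, ULONG_PTR Reserved,
    // then the entry array) and returns every handle entry in the system.
    static List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> QueryAllHandles()
    {
        int size = 1 << 20;
        IntPtr buffer = Marshal.AllocHGlobal(size);
        try
        {
            int returned, status;
            while ((status = NtQuerySystemInformation(SystemExtendedHandleInformation, buffer, size, out returned))
                   == STATUS_INFO_LENGTH_MISMATCH)
            {
                // Buffer too small: the handle count moves between calls, so grow with slack and retry.
                size = Math.Max(returned, size) * 2;
                Marshal.FreeHGlobal(buffer);
                buffer = Marshal.AllocHGlobal(size);
            }
            if (status != 0)
                throw new InvalidOperationException($"NtQuerySystemInformation failed: 0x{status:X8}");

            long count = (long)Marshal.ReadIntPtr(buffer);
            int entrySize = Marshal.SizeOf<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>();
            IntPtr first = buffer + 2 * IntPtr.Size;
            var entries = new List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>((int)count);
            for (long i = 0; i < count; i++)
                entries.Add(Marshal.PtrToStructure<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>(first + (int)(i * entrySize)));
            return entries;
        }
        finally { Marshal.FreeHGlobal(buffer); }
    }

    static void Main()
    {
        uint myPid = (uint)Process.GetCurrentProcess().Id;
        foreach (var e in QueryAllHandles())
        {
            // A HandleValue is only meaningful inside the handle table of the process that
            // owns it, so GetProcessId is only valid for entries whose UniqueProcessId is ours.
            if ((ulong)e.UniqueProcessId != myPid) continue;

            IntPtr h = (IntPtr)(long)(ulong)e.HandleValue;
            uint targetPid = GetProcessId(h);
            if (targetPid != 0)
            {
                Console.WriteLine($"handle 0x{(ulong)e.HandleValue:X} -> process {targetPid} " +
                                  $"(GrantedAccess 0x{e.GrantedAccess:X8}, Object 0x{e.Object.ToInt64():X})");
                continue;
            }

            // 0 on its own says nothing: the last error separates "not a process handle" from
            // "process handle without PROCESS_QUERY_[LIMITED_]INFORMATION", as the comments discuss.
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_ACCESS_DENIED)
                Console.WriteLine($"handle 0x{(ulong)e.HandleValue:X} is a process handle lacking query access " +
                                  $"(GrantedAccess 0x{e.GrantedAccess:X8})");
            else if (err != ERROR_INVALID_HANDLE)
                Console.WriteLine($"handle 0x{(ulong)e.HandleValue:X}: GetProcessId failed with error {err}");
            // ERROR_INVALID_HANDLE means a file, event, key or other non-process object; skipped.
        }
    }
}
```

Run it as a 64-bit process to reproduce the questioner's situation; handles found in other processes' tables would have to be duplicated into ours first, which is outside what the answer covers.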