
I can't find any documentation about this. I'm enumerating process handles in another process.

I check the value of SYSTEM_HANDLE::ObjectTypeNumber and apparently it's different between versions of Windows. I found this piece of code in a project on GitHub:

// For XP & 2K3 : HANDLE_TYPE_PROCESS = 0x5
// For Vista & Longhorn : HANDLE_TYPE_PROCESS = 0x6
// Windows 8: HANDLE_TYPE_PROCESS = 0x7
#define HANDLE_TYPE_PROCESS 7

Strangely, it skips Windows 7. I've been checking various kernel related books (such as Windows Internals) and wasn't able to find the correct value for Windows 7. I don't own a Windows 7 machine to test on either.

Therefore, my code looks like this at the moment:

#include <VersionHelpers.h>  // IsWindows8OrGreater / IsWindowsVistaOrGreater

BYTE HANDLE_TYPE_PROCESS;
if (IsWindows8OrGreater()) HANDLE_TYPE_PROCESS = 7;         // Windows 8+
else if (IsWindowsVistaOrGreater()) HANDLE_TYPE_PROCESS = 6; // Vista (and, untested, 7?)
else HANDLE_TYPE_PROCESS = 5;                                // XP / 2003

What's the object type number for process handles in Windows 7?

Eryk Sun
shavit
  • It's never correct to rely on unverified assumptions. What's the question you really meant to ask? – IInspectable May 23 '20 at 11:48
  • I'm asking what the object type number of a process handle is in Windows 7; it's undocumented – shavit May 23 '20 at 11:50
  • You need not hardcode it - this is always wrong and bad; find it at runtime instead – RbMm May 23 '20 at 12:29
  • @RbMm Alright, but how exactly am I supposed to know if a handle is a process handle if not by comparing `ObjectTypeNumber` to a compile-time constant? – shavit May 23 '20 at 12:37
  • You don't need any compile-time constant. How depends on what you need. If you are interested only in processes: create a handle to your own process and look at what `ObjectTypeIndex` it has; all other processes' handles have the same. If you need it for all object types, call `ZwQueryObject` with `ObjectAllTypeInformation` and look at `TypeIndex`, beginning with Win 8.1. Before that, use the returned record order and one known type index value which you take by way #1 – RbMm May 23 '20 at 12:49
  • Why not just call a function that requires a process handle, like `GetProcessId`. It's even documented and everything. – Raymond Chen May 23 '20 at 13:33
  • @RaymondChen - in most cases this will be very inefficient and not a solution that works for all cases (if, say, we cannot duplicate the handle to our own process). – RbMm May 23 '20 at 14:20
  • @RaymondChen The purpose is to see which process is being opened through other processes – shavit May 23 '20 at 14:25
  • @shavit - you need code like this - https://pastebin.com/QSWjya3D, or for a more extended task (if you need to know all type indexes, use `ObjectAllTypeInformation`) – RbMm May 23 '20 at 14:34
  • I should've specified, I'm working from usermode – shavit May 23 '20 at 14:46
  • @shavit - and so what? How is this related? – RbMm May 23 '20 at 15:16
  • The type index is from the system initialization order, so hard coding it for different Windows versions is dubious. You can query it via `NtQueryObject`: [`ObjectTypesInformation`](https://github.com/processhacker/processhacker/blob/6728482a11a2368196c4674b431acc5668e1683d/phnt/include/ntobapi.h#L91) in Windows 8.1+. Otherwise it's in [`SystemObjectInformation`](https://github.com/processhacker/processhacker/blob/6728482a11a2368196c4674b431acc5668e1683d/phnt/include/ntexapi.h#L1754), but that's expensive. Best to follow @RbMm's suggestion to check the type index of a known process handle. – Eryk Sun May 23 '20 at 16:19
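The runtime-calibration approach that RbMm and Eryk Sun describe in the comments, written out as an added example (this is not code from the question, the comments, or the linked pastebin). The idea is to open a handle to the current process, find that handle's entry in the system handle table, read its `ObjectTypeIndex`, and then treat every other entry with the same index as a process handle, so no version-specific constant is ever compiled in. The table walk is plain C over a simplified entry struct and runs offline against a constructed snapshot; the real query through `NtQuerySystemInformation` with `SystemExtendedHandleInformation` is compiled only under `_WIN32`. The struct layouts, the information class value 64, and the `STATUS_INFO_LENGTH_MISMATCH` value are assumptions taken from commonly published Native API headers rather than from the page.

```c
/* Added example (not from the question or its comments). Implements the
 * approach RbMm and Eryk Sun describe: open a handle to our own process, read
 * its ObjectTypeIndex from the system handle table, and classify other
 * processes' handles by that value instead of a hardcoded 5/6/7. The table walk
 * is portable C over a simplified entry so it runs offline on a constructed
 * snapshot; the real NtQuerySystemInformation query is under _WIN32. Struct
 * layouts and the class value 64 are assumptions from common Native API headers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Portable mirror of the SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX fields used here. */
typedef struct { uintptr_t pid, handle; uint16_t type_index; } handle_entry;

/* Step 1: type index of a handle we know refers to a process; -1 if absent. */
int find_type_index(const handle_entry *e, size_t n, uintptr_t pid, uintptr_t handle)
{
    for (size_t i = 0; i < n; i++)
        if (e[i].pid == pid && e[i].handle == handle) return e[i].type_index;
    return -1;
}

/* Step 2: owning PIDs of every handle with that type index, excluding our own
 * process. Returns the total count even when out_pids fills up. */
size_t collect_process_handles(const handle_entry *e, size_t n, int type_index,
                               uintptr_t self_pid, uintptr_t *out_pids, size_t max_out)
{
    size_t found = 0;
    if (type_index < 0) return 0;
    for (size_t i = 0; i < n; i++) {
        if (e[i].pid == self_pid || e[i].type_index != (uint16_t)type_index) continue;
        if (found < max_out) out_pids[found] = e[i].pid;
        found++;
    }
    return found;
}

/* Constructed sample snapshot. Type index 7 plays "Process" here, but nothing
 * assumes that number: it is derived from our own handle (pid 1000, 0x40). */
static const handle_entry sample[] = {
    {1000, 0x40, 7},  /* handle we opened to ourselves */
    {1000, 0x44, 12}, /* some other object type */
    {2000, 0x08, 7},  /* pid 2000 holds two process handles */
    {2000, 0x0c, 7},
    {3000, 0x10, 12},
};
static const size_t sample_n = sizeof sample / sizeof sample[0];

size_t demo_sample(uintptr_t *out_pids, size_t max_out)
{
    int t = find_type_index(sample, sample_n, 1000, 0x40);
    return collect_process_handles(sample, sample_n, t, 1000, out_pids, max_out);
}

#ifdef _WIN32
#include <windows.h>
#define SYSTEM_EXTENDED_HANDLE_INFORMATION 64            /* assumed class value */
#define STATUS_INFO_LENGTH_MISMATCH_ ((LONG)0xC0000004)
typedef struct { PVOID Object; ULONG_PTR UniqueProcessId, HandleValue; ULONG GrantedAccess;
    USHORT CreatorBackTraceIndex, ObjectTypeIndex; ULONG HandleAttributes, Reserved; } ENTRY_EX;
typedef struct { ULONG_PTR NumberOfHandles, Reserved; ENTRY_EX Handles[1]; } INFO_EX;
typedef LONG (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Snapshot every handle on the system into the portable form. Caller frees. */
static handle_entry *snapshot_handles(size_t *count)
{
    NtQSI_t q = (NtQSI_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    INFO_EX *info = NULL;
    ULONG size = 1u << 20, ret = 0;
    LONG st;
    if (!q) return NULL;
    do {                                   /* grow until the whole table fits */
        free(info);
        if (!(info = malloc(size))) return NULL;
        st = q(SYSTEM_EXTENDED_HANDLE_INFORMATION, info, size, &ret);
        size = ret + 65536;                /* slack: the table changes between calls */
    } while (st == STATUS_INFO_LENGTH_MISMATCH_);
    if (st < 0) { free(info); return NULL; }
    handle_entry *out = malloc(info->NumberOfHandles * sizeof *out);
    for (ULONG_PTR i = 0; out && i < info->NumberOfHandles; i++) {
        out[i].pid = info->Handles[i].UniqueProcessId;
        out[i].handle = info->Handles[i].HandleValue;
        out[i].type_index = info->Handles[i].ObjectTypeIndex;
    }
    *count = out ? (size_t)info->NumberOfHandles : 0;
    free(info);
    return out;
}

int main(void)
{
    uintptr_t self_pid = GetCurrentProcessId(), pids[64];
    HANDLE self = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, (DWORD)self_pid);
    size_t n = 0;
    handle_entry *tab = snapshot_handles(&n);
    if (!self || !tab) return 1;
    int t = find_type_index(tab, n, self_pid, (uintptr_t)self);
    size_t k = collect_process_handles(tab, n, t, self_pid, pids, 64);
    printf("Process type index here: %d; %zu process handles held by other processes\n", t, k);
    CloseHandle(self);
    free(tab);
    return t < 0;
}
#endif
```

Two details matter in practice. The pseudo-handle from `GetCurrentProcess()` never appears in the handle table, so the calibration handle must be a real one, which is why the Windows part calls `OpenProcess` on the current PID. And because the table is a snapshot of a moving target, the query loop re-allocates with slack until the whole table fits instead of trusting a single size estimate. Which process each enumerated handle refers to is a separate step (duplicating it into the current process and querying it) that the comments discuss and this example leaves out.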

0 Answers