Sysinternals Homepage

Closing FileHandles with KMD's

3h1337 (Newbie, joined 24 December 2005)
Posted: 19 March 2009 at 6:50pm
Hi (first of all: I am new to kernel things).
I have a system-wide handle list (NtQuerySystemInformation | SystemHandleInformation). In it there is a file handle (PID 4 (System process), FileHandle = 0xA14) that I wish to close from a kernel-mode driver... but how?

I have a method for Ring 3 (LocalSystem): CreateRemoteThread | CloseHandle (works with all processes except System (PID 4); hence the kernel-mode driver).

(Vista)

Regards
molotov (Moderator Group, joined 04 October 2006)
Posted: 19 March 2009 at 6:58pm
Hi 3h1337,

Quote: CreateRemoteThread | CloseHandle (works with all processes except System (PID 4))

Without having tried it in Vista, with a handle from the System process... Have you tried DuplicateHandle with the DUPLICATE_CLOSE_SOURCE flag?
Daily affirmation:
net helpmsg 4006
3h1337 (Newbie, joined 24 December 2005)
Posted: 19 March 2009 at 7:10pm
Originally posted by molotov:

    Hi 3h1337,

    Quote: CreateRemoteThread | CloseHandle (works with all processes except System (PID 4))

    Without having tried it in Vista, with a handle from the System process... Have you tried DuplicateHandle with the DUPLICATE_CLOSE_SOURCE flag?

OK... then I need the process handle... OpenProcess IMHO doesn't work inside a KMD; I need an example with ZwOpenProcess.
GamingMasteR (Senior Member, joined 10 August 2008)
Posted: 20 March 2009 at 12:33am
Hi,

You may try this:

ExAcquireRundownProtection
KeStackAttachProcess
ZwCloseHandle
KeUnstackDetachProcess
ExReleaseRundownProtection
molotov (Moderator Group, joined 04 October 2006)
Posted: 20 March 2009 at 3:16am
Quote: OK... then I need the process handle... OpenProcess IMHO doesn't work inside a KMD; I need an example with ZwOpenProcess.

If you did it in user mode, would you even need a driver?
Daily affirmation:
net helpmsg 4006
3h1337 (Newbie, joined 24 December 2005)
Posted: 22 March 2009 at 11:54am
I am trying to code this function ->

like an unlocker...

Originally posted by GamingMasteR:

    Hi,

    You may try this:

    ExAcquireRundownProtection
    KeStackAttachProcess
    ZwCloseHandle
    KeUnstackDetachProcess
    ExReleaseRundownProtection

OK, I will try this, thx.

Originally posted by molotov:

    Quote: OK... then I need the process handle... OpenProcess IMHO doesn't work inside a KMD; I need an example with ZwOpenProcess.

    If you did it in user mode, would you even need a driver?

Process ID 4 (System) can't be opened by OpenProcess in user mode -> Access Denied.
molotov (Moderator Group, joined 04 October 2006)
Posted: 22 March 2009 at 4:31pm
Quote: Process ID 4 (System) can't be opened by OpenProcess in user mode -> Access Denied.

Enable SE_DEBUG_NAME.
Daily affirmation:
net helpmsg 4006
wj32 (Senior Member, Australia, joined 16 January 2009)
Posted: 23 March 2009 at 6:19am
Originally posted by molotov:

    Quote: Process ID 4 (System) can't be opened by OpenProcess in user mode -> Access Denied.

    Enable SE_DEBUG_NAME.

This will work for Windows XP, but will not work for Vista since System is protected. I think a better idea would be to use ObCloseHandle in kernel mode.
PH, a free and open source process viewer.
3h1337 (Newbie, joined 24 December 2005)
Posted: 25 March 2009 at 6:44pm
Originally posted by GamingMasteR:

    Hi,

    You may try this:

    ExAcquireRundownProtection
    KeStackAttachProcess
    ZwCloseHandle
    KeUnstackDetachProcess
    ExReleaseRundownProtection

Thx, works perfectly!
volvorine (Senior Member, India, joined 19 September 2008)
Posted: 30 March 2009 at 2:53pm
Why do you want to close it from a kernel-mode driver?

This might crash your application.
sainath IRP_MJ_CREATE