Sysinternals Homepage
file name from remote proc

majkinetor
Groupie
Joined: 17 April 2006
Location: Yugoslavia
Posts: 42
Posted: 11 May 2006 at 8:14am
I want to obtain the file name of a file locked by a remote process. I used NtQuerySystemInformation to get the handles, and then I use this function to filter only File objects and to obtain the file name. Something is wrong and I can't figure out what:

// NtQueryObject and NtQueryInformationFile come from ntdll.dll (declarations not shown here).
// h         - handle value in the target process, as returned by NtQuerySystemInformation
// str       - output buffer for the file name
// processId - process that owns h
// returns false if the handle is not a File object or if an error occurred
bool GetFileName( HANDLE h, wchar_t* str, DWORD processId )
{
    ULONG size = 0x2000;
    UCHAR* lpBuffer = NULL;
    bool ret = false;

    HANDLE handle = NULL;
    HANDLE hRemoteProcess = NULL;
    bool remote = processId != GetCurrentProcessId();

    if ( remote )
    {
        // Open the remote process
        hRemoteProcess = OpenProcess( processId );
        if ( hRemoteProcess == NULL ) return false;

        // Duplicate the handle into this process
        handle = DuplicateHandle( hRemoteProcess, h );
        if ( handle == NULL ) goto cleanup;
    }
    else handle = h;

    // First call only asks for the required size ( 2 = ObjectTypeInformation )
    NtQueryObject( handle, 2, NULL, 0, &size );

    lpBuffer = new UCHAR[size];
    // Second call fetches the type information itself
    if ( NtQueryObject( handle, 2, lpBuffer, size, NULL ) == 0 )
    {
        // The type name string is expected at offset 0x60 of the returned block
        int i = _wcsicmp( L"File", (wchar_t*)(lpBuffer + 0x60) );
        if ( i != 0 ) goto cleanup;

        // --- PROBLEMS ARE HERE ----
        // Note that h (the value from the remote process) is passed here, not the duplicated handle
        FILE_NAME_INFORMATION fni;
        IO_STATUS_BLOCK iosb;
        NTSTATUS rc = NtQueryInformationFile( h, &iosb, &fni, sizeof(FILE_NAME_INFORMATION), 9 ); // 9 = FileNameInformation
        if ( rc != STATUS_SUCCESS ) goto cleanup;

        wcscpy( str, fni.FileName );
        ret = true;
    }

cleanup:
    if ( remote )
    {
        if ( hRemoteProcess != NULL )
            CloseHandle( hRemoteProcess );

        if ( handle != NULL )
            CloseHandle( handle );
    }
    if ( lpBuffer != NULL ) delete [] lpBuffer;

    return ret;
}

Everything here works fine until the obvious comment line. Also, for some reason, the NTSTATUS code returned by NtQueryInformationFile is some large negative value, so I can't see why it isn't working. I hope somebody can help me see the problem, or at least help me retrieve a valid NTSTATUS code.

thx.
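An added example, not code from majkinetor's post or from Sysinternals, for the first step of the approach above: reading the table that NtQuerySystemInformation(SystemHandleInformation) returns and picking out one process's entries without ever over-reading the buffer. The entry layout is the commonly documented one, not a type from the public SDK (an assumption, as in the post); the sample table is constructed here so the parsing part runs on any platform, and only FetchHandleTable needs Windows.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

// One entry of the SystemHandleInformation (class 16) table. This is the
// commonly documented layout (assumption), not a type from the public SDK.
// HandleValue is only 16 bits wide here; handle values above 0xFFFF need
// SystemExtendedHandleInformation (class 64) instead.
struct HandleEntry {
    uint16_t UniqueProcessId;
    uint16_t CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex;
    uint8_t  HandleAttributes;
    uint16_t HandleValue;
    void*    Object;
    uint32_t GrantedAccess;
};
// Header followed by the variable-length array, as the call lays it out.
struct HandleTable { uint32_t NumberOfHandles; HandleEntry Handles[1]; };

// Bounds-checked walk of a raw table buffer; returns only the entries owned by pid.
// The count at the front is a claim to be checked against len, not trusted.
std::vector<HandleEntry> HandlesForProcess(const uint8_t* buf, size_t len, uint16_t pid) {
    std::vector<HandleEntry> out;
    uint32_t count = 0;
    if (len >= sizeof count) std::memcpy(&count, buf, sizeof count);
    for (uint32_t i = 0; i < count; ++i) {
        size_t pos = offsetof(HandleTable, Handles) + size_t(i) * sizeof(HandleEntry);
        if (pos + sizeof(HandleEntry) > len) break;   // table claims more than the buffer holds
        HandleEntry e;
        std::memcpy(&e, buf + pos, sizeof e);
        if (e.UniqueProcessId == pid) out.push_back(e);
    }
    return out;
}

// Constructed sample table (not real data): three handles, two owned by PID 100.
std::vector<uint8_t> SampleTableBuffer() {
    HandleEntry e[3] = {};
    e[0].UniqueProcessId = 100; e[0].HandleValue = 0x10; e[0].GrantedAccess = 0x120089;
    e[1].UniqueProcessId = 200; e[1].HandleValue = 0x14; e[1].GrantedAccess = 0x1F0001;
    e[2].UniqueProcessId = 100; e[2].HandleValue = 0x18; e[2].GrantedAccess = 0x120196;
    std::vector<uint8_t> buf(offsetof(HandleTable, Handles) + sizeof e);
    uint32_t count = 3;
    std::memcpy(buf.data(), &count, sizeof count);
    std::memcpy(buf.data() + offsetof(HandleTable, Handles), e, sizeof e);
    return buf;
}

#ifdef _WIN32
// Windows only: fetch the live table. Class 16 reports STATUS_INFO_LENGTH_MISMATCH
// (0xC0000004) until the buffer is big enough, and the size it hands back is not
// reliable on every version, so double the buffer and retry instead of trusting it.
std::vector<uint8_t> FetchHandleTable() {
    typedef NTSTATUS (NTAPI *Fn)(ULONG, PVOID, ULONG, PULONG);
    static Fn fn = (Fn)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    std::vector<uint8_t> buf(1 << 16);
    for (;;) {
        ULONG returned = 0;
        NTSTATUS st = fn(16, buf.data(), (ULONG)buf.size(), &returned);
        if (st == (NTSTATUS)0xC0000004L) { buf.resize(buf.size() * 2); continue; }
        if (st < 0) return {};          // any other failure: empty table
        return buf;                     // HandlesForProcess bounds itself by the count inside
    }
}
#endif
```

On Windows the two pieces fit together as `HandlesForProcess(t.data(), t.size(), pid)` with `t = FetchHandleTable()`; each returned HandleValue is then what gets passed to DuplicateHandle, as in the post.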

EP_X0FF
Senior Member
Joined: 08 March 2006
Location: Russian Federation
Posts: 4753
Posted: 11 May 2006 at 8:18am

majkinetor
Posted: 11 May 2006 at 8:37am
I was already!

The error about the return type was trivial:
long rc = NtQueryInformationFile(h, &status ...

long rc -> DWORD rc

The error reported is: Invalid Handle.

Now, that is strange, since the same handle was valid for NtQueryObject...

EP_X0FF
Posted: 11 May 2006 at 8:39am
OpenProcess flags?
DuplicateHandle flags?

majkinetor
Posted: 11 May 2006 at 8:46am
Then, after fixing the handle problem:
The specified request is not a valid operation for the target device

majkinetor
Posted: 11 May 2006 at 8:47am
This is how I declared those functions:

HANDLE OpenProcess( DWORD processId )
{
    // Open the process with just enough access to duplicate its handles
    return ::OpenProcess( PROCESS_DUP_HANDLE, TRUE, processId );
}

HANDLE DuplicateHandle( HANDLE hProcess, HANDLE hRemote )
{
    HANDLE hDup = NULL;

    // Duplicate the remote handle into our process with the same access rights;
    // on failure hDup stays NULL
    ::DuplicateHandle( hProcess, hRemote, GetCurrentProcess(), &hDup, 0, FALSE, DUPLICATE_SAME_ACCESS );

    return hDup;
}

Edited by majkinetor - 11 May 2006 at 8:49am

EP_X0FF
Posted: 11 May 2006 at 8:50am
Grant more privileges to OpenProcess? Why not use NtQueryObject with the ObjectNameInformation class?

majkinetor
Posted: 11 May 2006 at 11:41am
Thank you EP_X0FF.
I switched to the NtQO function and everything is OK up to the part where it hangs for a long period of time. I have to open a thread to execute this function and kill it after some short time.

I have to ask for an opinion here, if you have time: since I am trying to create a Total Commander so-called content plugin, this needs to be fast, because it will be called for each file in the directory. The plugin is supposed to return information about the file's lock status and to return a string containing the names of the applications which hold the lock. I am caching the information on the first file (I create a snapshot of all open files in the system) and look into the cache for all subsequent files. Therefore, the above procedure will be executed only once, but it still has to be fast to allow TC to function normally (let's say everything up to 2 seconds should be fine).

I am concerned here about how big an impact creating a new thread for every file handle in the system (on my system, currently > 1000) will have on the procedure's speed.

thx

EP_X0FF
Posted: 11 May 2006 at 11:55am
Yes, it will decrease performance. Each thread will decrease performance, and your plugin will work very slowly and probably use more memory. As you know, NtQueryObject sometimes hangs. It happens when it is trying to get the name of a NamedPipe object. I think that is the reason you are creating new threads. But in the forum thread "Enumerate opened files" we did not get a solution for this "hang" problem. It is known that under Ring0 (Kernel Mode) everything works fine (look at Process Explorer). But for this solution you need to create a driver, and I think this is too much for a simple program like a "TC plugin". I hope this small piece of information in bad English will help you.

Regards.
Ring0 - the source of inspiration
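An added example, not code from EP_X0FF's or majkinetor's posts: the workaround the two of them converge on, running the NtQueryObject name lookup on another thread and giving up after a timeout, but with one long-lived worker instead of a thread per handle, which is the cost EP_X0FF points to. Only a worker that hits a blocking handle is abandoned; the next lookup starts a fresh one. The lookup itself (QueryObjectName, Windows only) uses the ObjectNameInformation class EP_X0FF suggests, on a handle assumed to be already duplicated into the calling process, with NtQueryObject resolved from ntdll.dll at run time. The worker and the demo, which stands in a sleep for a hung query, run on any platform.

```cpp
#include <chrono>
#include <condition_variable>
#include <cstdint>
#include <functional>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

// One long-lived worker runs the name queries. A query that has not finished by
// the deadline abandons that worker (left blocked, never joined: the same outcome
// as killing it, without TerminateThread) and the next Run() starts a fresh one,
// so the common case spawns no thread per handle. Single caller only.
class NameQueryWorker {
public:
    enum class Result { Ok, TimedOut, Failed };
    using Query = std::function<bool(std::wstring&)>;
    Result Run(Query q, std::chrono::milliseconds timeout, std::wstring& name) {
        if (!st_) Spawn();
        std::shared_ptr<State> st = st_;
        std::unique_lock<std::mutex> lk(st->m);
        st->job = std::move(q); st->done = false;
        st->cv.notify_all();                                  // wake the worker
        if (!st->cv.wait_for(lk, timeout, [&] { return st->done; })) {
            st_.reset();                                      // abandon this worker
            return Result::TimedOut;
        }
        name = st->name;
        return st->ok ? Result::Ok : Result::Failed;
    }
private:
    struct State {
        std::mutex m; std::condition_variable cv;
        Query job;                                            // set by Run, taken by the worker
        bool done = false, ok = false; std::wstring name;
    };
    std::shared_ptr<State> st_;
    void Spawn() {
        auto st = std::make_shared<State>();
        std::thread([st] {
            for (;;) {
                std::unique_lock<std::mutex> lk(st->m);
                st->cv.wait(lk, [&] { return static_cast<bool>(st->job); });
                Query q = std::move(st->job); st->job = nullptr;
                lk.unlock();
                std::wstring n;
                bool ok = q(n);                               // the call that may never return
                lk.lock();
                st->name = std::move(n); st->ok = ok; st->done = true;
                st->cv.notify_all();
            }
        }).detach();
        st_ = st;
    }
};

#ifdef _WIN32
// Windows only: name of a handle already duplicated into this process, via
// NtQueryObject with ObjectNameInformation (class 1). The buffer holds a
// UNICODE_STRING followed by its characters; retry once at the size reported.
bool QueryObjectName(HANDLE h, std::wstring& name) {
    typedef NTSTATUS (NTAPI *Fn)(HANDLE, ULONG, PVOID, ULONG, PULONG);
    static Fn fn = (Fn)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryObject");
    std::vector<uint8_t> buf(1024);
    ULONG need = 0;
    NTSTATUS st = fn(h, 1, buf.data(), (ULONG)buf.size(), &need);
    if (need > buf.size()) {
        buf.resize(need);
        st = fn(h, 1, buf.data(), (ULONG)buf.size(), &need);
    }
    if (st < 0) return false;                                 // error, or a *_OVERFLOW warning
    const UNICODE_STRING* us = reinterpret_cast<const UNICODE_STRING*>(buf.data());
    if (us->Buffer == nullptr) return false;                  // object has no name
    name.assign(us->Buffer, us->Length / sizeof(WCHAR));
    return true;
}
#endif

// Portable demo: a fast lookup, one that blocks (a sleep stands in for a hung
// NtQueryObject), then a fast one again. True when the blocked lookup times out
// and the following lookup still succeeds on a fresh worker.
bool WorkerDemo() {
    using namespace std::chrono;
    NameQueryWorker w;
    std::wstring name;
    NameQueryWorker::Query fast  = [](std::wstring& n) { n = L"\\Device\\HarddiskVolume1\\locked.txt"; return true; };
    NameQueryWorker::Query stuck = [](std::wstring&)   { std::this_thread::sleep_for(seconds(5)); return false; };
    bool a = w.Run(fast,  seconds(5), name) == NameQueryWorker::Result::Ok && !name.empty();
    bool b = w.Run(stuck, milliseconds(100), name) == NameQueryWorker::Result::TimedOut;
    bool c = w.Run(fast,  seconds(5), name) == NameQueryWorker::Result::Ok;
    return a && b && c;
}
```

On Windows the call is `worker.Run([h](std::wstring& n) { return QueryObjectName(h, n); }, std::chrono::milliseconds(200), name)` per duplicated handle; the returned name is an NT path such as `\Device\HarddiskVolume1\...`, which still has to be mapped to a drive letter. Tools that do this in user mode also commonly skip named-pipe handles by their GrantedAccess mask (0x0012019F is the value usually cited) before querying at all; that heuristic is not from this thread and is an assumption here.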

majkinetor
Posted: 12 May 2006 at 3:19am
I don't know what is going on here, since when the console application I am using for testing hangs, I cannot delete it for a very long period of time (it has been up for more than 20 minutes now...). TaskInfo and Proc Exp cannot kill it either.

You are right, that is too big a project for a simple plugin; it already took me much time to get to this stage.

Anyway, you were of great help and I thank you for that.
Your English is fine by me.