#ifdef _MSC_VER#define UNICODE#define _CRT_SECURE_NO_WARNINGS#endif#pr

1. #ifdef _MSC_VER
2. #define UNICODE
3. #define _CRT_SECURE_NO_WARNINGS
4. #endif
5.  
6. #pragma comment(lib, "Kernel32.lib")
7. #include <Windows.h>
8. #include <Winternl.h>
9. #include <Winbase.h>
10. #include <psapi.h>
11. #include <strsafe.h>
12.  
13. #include <cstdio>
14. #include <cstdlib>
15. #include <ctime>
16. #include <cassert>
17.  
18. #include "dtypes.h"
19.    
20.  
21. #define SHARE_EXCLUSIVE             0
22. #define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
23. #define DUPLICATE_SAME_ACCESS       0x00000002
24. #define DUPLICATE_SAME_ATTRIBUTES   0x00000004
25.  
26.  
27. typedef struct _SYSTEM_HANDLE
28. {
29.     ULONG ProcessId;
30.     BYTE ObjectTypeNumber;
31.     BYTE Flags;
32.     USHORT Handle;
33.     PVOID Object;
34.     ACCESS_MASK GrantedAccess;
35. } SYSTEM_HANDLE, *PSYSTEM_HANDLE;
36.  
37. typedef struct _SYSTEM_HANDLE_INFORMATION
38. {
39.     ULONG HandleCount;
40.     SYSTEM_HANDLE Handles[1];
41. } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
42.  
43. typedef NTSTATUS(WINAPI* _NtQuerySystemInformation)(
44.     ULONG SystemInformationClass,
45.     PVOID SystemInformation,
46.     ULONG SystemInformationLength,
47.     PULONG ReturnLength
48.     );
49.  
50. typedef NTSTATUS(WINAPI* _NtDuplicateObject)(
51.     HANDLE SourceProcessHandle,
52.     HANDLE SourceHandle,
53.     HANDLE TargetProcessHandle,
54.     PHANDLE TargetHandle,
55.     ACCESS_MASK DesiredAccess,
56.     ULONG Attributes,
57.     ULONG Options
58.     );
59.  
60. typedef NTSTATUS(WINAPI* _NtQueryObject)(
61.     HANDLE ObjectHandle,
62.     ULONG ObjectInformationClass,
63.     PVOID ObjectInformation,
64.     ULONG ObjectInformationLength,
65.     PULONG ReturnLength
66.     );
67.  
68. typedef enum _POOL_TYPE
69. {
70.     NonPagedPool,
71.     PagedPool,
72.     NonPagedPoolMustSucceed,
73.     DontUseThisType,
74.     NonPagedPoolCacheAligned,
75.     PagedPoolCacheAligned,
76.     NonPagedPoolCacheAlignedMustS
77. } POOL_TYPE, *PPOOL_TYPE;
78.  
79. typedef struct _OBJECT_TYPE_INFORMATION  
80. {
81.     UNICODE_STRING Name;
82.     ULONG TotalNumberOfObjects;
83.     ULONG TotalNumberOfHandles;
84.     ULONG TotalPagedPoolUsage;
85.     ULONG TotalNonPagedPoolUsage;
86.     ULONG TotalNamePoolUsage;
87.     ULONG TotalHandleTableUsage;
88.     ULONG HighWaterNumberOfObjects;
89.     ULONG HighWaterNumberOfHandles;
90.     ULONG HighWaterPagedPoolUsage;
91.     ULONG HighWaterNonPagedPoolUsage;
92.     ULONG HighWaterNamePoolUsage;
93.     ULONG HighWaterHandleTableUsage;
94.     ULONG InvalidAttributes;
95.     GENERIC_MAPPING GenericMapping;
96.     ULONG ValidAccess;
97.     BOOLEAN SecurityRequired;
98.     BOOLEAN MaintainHandleCount;
99.     USHORT MaintainTypeList;
100.     POOL_TYPE PoolType;
101.     ULONG PagedPoolUsage;
102.     ULONG NonPagedPoolUsage;
103. } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
104.  
105. HANDLE fh;
106.  
107. HANDLE close_list[20];
108. DWORD close_count;
109.  
110. bool IsFileOpen(LPCWSTR fpath);
111. HANDLE GetFileHandle(LPCWSTR fpath);
112. PVOID GetLibraryProcAddr(LPCWSTR LibraryName, LPCSTR ProcName);
113. PSYSTEM_HANDLE_INFORMATION GetAllHandleData(_NtQuerySystemInformation NtQuerySystemInfo);
114.  
115. int main(int argc, WCHAR** argv)
116. {
117.     PSYSTEM_HANDLE_INFORMATION handleInfo;
118.     HANDLE close_handle = NULL;
119.     HANDLE proc_handle  = NULL;
120.     _NtQuerySystemInformation NtQuerySystemInformation = NULL;
121.     _NtDuplicateObject NtDuplicateObject = NULL;
122.     _NtQueryObject NtQueryObject = NULL;
123.     FILE* hLog = fopen("handle_log.txt", "w+");
124.  
125.     LPSYSTEMTIME win_time = new SYSTEMTIME;
126.  
127.  
128.  
129.     NtQuerySystemInformation    = static_cast<_NtQuerySystemInformation>(GetLibraryProcAddr(L"ntdll.dll", "NtQuerySystemInformation"));
130.     NtDuplicateObject           = static_cast<_NtDuplicateObject>(GetLibraryProcAddr(L"ntdll.dll", "NtDuplicateObject"));
131.     NtQueryObject               = static_cast<_NtQueryObject>(GetLibraryProcAddr(L"ntdll.dll", "NtQueryObject"));
132.  
133.     GetSystemTime(win_time);
134.  
135.     fprintf(hLog, "%02d/%02d/%04d\n", win_time->wMonth, win_time->wDay, win_time->wYear);
136.     fprintf(hLog, "%02d:%02d:%02d\n\n", win_time->wHour, win_time->wMinute, win_time->wSecond);
137.  
138.     // fprintf(hLog, "Getting handle data...\n");
139.     handleInfo = GetAllHandleData(NtQuerySystemInformation);
140.  
141.     // fprintf(hLog, "Preparing to parse handles...\n\n");
142.     ZeroMemory(close_list, sizeof(close_list));
143.     close_count = 0;
144.  
145.     // this will run each time we find that a file is still open - don't change handleInfo -
146.     // this will be pulled out and become a function or three in the end
147.     for (ULONG i = 0; i < handleInfo->HandleCount; ++i)
148.     {
149.         SYSTEM_HANDLE sys_h = handleInfo->Handles[i];
150.         HANDLE objdupHandle = NULL;
151.         POBJECT_TYPE_INFORMATION objectTypeInfo;
152.         HANDLE hFileMap;
153.         WCHAR pszFilename[MAX_PATH + 1];
154.         PVOID pMem = NULL;
155.        
156.         // open each process as needed for each handle on the list
157.         if (sys_h.ProcessId != 4)
158.         {
159.             if ( !(proc_handle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, sys_h.ProcessId)) )
160.             {
161.                 // fprintf(hLog, "Could not open PID %d!\n", sys_h.ProcessId);
162.                 continue;
163.             }
164.         }
165.            
166.         // duplicate the handle into my process so i can read it
167.         if ( !NT_SUCCESS( NtDuplicateObject(proc_handle, (HANDLE)sys_h.Handle, GetCurrentProcess(), &objdupHandle, 0, 0, DUPLICATE_SAME_ATTRIBUTES | DUPLICATE_SAME_ACCESS) ) )
168.         {
169.             fprintf(hLog, "Duplication Error! %X\n", sys_h.Handle);
170.             continue;
171.         }
172.        
173.         objectTypeInfo = static_cast<POBJECT_TYPE_INFORMATION>(malloc(0x1000));
174.  
175.         // get the handle's type info for parsing
176.         if ( !NT_SUCCESS( NtQueryObject(objdupHandle, ObjectTypeInformation, objectTypeInfo, 0x1000, NULL) ) )
177.             {
178.                 fprintf(hLog, "Query Error!\n", sys_h.Handle);
179.                 CloseHandle(objdupHandle);
180.                 continue;
181.             }
182.  
183.         if (sys_h.GrantedAccess == 0x0012019f)
184.         {
185.             /* skip these */
186.             fprintf(hLog, "Err: 0x12019F\n");
187.             free(objectTypeInfo);
188.             CloseHandle(objdupHandle);
189.             continue;
190.         }
191.  
192.         if ( wcscmp(L"File", objectTypeInfo->Name.Buffer) == 0 )
193.         {          
194.             fprintf(hLog, "File!\n");
195.            
196.             hFileMap = CreateFileMapping(objdupHandle, NULL, PAGE_READONLY, 0, 1, NULL);
197.              
198.             if (!hFileMap)
199.             {
200.                 fprintf(hLog, "Error: %X\n", GetLastError());
201.             }
202.            
203.             if (hFileMap)
204.             {
205.                 // fprintf(hLog, "Mapped!\n");
206.                 // create a file mapping to get the file name.
207.                 pMem = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 1);
208.  
209.                 if (pMem)
210.                 {
211.                     // fprintf(hLog, "View mapped!\n");
212.                     if (GetMappedFileNameW(GetCurrentProcess(), pMem, pszFilename, MAX_PATH))
213.                     {
214.                         // fprintf(hLog, "Name gotten!\n\n");
215.                         fwprintf(hLog, L"%ls\n", pszFilename);
216.                     }
217.  
218.                 }
219.             }
220.            
221.         }
222.     }
223.  
224.     fclose(hLog);
225.  
226.  
227.  
228.  
229.  
230.  
231.  
232.  
233.  
234.     // printf("Current handle count: %d\n", handleInfo->HandleCount);
235.    
236.     // if (IsFileOpen(L"D:\\SBT\\PRO30\\APDATA\\apsysd10.dbf"))
237.     if ( IsFileOpen(L"D:\\Mics50\\sbtrindex.PJT") )
238.     {
239.  
240.     }
241.  
242.     printf("Success!");
243.  
244.     while (1);
245.     return 0;
246. }
247.  
248.  
249. bool IsFileOpen(LPCWSTR fpath)
250. {  
251.     fh = CreateFile(fpath, GENERIC_READ, SHARE_EXCLUSIVE /* ask for exclusive access */, NULL, OPEN_EXISTING, 0, NULL);
252.  
253.     if ( fh == INVALID_HANDLE_VALUE )   // check if a file is open by trying to open it again with exclusive access
254.     {
255.         return true;
256.     }
257.     else
258.     {
259.         return false;
260.     }
261. }
262.  
263.  
264. PSYSTEM_HANDLE_INFORMATION GetAllHandleData(_NtQuerySystemInformation NtQuerySystemInfo)
265. {
266.     NTSTATUS query_state;
267.     PSYSTEM_HANDLE_INFORMATION hData;
268.     ULONG hDataSize = 0x80000;     // 512KB
269.  
270.     hData = static_cast<PSYSTEM_HANDLE_INFORMATION>(malloc(hDataSize)); // allocate for sys handle info
271.  
272.     while ( (query_state = NtQuerySystemInfo(static_cast<SYSTEM_INFORMATION_CLASS>(0x10), hData, hDataSize, NULL)) == STATUS_INFO_LENGTH_MISMATCH )
273.     {
274.         hData = static_cast<PSYSTEM_HANDLE_INFORMATION>(realloc(hData, hDataSize <<= 1));   // keep doubling the size of the allocation until we have enough
275.         printf("Bigger! %X\n", hDataSize);
276.     }
277.  
278.     if ( !NT_SUCCESS(query_state) )
279.     {
280.         printf("NtQuerySystemInformation for handle data failed!\n");
281.         while (1);
282.     }
283.     else
284.     {
285.         printf("Got all handles!\n");
286.         return hData;
287.     }  
288. }
289.  
290.  
291. PVOID GetLibraryProcAddr(LPCWSTR LibraryName, LPCSTR ProcName)
292. {
293.     return GetProcAddress(GetModuleHandle(LibraryName), ProcName);
294. }