From: Maverick on 23 Feb 2010 01:43

Hi,

I am enumerating open handles of currently running processes in the system by calling NtQuerySystemInformation from user mode. I get a series of SYSTEM_HANDLE_ENTRY structures (defined in winternl.h) if the call succeeds. To get additional information about these handles, I have to pass the SYSTEM_HANDLE_ENTRY::ObjectPointer to a kernel-mode driver. The additional information I'm interested in is the complete file path of file handles.

Is there a way to identify whether the SYSTEM_HANDLE_ENTRY::ObjectPointer points to a file or a folder or a network device, etc., before passing the SYSTEM_HANDLE_ENTRY structure to the driver? Presently, I have to retrieve the device path and the file path, then convert the path from DOS device format to disk volume format. Then I have to open the file and check its attributes to discover whether it is a file or a folder, etc. I want to save the time I'm going to spend on every SYSTEM_HANDLE_ENTRY object.

Is there any better way to retrieve the full paths of files opened by currently running processes?
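An added example (not code from the original post) of using the ObjectType index that every SYSTEM_HANDLE_ENTRY already carries to pre-filter for file handles before any driver call: the "File" type index is learned at run time from a handle the enumerating process opened itself, then applied to the whole table. The table below is constructed; on Windows it would come from NtQuerySystemInformation(SystemHandleInformation), and uintptr_t replaces PVOID so the block compiles anywhere.

```c
#include <stdint.h>
#include <stddef.h>

/* SYSTEM_HANDLE_ENTRY in winternl.h field order; uintptr_t stands in for
 * PVOID so the block also compiles outside Windows. */
typedef struct {
    uint32_t  OwnerPid;
    uint8_t   ObjectType;     /* kernel object-type index ("File", "Key", ...) */
    uint8_t   HandleFlags;
    uint16_t  HandleValue;
    uintptr_t ObjectPointer;  /* kernel address of the object */
    uint32_t  AccessMask;
} SYSTEM_HANDLE_ENTRY;

/* Step 1: learn the "File" type index at run time (it differs between
 * Windows versions) from a file handle the caller opened itself, matched
 * by own PID and handle value. Returns -1 if the entry is not found. */
int find_type_index(const SYSTEM_HANDLE_ENTRY *t, size_t n,
                    uint32_t own_pid, uint16_t own_handle)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].OwnerPid == own_pid && t[i].HandleValue == own_handle)
            return t[i].ObjectType;
    return -1;
}

/* Step 2: keep only entries of that type, so only their ObjectPointers
 * need the driver round-trip. Fills out[] (up to max), returns count. */
size_t filter_by_type(const SYSTEM_HANDLE_ENTRY *t, size_t n, int type_index,
                      SYSTEM_HANDLE_ENTRY *out, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < max; i++)
        if (t[i].ObjectType == type_index)
            out[k++] = t[i];
    return k;
}

/* Constructed sample table (not a real NtQuerySystemInformation dump):
 * type 28 plays the role of File; 18 and 23 are other kernel types.
 * Handle 0x40 in PID 1234 is the enumerating process's own file handle. */
static const SYSTEM_HANDLE_ENTRY SAMPLE[] = {
    { 1234, 28, 0, 0x0040, 0x8a001000u, 0x120089 },
    { 1234, 18, 0, 0x0044, 0x8a002000u, 0x1F0003 },
    { 4321, 28, 0, 0x0010, 0x8a003000u, 0x120196 },
    { 4321, 23, 0, 0x0014, 0x8a004000u, 0x0F01FF },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])
static SYSTEM_HANDLE_ENTRY g_files[16];  /* result buffer used by callers */
```

The type index is not stable across Windows releases, which is why it is discovered from the caller's own handle rather than hard-coded; only the surviving entries then need the kernel-mode path lookup.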