[programmer.cpp1986]

I used "Zw or NtquerySystemInformation" to obtain all the object handles but for using of NtquerySystemInformation the return value is NULL and for using of ZwquerySystemInformation some parts of return value is NULL or its memory is access denied.
The structure of the return value was casted to PSYSTEM_HANDLE_INFORMATION. I tested both 16 and 64 as the first input value for calling this function.
For example, the Object part of the return value has a FileName part that is a UNICODE_STRING, but for some enteries FileName has a Length and the MaxLength is not zero and the BUFFER value is 0 or pointed to the part of memory that has the "access violation" error.
I get this problem at this line of my code after calling this function:

DbgPrint("%wZ \r\n", FileObject->FileName);

Anybody can solve this problem and help me?

[EP_X0FF]

For calls from kernel-mode drivers, the Nt and Zw versions of a services routine can behave differently in the way that they handle and interpret input parameters.

http://msdn.microsoft.com/en-us/library ... s.85).aspx

Show your code.

[iSecure]

DbgPrint("%wZ \r\n", &FileObject->FileName);

you need PUNICODE_STRING to print via %wZ, and FileName is UNICODE_STRING, so u need a pointer.

[programmer.cpp1986]

I tested both Nt and Zw, for Nt return status was ACCESS_VIOLATION and fot Zw the structure had some faulty part in his SYSTEM_HANDLE_INFORMATION.
I used this function to get the object handles:

NTSTATUS PhEnumHandles(
__out PSYSTEM_HANDLE_INFORMATION *Handles
)
{
static ULONG initialBufferSize = 0x4000;
NTSTATUS status;
PVOID buffer;
ULONG bufferSize;

bufferSize = initialBufferSize;
buffer = PhAllocate(bufferSize);

while ((status = ZwQuerySystemInformation(
SystemHandleInformation,
buffer,
bufferSize,
NULL
)) == STATUS_INFO_LENGTH_MISMATCH)
{
ExFreePool(buffer);
bufferSize *= 2;

if (bufferSize > PH_LARGE_BUFFER_SIZE)
return STATUS_INSUFFICIENT_RESOURCES;

buffer = ExAllocatePool(bufferSize);
}

if (!NT_SUCCESS(status))
{
ExFreePool(buffer);
return status;
}

*Handles = (PSYSTEM_HANDLE_INFORMATION)buffer;

return status;
}

[iSecure]

Code: Select all

NTSTATUS PhEnumHandles(
__out PSYSTEM_HANDLE_INFORMATION *Handles
)

probably must be just

Code: Select all

NTSTATUS PhEnumHandles(
__out PSYSTEM_HANDLE_INFORMATION Handles
)

P prefix already means its a pointer to structure, and with P.... *Handles you return pointer to pointer. I dont think it supposed to work with double reference =)

And

Code: Select all

*Handles = (PSYSTEM_HANDLE_INFORMATION)buffer;

should be then

Code: Select all

Handles = (PSYSTEM_HANDLE_INFORMATION)buffer;

P.S. Also show how do you call yours PhEnumHandles() routine.

[EP_X0FF]

I tested both Nt and Zw, for Nt return status was ACCESS_VIOLATION and fot Zw the structure had some faulty part in his SYSTEM_HANDLE_INFORMATION.
I used this function to get the object handles

This is Process Hacker routine and it has no faults. Show how you call it and how you grab information from Handles array -> your actual code.

[iSecure]

If PhEnumHandles() have no faults like EP_X0FF said, then you must call it this way

Code: Select all

 PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;
//...
status = PhEnumHandles( &pSysHandleInfo );

Note the & again...it seems that PhEnumHandles() routine indeed suppose to use double reference for __out arg.

And dont forget to call ExFreePool( pSysHandleInfo ) after you finish with array to prevent memory leaks.

[programmer.cpp1986]

PSYSTEM_HANDLE_INFORMATION Info;
.
.
.
status = PhEnumHandles(&Info);
.
.
.
PFILE_OBJECT FileObject = (PFILE_OBJECT)Info->Handles.object;
.
.
.
DbgPrint("%wZ", &FileObject->FileName); ===> I got the access violation at this line of my code...

[EP_X0FF]

If this is exotic way to retrieve name from handle then see http://www.kernelmode.info/forum/viewto ... 8938#p8938

[iSecure]

PSYSTEM_HANDLE_INFORMATION Info;
.
.
.
status = PhEnumHandles(&Info);
.
.
.
PFILE_OBJECT FileObject = (PFILE_OBJECT)Info->Handles.object;
.
.
.
DbgPrint("%wZ", &FileObject->FileName); ===> I got the access violation at this line of my code...

It seems that either FileObject or FileObject->FileName.Buffer is NULL, do something like

Code: Select all

if (FileObject && FileObject->FileName.Buffer && FileObject->FileName.Length > 0) DbgPrint("%wZ", &FileObject->FileName);

At least you shouldn't see BSODs anymore, but for further investigation you need to watch what yours variables contain through code flow, use WinDbg to debug your driver.

Also make sure that

Code: Select all

i < Info->NumberOfHandles

though its pretty obvious =)