Help with using Zw/NtQuerySystemInformation

Posted: Tue Jun 05, 2012 6:36 am
by programmer.cpp1986
I used "Zw or NtQuerySystemInformation" to obtain all the object handles, but when using NtQuerySystemInformation the return value is NULL, and when using ZwQuerySystemInformation some parts of the return value are NULL or their memory is access denied.
The structure of the return value was cast to PSYSTEM_HANDLE_INFORMATION. I tested both 16 and 64 as the first input value for calling this function.
For example, the Object part of the return value has a FileName part that is a UNICODE_STRING, but for some entries FileName has a Length and the MaxLength is not zero, while the Buffer value is 0 or points to a part of memory that gives an "access violation" error.
I get this problem at this line of my code after calling this function:

/* %wZ expects a pointer to the UNICODE_STRING, so pass its address */
DbgPrint("%wZ \r\n", &FileObject->FileName);

Can anybody solve this problem and help me?

I used this function to get the object handles:
/* Upper bound for the doubling loop so a bad length can never grow the buffer without limit */
#define PH_LARGE_BUFFER_SIZE (256 * 1024 * 1024)
#define PH_POOL_TAG 'mnEP'

NTSTATUS PhEnumHandles(
    __out PSYSTEM_HANDLE_INFORMATION *Handles
    )
{
    static ULONG initialBufferSize = 0x4000;
    NTSTATUS status;
    PVOID buffer;
    ULONG bufferSize;

    bufferSize = initialBufferSize;
    buffer = ExAllocatePoolWithTag(PagedPool, bufferSize, PH_POOL_TAG);
    if (buffer == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    /* SystemHandleInformation reports STATUS_INFO_LENGTH_MISMATCH while the
     * buffer is too small; double it and retry until it fits or hits the cap. */
    while ((status = ZwQuerySystemInformation(
        SystemHandleInformation,
        buffer,
        bufferSize,
        NULL
        )) == STATUS_INFO_LENGTH_MISMATCH)
    {
        ExFreePoolWithTag(buffer, PH_POOL_TAG);
        bufferSize *= 2;

        if (bufferSize > PH_LARGE_BUFFER_SIZE)
            return STATUS_INSUFFICIENT_RESOURCES;

        buffer = ExAllocatePoolWithTag(PagedPool, bufferSize, PH_POOL_TAG);
        if (buffer == NULL)
            return STATUS_INSUFFICIENT_RESOURCES;
    }

    if (!NT_SUCCESS(status))
    {
        ExFreePoolWithTag(buffer, PH_POOL_TAG);
        return status;
    }

    /* Remember a size that worked so the next call usually succeeds first time */
    if (bufferSize <= 0x100000) initialBufferSize = bufferSize;
    *Handles = (PSYSTEM_HANDLE_INFORMATION)buffer;

    return status;
}

Re: Help with using Zw/NtQuerySystemInformation

Posted: Tue Jun 05, 2012 9:21 pm
by ekohl
NtQuerySystemInformation.SystemHandleInformation is not fully implemented. If you have a look at ntoskrnl\ex\sysinfo.c, you will see that the current implementation only fills UniqueProcessId for each handle.

You are free to implement the missing parts.
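An added example (not code from either post): a user-mode C model of walking a SYSTEM_HANDLE_INFORMATION buffer defensively, using the commonly published entry layout, which is an assumption here. It checks that the buffer actually holds the entries its header counts and skips entries whose Object was never filled in, the case ekohl describes, instead of dereferencing them as the DbgPrint line in the question does.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (the commonly published one); a driver uses the real DDK definitions. */
typedef struct {
    uint16_t UniqueProcessId, CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex, HandleAttributes;
    uint16_t HandleValue;
    void    *Object;
    uint32_t GrantedAccess;
} HANDLE_ENTRY;
typedef struct {
    uint32_t     NumberOfHandles;
    HANDLE_ENTRY Handles[1];
} HANDLE_INFO;

/* Count entries safe to dereference: -1 if the header claims more entries than
 * the buffer holds; entries whose Object was never filled in (NULL) are skipped. */
long count_usable_handles(const void *buf, size_t len)
{
    const size_t hdr = offsetof(HANDLE_INFO, Handles);
    if (buf == NULL || len < hdr)
        return -1;
    const HANDLE_INFO *info = buf;
    if (info->NumberOfHandles > (len - hdr) / sizeof(HANDLE_ENTRY))
        return -1;                      /* header inconsistent with buffer size */
    long usable = 0;
    for (uint32_t i = 0; i < info->NumberOfHandles; i++)
        if (info->Handles[i].Object != NULL)
            usable++;
    return usable;
}

/* Constructed sample: three entries, Object filled only for the first, as a partially
 * implemented SystemHandleInformation could produce; lie_about_count claims 1000 entries. */
size_t build_sample(unsigned char *out, size_t cap, int lie_about_count)
{
    static int dummy_object;
    HANDLE_ENTRY e[3] = {{0}};
    e[0].UniqueProcessId = 4;   e[0].Object = &dummy_object;
    e[1].UniqueProcessId = e[2].UniqueProcessId = 512; /* Object left NULL */
    size_t need = offsetof(HANDLE_INFO, Handles) + sizeof e;
    uint32_t n = lie_about_count ? 1000u : 3u;
    if (out == NULL || cap < need)
        return 0;
    memcpy(out, &n, sizeof n);
    memcpy(out + offsetof(HANDLE_INFO, Handles), e, sizeof e);
    return need;
}
```

A NULL Object is the only unfilled value this check can see; garbage pointers from an uninitialised buffer look valid, which is why the fix belongs in the kernel-side implementation rather than the caller.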