Get device name from a Handle
Posted by Sergio Peña on November 13th, 2007


Hi,

I am writing code to find out which processes and files are using a
specific disk device.

I've found a lot of help and this functionality works now, but I have a
little problem:

I'm using NtQuerySystemInformation to get all processes and object
handles.
For each handle I choose only File Handles.
I get the file name with NtQueryInformationFile.

Ex. (winword.exe)
Handle      Name
0x0000000C  \archivo.doc
0x0000000D  \archivo.doc

But the problem is that I don't know which disk drive it is. As you see,
these 2 files seem to be the same, but the first is from C:\ and the
second is from G:\

I was reading about QueryDosDevice: you can pass it "C:\" as a parameter
and it returns "\Device\Harddisk1", well, but I can't see this
device name in my output of NtQueryInformationFile.

Does anybody know how to obtain something like this:

Ex. (winword.exe)
Handle      Name
0x0000000C  \Device\Harddisk1\archivo.doc               <--- C DRIVE
0x0000000D  \Device\Harddisk1\DP(1)0-0+3\archivo.doc    <--- USB DRIVE

thanks

Posted by Christian ASTOR on November 13th, 2007


Sergio Peña wrote:

NtQueryObject()

Posted by Sergio Peña on November 14th, 2007


On 13 nov, 14:58, Christian ASTOR <casto...@club-internet.fr> wrote:
Well, today I tried to use the function NtQueryObject to get the
full pathname from a handle. But I couldn't get the name of all file
handles, e.g.:

Process name: cmd.exe

Handle  Type  Name
--------------------------------------
0x004c  File  \Device\HarddiskVolume1\Documents ....   <---- OK
0x000c  File                                           <---- Failed (Where is the name?)
0x0064  File                                           <---- Failed (Where is the name?)

I know that 0x0064 is \Device\Harddisk1\DP(1)-0-0+5, which is my USB
drive, but with the function I couldn't get the name. Why?

I tried to use Threads (calling a function that gets the name with
NtQueryObject) and if TIMEOUT, then I kill the thread. Well, it worked
fine, getting me all the pathnames (including those of my USB drive), but the
program hangs, and I can't close it even with Task Manager.

What do you recommend I do?

These are the functions I use:

Notes:
1. Calling this function alone, it gets me pathnames from some file
handles.
2. Calling this function from another function that uses a Thread, it
gets me more pathnames but it hangs.

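    #include <windows.h>
    #include <winternl.h>   /* UNICODE_STRING, OBJECT_INFORMATION_CLASS, NtQueryObject */
    #include <process.h>    /* _beginthread */
    #include <stdio.h>
    #include <stdlib.h>

    /* Returns the queried object information as an ANSI string, or "" on failure. */
    UCHAR* GetObjectInfo(HANDLE h, OBJECT_INFORMATION_CLASS objInfoClass)
    {
        UCHAR *strReturn = (UCHAR *)"";
        DWORD size = 0x2000;
        UCHAR *lpBuffer;

        /* First call passes no buffer and only asks for the required size. */
        NtQueryObject( h, objInfoClass, NULL, 0, &size );

        // let's try to use the default
        if ( size == 0 )
            size = 0x2000;

        lpBuffer = (UCHAR *)malloc(sizeof(UCHAR) * size);
        if ( lpBuffer == NULL )
            return strReturn;

        /* Second call fills the buffer; this is the call the timeout thread below guards. */
        if ( NtQueryObject( h, objInfoClass, lpBuffer, size, NULL ) == 0 )
        {
            UNICODE_STRING *name = (UNICODE_STRING *)lpBuffer;
            if ( name->Length != 0 )
            {
                /* Length is in bytes and Buffer is UTF-16. The copy step is missing
                   from the post as archived; the conversion to ANSI here is a
                   reconstruction. */
                int cch = name->Length / sizeof(WCHAR);
                int cb = WideCharToMultiByte( CP_ACP, 0, name->Buffer, cch, NULL, 0, NULL, NULL );
                UCHAR *ansi = (UCHAR *)malloc( cb + 1 );
                if ( ansi != NULL )
                {
                    WideCharToMultiByte( CP_ACP, 0, name->Buffer, cch, (LPSTR)ansi, cb, NULL, NULL );
                    ansi[cb] = '\0';
                    strReturn = ansi;
                }
            }
        }

        free( lpBuffer );
        return strReturn;
    }

    /* Thread entry point: queries the name of the handle passed in param and prints it. */
    void ThreadGetName( void* param )
    {
        FILE_NAME_THREAD_PARAM *p = (FILE_NAME_THREAD_PARAM*)param;
        UCHAR *strName = GetObjectInfo( p->hFile, ObjectNameInformation );

        printf("%s\n", (char *)strName);
    }

    /* Fragment from the calling code: */
    FILE_NAME_THREAD_PARAM tp;
    tp.hFile = handle;

    //Start the thread to get the file name
    hThread = (HANDLE)_beginthread( ThreadGetName, 0, &tp );
    if ( hThread == (HANDLE)-1L ) goto done;   /* _beginthread returns -1L on failure, not NULL */

    if ( WaitForSingleObject(hThread, 50 ) == WAIT_TIMEOUT)
    {
        // Access denied, terminate the thread
        TerminateThread( hThread, 0 );
    }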

By the way, "handle" is duplicated if the current process isn't the
process of the handle.


Posted by Christian ASTOR on November 16th, 2007


Sergio Peña wrote:


Your code is not quite correct.
I only re-call NtQueryObject() if return size is != 0.
Otherwise I call CreateThread() where I call NtQueryInformationFile() +
NtQueryObject()
With that, it never hangs and I can get most of the object names
(at least on XP SP2...)
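
An added example, not code from any post in this thread: once NtQueryObject returns a name such as \Device\HarddiskVolume1\..., the drive letter asked about in the first post can be recovered by comparing it with the device name QueryDosDevice reports for each drive. The table is constructed sample data and nt_path_to_dos is a hypothetical helper; the match has to end on a path-component boundary so that HarddiskVolume1 does not claim paths on HarddiskVolume10.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One row per drive letter: the device name QueryDosDevice reports for it. */
struct dos_map { const char *drive; const char *device; };

/* Constructed sample table, not taken from a real machine. */
static const struct dos_map SAMPLE_MAP[] = {
    { "C:", "\\Device\\HarddiskVolume1"  },
    { "G:", "\\Device\\HarddiskVolume10" },
};

/* Case-insensitive prefix test that only succeeds when the prefix ends on a
   component boundary ('\\' or end of string). Returns the prefix length, or 0. */
static size_t device_prefix_len(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return (path[n] == '\\' || path[n] == '\0') ? n : 0;
}

/* Rewrites an NT object name as a drive-letter path in `out`.
   Returns 0 on success, -1 if no device matches or `out` is too small. */
int nt_path_to_dos(const char *nt_path, const struct dos_map *map, size_t count,
                   char *out, size_t out_size)
{
    for (size_t i = 0; i < count; i++) {
        size_t n = device_prefix_len(nt_path, map[i].device);
        if (n == 0)
            continue;
        int w = snprintf(out, out_size, "%s%s", map[i].drive, nt_path + n);
        return (w >= 0 && (size_t)w < out_size) ? 0 : -1;
    }
    return -1;
}

int main(void)
{
    char buf[260];
    if (nt_path_to_dos("\\Device\\HarddiskVolume10\\archivo.doc",
                       SAMPLE_MAP, 2, buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```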