Hi all,
i'm trying to get the handle to a file which is already opened with OF_SHARE_DENY_WRITE
by injecting code into the process which opened the file and then write to the file using the new handle. I've tried GetModuleHandle to get the handle, but it returns "module not found". Also i've tried reopening the file since i'm in the same process, but it returns "sharing violation". Anyone has a clue on how to do this?
Thanks in advance!
Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts
Getting The Handle To A File Which Is Opened
Started by
White Scorpion
, May 29 2005 08:52 AM
10 replies to this topic
#1
White Scorpion
-
- Sergeant Major
-
- 674 posts
Sergeant First Class
Posted 29 May 2005 - 08:52 AM
The path of access leads to the server of wisdom..
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
#2
belgther
-
- Sergeant Major
-
- 650 posts
Sergeant First Class
Posted 29 May 2005 - 10:09 PM
I think the handles are saved somewhere in a process table. But I don't know where. Because you can see the handle list easily with Softice or Olly, well, olly can be explained with another mechanism, but how about softice?
"The wisest one is the one who knows himself/herself." Quote of the life
belgther... aka... belgther
belgther... aka... belgther
#3
White Scorpion
-
- Sergeant Major
-
- 674 posts
Sergeant First Class
Posted 30 May 2005 - 05:44 AM
I thought so too, but indeed where?
Process explorer from sysinternals can show all open handles as well, so it must be possible, but how?
Process explorer from sysinternals can show all open handles as well, so it must be possible, but how?
The path of access leads to the server of wisdom..
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
#4
belgther
-
- Sergeant Major
-
- 650 posts
Sergeant First Class
Posted 30 May 2005 - 06:14 AM
looks like it's being done by GetProp and EnumProps functions, but I am not sure...
"The wisest one is the one who knows himself/herself." Quote of the life
belgther... aka... belgther
belgther... aka... belgther
#5
aapje
-
- Members
-
- 289 posts
Staff Sergeant
Posted 30 May 2005 - 07:33 AM
i think it is possible to hook the closefile from the process you are injected to and make the call to its orgional function to close the handle
#6
White Scorpion
-
- Sergeant Major
-
- 674 posts
Sergeant First Class
Posted 30 May 2005 - 09:04 AM
@belgther > i would have to test it, but from reading it you have to specify a valid window name... i will go deeper into it...
@aapje > i don't want to close it, i just want to borrow it for a second to make some adjustments
@aapje > i don't want to close it, i just want to borrow it for a second to make some adjustments
The path of access leads to the server of wisdom..
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
#7
belgther
-
- Sergeant Major
-
- 650 posts
Sergeant First Class
Posted 30 May 2005 - 06:59 PM
WS, but window names can also be got by EnumWindows, as far as I know.
"The wisest one is the one who knows himself/herself." Quote of the life
belgther... aka... belgther
belgther... aka... belgther
#8
aapje
-
- Members
-
- 289 posts
Staff Sergeant
Posted 31 May 2005 - 01:19 AM
@belgther > i would have to test it, but from reading it you have to specify a valid window name... i will go deeper into it...
@aapje > i don't want to close it, i just want to borrow it for a second to make some adjustments
yes but if you detour open or close file you can log the handle and use that handle to write to the file (not 100% if that would work but i think so because you get the same handle that the process uses so you should be able to write using it)
#9
White Scorpion
-
- Sergeant Major
-
- 674 posts
Sergeant First Class
Posted 31 May 2005 - 08:36 AM
@aapje > i don't have a clue what you mean 
@belgther > i've tried GetProp with several values for the first parameter (GetModuleHandle(NULL), etc) and with the 2nd value a string to the filename. unfortunately the function always returns "File not found".
Any other ideas guys?
@belgther > i've tried GetProp with several values for the first parameter (GetModuleHandle(NULL), etc) and with the 2nd value a string to the filename. unfortunately the function always returns "File not found".
Any other ideas guys?
The path of access leads to the server of wisdom..
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
#11
White Scorpion
-
- Sergeant Major
-
- 674 posts
Sergeant First Class
Posted 01 June 2005 - 08:13 AM
Thanks JonJon, i didn't think about that one.. I will give it a go
The path of access leads to the server of wisdom..
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
