Link to home
Start Free TrialLog in
Avatar of AssafLavie
AssafLavie

asked on

process handle table, list of opened files

I want to query the handle tables of processes so that I can determine which processes hold a given file (not just DLL) open.
Some "undocumented API" sites point at the direction of the EPROCESS structure. How do I get a pointer to it, given a process' handle?
Must is run in kernel mode? through a device driver? Because SysInternals' "Process Explorer" doesn't seem to be using a device driver, as far as I'm able to notice...

ASKER CERTIFIED SOLUTION
Avatar of jkr
jkr
Flag of Germany image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of jkr
jkr
Flag of Germany image
BTW, the the structure definitions were taken from Gary Nebbett' book "Native API Reference"
Avatar of AssafLavie
AssafLavie

ASKER

Cool. Trying it out...
btw, a couple of years ago.. have you tried it on XP?
Avatar of jkr
jkr
Flag of Germany image
Yes, it works on XP also.
Avatar of AssafLavie
AssafLavie

ASKER

Any idea where I can find ntdll.h? (did it come with the book?)
Avatar of jkr
jkr
Flag of Germany image
You won't even need it - it's just a helper file that contains some declarations, but all you need are there. Just delete that line :o)
Avatar of jkr
jkr
Flag of Germany image
Just noticed that you'll need to link with ntdll.lib - this one comes with the DDK. Alternatively, you could load the Zw* functions dynamically.
Avatar of AssafLavie
AssafLavie

ASKER

Yea, well it's probably not that simple. If I remove the include line it just fails to recognize stuff like NT::POOL_TYPE.
I actuall found ntdll.h online, but I guess it uses some headers from the ddk, which I don't have...
I'll try to get my hands on them and test it out.
Meanwhile, thanks for the help.
Avatar of jkr
jkr
Flag of Germany image
Well, it *does* work. If you need e.g. the .exe, just drop me a mail :o)