I have seen NtQueryObject hang for duplicated handles with these granted access values (handle.GrantedAccess
is an ACCESS_MASK type):
1179785 (integer) --> 0b100100000000010001001 (binary)
1180063 (integer) --> 0b100100000000110011111 (binary)
1180041 (integer) --> 0b100100000000110001001 (binary)
2032127 (integer) --> 0b111110000000111111111 (binary)
                             ||||||| |   |
                             ^^^^^^^ ^   ^
Possible culprit bits seem to be 3rd and 7th bit, but could also be 9th to 15th bit.
Always, the handle.ObjectTypeNumber is 30. What is this object type number, and how can I get a list of the specific rights of this type? My experiments have kind of shown that it must be bits 0-15 causing the hang on this object type number of 30 (integer).

handle is a SYSTEM_HANDLE type defined as:
typedef struct _SYSTEM_HANDLE
{
    ULONG       ProcessId;        /* PID of the process owning the handle */
    BYTE        ObjectTypeNumber; /* index into the kernel object-type table */
    BYTE        Flags;            /* handle attributes (inherit, protect-from-close, ...) */
    USHORT      Handle;           /* the handle value in that process */
    PVOID       Object;           /* kernel address of the object */
    ACCESS_MASK GrantedAccess;    /* rights granted when the handle was opened */
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
I am writing a forensic tool to enumerate all open file handles using the method described here.
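An added example, not the asker's code and not from the linked enumeration method: it decodes the four GrantedAccess values above against the specific rights defined for File objects (the FILE_* and standard-rights bit values are the public winnt.h definitions, so no Windows headers are needed and it compiles anywhere) and computes what the hanging handles have in common. It assumes, as the question implies, that type number 30 is the File object type on that machine; the index is not stable across Windows versions, so a tool should resolve the name with NtQueryObject(ObjectTypeInformation) rather than hard-coding 30. The sample array is just the four numbers from the question.

```c
/*
 * Added example (not from the question or answer): decode an ACCESS_MASK
 * as granted on a File object and compare several masks.
 * Bit values mirror winnt.h; no Windows headers are required.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

typedef uint32_t ACCESS_MASK;   /* same width as the Windows typedef */

/* ACCESS_MASK layout: bits 0-15 object-specific rights, 16-23 standard
 * rights, 24 ACCESS_SYSTEM_SECURITY, 25 MAXIMUM_ALLOWED, 28-31 GENERIC_*. */
#define SPECIFIC_RIGHTS_ALL 0x0000FFFFu
#define STANDARD_RIGHTS_ALL 0x001F0000u

typedef struct { ACCESS_MASK bit; const char *name; } right_name;

/* Rights meaningful on a File object, low bit first (winnt.h values). */
static const right_name file_rights[] = {
    {0x00000001u, "FILE_READ_DATA"},         /* FILE_LIST_DIRECTORY on dirs */
    {0x00000002u, "FILE_WRITE_DATA"},        /* FILE_ADD_FILE on dirs */
    {0x00000004u, "FILE_APPEND_DATA"},       /* FILE_ADD_SUBDIRECTORY on dirs */
    {0x00000008u, "FILE_READ_EA"},
    {0x00000010u, "FILE_WRITE_EA"},
    {0x00000020u, "FILE_EXECUTE"},           /* FILE_TRAVERSE on dirs */
    {0x00000040u, "FILE_DELETE_CHILD"},
    {0x00000080u, "FILE_READ_ATTRIBUTES"},
    {0x00000100u, "FILE_WRITE_ATTRIBUTES"},
    {0x00010000u, "DELETE"},
    {0x00020000u, "READ_CONTROL"},
    {0x00040000u, "WRITE_DAC"},
    {0x00080000u, "WRITE_OWNER"},
    {0x00100000u, "SYNCHRONIZE"},
    {0x01000000u, "ACCESS_SYSTEM_SECURITY"},
    {0x02000000u, "MAXIMUM_ALLOWED"},
    {0x10000000u, "GENERIC_ALL"},
    {0x20000000u, "GENERIC_EXECUTE"},
    {0x40000000u, "GENERIC_WRITE"},
    {0x80000000u, "GENERIC_READ"},
};

/* Write the named rights of mask into buf ("A | B | C"); return the bits
 * that matched no File right (bits 9-15, for instance, would land here). */
static ACCESS_MASK decode_file_access(ACCESS_MASK mask, char *buf, size_t buflen)
{
    size_t used = 0;
    ACCESS_MASK known = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof file_rights / sizeof file_rights[0]; i++) {
        if (!(mask & file_rights[i].bit)) continue;
        known |= file_rights[i].bit;
        int n = snprintf(buf + used, buflen - used, "%s%s",
                         used ? " | " : "", file_rights[i].name);
        if (n < 0 || (size_t)n >= buflen - used) break;
        used += (size_t)n;
    }
    return mask & ~known;
}

/* Convenience wrapper returning a static decoded string. */
static const char *decode_to_static(ACCESS_MASK mask)
{
    static char buf[512];
    decode_file_access(mask, buf, sizeof buf);
    return buf;
}

/* Intersection of several masks: rights every one of them carries. */
static ACCESS_MASK common_rights(const ACCESS_MASK *masks, size_t count)
{
    ACCESS_MASK acc = 0xFFFFFFFFu;
    for (size_t i = 0; i < count; i++) acc &= masks[i];
    return count ? acc : 0;
}

/* Union of the object-specific (bits 0-15) part of several masks. */
static ACCESS_MASK any_specific_bits(const ACCESS_MASK *masks, size_t count)
{
    ACCESS_MASK acc = 0;
    for (size_t i = 0; i < count; i++) acc |= masks[i];
    return acc & SPECIFIC_RIGHTS_ALL;
}

/* Sample input: the four GrantedAccess values quoted in the question. */
static const ACCESS_MASK seen[] = {1179785u, 1180063u, 1180041u, 2032127u};
static const size_t seen_count = sizeof seen / sizeof seen[0];

static ACCESS_MASK seen_common(void)   { return common_rights(seen, seen_count); }
static ACCESS_MASK seen_specific(void) { return any_specific_bits(seen, seen_count); }

int main(void)
{
    for (size_t i = 0; i < seen_count; i++) {
        char names[512];
        ACCESS_MASK leftover = decode_file_access(seen[i], names, sizeof names);
        printf("0x%08X = %s", (unsigned)seen[i], names);
        if (leftover) printf(" | unnamed:0x%08X", (unsigned)leftover);
        putchar('\n');
    }
    printf("common to all: 0x%08X = %s\n", (unsigned)seen_common(),
           decode_to_static(seen_common()));
    printf("bits 9-15 ever set: %s\n", (seen_specific() & 0xFE00u) ? "yes" : "no");
    return 0;
}
```

Run against the question's numbers, the intersection comes out as 0x00120089, which is exactly FILE_GENERIC_READ (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE); 0x0012019F is FILE_GENERIC_READ | FILE_GENERIC_WRITE and 0x001F01FF is FILE_ALL_ACCESS. Bits 9-15 are clear in every sample, so those samples cannot tell a "zero bits 9-15" hypothesis apart from a "FILE_GENERIC_READ present" one; every entry in the list carries SYNCHRONIZE plus read access, which is worth keeping in mind when deciding which handles to skip.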
I'm a little late, but if you're only interested in disk-based files, you can do this:
The hang generally happens for non-disk files (such as pipes). With this technique, you don't need to worry about handle.GrantedAccess at all.