1 /*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /*
18 * "find_lock.exe", for Windows only.
19 *
20 * References used:
21 *
22 * http://drdobbs.com/windows/184411099
23 * article by Sven B. Schreiber, November 01, 1999
24 *
25 * http://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c2827/
26 * by Zoltan Csizmadia, November 14, 2000
27 *
28 * http://stackoverflow.com/questions/860656/
29 * (same technique, but written in unsafe C#)
30 *
31 * Starting with Vista, we can also use the Restart Manager API as
32 * explained here: (TODO for next version)
33 * http://msdn.microsoft.com/en-us/magazine/cc163450.aspx
34 */
35
36 #ifdef _WIN32
37
38 #include "utils.h"
39 #include <ctype.h>
40 #include <fcntl.h>
41 #include <io.h>
42 #include <process.h>
43
44
45 // NtDll structures from the the Dr Dobbs article, adjusted for our needs:
46
47 typedef void *POBJECT;
48 typedef LONG KPRIORITY;
49 typedef LARGE_INTEGER QWORD;
50
51 typedef struct {
52 WORD Length;
53 WORD MaximumLength;
54 PWORD Buffer;
55 } UNICODE_STRING;
56
57 typedef struct {
58 DWORD dIdProcess;
59 BYTE bObjectType; // OB_TYPE_*
60 BYTE bFlags; // bits 0..2 HANDLE_FLAG_*
61 WORD wValue; // multiple of 4
62 POBJECT pObject;
63 ACCESS_MASK GrantedAccess;
64 } SYSTEM_HANDLE;
65
66 typedef struct {
67 DWORD dCount;
68 SYSTEM_HANDLE ash[1];
69 } SYSTEM_HANDLE_INFORMATION;
70
71 typedef struct {
72 DWORD PeakVirtualSize;
73 DWORD VirtualSize;
74 DWORD PageFaultCount;
75 DWORD PeakWorkingSetSize;
76 DWORD WorkingSetSize;
77 DWORD QuotaPeakPagedPoolUsage;
78 DWORD QuotaPagedPoolUsage;
79 DWORD QuotaPeakNonPagedPoolUsage;
80 DWORD QuotaNonPagedPoolUsage;
81 DWORD PagefileUsage;
82 DWORD PeakPagefileUsage;
83 } VM_COUNTERS;
84
85 typedef struct {
86 HANDLE UniqueProcess;
87 HANDLE UniqueThread;
88 } CLIENT_ID;
89
90 typedef enum {
91 // Ignored. We don't actually use these values.
92 Unused
93 } KWAIT_REASON;
94
95 typedef struct {
96 QWORD qKernelTime; // 100 nsec units
97 QWORD qUserTime; // 100 nsec units
98 QWORD qCreateTime; // relative to 01-01-1601
99 DWORD d18;
100 PVOID pStartAddress;
101 CLIENT_ID Cid; // process/thread ids
102 DWORD dPriority;
103 DWORD dBasePriority;
104 DWORD dContextSwitches;
105 DWORD dThreadState; // 2=running, 5=waiting
106 KWAIT_REASON WaitReason;
107 DWORD dReserved01;
108 } SYSTEM_THREAD;
109
110 typedef struct {
111 DWORD dNext; // relative offset
112 DWORD dThreadCount;
113 DWORD dReserved01;
114 DWORD dReserved02;
115 DWORD dReserved03;
116 DWORD dReserved04;
117 DWORD dReserved05;
118 DWORD dReserved06;
119 QWORD qCreateTime; // relative to 01-01-1601
120 QWORD qUserTime; // 100 nsec units
121 QWORD qKernelTime; // 100 nsec units
122 UNICODE_STRING usName;
123 KPRIORITY BasePriority;
124 DWORD dUniqueProcessId;
125 DWORD dInheritedFromUniqueProcessId;
126 DWORD dHandleCount;
127 DWORD dReserved07;
128 DWORD dReserved08;
129 VM_COUNTERS VmCounters;
130 DWORD dCommitCharge; // bytes
131 SYSTEM_THREAD ast[1];
132 } SYSTEM_PROCESS_INFORMATION;
133
134 // The sic opcode for NtQuerySystemInformation
135 typedef enum {
136 SystemProcessInformation = 5,
137 SystemHandleInformation = 16,
138 } SYSTEMINFOCLASS;
139
140
141 #define STATUS_SUCCESS 0x00000000
142 #define STATUS_UNSUCCESSFUL 0xC0000001
143 #define STATUS_NOT_IMPLEMENTED 0xC0000002
144 #define STATUS_INVALID_INFO_CLASS 0xC0000003
145 #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
146 #define STATUS_INVALID_PARAMETER 0xC000000D
147
148 typedef DWORD (WINAPI *NtQuerySystemInformationFuncPtr)(
149 DWORD sic, VOID* pData, DWORD sSize, ULONG* pdSize);
150 typedef DWORD (WINAPI *NtQueryInformationFileFuncPtr)(HANDLE, PVOID, PVOID, DWORD, DWORD);
151 typedef DWORD (WINAPI *NtQueryObjectFuncPtr)(HANDLE, DWORD, VOID*, DWORD, VOID*);
152
153 static NtQuerySystemInformationFuncPtr sNtQuerySystemInformationFunc;
154 static NtQueryInformationFileFuncPtr sNtQueryInformationFileFunc;
155 static NtQueryObjectFuncPtr sNtQueryObjectFunc;
156
157 //------------
158
159 // Get the NT DLL functions we need to use.
init()160 static bool init() {
161
162 sNtQuerySystemInformationFunc =
163 (NtQuerySystemInformationFuncPtr) GetProcAddress(
164 GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
165
166 sNtQueryInformationFileFunc =
167 (NtQueryInformationFileFuncPtr) GetProcAddress(
168 GetModuleHandleA("ntdll.dll"), "NtQueryInformationFile");
169
170 sNtQueryObjectFunc =
171 (NtQueryObjectFuncPtr) GetProcAddress(
172 GetModuleHandleA("ntdll.dll"), "NtQueryObject");
173
174 return sNtQuerySystemInformationFunc != NULL &&
175 sNtQueryInformationFileFunc != NULL &&
176 sNtQueryObjectFunc != NULL;
177 }
178
terminate()179 static void terminate() {
180 sNtQuerySystemInformationFunc = NULL;
181 sNtQueryInformationFileFunc = NULL;
182 sNtQueryObjectFunc = NULL;
183 }
184
adjustPrivileges()185 static bool adjustPrivileges() {
186 char *error = NULL;
187 HANDLE tokenH;
188
189 // Open a process token that lets us adjust privileges
190 BOOL ok = OpenProcessToken(GetCurrentProcess(), // ProcessHandle
191 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, // DesiredAccess
192 &tokenH); // TokenHandle
193 if (!ok) {
194 error = "OpenProcessToken failed: ";
195 goto bail_out;
196 }
197
198 // Lookup the privilege by name and get its local LUID token.
199 // What we request:
200 // SE_DEBUG_NAME, aka "SeDebugPrivilege"
201 // MSDN: Required to debug and adjust the memory of a process owned by another account.
202 // User Right: Debug programs.
203 TOKEN_PRIVILEGES priv;
204 priv.PrivilegeCount = 1;
205 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
206 ok = LookupPrivilegeValueA(NULL, // lpSystemName
207 SE_DEBUG_NAME, // lpName
208 &(priv.Privileges[0].Luid)); // lpLuid
209 if (!ok) {
210 error = "LookupPrivilegeValue failed: ";
211 goto bail_out;
212 }
213
214 ok = AdjustTokenPrivileges(tokenH, // TokenHandle
215 FALSE, // DisableAllPrivileges
216 &priv, // NewState
217 0, // BufferLength
218 NULL, // PreviousState
219 0); // ReturnLength
220 if (!ok) {
221 error = "AdjustTokenPrivileges failed: ";
222 goto bail_out;
223 }
224
225 bail_out:
226 if (error != NULL && gIsDebug) {
227 CString err;
228 err.setLastWin32Error(error);
229 fprintf(stderr, "%s", err.cstr());
230 }
231
232 if (tokenH != NULL) {
233 CloseHandle(tokenH);
234 }
235
236 return !!ok;
237 }
238
getHandleType(HANDLE h,CString * type)239 static bool getHandleType(HANDLE h, CString *type) {
240 bool result = false;
241 ULONG size = 0;
242 // Get the size of the type string
243 int status = sNtQueryObjectFunc(h, 2, NULL, 0, &size);
244 if (status == STATUS_INFO_LENGTH_MISMATCH && size > 0) {
245 // Get the type string itself
246 char *buf = new char[size];
247 status = sNtQueryObjectFunc(h, 2, buf, size, NULL);
248 if (status == 0 && size > 96) {
249 // The type string we want is a wide unicode (UTF16)
250 // zero-terminated string located at offset 96 in the
251 // buffer. In our case we want the string to be
252 // "Directory" or "File" so we know the max useful length
253 // is 9.
254 // Since we can only deal with ansi strings in this program,
255 // we'll make a crude copy of every other byte and just check
256 // that the other bytes are zero.
257 const char *c = buf + 96;
258 const char *e = buf + 96 + size;
259 // we'll write at the beginning of our buffer
260 char *dest = buf;
261 char *dend = dest + 9;
262 for (; c < e && dest < dend && c[0] != '\0' && c[1] == '\0'; c += 2, dest++) {
263 *dest = *c;
264 }
265 *(dest++) = '\0';
266 type->set(buf, dest - buf);
267 result = true;
268 }
269
270 free(buf);
271 }
272 return result;
273 }
274
275 // These is the wide unicode representations of the type we want to find.
276 static const char kFileW[] = "File";
277
isFileHandleType(HANDLE handle)278 static char isFileHandleType(HANDLE handle) {
279 char type = 0;
280 ULONG size = 0;
281 // Get the size of the type string
282 int status = sNtQueryObjectFunc(handle, 2, NULL, 0, &size);
283 if (status == STATUS_INFO_LENGTH_MISMATCH && size > 0) {
284 // Get the type string itself
285 char *buf = new char[size];
286 status = sNtQueryObjectFunc(handle, 2, buf, size, NULL);
287 if (status == 0 && size > 96) {
288 // The type string we want is a wide unicode (UTF16-LE)
289 // zero-terminated string located at offset 96 in the
290 // buffer. In our case we want the string to be "File".
291 //
292 // Since we're reading wide unicode, we want each character
293 // to be the one from our string followed by a zero byte.
294 // e.g. c should point to F \0 i \0 l \0 e \0 \0 \0.
295 const char *c = buf + 96;
296 type = c[0];
297
298 int len = sizeof(kFileW);
299 const char *d = kFileW;
300
301 for (; type != 0 && len > 0; c+=2, d++, len--) {
302 if (c[0] != *d || c[1] != 0) {
303 type = 0;
304 break;
305 }
306 }
307 }
308
309 free(buf);
310 }
311 return type;
312 }
313
314 typedef struct {
315 HANDLE handle;
316 CString *outStr;
317 bool result;
318 } SFileNameInfo;
319
FileNameThreadFunc(void * param)320 static unsigned __stdcall FileNameThreadFunc(void *param) {
321 SFileNameInfo *info = (SFileNameInfo *)param;
322 if (info == NULL) {
323 return 1;
324 }
325
326 char buf[MAX_PATH*2 + 4];
327 DWORD iob[2] = { 0, 0 };
328
329 DWORD status = sNtQueryInformationFileFunc(info->handle, iob, buf, sizeof(buf), 9);
330 if (status == STATUS_SUCCESS) {
331 // The result is a buffer with:
332 // - DWORD (4 bytes) for the *byte* length (so twice the character length)
333 // - Actual string in Unicode
334 // Not sure of the actual type, but it does look like a UNICODE_STRING struct.
335
336 DWORD len = ((DWORD *)buf)[0];
337 if (len <= MAX_PATH * 2) {
338 // We can't handle wide Unicode. What we do is convert it into
339 // straight ansi by just retaining the first of each couple bytes.
340 // Bytes that cannot be mapped (e.g. 2nd byte is != 0) will be
341 // simply converted to 0xFF.
342
343 unsigned char *dest = (unsigned char *)buf + 4;
344 unsigned char *src = (unsigned char *)buf + 4;
345 for (DWORD i = 0; i < len; dest++, src += 2, i += 2) {
346 if (src[1] == 0) {
347 *dest = *src;
348 } else {
349 *dest = 0xFF;
350 }
351 }
352 *dest = '\0';
353 info->outStr->set(buf + 4, len);
354 info->result = true;
355 return 0;
356 }
357 }
358 return 1;
359 }
360
getFileName(HANDLE handle,CString * outStr)361 static bool getFileName(HANDLE handle, CString *outStr) {
362 SFileNameInfo info;
363 info.handle = handle;
364 info.outStr = outStr;
365 info.result = false;
366
367 // sNtQueryInformationFileFunc might hang on some handles.
368 // A trick is to do it in a thread and if it takes too loog then
369 // just shutdown the thread, since it's deadlocked anyway.
370 unsigned threadId;
371 HANDLE th = (HANDLE)_beginthreadex(NULL, // security
372 0, // stack_size
373 &FileNameThreadFunc, // address
374 &info, // arglist
375 0, // initflag
376 &threadId); // thrdaddr
377
378 if (th == NULL) {
379 // Failed to create thread. Shouldn't really happen.
380 outStr->set("<failed to create thread>");
381 return false;
382 }
383
384 bool result = false;
385
386 // Wait for thread or kill it if it takes too long.
387 if (WaitForSingleObject(th /*handle*/, 200 /*ms*/) == WAIT_TIMEOUT) {
388 TerminateThread(th /*handle*/, 0 /*retCode*/);
389 outStr->set("<timeout>");
390 } else {
391 result = info.result;
392 }
393
394 CloseHandle(th);
395 return result;
396 }
397
398 // Find the name of the process (e.g. "java.exe") given its id.
399 // processesPtr must be the list returned by getAllProcesses().
400 // Special handling for javaw.exe: this isn't quite useful so
401 // we also try to find and append the parent process name.
getProcessName(SYSTEM_PROCESS_INFORMATION * processesPtr,DWORD remoteProcessId,CString * outStr)402 static bool getProcessName(SYSTEM_PROCESS_INFORMATION *processesPtr,
403 DWORD remoteProcessId,
404 CString *outStr) {
405 SYSTEM_PROCESS_INFORMATION *ptr = processesPtr;
406 while (ptr != NULL) {
407 if (ptr->dUniqueProcessId == remoteProcessId) {
408 // This is the process we want.
409
410 UNICODE_STRING *uniStr = &(ptr->usName);
411 WORD len = uniStr->Length;
412
413 char buf[MAX_PATH];
414 if (len <= MAX_PATH * 2) {
415 // We can't handle wide Unicode. What we do is convert it into
416 // straight ansi by just retaining the first of each couple bytes.
417 // Bytes that cannot be mapped (e.g. 2nd byte is != 0) will be
418 // simply converted to 0xFF.
419
420 unsigned char *dest = (unsigned char *)buf;
421 unsigned char *src = (unsigned char *)uniStr->Buffer;
422 for (WORD i = 0; i < len; dest++, src += 2, i += 2) {
423 if (src[1] == 0) {
424 *dest = *src;
425 } else {
426 *dest = 0xFF;
427 }
428 }
429 *dest = '\0';
430 outStr->set(buf, len);
431
432 if (strcmp(buf, "javaw.exe") == 0) {
433 // Heuristic: eclipse often shows up as javaw.exe
434 // but what is useful is to report eclipse to the user
435 // instead.
436 // So in this case, look at the parent and report it too.
437 DWORD parentId = ptr->dInheritedFromUniqueProcessId;
438 if (parentId > 0) {
439 CString name2;
440 bool ok2 = getProcessName(processesPtr,
441 parentId,
442 &name2);
443 if (ok2) {
444 outStr->add(" (");
445 outStr->add(name2.cstr());
446 outStr->add(")");
447 }
448 }
449 }
450
451 return true;
452 }
453 }
454
455 // Look at the next process, if any.
456 if (ptr->dNext == NULL) {
457 break;
458 } else {
459 ptr = (SYSTEM_PROCESS_INFORMATION *)((char *)ptr + ptr->dNext);
460 }
461 }
462
463 outStr->setf("<process id %08x name not found>", remoteProcessId);
464 return false;
465 }
466
467 // Query system for all processes information.
468 // Returns an error string in case of error.
469 // Returns the virtual_alloc-allocated buffer on success or NULL on error.
470 // It's up to the caller to do a VirtualFree on the returned buffer.
queryAllProcess(const char ** error)471 static SYSTEM_PROCESS_INFORMATION *queryAllProcess(const char **error) {
472 // Allocate a buffer for the process information. We don't know the
473 // exact size. A normal system might typically have between 100-200 processes.
474 // We'll resize the buffer if not big enough.
475 DWORD infoSize = 4096;
476 SYSTEM_PROCESS_INFORMATION *infoPtr =
477 (SYSTEM_PROCESS_INFORMATION *) VirtualAlloc(NULL, infoSize, MEM_COMMIT, PAGE_READWRITE);
478
479 if (infoPtr != NULL) {
480 // Query the actual size needed (or the data if it fits in the buffer)
481 DWORD needed = 0;
482 if (sNtQuerySystemInformationFunc(
483 SystemProcessInformation, infoPtr, infoSize, &needed) != 0) {
484 if (needed == 0) {
485 // Shouldn't happen.
486 *error = "No processes found";
487 goto bail_out;
488 }
489
490 // Realloc
491 VirtualFree(infoPtr, 0, MEM_RELEASE);
492 infoSize += needed;
493 infoPtr = (SYSTEM_PROCESS_INFORMATION *) VirtualAlloc(
494 NULL, infoSize, MEM_COMMIT, PAGE_READWRITE);
495
496 // Query all the processes objects again
497 if (sNtQuerySystemInformationFunc(
498 SystemProcessInformation, infoPtr, infoSize, NULL) != 0) {
499 *error = "Failed to query system processes";
500 goto bail_out;
501 }
502 }
503 }
504
505 if (infoPtr == NULL) {
506 *error = "Failed to allocate system processes info buffer";
507 goto bail_out;
508 }
509
510 bail_out:
511 if (*error != NULL) {
512 VirtualFree(infoPtr, 0, MEM_RELEASE);
513 infoPtr = NULL;
514 }
515 return infoPtr;
516 }
517
518 // Query system for all handle information.
519 // Returns an error string in case of error.
520 // Returns the virtual_alloc-allocated buffer on success or NULL on error.
521 // It's up to the caller to do a VirtualFree on the returned buffer.
queryAllHandles(const char ** error)522 static SYSTEM_HANDLE_INFORMATION *queryAllHandles(const char **error) {
523 // Allocate a buffer. It won't be large enough to get the handles
524 // (e.g. there might be 10k or 40k handles around). We'll resize
525 // it once we know the actual size.
526 DWORD infoSize = 4096;
527 SYSTEM_HANDLE_INFORMATION *infoPtr =
528 (SYSTEM_HANDLE_INFORMATION *) VirtualAlloc(NULL, infoSize, MEM_COMMIT, PAGE_READWRITE);
529
530 if (infoPtr != NULL) {
531 // Query the actual size needed
532 DWORD needed = 0;
533 if (sNtQuerySystemInformationFunc(
534 SystemHandleInformation, infoPtr, infoSize, &needed) != 0) {
535 if (needed == 0) {
536 // Shouldn't happen.
537 *error = "No handles found";
538 goto bail_out;
539 }
540
541 // Realloc
542 VirtualFree(infoPtr, 0, MEM_RELEASE);
543 infoSize += needed;
544 infoPtr = (SYSTEM_HANDLE_INFORMATION *) VirtualAlloc(
545 NULL, infoSize, MEM_COMMIT, PAGE_READWRITE);
546 }
547 }
548
549 if (infoPtr == NULL) {
550 *error = "Failed to allocate system handle info buffer";
551 goto bail_out;
552 }
553
554 // Query all the handle objects
555 if (sNtQuerySystemInformationFunc(SystemHandleInformation, infoPtr, infoSize, NULL) != 0) {
556 *error = "Failed to query system handles";
557 goto bail_out;
558 }
559
560 bail_out:
561 if (*error != NULL) {
562 VirtualFree(infoPtr, 0, MEM_RELEASE);
563 infoPtr = NULL;
564 }
565 return infoPtr;
566 }
567
findLock(CPath & path,CString * outModule)568 bool findLock(CPath &path, CString *outModule) {
569 bool result = false;
570 const char *error = NULL;
571
572 SYSTEM_PROCESS_INFORMATION *processesPtr = NULL;
573 SYSTEM_HANDLE_INFORMATION *handlesPtr = NULL;
574
575 const HANDLE currProcessH = GetCurrentProcess();
576 const DWORD currProcessId = GetCurrentProcessId();
577 HANDLE remoteProcessH = NULL;
578 DWORD remoteProcessId = 0;
579 DWORD matchProcessId = 0;
580
581 int numHandleFound = 0;
582 int numHandleChecked = 0;
583 int numHandleDirs = 0;
584 int numHandleFiles = 0;
585 int numProcessMatch = 0;
586
587 BYTE ob_type_file = 0;
588
589 // Get the path to search, without the drive letter.
590 const char *searchPath = path.cstr();
591 if (isalpha(searchPath[0]) && searchPath[1] == ':') {
592 searchPath += 2;
593 }
594 int searchPathLen = strlen(searchPath);
595
596 if (gIsDebug) fprintf(stderr, "Search path: '%s'\n", searchPath);
597
598 if (!init()) {
599 error = "Failed to bind to ntdll.dll";
600 goto bail_out;
601 }
602
603 if (!adjustPrivileges()) {
604 // We can still continue even if the privilege escalation failed.
605 // The apparent effect is that we'll fail to query the name of
606 // some processes, yet it will work for some of them.
607 if (gIsDebug) fprintf(stderr, "Warning: adusting privileges failed. Continuing anyway.\n");
608 } else {
609 if (gIsDebug) fprintf(stderr, "Privileges adjusted.\n"); // DEBUG remove lter
610 }
611
612 processesPtr = queryAllProcess(&error);
613 if (processesPtr == NULL) goto bail_out;
614
615 handlesPtr = queryAllHandles(&error);
616 if (handlesPtr == NULL) goto bail_out;
617
618 numHandleFound = handlesPtr->dCount;
619
620 // Check all the handles
621 for (int n = handlesPtr->dCount, i = 0; i < n; i++) {
622 SYSTEM_HANDLE sysh = handlesPtr->ash[i];
623
624 if (ob_type_file != 0 && sysh.bObjectType != ob_type_file) {
625 continue;
626 }
627
628 HANDLE handle = (HANDLE) sysh.wValue;
629 DWORD remoteId = sysh.dIdProcess;
630 HANDLE remoteH = NULL;
631
632 if (remoteId == matchProcessId) {
633 // We already matched that process, we can skip its other entries.
634 continue;
635 }
636
637 if (remoteId == currProcessId) {
638 // We don't match ourselves
639 continue;
640 }
641
642 // Open a remote process.
643 // Most entries of a given process seem to be consecutive, so we
644 // only open the remote process handle if it's a different id.
645 if (remoteProcessH == NULL && remoteId == remoteProcessId) {
646 // We already tried to open this process and it failed.
647 // It's not going to be any better the next time so skip it.
648 continue;
649 }
650 if (remoteProcessH == NULL || remoteId != remoteProcessId) {
651 if (remoteProcessH != NULL) {
652 CloseHandle(remoteProcessH);
653 }
654
655 remoteProcessId = remoteId;
656 remoteProcessH = OpenProcess(PROCESS_DUP_HANDLE,
657 FALSE /*inheritHandle*/,
658 remoteProcessId);
659 if (remoteProcessH == NULL) {
660 continue;
661 }
662 }
663
664 if (remoteProcessH != NULL) {
665 // Duplicate the remote handle
666 if (DuplicateHandle(remoteProcessH, // hSourceProcessHandle
667 handle, // hSourceHandle
668 currProcessH, // hTargetProcessHandle
669 &remoteH, // lpTargetHandle
670 0, // dwDesiredAccess (ignored by same access)
671 FALSE, // bInheritHandle
672 DUPLICATE_SAME_ACCESS) == 0) {
673 continue;
674 }
675 }
676
677 numHandleChecked++;
678
679 char type = isFileHandleType(remoteH);
680
681 if (type != 0) {
682 if (type == 'D') numHandleDirs++;
683 else if (type == 'F') numHandleFiles++;
684
685 // TODO simplify by not keeping directory handles
686 if (ob_type_file == 0 && type == 'F') {
687 // We found the first file handle. Remember it's system_handle object type
688 // and then use it to filter the following system_handle.
689 // For some reason OB_TYPE_FILE should be 0x1A but empirically I find it
690 // to be 0x1C, so we just make this test more dynamic.
691 ob_type_file = sysh.bObjectType;
692 }
693
694 // Try to get a filename out of that file or directory handle.
695 CString name("<unknown>");
696 bool ok = getFileName(remoteH, &name);
697
698 if (gIsDebug) {
699 fprintf(stderr, "P:%08x | t:%02x | f:%02x | v:%08x | %c | %s %s\n",
700 sysh.dIdProcess, sysh.bObjectType, sysh.bFlags, sysh.wValue,
701 type,
702 ok ? "OK" : "FAIL",
703 name.cstr()
704 );
705 }
706
707 if (ok) {
708 // We got a file path. Let's check if it matches our target path.
709 if (_strnicmp(searchPath, name.cstr(), searchPathLen) == 0) {
710 // Remember this process id so that we can ignore all its following entries.
711 matchProcessId = remoteId;
712
713 // Find out its process name
714 CString procName("<unknown>");
715 ok = getProcessName(processesPtr, remoteProcessId, &procName);
716 if (ok) {
717 numProcessMatch++;
718
719 if (!outModule->isEmpty()) {
720 outModule->add(";");
721 }
722 outModule->add(procName.cstr());
723 result = true;
724 }
725
726 if (gIsDebug) {
727 fprintf(stderr, "==> MATCH FOUND: %s %s\n",
728 ok ? "OK" : "FAIL",
729 procName.cstr()
730 );
731 }
732 }
733 }
734
735 }
736
737 if (remoteH != NULL) {
738 CloseHandle(remoteH);
739 remoteH = NULL;
740 }
741 }
742
743 bail_out:
744
745 if (gIsDebug) {
746 fprintf(stderr, "Processes matched: %d\n", numProcessMatch);
747 fprintf(stderr, "Handles: %d found, %d checked, %d dirs, %d files\n",
748 numHandleFound,
749 numHandleChecked,
750 numHandleDirs,
751 numHandleFiles);
752 }
753
754 if (error != NULL) {
755 CString msg;
756 msg.setLastWin32Error(NULL);
757 if (gIsDebug) fprintf(stderr, "[ERROR] %s: %s", error, msg.cstr());
758 }
759
760 if (remoteProcessH != NULL) {
761 CloseHandle(remoteProcessH);
762 }
763
764 if (currProcessH != NULL) {
765 CloseHandle(currProcessH);
766 }
767
768 if (handlesPtr != NULL) {
769 VirtualFree(handlesPtr, 0, MEM_RELEASE);
770 handlesPtr = NULL;
771 }
772
773 terminate();
774
775 return result;
776 }
777
778 #endif /* _WIN32 */
779