Discussion:
WaitForSingleObject and invalid handles...
Mike Collins
2007-07-24 13:03:26 UTC
Hi all, got a bit of a problem with a system I'm working on. Have an
interception hook that hooks NtCreateProcess/Ex. I spawn a ** waiting **
thread from this call and pass it the process handle returned from
NtCreateProcess/Ex. I need this thread to be signaled when the new process
is terminated, so I use WaitForInputIdle and WaitForSingleObject with the
handle returned from NtCreateProcess/Ex. In both cases, the wait function
fails, returning a last error of Invalid Handle. Can anyone tell me why the
handle returned from NtCreateProcess/Ex appears to be invalid at this point?

Many thanks

Mike
Gary Chanson
2007-07-24 12:25:35 UTC
Post by Mike Collins
Hi all, got a bit of a problem with a system I'm working on. Have an
interception hook that hooks NtCreateProcess/Ex. I spawn a ** waiting **
thread from this call and pass it the process handle returned from
NtCreateProcess/Ex. I need this thread to be signaled when the new process
is terminated, so I use WaitForInputIdle and WaitForSingleObject with the
handle returned from NtCreateProcess/Ex. In both cases, the wait function
fails, returning a last error of Invalid Handle. Can anyone tell me why the
handle returned from NtCreateProcess/Ex appears to be invalid at this point?
I think you're passing a handle which is valid for the process which
called NtCreateProcessEx into the new process where it is not valid. Handles
are process specific. You need to create a handle that is valid for the new
process by calling DuplicateHandle.
--
- Gary Chanson (Windows SDK MVP)
- Abolish Public Schools
Mike Collins
2007-07-24 15:47:11 UTC
Hi Gary, thanks for the reply...

I'm quite new to this so please excuse any misconceptions that I have or may
make. From what you have said, the process handle is only valid within the
scope of the ** calling ** process - is this correct? So when I pass this
handle, as a parameter to my thread, it becomes invalid? Is this correct?

This would sound like a probable cause, I have a function ProcessHandleToId
which maps / converts a process handle to a Pid. If I call this from within
the hooked function then it works but I found that if I call it from the
thread, it fails.

In following with this, on the surface, this seems likely but if I stick my
wait calls in the hooked function, they still fail.

Can you elaborate a bit on the DuplicateHandle - should I make this call
from within my hooked function or from within the thread - will the handle
be invalid once it is passed to the thread?

Thanks again for your help, any suggestions or pointers will be gratefully
received.

Mike C
Post by Mike Collins
Hi all, got a bit of a problem with a system I'm working on. Have an
interception hook that hooks NtCreateProcess/Ex. I spawn a ** waiting **
thread from this call and pass it the process handle returned from
Don Burn
2007-07-24 14:44:53 UTC
Another question is how are you hooking? If this is a kernel hook on
NtCreateProcess/Ex be aware that these are unsafe on all systems, and
unusable on 64-bit. In general hooking is viewed as MALWARE.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
Post by Mike Collins
Hi Gary, thanks for the reply...
I'm quite new to this so please excuse any misconceptions that I have or
may make. From what you have said, the process handle is only valid
within the scope of the ** calling ** process - is this correct? So when
I pass this handle, as a parameter to my thread, it becomes invalid? Is
this correct?
This would sound like a probable cause, I have a function
ProcessHandleToId which maps / converts a process handle to a Pid. If I
call this from within the hooked function then it works but I found that
if I call it from the thread, it fails.
In following with this, on the surface, this seems likely but if I stick
my wait calls in the hooked function, they still fail.
Can you elaborate a bit on the DuplicateHandle - should I make this call
from within my hooked function or from within the thread - will the
handle be invalid once it is passed to the thread?
Thanks again for your help, any suggestions or pointers will be gratefully
received.
Mike C
Post by Mike Collins
Hi all, got a bit of a problem with a system I'm working on. Have an
interception hook that hooks NtCreateProcess/Ex. I spawn a ** waiting **
thread from this call and pass it the process handle returned from
Mike Collins
2007-07-24 16:07:04 UTC
Point taken, it's a user-mode hook and has been tested for stability on all
32-bit systems - where it seems to **hold water**.

Currently it is just intended as an in-house monitoring system - not a
commercial product.
Post by Don Burn
Another question is how are you hooking? If this is a kernel hook on
NtCreateProcess/Ex be aware that these are unsafe on all systems, and
unusable on 64-bit. In general hooking is viewed as MALWARE.
--
Gary Chanson
2007-07-24 15:07:21 UTC
Post by Mike Collins
Hi Gary, thanks for the reply...
I'm quite new to this so please excuse any misconceptions that I have or may
make. From what you have said, the process handle is only valid within the
scope of the ** calling ** process - is this correct? So when I pass this
handle, as a parameter to my thread, it becomes invalid? Is this correct?
This would sound like a probable cause, I have a function ProcessHandleToId
which maps / converts a process handle to a Pid. If I call this from within
the hooked function then it works but I found that if I call it from the
thread, it fails.
In following with this, on the surface, this seems likely but if I stick my
wait calls in the hooked function, they still fail.
Can you elaborate a bit on the DuplicateHandle - should I make this call
from within my hooked function or from within the thread - will the handle
be invalid once it is passed to the thread?
Thanks again for your help, any suggestions or pointers will be gratefully
received.
It's not very clear to me what you're doing and as Don points out it
sounds like you might be doing some unsafe things. If we knew what you're
trying to accomplish we might be able to suggest better approaches.

A handle is only valid in one process. DuplicateHandle can produce a
second handle which is valid in a different process. It can be executed by
either process since its parameters define both source and destination
processes. The original handle will still be usable in the original process.

If you are already using process IDs, maybe it would be simpler to just
open a handle to the process as needed.
--
- Gary Chanson (Windows SDK MVP)
- Abolish Public Schools
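
Added example, not part of the thread: a small portable C model of the per-process handle tables described in the reply above. It is not Win32 code; every name in it is hypothetical, and it simplifies duplication so that rights can only be narrowed. It shows a handle value failing in another process, a duplicate surviving the close of the original, and a handle without the wait right being refused.

```c
#include <stdio.h>
/* Portable model of per-process handle tables. Not Win32 code; all names are hypothetical. */
enum { SYNC_RIGHT = 1, ALL_RIGHTS = 3, MAX_HANDLES = 8 };  /* SYNC_RIGHT: needed to wait */
enum status { OK = 0, ACCESS_DENIED = 5, INVALID_HANDLE = 6 };
struct object  { int handle_count; };
struct entry   { struct object *obj; unsigned access; };
struct process { struct entry table[MAX_HANDLES]; };       /* private to one process */
/* A handle value is only an index into the owning process's table. */
static struct entry *lookup(struct process *p, int h) {
    if (h < 1 || h > MAX_HANDLES || !p->table[h - 1].obj) return NULL;
    return &p->table[h - 1];
}
static int open_handle(struct process *p, struct object *o, unsigned access) {
    for (int i = 0; i < MAX_HANDLES; i++)
        if (!p->table[i].obj) {
            p->table[i] = (struct entry){ o, access };
            o->handle_count++;
            return i + 1;
        }
    return 0;                                               /* table full */
}
static enum status close_handle(struct process *p, int h) {
    struct entry *e = lookup(p, h);
    if (!e) return INVALID_HANDLE;
    e->obj->handle_count--;
    e->obj = NULL;
    return OK;
}
/* Models DuplicateHandle: source and target are parameters. Simplification: rights only narrow. */
static int duplicate_handle(struct process *src, int h, struct process *dst, unsigned access) {
    struct entry *e = lookup(src, h);
    return e ? open_handle(dst, e->obj, access & e->access) : 0;
}
/* Only the validity and access checks that a wait performs; nothing blocks. */
static enum status wait_check(struct process *p, int h) {
    struct entry *e = lookup(p, h);
    return !e ? INVALID_HANDLE : (e->access & SYNC_RIGHT) ? OK : ACCESS_DENIED;
}
int main(void) {
    struct process a = {0}, b = {0};
    struct object file = {0}, child = {0};
    open_handle(&a, &file, ALL_RIGHTS);                     /* a: handle 1 */
    int h = open_handle(&a, &child, ALL_RIGHTS);            /* a: handle 2 */
    int d = duplicate_handle(&a, h, &b, SYNC_RIGHT);        /* b: handle 1 */
    printf("a's value %d used in b: status %d\n", h, wait_check(&b, h));
    close_handle(&a, h);
    printf("b's duplicate %d after a closed its own: status %d\n", d, wait_check(&b, d));
    return 0;
}
```

In the model, as with real handles, a duplicate made only for waiting needs nothing beyond the synchronize right, so the waiter holds no more access than it uses.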
Mike Collins
2007-07-24 23:34:35 UTC
Thanks Gary - the DuplicateHandle was all I needed - works perfectly now.

Thanks again,

Mike C
