Access violation reading location 0x00378004.
-
I use NtQuerySystemInformation but I get an error:

```cpp
if(!NtQuerySystemInformation(16,&hInfo,sizeof(hInfo),NULL))
{
    printf("Load NtQuery Unsucessfull");
    Sleep(-1);
    return 1;
}
CString szTam;
szTam.Format(L"%d",hInfo.HandleCount);
MessageBox(0,szTam,0,0);
for(int i=0;i < hInfo.HandleCount;i++)
{
    SYSTEM_HANDLE hSystem=hInfo.Handles[i];   //error here
    HANDLE hdupHandle=NULL;
    ......
}
```

Can you help me? Or must I use ReadProcessMemory?
-
so0_lanhlung2 wrote:
if(!NtQuerySystemInformation(16,&hInfo,sizeof(hInfo),NULL))
What does the '16' stand for? On my winternl.h file the SYSTEM_INFORMATION_CLASS enumeration does not contain such a value. :)
If the Lord God Almighty had consulted me before embarking upon the Creation, I would have recommended something simpler. -- Alfonso the Wise, 13th Century King of Castile.
This is going on my arrogant assumptions. You may have a superb reason why I'm completely wrong. -- Iain Clarke
[My articles]
-
It would help if you'd tell us -so we don't have to try and look it up- which SystemInformationClass '16' is and what hInfo is. I checked NtQuerySystemInformation in MSDN, and I guess you might be using SYSTEM_PROCESS_INFORMATION. In the documentation it says: The HandleCount member contains the total number of handles being used by the process in question; use GetProcessHandleCount to retrieve this information instead. Maybe you should use GetProcessHandleCount instead? However, MSDN does not seem to list a Handles member there, so I might be off track, although this GetProcessHandleCount thing might be applicable to your case too.
> The problem with computers is that they do what you tell them to do and not what you want them to do. < > //TODO: Implement signature here<
modified on Saturday, March 19, 2011 6:07 AM
-
This is my function:

```cpp
void CShowHandlesOfProc::AddHandlesToList(CListCtrl *m_list,DWORD pid)
{
    int nItem=0;
    NTSTATUS status;
    PSYSTEM_HANDLE_INFORMATION handleInfo;
    ULONG handleInfoSize = 0x10000;
    HANDLE processHandle;
    ULONG i;
    _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
    _NtDuplicateObject NtDuplicateObject = (_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
    _NtQueryObject NtQueryObject = (_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");

    if(!(processHandle = OpenProcess(PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,pid)))
        return;

    handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
    // Grow the buffer until the call stops reporting STATUS_INFO_LENGTH_MISMATCH
    while((status = NtQuerySystemInformation(SystemHandleInformation,handleInfo,handleInfoSize,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
        handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);

    if(!NT_SUCCESS(status))
        return;

    for(i = 0; i < handleInfo->HandleCount; i++)
    {
        SYSTEM_HANDLE handle = handleInfo->Handles[i];
        HANDLE dupHandle = NULL;
        POBJECT_TYPE_INFORMATION objectTypeInfo;
        PVOID objectNameInfo;
        UNICODE_STRING objectName;
        ULONG returnLength;

        // Only handles that belong to the target process
        if(handle.ProcessId != pid)
            continue;

        // Duplicate the handle into our own process so it can be queried
        if(!NT_SUCCESS(NtDuplicateObject(processHandle,(HANDLE)handle.Handle,GetCurrentProcess(),&dupHandle,0,0,0)))
            continue;

        objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
        if(!NT_SUCCESS(NtQueryObject(dupHandle,ObjectTypeInformation,objectTypeInfo,0x1000,NULL)))
        {
            CloseHandle(dupHandle);
            continue;
        }

        // Certain access masks are skipped because NtQueryObject can hang on them
        if((handle.GrantedAccess != 0x0012019f) && (handle.GrantedAccess != 0x001a019f) &&
           (handle.GrantedAccess != 0x00120189) && (handle.GrantedAccess != 0x00100000))
        {
            wprintf(L"%s - 0x%X - ",objectTypeInfo->Name.Buffer, handle.Handle);
            //wprintf(L"0x%X",handle.GrantedAccess);
            CString szType,szHandle,szName;
            szHandle.Format(L"0x%X",handle.Handle);
            m_list->InsertItem(nItem,szHandle);
            nItem++;
            objectNameInfo = malloc(0x1000);
```
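Both snippets in this thread (the fixed-size hInfo attempt in the first post and the realloc loop in this function) hinge on how NtQuerySystemInformation(SystemHandleInformation) reports the buffer size it needs, and on an NTSTATUS not being a BOOL. The following is an added example, not code from the thread: it implements the resize protocol and the per-pid filter in portable C, with the ntdll call replaced by a constructed stand-in (fake_query) so it runs offline; on Windows the real function pointer from ntdll.dll would be passed in its place. op_style_is_error shows what the first post's `if(!NtQuerySystemInformation(...))` actually evaluates to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
typedef int32_t NTSTATUS;                  /* an NTSTATUS is not a BOOL: 0 means success */
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define NT_SUCCESS(s)               (((NTSTATUS)(s)) >= 0)
#define SystemHandleInformation     16     /* the "16" asked about in the thread */
typedef struct { uint32_t ProcessId; uint8_t ObjectTypeNumber, Flags; uint16_t Handle;
                 void *Object; uint32_t GrantedAccess; } SYSTEM_HANDLE;
typedef struct { uint32_t HandleCount; SYSTEM_HANDLE Handles[1]; } SYSTEM_HANDLE_INFORMATION;
/* Shape of ntdll!NtQuerySystemInformation; injected so the loop can run offline (assumption). */
typedef NTSTATUS (*query_fn)(uint32_t cls, void *buf, uint32_t len, uint32_t *retlen);
/* What the first post's `if(!NtQuerySystemInformation(...))` computes: success (0) is
 * reported as an error, and STATUS_INFO_LENGTH_MISMATCH falls through into the loop. */
int op_style_is_error(NTSTATUS st) { return !st; }
/* Correct handling: grow until the kernel stops asking for more; NULL on a real failure. */
SYSTEM_HANDLE_INFORMATION *query_handles(query_fn query) {
    uint32_t size = 0x10000, needed = 0;
    void *buf = NULL;
    for (;;) {
        void *p = realloc(buf, size);
        if (!p) { free(buf); return NULL; }
        buf = p;
        NTSTATUS st = query(SystemHandleInformation, buf, size, &needed);
        if (NT_SUCCESS(st)) return buf;
        if (st != STATUS_INFO_LENGTH_MISMATCH) { free(buf); return NULL; }
        size = needed > size ? needed : size * 2;  /* honour ReturnLength when the kernel gives one */
    }
}
/* The function's per-process filter (if(handle.ProcessId != pid) continue;), table freed after. */
uint32_t count_handles_for_pid(query_fn query, uint32_t pid) {
    SYSTEM_HANDLE_INFORMATION *h = query_handles(query);
    uint32_t n = 0;
    if (!h) return 0;
    for (uint32_t i = 0; i < h->HandleCount; i++) n += (h->Handles[i].ProcessId == pid);
    free(h);
    return n;
}
/* Constructed stand-in for the kernel: 100000 entries, far beyond the 64 KiB first guess
 * (and beyond any fixed sizeof(hInfo)), so the caller really has to loop and resize. */
#define FAKE_COUNT 100000u
NTSTATUS fake_query(uint32_t cls, void *buf, uint32_t len, uint32_t *retlen) {
    uint32_t need = (uint32_t)(offsetof(SYSTEM_HANDLE_INFORMATION, Handles) + FAKE_COUNT * sizeof(SYSTEM_HANDLE));
    if (cls != SystemHandleInformation) return (NTSTATUS)0xC0000003;  /* STATUS_INVALID_INFO_CLASS */
    if (retlen) *retlen = need;
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;
    SYSTEM_HANDLE_INFORMATION *h = buf;
    h->HandleCount = FAKE_COUNT;
    for (uint32_t i = 0; i < FAKE_COUNT; i++) h->Handles[i].ProcessId = (i % 2) ? 4u : 8u;
    return STATUS_SUCCESS;
}
```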
-
I posted my function and my struct in reply to Code-o-mat (member). This is the System information class: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/SYSTEM_INFORMATION_CLASS.html Please help me :). Thanks for the reply, sorry if my English is not good.
-
so0_lanhlung2 wrote:
Access violation reading location 0xbaadf00d.
I think this value suggests that you are trying to use a pointer that has not been initialised. It's a pity you posted all this code above, but not the part that causes the error.
I must get a clever new signature for 2011.
-
From http://en.wikipedia.org/wiki/Hexspeak: 0xBAADF00D ("bad food") is used by Microsoft's LocalAlloc(LMEM_FIXED) to indicate uninitialised allocated heap memory when the debug heap is used. My guess would be that something goes wrong during memory allocation. Maybe you are trying to allocate too much (continuous) memory. Check out Listing Used Files here on CodeProject; it seems to be doing something similar to what you are, and there seems to be a way to query how much memory you need so you don't need to keep increasing the buffer with realloc until it is big enough. Can't say anything better at this point, I am not very familiar with sysinternals.
-
Just a silly attempt: could you try to comment out all the lines below the offending one, until the for loop ends? :)
-
Thanks for the reply :)... I'll research :)