CloseHandle
-
In the following code, which is self-deleting code on NT, I can't seem to understand why the call CloseHandle((HANDLE)4); is there. What is this 4 value that is cast to a HANDLE?
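    #include <windows.h>

    int main(int argc, char *argv[])
    {
        char buf[MAX_PATH];
        HMODULE module;

        module = GetModuleHandle(0);
        GetModuleFileName(module, buf, MAX_PATH);
        CloseHandle((HANDLE)4);

        /* The pushes build a chain of stdcall frames, so the final ret runs
           UnmapViewOfFile(module), then DeleteFile(buf), then ExitProcess(0). */
        __asm {
            lea  eax, buf
            push 0
            push 0
            push eax
            push ExitProcess
            push module
            push DeleteFile
            push UnmapViewOfFile
            ret
        }
        return 0;
    }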
Papa while (TRUE) Papa.WillLove ( Bebe ) ;
-
Look at NickRepin's comment near the bottom of this page: http://www.experts-exchange.com/Programming/Programming_Languages/Cplusplus/Q_20170646.html
Basically he says CreateFileMapping always returns a handle with a value of 4.
-
I can't be the only one that thinks this can't be true, or you'd never be able to create more than one active file mapping for a given process? Steve S
-
Yeah, I must not have interpreted it correctly. I don't really understand it, so I won't even try to interpret again. Anyone else?
-
Having read the thread, I think the answer is simpler. There's a qualifying comment that says mapping the file for the current EXE always returns 4. I suspect that this is 'true' because the EXE is already mapped to address 00400000, and it's just something happening to obfuscate the value returned, or there's some shifting/misreading going on. In other words, the code is committing suicide in a fancy way by unmapping itself from memory while it's executing. The CPU pipeline cache may then probably prevent a page fault while it terminates. Steve S