Tony

Getting Handle table from device driver in Windows 10 Anniversary

Sun Oct 02, 2016 7:46 pm

I have noticed in the source code that there is no logic to get the handle table for a process in Windows 10.
Can someone confirm that this is intentional due to Microsoft hardening the kernel or has it just not yet been implemented?
Thanks in advance.
Tony
 
dmex
Posts: 1205
Location: Australia

Re: Getting Handle table from device driver in Windows 10 Anniversary

Sun Oct 02, 2016 10:17 pm

there is no logic to get the handle table for a process in Windows 10
Handle tables work fine for me on Windows 10?
[attachment: handle_table.PNG]
You will get an empty handle table if you're using nightly builds of Process Hacker. You need to disable the kernel driver via Options window > Advanced tab > Untick the "Enable kernel-mode driver" option.
 
Tony

Re: Getting Handle table from device driver in Windows 10 Anniversary

Tue Oct 04, 2016 5:57 pm

Sorry, my bad, I was not specific.
I was looking at the source code you wrote for the driver (processhacker-nightly-src\KProcessHacker).
I was curious if getting the handle table in kernel mode has stopped working because of Microsoft tightening security in kernel mode.
Thanks for all your great work!
Tony
 
dmex
Posts: 1205
Location: Australia

Re: Getting Handle table from device driver in Windows 10 Anniversary

Wed Oct 05, 2016 8:12 pm

I was curious if getting the handle table in kernel mode has stopped working because of Microsoft tightening security in kernel mode.
No.

The only issue is with KPH needing to be updated with handle table offsets for the latest build of Windows 10 (14393).
 
Tony

Re: Getting Handle table from device driver in Windows 10 Anniversary

Sat Oct 08, 2016 4:23 pm

If it is not too much trouble.
It is just nice to have the code always hit the same logic for each version of Windows.
I appreciate all your great work.
Thanks!
 
mgrzeg
Posts: 5
OS: Windows 7 64bit

Re: Getting Handle table from device driver in Windows 10 Anniversary

Wed Oct 12, 2016 4:05 pm

+1. The names of the ETW registrations disappeared, if it's not a problem, I'd love to see them back :)
Thanks!
 
Tony

Re: Getting Handle table from device driver in Windows 10 Anniversary

Mon Oct 24, 2016 5:00 pm

Hi,

Is there a scheduled date for the next release?
I see the code for the device driver is in for Windows 10 1607 (anniversary update).
However, the driver from the nightly build versions is not signed so not available to the user level code.
Thanks for all the great work!
