How unprotect a handle using MCH

c++ / delphi package - dll injection and api hooking
Post Reply
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

How unprotect a handle using MCH

Post by pambol »

How can i unprotect a protected handle?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How unprotect a handle using MCH

Post by iconic »

What do you mean "unprotect" a handle, exactly? Do you mean from closing it? If so, see the code below:

Protect

Code: Select all

SetHandleInformation(hObject, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
Unprotect

Code: Select all

SetHandleInformation(hObject, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0);
--Iconic
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: How unprotect a handle using MCH

Post by pambol »

iconic wrote:What do you mean "unprotect" a handle, exactly? Do you mean from closing it? If so, see the code below:

Protect

Code: Select all

SetHandleInformation(hObject, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
Unprotect

Code: Select all

SetHandleInformation(hObject, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0);
--Iconic
i called your routine after:

Code: Select all

if DuplicateHandle(hProcess, StrToInt(InfosHandle[1]), GetCurrentProcess(), @hObject, STANDARD_RIGHTS_REQUIRED, FALSE, DUPLICATE_SAME_ACCESS) then
but handle flags still the same, i tried retrieve actual flags using GetHandleInformation but always return 0, and the handle are set as inherit (i'm looking using Process Hacker).
i'm trying close a protected handle, i can list it fine, but the question is to close if the handle are protected.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How unprotect a handle using MCH

Post by iconic »

Unprotecting hObject (which you have duplicated from the remote process) in your own process' handle table will not work. You'd need to call SetHandleInformation() in the context of the remote process with the original source object handle, i.e> remote thread creation etc. Each process has its own unique handle table much like their own address space (on NT)

--Iconic
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: How unprotect a handle using MCH

Post by pambol »

iconic wrote:Unprotecting hObject (which you have duplicated from the remote process) in your own process' handle table will not work. You'd need to call SetHandleInformation() in the context of the remote process with the original source object handle, i.e> remote thread creation etc. Each process has its own unique handle table much like their own address space (on NT)

--Iconic
Can you show me an example of how do it?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How unprotect a handle using MCH

Post by iconic »

What does (un)protecting an object handle have to do with using MCH? I see no correlation nor do I see a benign use in creating such code. What is your purpose for unprotecting a handle? Is the other process the same bitness as your own process (64 <-> 64, 32 <-> 32 etc.)? Is the other process in a different user session from your own? Many criteria would need to be addressed in writing such a code example. Even if I had more time to write an example for you, how would me writing it for you benefit you in any real way?

--Iconic
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: How unprotect a handle using MCH

Post by pambol »

iconic wrote:What does (un)protecting an object handle have to do with using MCH? I see no correlation nor do I see a benign use in creating such code. What is your purpose for unprotecting a handle? Is the other process the same bitness as your own process (64 <-> 64, 32 <-> 32 etc.)? Is the other process in a different user session from your own? Many criteria would need to be addressed in writing such a code example. Even if I had more time to write an example for you, how would me writing it for you benefit you in any real way?

--Iconic
I mean if MCH have some function who do it.
Both application are 64 bits and are on the same session.

If you can't help me no problem, i'll try it do it alone :-x

Thanks anyway.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How unprotect a handle using MCH

Post by iconic »

There isn't any MCH API for this specifically.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: How unprotect a handle using MCH

Post by madshi »

Iconic is perfectly right, as always... 8)
Post Reply