Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Trapping HANDLE creation in WOW64

I'm trying to troubleshoot slow startup of a third-party binary (no source). It is a 32-bit application running on 64-bit Windows 7.

I've used a debugger to break into the application while it's hung with 0% CPU usage during startup, and it appears to be waiting for ReadFile to return. The first argument to ReadFile is the handle value, 000000f0. windbg's !handle command tells me:

Handle f0
  Type            File
  Attributes      0
  GrantedAccess   0x120189:
         ReadControl,Synch
         Read/List,ReadEA,ReadAttr,WriteAttr
  HandleCount     2
  PointerCount    4
  No Object Specific Information available

I want to know what device this corresponds to. But Sysinternals Process Explorer doesn't include this handle in its list of process handles.

I've used windbg to trace all calls to ntdll!NtCreateFile and printed the path and returned handle: This handle is not among them. Breakpoints on kernel32!CreateNamedPipeW, kernel32!CallNamedPipeW, and kernel32!WaitNamedPipeW are never triggered (which is odd because Process Explorer did show another handle with path \Device\NamedPipe\).

For reference, here is the command to trace NtCreateFile (akak ZwCreateFile) on Windows x64:

bp ntdll!NtCreateFile "!ustr poi(@r8+10) ; r $t0 = @rcx ; gu ; dd @$t0 L1 ; gc"

Thanks to Skywing for pointing me in the right direction on that.

Where else can a HANDLE of type File come from? Don't the other HANDLE creation functions delegate to NtCreateFile for the actual syscall (I guess not)?

like image 740
Ben Voigt Avatar asked Mar 22 '12 21:03

Ben Voigt


2 Answers

It looks like you can only get the file handle information when doing a kernel debug. So there are 3 options.

  1. Do a local machine kernel debug, this shouldn't be a problem since you only need to get the file handle information and that will stay static. See the following: http://msdn.microsoft.com/en-us/library/windows/hardware/ff553382(v=vs.85).aspx
  2. Do a remote kernel debug of a VM machine. "Safer" in the sense you can't blow up your machine.
  3. BSOD your box and look at the dump that way. Again not a very nice thing to do to your box, but I've done similar things in the past when I needed to be able to do a full analysis on the machine without the machine state changing.
like image 87
Zipper Avatar answered Nov 18 '22 13:11

Zipper


Handles can be inherited and can also be created by DuplicateHandle(). You can try to calling GetFileInformationByHandleEx on the handle and query for FileNameInfo.

like image 27
John Avatar answered Nov 18 '22 11:11

John