2

Language: C
OS: Windows

My application is framed with NT-level APIs and has to manipulate file and directory handles. On a ZwOpenFile or ZwCreateFile call, I get a HANDLE as a result. Usually the values for the HANDLE are like 0x00000024, 28, 2c, etc. When I cast it to an LPBYTE to view the contents, Visual Studio shows "Expression could not be evaluated". I understood from that that the HANDLEs returned from the create/open file APIs are not pointers to a memory location. However, Windows uses the value to perform file operations. NtQueryDirectoryObject supplies me the information about handles. However, how Windows has implemented this functionality is unknown. Can anyone throw light on it?

cpx
Muthukumar Palaniappan

4 Answers

4

That's a so-called "opaque value", which means it's completely up to Windows how it is done inside. For example, it could be an index in some global table that is not accessible directly to your program - Windows just knows how to get there and you shouldn't even think of doing it.

sharptooth
  • The ZwQueryDirectoryFile API sets a few values in the HANDLE, so on subsequent calls it resumes the enumeration from where it left off. In this case I need to set or read the values held in the HANDLE. Is there any chance of doing so? – Muthukumar Palaniappan May 30 '11 at 07:14
  • @Beetles: Maybe. Maybe not. I'd not rely on this - it can change with the next service pack. – sharptooth May 30 '11 at 07:17
  • 1
    No you don't need to manipulate these values. Why are you even using the native api anyway? – David Heffernan May 30 '11 at 07:20
2

Handles are stored in a table accessible only from kernel code. If you are interested in how the Windows kernel works, you may find Mark Russinovich's blog or driver development interesting.

plodoc
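A simplified model of the "index into a table the program cannot reach" idea from the two answers above, as an added example that is not part of any answer and is not Windows code. Every name here (`model_open`, `model_next_entry`, `model_close`, the struct layouts) is hypothetical, and the "handle value = slot index * 4" encoding is an assumption of the model chosen to resemble the 0x24, 0x28, 0x2c values in the question.

```c
/* Toy per-process handle table. Not Windows source: all names and the
   table layout are hypothetical and exist only for illustration. */
#include <stddef.h>
#include <stdint.h>

enum { SLOTS = 64, ACCESS_READ = 0x1, ACCESS_WRITE = 0x2 };

typedef uintptr_t model_handle;              /* opaque value given to the caller */
struct file_object { const char *name; long scan_pos; };  /* state lives here */
struct handle_entry { struct file_object *object; uint32_t granted; };

static struct handle_entry table[SLOTS];     /* reachable only by the "kernel" side */

static struct handle_entry *lookup(model_handle h)
{
    size_t i = (size_t)(h >> 2);             /* handle value = slot index * 4 */
    if (h == 0 || (h & 3) != 0 || i >= SLOTS || table[i].object == NULL)
        return NULL;                         /* stale, forged or malformed value */
    return &table[i];
}

model_handle model_open(struct file_object *obj, uint32_t access)
{
    for (size_t i = 1; i < SLOTS; i++) {     /* slot 0 stays unused: 0 is invalid */
        if (table[i].object == NULL) {
            table[i].object = obj;
            table[i].granted = access;       /* rights are fixed at open time */
            return (model_handle)(i << 2);
        }
    }
    return 0;                                /* table full */
}

/* Re-validates handle and rights on every call; returns new position or -1. */
long model_next_entry(model_handle h, uint32_t wanted)
{
    struct handle_entry *e = lookup(h);
    if (e == NULL || (e->granted & wanted) != wanted)
        return -1;
    return ++e->object->scan_pos;            /* resume state is in the object */
}

int model_close(model_handle h)
{
    struct handle_entry *e = lookup(h);
    if (e == NULL) return -1;
    e->object = NULL;                        /* slot can be reused by a later open */
    return 0;
}
```

In this model the handle value never changes between calls and is never dereferenced, which is why casting it to a pointer shows nothing useful; a guessed or already-closed value is simply rejected at lookup.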
0

The last book I know of that was a good reference for this kind of stuff was Inside Windows 2000 by Mark E. Russinovich and David A. Solomon. While clearly out of date, a lot of that book is still relevant. Google for "Inside Windows 7" for links to videos of talks by Russinovich and some other books that I can't vouch for, but seem on topic.

Chris Becke
0

HANDLE is actually a pointer to a struct that contains various fields; often they point to some kernel object. HANDLEs are generally used when programming in C to have a notion of object-oriented programming.

When debugging with WinDbg you have an extension called !handle that can display various information about a given handle.

The book Windows Internals (by Mark Russinovich) goes into great detail about this and many other Windows mechanisms.

Perhaps you will find this discussion useful: What is a Windows Handle?

Also check out this blog post by Mark: http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx. It contains a lot of information which could help you answer your question.

Community
Grim