/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * "find_lock.exe", for Windows only.
 *
 * Given a path, reports which processes hold an open file handle under it
 * (see findLock() at the bottom of this file). It does so by walking the
 * system-wide handle table through undocumented ntdll.dll functions,
 * duplicating candidate handles into this process and querying their names.
 * The structures below mirror the undocumented NT layouts those calls
 * return; they are not part of the public Win32 API and may change between
 * Windows versions.
 *
 * References used:
 *
 * http://drdobbs.com/windows/184411099
 * article by Sven B. Schreiber, November 01, 1999
 *
 * http://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c2827/
 * by Zoltan Csizmadia, November 14, 2000
 *
 * http://stackoverflow.com/questions/860656/
 * (same technique, but written in unsafe C#)
 *
 * Starting with Vista, we can also use the Restart Manager API as
 * explained here: (TODO for next version)
 * http://msdn.microsoft.com/en-us/magazine/cc163450.aspx
 */

#ifdef _WIN32

#include "utils.h"
// NOTE(review): the four system header names that followed "utils.h" did not
// survive extraction (the <...> part was stripped); restore them from the
// original source before building.
#include
#include
#include
#include

// NtDll structures from the Dr Dobbs article, adjusted for our needs.
// NOTE(review): these use DWORD/WORD where the kernel uses pointer-sized
// fields, so the layouts look like they assume a 32-bit build — confirm
// before compiling this file for x64.
typedef void *POBJECT;
typedef LONG KPRIORITY;
typedef LARGE_INTEGER QWORD;

// Counted UTF-16 string as used by the NT native API: Length and
// MaximumLength are byte counts, not character counts.
typedef struct {
    WORD Length;
    WORD MaximumLength;
    PWORD Buffer;
} UNICODE_STRING;

// One entry of the system handle table (SystemHandleInformation).
typedef struct {
    DWORD dIdProcess;           // owning process id
    BYTE bObjectType;           // OB_TYPE_* (value is matched dynamically in findLock())
    BYTE bFlags;                // bits 0..2 HANDLE_FLAG_*
    WORD wValue;                // handle value in the owning process; multiple of 4
    POBJECT pObject;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE;

// Header returned by NtQuerySystemInformation(SystemHandleInformation):
// dCount entries follow inline (ash[1] is a pre-C99 "open array").
typedef struct {
    DWORD dCount;
    SYSTEM_HANDLE ash[1];
} SYSTEM_HANDLE_INFORMATION;

typedef struct {
    DWORD PeakVirtualSize;
    DWORD VirtualSize;
    DWORD PageFaultCount;
    DWORD PeakWorkingSetSize;
    DWORD WorkingSetSize;
    DWORD QuotaPeakPagedPoolUsage;
    DWORD QuotaPagedPoolUsage;
    DWORD QuotaPeakNonPagedPoolUsage;
    DWORD QuotaNonPagedPoolUsage;
    DWORD PagefileUsage;
    DWORD PeakPagefileUsage;
} VM_COUNTERS;

typedef struct {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID;

typedef enum {
    // Ignored. We don't actually use these values.
    Unused
} KWAIT_REASON;

// Per-thread record that trails each SYSTEM_PROCESS_INFORMATION entry.
// Only kept so that the process record has the right size; unused here.
typedef struct {
    QWORD qKernelTime;          // 100 nsec units
    QWORD qUserTime;            // 100 nsec units
    QWORD qCreateTime;          // relative to 01-01-1601
    DWORD d18;
    PVOID pStartAddress;
    CLIENT_ID Cid;              // process/thread ids
    DWORD dPriority;
    DWORD dBasePriority;
    DWORD dContextSwitches;
    DWORD dThreadState;         // 2=running, 5=waiting
    KWAIT_REASON WaitReason;
    DWORD dReserved01;
} SYSTEM_THREAD;

// One process record from NtQuerySystemInformation(SystemProcessInformation).
// Records are chained by dNext (byte offset to the next record, 0 = last);
// getProcessName() walks them and reads usName, dUniqueProcessId and
// dInheritedFromUniqueProcessId.
typedef struct {
    DWORD dNext;                // relative offset
    DWORD dThreadCount;
    DWORD dReserved01;
    DWORD dReserved02;
    DWORD dReserved03;
    DWORD dReserved04;
    DWORD dReserved05;
    DWORD dReserved06;
    QWORD qCreateTime;          // relative to 01-01-1601
    QWORD qUserTime;            // 100 nsec units
    QWORD qKernelTime;          // 100 nsec units
    UNICODE_STRING usName;      // image name, e.g. "java.exe" (UTF-16)
    KPRIORITY BasePriority;
    DWORD dUniqueProcessId;
    DWORD dInheritedFromUniqueProcessId;    // parent process id
    DWORD dHandleCount;
    DWORD dReserved07;
    DWORD dReserved08;
    VM_COUNTERS VmCounters;
    DWORD dCommitCharge;        // bytes
    SYSTEM_THREAD ast[1];
} SYSTEM_PROCESS_INFORMATION;

// The sic opcode for NtQuerySystemInformation
typedef enum {
    SystemProcessInformation = 5,
    SystemHandleInformation = 16,
} SYSTEMINFOCLASS;

// NTSTATUS values we compare against. The native functions return these
// rather than setting GetLastError().
#define STATUS_SUCCESS 0x00000000
#define STATUS_UNSUCCESSFUL 0xC0000001
#define STATUS_NOT_IMPLEMENTED 0xC0000002
#define STATUS_INVALID_INFO_CLASS 0xC0000003
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define STATUS_INVALID_PARAMETER 0xC000000D

// Signatures of the ntdll.dll entry points resolved at runtime by init().
typedef DWORD (WINAPI *NtQuerySystemInformationFuncPtr)(
    DWORD sic, VOID* pData, DWORD sSize, ULONG* pdSize);
typedef DWORD (WINAPI *NtQueryInformationFileFuncPtr)(HANDLE, PVOID, PVOID, DWORD, DWORD);
typedef DWORD (WINAPI *NtQueryObjectFuncPtr)(HANDLE, DWORD, VOID*, DWORD, VOID*);

// Set by init(), cleared by terminate(); NULL until init() succeeds.
static NtQuerySystemInformationFuncPtr sNtQuerySystemInformationFunc;
static NtQueryInformationFileFuncPtr sNtQueryInformationFileFunc;
static NtQueryObjectFuncPtr sNtQueryObjectFunc;
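//------------
// Get the NT DLL functions we need to use.
//
// Resolves the three undocumented ntdll.dll entry points used below and
// caches them in the file-scope pointers. Returns true only if all three
// resolved; after a false return some pointers may be NULL and must not be
// called (findLock() bails out in that case).
static bool init() {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    sNtQuerySystemInformationFunc = (NtQuerySystemInformationFuncPtr)
        GetProcAddress(ntdll, "NtQuerySystemInformation");
    sNtQueryInformationFileFunc = (NtQueryInformationFileFuncPtr)
        GetProcAddress(ntdll, "NtQueryInformationFile");
    sNtQueryObjectFunc = (NtQueryObjectFuncPtr)
        GetProcAddress(ntdll, "NtQueryObject");
    return sNtQuerySystemInformationFunc != NULL &&
           sNtQueryInformationFileFunc != NULL &&
           sNtQueryObjectFunc != NULL;
}

// Forget the cached ntdll entry points (counterpart of init()).
static void terminate() {
    sNtQuerySystemInformationFunc = NULL;
    sNtQueryInformationFileFunc = NULL;
    sNtQueryObjectFunc = NULL;
}

// Enable SeDebugPrivilege on the current process token so that OpenProcess()
// and DuplicateHandle() below can reach handles of processes owned by other
// accounts. Returns true if AdjustTokenPrivileges() succeeded. Failure is
// non-fatal for findLock(): fewer processes become inspectable. The Win32
// error is printed to stderr when gIsDebug is set.
static bool adjustPrivileges() {
    char *error = NULL;
    // Initialized so that the bail_out path never closes an indeterminate
    // handle when OpenProcessToken() itself fails.
    HANDLE tokenH = NULL;

    // Open a process token that lets us adjust privileges
    BOOL ok = OpenProcessToken(GetCurrentProcess(),                    // ProcessHandle
                               TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,  // DesiredAccess
                               &tokenH);                               // TokenHandle
    if (!ok) {
        error = "OpenProcessToken failed: ";
        goto bail_out;
    }

    // Lookup the privilege by name and get its local LUID token.
    // What we request:
    //   SE_DEBUG_NAME, aka "SeDebugPrivilege"
    //   MSDN: Required to debug and adjust the memory of a process owned by another account.
    //   User Right: Debug programs.
    TOKEN_PRIVILEGES priv;
    priv.PrivilegeCount = 1;
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ok = LookupPrivilegeValueA(NULL,                         // lpSystemName
                               SE_DEBUG_NAME,                // lpName
                               &(priv.Privileges[0].Luid));  // lpLuid
    if (!ok) {
        error = "LookupPrivilegeValue failed: ";
        goto bail_out;
    }

    ok = AdjustTokenPrivileges(tokenH,  // TokenHandle
                               FALSE,   // DisableAllPrivileges
                               &priv,   // NewState
                               0,       // BufferLength
                               NULL,    // PreviousState
                               0);      // ReturnLength
    if (!ok) {
        error = "AdjustTokenPrivileges failed: ";
        goto bail_out;
    }
    // NOTE: AdjustTokenPrivileges() is documented to return TRUE even when
    // the privilege was not granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED,
    // e.g. for a non-administrator). That case is not distinguished here;
    // findLock() tolerates it by simply skipping unopenable processes.

bail_out:
    if (error != NULL && gIsDebug) {
        CString err;
        err.setLastWin32Error(error);
        fprintf(stderr, "%s", err.cstr());
    }
    if (tokenH != NULL) {
        CloseHandle(tokenH);
    }
    return !!ok;
}

// Return the object type name of handle 'h' (e.g. "File" or "Directory")
// in *type, narrowed to ANSI and truncated to 9 characters. Returns false if
// NtQueryObject fails or the returned buffer is shorter than expected.
// NOTE: currently unused; isFileHandleType() below is the specialized
// variant that findLock() relies on.
static bool getHandleType(HANDLE h, CString *type) {
    bool result = false;
    ULONG size = 0;

    // Get the size of the type string (information class 2 = ObjectTypeInformation)
    int status = sNtQueryObjectFunc(h, 2, NULL, 0, &size);
    if (status == STATUS_INFO_LENGTH_MISMATCH && size > 0) {
        // Get the type string itself
        char *buf = new char[size];
        status = sNtQueryObjectFunc(h, 2, buf, size, NULL);
        if (status == 0 && size > 96) {
            // The type string we want is a wide unicode (UTF16)
            // zero-terminated string located at offset 96 in the
            // buffer. In our case we want the string to be
            // "Directory" or "File" so we know the max useful length
            // is 9.
            // Since we can only deal with ansi strings in this program,
            // we'll make a crude copy of every other byte and just check
            // that the other bytes are zero.
            const char *c = buf + 96;
            // Readable region ends at buf + size (the previous bound,
            // buf + 96 + size, allowed reading 96 bytes past the buffer).
            // 'c + 1 < e' keeps the c[1] read in bounds for odd sizes.
            const char *e = buf + size;
            // we'll write at the beginning of our buffer
            char *dest = buf;
            char *dend = dest + 9;
            for (; c + 1 < e && dest < dend && c[0] != '\0' && c[1] == '\0'; c += 2, dest++) {
                *dest = *c;
            }
            *(dest++) = '\0';
            type->set(buf, dest - buf);
            result = true;
        }
        // buf was allocated with new[], so release it with delete[]
        // (it was previously passed to free(), which is undefined).
        delete[] buf;
    }
    return result;
}

// ANSI spelling of the object type name we look for; it is compared against
// the UTF-16 type name one code unit at a time (terminator included).
static const char kFileW[] = "File";

// Return 'F' if the object behind 'handle' is of type "File", 0 otherwise.
// Reads the same ObjectTypeInformation buffer as getHandleType() but only
// compares it against kFileW.
static char isFileHandleType(HANDLE handle) {
    char type = 0;
    ULONG size = 0;

    // Get the size of the type string
    int status = sNtQueryObjectFunc(handle, 2, NULL, 0, &size);
    if (status == STATUS_INFO_LENGTH_MISMATCH && size > 0) {
        // Get the type string itself
        char *buf = new char[size];
        status = sNtQueryObjectFunc(handle, 2, buf, size, NULL);
        // The loop below reads sizeof(kFileW) UTF-16 units (2 bytes each,
        // terminator included) starting at offset 96, so the buffer must be
        // at least that long; 'size > 96' alone allowed a read past the end.
        if (status == 0 && size >= 96 + 2 * sizeof(kFileW)) {
            // The type string we want is a wide unicode (UTF16-LE)
            // zero-terminated string located at offset 96 in the
            // buffer. In our case we want the string to be "File".
            //
            // Since we're reading wide unicode, we want each character
            // to be the one from our string followed by a zero byte.
            // e.g. c should point to F \0 i \0 l \0 e \0 \0 \0.
            const char *c = buf + 96;
            type = c[0];
            int len = sizeof(kFileW);
            const char *d = kFileW;
            for (; type != 0 && len > 0; c += 2, d++, len--) {
                if (c[0] != *d || c[1] != 0) {
                    type = 0;
                    break;
                }
            }
        }
        // new[] / delete[] must pair (previously released with free()).
        delete[] buf;
    }
    return type;
}

// Argument block handed to FileNameThreadFunc() through _beginthreadex().
typedef struct {
    HANDLE handle;      // duplicated file handle to query; owned by the caller
    CString *outStr;    // receives the narrowed path on success
    bool result;        // set to true by the thread on success
} SFileNameInfo;

// Thread body: query the name of info->handle with NtQueryInformationFile
// (information class 9 = FileNameInformation) and store it, narrowed to
// ANSI, in *info->outStr. Runs on its own thread because the query can block
// indefinitely on some handle kinds; see getFileName(). Returns 0 on
// success, 1 otherwise.
static unsigned __stdcall FileNameThreadFunc(void *param) {
    SFileNameInfo *info = (SFileNameInfo *)param;
    if (info == NULL) {
        return 1;
    }

    char buf[MAX_PATH*2 + 4];
    DWORD iob[2] = { 0, 0 };
    DWORD status = sNtQueryInformationFileFunc(info->handle, iob, buf, sizeof(buf), 9);
    if (status == STATUS_SUCCESS) {
        // The result is a buffer with:
        // - DWORD (4 bytes) for the *byte* length (so twice the character length)
        // - Actual string in Unicode
        // (This matches FILE_NAME_INFORMATION: ULONG FileNameLength, WCHAR FileName[].)
        DWORD len = ((DWORD *)buf)[0];
        if (len <= MAX_PATH * 2) {
            // We can't handle wide Unicode. What we do is convert it into
            // straight ansi by just retaining the first of each couple bytes.
            // Bytes that cannot be mapped (e.g. 2nd byte is != 0) will be
            // simply converted to 0xFF. The conversion is done in place:
            // dest never overtakes src.
            unsigned char *start = (unsigned char *)buf + 4;
            unsigned char *dest = start;
            unsigned char *src = start;
            for (DWORD i = 0; i < len; dest++, src += 2, i += 2) {
                if (src[1] == 0) {
                    *dest = *src;
                } else {
                    *dest = 0xFF;
                }
            }
            *dest = '\0';
            // Pass the narrowed length (one byte per UTF-16 unit), not the
            // UTF-16 byte length 'len': the bytes after the NUL just written
            // are the unconverted tail of the wide string.
            info->outStr->set(buf + 4, (size_t)(dest - start));
            info->result = true;
            return 0;
        }
    }
    return 1;
}

// Query the path of a (duplicated) file handle into *outStr. Returns true on
// success; on failure or timeout *outStr is set to "" and false is returned.
static bool getFileName(HANDLE handle, CString *outStr) {
    SFileNameInfo info;
    info.handle = handle;
    info.outStr = outStr;
    info.result = false;

    // sNtQueryInformationFileFunc might hang on some handles.
    // A trick is to do it in a thread and if it takes too long then
    // just shutdown the thread, since it's deadlocked anyway.
    unsigned threadId;
    HANDLE th = (HANDLE)_beginthreadex(NULL,                // security
                                       0,                   // stack_size
                                       &FileNameThreadFunc, // address
                                       &info,               // arglist
                                       0,                   // initflag
                                       &threadId);          // thrdaddr
    if (th == NULL) {
        // Failed to create thread. Shouldn't really happen.
        outStr->set("");
        return false;
    }

    bool result = false;
    // Wait for the thread; kill it if it takes too long *or* if the wait
    // itself fails: in both cases the thread may still be running and
    // writing into 'info', which lives on this stack frame. (The previous
    // check only covered WAIT_TIMEOUT.) TerminateThread() leaks the thread's
    // stack and CRT state; accepted here since the thread is stuck anyway.
    if (WaitForSingleObject(th /*handle*/, 200 /*ms*/) != WAIT_OBJECT_0) {
        TerminateThread(th /*handle*/, 0 /*retCode*/);
        outStr->set("");
    } else {
        result = info.result;
    }
    CloseHandle(th);
    return result;
}

// Find the name of the process (e.g. "java.exe") given its id.
// processesPtr must be the list returned by queryAllProcess().
// Special handling for javaw.exe: this isn't quite useful so
// we also try to find and append the parent process name.
// Returns true with *outStr set to the name on success; false otherwise.
static bool getProcessName(SYSTEM_PROCESS_INFORMATION *processesPtr,
                           DWORD remoteProcessId,
                           CString *outStr) {
    SYSTEM_PROCESS_INFORMATION *ptr = processesPtr;
    while (ptr != NULL) {
        if (ptr->dUniqueProcessId == remoteProcessId) {
            // This is the process we want.
            UNICODE_STRING *uniStr = &(ptr->usName);
            WORD len = uniStr->Length;      // byte length of the UTF-16 name
            char buf[MAX_PATH];
            // Each UTF-16 unit becomes one byte, plus the terminator, so the
            // name must narrow to at most sizeof(buf) - 1 characters. The
            // previous bound (len <= MAX_PATH * 2) allowed the terminator to
            // be written one byte past buf.
            if (len <= (sizeof(buf) - 1) * 2) {
                // We can't handle wide Unicode. What we do is convert it into
                // straight ansi by just retaining the first of each couple bytes.
                // Bytes that cannot be mapped (e.g. 2nd byte is != 0) will be
                // simply converted to 0xFF.
                unsigned char *dest = (unsigned char *)buf;
                unsigned char *src = (unsigned char *)uniStr->Buffer;
                for (WORD i = 0; i < len; dest++, src += 2, i += 2) {
                    if (src[1] == 0) {
                        *dest = *src;
                    } else {
                        *dest = 0xFF;
                    }
                }
                *dest = '\0';
                // Narrowed length, not the UTF-16 byte length: 'len' bytes
                // would read past the converted characters (and past buf).
                outStr->set(buf, (size_t)(dest - (unsigned char *)buf));

                if (strcmp(buf, "javaw.exe") == 0) {
                    // Heuristic: eclipse often shows up as javaw.exe
                    // but what is useful is to report eclipse to the user
                    // instead.
                    // So in this case, look at the parent and report it too.
                    DWORD parentId = ptr->dInheritedFromUniqueProcessId;
                    if (parentId > 0) {
                        CString name2;
                        bool ok2 = getProcessName(processesPtr, parentId, &name2);
                        if (ok2) {
                            outStr->add(" (");
                            outStr->add(name2.cstr());
                            outStr->add(")");
                        }
                    }
                }
                return true;
            }
        }
        // Look at the next process, if any. dNext is a byte offset (a DWORD,
        // so compare against 0, not NULL); 0 marks the last record.
        if (ptr->dNext == 0) {
            break;
        } else {
            ptr = (SYSTEM_PROCESS_INFORMATION *)((char *)ptr + ptr->dNext);
        }
    }
    // NOTE(review): this format string appears to have lost its placeholder
    // during extraction (it takes remoteProcessId as an argument); kept as-is.
    outStr->setf("", remoteProcessId);
    return false;
}

// Query system for all processes information.
// *error must be NULL on entry; it is set to a static string on failure
// (the bail_out path uses it to decide whether to release the buffer).
// Returns the VirtualAlloc-allocated buffer on success or NULL on error.
// It's up to the caller to do a VirtualFree on the returned buffer.
static SYSTEM_PROCESS_INFORMATION *queryAllProcess(const char **error) {
    // Allocate a buffer for the process information. We don't know the
    // exact size. A normal system might typically have between 100-200 processes.
    // We'll resize the buffer if not big enough.
    DWORD infoSize = 4096;
    SYSTEM_PROCESS_INFORMATION *infoPtr = (SYSTEM_PROCESS_INFORMATION *)
        VirtualAlloc(NULL, infoSize, MEM_COMMIT, PAGE_READWRITE);

    if (infoPtr != NULL) {
        // Query the actual size needed (or the data if it fits in the buffer)
        DWORD needed = 0;
        if (sNtQuerySystemInformationFunc(
                SystemProcessInformation, infoPtr, infoSize, &needed) != 0) {
            if (needed == 0) {
                // Shouldn't happen.
                *error = "No processes found";
                goto bail_out;
            }
            // Realloc. Adding the original 4096 on top of 'needed' leaves
            // slack for processes created between the two queries.
            VirtualFree(infoPtr, 0, MEM_RELEASE);
            infoSize += needed;
            infoPtr = (SYSTEM_PROCESS_INFORMATION *)
                VirtualAlloc(NULL, infoSize, MEM_COMMIT, PAGE_READWRITE);
            // Check the re-allocation before querying into it (previously
            // the query ran first with a possibly NULL buffer); this also
            // matches the order used by queryAllHandles().
            if (infoPtr == NULL) {
                *error = "Failed to allocate system processes info buffer";
                goto bail_out;
            }
            // Query all the processes objects again
            if (sNtQuerySystemInformationFunc(
                    SystemProcessInformation, infoPtr, infoSize, NULL) != 0) {
                *error = "Failed to query system processes";
                goto bail_out;
            }
        }
    }
    if (infoPtr == NULL) {
        *error = "Failed to allocate system processes info buffer";
        goto bail_out;
    }

bail_out:
    if (*error != NULL) {
        if (infoPtr != NULL) {
            VirtualFree(infoPtr, 0, MEM_RELEASE);
        }
        infoPtr = NULL;
    }
    return infoPtr;
}

// Query system for all handle information.
// *error must be NULL on entry; it is set to a static string on failure.
// Returns the VirtualAlloc-allocated buffer on success or NULL on error.
// It's up to the caller to do a VirtualFree on the returned buffer.
// NOTE: the handle table can grow between the size query and the data query;
// the extra 4096 bytes of slack are the only protection, there is no retry.
static SYSTEM_HANDLE_INFORMATION *queryAllHandles(const char **error) {
    // Allocate a buffer. It won't be large enough to get the handles
    // (e.g. there might be 10k or 40k handles around). We'll resize
    // it once we know the actual size.
    DWORD infoSize = 4096;
    SYSTEM_HANDLE_INFORMATION *infoPtr = (SYSTEM_HANDLE_INFORMATION *)
        VirtualAlloc(NULL, infoSize, MEM_COMMIT, PAGE_READWRITE);

    if (infoPtr != NULL) {
        // Query the actual size needed
        DWORD needed = 0;
        if (sNtQuerySystemInformationFunc(
                SystemHandleInformation, infoPtr, infoSize, &needed) != 0) {
            if (needed == 0) {
                // Shouldn't happen.
                *error = "No handles found";
                goto bail_out;
            }
            // Realloc
            VirtualFree(infoPtr, 0, MEM_RELEASE);
            infoSize += needed;
            infoPtr = (SYSTEM_HANDLE_INFORMATION *)
                VirtualAlloc(NULL, infoSize, MEM_COMMIT, PAGE_READWRITE);
        }
    }
    if (infoPtr == NULL) {
        *error = "Failed to allocate system handle info buffer";
        goto bail_out;
    }

    // Query all the handle objects (re-queried even when the first call fit,
    // which keeps the code path single).
    if (sNtQuerySystemInformationFunc(
            SystemHandleInformation, infoPtr, infoSize, NULL) != 0) {
        *error = "Failed to query system handles";
        goto bail_out;
    }

bail_out:
    if (*error != NULL) {
        if (infoPtr != NULL) {
            VirtualFree(infoPtr, 0, MEM_RELEASE);
        }
        infoPtr = NULL;
    }
    return infoPtr;
}

// Entry point: look for processes holding an open file handle under 'path'
// and append their names (';'-separated) to *outModule. Returns true if at
// least one such process was identified.
//
// Method: enumerate every handle in the system (SystemHandleInformation),
// open each owning process with PROCESS_DUP_HANDLE, duplicate the handle
// into this process, query its path and prefix-compare it case-insensitively
// against 'path' minus its drive letter (NT file names come back without
// one; note this is a plain prefix match, so "\foo\bar" also matches
// "\foo\barbaz"). Processes that cannot be opened (no SeDebugPrivilege,
// protected processes) are skipped silently.
bool findLock(CPath &path, CString *outModule) {
    bool result = false;
    const char *error = NULL;   // stays NULL until a failure; query*() rely on that
    SYSTEM_PROCESS_INFORMATION *processesPtr = NULL;
    SYSTEM_HANDLE_INFORMATION *handlesPtr = NULL;

    // GetCurrentProcess() returns a pseudo-handle that needs no CloseHandle().
    const HANDLE currProcessH = GetCurrentProcess();
    const DWORD currProcessId = GetCurrentProcessId();
    HANDLE remoteProcessH = NULL;
    DWORD remoteProcessId = 0;
    DWORD matchProcessId = 0;

    int numHandleFound = 0;
    int numHandleChecked = 0;
    int numHandleDirs = 0;
    int numHandleFiles = 0;
    int numProcessMatch = 0;
    BYTE ob_type_file = 0;

    // Get the path to search, without the drive letter.
    const char *searchPath = path.cstr();
    // Cast to unsigned char: isalpha() on a negative plain char is undefined.
    if (isalpha((unsigned char)searchPath[0]) && searchPath[1] == ':') {
        searchPath += 2;
    }
    size_t searchPathLen = strlen(searchPath);
    if (gIsDebug) fprintf(stderr, "Search path: '%s'\n", searchPath);

    if (!init()) {
        error = "Failed to bind to ntdll.dll";
        goto bail_out;
    }

    if (!adjustPrivileges()) {
        // We can still continue even if the privilege escalation failed.
        // The apparent effect is that we'll fail to query the name of
        // some processes, yet it will work for some of them.
        if (gIsDebug) fprintf(stderr, "Warning: adjusting privileges failed. Continuing anyway.\n");
    } else {
        if (gIsDebug) fprintf(stderr, "Privileges adjusted.\n");
    }

    processesPtr = queryAllProcess(&error);
    if (processesPtr == NULL) goto bail_out;

    handlesPtr = queryAllHandles(&error);
    if (handlesPtr == NULL) goto bail_out;

    numHandleFound = handlesPtr->dCount;

    // Check all the handles
    for (DWORD n = handlesPtr->dCount, i = 0; i < n; i++) {
        const SYSTEM_HANDLE &sysh = handlesPtr->ash[i];

        // Once we know the object type index of "File" handles, skip the rest.
        if (ob_type_file != 0 && sysh.bObjectType != ob_type_file) {
            continue;
        }

        HANDLE handle = (HANDLE) sysh.wValue;
        DWORD remoteId = sysh.dIdProcess;
        HANDLE remoteH = NULL;

        if (remoteId == matchProcessId) {
            // We already matched that process, we can skip its other entries.
            continue;
        }
        if (remoteId == currProcessId) {
            // We don't match ourselves
            continue;
        }

        // Open a remote process.
        // Most entries of a given process seem to be consecutive, so we
        // only open the remote process handle if it's a different id.
        if (remoteProcessH == NULL && remoteId == remoteProcessId) {
            // We already tried to open this process and it failed.
            // It's not going to be any better the next time so skip it.
            continue;
        }
        if (remoteProcessH == NULL || remoteId != remoteProcessId) {
            if (remoteProcessH != NULL) {
                CloseHandle(remoteProcessH);
            }
            remoteProcessId = remoteId;
            remoteProcessH = OpenProcess(PROCESS_DUP_HANDLE, FALSE /*inheritHandle*/, remoteProcessId);
            if (remoteProcessH == NULL) {
                continue;
            }
        }

        // remoteProcessH is non-NULL here. Duplicate the remote handle.
        if (DuplicateHandle(remoteProcessH,              // hSourceProcessHandle
                            handle,                      // hSourceHandle
                            currProcessH,                // hTargetProcessHandle
                            &remoteH,                    // lpTargetHandle
                            0,                           // dwDesiredAccess (ignored by same access)
                            FALSE,                       // bInheritHandle
                            DUPLICATE_SAME_ACCESS) == 0) {
            continue;
        }

        numHandleChecked++;

        char type = isFileHandleType(remoteH);
        if (type != 0) {
            // isFileHandleType() only ever returns 'F' or 0; the 'D' branch
            // is kept for the debug counters only.
            if (type == 'D') numHandleDirs++;
            else if (type == 'F') numHandleFiles++;

            if (ob_type_file == 0 && type == 'F') {
                // We found the first file handle. Remember its system_handle object type
                // and then use it to filter the following system_handle.
                // For some reason OB_TYPE_FILE should be 0x1A but empirically I find it
                // to be 0x1C, so we just make this test more dynamic.
                ob_type_file = sysh.bObjectType;
            }

            // Try to get a filename out of that file or directory handle.
            CString name("");
            bool ok = getFileName(remoteH, &name);

            if (gIsDebug) {
                fprintf(stderr, "P:%08x | t:%02x | f:%02x | v:%08x | %c | %s %s\n",
                        sysh.dIdProcess, sysh.bObjectType, sysh.bFlags, sysh.wValue,
                        type, ok ? "OK" : "FAIL", name.cstr());
            }

            if (ok) {
                // We got a file path. Let's check if it matches our target path.
                if (_strnicmp(searchPath, name.cstr(), searchPathLen) == 0) {
                    // Remember this process id so that we can ignore all its following entries.
                    matchProcessId = remoteId;

                    // Find out its process name
                    CString procName("");
                    ok = getProcessName(processesPtr, remoteProcessId, &procName);
                    if (ok) {
                        numProcessMatch++;
                        if (!outModule->isEmpty()) {
                            outModule->add(";");
                        }
                        outModule->add(procName.cstr());
                        result = true;
                    }

                    if (gIsDebug) {
                        fprintf(stderr, "==> MATCH FOUND: %s %s\n",
                                ok ? "OK" : "FAIL", procName.cstr());
                    }
                }
            }
        }

        if (remoteH != NULL) {
            CloseHandle(remoteH);
            remoteH = NULL;
        }
    }

bail_out:
    if (gIsDebug) {
        fprintf(stderr, "Processes matched: %d\n", numProcessMatch);
        fprintf(stderr, "Handles: %d found, %d checked, %d dirs, %d files\n",
                numHandleFound, numHandleChecked, numHandleDirs, numHandleFiles);
    }

    if (error != NULL) {
        CString msg;
        msg.setLastWin32Error(NULL);
        if (gIsDebug) fprintf(stderr, "[ERROR] %s: %s", error, msg.cstr());
    }

    if (remoteProcessH != NULL) {
        CloseHandle(remoteProcessH);
    }
    // processesPtr is VirtualAlloc'ed by queryAllProcess() and owned here;
    // it was previously never released (leak on every call).
    if (processesPtr != NULL) {
        VirtualFree(processesPtr, 0, MEM_RELEASE);
        processesPtr = NULL;
    }
    if (handlesPtr != NULL) {
        VirtualFree(handlesPtr, 0, MEM_RELEASE);
        handlesPtr = NULL;
    }

    terminate();
    return result;
}

#endif /* _WIN32 */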