Language: C
OS: Windows
My application is framed with NT-level APIs and has to manipulate file and directory handles.
On a ZwOpenFile or ZwCreateFile call, I get a HANDLE as a result. Usually the values for the HANDLE are like 0x00000024, 28, 2c, etc.
When I cast it to LPBYTE to view the contents, Visual Studio shows "Expression could not be evaluated". I understood from that that the HANDLE returned from the create/open file APIs is not a pointer to a memory location. However, Windows uses the value to perform file operations.
Ntquerydirectory object supplies me the information about handles. However, how Windows has implemented this functionality is unknown.
Can anyone throw light on it?
That's a so-called "opaque value", which means it's completely up to Windows how it is done inside. For example, it could be an index in some global table that is not accessible directly to your program - Windows just knows how to get there and you shouldn't even think of doing it.
Handles are stored in a table accessible only from kernel code. If you are interested in how the Windows kernel works, you may find Mark Russinovich's blog or driver development interesting.
The last book I know of that was a good reference for this kind of stuff was Inside Windows 2000 by Mark E. Russinovich and David A. Solomon. While clearly out of date, a lot of that book is still relevant. Google for "Inside Windows 7" for links to videos of talks by Russinovich and some other books that I can't vouch for, but seem on topic.
HANDLE is actually a pointer to a struct that contains various fields; often they point to some kernel object. HANDLES are generally used when programming in C to have a notion of object oriented programming.
When debugging with WinDbg you have an extension called !handle that can display various information about a given handle.
The book Windows Internals (by Mark Russinovich) goes into great detail about this and many other Windows' mechanisms.
Perhaps you will find this discussion useful: What is a Windows Handle?
Also check out this blog post by Mark: http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx. It contains a lot of information which could help you answer your question.
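Added example, not part of any answer above and not Windows source code: a toy model in portable C of the "index into a table" idea from the first answers, showing why a value such as 0x24 cannot be dereferenced yet still identifies an object. All `toy_*` names, the table size and the access flags are hypothetical; the step of 4 between handle values mirrors the 0x24, 0x28, 0x2c spacing in the question.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t toy_handle;            /* hypothetical stand-in for HANDLE */
#define TOY_READ  0x1u                   /* hypothetical access flags */
#define TOY_WRITE 0x2u
#define TOY_SLOTS 16                     /* hypothetical table size */

/* Only the "kernel" side of this model touches the table; callers hold
   nothing but the small integer that toy_open() returns. */
struct toy_entry { void *object; unsigned granted; };
static struct toy_entry table[TOY_SLOTS];   /* slot 0 unused, so 0 is never valid */

/* "Open": record object and granted access in a free slot, return slot * 4. */
toy_handle toy_open(void *object, unsigned access) {
    for (size_t i = 1; i < TOY_SLOTS; i++) {
        if (table[i].object != NULL) continue;
        table[i] = (struct toy_entry){ object, access };
        return (toy_handle)(i * 4);
    }
    return 0;                               /* table full */
}

/* Every use is a validated lookup, never a dereference of the handle value. */
void *toy_reference(toy_handle h, unsigned wanted) {
    size_t i = h / 4;
    if (h % 4 != 0 || i == 0 || i >= TOY_SLOTS) return NULL;  /* not a handle here */
    if (table[i].object == NULL) return NULL;                 /* closed or never opened */
    if ((table[i].granted & wanted) != wanted) return NULL;   /* access not granted */
    return table[i].object;
}

int toy_close(toy_handle h) {
    if (toy_reference(h, 0) == NULL) return -1;   /* stale or bogus value */
    table[h / 4] = (struct toy_entry){ NULL, 0 };
    return 0;
}

int main(void) {
    static char obj_a[] = "object A", obj_b[] = "object B";   /* constructed samples */
    toy_handle a = toy_open(obj_a, TOY_READ);
    toy_handle b = toy_open(obj_b, TOY_READ | TOY_WRITE);
    printf("handles: 0x%lx 0x%lx\n", (unsigned long)a, (unsigned long)b);
    printf("write via a: %s\n", toy_reference(a, TOY_WRITE) ? "ok" : "denied");
    toy_close(a);
    printf("a after close: %s\n", toy_reference(a, TOY_READ) ? "valid" : "invalid");
    return 0;
}
```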
User contributions licensed under CC BY-SA 3.0