From 0cfe451562989754f521136610b37e1a6c43b190 Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
 <SND\kernelnet_cp@9b283d60-5439-405e-af05-b73fd8c4d996>
Date: Thu, 4 Oct 2012 07:00:17 +0000
Subject: [PATCH] [0.2.x] added : snippet findhandle.py ( search all handle for
 specified object )

git-svn-id: https://pykd.svn.codeplex.com/svn@80001 9b283d60-5439-405e-af05-b73fd8c4d996
---
 snippets/findhandle.py | 46 ++++++++++++++++++++++++++++++++++++++++++
 snippets/ntobj.py      | 10 +++++----
 2 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 snippets/findhandle.py

diff --git a/snippets/findhandle.py b/snippets/findhandle.py
new file mode 100644
index 0000000..f3d41e0
--- /dev/null
+++ b/snippets/findhandle.py
@@ -0,0 +1,46 @@
+from pykd import *
+import ntobj
+import sys
+
+nt = module("nt")
+
+
+def findHanle(objaddr):
+
+    processList = typedVarList( nt.PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks"  )
+
+    for process in processList:
+
+        dprintln( "search in process %x " % process.UniqueProcessId +  "".join( [chr(i) for i in process.ImageFileName if i != 0] ) )
+
+        objects = ntobj.getListByHandleTable( process.ObjectTable )
+        for obj in objects:
+            if obj[0] == objaddr:
+                dprintln("\tHandle: %x" % ( obj[1],) )
+               
+
+def usage():
+    dprintln("!py findhandle object_address")
+
+def main():
+
+    if not isKernelDebugging():
+        dprintln("This script for kernel debugging only")
+        return
+
+    if len(sys.argv) < 2:
+        usage();
+        return;
+
+    objaddr = expr(sys.argv[1])
+    
+    objectType = ntobj.getType(objaddr)
+    
+    dprintln("Object Type: " + ntobj.getObjectName(objectType) )
+    dprintln("Object Name: "+ ntobj.getObjectName(objaddr) )
+    dprintln("")
+
+    findHanle( objaddr )
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
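Review bot: The match test `if obj[0] == objaddr:` in findHanle compares the handle-table entry with the `expr()` result as raw integers, whereas ntobj.py compares addresses as `addr64(objTypeAddr) == addr64(pCurrentType)`; if the two sides can differ in sign extension (plausible on 32-bit targets), a process that holds a handle to the object is silently left out of the output, so I would write `if addr64(obj[0]) == addr64(objaddr):`. Separately, `nt = module("nt")` and `import ntobj` execute at import time, before main() reaches its `isKernelDebugging()` guard, so in a user-mode session the script probably raises instead of printing the intended message; moving the `module("nt")` lookup into findHanle would let the guard run first. The function name is presumably meant to be `findHandle`.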
diff --git a/snippets/ntobj.py b/snippets/ntobj.py
index 8ef9486..c14a1be 100644
--- a/snippets/ntobj.py
+++ b/snippets/ntobj.py
@@ -124,7 +124,6 @@ def buildObjectName(p):
   return objectFullName
 
 
-
 HANDLE_VALUE_INC = 4
 HT_PAGE_SIZE = 4096
 HT_ENTRY_SIZE = (2 * ptrSize())
@@ -177,11 +176,11 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
         continue
 
       if (0 == objTypeAddr):
-        lstObjects.append(p)
+        lstObjects.append( ( p, HandleEntryIndex*HANDLE_VALUE_INC) )
       else:
         pCurrentType = getType(p)
         if (addr64(objTypeAddr) == addr64(pCurrentType)):
-          lstObjects.append(p)
+          lstObjects.append( ( p, HandleEntryIndex*HANDLE_VALUE_INC) )
 
     return lstObjects
 
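Review bot: Both `lstObjects.append( ( p, HandleEntryIndex*HANDLE_VALUE_INC) )` lines change the elements of the returned list from an address to an `(address, handle)` tuple while the signature stays the same, so any caller other than the `main()` updated later in this patch now receives tuples where it expects addresses; a docstring or comment on the function should state the new return shape. The loop that defines `HandleEntryIndex` is outside this hunk: if this code runs once per table page for multi-level handle tables, the index is presumably page-relative, and the reported handle would be wrong for every entry past the first page unless that page's base handle is added. That is worth confirming against a process whose handle table spans more than one `HT_PAGE_SIZE` page, since findhandle.py prints this value as the handle.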
@@ -230,6 +229,8 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
 
   dprintln("ERROR: Unknown handle table level: %u" % nTableLevel)
   return list()
+  
+ 
 
 NUMBER_HASH_BUCKETS = 37
 
@@ -398,7 +399,8 @@ def main():
       dprintln(main.__doc__, True)
       return
 
-  lstObjects = getListByHandleTable(tableHandles, objTypeAddr, containHeaders)
+  lstObjects = [ p[0] for p in getListByHandleTable(tableHandles, objTypeAddr, containHeaders) ]
+
   dprintln("%u objects:" % len(lstObjects))
   for object in lstObjects:
     objectType = getType(object)