HEy.
i need to get a file handle from a process.
Basicly, i got a dll injected into the process, and now somehow i need to find the handle to the file in that process.
i know the name/location of the file.
How can i get the handle.

the EPROCESS structure of a process contains a table that saves all handles opened by a process

you can retrieve this table in ring0 with PsGetCurrentProcess()->ObjectTable

what is ringo?
can somone give me some info on it?

ringo is ring 0 or kernelmode

that means that you have to write a little driver that sends this info to your application (which runs in ring 3)

if you let us know what you want to do, we can most likely suggest a better approach then searching for an existing file handle stored "somewhere out there".

i doubt there is one.
but here it is :
i got an app that creates a file, opens it , and when the app closes itself it deletes the file...
i need to get that file, i can't copy it becuase it is open, so any ideas on how to get to the file>
thx

Put a breakpoint in the program before the file is closed, then kill the process when it hits. The file is now yours.

You could also modify the flags for the code that opens the file, so that it is not opened in exclusive mode (and not in auto-delete-after-close mode, if that's the case).

that is a possibility, but i wanted a prog that does that for me without actualy screwing with either file, or spending time debugging the progam....and i also wanted to learn some stuff about ring 0, since i never worked with it in the process.

and what do you want to do with that handle?

i dont know if it is possible that you use a handle from another process in your process

or does DuplicateHandle this work?

no, not like that...
i have a dll injected into the other processs, now i want my dll to get the handle from inside the process and use it.....
to find the handle i need to work with ring -0 (i think i do....)......

<pedant>
Ring 0 is not necessarily kernel mode. One does not imply the other - rings are a processor-level security mechanism to segment code via descriptors, whereas kernel & user mode are operating system terms that define where code managed by the o/s is running. On a 680x0 (motorola) processor, supervisor (kernel) mode and user mode do exist as the only 2 "rings", because it's a different cpu design. Ring 0 happens to be kernel mode on Windows because Microsoft stuck to a 2 ring model (even though x86 has 4 rings, only ring 0 and ring 3 are used) due to cross-platform compatibility. So, to pick nits, although the Windows kernel runs in ring 0 it's incorrect to call ring 0 "kernel mode".
</pedant>