Network Security Hacks [Electronic resources] (text version)

Andrew Lockhart

Hack 22 Get a List of Open Files and Their Owning Processes



Look for suspicious activity by monitoring file accesses.




Suppose you're looking at the list of processes in the task
manager one day after noticing some odd behavior on your workstation,
and you notice a process you haven't seen before.
Well, what do you do now? If you were running something other than
Windows, you might try to determine what the process is doing by
looking at the files it has open. Unfortunately, Windows
doesn't provide a tool to do this.


Sysinternals makes an excellent tool called
Handle, which is available for free at
http://www.sysinternals.com/ntw2k/freeware/handle.shtml.
Handle is a lot like lsof [Hack #8],
but it can list many other types of operating resources, including
threads, events, and semaphores. It can also display open registry
keys and IOCompletion structures.


Running handle without any command-line arguments
will list all open file handles on the system. You can also specify a
filename, which will list the processes that are currently accessing
it, by typing this:


C:\> handle filename


Or you can list only files that are opened by a particular
process, in this case Internet Explorer:


C:\> handle -p iexplore
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
----------------------------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\andrew
98: Section \BaseNamedObjects\MTXCOMM_MEMORY_MAPPED_FILE
9c: Section \BaseNamedObjects\MtxWndList
12c: Section \BaseNamedObjects\__R_0000000000d4_SMem_ _
18c: File C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat
198: Section \BaseNamedObjects\C:_Documents and Settings_andrew_Local Settings_Temporary Internet Files_Content.IE5_index.dat_3194880
1a0: File C:\Documents and Settings\andrew\Cookies\index.dat
1a8: File C:\Documents and Settings\andrew\Local Settings\History\History.IE5\index.dat
1ac: Section \BaseNamedObjects\C:_Documents and Settings_andrew_Local Settings_History_History.IE5_index.dat_245760
1b8: Section \BaseNamedObjects\C:_Documents and Settings_andrew_Cookies_index.dat_81920
228: Section \BaseNamedObjects\UrlZonesSM_andrew
2a4: Section \BaseNamedObjects\SENS Information Cache
540: File C:\Documents and Settings\andrew\Application Data\Microsoft\SystemCertificates\My
574: File C:\Documents and Settings\All Users\Desktop
5b4: Section \BaseNamedObjects\mmGlobalPnpInfo
5cc: File C:\WINNT\system32\mshtml.tlb
614: Section \BaseNamedObjects\WDMAUD_Callbacks
640: File C:\WINNT\system32\Macromed\Flash\Flash.ocx
648: File C:\WINNT\system32\STDOLE2.TLB
6a4: File \Dfs
6b4: File C:\Documents and Settings\andrew\Desktop
6c8: File C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\Q5USFST0\softwareDownloadIndex[1]
70c: Section \BaseNamedObjects\MSIMGSIZECacheMap
758: File C:\WINNT\system32\iepeers.dll
75c: File C:\Documents and Settings\andrew\Desktop
770: Section \BaseNamedObjects\RotHintTable


If you want to find the Internet Explorer process that owns a
resource with a partial name of handle, you could
type:


C:\> handle -p iexplore handle
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
IEXPLORE.EXE pid: 1396
C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\H1EZGFSH\handle[1]


Additionally, if you wanted to list all types of resources, you could
use the -a option. Handle is quite a powerful
tool, and any of its command-line options can be mixed together to
quickly narrow your search and find just what you want.
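As an added example, not from the book or from Sysinternals: a small Python parser for the report layout Handle prints (process header lines, then one `id: Type Name` entry per handle), so a capture of `handle` or `handle -a` saved to a text file can be searched the way the filename argument and `-p` do, and kept as evidence for an investigation. The sample text is constructed in that layout; the svchost.exe block and its registry-key handle are invented for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in the layout Handle v2.10 prints; not a real capture.
SAMPLE_OUTPUT = r"""
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
----------------------------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\andrew
  1a0: File    C:\Documents and Settings\andrew\Cookies\index.dat
  228: Section \BaseNamedObjects\UrlZonesSM_andrew
  5cc: File    C:\WINNT\system32\mshtml.tlb
----------------------------------------------------------------------------
svchost.exe pid: 1044 NT AUTHORITY\SYSTEM
   40: File    C:\WINNT\system32\mshtml.tlb
   5c: Key     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
"""

class Handle(NamedTuple):
    process: str
    pid: int
    user: str
    handle_id: int   # the hex id Handle prints before the colon
    kind: str        # File, Section, Key, ...
    name: str

_PROC_RE = re.compile(r"^(\S+) pid: (\d+)\s+(.*)$")          # "IEXPLORE.EXE pid: 688 PLUNDER\andrew"
_ENTRY_RE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(\S+)\s+(.*)$")  # "  1a0: File    C:\..."

def parse_handle_output(text: str) -> List[Handle]:
    """Turn Handle's text report into one record per open handle."""
    records: List[Handle] = []
    proc: Optional[Tuple[str, int, str]] = None
    for line in text.splitlines():
        m = _PROC_RE.match(line)
        if m:                       # new process block; entries below belong to it
            proc = (m.group(1), int(m.group(2)), m.group(3).strip())
            continue
        m = _ENTRY_RE.match(line)
        if m and proc is not None:  # banner and separator lines fail both regexes
            records.append(Handle(*proc, int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return records

def owners_of(records: List[Handle], name_fragment: str) -> List[Tuple[str, int]]:
    """Like `handle <filename>`: every process holding a handle whose name matches."""
    frag = name_fragment.lower()
    return sorted({(r.process, r.pid) for r in records if frag in r.name.lower()})

def handles_of(records: List[Handle], process_prefix: str, kind: Optional[str] = None) -> List[Handle]:
    """Like `handle -p <name>`: handles of processes whose image name starts with the prefix."""
    return [r for r in records
            if r.process.lower().startswith(process_prefix.lower())
            and (kind is None or r.kind == kind)]
```

Running the parser over a capture taken with `-a` rather than the default gives the same records with the extra handle types (Key, Event, Thread) filled in, so `handles_of(..., kind="Key")` shows which registry keys a process holds open.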

