Closed MaulingMonkey closed 2 years ago
I'm inclined to simply prevent opening said handles in the first place. My biggest concern was inherited handles, and UpdateProcThreadAttribute w/ PROC_THREAD_ATTRIBUTE_HANDLE_LIST already handles that beautifully. process::ThreadAttributeRef::handle_list allows passing in a specific list of handles.

It also appears to be possible to enumerate another process's handles with undocumented system APIs: https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland: