randomascii / blogstuff Goto Github PK

Hi,

I tried to clone the repo and run the prebuilt binaries for FindZombieHandles. The program works as expected although it warns that it can't find all the zombies due to being unable to get debug privileges. However, even when running as admin I still get the same warning:

I'm on Windows 10 Pro 1709, if that matters.

Thanks!

When PIDs grow over 2^16 - 1 (65535), zombies.Count is almost always 0.

NtApiDotNet's SystemHandleTableInfoEntry stores UniqueProcessId as a ushort. As a UInt16, obviously it'll wrap on >= 2^16.

This is possibly more of a bug in NtApiDotNet, but I don't know the NT API well enough to be sure.

More specifically, it's on

Funnily enough, this makes FindZombieHandles unusable on the worse leaks that force PIDs to grow very quickly.

The latest FindZombieHandles fails after running ProcessCreateTests from this branch/commit:

bdb648c

The error message printed is:
(0xC0000023) - {Buffer Too Small}
The buffer is too small to contain the entry. No information has been written to the buffer.

I have not seen the message trigger under other cases. I suspect the problem is caused by there being a very large number of processes that are holding zombie process handles, rather than it being a problem with a very large number of zombie process handles.

Hi everyone.

I've tested FindZombieHandles in two VM's running Windows Server 2012 R2, and it didn't find any zombies. It returns the above message:

I'm running it as Administrator on both VM's.

Regarding .NET version, I have:

and

Do you have any idea of what is the cause of this issue?

Thank you in advance,

Leandro

C:\data>FindZombieHandles.exe
This version of C:\data\FindZombieHandles.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

Microsoft Windows [Version 10.0.17133.1]
x64

Any suggestions? Running as admin, not sure what the deal is..

tool is useful, but how to find all names ?
Windows 10 x64