How to obtain the value of a handle

[JohnSmith054]

Hi,

While examining the logs of the sandbox, I found content similar to the following:

{"Plugin": "syscall", "TimeStamp": "1702287095.932219", "PID": 2072, "PPID": 1184, "TID": 2076, "UserName": "SessionID", "UserId": 1, "ProcessName": "fe4a1a0c6b05b6a695d5a387e883ac9fb268b56536aba3cfae4e9d5da5fdcf4a.exe", "Method": "NtCreateSection", "EventUID": "0x7df", "Module": "nt", "vCPU": 1, "CR3": "0x63445000", "Syscall": 71, "NArgs": 7, "SectionHandle": "0x8e348", "DesiredAccess": "0x4", "ObjectAttributes": "0x0", "MaximumSize": "0x0", "SectionPageProtection": "0x2", "AllocationAttributes": "0x8000000", "FileHandle": "\Windows\SysWOW64\imm32.dll"}
{"Plugin": "syscall", "TimeStamp": "1702287095.934259", "PID": 2072, "PPID": 1184, "TID": 2076, "UserName": "SessionID", "UserId": 1, "ProcessName": "fe4a1a0c6b05b6a695d5a387e883ac9fb268b56536aba3cfae4e9d5da5fdcf4a.exe", "Method": "NtMapViewOfSection", "EventUID": "0x7e6", "Module": "nt", "vCPU": 1, "CR3": "0x63445000", "Syscall": 37, "NArgs": 10, "SectionHandle": "0x3c", "ProcessHandle": "0xffffffffffffffff", "*BaseAddress": "0x0", "ZeroBits": "0x7ffeffff", "CommitSize": "0x0", "SectionOffset": "0x0", "ViewSize": "0x8e2b0", "InheritDisposition": "0x1", "AllocationType": "0x0", "Win32Protect": "0x2"}

Currently, I am working on analyzing sample behaviors and want to correlate the continuous behaviors of the samples. However, in the logs, the SectionHandle from the 'NtCreateSection' function and the SectionHandle from the 'NtMapViewOfSection' do not match; it appears that one is the handle address and the other is the actual handle value. I am wondering if there is a way to convert the handle address from the NtCreateSection function into the actual handle value? Thank you.