private static bool ExtractFileNameFromHandle(SYSTEM_HANDLE_ENTRY handleEntry, SafeHandle processHandle, out string fileName)
{
var handle = (IntPtr)handleEntry.HandleValue;
SafeObjectHandle duplicatedHandle = null;
try
{
if (!DuplicateHandle(handle, processHandle, out duplicatedHandle))
{
fileName = null;
return(false);
}
handle = duplicatedHandle.DangerousGetHandle();
if (GetHandleType(handle, out var handleType) && handleType == SystemHandleType.OB_TYPE_FILE)
{
if (GetFileNameFromHandle(handle, out var devicePath))
{
return(ConvertDevicePathToDosPath(devicePath, out fileName));
}
}
}
finally
{
duplicatedHandle?.Close();
}
fileName = null;
return(false);
}
public IEnumerator <String> GetEnumerator()
{
NT_STATUS ret;
int length = 0x10000;
// Loop, probing for required memory.
do
{
IntPtr ptr = IntPtr.Zero;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
RuntimeHelpers.PrepareConstrainedRegions();
try { }
finally
{
// CER guarantees that the address of the allocated
// memory is actually assigned to ptr if an
// asynchronous exception occurs.
ptr = Marshal.AllocHGlobal(length);
}
int returnLength;
ret = NativeMethods.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, length, out returnLength);
if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH)
{
// Round required memory up to the nearest 64KB boundary.
length = ((returnLength + 0xffff) & ~0xffff);
}
else if (ret == NT_STATUS.STATUS_SUCCESS)
{
int handleCount = Marshal.ReadInt32(ptr);
int offset = sizeof(int);
int size = Marshal.SizeOf(typeof(SYSTEM_HANDLE_ENTRY));
for (int i = 0; i < handleCount; i++)
{
SYSTEM_HANDLE_ENTRY handleEntry = (SYSTEM_HANDLE_ENTRY)Marshal.PtrToStructure((IntPtr)((int)ptr + offset), typeof(SYSTEM_HANDLE_ENTRY));
if (handleEntry.OwnerPid == processId)
{
IntPtr handle = (IntPtr)handleEntry.HandleValue;
SystemHandleType handleType;
if (GetHandleType(handle, handleEntry.OwnerPid, out handleType) && handleType == SystemHandleType.OB_TYPE_FILE)
{
string devicePath;
if (GetFileNameFromHandle(handle, handleEntry.OwnerPid, out devicePath))
{
string dosPath;
if (ConvertDevicePathToDosPath(devicePath, out dosPath))
{
if (File.Exists(dosPath))
{
yield return(dosPath); // return new FileInfo(dosPath);
}
else if (Directory.Exists(dosPath))
{
yield return(dosPath); // new DirectoryInfo(dosPath);
}
}
}
}
}
offset += size;
}
}
}
finally
{
// CER guarantees that the allocated memory is freed,
// if an asynchronous exception occurs.
Marshal.FreeHGlobal(ptr);
//sw.Flush();
//sw.Close();
}
}while (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH);
}
public static IEnumerable <HandleInfo> GetOpenHandles(this Process process)
{
NT_STATUS returnValue;
int length = 0x10000;
do
{
IntPtr ptr = IntPtr.Zero;
try
{
ptr = Marshal.AllocHGlobal(length);
int returnLength;
returnValue = NativeMethods.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, length, out returnLength);
if (returnValue == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH)
{
length = ((returnLength + 0xffff) & ~0xffff);
}
else if (returnValue == NT_STATUS.STATUS_SUCCESS)
{
int handleCount = Marshal.ReadInt32(ptr);
int offset = sizeof(int);
int size = Marshal.SizeOf(typeof(SYSTEM_HANDLE_ENTRY));
for (int i = 0; i < handleCount; i++)
{
SYSTEM_HANDLE_ENTRY handleEntry = (SYSTEM_HANDLE_ENTRY)Marshal.PtrToStructure((IntPtr)((int)ptr + offset), typeof(SYSTEM_HANDLE_ENTRY));
if (handleEntry.OwnerPid == process.Id)
{
var handle = (IntPtr)handleEntry.HandleValue;
HandleInfo handleInfo;
if (GetHandleInfo(handle, handleEntry.OwnerPid, out handleInfo))
{
string localPath;
if (handleInfo.HandleType.IsOneOf(HandleType.OB_TYPE_FILE, HandleType.OB_TYPE_DIRECTORY))
{
if (ConvertDevicePathToLocalPath(handleInfo.ObjectName, out localPath))
{
handleInfo.LocalPath = localPath;
}
}
yield return(handleInfo);
}
}
offset += size;
}
}
}
finally
{
Marshal.FreeHGlobal(ptr);
}
}while (returnValue == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH);
}
public static List <HandleInfo> GetSystemHandles()
{
var pid = Process.GetCurrentProcess().Id;
NT_STATUS ret;
int length = 0x10000;
// Loop, probing for required memory.
do
{
IntPtr ptr = IntPtr.Zero;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
RuntimeHelpers.PrepareConstrainedRegions();
try { }
finally
{
// CER guarantees that the address of the allocated
// memory is actually assigned to ptr if an
// asynchronous exception occurs.
ptr = Marshal.AllocHGlobal(length);
}
int returnLength;
ret = NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, length, out returnLength);
if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH)
{
// Round required memory up to the nearest 64KB boundary.
length = ((returnLength + 0xffff) & ~0xffff);
}
else if (ret == NT_STATUS.STATUS_SUCCESS)
{
int handleCount = Marshal.ReadInt32(ptr);
int offset = IntPtr.Size;
int size = Marshal.SizeOf(typeof(SYSTEM_HANDLE_ENTRY));
var result = new List <HandleInfo>();
for (int i = 0; i < handleCount; i++)
{
SYSTEM_HANDLE_ENTRY handleEntry = (SYSTEM_HANDLE_ENTRY)Marshal.PtrToStructure(ptr + offset, typeof(SYSTEM_HANDLE_ENTRY));
if (handleEntry.UniqueProcessId == pid && !AccessMaskBlackList.Contains(handleEntry.AccessMask))
{
// Console.WriteLine($"{handleEntry.AccessMask}");
var handle = (IntPtr)handleEntry.HandleValue;
var type = GetHandleTypeNameToken(handle, OBJECT_INFORMATION_CLASS.ObjectTypeInformation);
var name = GetHandleTypeNameToken(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation);
result.Add(new HandleInfo()
{
Handle = handle, Type = type, Name = name
});
}
offset += size;
}
return(result);
}
}
finally
{
// CER guarantees that the allocated memory is freed,
// if an asynchronous exception occurs.
Marshal.FreeHGlobal(ptr);
}
}while (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH);
throw new Exception($"NtQuerySystemInformation failed with return code {ret}");
}
public void KillProcess(int[] Pids, string path)
{
//long formal;
//int size = Marshal.SizeOf(typeof(SYSTEM_BASIC_INFORMATION));
//IntPtr ptr = Marshal.AllocHGlobal(size);
//Console.WriteLine("NTSTATUS: " + APIQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, size, out formal).ToString("X"));
//SYSTEM_BASIC_INFORMATION INFO = ((SYSTEM_BASIC_INFORMATION)Marshal.PtrToStructure(ptr, typeof(SYSTEM_BASIC_INFORMATION)));
//Console.WriteLine(INFO.NumberOfProcessors);
//Console.WriteLine(formal);
int length = 0x10000;
int returnLength;
NT_STATUS ret;
do
{
IntPtr ptr = Marshal.AllocHGlobal(length);
RuntimeHelpers.PrepareConstrainedRegions();
try
{
ret = NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, length, out returnLength);
if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH)
{
length = ((returnLength + 0xffff) & ~0xffff);
}
else
{
if (ret == NT_STATUS.STATUS_SUCCESS)
{
int handleCount = Marshal.ReadInt32(ptr);
int offset = sizeof(int);
int size = Marshal.SizeOf(typeof(SYSTEM_HANDLE_ENTRY));
for (int i = 0; i < handleCount; i++)
{
SYSTEM_HANDLE_ENTRY handleEntry = (SYSTEM_HANDLE_ENTRY)Marshal.PtrToStructure((IntPtr)((int)ptr + offset), typeof(SYSTEM_HANDLE_ENTRY));
SystemHandleType handleType;
IntPtr handle = (IntPtr)handleEntry.HandleValue;
foreach (int pid in Pids)
{
if (handleEntry.OwnerPid == pid)
{
if (GetHandleType(handle, handleEntry.OwnerPid, out handleType))
{
if (handleType == SystemHandleType.OB_TYPE_FILE)
{
string devicePath;
if (GetFileNameFromHandle(handle, handleEntry.OwnerPid, out devicePath))
{
string dosPath;
if (ConvertDevicePathToDosPath(devicePath, out dosPath))
{
if (dosPath.Contains(path))
{
System.Diagnostics.Process.GetProcessById(handleEntry.OwnerPid).Kill();
}
}
}
}
}
}
}
offset += size;
}
}
}
}
finally
{
Marshal.FreeHGlobal(ptr);
}
}while (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH);
}
