public static DbgHandleToObjectName(
    InNamedHandle,
    OutNameBuffer,
    InBufferSize,
    OutRequiredSize)
return: void
/// <summary>
/// Reads the kernel object name for a given Windows user-mode handle.
/// Executes in approx. 100 microseconds.
/// </summary>
/// <remarks><para>
/// This allows you to translate a handle back to the associated filename, for example.
/// Keep in mind that such names are only valid for kernel service routines like
/// <c>NtCreateFile</c>; calling <c>CreateFile</c> on such an object name will not succeed.
/// The regular Windows user-mode API offers ways to convert kernel-mode names back into
/// user-mode names; see <c>FindFirstVolume()</c>, <c>FindFirstVolumeMountPoint()</c>,
/// <c>QueryDosDevice()</c> and <c>GetVolumePathNamesForVolumeName()</c>.
/// </para></remarks>
/// <param name="InHandle">A valid user-mode handle.</param>
/// <returns>The kernel object name associated with the given handle.</returns>
/// <exception cref="ArgumentException">
/// The given handle is invalid or could not be accessed for unknown reasons.
/// </exception>
public static String GetNameByHandle(IntPtr InHandle)
{
    // First pass: size query only (no buffer); the native call reports the
    // buffer size the name requires. The documented ArgumentException is
    // assumed to originate inside NativeAPI.DbgHandleToObjectName — TODO confirm.
    Int32 nameSize;
    NativeAPI.DbgHandleToObjectName(InHandle, IntPtr.Zero, 0, out nameSize);

    // The native buffer is shared across callers, so it is held for the whole
    // fill-and-marshal sequence; the lock is taken on the buffer object itself.
    lock (Buffer)
    {
        Buffer.Alloc(nameSize + 1);

        // Second pass: fill the buffer. NOTE(review): the object name could change
        // between the two calls; the size reported by this call is not compared
        // against the allocation, so a grown name would not be re-read.
        NativeAPI.DbgHandleToObjectName(InHandle, Buffer.Buffer, nameSize, out nameSize);

        // The buffer holds a UNICODE_STRING header; its Buffer member is the name.
        UNICODE_STRING objectName = new UNICODE_STRING();
        Marshal.PtrToStructure(Buffer.Buffer, objectName);

        return objectName.Buffer;
    }
}