public RowViewModel(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX info)
{
_info = info;
using (DuplicatedObjectHandle dhandle = new DuplicatedObjectHandle(_info.HandleValue, _info.UniqueProcessId))
{
if (dhandle.ErrorMessage != null)
{
_name = "<" + dhandle.ErrorMessage + ">";
return;
}
string name;
NT_STATUS status = dhandle.TryGetObjectNameFromHandle(out name, timeout);
if (status != NT_STATUS.STATUS_SUCCESS)
{
_name = "<" + status.ToString() + ">";
return;
}
_name = name;
}
if (_name != null && !_name.StartsWith("<"))
{
if (this.ObjectTypeString == "File")
{
_prettyName = DevicePathConverter.ConvertDevicePathToDosPath(_name);
}
if (this.ObjectTypeString == "Key")
{
_prettyName = _name.Replace(@"\REGISTRY\MACHINE", @"HKLM").Replace(@"\REGISTRY\USER\" + cusid, @"HKCU").Replace(@"\REGISTRY\USER", @"HKU"); // todo: do not use replace, use code similar to DevicePathConverter.IsMatch
}
}
}
public static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle)
{
IntPtr _processHandle = NativeMethods.OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId);
IntPtr _handle = IntPtr.Zero;
try
{
if (!NativeMethods.DuplicateHandle(_processHandle, handle.HandleValue, NativeMethods.GetCurrentProcess(), out _handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS))
{
return(null);
}
IntPtr _basic = IntPtr.Zero;
int nameLength = 0;
try
{
OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION();
_basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo));
NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength);
basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType());
nameLength = basicInfo.NameInformationLength;
}
finally
{
if (_basic != IntPtr.Zero)
{
Marshal.FreeHGlobal(_basic);
}
}
if (nameLength == 0)
{
return(null);
}
OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION();
IntPtr _objectName = Marshal.AllocHGlobal(nameLength);
try
{
while (NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength) == NtStatus.InfoLengthMismatch)
{
Marshal.FreeHGlobal(_objectName);
_objectName = Marshal.AllocHGlobal(nameLength);
}
nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType());
}
finally
{
Marshal.FreeHGlobal(_objectName);
}
try
{
return(Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1));
}
catch (Exception e)
{
Util.Logging.Log(e);
}
return(null);
}
finally
{
if (_handle != IntPtr.Zero) //moved from Marshal.FreeHGlobal(_objectName);
{
NativeMethods.CloseHandle(_handle);
}
if (_processHandle != IntPtr.Zero)
{
NativeMethods.CloseHandle(_processHandle);
}
}
}
public ObjectHandle(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX info)
{
this.handleInfo = info;
}
public static IObjectHandle GetHandle(int processId, string objectName, bool exactMatch)
{
int infoLength = 0x10000;
int length = 0;
IntPtr _info = Marshal.AllocHGlobal(infoLength);
IntPtr _handle = IntPtr.Zero;
long handleCount = 0;
try
{
//CNST_SYSTEM_HANDLE_INFORMATION is limited to 16-bit process IDs
while (NativeMethods.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemExtendedHandleInformation, _info, infoLength, ref length) == NtStatus.InfoLengthMismatch)
{
infoLength = length;
Marshal.FreeHGlobal(_info);
_info = Marshal.AllocHGlobal(infoLength);
}
if (IS_64)
{
handleCount = Marshal.ReadInt64(_info);
_handle = new IntPtr(_info.ToInt64() + 16);
}
else
{
handleCount = Marshal.ReadInt32(_info);
_handle = new IntPtr(_info.ToInt32() + 8);
}
var handleInfo = new SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX();
var infoSize = Marshal.SizeOf(handleInfo);
var infoType = handleInfo.GetType();
for (long i = 0; i < handleCount; i++)
{
if (IS_64)
{
handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType);
_handle = new IntPtr(_handle.ToInt64() + infoSize);
}
else
{
handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType);
_handle = new IntPtr(_handle.ToInt32() + infoSize);
}
if (processId > 0 && handleInfo.UniqueProcessId.ToUInt32() != processId)
{
continue;
}
string name = GetObjectName(handleInfo);
if (name == null)
{
continue;
}
if (exactMatch)
{
if (!name.Equals(objectName))
{
continue;
}
}
else if (!name.Contains(objectName))
{
continue;
}
return(new ObjectHandle(handleInfo));
}
}
finally
{
Marshal.FreeHGlobal(_info);
}
return(null);
}
public static IObjectHandle GetHandle(Process process, string objectName, bool exactMatch)
{
bool is64 = Marshal.SizeOf(typeof(IntPtr)) == 8 ? true : false;
int infoLength = 0x10000;
int length = 0;
IntPtr _info = Marshal.AllocHGlobal(infoLength);
IntPtr _handle = IntPtr.Zero;
long handleCount = 0;
try
{
while ((NtQuerySystemInformation(CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION, _info, infoLength, ref length)) == STATUS_INFO_LENGTH_MISMATCH)
{
infoLength = length;
Marshal.FreeHGlobal(_info);
_info = Marshal.AllocHGlobal(infoLength);
}
if (is64)
{
handleCount = Marshal.ReadInt64(_info);
_handle = new IntPtr(_info.ToInt64() + 16);
}
else
{
handleCount = Marshal.ReadInt32(_info);
_handle = new IntPtr(_info.ToInt32() + 8);
}
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleInfo;
List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles = new List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>();
handleInfo = new SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX();
int infoSize = Marshal.SizeOf(handleInfo);
Type infoType = handleInfo.GetType();
for (long i = 0; i < handleCount; i++)
{
if (is64)
{
handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType);
_handle = new IntPtr(_handle.ToInt64() + infoSize);
}
else
{
handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType);
_handle = new IntPtr(_handle.ToInt32() + infoSize);
}
if (handleInfo.UniqueProcessId.ToUInt32() != process.Id)
continue;
string name = GetObjectName(handleInfo);
if (name == null)
continue;
if (exactMatch)
{
if (!name.Equals(objectName))
continue;
}
else if (!name.Contains(objectName))
continue;
return new ObjectHandle(handleInfo);
}
}
finally
{
Marshal.FreeHGlobal(_info);
}
return null;
}
public ObjectHandle(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX info)
{
this.handleInfo = info;
}
private static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle)
{
IntPtr _processHandle = OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId);
IntPtr _handle = IntPtr.Zero;
try
{
if (!DuplicateHandle(_processHandle, handle.HandleValue, GetCurrentProcess(), out _handle, 0, false, DUPLICATE_SAME_ACCESS))
return null;
IntPtr _basic = IntPtr.Zero;
int nameLength = 0;
try
{
OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION();
_basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo));
NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength);
basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType());
nameLength = basicInfo.NameInformationLength;
}
finally
{
if (_basic != IntPtr.Zero)
Marshal.FreeHGlobal(_basic);
}
if (nameLength == 0)
{
return null;
}
OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION();
IntPtr _objectName = Marshal.AllocHGlobal(nameLength);
try
{
while ((uint)(NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(_objectName);
_objectName = Marshal.AllocHGlobal(nameLength);
}
nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType());
}
finally
{
Marshal.FreeHGlobal(_objectName);
CloseHandle(_handle);
}
try
{
return Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1);
}
catch
{
}
return null;
}
finally
{
if (_processHandle != IntPtr.Zero)
CloseHandle(_processHandle);
}
}
static int Compare(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle1, SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle2)
{
if (handle1.UniqueProcessId.ToInt64() < handle2.UniqueProcessId.ToInt64())
return 1;
if (handle1.UniqueProcessId.ToInt64() > handle2.UniqueProcessId.ToInt64())
return -1;
if (handle1.ObjectTypeIndex < handle2.ObjectTypeIndex)
return 1;
if (handle1.ObjectTypeIndex > handle2.ObjectTypeIndex)
return -1;
if (handle1.HandleValue.ToInt64() < handle2.HandleValue.ToInt64())
return 1;
if (handle1.HandleValue.ToInt64() > handle2.HandleValue.ToInt64())
return -1;
return 0;
}
