public static bool GetFileNameFromHandle(IntPtr handle, out string fileName)
{
int[] length = { 0x2000 }; // 512 bytes
using (SmartPtr sptr = new SmartPtr())
{
sptr.Allocate(length[0]);
HandleFlag flag;
if (!NativeMethods.GetHandleInformation(handle, out flag))
{
fileName = null;
return(false);
}
if (flag != HandleFlag.None)
{
fileName = null;
return(false);
}
NtStatus ret = default(NtStatus);
ThreadStart threadStart = delegate
{
ret = NativeMethods.NtQueryObject(handle, ObjectInformationClass.ObjectNameInformation,
sptr.Pointer, length[0], out length[0]);
};
Thread thread = new Thread(threadStart);
thread.Start();
bool result = thread.Join(100);
if (!result)
{
fileName = null;
return(false);
}
if (ret == NtStatus.BufferOverflow)
{
sptr.ReAllocate(length[0]);
ret = NativeMethods.NtQueryObject(handle, ObjectInformationClass.ObjectNameInformation, sptr.Pointer,
length[0], out length[0]);
}
if (ret == NtStatus.Success)
{
ObjectNameInformation oti =
(ObjectNameInformation)Marshal.PtrToStructure(sptr.Pointer, typeof(ObjectNameInformation));
UnicodeString unicodeName = oti.Name;
fileName = unicodeName.GetValue();
return(fileName.Length != 0);
}
}
fileName = string.Empty;
return(false);
}
private static string GetObjectNameNt(ProcessHandle process, IntPtr handle, GenericHandle dupHandle)
{
int retLength;
Win32.NtQueryObject(
dupHandle,
ObjectInformationClass.ObjectNameInformation,
IntPtr.Zero,
0,
out retLength
);
if (retLength > 0)
{
using (MemoryAlloc oniMem = new MemoryAlloc(retLength))
{
Win32.NtQueryObject(
dupHandle,
ObjectInformationClass.ObjectNameInformation,
oniMem,
oniMem.Size,
out retLength
).ThrowIf();
ObjectNameInformation oni = oniMem.ReadStruct <ObjectNameInformation>();
UnicodeString str = oni.Name;
//if (KProcessHacker.Instance != null)
//str.Buffer = str.Buffer.Increment(oniMem.Memory.Decrement(baseAddress));
return(str.Text);
}
}
throw new Exception("NtQueryObject failed.");
}
public static async Task <IEnumerable <string> > GetOpenFiles(int pid)
{
List <string> files = new List <string>();
Parallel.ForEach(
await GetHandles(pid),
myHandle =>
{
NTStatus status;
IntPtr myProcessHandle = OpenProcess(ProcessAccessFlags.DuplicateHandle, false, myHandle.GetPid());
IntPtr currentProcessHandle = GetCurrentProcess();
IntPtr targetHandle = Marshal.AllocHGlobal(Marshal.SizeOf <uint>());
status = NtDuplicateObject(myProcessHandle, myHandle.HandleValue, currentProcessHandle, targetHandle, 0, 0, 0);
CloseHandle(myProcessHandle);
CloseHandle(currentProcessHandle);
if (status != NTStatus.Success)
{
Marshal.FreeHGlobal(targetHandle);
return;
}
IntPtr handle = Marshal.PtrToStructure <IntPtr>(targetHandle);
Marshal.FreeHGlobal(targetHandle);
IntPtr objectTypeInfo = Marshal.AllocHGlobal(Marshal.SizeOf <ObjectTypeInformation>());
uint returnLength = 0;
status = NtQueryObject(
handle,
ObjectInformationClass.ObjectTypeInformation,
objectTypeInfo,
(uint)Marshal.SizeOf <ObjectTypeInformation>(),
ref returnLength);
if (status != NTStatus.Success)
{
objectTypeInfo = Marshal.ReAllocHGlobal(objectTypeInfo, (IntPtr)returnLength);
status = NtQueryObject(
handle,
ObjectInformationClass.ObjectTypeInformation,
objectTypeInfo,
returnLength,
ref returnLength);
if (status != NTStatus.Success)
{
Marshal.FreeHGlobal(objectTypeInfo);
CloseHandle(handle);
return;
}
}
ObjectTypeInformation oti = Marshal.PtrToStructure <ObjectTypeInformation>(objectTypeInfo);
string typeName = oti.Name.ToString();
Marshal.FreeHGlobal(objectTypeInfo);
IntPtr objectNameInfo = Marshal.AllocHGlobal(Marshal.SizeOf <ObjectNameInformation>());
returnLength = (uint)Marshal.SizeOf <ObjectNameInformation>();
status = NtQueryObject(
handle,
ObjectInformationClass.ObjectNameInformation,
objectNameInfo,
(uint)Marshal.SizeOf <ObjectNameInformation>(),
ref returnLength);
if (status != NTStatus.Success)
{
objectNameInfo = Marshal.ReAllocHGlobal(objectNameInfo, (IntPtr)returnLength);
status = NtQueryObject(
handle,
ObjectInformationClass.ObjectNameInformation,
objectNameInfo,
returnLength,
ref returnLength);
if (status != NTStatus.Success)
{
Marshal.FreeHGlobal(objectNameInfo);
CloseHandle(handle);
return;
}
}
ObjectNameInformation oni = Marshal.PtrToStructure <ObjectNameInformation>(objectNameInfo);
string objName = oni.Name.ToString();
Marshal.FreeHGlobal(objectNameInfo);
if (typeName.Equals("File"))
{
uint fnLength = 0;
StringBuilder sb = new StringBuilder(0);
fnLength = GetFinalPathNameByHandle(handle, sb, fnLength, 0);
sb.Capacity = (int)fnLength;
if (GetFinalPathNameByHandle(handle, sb, fnLength, 0) > 1)
{
files.Add(sb.ToString());
}
}
CloseHandle(handle);
});
return(files);
}
