private static IEnumerable <ProcessWin32Information.SYSTEM_HANDLE_INFORMATION> GetHandles(Process process)
{
var nHandleInfoSize = 0x10000;
var ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
var nLength = 0;
IntPtr ipHandle;
while (ProcessWin32Information.NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength) == ProcessWin32Information.STATUS_INFO_LENGTH_MISMATCH)
{
nHandleInfoSize = nLength;
Marshal.FreeHGlobal(ipHandlePointer);
ipHandlePointer = Marshal.AllocHGlobal(nLength);
}
var baTemp = new byte[nLength];
Marshal.Copy(ipHandlePointer, baTemp, 0, nLength);
long lHandleCount;
if (Is64Bits())
{
lHandleCount = Marshal.ReadInt64(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8);
}
else
{
lHandleCount = Marshal.ReadInt32(ipHandlePointer);
ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4);
}
var lstHandles = new List <ProcessWin32Information.SYSTEM_HANDLE_INFORMATION>();
for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
{
var shHandle = new ProcessWin32Information.SYSTEM_HANDLE_INFORMATION();
if (Is64Bits())
{
shHandle = (ProcessWin32Information.SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
}
else
{
ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
shHandle = (ProcessWin32Information.SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
}
if (shHandle.ProcessID != process.Id)
{
continue;
}
lstHandles.Add(shHandle);
}
return(lstHandles);
}
private static string GetRegularFileNameFromDevice(string strRawName)
{
string strFileName = strRawName;
foreach (string strDrivePath in Environment.GetLogicalDrives())
{
var sbTargetPath = new StringBuilder(ProcessWin32Information.MAX_PATH);
if (ProcessWin32Information.QueryDosDevice(strDrivePath.Substring(0, 2), sbTargetPath, ProcessWin32Information.MAX_PATH) == 0)
{
return(strRawName);
}
string strTargetPath = sbTargetPath.ToString();
if (strFileName.StartsWith(strTargetPath))
{
strFileName = strFileName.Replace(strTargetPath, strDrivePath.Substring(0, 2));
break;
}
}
return(strFileName);
}
private static string GetFilePath(ProcessWin32Information.SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process)
{
var ipProcessHwnd = ProcessWin32Information.OpenProcess(ProcessWin32Information.ProcessAccessFlags.All, false, process.Id);
var objBasic = new ProcessWin32Information.OBJECT_BASIC_INFORMATION();
var objObjectType = new ProcessWin32Information.OBJECT_TYPE_INFORMATION();
var objObjectName = new ProcessWin32Information.OBJECT_NAME_INFORMATION();
var strObjectName = "";
var nLength = 0;
IntPtr ipTemp, ipHandle;
if (!ProcessWin32Information.DuplicateHandle(ipProcessHwnd, systemHandleInformation.Handle, ProcessWin32Information.GetCurrentProcess(), out ipHandle, 0, false, ProcessWin32Information.DUPLICATE_SAME_ACCESS))
{
return(null);
}
IntPtr ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
ProcessWin32Information.NtQueryObject(ipHandle, (int)ProcessWin32Information.ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (ProcessWin32Information.OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
IntPtr ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength);
nLength = objBasic.TypeInformationLength;
// this one never locks...
while ((uint)(ProcessWin32Information.NtQueryObject(ipHandle, (int)ProcessWin32Information.ObjectInformationClass.ObjectTypeInformation, ipObjectType, nLength, ref nLength)) == ProcessWin32Information.STATUS_INFO_LENGTH_MISMATCH)
{
if (nLength == 0)
{
return(null);
}
Marshal.FreeHGlobal(ipObjectType);
ipObjectType = Marshal.AllocHGlobal(nLength);
}
objObjectType = (ProcessWin32Information.OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType());
if (Is64Bits())
{
ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32);
}
else
{
ipTemp = objObjectType.Name.Buffer;
}
var strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1);
Marshal.FreeHGlobal(ipObjectType);
if (strObjectTypeName != "File")
{
return(null);
}
nLength = objBasic.NameInformationLength;
var ipObjectName = Marshal.AllocHGlobal(nLength);
// ...this call sometimes hangs. Is a Windows error.
while ((uint)(ProcessWin32Information.NtQueryObject(ipHandle, (int)ProcessWin32Information.ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == ProcessWin32Information.STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectName);
if (nLength == 0)
{
return(null);
}
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (ProcessWin32Information.OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
if (Is64Bits())
{
ipTemp = new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32);
}
else
{
ipTemp = objObjectName.Name.Buffer;
}
if (ipTemp != IntPtr.Zero)
{
var baTemp = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp, 0, nLength);
strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32()));
}
catch (AccessViolationException)
{
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
ProcessWin32Information.CloseHandle(ipHandle);
}
}
string path = GetRegularFileNameFromDevice(strObjectName);
try
{
return(path);
}
catch
{
return(null);
}
}
