Esempio n. 1
0
        private static IEnumerable <ProcessWin32Information.SYSTEM_HANDLE_INFORMATION> GetHandles(Process process)
        {
            var    nHandleInfoSize = 0x10000;
            var    ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize);
            var    nLength         = 0;
            IntPtr ipHandle;

            while (ProcessWin32Information.NtQuerySystemInformation(CNST_SYSTEM_HANDLE_INFORMATION, ipHandlePointer, nHandleInfoSize, ref nLength) == ProcessWin32Information.STATUS_INFO_LENGTH_MISMATCH)
            {
                nHandleInfoSize = nLength;
                Marshal.FreeHGlobal(ipHandlePointer);
                ipHandlePointer = Marshal.AllocHGlobal(nLength);
            }

            var baTemp = new byte[nLength];

            Marshal.Copy(ipHandlePointer, baTemp, 0, nLength);

            long lHandleCount;

            if (Is64Bits())
            {
                lHandleCount = Marshal.ReadInt64(ipHandlePointer);
                ipHandle     = new IntPtr(ipHandlePointer.ToInt64() + 8);
            }
            else
            {
                lHandleCount = Marshal.ReadInt32(ipHandlePointer);
                ipHandle     = new IntPtr(ipHandlePointer.ToInt32() + 4);
            }

            var lstHandles = new List <ProcessWin32Information.SYSTEM_HANDLE_INFORMATION>();

            for (long lIndex = 0; lIndex < lHandleCount; lIndex++)
            {
                var shHandle = new ProcessWin32Information.SYSTEM_HANDLE_INFORMATION();
                if (Is64Bits())
                {
                    shHandle = (ProcessWin32Information.SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
                    ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8);
                }
                else
                {
                    ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle));
                    shHandle = (ProcessWin32Information.SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType());
                }
                if (shHandle.ProcessID != process.Id)
                {
                    continue;
                }
                lstHandles.Add(shHandle);
            }
            return(lstHandles);
        }
Esempio n. 2
0
        private static string GetRegularFileNameFromDevice(string strRawName)
        {
            string strFileName = strRawName;

            foreach (string strDrivePath in Environment.GetLogicalDrives())
            {
                var sbTargetPath = new StringBuilder(ProcessWin32Information.MAX_PATH);
                if (ProcessWin32Information.QueryDosDevice(strDrivePath.Substring(0, 2), sbTargetPath, ProcessWin32Information.MAX_PATH) == 0)
                {
                    return(strRawName);
                }
                string strTargetPath = sbTargetPath.ToString();
                if (strFileName.StartsWith(strTargetPath))
                {
                    strFileName = strFileName.Replace(strTargetPath, strDrivePath.Substring(0, 2));
                    break;
                }
            }
            return(strFileName);
        }
Esempio n. 3
0
        private static string GetFilePath(ProcessWin32Information.SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process)
        {
            var    ipProcessHwnd = ProcessWin32Information.OpenProcess(ProcessWin32Information.ProcessAccessFlags.All, false, process.Id);
            var    objBasic = new ProcessWin32Information.OBJECT_BASIC_INFORMATION();
            var    objObjectType = new ProcessWin32Information.OBJECT_TYPE_INFORMATION();
            var    objObjectName = new ProcessWin32Information.OBJECT_NAME_INFORMATION();
            var    strObjectName = "";
            var    nLength = 0;
            IntPtr ipTemp, ipHandle;

            if (!ProcessWin32Information.DuplicateHandle(ipProcessHwnd, systemHandleInformation.Handle, ProcessWin32Information.GetCurrentProcess(), out ipHandle, 0, false, ProcessWin32Information.DUPLICATE_SAME_ACCESS))
            {
                return(null);
            }

            IntPtr ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));

            ProcessWin32Information.NtQueryObject(ipHandle, (int)ProcessWin32Information.ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength);
            objBasic = (ProcessWin32Information.OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
            Marshal.FreeHGlobal(ipBasic);

            IntPtr ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength);

            nLength = objBasic.TypeInformationLength;
            // this one never locks...
            while ((uint)(ProcessWin32Information.NtQueryObject(ipHandle, (int)ProcessWin32Information.ObjectInformationClass.ObjectTypeInformation, ipObjectType, nLength, ref nLength)) == ProcessWin32Information.STATUS_INFO_LENGTH_MISMATCH)
            {
                if (nLength == 0)
                {
                    return(null);
                }
                Marshal.FreeHGlobal(ipObjectType);
                ipObjectType = Marshal.AllocHGlobal(nLength);
            }

            objObjectType = (ProcessWin32Information.OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType());
            if (Is64Bits())
            {
                ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32);
            }
            else
            {
                ipTemp = objObjectType.Name.Buffer;
            }

            var strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1);

            Marshal.FreeHGlobal(ipObjectType);
            if (strObjectTypeName != "File")
            {
                return(null);
            }

            nLength = objBasic.NameInformationLength;

            var ipObjectName = Marshal.AllocHGlobal(nLength);

            // ...this call sometimes hangs. Is a Windows error.
            while ((uint)(ProcessWin32Information.NtQueryObject(ipHandle, (int)ProcessWin32Information.ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == ProcessWin32Information.STATUS_INFO_LENGTH_MISMATCH)
            {
                Marshal.FreeHGlobal(ipObjectName);
                if (nLength == 0)
                {
                    return(null);
                }
                ipObjectName = Marshal.AllocHGlobal(nLength);
            }
            objObjectName = (ProcessWin32Information.OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());

            if (Is64Bits())
            {
                ipTemp = new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32);
            }
            else
            {
                ipTemp = objObjectName.Name.Buffer;
            }

            if (ipTemp != IntPtr.Zero)
            {
                var baTemp = new byte[nLength];
                try
                {
                    Marshal.Copy(ipTemp, baTemp, 0, nLength);

                    strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32()));
                }
                catch (AccessViolationException)
                {
                    return(null);
                }
                finally
                {
                    Marshal.FreeHGlobal(ipObjectName);
                    ProcessWin32Information.CloseHandle(ipHandle);
                }
            }

            string path = GetRegularFileNameFromDevice(strObjectName);

            try
            {
                return(path);
            }
            catch
            {
                return(null);
            }
        }