|
public static DbgHandleToObjectName ( |
||
| InNamedHandle | ||
| OutNameBuffer | ||
| InBufferSize | ||
| OutRequiredSize | ||
| return | void | |
/// <summary>
/// Reads the kernel object name for a given windows usermode handle.
/// Executes in approx. 100 micro secounds.
/// </summary>
/// <remarks><para>
/// This allows you to translate a handle back to the associated filename for example.
/// But keep in mind that such names are only valid for kernel service routines, like
/// <c>NtCreateFile</c>. You won't have success when calling <c>CreateFile</c> on such
/// object names! The regular windows user mode API has some methods that will allow
/// you to convert such kernelmode names back into usermode names. I know this because I did it
/// some years ago but I've already forgotten how it has to be done! I can only give you
/// some hints: <c>FindFirstVolume()</c>, <c>FindFirstVolumeMountPoint()</c>,
/// <c>QueryDosDevice()</c>, <c>GetVolumePathNamesForVolumeName()</c>
/// </para>
/// <param name="InHandle">A valid usermode handle.</param>
/// </remarks>
/// <returns>The kernel object name associated with the given handle.</returns>
/// <exception cref="ArgumentException">
/// The given handle is invalid or could not be accessed for unknown reasons.
/// </exception>
public static String GetNameByHandle(IntPtr InHandle)
{
Int32 RequiredSize;
NativeAPI.DbgHandleToObjectName(
InHandle,
IntPtr.Zero,
0,
out RequiredSize);
lock (Buffer)
{
Buffer.Alloc(RequiredSize + 1);
NativeAPI.DbgHandleToObjectName(
InHandle,
Buffer.Buffer,
RequiredSize,
out RequiredSize);
UNICODE_STRING Result = new UNICODE_STRING();
Marshal.PtrToStructure(Buffer.Buffer, Result);
return(Result.Buffer);
}
}
