public static bool GetFileNameFromHandle(IntPtr handle, out string fileName) { int[] length = { 0x2000 }; // 512 bytes using (SmartPtr sptr = new SmartPtr()) { sptr.Allocate(length[0]); HandleFlag flag; if (!NativeMethods.GetHandleInformation(handle, out flag)) { fileName = null; return(false); } if (flag != HandleFlag.None) { fileName = null; return(false); } NtStatus ret = default(NtStatus); ThreadStart threadStart = delegate { ret = NativeMethods.NtQueryObject(handle, ObjectInformationClass.ObjectNameInformation, sptr.Pointer, length[0], out length[0]); }; Thread thread = new Thread(threadStart); thread.Start(); bool result = thread.Join(100); if (!result) { fileName = null; return(false); } if (ret == NtStatus.BufferOverflow) { sptr.ReAllocate(length[0]); ret = NativeMethods.NtQueryObject(handle, ObjectInformationClass.ObjectNameInformation, sptr.Pointer, length[0], out length[0]); } if (ret == NtStatus.Success) { ObjectNameInformation oti = (ObjectNameInformation)Marshal.PtrToStructure(sptr.Pointer, typeof(ObjectNameInformation)); UnicodeString unicodeName = oti.Name; fileName = unicodeName.GetValue(); return(fileName.Length != 0); } } fileName = string.Empty; return(false); }
private static string GetObjectNameNt(ProcessHandle process, IntPtr handle, GenericHandle dupHandle) { int retLength; Win32.NtQueryObject( dupHandle, ObjectInformationClass.ObjectNameInformation, IntPtr.Zero, 0, out retLength ); if (retLength > 0) { using (MemoryAlloc oniMem = new MemoryAlloc(retLength)) { Win32.NtQueryObject( dupHandle, ObjectInformationClass.ObjectNameInformation, oniMem, oniMem.Size, out retLength ).ThrowIf(); ObjectNameInformation oni = oniMem.ReadStruct <ObjectNameInformation>(); UnicodeString str = oni.Name; //if (KProcessHacker.Instance != null) //str.Buffer = str.Buffer.Increment(oniMem.Memory.Decrement(baseAddress)); return(str.Text); } } throw new Exception("NtQueryObject failed."); }
public static async Task <IEnumerable <string> > GetOpenFiles(int pid) { List <string> files = new List <string>(); Parallel.ForEach( await GetHandles(pid), myHandle => { NTStatus status; IntPtr myProcessHandle = OpenProcess(ProcessAccessFlags.DuplicateHandle, false, myHandle.GetPid()); IntPtr currentProcessHandle = GetCurrentProcess(); IntPtr targetHandle = Marshal.AllocHGlobal(Marshal.SizeOf <uint>()); status = NtDuplicateObject(myProcessHandle, myHandle.HandleValue, currentProcessHandle, targetHandle, 0, 0, 0); CloseHandle(myProcessHandle); CloseHandle(currentProcessHandle); if (status != NTStatus.Success) { Marshal.FreeHGlobal(targetHandle); return; } IntPtr handle = Marshal.PtrToStructure <IntPtr>(targetHandle); Marshal.FreeHGlobal(targetHandle); IntPtr objectTypeInfo = Marshal.AllocHGlobal(Marshal.SizeOf <ObjectTypeInformation>()); uint returnLength = 0; status = NtQueryObject( handle, ObjectInformationClass.ObjectTypeInformation, objectTypeInfo, (uint)Marshal.SizeOf <ObjectTypeInformation>(), ref returnLength); if (status != NTStatus.Success) { objectTypeInfo = Marshal.ReAllocHGlobal(objectTypeInfo, (IntPtr)returnLength); status = NtQueryObject( handle, ObjectInformationClass.ObjectTypeInformation, objectTypeInfo, returnLength, ref returnLength); if (status != NTStatus.Success) { Marshal.FreeHGlobal(objectTypeInfo); CloseHandle(handle); return; } } ObjectTypeInformation oti = Marshal.PtrToStructure <ObjectTypeInformation>(objectTypeInfo); string typeName = oti.Name.ToString(); Marshal.FreeHGlobal(objectTypeInfo); IntPtr objectNameInfo = Marshal.AllocHGlobal(Marshal.SizeOf <ObjectNameInformation>()); returnLength = (uint)Marshal.SizeOf <ObjectNameInformation>(); status = NtQueryObject( handle, ObjectInformationClass.ObjectNameInformation, objectNameInfo, (uint)Marshal.SizeOf <ObjectNameInformation>(), ref returnLength); if (status != NTStatus.Success) { objectNameInfo = Marshal.ReAllocHGlobal(objectNameInfo, (IntPtr)returnLength); status = NtQueryObject( handle, ObjectInformationClass.ObjectNameInformation, objectNameInfo, returnLength, ref returnLength); if (status != NTStatus.Success) { Marshal.FreeHGlobal(objectNameInfo); CloseHandle(handle); return; } } ObjectNameInformation oni = Marshal.PtrToStructure <ObjectNameInformation>(objectNameInfo); string objName = oni.Name.ToString(); Marshal.FreeHGlobal(objectNameInfo); if (typeName.Equals("File")) { uint fnLength = 0; StringBuilder sb = new StringBuilder(0); fnLength = GetFinalPathNameByHandle(handle, sb, fnLength, 0); sb.Capacity = (int)fnLength; if (GetFinalPathNameByHandle(handle, sb, fnLength, 0) > 1) { files.Add(sb.ToString()); } } CloseHandle(handle); }); return(files); }