private static bool ExtractFileNameFromHandle(SYSTEM_HANDLE_ENTRY handleEntry, SafeHandle processHandle, out string fileName) { var handle = (IntPtr)handleEntry.HandleValue; SafeObjectHandle duplicatedHandle = null; try { if (!DuplicateHandle(handle, processHandle, out duplicatedHandle)) { fileName = null; return(false); } handle = duplicatedHandle.DangerousGetHandle(); if (GetHandleType(handle, out var handleType) && handleType == SystemHandleType.OB_TYPE_FILE) { if (GetFileNameFromHandle(handle, out var devicePath)) { return(ConvertDevicePathToDosPath(devicePath, out fileName)); } } } finally { duplicatedHandle?.Close(); } fileName = null; return(false); }
public IEnumerator <String> GetEnumerator() { NT_STATUS ret; int length = 0x10000; // Loop, probing for required memory. do { IntPtr ptr = IntPtr.Zero; RuntimeHelpers.PrepareConstrainedRegions(); try { RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { // CER guarantees that the address of the allocated // memory is actually assigned to ptr if an // asynchronous exception occurs. ptr = Marshal.AllocHGlobal(length); } int returnLength; ret = NativeMethods.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, length, out returnLength); if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH) { // Round required memory up to the nearest 64KB boundary. length = ((returnLength + 0xffff) & ~0xffff); } else if (ret == NT_STATUS.STATUS_SUCCESS) { int handleCount = Marshal.ReadInt32(ptr); int offset = sizeof(int); int size = Marshal.SizeOf(typeof(SYSTEM_HANDLE_ENTRY)); for (int i = 0; i < handleCount; i++) { SYSTEM_HANDLE_ENTRY handleEntry = (SYSTEM_HANDLE_ENTRY)Marshal.PtrToStructure((IntPtr)((int)ptr + offset), typeof(SYSTEM_HANDLE_ENTRY)); if (handleEntry.OwnerPid == processId) { IntPtr handle = (IntPtr)handleEntry.HandleValue; SystemHandleType handleType; if (GetHandleType(handle, handleEntry.OwnerPid, out handleType) && handleType == SystemHandleType.OB_TYPE_FILE) { string devicePath; if (GetFileNameFromHandle(handle, handleEntry.OwnerPid, out devicePath)) { string dosPath; if (ConvertDevicePathToDosPath(devicePath, out dosPath)) { if (File.Exists(dosPath)) { yield return(dosPath); // return new FileInfo(dosPath); } else if (Directory.Exists(dosPath)) { yield return(dosPath); // new DirectoryInfo(dosPath); } } } } } offset += size; } } } finally { // CER guarantees that the allocated memory is freed, // if an asynchronous exception occurs. Marshal.FreeHGlobal(ptr); //sw.Flush(); //sw.Close(); } }while (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH); }
public static IEnumerable <HandleInfo> GetOpenHandles(this Process process) { NT_STATUS returnValue; int length = 0x10000; do { IntPtr ptr = IntPtr.Zero; try { ptr = Marshal.AllocHGlobal(length); int returnLength; returnValue = NativeMethods.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, length, out returnLength); if (returnValue == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH) { length = ((returnLength + 0xffff) & ~0xffff); } else if (returnValue == NT_STATUS.STATUS_SUCCESS) { int handleCount = Marshal.ReadInt32(ptr); int offset = sizeof(int); int size = Marshal.SizeOf(typeof(SYSTEM_HANDLE_ENTRY)); for (int i = 0; i < handleCount; i++) { SYSTEM_HANDLE_ENTRY handleEntry = (SYSTEM_HANDLE_ENTRY)Marshal.PtrToStructure((IntPtr)((int)ptr + offset), typeof(SYSTEM_HANDLE_ENTRY)); if (handleEntry.OwnerPid == process.Id) { var handle = (IntPtr)handleEntry.HandleValue; HandleInfo handleInfo; if (GetHandleInfo(handle, handleEntry.OwnerPid, out handleInfo)) { string localPath; if (handleInfo.HandleType.IsOneOf(HandleType.OB_TYPE_FILE, HandleType.OB_TYPE_DIRECTORY)) { if (ConvertDevicePathToLocalPath(handleInfo.ObjectName, out localPath)) { handleInfo.LocalPath = localPath; } } yield return(handleInfo); } } offset += size; } } } finally { Marshal.FreeHGlobal(ptr); } }while (returnValue == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH); }
public static List <HandleInfo> GetSystemHandles() { var pid = Process.GetCurrentProcess().Id; NT_STATUS ret; int length = 0x10000; // Loop, probing for required memory. do { IntPtr ptr = IntPtr.Zero; RuntimeHelpers.PrepareConstrainedRegions(); try { RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { // CER guarantees that the address of the allocated // memory is actually assigned to ptr if an // asynchronous exception occurs. ptr = Marshal.AllocHGlobal(length); } int returnLength; ret = NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, length, out returnLength); if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH) { // Round required memory up to the nearest 64KB boundary. length = ((returnLength + 0xffff) & ~0xffff); } else if (ret == NT_STATUS.STATUS_SUCCESS) { int handleCount = Marshal.ReadInt32(ptr); int offset = IntPtr.Size; int size = Marshal.SizeOf(typeof(SYSTEM_HANDLE_ENTRY)); var result = new List <HandleInfo>(); for (int i = 0; i < handleCount; i++) { SYSTEM_HANDLE_ENTRY handleEntry = (SYSTEM_HANDLE_ENTRY)Marshal.PtrToStructure(ptr + offset, typeof(SYSTEM_HANDLE_ENTRY)); if (handleEntry.UniqueProcessId == pid && !AccessMaskBlackList.Contains(handleEntry.AccessMask)) { // Console.WriteLine($"{handleEntry.AccessMask}"); var handle = (IntPtr)handleEntry.HandleValue; var type = GetHandleTypeNameToken(handle, OBJECT_INFORMATION_CLASS.ObjectTypeInformation); var name = GetHandleTypeNameToken(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation); result.Add(new HandleInfo() { Handle = handle, Type = type, Name = name }); } offset += size; } return(result); } } finally { // CER guarantees that the allocated memory is freed, // if an asynchronous exception occurs. Marshal.FreeHGlobal(ptr); } }while (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH); throw new Exception($"NtQuerySystemInformation failed with return code {ret}"); }
public void KillProcess(int[] Pids, string path) { //long formal; //int size = Marshal.SizeOf(typeof(SYSTEM_BASIC_INFORMATION)); //IntPtr ptr = Marshal.AllocHGlobal(size); //Console.WriteLine("NTSTATUS: " + APIQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, size, out formal).ToString("X")); //SYSTEM_BASIC_INFORMATION INFO = ((SYSTEM_BASIC_INFORMATION)Marshal.PtrToStructure(ptr, typeof(SYSTEM_BASIC_INFORMATION))); //Console.WriteLine(INFO.NumberOfProcessors); //Console.WriteLine(formal); int length = 0x10000; int returnLength; NT_STATUS ret; do { IntPtr ptr = Marshal.AllocHGlobal(length); RuntimeHelpers.PrepareConstrainedRegions(); try { ret = NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ptr, length, out returnLength); if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH) { length = ((returnLength + 0xffff) & ~0xffff); } else { if (ret == NT_STATUS.STATUS_SUCCESS) { int handleCount = Marshal.ReadInt32(ptr); int offset = sizeof(int); int size = Marshal.SizeOf(typeof(SYSTEM_HANDLE_ENTRY)); for (int i = 0; i < handleCount; i++) { SYSTEM_HANDLE_ENTRY handleEntry = (SYSTEM_HANDLE_ENTRY)Marshal.PtrToStructure((IntPtr)((int)ptr + offset), typeof(SYSTEM_HANDLE_ENTRY)); SystemHandleType handleType; IntPtr handle = (IntPtr)handleEntry.HandleValue; foreach (int pid in Pids) { if (handleEntry.OwnerPid == pid) { if (GetHandleType(handle, handleEntry.OwnerPid, out handleType)) { if (handleType == SystemHandleType.OB_TYPE_FILE) { string devicePath; if (GetFileNameFromHandle(handle, handleEntry.OwnerPid, out devicePath)) { string dosPath; if (ConvertDevicePathToDosPath(devicePath, out dosPath)) { if (dosPath.Contains(path)) { System.Diagnostics.Process.GetProcessById(handleEntry.OwnerPid).Kill(); } } } } } } } offset += size; } } } } finally { Marshal.FreeHGlobal(ptr); } }while (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH); }