public RowViewModel(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX info) { _info = info; using (DuplicatedObjectHandle dhandle = new DuplicatedObjectHandle(_info.HandleValue, _info.UniqueProcessId)) { if (dhandle.ErrorMessage != null) { _name = "<" + dhandle.ErrorMessage + ">"; return; } string name; NT_STATUS status = dhandle.TryGetObjectNameFromHandle(out name, timeout); if (status != NT_STATUS.STATUS_SUCCESS) { _name = "<" + status.ToString() + ">"; return; } _name = name; } if (_name != null && !_name.StartsWith("<")) { if (this.ObjectTypeString == "File") { _prettyName = DevicePathConverter.ConvertDevicePathToDosPath(_name); } if (this.ObjectTypeString == "Key") { _prettyName = _name.Replace(@"\REGISTRY\MACHINE", @"HKLM").Replace(@"\REGISTRY\USER\" + cusid, @"HKCU").Replace(@"\REGISTRY\USER", @"HKU"); // todo: do not use replace, use code similar to DevicePathConverter.IsMatch } } }
public static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle) { IntPtr _processHandle = NativeMethods.OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId); IntPtr _handle = IntPtr.Zero; try { if (!NativeMethods.DuplicateHandle(_processHandle, handle.HandleValue, NativeMethods.GetCurrentProcess(), out _handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS)) { return(null); } IntPtr _basic = IntPtr.Zero; int nameLength = 0; try { OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION(); _basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo)); NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength); basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType()); nameLength = basicInfo.NameInformationLength; } finally { if (_basic != IntPtr.Zero) { Marshal.FreeHGlobal(_basic); } } if (nameLength == 0) { return(null); } OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION(); IntPtr _objectName = Marshal.AllocHGlobal(nameLength); try { while (NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength) == NtStatus.InfoLengthMismatch) { Marshal.FreeHGlobal(_objectName); _objectName = Marshal.AllocHGlobal(nameLength); } nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType()); } finally { Marshal.FreeHGlobal(_objectName); } try { return(Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1)); } catch (Exception e) { Util.Logging.Log(e); } return(null); } finally { if (_handle != IntPtr.Zero) //moved from Marshal.FreeHGlobal(_objectName); { NativeMethods.CloseHandle(_handle); } if (_processHandle != IntPtr.Zero) { NativeMethods.CloseHandle(_processHandle); } } }
public ObjectHandle(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX info) { this.handleInfo = info; }
public static IObjectHandle GetHandle(int processId, string objectName, bool exactMatch) { int infoLength = 0x10000; int length = 0; IntPtr _info = Marshal.AllocHGlobal(infoLength); IntPtr _handle = IntPtr.Zero; long handleCount = 0; try { //CNST_SYSTEM_HANDLE_INFORMATION is limited to 16-bit process IDs while (NativeMethods.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemExtendedHandleInformation, _info, infoLength, ref length) == NtStatus.InfoLengthMismatch) { infoLength = length; Marshal.FreeHGlobal(_info); _info = Marshal.AllocHGlobal(infoLength); } if (IS_64) { handleCount = Marshal.ReadInt64(_info); _handle = new IntPtr(_info.ToInt64() + 16); } else { handleCount = Marshal.ReadInt32(_info); _handle = new IntPtr(_info.ToInt32() + 8); } var handleInfo = new SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(); var infoSize = Marshal.SizeOf(handleInfo); var infoType = handleInfo.GetType(); for (long i = 0; i < handleCount; i++) { if (IS_64) { handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType); _handle = new IntPtr(_handle.ToInt64() + infoSize); } else { handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType); _handle = new IntPtr(_handle.ToInt32() + infoSize); } if (processId > 0 && handleInfo.UniqueProcessId.ToUInt32() != processId) { continue; } string name = GetObjectName(handleInfo); if (name == null) { continue; } if (exactMatch) { if (!name.Equals(objectName)) { continue; } } else if (!name.Contains(objectName)) { continue; } return(new ObjectHandle(handleInfo)); } } finally { Marshal.FreeHGlobal(_info); } return(null); }
public static IObjectHandle GetHandle(Process process, string objectName, bool exactMatch) { bool is64 = Marshal.SizeOf(typeof(IntPtr)) == 8 ? true : false; int infoLength = 0x10000; int length = 0; IntPtr _info = Marshal.AllocHGlobal(infoLength); IntPtr _handle = IntPtr.Zero; long handleCount = 0; try { while ((NtQuerySystemInformation(CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION, _info, infoLength, ref length)) == STATUS_INFO_LENGTH_MISMATCH) { infoLength = length; Marshal.FreeHGlobal(_info); _info = Marshal.AllocHGlobal(infoLength); } if (is64) { handleCount = Marshal.ReadInt64(_info); _handle = new IntPtr(_info.ToInt64() + 16); } else { handleCount = Marshal.ReadInt32(_info); _handle = new IntPtr(_info.ToInt32() + 8); } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleInfo; List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles = new List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>(); handleInfo = new SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(); int infoSize = Marshal.SizeOf(handleInfo); Type infoType = handleInfo.GetType(); for (long i = 0; i < handleCount; i++) { if (is64) { handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType); _handle = new IntPtr(_handle.ToInt64() + infoSize); } else { handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType); _handle = new IntPtr(_handle.ToInt32() + infoSize); } if (handleInfo.UniqueProcessId.ToUInt32() != process.Id) continue; string name = GetObjectName(handleInfo); if (name == null) continue; if (exactMatch) { if (!name.Equals(objectName)) continue; } else if (!name.Contains(objectName)) continue; return new ObjectHandle(handleInfo); } } finally { Marshal.FreeHGlobal(_info); } return null; }
private static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle) { IntPtr _processHandle = OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId); IntPtr _handle = IntPtr.Zero; try { if (!DuplicateHandle(_processHandle, handle.HandleValue, GetCurrentProcess(), out _handle, 0, false, DUPLICATE_SAME_ACCESS)) return null; IntPtr _basic = IntPtr.Zero; int nameLength = 0; try { OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION(); _basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo)); NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength); basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType()); nameLength = basicInfo.NameInformationLength; } finally { if (_basic != IntPtr.Zero) Marshal.FreeHGlobal(_basic); } if (nameLength == 0) { return null; } OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION(); IntPtr _objectName = Marshal.AllocHGlobal(nameLength); try { while ((uint)(NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(_objectName); _objectName = Marshal.AllocHGlobal(nameLength); } nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType()); } finally { Marshal.FreeHGlobal(_objectName); CloseHandle(_handle); } try { return Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1); } catch { } return null; } finally { if (_processHandle != IntPtr.Zero) CloseHandle(_processHandle); } }
static int Compare(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle1, SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle2) { if (handle1.UniqueProcessId.ToInt64() < handle2.UniqueProcessId.ToInt64()) return 1; if (handle1.UniqueProcessId.ToInt64() > handle2.UniqueProcessId.ToInt64()) return -1; if (handle1.ObjectTypeIndex < handle2.ObjectTypeIndex) return 1; if (handle1.ObjectTypeIndex > handle2.ObjectTypeIndex) return -1; if (handle1.HandleValue.ToInt64() < handle2.HandleValue.ToInt64()) return 1; if (handle1.HandleValue.ToInt64() > handle2.HandleValue.ToInt64()) return -1; return 0; }