public OBJECT_NAME_INFORMATION GetHandleNameInfo(int pid, UInt16 handle, OBJECT_BASIC_INFORMATION obi) { // 枚举进程句柄 - xbgprogrammer的专栏 - 博客频道 - CSDN.NET // http://blog.csdn.net/xbgprogrammer/article/details/26386733 // HOWTO: Enumerate handles - Sysinternals Forums // http://forum.sysinternals.com/howto-enumerate-handles_topic18892.html if (MAGIC_FLAG == (MAGIC_FLAG & obi.GrantedAccess)) { return(default(OBJECT_NAME_INFORMATION)); } IntPtr src_proc_handle = OpenProcess(PROCESS_DUP_HANDLE, 0, pid); if (IntPtr.Zero == src_proc_handle) { return(default(OBJECT_NAME_INFORMATION)); } IntPtr target_handle = IntPtr.Zero; if (STATUS_SUCCESS != NtDuplicateObject( src_proc_handle, (IntPtr)handle, GetCurrentProcess(), ref target_handle, 0, 0, DUPLICATE_SAME_ACCESS)) { CloseHandle(src_proc_handle); return(default(OBJECT_NAME_INFORMATION)); } int ret_obj_len = 0; int obj_len = obi.NameInformationLength + 2; // sizeof(EOF) = sizeof('\0\0') = 2 byte[] bytes_obj_info = new byte[obj_len]; uint ret = NtQueryObject(target_handle, ObjectNameInformation, bytes_obj_info, obj_len, ref ret_obj_len); if (STATUS_SUCCESS != ret) { CloseHandle(target_handle); CloseHandle(src_proc_handle); return(default(OBJECT_NAME_INFORMATION)); } GCHandle gch = GCHandle.Alloc(bytes_obj_info, GCHandleType.Pinned); OBJECT_NAME_INFORMATION oni = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(gch.AddrOfPinnedObject(), typeof(OBJECT_NAME_INFORMATION)); gch.Free(); CloseHandle(target_handle); CloseHandle(src_proc_handle); return(oni); }
public static string GetObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); var objBasic = new OBJECT_BASIC_INFORMATION(); var objObjectType = new OBJECT_TYPE_INFORMATION(); int nLength = 0; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out IntPtr ipHandle, 0, false, 0x2)) { return(null); } IntPtr ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); IntPtr ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength); nLength = objBasic.TypeInformationLength; while ((uint)(_ = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType, nLength, ref nLength)) == 0xC0000004) { Marshal.FreeHGlobal(ipObjectType); ipObjectType = Marshal.AllocHGlobal(nLength); } objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType()); IntPtr ipTemp; if (Is64Bits()) { ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32); } else { ipTemp = objObjectType.Name.Buffer; } string strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1); Marshal.FreeHGlobal(ipObjectType); return(strObjectTypeName); }
public static string getObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id); var ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); var ipBasic = IntPtr.Zero; var objObjectType = new OBJECT_TYPE_INFORMATION(); var ipObjectType = IntPtr.Zero; var ipObjectName = IntPtr.Zero; var strObjectTypeName = ""; var nLength = 0; var nReturn = 0; var ipTemp = IntPtr.Zero; if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength); nLength = objBasic.TypeInformationLength; while ((uint)(nReturn = Native.NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectType); ipObjectType = Marshal.AllocHGlobal(nLength); } objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType()); ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32) : objObjectType.Name.Buffer; strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1); Marshal.FreeHGlobal(ipObjectType); return(strObjectTypeName); }
public OBJECT_TYPE_INFORMATION GetHandleTypeInfo(int pid, UInt16 handle, OBJECT_BASIC_INFORMATION obi) { IntPtr src_proc_handle = OpenProcess(PROCESS_DUP_HANDLE, 0, pid); if (IntPtr.Zero == src_proc_handle) { return(default(OBJECT_TYPE_INFORMATION)); } IntPtr target_handle = IntPtr.Zero; if (STATUS_SUCCESS != NtDuplicateObject( src_proc_handle, (IntPtr)handle, GetCurrentProcess(), ref target_handle, 0, 0, DUPLICATE_SAME_ACCESS)) { CloseHandle(src_proc_handle); return(default(OBJECT_TYPE_INFORMATION)); } int ret_obj_len = 0; int obj_len = obi.TypeInformationLength + 2; // sizeof(EOF) = sizeof('\0\0') = 2 byte[] bytes_obj_info = new byte[obj_len]; uint ret = NtQueryObject(target_handle, ObjectTypeInformation, bytes_obj_info, obj_len, ref ret_obj_len); if (STATUS_SUCCESS != ret) { CloseHandle(target_handle); CloseHandle(src_proc_handle); return(default(OBJECT_TYPE_INFORMATION)); } GCHandle gch = GCHandle.Alloc(bytes_obj_info, GCHandleType.Pinned); OBJECT_TYPE_INFORMATION oti = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(gch.AddrOfPinnedObject(), typeof(OBJECT_TYPE_INFORMATION)); gch.Free(); CloseHandle(target_handle); CloseHandle(src_proc_handle); return(oti); }
/// <summary> /// Get size of the name info block for that handle. /// </summary> /// <param name="handle">Handle to process.</param> /// <returns></returns> private static int GetHandleNameLength(IntPtr handle) { int infoBufferSize = Marshal.SizeOf(typeof(OBJECT_BASIC_INFORMATION)); //size of OBJECT_BASIC_INFORMATION struct IntPtr pInfoBuffer = Marshal.AllocHGlobal(infoBufferSize); //allocate // Query for handle's OBJECT_BASIC_INFORMATION NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectBasicInformation, pInfoBuffer, infoBufferSize, out infoBufferSize); // Map memory to structure OBJECT_BASIC_INFORMATION objInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(pInfoBuffer, typeof(OBJECT_BASIC_INFORMATION)); Marshal.FreeHGlobal(pInfoBuffer); //release // If the handle has an empty name, we still need to give the buffer a size to map the UNICODE_STRING struct to. if (objInfo.NameInformationLength == 0) { return(0x100); //reserve 256 bytes, since nameinfolength = 0 for filenames } else { return((int)objInfo.NameInformationLength); } }
public static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle) { IntPtr _processHandle = NativeMethods.OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId); IntPtr _handle = IntPtr.Zero; try { if (!NativeMethods.DuplicateHandle(_processHandle, handle.HandleValue, NativeMethods.GetCurrentProcess(), out _handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS)) { return(null); } IntPtr _basic = IntPtr.Zero; int nameLength = 0; try { OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION(); _basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo)); NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength); basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType()); nameLength = basicInfo.NameInformationLength; } finally { if (_basic != IntPtr.Zero) { Marshal.FreeHGlobal(_basic); } } if (nameLength == 0) { return(null); } OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION(); IntPtr _objectName = Marshal.AllocHGlobal(nameLength); try { while (NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength) == NtStatus.InfoLengthMismatch) { Marshal.FreeHGlobal(_objectName); _objectName = Marshal.AllocHGlobal(nameLength); } nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType()); } finally { Marshal.FreeHGlobal(_objectName); } try { return(Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1)); } catch (Exception e) { Util.Logging.Log(e); } return(null); } finally { if (_handle != IntPtr.Zero) //moved from Marshal.FreeHGlobal(_objectName); { NativeMethods.CloseHandle(_handle); } if (_processHandle != IntPtr.Zero) { NativeMethods.CloseHandle(_processHandle); } } }
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); IntPtr ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); IntPtr ipBasic = IntPtr.Zero; var objObjectName = new OBJECT_NAME_INFORMATION(); IntPtr ipObjectName = IntPtr.Zero; string strObjectName = ""; int nLength = 0; int nReturn = 0; IntPtr ipTemp = IntPtr.Zero; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(nReturn = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); if (Is64Bits()) { ipTemp = ipObjectName + 16; } else { ipTemp = objObjectName.Name.Buffer; } if (ipTemp != IntPtr.Zero) { var baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); strObjectName = Marshal.PtrToStringUni(ipTemp); //strObjectName = Encoding.Unicode.GetString (baTemp2); return(strObjectName); } catch (AccessViolationException) { return(null); } finally { Marshal.FreeHGlobal(ipObjectName); CloseHandle(ipHandle); } } return(null); }
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); var objBasic = new OBJECT_BASIC_INFORMATION(); var objObjectName = new OBJECT_NAME_INFORMATION(); int nLength = 0; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out IntPtr ipHandle, 0, false, 0x2)) { return(null); } var ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; IntPtr ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(_ = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == 0xC0000004) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); IntPtr ipTemp; if (Is64Bits()) { ipTemp = new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32); } else { ipTemp = objObjectName.Name.Buffer; } if (ipTemp != IntPtr.Zero) { byte[] baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); string strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32())); return(strObjectName); } catch (AccessViolationException) { return(null); } finally { Marshal.FreeHGlobal(ipObjectName); CloseHandle(ipHandle); } } return(null); }
private static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle) { IntPtr _processHandle = OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId); IntPtr _handle = IntPtr.Zero; try { if (!DuplicateHandle(_processHandle, handle.HandleValue, GetCurrentProcess(), out _handle, 0, false, DUPLICATE_SAME_ACCESS)) return null; IntPtr _basic = IntPtr.Zero; int nameLength = 0; try { OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION(); _basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo)); NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength); basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType()); nameLength = basicInfo.NameInformationLength; } finally { if (_basic != IntPtr.Zero) Marshal.FreeHGlobal(_basic); } if (nameLength == 0) { return null; } OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION(); IntPtr _objectName = Marshal.AllocHGlobal(nameLength); try { while ((uint)(NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(_objectName); _objectName = Marshal.AllocHGlobal(nameLength); } nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType()); } finally { Marshal.FreeHGlobal(_objectName); CloseHandle(_handle); } try { return Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1); } catch { } return null; } finally { if (_processHandle != IntPtr.Zero) CloseHandle(_processHandle); } }
public static string getObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id); var ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); var ipBasic = IntPtr.Zero; var ipObjectType = IntPtr.Zero; var objObjectName = new OBJECT_NAME_INFORMATION(); var ipObjectName = IntPtr.Zero; var nLength = 0; var nReturn = 0; var ipTemp = IntPtr.Zero; if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); nLength = objBasic.NameInformationLength; ipObjectName = Marshal.AllocHGlobal(nLength); while ((uint)(nReturn = Native.NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectNameInformation, ipObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectName); ipObjectName = Marshal.AllocHGlobal(nLength); } objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType()); ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32) : objObjectName.Name.Buffer; if (ipTemp != IntPtr.Zero) { var baTemp2 = new byte[nLength]; try { Marshal.Copy(ipTemp, baTemp2, 0, nLength); var strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32())); return(strObjectName); } catch (AccessViolationException) { Console.WriteLine("[WARNING] Access violation!"); return(null); } finally { Marshal.FreeHGlobal(ipObjectName); Native.CloseHandle(ipHandle); } } return(null); }