public OBJECT_NAME_INFORMATION GetHandleNameInfo(int pid, UInt16 handle, OBJECT_BASIC_INFORMATION obi)
{
// 枚举进程句柄 - xbgprogrammer的专栏 - 博客频道 - CSDN.NET
// http://blog.csdn.net/xbgprogrammer/article/details/26386733
// HOWTO: Enumerate handles - Sysinternals Forums
// http://forum.sysinternals.com/howto-enumerate-handles_topic18892.html
if (MAGIC_FLAG == (MAGIC_FLAG & obi.GrantedAccess))
{
return(default(OBJECT_NAME_INFORMATION));
}
IntPtr src_proc_handle = OpenProcess(PROCESS_DUP_HANDLE, 0, pid);
if (IntPtr.Zero == src_proc_handle)
{
return(default(OBJECT_NAME_INFORMATION));
}
IntPtr target_handle = IntPtr.Zero;
if (STATUS_SUCCESS != NtDuplicateObject(
src_proc_handle, (IntPtr)handle,
GetCurrentProcess(), ref target_handle,
0, 0, DUPLICATE_SAME_ACCESS))
{
CloseHandle(src_proc_handle);
return(default(OBJECT_NAME_INFORMATION));
}
int ret_obj_len = 0;
int obj_len = obi.NameInformationLength + 2; // sizeof(EOF) = sizeof('\0\0') = 2
byte[] bytes_obj_info = new byte[obj_len];
uint ret = NtQueryObject(target_handle, ObjectNameInformation, bytes_obj_info, obj_len, ref ret_obj_len);
if (STATUS_SUCCESS != ret)
{
CloseHandle(target_handle);
CloseHandle(src_proc_handle);
return(default(OBJECT_NAME_INFORMATION));
}
GCHandle gch = GCHandle.Alloc(bytes_obj_info, GCHandleType.Pinned);
OBJECT_NAME_INFORMATION oni = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(gch.AddrOfPinnedObject(), typeof(OBJECT_NAME_INFORMATION));
gch.Free();
CloseHandle(target_handle);
CloseHandle(src_proc_handle);
return(oni);
}
public static string GetObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
var objBasic = new OBJECT_BASIC_INFORMATION();
var objObjectType = new OBJECT_TYPE_INFORMATION();
int nLength = 0;
if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle,
GetCurrentProcess(), out IntPtr ipHandle,
0, false, 0x2))
{
return(null);
}
IntPtr ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
IntPtr ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength);
nLength = objBasic.TypeInformationLength;
while ((uint)(_ = NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType,
nLength, ref nLength)) ==
0xC0000004)
{
Marshal.FreeHGlobal(ipObjectType);
ipObjectType = Marshal.AllocHGlobal(nLength);
}
objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType());
IntPtr ipTemp;
if (Is64Bits())
{
ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32);
}
else
{
ipTemp = objObjectType.Name.Buffer;
}
string strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1);
Marshal.FreeHGlobal(ipObjectType);
return(strObjectTypeName);
}
public static string getObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id);
var ipHandle = IntPtr.Zero;
var objBasic = new OBJECT_BASIC_INFORMATION();
var ipBasic = IntPtr.Zero;
var objObjectType = new OBJECT_TYPE_INFORMATION();
var ipObjectType = IntPtr.Zero;
var ipObjectName = IntPtr.Zero;
var strObjectTypeName = "";
var nLength = 0;
var nReturn = 0;
var ipTemp = IntPtr.Zero;
if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle,
Native.GetCurrentProcess(), out ipHandle,
0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength);
nLength = objBasic.TypeInformationLength;
while ((uint)(nReturn = Native.NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType,
nLength, ref nLength)) ==
STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectType);
ipObjectType = Marshal.AllocHGlobal(nLength);
}
objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType());
ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32) : objObjectType.Name.Buffer;
strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1);
Marshal.FreeHGlobal(ipObjectType);
return(strObjectTypeName);
}
public OBJECT_TYPE_INFORMATION GetHandleTypeInfo(int pid, UInt16 handle, OBJECT_BASIC_INFORMATION obi)
{
IntPtr src_proc_handle = OpenProcess(PROCESS_DUP_HANDLE, 0, pid);
if (IntPtr.Zero == src_proc_handle)
{
return(default(OBJECT_TYPE_INFORMATION));
}
IntPtr target_handle = IntPtr.Zero;
if (STATUS_SUCCESS != NtDuplicateObject(
src_proc_handle, (IntPtr)handle,
GetCurrentProcess(), ref target_handle,
0, 0, DUPLICATE_SAME_ACCESS))
{
CloseHandle(src_proc_handle);
return(default(OBJECT_TYPE_INFORMATION));
}
int ret_obj_len = 0;
int obj_len = obi.TypeInformationLength + 2; // sizeof(EOF) = sizeof('\0\0') = 2
byte[] bytes_obj_info = new byte[obj_len];
uint ret = NtQueryObject(target_handle, ObjectTypeInformation, bytes_obj_info, obj_len, ref ret_obj_len);
if (STATUS_SUCCESS != ret)
{
CloseHandle(target_handle);
CloseHandle(src_proc_handle);
return(default(OBJECT_TYPE_INFORMATION));
}
GCHandle gch = GCHandle.Alloc(bytes_obj_info, GCHandleType.Pinned);
OBJECT_TYPE_INFORMATION oti = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(gch.AddrOfPinnedObject(), typeof(OBJECT_TYPE_INFORMATION));
gch.Free();
CloseHandle(target_handle);
CloseHandle(src_proc_handle);
return(oti);
}
/// <summary>
/// Get size of the name info block for that handle.
/// </summary>
/// <param name="handle">Handle to process.</param>
/// <returns></returns>
private static int GetHandleNameLength(IntPtr handle)
{
int infoBufferSize = Marshal.SizeOf(typeof(OBJECT_BASIC_INFORMATION)); //size of OBJECT_BASIC_INFORMATION struct
IntPtr pInfoBuffer = Marshal.AllocHGlobal(infoBufferSize); //allocate
// Query for handle's OBJECT_BASIC_INFORMATION
NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectBasicInformation, pInfoBuffer, infoBufferSize, out infoBufferSize);
// Map memory to structure
OBJECT_BASIC_INFORMATION objInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(pInfoBuffer, typeof(OBJECT_BASIC_INFORMATION));
Marshal.FreeHGlobal(pInfoBuffer); //release
// If the handle has an empty name, we still need to give the buffer a size to map the UNICODE_STRING struct to.
if (objInfo.NameInformationLength == 0)
{
return(0x100); //reserve 256 bytes, since nameinfolength = 0 for filenames
}
else
{
return((int)objInfo.NameInformationLength);
}
}
public static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle)
{
IntPtr _processHandle = NativeMethods.OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId);
IntPtr _handle = IntPtr.Zero;
try
{
if (!NativeMethods.DuplicateHandle(_processHandle, handle.HandleValue, NativeMethods.GetCurrentProcess(), out _handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS))
{
return(null);
}
IntPtr _basic = IntPtr.Zero;
int nameLength = 0;
try
{
OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION();
_basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo));
NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength);
basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType());
nameLength = basicInfo.NameInformationLength;
}
finally
{
if (_basic != IntPtr.Zero)
{
Marshal.FreeHGlobal(_basic);
}
}
if (nameLength == 0)
{
return(null);
}
OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION();
IntPtr _objectName = Marshal.AllocHGlobal(nameLength);
try
{
while (NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength) == NtStatus.InfoLengthMismatch)
{
Marshal.FreeHGlobal(_objectName);
_objectName = Marshal.AllocHGlobal(nameLength);
}
nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType());
}
finally
{
Marshal.FreeHGlobal(_objectName);
}
try
{
return(Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1));
}
catch (Exception e)
{
Util.Logging.Log(e);
}
return(null);
}
finally
{
if (_handle != IntPtr.Zero) //moved from Marshal.FreeHGlobal(_objectName);
{
NativeMethods.CloseHandle(_handle);
}
if (_processHandle != IntPtr.Zero)
{
NativeMethods.CloseHandle(_processHandle);
}
}
}
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
IntPtr ipHandle = IntPtr.Zero;
var objBasic = new OBJECT_BASIC_INFORMATION();
IntPtr ipBasic = IntPtr.Zero;
var objObjectName = new OBJECT_NAME_INFORMATION();
IntPtr ipObjectName = IntPtr.Zero;
string strObjectName = "";
int nLength = 0;
int nReturn = 0;
IntPtr ipTemp = IntPtr.Zero;
if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(),
out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(nReturn = NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
if (Is64Bits())
{
ipTemp = ipObjectName + 16;
}
else
{
ipTemp = objObjectName.Name.Buffer;
}
if (ipTemp != IntPtr.Zero)
{
var baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
strObjectName = Marshal.PtrToStringUni(ipTemp);
//strObjectName = Encoding.Unicode.GetString (baTemp2);
return(strObjectName);
}
catch (AccessViolationException)
{
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
CloseHandle(ipHandle);
}
}
return(null);
}
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
var m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
var objBasic = new OBJECT_BASIC_INFORMATION();
var objObjectName = new OBJECT_NAME_INFORMATION();
int nLength = 0;
if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(),
out IntPtr ipHandle, 0, false, 0x2))
{
return(null);
}
var ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
IntPtr ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(_ = NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== 0xC0000004)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
IntPtr ipTemp;
if (Is64Bits())
{
ipTemp = new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32);
}
else
{
ipTemp = objObjectName.Name.Buffer;
}
if (ipTemp != IntPtr.Zero)
{
byte[] baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
string strObjectName = Marshal.PtrToStringUni(Is64Bits() ?
new IntPtr(ipTemp.ToInt64()) :
new IntPtr(ipTemp.ToInt32()));
return(strObjectName);
}
catch (AccessViolationException)
{
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
CloseHandle(ipHandle);
}
}
return(null);
}
private static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle)
{
IntPtr _processHandle = OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId);
IntPtr _handle = IntPtr.Zero;
try
{
if (!DuplicateHandle(_processHandle, handle.HandleValue, GetCurrentProcess(), out _handle, 0, false, DUPLICATE_SAME_ACCESS))
return null;
IntPtr _basic = IntPtr.Zero;
int nameLength = 0;
try
{
OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION();
_basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo));
NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength);
basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType());
nameLength = basicInfo.NameInformationLength;
}
finally
{
if (_basic != IntPtr.Zero)
Marshal.FreeHGlobal(_basic);
}
if (nameLength == 0)
{
return null;
}
OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION();
IntPtr _objectName = Marshal.AllocHGlobal(nameLength);
try
{
while ((uint)(NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(_objectName);
_objectName = Marshal.AllocHGlobal(nameLength);
}
nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType());
}
finally
{
Marshal.FreeHGlobal(_objectName);
CloseHandle(_handle);
}
try
{
return Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1);
}
catch
{
}
return null;
}
finally
{
if (_processHandle != IntPtr.Zero)
CloseHandle(_processHandle);
}
}
public static string getObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id);
var ipHandle = IntPtr.Zero;
var objBasic = new OBJECT_BASIC_INFORMATION();
var ipBasic = IntPtr.Zero;
var ipObjectType = IntPtr.Zero;
var objObjectName = new OBJECT_NAME_INFORMATION();
var ipObjectName = IntPtr.Zero;
var nLength = 0;
var nReturn = 0;
var ipTemp = IntPtr.Zero;
if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(),
out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(nReturn = Native.NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32) : objObjectName.Name.Buffer;
if (ipTemp != IntPtr.Zero)
{
var baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
var strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32()));
return(strObjectName);
}
catch (AccessViolationException)
{
Console.WriteLine("[WARNING] Access violation!");
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
Native.CloseHandle(ipHandle);
}
}
return(null);
}
