private static string GetHandleTypeToken(IntPtr handle) { int length; NativeMethods.NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectTypeInformation, IntPtr.Zero, 0, out length); IntPtr ptr = IntPtr.Zero; RuntimeHelpers.PrepareConstrainedRegions(); try { RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { ptr = Marshal.AllocHGlobal(length); } if (NativeMethods.NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectTypeInformation, ptr, length, out length) == NT_STATUS.STATUS_SUCCESS) { OBJECT_TYPE_INFORMATION objTypeInfo = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ptr, typeof(OBJECT_TYPE_INFORMATION)); return(objTypeInfo.TypeName.Buffer); } } finally { Marshal.FreeHGlobal(ptr); } return(string.Empty); }
public static string GetObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { IntPtr m_ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id); var objBasic = new OBJECT_BASIC_INFORMATION(); var objObjectType = new OBJECT_TYPE_INFORMATION(); int nLength = 0; if (!DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out IntPtr ipHandle, 0, false, 0x2)) { return(null); } IntPtr ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); IntPtr ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength); nLength = objBasic.TypeInformationLength; while ((uint)(_ = NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType, nLength, ref nLength)) == 0xC0000004) { Marshal.FreeHGlobal(ipObjectType); ipObjectType = Marshal.AllocHGlobal(nLength); } objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType()); IntPtr ipTemp; if (Is64Bits()) { ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32); } else { ipTemp = objObjectType.Name.Buffer; } string strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1); Marshal.FreeHGlobal(ipObjectType); return(strObjectTypeName); }
public static string getObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) { var m_ipProcessHwnd = Native.OpenProcess((int)ProcessAccessFlags.All, false, process.Id); var ipHandle = IntPtr.Zero; var objBasic = new OBJECT_BASIC_INFORMATION(); var ipBasic = IntPtr.Zero; var objObjectType = new OBJECT_TYPE_INFORMATION(); var ipObjectType = IntPtr.Zero; var ipObjectName = IntPtr.Zero; var strObjectTypeName = ""; var nLength = 0; var nReturn = 0; var ipTemp = IntPtr.Zero; if (!Native.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle, Native.GetCurrentProcess(), out ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) { return(null); } ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic)); Native.NtQueryObject(ipHandle, (int)ObjectInformationClass.ObjectBasicInformation, ipBasic, Marshal.SizeOf(objBasic), ref nLength); objBasic = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType()); Marshal.FreeHGlobal(ipBasic); ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength); nLength = objBasic.TypeInformationLength; while ((uint)(nReturn = Native.NtQueryObject( ipHandle, (int)ObjectInformationClass.ObjectTypeInformation, ipObjectType, nLength, ref nLength)) == STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ipObjectType); ipObjectType = Marshal.AllocHGlobal(nLength); } objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType()); ipTemp = Is64Bits() ? new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32) : objObjectType.Name.Buffer; strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1); Marshal.FreeHGlobal(ipObjectType); return(strObjectTypeName); }
public OBJECT_TYPE_INFORMATION GetHandleTypeInfo(int pid, UInt16 handle, OBJECT_BASIC_INFORMATION obi) { IntPtr src_proc_handle = OpenProcess(PROCESS_DUP_HANDLE, 0, pid); if (IntPtr.Zero == src_proc_handle) { return(default(OBJECT_TYPE_INFORMATION)); } IntPtr target_handle = IntPtr.Zero; if (STATUS_SUCCESS != NtDuplicateObject( src_proc_handle, (IntPtr)handle, GetCurrentProcess(), ref target_handle, 0, 0, DUPLICATE_SAME_ACCESS)) { CloseHandle(src_proc_handle); return(default(OBJECT_TYPE_INFORMATION)); } int ret_obj_len = 0; int obj_len = obi.TypeInformationLength + 2; // sizeof(EOF) = sizeof('\0\0') = 2 byte[] bytes_obj_info = new byte[obj_len]; uint ret = NtQueryObject(target_handle, ObjectTypeInformation, bytes_obj_info, obj_len, ref ret_obj_len); if (STATUS_SUCCESS != ret) { CloseHandle(target_handle); CloseHandle(src_proc_handle); return(default(OBJECT_TYPE_INFORMATION)); } GCHandle gch = GCHandle.Alloc(bytes_obj_info, GCHandleType.Pinned); OBJECT_TYPE_INFORMATION oti = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(gch.AddrOfPinnedObject(), typeof(OBJECT_TYPE_INFORMATION)); gch.Free(); CloseHandle(target_handle); CloseHandle(src_proc_handle); return(oti); }
private string GetHandleType(IntPtr handle) { int guessSize = 1024; NT_STATUS ret; IntPtr ptr = Marshal.AllocHGlobal(guessSize); try { while (true) { ret = NativeMethods.NtQueryObject(handle, OBJECT_INFORMATION_CLASS.ObjectTypeInformation, ptr, guessSize, out int requiredSize); if (ret == NT_STATUS.STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(ptr); guessSize = requiredSize; ptr = Marshal.AllocHGlobal(guessSize); continue; } if (ret == NT_STATUS.STATUS_SUCCESS) { OBJECT_TYPE_INFORMATION oti = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ptr, typeof(OBJECT_TYPE_INFORMATION)); return(oti.Name.GetText()); } break; } } finally { if (ptr != IntPtr.Zero) { Marshal.FreeHGlobal(ptr); } } return("(unknown)"); }