1. 首页
  2. 问答
  3. 枚举句柄名称问题

枚举句柄名称问题

2017-09-25 115 views
0

我找到了枚举其他程序句柄的方法,但现在我遇到了问题。我看不到Process类型的线程。我需要检查哪些程序打开了我的进程句柄。枚举句柄名称问题

当我检查输出,它是“未命名”,我不知道如何解决它。

我应该通过dirver来做到这一点吗?或者没有驱动程序的其他方式来做到这一点?

pid = _wtoi(argv[1]); 

if (!(processHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid))) 
{ 
    printf("Could not open PID %d! (Don't try to open a system process.)\n", pid); 
    return 1; 
} 

handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize); 

/* NtQuerySystemInformation won't give us the correct buffer size, 
    so we guess by doubling the buffer size. */ 
while ((status = NtQuerySystemInformation(
    SystemHandleInformation, 
    handleInfo, 
    handleInfoSize, 
    NULL 
    )) == STATUS_INFO_LENGTH_MISMATCH) 
    handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2); 

/* NtQuerySystemInformation stopped giving us STATUS_INFO_LENGTH_MISMATCH. */ 
if (!NT_SUCCESS(status)) 
{ 
    printf("NtQuerySystemInformation failed!\n"); 
    return 1; 
} 

for (i = 0; i < handleInfo->HandleCount; i++) 
{ 
    SYSTEM_HANDLE handle = handleInfo->Handles[i]; 
    HANDLE dupHandle = NULL; 
    POBJECT_TYPE_INFORMATION objectTypeInfo; 
    PVOID objectNameInfo; 
    UNICODE_STRING objectName; 
    ULONG returnLength; 

    /* Check if this handle belongs to the PID the user specified. */ 
    if (handle.ProcessId != pid) 
     continue; 

    /* Duplicate the handle so we can query it. */ 
    if (!NT_SUCCESS(NtDuplicateObject(
     processHandle, 
     handle.Handle, 
     GetCurrentProcess(), 
     &dupHandle, 
     0, 
     0, 
     0 
     ))) 
    { 
     printf("[%#x] Error!\n", handle.Handle); 
     continue; 
    } 

    /* Query the object type. */ 
    objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000); 
    if (!NT_SUCCESS(NtQueryObject(
     dupHandle, 
     ObjectTypeInformation, 
     objectTypeInfo, 
     0x1000, 
     NULL 
     ))) 
    { 
     printf("[%#x] Error!\n", handle.Handle); 
     CloseHandle(dupHandle); 
     continue; 
    } 

    /* Query the object name (unless it has an access of 
     0x0012019f, on which NtQueryObject could hang. */ 
    if (handle.GrantedAccess == 0x0012019f) 
    { 
     /* We have the type, so display that. */ 
     printf(
      "[%#x] %.*S: (did not get name)\n", 
      handle.Handle, 
      objectTypeInfo->Name.Length/2, 
      objectTypeInfo->Name.Buffer 
      ); 
     free(objectTypeInfo); 
     CloseHandle(dupHandle); 
     continue; 
    } 

    objectNameInfo = malloc(0x1000); 
    if (!NT_SUCCESS(NtQueryObject(
     dupHandle, 
     ObjectNameInformation, 
     objectNameInfo, 
     0x1000, 
     &returnLength 
     ))) 
    { 
     /* Reallocate the buffer and try again. */ 
     objectNameInfo = realloc(objectNameInfo, returnLength); 
     if (!NT_SUCCESS(NtQueryObject(
      dupHandle, 
      ObjectNameInformation, 
      objectNameInfo, 
      returnLength, 
      NULL 
      ))) 
     { 
      /* We have the type name, so just display that. */ 
      printf(
       "[%#x] %.*S: (could not get name)\n", 
       handle.Handle, 
       objectTypeInfo->Name.Length/2, 
       objectTypeInfo->Name.Buffer 
       ); 
      free(objectTypeInfo); 
      free(objectNameInfo); 
      CloseHandle(dupHandle); 
      continue; 
     } 
    } 

    /* Cast our buffer into an UNICODE_STRING. */ 
    objectName = *(PUNICODE_STRING)objectNameInfo; 

    /* Print the information! */ 
    if (objectName.Length) 
    { 
     /* The object has a name. */ 
     printf(
      "[%#x] %.*S: %.*S\n", 
      handle.Handle, 
      objectTypeInfo->Name.Length/2, 
      objectTypeInfo->Name.Buffer, 
      objectName.Length/2, 
      objectName.Buffer 
      ); 
    } 
    else 
    { 
     /* Print something else. */ 
     printf(
      "[%#x] %.*S: (unnamed)\n", 
      handle.Handle, 
      objectTypeInfo->Name.Length/2, 
      objectTypeInfo->Name.Buffer 
      ); 
    } 

    free(objectTypeInfo); 
    free(objectNameInfo); 
    CloseHandle(dupHandle); 
} 

free(handleInfo); 
CloseHandle(processHandle); 

return 0;

来源

2017-09-25 ismet JM

回答

0 
void SearchMyProcessHandles() 
{ 
    ULONG UniqueProcessId = GetCurrentProcessId(); 

    if (HANDLE hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, UniqueProcessId)) 
    { 
     NTSTATUS status; 
     union { 
      PSYSTEM_HANDLE_INFORMATION_EX pshi; 
      PVOID buf; 
     }; 
     ULONG cb = 0x10000; 
     do 
     { 
      status = STATUS_INSUFFICIENT_RESOURCES; 

      if (buf = new UCHAR[cb += PAGE_SIZE]) 
      { 
       if (0 <= (status = ZwQuerySystemInformation(SystemExtendedHandleInformation, buf, cb, &cb))) 
       { 
        if (ULONG_PTR NumberOfHandles = pshi->NumberOfHandles) 
        { 

         SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX* Handles = pshi->Handles; 
         do 
         { 
          if (Handles->UniqueProcessId == UniqueProcessId && 
           Handles->HandleValue == (ULONG_PTR)hProcess) 
          { 
           PVOID Object = Handles->Object; 

           Handles = pshi->Handles; 
           NumberOfHandles = pshi->NumberOfHandles; 

           do 
           { 
            if (Handles->Object == Object && 
             Handles->UniqueProcessId != UniqueProcessId) 
            { 
             DbgPrint("%p %p %08x\n", 
              Handles->UniqueProcessId, 
              Handles->HandleValue, 
              Handles->GrantedAccess); 
            } 
           } while (Handles++, --NumberOfHandles); 

           break; 
          } 

         } while (Handles++, --NumberOfHandles); 
        } 
       } 
       delete [] buf; 
      } 
     } while (status == STATUS_INFO_LENGTH_MISMATCH); 

     CloseHandle(hProcess); 
    } 
}

来源

2017-09-26 18:19:02 RbMm

相关问题

 相关问题