DuplicateHandle fails with ERROR_INVALID_HANDLE for a remote thread

Date: 2012-09-02 07:29:25

Tags: c++ windows winapi error-handling

Hi, I am trying to suspend a remote thread, but along the way I stumbled on DuplicateHandle failing with error 6, ERROR_INVALID_HANDLE.

The method below works for the current process, but if it is given a remote process such as "calc" (on the same host), DuplicateHandle fails.

The process runs with admin privileges, and SeDebugPrivilege and SeSecurityPrivilege are granted (Process Explorer confirms it), but to no avail. Any ideas?

```cpp
bool DbgHelpWrapper::GetThreadStartAddress( IntPtr processHandle, DWORD processId, DWORD threadID, DWORD *dwStartAddress )
{
    // Get ntdll entry points.
    HMODULE ntDLLHandle = LoadLibrary(L"ntdll.dll");
    if (ntDLLHandle == NULL)
    {
        System::Console::WriteLine( String::Format("LoadLibrary(ntdll.dll) error {0}", GetLastError()) );
        return false;
    }
    tNtQueryInformationThread NtQueryInformationThread = (tNtQueryInformationThread)GetProcAddress(ntDLLHandle, "NtQueryInformationThread");
    if (NtQueryInformationThread == NULL)
    {
        System::Console::WriteLine( "Cannot resolve NtQueryInformationThread" );
        FreeLibrary(ntDLLHandle);
        return false;
    }

    // Open the thread with only THREAD_SUSPEND_RESUME; the query right is requested by duplicating below.
    HANDLE hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, processId );
    HANDLE hRemoteThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, threadID);

    if (hRemoteThread == 0 || hRemoteProcess == 0 )
    {
        System::Console::WriteLine( String::Format("Cannot open the process or the thread with THREAD_SUSPEND_RESUME rights, error {0}", GetLastError()) );
        if (hRemoteThread != 0) CloseHandle(hRemoteThread);
        if (hRemoteProcess != 0) CloseHandle(hRemoteProcess);
        FreeLibrary(ntDLLHandle);
        return false;
    }

    try
    {
        // Duplicate handle to get correct access rights.
        HANDLE temporaryHandle = 0;
        BOOL duplicateHandleResult = DuplicateHandle(hRemoteProcess, hRemoteThread, GetCurrentProcess(),
                                                     &temporaryHandle, THREAD_QUERY_INFORMATION, FALSE, 0 );
        // Read the error right after the native call. Marshal::GetLastWin32Error only reflects
        // P/Invoke stubs, not direct Win32 calls made from C++/CLI.
        DWORD duplicateHandleError = GetLastError();
        System::Console::WriteLine( String::Format("DuplicateHandle returned {0}", duplicateHandleResult ));
        System::Console::WriteLine( String::Format("DuplicateHandle error {0}", duplicateHandleError ));
        if (duplicateHandleResult != 0 )
        {
            try
            {
                NTSTATUS ntStatus = NtQueryInformationThread(temporaryHandle, ThreadQuerySetWin32StartAddress, dwStartAddress, sizeof(DWORD), NULL);
                // NtQueryInformationThread reports failure through the NTSTATUS itself; it does not set the last-error value.
                System::Console::WriteLine( String::Format("NtQueryInformationThread returned {0:X8}", ntStatus ));
                if (ntStatus == 0)
                {
                    System::Console::WriteLine( String::Format("StartAddress: {0:X16}", *dwStartAddress ));
                    return true;
                }
                else
                {
                    return false;
                }
            }
            finally
            {
                CloseHandle(temporaryHandle);
            }
        }
        else
        {
            System::Console::WriteLine( "Cannot duplicate the thread handle to THREAD_QUERY_INFORMATION rights" );
            return false;
        }
    }
    finally
    {
        // Cleanup: release both handles and the ntdll reference taken by LoadLibrary.
        CloseHandle(hRemoteThread);
        CloseHandle(hRemoteProcess);
        FreeLibrary(ntDLLHandle);
    }
}
```

1 answer:

Answer 0 (score: 2)

You are telling DuplicateHandle that hRemoteThread is a handle in hRemoteProcess, but it is not. It is a handle in your current process; you opened it a few lines earlier. (The thread is part of the remote process, but its handle is not.)