的信息:
经过测试:
Win7 64位
Win10 64位(虚拟盒)
我正在尝试获取外部进程的句柄列表并将其名称作为字符串返回,以便我可以在之后关闭特定的句柄。因此我使用Win32API编写了这个函数,它将检查句柄是否是我要关闭的句柄:`
const int CNST_SYSTEM_HANDLE_INFORMATION = 16;
const uint STATUS_INFO_LENGTH_MISMATCH = 0xc0000004;
public static string getObjectTypeName(Win32API.SYSTEM_HANDLE_INFORMATION shHandle, Process process)
{
IntPtr m_ipProcessHwnd = Win32API.OpenProcess(Win32API.ProcessAccessFlags.All, false, process.Id);
IntPtr ipHandle = IntPtr.Zero;
var objBasic = new Win32API.OBJECT_BASIC_INFORMATION();
IntPtr ipBasic = IntPtr.Zero;
var objObjectType = new Win32API.OBJECT_TYPE_INFORMATION();
IntPtr ipObjectType = IntPtr.Zero;
IntPtr ipObjectName = IntPtr.Zero;
string strObjectTypeName = "";
int nLength = 0;
int nReturn = 0;
IntPtr ipTemp = IntPtr.Zero;
if (!Win32API.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle,
Win32API.GetCurrentProcess(), out ipHandle,
0, false, Win32API.DUPLICATE_SAME_ACCESS))
return null;
ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
Win32API.NtQueryObject(ipHandle, (int)Win32API.ObjectInformationClass.ObjectBasicInformation,
ipBasic, Marshal.SizeOf(objBasic), ref nLength);
objBasic = (Win32API.OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
Marshal.FreeHGlobal(ipBasic);
ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength);
nLength = objBasic.TypeInformationLength;
while ((uint)(nReturn = Win32API.NtQueryObject(
ipHandle, (int)Win32API.ObjectInformationClass.ObjectTypeInformation, ipObjectType,
nLength, ref nLength)) ==
Win32API.STATUS_INFO_LENGTH_MISMATCH)
{
Marshal.FreeHGlobal(ipObjectType);
ipObjectType = Marshal.AllocHGlobal(nLength);
}
objObjectType = (Win32API.OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType());
if (Is64Bits())
{
ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32);
}
else
{
ipTemp = objObjectType.Name.Buffer;
}
strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1);
Marshal.FreeHGlobal(ipObjectType);
Win32API.CloseHandle(ipHandle);
return strObjectTypeName;
}`
问题是,此代码适用于Win7 64位,而不是Win10! - >在Win 10 strObjectTypeName = Marshal.PtrToStringUni();中抛出AcessViolationException(代码中的最后几行)
System.AccessViolationException尝试读取或写入受保护的内存。这通常表明其他内存已损坏。
我在这里错过了一些关于如何在win10中访问非托管内存的内容?
答案 0 :(得分:0)
我刚遇到同样的问题。我没有尝试过Win7,但是当你在Win10(x64)上运行32位代码时(例如设置"首选32位标志"你的应用程序)它应该可以工作。 当异常发生时,拖放变量" ipTemp"进入"内存窗口" Visual Studio,如果它只显示问号或错误消息,则表示您没有有效指针。 据我所知,这个API使用的64位版本的结构中有(更多)填充字节: OBJECT_TYPE_INFORMATION包含UNICODE_STRING,并且UNICODE_STRING在64位模式下的缓冲区字段之前有4个填充字节。 我的工作原理是:
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct UNICODE_STRING
{
private IntPtr _dummy; // the two ushorts seem to be padded with 4 bytes in 64bit mode only
/// <summary>
/// The length, in bytes, of the string stored in Buffer. If the string is null-terminated, Length does not include the trailing null character.
/// </summary>
public ushort Length
{
get { return (ushort)Marshal.ReadInt16(this, 0); }
}
/// <summary>
/// The length, in bytes, of Buffer.
/// </summary>
public ushort MaximumLength
{
get { return (ushort)Marshal.ReadInt16(this, 2); }
}
public IntPtr Buffer;
}
在我的研究过程中,我发现了很多关于这个主题的问题,基本上是两种示例代码 我正在考虑创建一个名为WinKernelObjectsDotNet的开源库。已经复制了整个Internet。
更新:该库现已可用here。它支持使用单行代码查找锁定文件或串行端口(COM)的进程。
答案 1 :(得分:0)
我建议以这种方式更改UNICODE_STRING结构。
name因此getObjectTypeName方法将类似于以下内容,并且适用于32/64:
public struct UNICODE_STRING
{
public ushort Length;
public ushort MaximumLength;
[MarshalAs(UnmanagedType.LPWStr)] public string Buffer;
}